1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package org.apache.hadoop.hbase.security.access;
19
20 import static org.junit.Assert.*;
21
22 import java.util.UUID;
23
24 import org.apache.commons.logging.Log;
25 import org.apache.commons.logging.LogFactory;
26 import org.apache.hadoop.conf.Configuration;
27 import org.apache.hadoop.hbase.Coprocessor;
28 import org.apache.hadoop.hbase.HBaseTestingUtility;
29 import org.apache.hadoop.hbase.HColumnDescriptor;
30 import org.apache.hadoop.hbase.HTableDescriptor;
31 import org.apache.hadoop.hbase.testclassification.MediumTests;
32 import org.apache.hadoop.hbase.TableNotFoundException;
33 import org.apache.hadoop.hbase.client.Admin;
34 import org.apache.hadoop.hbase.client.HTable;
35 import org.apache.hadoop.hbase.client.Put;
36 import org.apache.hadoop.hbase.client.Result;
37 import org.apache.hadoop.hbase.client.Scan;
38 import org.apache.hadoop.hbase.client.Table;
39 import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
40 import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
41 import org.apache.hadoop.hbase.security.User;
42 import org.apache.hadoop.hbase.security.access.Permission.Action;
43 import org.apache.hadoop.hbase.util.Bytes;
44 import org.apache.hadoop.hbase.util.TestTableName;
45 import org.apache.log4j.Level;
46 import org.apache.log4j.Logger;
47 import org.junit.After;
48 import org.junit.AfterClass;
49 import org.junit.Before;
50 import org.junit.BeforeClass;
51 import org.junit.Rule;
52 import org.junit.Test;
53 import org.junit.experimental.categories.Category;
54
55 @Category(MediumTests.class)
56 public class TestScanEarlyTermination extends SecureTestUtil {
57 private static final Log LOG = LogFactory.getLog(TestScanEarlyTermination.class);
58
59 static {
60 Logger.getLogger(AccessController.class).setLevel(Level.TRACE);
61 Logger.getLogger(AccessControlFilter.class).setLevel(Level.TRACE);
62 Logger.getLogger(TableAuthManager.class).setLevel(Level.TRACE);
63 }
64
65 @Rule
66 public TestTableName TEST_TABLE = new TestTableName();
67 private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
68 private static final byte[] TEST_FAMILY1 = Bytes.toBytes("f1");
69 private static final byte[] TEST_FAMILY2 = Bytes.toBytes("f2");
70 private static final byte[] TEST_ROW = Bytes.toBytes("testrow");
71 private static final byte[] TEST_Q1 = Bytes.toBytes("q1");
72 private static final byte[] TEST_Q2 = Bytes.toBytes("q2");
73 private static final byte[] ZERO = Bytes.toBytes(0L);
74
75 private static Configuration conf;
76
77 private static User USER_OWNER;
78 private static User USER_OTHER;
79
80 @BeforeClass
81 public static void setupBeforeClass() throws Exception {
82
83 conf = TEST_UTIL.getConfiguration();
84
85 enableSecurity(conf);
86
87 verifyConfiguration(conf);
88
89 TEST_UTIL.startMiniCluster();
90 MasterCoprocessorHost cpHost = TEST_UTIL.getMiniHBaseCluster().getMaster()
91 .getMasterCoprocessorHost();
92 cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
93 AccessController ac = (AccessController)
94 cpHost.findCoprocessor(AccessController.class.getName());
95 cpHost.createEnvironment(AccessController.class, ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
96 RegionServerCoprocessorHost rsHost = TEST_UTIL.getMiniHBaseCluster().getRegionServer(0)
97 .getRegionServerCoprocessorHost();
98 rsHost.createEnvironment(AccessController.class, ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
99
100
101 TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
102
103
104 USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
105 USER_OTHER = User.createUserForTesting(conf, "other", new String[0]);
106 }
107
108 @AfterClass
109 public static void tearDownAfterClass() throws Exception {
110 TEST_UTIL.shutdownMiniCluster();
111 }
112
113 @Before
114 public void setUp() throws Exception {
115 Admin admin = TEST_UTIL.getHBaseAdmin();
116 HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName());
117 htd.setOwner(USER_OWNER);
118 HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY1);
119 hcd.setMaxVersions(10);
120 htd.addFamily(hcd);
121 hcd = new HColumnDescriptor(TEST_FAMILY2);
122 hcd.setMaxVersions(10);
123 htd.addFamily(hcd);
124
125
126
127 htd.setConfiguration(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, "true");
128
129 admin.createTable(htd);
130 TEST_UTIL.waitUntilAllRegionsAssigned(TEST_TABLE.getTableName());
131 }
132
133 @After
134 public void tearDown() throws Exception {
135
136 try {
137 TEST_UTIL.deleteTable(TEST_TABLE.getTableName());
138 } catch (TableNotFoundException ex) {
139
140 LOG.info("Test deleted table " + TEST_TABLE.getTableName());
141 }
142 assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
143 }
144
145 @Test
146 public void testEarlyScanTermination() throws Exception {
147
148 grantOnTable(TEST_UTIL, USER_OTHER.getShortName(), TEST_TABLE.getTableName(), TEST_FAMILY1,
149 null, Action.READ);
150
151
152 verifyAllowed(new AccessTestAction() {
153 @Override
154 public Object run() throws Exception {
155
156 conf.set("testkey", UUID.randomUUID().toString());
157 Table t = new HTable(conf, TEST_TABLE.getTableName());
158 try {
159 Put put = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
160 t.put(put);
161
162 put = new Put(TEST_ROW).add(TEST_FAMILY2, TEST_Q1, ZERO);
163 put.setACL(USER_OTHER.getShortName(), new Permission(Action.READ));
164 t.put(put);
165
166 put = new Put(TEST_ROW).add(TEST_FAMILY2, TEST_Q2, ZERO);
167 put.setACL(USER_OTHER.getShortName(), new Permission());
168 t.put(put);
169 } finally {
170 t.close();
171 }
172 return null;
173 }
174 }, USER_OWNER);
175
176
177 verifyAllowed(new AccessTestAction() {
178 @Override
179 public Object run() throws Exception {
180
181 conf.set("testkey", UUID.randomUUID().toString());
182 Table t = new HTable(conf, TEST_TABLE.getTableName());
183 try {
184 Scan scan = new Scan().addFamily(TEST_FAMILY1);
185 Result result = t.getScanner(scan).next();
186 if (result != null) {
187 assertTrue("Improper exclusion", result.containsColumn(TEST_FAMILY1, TEST_Q1));
188 assertFalse("Improper inclusion", result.containsColumn(TEST_FAMILY2, TEST_Q1));
189 return result.listCells();
190 }
191 return null;
192 } finally {
193 t.close();
194 }
195 }
196 }, USER_OTHER);
197
198
199
200
201 verifyAllowed(new AccessTestAction() {
202 @Override
203 public Object run() throws Exception {
204
205 conf.set("testkey", UUID.randomUUID().toString());
206 Table t = new HTable(conf, TEST_TABLE.getTableName());
207 try {
208 Scan scan = new Scan();
209 Result result = t.getScanner(scan).next();
210 if (result != null) {
211 assertTrue("Improper exclusion", result.containsColumn(TEST_FAMILY1, TEST_Q1));
212 assertFalse("Improper inclusion", result.containsColumn(TEST_FAMILY2, TEST_Q1));
213 return result.listCells();
214 }
215 return null;
216 } finally {
217 t.close();
218 }
219 }
220 }, USER_OTHER);
221
222
223 verifyDenied(new AccessTestAction() {
224 @Override
225 public Object run() throws Exception {
226
227 conf.set("testkey", UUID.randomUUID().toString());
228 Table t = new HTable(conf, TEST_TABLE.getTableName());
229 try {
230 Scan scan = new Scan().addFamily(TEST_FAMILY2);
231 Result result = t.getScanner(scan).next();
232 if (result != null) {
233 return result.listCells();
234 }
235 return null;
236 } finally {
237 t.close();
238 }
239 }
240 }, USER_OTHER);
241
242
243 grantOnTable(TEST_UTIL, USER_OTHER.getShortName(), TEST_TABLE.getTableName(), TEST_FAMILY2,
244 TEST_Q2, Action.READ);
245
246
247
248
249 verifyAllowed(new AccessTestAction() {
250 @Override
251 public Object run() throws Exception {
252
253 conf.set("testkey", UUID.randomUUID().toString());
254 Table t = new HTable(conf, TEST_TABLE.getTableName());
255 try {
256 Scan scan = new Scan();
257 Result result = t.getScanner(scan).next();
258 if (result != null) {
259 assertTrue("Improper exclusion", result.containsColumn(TEST_FAMILY1, TEST_Q1));
260 assertFalse("Improper inclusion", result.containsColumn(TEST_FAMILY2, TEST_Q1));
261 assertTrue("Improper exclusion", result.containsColumn(TEST_FAMILY2, TEST_Q2));
262 return result.listCells();
263 }
264 return null;
265 } finally {
266 t.close();
267 }
268 }
269 }, USER_OTHER);
270 }
271 }