HBASE-13294 Fix the critical ancient loopholes in security testing infrastructure (Srikanth Srungarapu)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/050028c3 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/050028c3 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/050028c3 Branch: refs/heads/branch-1 Commit: 050028c32ea26e20ad2c7931036c1d7ebd4d4638 Parents: 01fdafb Author: Andrew Purtell <[email protected]> Authored: Wed Mar 25 09:28:12 2015 -0700 Committer: Andrew Purtell <[email protected]> Committed: Wed Mar 25 09:28:12 2015 -0700 ---------------------------------------------------------------------- .../hbase/security/access/SecureTestUtil.java | 63 ++-- .../security/access/TestAccessController.java | 352 +++++++------------ .../security/access/TestAccessController2.java | 19 +- .../access/TestCellACLWithMultipleVersions.java | 27 +- .../hbase/security/access/TestCellACLs.java | 4 +- .../security/access/TestNamespaceCommands.java | 185 +++++----- .../access/TestScanEarlyTermination.java | 2 +- 7 files changed, 269 insertions(+), 383 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java ----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index f77bb85..6487ebe 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -154,6 +154,7 @@ public class SecureTestUtil { */ static interface AccessTestAction extends PrivilegedExceptionAction<Object> { } + /** This fails only in case of ADE or empty list for any of the actions. */ public static void verifyAllowed(User user, AccessTestAction... actions) throws Exception { for (AccessTestAction action : actions) { try { @@ -170,6 +171,7 @@ public class SecureTestUtil { } } + /** This fails only in case of ADE or empty list for any of the users. */ public static void verifyAllowed(AccessTestAction action, User... users) throws Exception { for (User user : users) { verifyAllowed(user, action); 
@@ -191,36 +193,53 @@ public class SecureTestUtil { } } - public static void verifyDeniedWithException(User user, AccessTestAction... actions) - throws Exception { - verifyDenied(user, true, actions); - } - - public static void verifyDeniedWithException(AccessTestAction action, User... users) - throws Exception { + /** This passes only in case of ADE for all users. */ + public static void verifyDenied(AccessTestAction action, User... users) throws Exception { for (User user : users) { - verifyDenied(user, true, action); + verifyDenied(user, action); } } - public static void verifyDenied(User user, AccessTestAction... actions) throws Exception { - verifyDenied(user, false, actions); - } - - public static void verifyDenied(User user, boolean requireException, - AccessTestAction... actions) throws Exception { - for (AccessTestAction action : actions) { + /** This passes only in case of empty list for all users. */ + public static void verifyIfEmptyList(AccessTestAction action, User... users) throws Exception { + for (User user : users) { try { Object obj = user.runAs(action); - if (requireException) { - fail("Expected exception was not thrown for user '" + user.getShortName() + "'"); - } if (obj != null && obj instanceof List<?>) { List<?> results = (List<?>) obj; if (results != null && !results.isEmpty()) { - fail("Unexpected results for user '" + user.getShortName() + "'"); + fail("Unexpected action results: " + results + " for user '" + + user.getShortName() + "'"); } + } else { + fail("Unexpected results for user '" + user.getShortName() + "'"); } + } catch (AccessDeniedException ade) { + fail("Expected action to pass for user '" + user.getShortName() + "' but was denied"); + } + } + } + + /** This passes only in case of null for all users. */ + public static void verifyIfNull(AccessTestAction action, User... 
users) throws Exception { + for (User user : users) { + try { + Object obj = user.runAs(action); + if (obj != null) { + fail("Non null results from action for user '" + user.getShortName() + "'"); + } + } catch (AccessDeniedException ade) { + fail("Expected action to pass for user '" + user.getShortName() + "' but was denied"); + } + } + } + + /** This passes only in case of ADE for all actions. */ + public static void verifyDenied(User user, AccessTestAction... actions) throws Exception { + for (AccessTestAction action : actions) { + try { + user.runAs(action); + fail("Expected exception was not thrown for user '" + user.getShortName() + "'"); } catch (IOException e) { boolean isAccessDeniedException = false; if(e instanceof RetriesExhaustedWithDetailsException) { @@ -266,12 +285,6 @@ public class SecureTestUtil { } } - public static void verifyDenied(AccessTestAction action, User... users) throws Exception { - for (User user : users) { - verifyDenied(user, action); - } - } - private static List<AccessController> getAccessControllers(MiniHBaseCluster cluster) { List<AccessController> result = Lists.newArrayList(); for (RegionServerThread t: cluster.getLiveRegionServerThreads()) { http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index e148558..d8f4d2d 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
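Review bot: In `verifyIfEmptyList` (hunk at -191) a null return and a non-List return both end in the same `fail("Unexpected results for user ...")`, so a failing run does not say what the action actually returned. Because `instanceof` is already false for null, the `obj != null &&` and `results != null` tests add nothing; `if (!(obj instanceof List<?>)) { fail("Expected a List but got " + obj + " for user '" + user.getShortName() + "'"); }` would be shorter and self-explanatory. Both new helpers also catch only a direct `AccessDeniedException`, while `verifyDenied(User, ...)` in the same hunk goes on to inspect `RetriesExhaustedWithDetailsException`; a wrapped denial in `verifyIfEmptyList` or `verifyIfNull` would presumably surface as a generic test error rather than the intended "but was denied" message. The body of `verifyDenied(User, ...)` continues past the end of this hunk.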
@@ -137,7 +137,11 @@ public class TestAccessController extends SecureTestUtil { @Rule public TestTableName TEST_TABLE = new TestTableName(); private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static Configuration conf; - private static Connection connection; + + /** The systemUserConnection created here is tied to the system user. In case, you are planning + * to create AccessTestAction, DON'T use this systemUserConnection as the 'doAs' user + * gets eclipsed by the system user. */ + private static Connection systemUserConnection; // user with all permissions @@ -211,12 +215,11 @@ public class TestAccessController extends SecureTestUtil { USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); - connection = ConnectionFactory.createConnection(conf); + systemUserConnection = TEST_UTIL.getConnection(); } @AfterClass public static void tearDownAfterClass() throws Exception { - connection.close(); TEST_UTIL.shutdownMiniCluster(); } @@ -267,7 +270,7 @@ public class TestAccessController extends SecureTestUtil { assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); try { - assertEquals(5, AccessControlClient.getUserPermissions(connection, + assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size()); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.getUserPermissions. ", e); @@ -355,8 +358,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE); - verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); + verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); } @Test 
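Review bot: In the hunk at -267 the `assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, ...).size())` sits inside `try { ... } catch (Throwable e) { LOG.error(...) }`, so an `AssertionError` from a wrong permission count is caught and only logged, unless lines after the hunk rethrow it. For a test of the access controller that makes the check unable to fail; adding `fail("error during call of AccessControlClient.getUserPermissions: " + e);` after the `LOG.error`, or moving the assertion out of the try, closes that. The same log-only `catch (Throwable e)` wraps the grant and revoke calls in the hunks at -2131, -2142, -2173, -2184, -2214 and -2225, where a failed call is detected only if the verify that follows happens to depend on it. The catch block continues outside this hunk.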
@@ -452,8 +455,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMove() throws Exception { List<HRegionLocation> regions; - try (RegionLocator locator = - TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -475,8 +477,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAssign() throws Exception { List<HRegionLocation> regions; - try (RegionLocator locator = - TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -496,8 +497,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testUnassign() throws Exception { List<HRegionLocation> regions; - try (RegionLocator locator = - TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -517,8 +517,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testRegionOffline() throws Exception { List<HRegionLocation> regions; - try (RegionLocator locator = - TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); 
@@ -674,20 +673,6 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(action, USER_RW, USER_RO, USER_NONE); } - @Test - public void testPreCompactSelection() throws Exception { - AccessTestAction action = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preCompactSelection(ObserverContext.createAndPrepare(RCP_ENV, null), null, null); - return null; - } - }; - - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); - } - private void verifyRead(AccessTestAction action) throws Exception { verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); verifyDenied(action, USER_NONE); @@ -706,11 +691,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Get g = new Get(TEST_ROW); g.addFamily(TEST_FAMILY); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { t.get(g); - } finally { - t.close(); } return null; } @@ -724,9 +707,9 @@ public class TestAccessController extends SecureTestUtil { Scan s = new Scan(); s.addFamily(TEST_FAMILY); - Table table = new HTable(conf, TEST_TABLE.getTableName()); - try { - ResultScanner scanner = table.getScanner(s); + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { + ResultScanner scanner = t.getScanner(s); try { for (Result r = scanner.next(); r != null; r = scanner.next()) { // do nothing @@ -735,8 +718,6 @@ public class TestAccessController extends SecureTestUtil { } finally { scanner.close(); } - } finally { - table.close(); } return null; } 
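Review bot: The reason each action now opens its own `Connection` inside `run()` (first seen in the hunk at -706) is not stated at any call site, although the same pattern repeats in nearly every action through the hunk at -2201. A later cleanup that swaps one of them back to a shared connection would silently reintroduce the identity problem described in the `systemUserConnection` javadoc added by this commit. A one-line comment on the first action, such as `// open the connection inside run() so it carries the runAs user, not the system user`, or a small private helper that all actions call, would keep the intent visible. `try(` is also written without the space that the surrounding `try (` context lines use.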
@@ -753,11 +734,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { t.put(p); - } finally { - t.close(); } return null; } @@ -770,11 +749,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { t.delete(d); - } finally { - t.close(); } return null; } @@ -787,11 +764,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Increment inc = new Increment(TEST_ROW); inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { t.increment(inc); - } finally { - t.close(); } return null; } @@ -807,12 +782,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, - Bytes.toBytes("test_value"), d); - } finally { - t.close(); + Bytes.toBytes("test_value"), d); } return null; } 
@@ -825,12 +798,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, - Bytes.toBytes("test_value"), p); - } finally { - t.close(); + Bytes.toBytes("test_value"), p); } return null; } @@ -927,7 +898,8 @@ public class TestAccessController extends SecureTestUtil { //set global read so RegionServer can move it setPermission(loadPath, FsPermission.valueOf("-rwxrwxrwx")); - try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(tableName)) { + try (Connection conn = ConnectionFactory.createConnection(conf); + HTable table = (HTable)conn.getTable(tableName)) { TEST_UTIL.waitUntilAllRegionsAssigned(tableName); LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf); loader.doBulkLoad(loadPath, table); @@ -959,12 +931,10 @@ public class TestAccessController extends SecureTestUtil { put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1)); Append append = new Append(row); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { t.put(put); t.append(append); - } finally { - t.close(); } return null; } 
@@ -979,15 +949,13 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction grantAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), TEST_FAMILY, null, Action.READ); - } finally { - acl.close(); } return null; } @@ -996,15 +964,13 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction revokeAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), - TEST_FAMILY, null, Action.READ); - } finally { - acl.close(); + TEST_FAMILY, null, Action.READ); } return null; } 
@@ -1013,14 +979,12 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getTablePermissionsAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName()); - } finally { - acl.close(); } return null; } @@ -1029,14 +993,12 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getGlobalPermissionsAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); ProtobufUtil.getUserPermissions(protocol); - } finally { - acl.close(); } return null; } @@ -1052,7 +1014,7 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); - verifyDeniedWithException(getGlobalPermissionsAction, USER_CREATE, + verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } 
@@ -1087,11 +1049,9 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(Bytes.toBytes("a")); p.add(family1, qualifier, Bytes.toBytes("v1")); p.add(family2, qualifier, Bytes.toBytes("v2")); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.put(p); - } finally { - t.close(); } return null; } @@ -1102,11 +1062,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Put p = new Put(Bytes.toBytes("a")); p.add(family1, qualifier, Bytes.toBytes("v1")); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.put(p); - } finally { - t.close(); } return null; } @@ -1117,11 +1075,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Put p = new Put(Bytes.toBytes("a")); p.add(family2, qualifier, Bytes.toBytes("v2")); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.put(p); - } finally { - t.close(); } return null; } @@ -1133,11 +1089,9 @@ public class TestAccessController extends SecureTestUtil { Get g = new Get(TEST_ROW); g.addFamily(family1); g.addFamily(family2); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.get(g); - } finally { - t.close(); } return null; } @@ -1148,11 +1102,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Get g = new Get(TEST_ROW); g.addFamily(family1); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.get(g); - } finally { - t.close(); } return null; } 
@@ -1163,11 +1115,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Get g = new Get(TEST_ROW); g.addFamily(family2); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.get(g); - } finally { - t.close(); } return null; } @@ -1179,11 +1129,9 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(family1); d.deleteFamily(family2); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.delete(d); - } finally { - t.close(); } return null; } @@ -1194,11 +1142,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Delete d = new Delete(TEST_ROW); d.deleteFamily(family1); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.delete(d); - } finally { - t.close(); } return null; } @@ -1209,11 +1155,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Delete d = new Delete(TEST_ROW); d.deleteFamily(family2); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.delete(d); - } finally { - t.close(); } return null; } @@ -1354,11 +1298,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Get g = new Get(TEST_ROW); g.addColumn(family1, qualifier); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.get(g); - } finally { - t.close(); } return null; } 
@@ -1369,11 +1311,9 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Put p = new Put(TEST_ROW); p.add(family1, qualifier, Bytes.toBytes("v1")); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.put(p); - } finally { - t.close(); } return null; } @@ -1385,11 +1325,9 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteColumn(family1, qualifier); // d.deleteFamily(family1); - Table t = new HTable(conf, tableName); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { t.delete(d); - } finally { - t.close(); } return null; } @@ -1461,7 +1399,7 @@ public class TestAccessController extends SecureTestUtil { List<UserPermission> perms; - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = @@ -1474,7 +1412,7 @@ public class TestAccessController extends SecureTestUtil { UserPermission ownerperm = new UserPermission( Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); assertTrue("Owner should have all permissions on table", - hasFoundUserPermission(ownerperm, perms)); + hasFoundUserPermission(ownerperm, perms)); User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); byte[] userName = Bytes.toBytes(user.getShortName()); 
@@ -1488,7 +1426,7 @@ public class TestAccessController extends SecureTestUtil { grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, Permission.Action.READ); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = @@ -1513,7 +1451,7 @@ public class TestAccessController extends SecureTestUtil { tableName, family1, qualifier, Permission.Action.WRITE, Permission.Action.READ); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = @@ -1532,7 +1470,7 @@ public class TestAccessController extends SecureTestUtil { revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, Permission.Action.WRITE, Permission.Action.READ); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = @@ -1543,7 +1481,7 @@ public class TestAccessController extends SecureTestUtil { } assertFalse("User should not be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); + hasFoundUserPermission(upToVerify, perms)); // disable table before modification admin.disableTable(tableName); 
@@ -1552,7 +1490,7 @@ public class TestAccessController extends SecureTestUtil { htd.setOwner(newOwner); admin.modifyTable(tableName, htd); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = @@ -1565,7 +1503,7 @@ public class TestAccessController extends SecureTestUtil { UserPermission newOwnerperm = new UserPermission( Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); assertTrue("New owner should have all permissions on table", - hasFoundUserPermission(newOwnerperm, perms)); + hasFoundUserPermission(newOwnerperm, perms)); // delete table deleteTable(TEST_UTIL, tableName); @@ -1574,7 +1512,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testGlobalPermissionList() throws Exception { List<UserPermission> perms; - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); AccessControlService.BlockingInterface protocol = @@ -1609,8 +1547,8 @@ public class TestAccessController extends SecureTestUtil { AccessControlProtos.GlobalPermission.newBuilder() .addAction(ProtobufUtil.toPermissionAction(a)).build())); } - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(channel); 
@@ -1619,8 +1557,6 @@ public class TestAccessController extends SecureTestUtil { } catch (ServiceException se) { ProtobufUtil.toIOException(se); } - } finally { - acl.close(); } } @@ -1639,8 +1575,8 @@ public class TestAccessController extends SecureTestUtil { for (Permission p : perms) { request.addPermission(ProtobufUtil.toPermission(p)); } - Table acl = new HTable(conf, table); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(table)) { AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0])); try { @@ -1648,8 +1584,6 @@ public class TestAccessController extends SecureTestUtil { } catch (ServiceException se) { ProtobufUtil.toIOException(se); } - } finally { - acl.close(); } } @@ -1789,7 +1723,7 @@ public class TestAccessController extends SecureTestUtil { .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName())) .addAction(AccessControlProtos.Permission.Action.CREATE)) ).build(); - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); AccessControlService.BlockingInterface protocol = 
@@ -1939,13 +1873,13 @@ public class TestAccessController extends SecureTestUtil { // Move region to the new RegionServer. List<HRegionLocation> regions; - try (RegionLocator locator = TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE2)) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE2)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); final HRegionInfo hri = location.getRegionInfo(); final ServerName server = location.getServerName(); - try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(TEST_TABLE2)) { + try (HTable table = (HTable) systemUserConnection.getTable(TEST_TABLE2)) { AccessTestAction moveAction = new AccessTestAction() { @Override public Object run() throws Exception { 
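Review bot: `HTable table = (HTable) systemUserConnection.getTable(TEST_TABLE2)` is opened around the definition of `moveAction`, and any `AccessTestAction` inside that try block that calls `table` would run over the system user's connection, which the javadoc added on `systemUserConnection` in this commit says not to do. The action bodies lie outside the hunk, so this needs checking against the full method. If an action does use `table`, it should open its own connection like the other actions in this commit, `try (Connection conn = ConnectionFactory.createConnection(conf); Table t = conn.getTable(TEST_TABLE2)) {`. Otherwise an allowed or denied result there reflects the system user's rights rather than those of the user under test.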
@@ -1997,37 +1931,25 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction listTablesAction = new AccessTestAction() { @Override public Object run() throws Exception { - Connection unmanagedConnection = - ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = unmanagedConnection.getAdmin(); - try { - admin.listTables(); - } finally { - admin.close(); - unmanagedConnection.close(); + try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin()) { + return Arrays.asList(admin.listTables()); } - return null; } }; AccessTestAction getTableDescAction = new AccessTestAction() { @Override public Object run() throws Exception { - Connection unmanagedConnection = - ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = unmanagedConnection.getAdmin(); - try { - admin.getTableDescriptor(TEST_TABLE.getTableName()); - } finally { - admin.close(); - unmanagedConnection.close(); + try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin();) { + return admin.getTableDescriptor(TEST_TABLE.getTableName()); } - return null; } }; verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN); - verifyDenied(listTablesAction, USER_RW, USER_RO, USER_NONE); + verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN); verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); @@ -2051,7 +1973,7 @@ public class TestAccessController extends SecureTestUtil { }; verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO); - verifyDenied(listTablesAction, USER_NONE); + verifyIfEmptyList(listTablesAction, USER_NONE); } @Test 
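Review bot: `Admin admin = conn.getAdmin();) {` in `getTableDescAction` leaves a stray `;` before the closing parenthesis of the resource list; it compiles, but it is inconsistent with `listTablesAction` just above and should read `Admin admin = conn.getAdmin()) {`. The same stray `;` appears in `Table t = conn.getTable(TEST_TABLE.getTableName());) {` in the hunk at -2087. Separately, `verifyIfEmptyList(listTablesAction, USER_NONE)` in the hunk at -2051 relies on that test's action returning a `List`. Its body is outside the hunk, and if it still ends in `return null` the check would fail through the "Unexpected results" branch instead of testing the filtering.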
@@ -2087,28 +2009,23 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName());) { return t.get(new Get(TEST_ROW)); - } finally { - t.close(); } } }; - verifyDenied(getAction, USER_NONE); - - String namespace = "testNamespaceUserGrant"; - NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build(); - TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc); + String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); // Grant namespace READ to USER_NONE, this should supersede any table permissions grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); - - // Now USER_NONE should be able to read also + // Now USER_NONE should be able to read verifyAllowed(getAction, USER_NONE); - TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace); + // Revoke namespace READ to USER_NONE + revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); + verifyDenied(getAction, USER_NONE); } @Test @@ -2118,11 +2035,9 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { return t.get(new Get(TEST_ROW)); - } finally { - t.close(); } } }; 
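Review bot: The `verifyDenied(getAction, USER_NONE)` precondition that ran before the grant is removed in the hunk at -2087, and the revoke now runs only when `verifyAllowed` passes. Because the grant is now made on TEST_TABLE's own namespace, a failing `verifyAllowed` leaves USER_NONE holding namespace READ for whatever test runs next against the same cluster (the static `TEST_UTIL` suggests it is shared), which can turn one failure into a string of misleading ones. Keeping the precondition line and moving the cleanup into a finally would make the test self-contained: `try { verifyAllowed(getAction, USER_NONE); } finally { revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); }`, followed by the existing `verifyDenied(getAction, USER_NONE);`.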
@@ -2131,7 +2046,7 @@ public class TestAccessController extends SecureTestUtil { // Grant table READ permissions to testGrantRevoke. try { - grantOnTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(), + grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), TEST_TABLE.getTableName(), null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); @@ -2142,7 +2057,7 @@ public class TestAccessController extends SecureTestUtil { // Revoke table READ permission to testGrantRevoke. try { - revokeFromTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(), + revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), TEST_TABLE.getTableName(), null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); @@ -2160,11 +2075,9 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { return t.get(new Get(TEST_ROW)); - } finally { - t.close(); } } }; @@ -2173,7 +2086,7 @@ public class TestAccessController extends SecureTestUtil { // Grant table READ permissions to testGlobalGrantRevoke. try { - grantGlobalUsingAccessControlClient(TEST_UTIL, connection, + grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGlobalGrantRevoke.getShortName(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); 
@@ -2184,7 +2097,7 @@ public class TestAccessController extends SecureTestUtil { // Revoke table READ permission to testGlobalGrantRevoke. try { - revokeGlobalUsingAccessControlClient(TEST_UTIL, connection, + revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGlobalGrantRevoke.getShortName(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); @@ -2201,11 +2114,9 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { return t.get(new Get(TEST_ROW)); - } finally { - t.close(); } } }; @@ -2214,7 +2125,7 @@ public class TestAccessController extends SecureTestUtil { // Grant namespace READ to testNS, this should supersede any table permissions try { - grantOnNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(), + grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); @@ -2225,7 +2136,7 @@ public class TestAccessController extends SecureTestUtil { // Revoke namespace READ to testNS, this should supersede any table permissions try { - revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(), + revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); 
@@ -2306,32 +2217,25 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction execEndpointAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName());) { BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); - } finally { - t.close(); } return null; } }; - // Verify that EXEC permission is checked correctly - verifyDenied(execEndpointAction, userB); - verifyAllowed(execEndpointAction, userA); - - String namespace = "testCoprocessorExec"; - NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build(); - TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc); - + String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); // Now grant EXEC to the entire namespace to user B grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); - // User B should now be allowed also verifyAllowed(execEndpointAction, userA, userB); - TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace); + revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); + // Verify that EXEC permission is checked correctly + verifyDenied(execEndpointAction, userB); + verifyAllowed(execEndpointAction, userA); } @Test 
@@ -2368,7 +2272,7 @@ public class TestAccessController extends SecureTestUtil { grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); try { List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions( - connection, AccessControlLists.toNamespaceEntry(namespace)); + systemUserConnection, AccessControlLists.toNamespaceEntry(namespace)); assertTrue(namespacePermissions != null); assertTrue(namespacePermissions.size() == 1); } catch (Throwable thw) { @@ -2380,15 +2284,15 @@ public class TestAccessController extends SecureTestUtil { @Test public void testTruncatePerms() throws Throwable { List<UserPermission> existingPerms = - AccessControlClient.getUserPermissions(connection, + AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.getTableName().getNameAsString()); assertTrue(existingPerms != null); assertTrue(existingPerms.size() > 1); - try (Admin admin = connection.getAdmin()) { + try (Admin admin = systemUserConnection.getAdmin()) { admin.disableTable(TEST_TABLE.getTableName()); admin.truncateTable(TEST_TABLE.getTableName(), true); } - List<UserPermission> perms = AccessControlClient.getUserPermissions(connection, + List<UserPermission> perms = AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.getTableName().getNameAsString()); assertTrue(perms != null); assertEquals(existingPerms.size(), perms.size()); 
@@ -2398,19 +2302,11 @@ public class TestAccessController extends SecureTestUtil { return new PrivilegedAction<List<UserPermission>>() { @Override public List<UserPermission> run() { - Connection connection = null; - try { - connection = ConnectionFactory.createConnection(conf); - return AccessControlClient.getUserPermissions(connection, regex); + try(Connection conn = ConnectionFactory.createConnection(conf);) { + return AccessControlClient.getUserPermissions(conn, regex); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.getUserPermissions.", e); return null; - } finally { - try { - connection.close(); - } catch (IOException e) { - LOG.error("Error during close of connection.", e); - } } } }; http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java index 54f1b1e..e828429 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java @@ -68,7 +68,7 @@ public class TestAccessController2 extends SecureTestUtil { private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static Configuration conf; - private static Connection connection; + private static Connection systemUserConnection; private final static byte[] Q1 = Bytes.toBytes("q1"); private final static byte[] value1 = Bytes.toBytes("value1"); 
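Review bot: In the `PrivilegedAction` that wraps `getUserPermissions`, the existing `catch (Throwable e)` is now attached to the try-with-resources statement and therefore also catches an exception thrown while closing `conn`. A failed close after a successful lookup now discards the result and returns null, where the old code logged the close failure separately and still returned the list. Holding the result in a local and returning it after the resource block keeps the lookup result, as sketched below. The trailing `;` after the single resource can be dropped at the same time.

```java
public List<UserPermission> run() {
  List<UserPermission> perms = null;
  try (Connection conn = ConnectionFactory.createConnection(conf)) {
    perms = AccessControlClient.getUserPermissions(conn, regex);
  } catch (Throwable e) {
    // also reached when close() fails; perms keeps the lookup result in that case
    LOG.error("error during call of AccessControlClient.getUserPermissions.", e);
  }
  return perms;
```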
@@ -108,7 +108,7 @@ public class TestAccessController2 extends SecureTestUtil { TESTGROUP2_USER1 = User.createUserForTesting(conf, "testgroup2_user2", new String[] { TESTGROUP_2 }); - connection = ConnectionFactory.createConnection(conf); + systemUserConnection = ConnectionFactory.createConnection(conf); } @Before @@ -138,7 +138,7 @@ public class TestAccessController2 extends SecureTestUtil { assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size()); try { - assertEquals(1, AccessControlClient.getUserPermissions(connection, tableName.toString()) + assertEquals(1, AccessControlClient.getUserPermissions(systemUserConnection, tableName.toString()) .size()); } catch (Throwable e) { LOG.error("Error during call of AccessControlClient.getUserPermissions. ", e); @@ -148,7 +148,6 @@ public class TestAccessController2 extends SecureTestUtil { @AfterClass public static void tearDownAfterClass() throws Exception { - connection.close(); TEST_UTIL.shutdownMiniCluster(); } @@ -254,13 +253,11 @@ public class TestAccessController2 extends SecureTestUtil { AccessTestAction writeAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, TEST_VALUE)); return null; - } finally { - t.close(); } } }; 
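Review bot: The `tearDownAfterClass` hunk drops `connection.close();`, yet `systemUserConnection` is still opened with `ConnectionFactory.createConnection(conf)` in the setup hunk above, and nothing visible in this diff closes it. Unless it is released elsewhere in the class, the connection is now left open when `shutdownMiniCluster()` runs. I would keep `systemUserConnection.close();` as the first statement of `tearDownAfterClass`.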
@@ -277,8 +274,8 @@ public class TestAccessController2 extends SecureTestUtil { AccessTestAction scanAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { ResultScanner s = t.getScanner(new Scan()); try { for (Result r = s.next(); r != null; r = s.next()) { @@ -288,8 +285,6 @@ public class TestAccessController2 extends SecureTestUtil { s.close(); } return null; - } finally { - t.close(); } } }; http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java index 0edc1e9..289b0e5 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java @@ -38,7 +38,6 @@ import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; import org.apache.hadoop.hbase.client.Delete; import org.apache.hadoop.hbase.client.Get; -import org.apache.hadoop.hbase.client.HTable; import org.apache.hadoop.hbase.client.Increment; import org.apache.hadoop.hbase.client.Put; import org.apache.hadoop.hbase.client.Table; 
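Review bot: In `scanAction` the connection and table now use try-with-resources, but the `ResultScanner s` between this hunk and the next is still closed by a hand-written `try`/`finally`, so the method mixes two cleanup styles. Declaring the scanner as a third resource, `ResultScanner s = t.getScanner(new Scan())`, would remove the inner `finally { s.close(); }`. Part of that inner block lies outside the hunk.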
@@ -153,8 +152,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { verifyAllowed(new AccessTestAction() { @Override public Object run() throws Exception { - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { Put p; // with ro ACL p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); @@ -173,8 +172,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE)); t.put(p); - } finally { - t.close(); } return null; } @@ -187,11 +184,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { public Object run() throws Exception { Get get = new Get(TEST_ROW); get.setMaxVersions(10); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { return t.get(get).listCells(); - } finally { - t.close(); } } }; @@ -201,11 +196,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { public Object run() throws Exception { Get get = new Get(TEST_ROW); get.setMaxVersions(10); - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { return t.get(get).listCells(); - } finally { - t.close(); } } }; 
@@ -218,8 +211,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { verifyAllowed(new AccessTestAction() { @Override public Object run() throws Exception { - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE.getTableName())) { Put p; p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE)); @@ -230,8 +223,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE)); t.put(p); - } finally { - t.close(); } return null; } @@ -439,7 +430,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { // The other put should be covered by the tombstone - verifyDenied(getQ2, USER_OTHER); + verifyIfNull(getQ2, USER_OTHER); } @Test http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java index ae08a15..bccf17c 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java 
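Review bot: `verifyIfNull(getQ2, USER_OTHER)` in the last hunk here, judging by its name, asserts only that the read came back empty, so a cell that was never written or was removed for an unrelated reason would satisfy it as well as the ACL or tombstone case the comment describes. Unless the lines outside the hunk already do so, pair it with a positive control on the same action, `verifyAllowed(getQ2, <user expected to see the cell>);`, so that an empty result can only mean the cell was filtered. The `verifyIfNull(getQ3, USER_OTHER)` and `verifyIfNull(getQ4, USER_OTHER)` calls in the TestCellACLs hunk need the same control.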
@@ -228,8 +228,8 @@ public class TestCellACLs extends SecureTestUtil { // Confirm this access does not extend to other cells - verifyDenied(getQ3, USER_OTHER); - verifyDenied(getQ4, USER_OTHER); + verifyIfNull(getQ3, USER_OTHER); + verifyIfNull(getQ4, USER_OTHER); /* ---- Scans ---- */ http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 91b38ea..4576260 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java @@ -35,7 +35,6 @@ import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; import org.apache.hadoop.hbase.client.Get; -import org.apache.hadoop.hbase.client.HTable; import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.Table; import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment; @@ -156,8 +155,8 @@ public class TestNamespaceCommands extends SecureTestUtil { @Test public void testAclTableEntries() throws Exception { String userTestNamespace = "userTestNsp"; - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { ListMultimap<String, TablePermission> perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); 
@@ -188,8 +187,6 @@ public class TestNamespaceCommands extends SecureTestUtil { perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); assertEquals(5, perms.size()); - } finally { - acl.close(); } } @@ -208,16 +205,16 @@ public class TestNamespaceCommands extends SecureTestUtil { SUPERUSER, USER_GLOBAL_ADMIN); - verifyDeniedWithException(modifyNamespace, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC); + verifyDenied(modifyNamespace, + USER_GLOBAL_CREATE, + USER_GLOBAL_WRITE, + USER_GLOBAL_READ, + USER_GLOBAL_EXEC, + USER_NS_ADMIN, + USER_NS_CREATE, + USER_NS_WRITE, + USER_NS_READ, + USER_NS_EXEC); } @Test @@ -246,7 +243,7 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_GLOBAL_ADMIN); // all others should be denied - verifyDeniedWithException(createNamespace, + verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, @@ -264,18 +261,18 @@ public class TestNamespaceCommands extends SecureTestUtil { SUPERUSER, USER_GLOBAL_ADMIN); - verifyDeniedWithException(deleteNamespace, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyDenied(deleteNamespace, + USER_GLOBAL_CREATE, + USER_GLOBAL_WRITE, + USER_GLOBAL_READ, + USER_GLOBAL_EXEC, + USER_NS_ADMIN, + USER_NS_CREATE, + USER_NS_WRITE, + USER_NS_READ, + USER_NS_EXEC, + USER_TABLE_CREATE, + USER_TABLE_WRITE); } @Test 
@@ -294,17 +291,17 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_GLOBAL_ADMIN, USER_NS_ADMIN); - verifyDeniedWithException(getNamespaceAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyDenied(getNamespaceAction, + USER_GLOBAL_CREATE, + USER_GLOBAL_WRITE, + USER_GLOBAL_READ, + USER_GLOBAL_EXEC, + USER_NS_CREATE, + USER_NS_WRITE, + USER_NS_READ, + USER_NS_EXEC, + USER_TABLE_CREATE, + USER_TABLE_WRITE); } @Test @@ -359,15 +356,13 @@ public class TestNamespaceCommands extends SecureTestUtil { AccessTestAction grantAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); ProtobufUtil.grant(protocol, testUser, TEST_NAMESPACE, Action.WRITE); - } finally { - acl.close(); } return null; } @@ -375,15 +370,13 @@ public class TestNamespaceCommands extends SecureTestUtil { AccessTestAction revokeAction = new AccessTestAction() { public Object run() throws Exception { - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); ProtobufUtil.revoke(protocol, testUser, TEST_NAMESPACE, Action.WRITE); - } finally { - acl.close(); } return null; } 
@@ -392,14 +385,12 @@ public class TestNamespaceCommands extends SecureTestUtil { AccessTestAction getPermissionsAction = new AccessTestAction() { @Override public Object run() throws Exception { - Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); ProtobufUtil.getUserPermissions(protocol, Bytes.toBytes(TEST_NAMESPACE)); - } finally { - acl.close(); } return null; } 
@@ -409,52 +400,52 @@ public class TestNamespaceCommands extends SecureTestUtil { SUPERUSER, USER_GLOBAL_ADMIN); - verifyDeniedWithException(grantAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyDenied(grantAction, + USER_GLOBAL_CREATE, + USER_GLOBAL_WRITE, + USER_GLOBAL_READ, + USER_GLOBAL_EXEC, + USER_NS_ADMIN, + USER_NS_CREATE, + USER_NS_WRITE, + USER_NS_READ, + USER_NS_EXEC, + USER_TABLE_CREATE, + USER_TABLE_WRITE); verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN); - verifyDeniedWithException(revokeAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyDenied(revokeAction, + USER_GLOBAL_CREATE, + USER_GLOBAL_WRITE, + USER_GLOBAL_READ, + USER_GLOBAL_EXEC, + USER_NS_ADMIN, + USER_NS_CREATE, + USER_NS_WRITE, + USER_NS_READ, + USER_NS_EXEC, + USER_TABLE_CREATE, + USER_TABLE_WRITE); verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN); - verifyDeniedWithException(getPermissionsAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyDenied(getPermissionsAction, + USER_GLOBAL_CREATE, + USER_GLOBAL_WRITE, + USER_GLOBAL_READ, + USER_GLOBAL_EXEC, + USER_NS_CREATE, + USER_NS_WRITE, + USER_NS_READ, + USER_NS_EXEC, + USER_TABLE_CREATE, + USER_TABLE_WRITE); } @Test 
@@ -475,16 +466,16 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_GLOBAL_CREATE, USER_NS_CREATE); - verifyDeniedWithException(createTable, - USER_GLOBAL_ADMIN, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyDenied(createTable, + USER_GLOBAL_ADMIN, + USER_GLOBAL_WRITE, + USER_GLOBAL_READ, + USER_GLOBAL_EXEC, + USER_NS_ADMIN, + USER_NS_WRITE, + USER_NS_READ, + USER_NS_EXEC, + USER_TABLE_CREATE, + USER_TABLE_WRITE); } } http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java index b14c706..0e618bd 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java @@ -220,7 +220,7 @@ public class TestScanEarlyTermination extends SecureTestUtil { }, USER_OTHER); // A scan of FAMILY2 will throw an AccessDeniedException - verifyDeniedWithException(new AccessTestAction() { + verifyDenied(new AccessTestAction() { @Override public Object run() throws Exception { // force a new RS connection
