HBASE-20199 Add a unit test to verify flush and snapshot permission requirements aren't excessive
Signed-off-by: Ted Yu <yuzhih...@gmail.com> Signed-off-by: Michael Stack <st...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/5712fd04 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/5712fd04 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/5712fd04 Branch: refs/heads/branch-2 Commit: 5712fd0451cbf8f40b780ff69a0e9994ff9af3a1 Parents: 6f1aa0e Author: Josh Elser <els...@apache.org> Authored: Mon Mar 26 17:52:37 2018 -0400 Committer: Josh Elser <els...@apache.org> Committed: Tue Mar 27 20:10:28 2018 -0400 ---------------------------------------------------------------------- .../access/TestAdminOnlyOperations.java | 268 -------------- .../security/access/TestRpcAccessChecks.java | 362 +++++++++++++++++++ 2 files changed, 362 insertions(+), 268 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/5712fd04/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAdminOnlyOperations.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAdminOnlyOperations.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAdminOnlyOperations.java deleted file mode 100644 index 42d2f36..0000000 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAdminOnlyOperations.java +++ /dev/null @@ -1,268 +0,0 @@ - -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hbase.security.access; - -import static org.apache.hadoop.hbase.AuthUtil.toGroupEntry; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; -import static org.mockito.Mockito.mock; - -import com.google.protobuf.Service; -import com.google.protobuf.ServiceException; -import java.io.IOException; -import java.security.PrivilegedExceptionAction; -import java.util.Collections; -import java.util.HashMap; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.hbase.HBaseClassTestRule; -import org.apache.hadoop.hbase.HBaseTestingUtility; -import org.apache.hadoop.hbase.ServerName; -import org.apache.hadoop.hbase.TableName; -import org.apache.hadoop.hbase.client.Admin; -import org.apache.hadoop.hbase.client.Connection; -import org.apache.hadoop.hbase.client.ConnectionFactory; -import org.apache.hadoop.hbase.coprocessor.CoprocessorHost; -import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor; -import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessor; -import org.apache.hadoop.hbase.ipc.protobuf.generated.TestProtos; -import org.apache.hadoop.hbase.ipc.protobuf.generated.TestRpcServiceProtos; -import org.apache.hadoop.hbase.security.AccessDeniedException; -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.testclassification.MediumTests; -import org.apache.hadoop.hbase.testclassification.SecurityTests; -import org.junit.BeforeClass; -import org.junit.ClassRule; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -/** - * This class tests operations in MasterRpcServices which require ADMIN access. - * It doesn't test all operations which require ADMIN access, only those which get vetted within - * MasterRpcServices at the point of entry itself (unlike old approach of using - * hooks in AccessController). - * - * Sidenote: - * There is one big difference between how security tests for AccessController hooks work, and how - * the tests in this class for security in MasterRpcServices work. - * The difference arises because of the way AC & MasterRpcServices get the user. - * - * In AccessController, it first checks if there is an active rpc user in ObserverContext. If not, - * it uses UserProvider for current user. This *might* make sense in the context of coprocessors, - * because they can be called outside the context of RPCs. - * But in the context of MasterRpcServices, only one way makes sense - RPCServer.getRequestUser(). - * - * In AC tests, when we do FooUser.runAs on AccessController instance directly, it bypasses - * the rpc framework completely, but works because UserProvider provides the correct user, i.e. - * FooUser in this case. - * - * But this doesn't work for the tests here, so we go around by doing complete RPCs. - */ -@Category({SecurityTests.class, MediumTests.class}) -public class TestAdminOnlyOperations { - @ClassRule - public static final HBaseClassTestRule CLASS_RULE = - HBaseClassTestRule.forClass(TestAdminOnlyOperations.class); - - private final static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); - private static Configuration conf; - - // user granted with all global permission - private static User USER_ADMIN; - // user without admin permissions - private static User USER_NON_ADMIN; - - private static final String GROUP_ADMIN = "admin_group"; - private static User USER_GROUP_ADMIN; - - // Dummy service to test execService calls. Needs to be public so can be loaded as Coprocessor. - public static class DummyCpService implements MasterCoprocessor, RegionServerCoprocessor { - public DummyCpService() {} - - @Override - public Iterable<Service> getServices() { - return Collections.singleton(mock(TestRpcServiceProtos.TestProtobufRpcProto.class)); - } - } - - private static void enableSecurity(Configuration conf) throws IOException { - conf.set("hadoop.security.authorization", "false"); - conf.set("hadoop.security.authentication", "simple"); - conf.set(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, AccessController.class.getName() + - "," + DummyCpService.class.getName()); - conf.set(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, AccessController.class.getName()); - conf.set(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY, AccessController.class.getName() + - "," + DummyCpService.class.getName()); - conf.set(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, "true"); - SecureTestUtil.configureSuperuser(conf); - } - - @BeforeClass - public static void setup() throws Exception { - conf = TEST_UTIL.getConfiguration(); - - // Enable security - enableSecurity(conf); - TEST_UTIL.startMiniCluster(); - - // Wait for the ACL table to become available - TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME); - - // Create users - USER_ADMIN = User.createUserForTesting(conf, "admin", new String[0]); - USER_NON_ADMIN = User.createUserForTesting(conf, "non_admin", new String[0]); - USER_GROUP_ADMIN = - User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); - - // Assign permissions to users and groups - SecureTestUtil.grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), Permission.Action.ADMIN); - SecureTestUtil.grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN); - // No permissions to USER_NON_ADMIN - } - - interface Action { - void run(Admin admin) throws Exception; - } - - private void verifyAllowed(User user, Action action) throws Exception { - user.runAs((PrivilegedExceptionAction<?>) () -> { - try (Connection conn = ConnectionFactory.createConnection(conf); - Admin admin = conn.getAdmin()) { - action.run(admin); - } catch (IOException e) { - fail(e.toString()); - } - return null; - }); - } - - private void verifyDenied(User user, Action action) throws Exception { - user.runAs((PrivilegedExceptionAction<?>) () -> { - boolean accessDenied = false; - try (Connection conn = ConnectionFactory.createConnection(conf); - Admin admin = conn.getAdmin()) { - action.run(admin); - } catch (AccessDeniedException e) { - accessDenied = true; - } - assertTrue("Expected access to be denied", accessDenied); - return null; - }); - } - - private void verifiedDeniedServiceException(User user, Action action) throws Exception { - user.runAs((PrivilegedExceptionAction<?>) () -> { - boolean accessDenied = false; - try (Connection conn = ConnectionFactory.createConnection(conf); - Admin admin = conn.getAdmin()) { - action.run(admin); - } catch (ServiceException e) { - // For MasterRpcServices.execService. - if (e.getCause() instanceof AccessDeniedException) { - accessDenied = true; - } - } - assertTrue("Expected access to be denied", accessDenied); - return null; - }); - - } - - private void verifyAdminCheckForAction(Action action) throws Exception { - verifyAllowed(USER_ADMIN, action); - verifyAllowed(USER_GROUP_ADMIN, action); - verifyDenied(USER_NON_ADMIN, action); - } - - @Test - public void testEnableCatalogJanitor() throws Exception { - verifyAdminCheckForAction((admin) -> admin.enableCatalogJanitor(true)); - } - - @Test - public void testRunCatalogJanitor() throws Exception { - verifyAdminCheckForAction((admin) -> admin.runCatalogJanitor()); - } - - @Test - public void testCleanerChoreRunning() throws Exception { - verifyAdminCheckForAction((admin) -> admin.cleanerChoreSwitch(true)); - } - - @Test - public void testRunCleanerChore() throws Exception { - verifyAdminCheckForAction((admin) -> admin.runCleanerChore()); - } - - @Test - public void testExecProcedure() throws Exception { - verifyAdminCheckForAction((admin) -> { - // Using existing table instead of creating a new one. - admin.execProcedure("flush-table-proc", TableName.META_TABLE_NAME.getNameAsString(), - new HashMap<>()); - }); - } - - @Test - public void testExecService() throws Exception { - Action action = (admin) -> { - TestRpcServiceProtos.TestProtobufRpcProto.BlockingInterface service = - TestRpcServiceProtos.TestProtobufRpcProto.newBlockingStub(admin.coprocessorService()); - service.ping(null, TestProtos.EmptyRequestProto.getDefaultInstance()); - }; - - verifyAllowed(USER_ADMIN, action); - verifyAllowed(USER_GROUP_ADMIN, action); - // This is same as above verifyAccessDenied - verifiedDeniedServiceException(USER_NON_ADMIN, action); - } - - @Test - public void testExecProcedureWithRet() throws Exception { - verifyAdminCheckForAction((admin) -> { - // Using existing table instead of creating a new one. - admin.execProcedureWithReturn("flush-table-proc", TableName.META_TABLE_NAME.getNameAsString(), - new HashMap<>()); - }); - } - - @Test - public void testNormalize() throws Exception { - verifyAdminCheckForAction((admin) -> admin.normalize()); - } - - @Test - public void testSetNormalizerRunning() throws Exception { - verifyAdminCheckForAction((admin) -> admin.normalizerSwitch(true)); - } - - @Test - public void testExecRegionServerService() throws Exception { - Action action = (admin) -> { - ServerName serverName = TEST_UTIL.getHBaseCluster().getRegionServer(0).getServerName(); - TestRpcServiceProtos.TestProtobufRpcProto.BlockingInterface service = - TestRpcServiceProtos.TestProtobufRpcProto.newBlockingStub( - admin.coprocessorService(serverName)); - service.ping(null, TestProtos.EmptyRequestProto.getDefaultInstance()); - }; - - verifyAllowed(USER_ADMIN, action); - verifyAllowed(USER_GROUP_ADMIN, action); - verifiedDeniedServiceException(USER_NON_ADMIN, action); - } -} http://git-wip-us.apache.org/repos/asf/hbase/blob/5712fd04/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java new file mode 100644 index 0000000..55873bb --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java @@ -0,0 +1,362 @@ + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hbase.security.access; + +import static org.apache.hadoop.hbase.AuthUtil.toGroupEntry; +import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; +import static org.mockito.Mockito.mock; + +import com.google.protobuf.Service; +import com.google.protobuf.ServiceException; +import java.io.IOException; +import java.security.PrivilegedExceptionAction; +import java.util.Collections; +import java.util.HashMap; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.Cell; +import org.apache.hadoop.hbase.CellUtil; +import org.apache.hadoop.hbase.HBaseClassTestRule; +import org.apache.hadoop.hbase.HBaseTestingUtility; +import org.apache.hadoop.hbase.ServerName; +import org.apache.hadoop.hbase.TableName; +import org.apache.hadoop.hbase.client.Admin; +import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; +import org.apache.hadoop.hbase.client.Connection; +import org.apache.hadoop.hbase.client.ConnectionFactory; +import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.Put; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.Table; +import org.apache.hadoop.hbase.client.TableDescriptor; +import org.apache.hadoop.hbase.client.TableDescriptorBuilder; +import org.apache.hadoop.hbase.coprocessor.CoprocessorHost; +import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor; +import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessor; +import org.apache.hadoop.hbase.ipc.protobuf.generated.TestProtos; +import org.apache.hadoop.hbase.ipc.protobuf.generated.TestRpcServiceProtos; +import org.apache.hadoop.hbase.security.AccessDeniedException; +import org.apache.hadoop.hbase.security.User; +import org.apache.hadoop.hbase.testclassification.MediumTests; +import org.apache.hadoop.hbase.testclassification.SecurityTests; +import org.apache.hadoop.hbase.util.Bytes; +import org.junit.BeforeClass; +import org.junit.ClassRule; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; +import org.junit.rules.TestName; + +/** + * This class tests operations in MasterRpcServices which require ADMIN access. + * It doesn't test all operations which require ADMIN access, only those which get vetted within + * MasterRpcServices at the point of entry itself (unlike old approach of using + * hooks in AccessController). + * + * Sidenote: + * There is one big difference between how security tests for AccessController hooks work, and how + * the tests in this class for security in MasterRpcServices work. + * The difference arises because of the way AC & MasterRpcServices get the user. + * + * In AccessController, it first checks if there is an active rpc user in ObserverContext. If not, + * it uses UserProvider for current user. This *might* make sense in the context of coprocessors, + * because they can be called outside the context of RPCs. + * But in the context of MasterRpcServices, only one way makes sense - RPCServer.getRequestUser(). + * + * In AC tests, when we do FooUser.runAs on AccessController instance directly, it bypasses + * the rpc framework completely, but works because UserProvider provides the correct user, i.e. + * FooUser in this case. + * + * But this doesn't work for the tests here, so we go around by doing complete RPCs. + */ +@Category({SecurityTests.class, MediumTests.class}) +public class TestRpcAccessChecks { + @ClassRule + public static final HBaseClassTestRule CLASS_RULE = + HBaseClassTestRule.forClass(TestRpcAccessChecks.class); + + @Rule + public final TestName TEST_NAME = new TestName(); + + private final static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); + private static Configuration conf; + + // user granted with all global permission + private static User USER_ADMIN; + // user without admin permissions + private static User USER_NON_ADMIN; + + private static final String GROUP_ADMIN = "admin_group"; + private static User USER_GROUP_ADMIN; + + // Dummy service to test execService calls. Needs to be public so can be loaded as Coprocessor. + public static class DummyCpService implements MasterCoprocessor, RegionServerCoprocessor { + public DummyCpService() {} + + @Override + public Iterable<Service> getServices() { + return Collections.singleton(mock(TestRpcServiceProtos.TestProtobufRpcProto.class)); + } + } + + private static void enableSecurity(Configuration conf) throws IOException { + conf.set("hadoop.security.authorization", "false"); + conf.set("hadoop.security.authentication", "simple"); + conf.set(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, AccessController.class.getName() + + "," + DummyCpService.class.getName()); + conf.set(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, AccessController.class.getName()); + conf.set(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY, AccessController.class.getName() + + "," + DummyCpService.class.getName()); + conf.set(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, "true"); + SecureTestUtil.configureSuperuser(conf); + } + + @BeforeClass + public static void setup() throws Exception { + conf = TEST_UTIL.getConfiguration(); + + // Enable security + enableSecurity(conf); + TEST_UTIL.startMiniCluster(); + + // Wait for the ACL table to become available + TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME); + + // Create users + USER_ADMIN = User.createUserForTesting(conf, "admin", new String[0]); + USER_NON_ADMIN = User.createUserForTesting(conf, "non_admin", new String[0]); + USER_GROUP_ADMIN = + User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); + + // Assign permissions to users and groups + SecureTestUtil.grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), Permission.Action.ADMIN); + SecureTestUtil.grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN); + // No permissions to USER_NON_ADMIN + } + + interface Action { + void run(Admin admin) throws Exception; + } + + private void verifyAllowed(User user, Action action) throws Exception { + user.runAs((PrivilegedExceptionAction<?>) () -> { + try (Connection conn = ConnectionFactory.createConnection(conf); + Admin admin = conn.getAdmin()) { + action.run(admin); + } catch (IOException e) { + fail(e.toString()); + } + return null; + }); + } + + private void verifyDenied(User user, Action action) throws Exception { + user.runAs((PrivilegedExceptionAction<?>) () -> { + boolean accessDenied = false; + try (Connection conn = ConnectionFactory.createConnection(conf); + Admin admin = conn.getAdmin()) { + action.run(admin); + } catch (AccessDeniedException e) { + accessDenied = true; + } + assertTrue("Expected access to be denied", accessDenied); + return null; + }); + } + + private void verifiedDeniedServiceException(User user, Action action) throws Exception { + user.runAs((PrivilegedExceptionAction<?>) () -> { + boolean accessDenied = false; + try (Connection conn = ConnectionFactory.createConnection(conf); + Admin admin = conn.getAdmin()) { + action.run(admin); + } catch (ServiceException e) { + // For MasterRpcServices.execService. + if (e.getCause() instanceof AccessDeniedException) { + accessDenied = true; + } + } + assertTrue("Expected access to be denied", accessDenied); + return null; + }); + + } + + private void verifyAdminCheckForAction(Action action) throws Exception { + verifyAllowed(USER_ADMIN, action); + verifyAllowed(USER_GROUP_ADMIN, action); + verifyDenied(USER_NON_ADMIN, action); + } + + @Test + public void testEnableCatalogJanitor() throws Exception { + verifyAdminCheckForAction((admin) -> admin.enableCatalogJanitor(true)); + } + + @Test + public void testRunCatalogJanitor() throws Exception { + verifyAdminCheckForAction((admin) -> admin.runCatalogJanitor()); + } + + @Test + public void testCleanerChoreRunning() throws Exception { + verifyAdminCheckForAction((admin) -> admin.cleanerChoreSwitch(true)); + } + + @Test + public void testRunCleanerChore() throws Exception { + verifyAdminCheckForAction((admin) -> admin.runCleanerChore()); + } + + @Test + public void testExecProcedure() throws Exception { + verifyAdminCheckForAction((admin) -> { + // Using existing table instead of creating a new one. + admin.execProcedure("flush-table-proc", TableName.META_TABLE_NAME.getNameAsString(), + new HashMap<>()); + }); + } + + @Test + public void testExecService() throws Exception { + Action action = (admin) -> { + TestRpcServiceProtos.TestProtobufRpcProto.BlockingInterface service = + TestRpcServiceProtos.TestProtobufRpcProto.newBlockingStub(admin.coprocessorService()); + service.ping(null, TestProtos.EmptyRequestProto.getDefaultInstance()); + }; + + verifyAllowed(USER_ADMIN, action); + verifyAllowed(USER_GROUP_ADMIN, action); + // This is same as above verifyAccessDenied + verifiedDeniedServiceException(USER_NON_ADMIN, action); + } + + @Test + public void testExecProcedureWithRet() throws Exception { + verifyAdminCheckForAction((admin) -> { + // Using existing table instead of creating a new one. + admin.execProcedureWithReturn("flush-table-proc", TableName.META_TABLE_NAME.getNameAsString(), + new HashMap<>()); + }); + } + + @Test + public void testNormalize() throws Exception { + verifyAdminCheckForAction((admin) -> admin.normalize()); + } + + @Test + public void testSetNormalizerRunning() throws Exception { + verifyAdminCheckForAction((admin) -> admin.normalizerSwitch(true)); + } + + @Test + public void testExecRegionServerService() throws Exception { + Action action = (admin) -> { + ServerName serverName = TEST_UTIL.getHBaseCluster().getRegionServer(0).getServerName(); + TestRpcServiceProtos.TestProtobufRpcProto.BlockingInterface service = + TestRpcServiceProtos.TestProtobufRpcProto.newBlockingStub( + admin.coprocessorService(serverName)); + service.ping(null, TestProtos.EmptyRequestProto.getDefaultInstance()); + }; + + verifyAllowed(USER_ADMIN, action); + verifyAllowed(USER_GROUP_ADMIN, action); + verifiedDeniedServiceException(USER_NON_ADMIN, action); + } + + @Test + public void testTableFlush() throws Exception { + TableName tn = TableName.valueOf(TEST_NAME.getMethodName()); + TableDescriptor desc = TableDescriptorBuilder.newBuilder(tn) + .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1")).build(); + Action adminAction = (admin) -> { + admin.createTable(desc); + // Avoid giving a global permission which may screw up other tests + SecureTestUtil.grantOnTable( + TEST_UTIL, USER_NON_ADMIN.getShortName(), tn, null, null, Permission.Action.READ, + Permission.Action.WRITE, Permission.Action.CREATE); + }; + verifyAllowed(USER_ADMIN, adminAction); + + Action userAction = (admin) -> { + Connection conn = admin.getConnection(); + final byte[] rowKey = Bytes.toBytes("row1"); + final byte[] col = Bytes.toBytes("q1"); + final byte[] val = Bytes.toBytes("v1"); + try (Table table = conn.getTable(tn)) { + // Write a value + Put p = new Put(rowKey); + p.addColumn(Bytes.toBytes("f1"), col, val); + table.put(p); + // Flush should not require ADMIN permission + admin.flush(tn); + // Nb: ideally, we would verify snapshot permission too (as that was fixed in the + // regression HBASE-20185) but taking a snapshot requires ADMIN permission which + // masks the root issue. + // Make sure we read the value + Result result = table.get(new Get(rowKey)); + assertFalse(result.isEmpty()); + Cell c = result.getColumnLatestCell(Bytes.toBytes("f1"), col); + assertArrayEquals(val, CellUtil.cloneValue(c)); + } + }; + verifyAllowed(USER_NON_ADMIN, userAction); + } + + @Test + public void testTableFlushAndSnapshot() throws Exception { + TableName tn = TableName.valueOf(TEST_NAME.getMethodName()); + TableDescriptor desc = TableDescriptorBuilder.newBuilder(tn) + .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1")).build(); + Action adminAction = (admin) -> { + admin.createTable(desc); + // Giving ADMIN here, but only on this table, *not* globally + SecureTestUtil.grantOnTable( + TEST_UTIL, USER_NON_ADMIN.getShortName(), tn, null, null, Permission.Action.READ, + Permission.Action.WRITE, Permission.Action.CREATE, Permission.Action.ADMIN); + }; + verifyAllowed(USER_ADMIN, adminAction); + + Action userAction = (admin) -> { + Connection conn = admin.getConnection(); + final byte[] rowKey = Bytes.toBytes("row1"); + final byte[] col = Bytes.toBytes("q1"); + final byte[] val = Bytes.toBytes("v1"); + try (Table table = conn.getTable(tn)) { + // Write a value + Put p = new Put(rowKey); + p.addColumn(Bytes.toBytes("f1"), col, val); + table.put(p); + // Flush should not require ADMIN permission + admin.flush(tn); + // Table admin should be sufficient to snapshot this table + admin.snapshot(tn.getNameAsString() + "_snapshot1", tn); + // Read the value just because + Result result = table.get(new Get(rowKey)); + assertFalse(result.isEmpty()); + Cell c = result.getColumnLatestCell(Bytes.toBytes("f1"), col); + assertArrayEquals(val, CellUtil.cloneValue(c)); + } + }; + verifyAllowed(USER_NON_ADMIN, userAction); + } +}