Thanks, that got me a little further, but it seems like even though the
security capabilities say that cell visibility is enabled, the scanner
ignores the authorization list I pass. This is the relevant code:

    private static HBaseTestingUtility UTILITY;
    private static final String[] FULL_AUTHS = new String[] { "PII", "PHI", "UNRESTRICTED" };
    private static final String[] PII_AUTHS = new String[] { "PII", "UNRESTRICTED" };
    private static final String[] PHI_AUTHS = new String[] { "PHI", "UNRESTRICTED" };
    private static final String USER_ID = "john.smith";
    private static final String TABLE_NAME = "label_test_table";
    private static final String FAM = "prop";
    private static final String ROW = "test-row-id";
    private static final String DEFAULT_VISIBILITY = "PII|UNRESTRICTED";
    private static final String CLIENT_VAL = "hbaseClient";

    @BeforeClass
    public static void setup() throws Throwable {
        UTILITY = new HBaseTestingUtility();///conf);
        Configuration conf = UTILITY.getConfiguration();
        SecureTestUtil.enableSecurity(conf);
        conf.set("hbase.coprocessor.region.classes",
            "org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController");
        conf.set("hbase.coprocessor.master.classes",
            "org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController");
        UTILITY.startMiniCluster();
        UTILITY.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
        UTILITY.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);
        List<SecurityCapability> capabilities =
            UTILITY.getConnection().getAdmin().getSecurityCapabilities();
        Assert.assertTrue("CELL_VISIBILITY capability is missing",
            capabilities.contains(SecurityCapability.CELL_VISIBILITY));
        LOCAL_USER = User.createUserForTesting(conf, USER_ID, new String[]{});
        VisibilityClient.addLabels(UTILITY.getConnection(), FULL_AUTHS);
        VisibilityClient.setAuths(UTILITY.getConnection(), new String[]{"PHI"}, USER_ID);
        clientService = new IntegrationTestClientService(UTILITY.getConnection());
        UTILITY.createTable(TABLE_NAME.getBytes(), FAM.getBytes());
    }

    @Test
    public void testGetHBase() throws Exception {
        Table table = UTILITY.getConnection().getTable(TableName.valueOf(TABLE_NAME));
        Put put = new Put(ROW.getBytes());
        put.addColumn(FAM.getBytes(), "fullName".getBytes(), "john.smith2".getBytes());
        put.setCellVisibility(new CellVisibility("PII&UNRESTRICTED"));
        //Also tried PII|UNRESTRICTED
        table.put(put);
        table.close();
        LOCAL_USER.runAs((PrivilegedExceptionAction<Object>) () -> {
            Scan scan = new Scan();
            scan.setAuthorizations(new Authorizations("PHI"));
            ResultScanner scanner = table.getScanner(scan);
            Result res = scanner.next();
            Assert.assertTrue("It was not null", res == null);
            return null;
        });
    }

(A chunk of that is copy pasta from trying to figure out why things weren't
working along the way)
Any ideas?
Thanks,
Mike
On Thu, Feb 22, 2018 at 3:14 PM, Ted Yu <[email protected]> wrote:
> labels table is created by VisibilityController#postStartMaster().
>
> You can add the following call in the @BeforeClass method:
>
>
> TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
>
>
> See TestVisibilityLabelsWithACL for complete example.
>
>
>
> On Thu, Feb 22, 2018 at 12:07 PM, Mike Thomsen <[email protected]>
> wrote:
>
> > I'm trying to spin up a mini cluster for integration testing. Can someone
> > give me an idea of what I'm doing wrong?
> >
> >     public static void main(String[] args) throws Throwable {
> >
> >         Configuration conf =
> >             org.apache.hadoop.hbase.HBaseConfiguration.create();
> >         conf.set("hbase.coprocessor.region.classes",
> >             "org.apache.hadoop.hbase.security.visibility.VisibilityController");
> >         conf.set("hbase.coprocessor.master.classes",
> >             "org.apache.hadoop.hbase.security.visibility.VisibilityController");
> >
> >         utility = new HBaseTestingUtility(conf);
> >
> >         utility.startMiniCluster();
> >
> >         VisibilityClient.addLabels(utility.getConnection(),
> >             new String[]{ "X", "Y", "Z" });
> >     }
> >
> > That results in this:
> >
> > org.apache.hadoop.hbase.TableNotFoundException: hbase:labels
> >
> > Thanks,
> >
> > Mike
> >
>
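
For reference, a simplified offline model of the check the test above expects: a cell labelled PII&UNRESTRICTED (or PII|UNRESTRICTED) should be hidden from a scan whose only authorization is PHI. This is an added example, not code from the thread or from HBase; the class VisibilityModel, the rule that a requested label counts only when it is also granted to the user, and '&' binding tighter than '|' are assumptions of the model.

```java
import java.util.HashSet;
import java.util.Set;
// Added illustration, not HBase code: a simplified model of cell visibility checks.
public class VisibilityModel {
    private final String expr;
    private final Set<String> auths;
    private int pos = 0;
    private VisibilityModel(String e, Set<String> a) { expr = e.replace(" ", ""); auths = a; }

    // Assumption: a label requested by the scan counts only if it is also granted to the user.
    static boolean visible(String cellExpr, Set<String> granted, Set<String> requested) {
        Set<String> effective = new HashSet<>(requested);
        effective.retainAll(granted);
        VisibilityModel m = new VisibilityModel(cellExpr, effective);
        boolean result = m.or();
        if (m.pos != m.expr.length()) throw new IllegalArgumentException("bad expression: " + cellExpr);
        return result;
    }
    private boolean or() {    // or := and ('|' and)*  (assumed precedence: '&' before '|')
        boolean v = and();
        while (peek('|')) { pos++; boolean r = and(); v = v || r; }
        return v;
    }
    private boolean and() {   // and := unary ('&' unary)*
        boolean v = unary();
        while (peek('&')) { pos++; boolean r = unary(); v = v && r; }
        return v;
    }
    private boolean unary() { // unary := '!' unary | '(' or ')' | LABEL
        if (peek('!')) { pos++; return !unary(); }
        if (peek('(')) {
            pos++;
            boolean v = or();
            if (!peek(')')) throw new IllegalArgumentException("missing ')'");
            pos++;
            return v;
        }
        int start = pos;
        while (pos < expr.length() && "&|!()".indexOf(expr.charAt(pos)) < 0) pos++;
        if (start == pos) throw new IllegalArgumentException("label expected at " + start);
        return auths.contains(expr.substring(start, pos));
    }
    private boolean peek(char c) { return pos < expr.length() && expr.charAt(pos) == c; }
    public static void main(String[] args) {
        Set<String> phi = Set.of("PHI"); // granted via setAuths and requested via setAuthorizations in the test
        System.out.println(visible("PII&UNRESTRICTED", phi, phi));
        System.out.println(visible("PII|UNRESTRICTED", phi, phi));
        System.out.println(visible("PII|UNRESTRICTED", Set.of("PII", "PHI"), Set.of("PII")));
    }
}
```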