/**
 * Adds a master to the cluster while acting as the supplied user.
 *
 * <p>The work is done by the two-argument {@code addMaster(c, index)} overload, invoked from
 * inside {@code user.runAs(...)} so that it executes within that user's privileged-action
 * context rather than the caller's.
 *
 * @param c configuration passed through to {@code addMaster(c, index)}
 * @param index index passed through to {@code addMaster(c, index)}
 * @param user user whose {@code runAs} wraps the delegated call
 * @return whatever the delegated {@code addMaster(c, index)} call returns
 * @throws IOException as declared; propagated from {@code user.runAs}
 * @throws InterruptedException as declared; propagated from {@code user.runAs}
 */
public JVMClusterUtil.MasterThread addMaster(final Configuration c, final int index, User user)
    throws IOException, InterruptedException {
  // Name the action first so the identity switch reads as one step.
  final PrivilegedExceptionAction<JVMClusterUtil.MasterThread> startAsUser =
      new PrivilegedExceptionAction<JVMClusterUtil.MasterThread>() {
        @Override
        public JVMClusterUtil.MasterThread run() throws Exception {
          return addMaster(c, index);
        }
      };
  return user.runAs(startAsUser);
}
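  /**
   * Starts a mini cluster with visibility labels enabled and active authorization disabled,
   * then creates the test users and seeds the labels used by the tests.
   *
   * <p>Order matters: the superuser and the visibility coprocessor are configured before
   * {@code HBASE_SECURITY_AUTHORIZATION_CONF_KEY} is switched off, and all of that happens
   * before the cluster starts, so the running cluster sees the final configuration.
   *
   * @throws Exception if cluster start-up or label seeding fails
   */
  @BeforeClass
  public static void setUpBeforeClass() throws Exception {
    conf = TEST_UTIL.getConfiguration();

    // Set up superuser
    SecureTestUtil.configureSuperuser(conf);

    // Install the VisibilityController as a system processor
    VisibilityTestUtil.enableVisiblityLabels(conf);

    // Now, DISABLE active authorization. The tests in this class exercise the cluster in this
    // deliberately relaxed mode; nothing here asserts what an unprivileged caller may do.
    conf.setBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, false);

    TEST_UTIL.startMiniCluster();

    // Wait for the labels table to become available
    TEST_UTIL.waitUntilAllRegionsAssigned(LABELS_TABLE_NAME);

    // create a set of test users
    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] {"supergroup"});
    USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);

    // Define test labels, and grant USER_RW two of the three so tests start from a known state.
    SUPERUSER.runAs(
        new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
              VisibilityClient.addLabels(conn, new String[] {SECRET, CONFIDENTIAL, PRIVATE});
              VisibilityClient.setAuths(
                  conn, new String[] {SECRET, CONFIDENTIAL}, USER_RW.getShortName());
            } catch (Throwable t) {
              // Keep the original failure as the cause; a bare fail() hides why setup broke.
              throw new AssertionError("Should not have failed", t);
            }
            return null;
          }
        });
  }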
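  /**
   * Verifies that the superuser can set, read and clear a user's visibility authorizations
   * while active authorization is disabled.
   *
   * <p>Every call in this test runs as {@code SUPERUSER}; it does not cover what a
   * non-superuser caller is allowed to do in this mode.
   *
   * @throws Throwable if any of the privileged actions fails
   */
  @Test
  public void testManageUserAuths() throws Throwable {
    // Even though authorization is disabled, we should be able to manage user auths

    SUPERUSER.runAs(
        new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
              VisibilityClient.setAuths(
                  conn, new String[] {SECRET, CONFIDENTIAL}, USER_RW.getShortName());
            } catch (Throwable t) {
              // Preserve the cause so a failing run shows the underlying error.
              throw new AssertionError("Should not have failed", t);
            }
            return null;
          }
        });

    // Reads back USER_RW's current auths as plain strings; reused after each mutation below.
    PrivilegedExceptionAction<List<String>> getAuths =
        new PrivilegedExceptionAction<List<String>>() {
          @Override
          public List<String> run() throws Exception {
            final GetAuthsResponse authsResponse;
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
              authsResponse = VisibilityClient.getAuths(conn, USER_RW.getShortName());
            } catch (Throwable t) {
              throw new AssertionError("Should not have failed", t);
            }
            List<String> authsList = new ArrayList<>();
            for (ByteString authBS : authsResponse.getAuthList()) {
              authsList.add(Bytes.toString(authBS.toByteArray()));
            }
            return authsList;
          }
        };

    // After the grant: exactly SECRET and CONFIDENTIAL.
    List<String> authsList = SUPERUSER.runAs(getAuths);
    assertEquals(2, authsList.size());
    assertTrue(authsList.contains(SECRET));
    assertTrue(authsList.contains(CONFIDENTIAL));

    SUPERUSER.runAs(
        new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
              VisibilityClient.clearAuths(conn, new String[] {SECRET}, USER_RW.getShortName());
            } catch (Throwable t) {
              throw new AssertionError("Should not have failed", t);
            }
            return null;
          }
        });

    // Revoking SECRET must leave only CONFIDENTIAL.
    authsList = SUPERUSER.runAs(getAuths);
    assertEquals(1, authsList.size());
    assertTrue(authsList.contains(CONFIDENTIAL));

    SUPERUSER.runAs(
        new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
              VisibilityClient.clearAuths(
                  conn, new String[] {CONFIDENTIAL}, USER_RW.getShortName());
            } catch (Throwable t) {
              throw new AssertionError("Should not have failed", t);
            }
            return null;
          }
        });

    // Revoking the last label must leave USER_RW with no auths at all.
    authsList = SUPERUSER.runAs(getAuths);
    assertEquals(0, authsList.size());
  }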
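  /**
   * Verifies that listing namespaces succeeds for every test user but returns only the
   * namespaces that user is permitted to see.
   *
   * <p>The assertions pin the filtering: admin-level users see entries, while the remaining
   * users get an empty list rather than an error.
   *
   * @throws Exception if any listing call fails
   */
  @Test
  public void testListNamespaces() throws Exception {
    AccessTestAction listAction =
        new AccessTestAction() {
          @Override
          public Object run() throws Exception {
            // try-with-resources closes admin, then the connection, and still releases the
            // connection when getAdmin() or admin.close() throws.
            try (Connection unmanagedConnection =
                    ConnectionFactory.createConnection(UTIL.getConfiguration());
                Admin admin = unmanagedConnection.getAdmin()) {
              return Arrays.asList(admin.listNamespaceDescriptors());
            }
          }
        };

    // listNamespaces         : All access*
    // * Returned list will only show what you can call getNamespaceDescriptor()

    verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);

    // we have 4 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
    assertEquals(4, ((List<?>) SUPERUSER.runAs(listAction)).size());
    assertEquals(4, ((List<?>) USER_GLOBAL_ADMIN.runAs(listAction)).size());
    assertEquals(4, ((List<?>) USER_GROUP_ADMIN.runAs(listAction)).size());

    // The namespace-scoped admin sees a subset only.
    // NOTE(review): presumably the two namespaces it administers; confirm against the setup.
    assertEquals(2, ((List<?>) USER_NS_ADMIN.runAs(listAction)).size());

    // Users without admin rights must see nothing: an empty result, not a partial listing.
    assertEquals(0, ((List<?>) USER_GLOBAL_CREATE.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_GLOBAL_WRITE.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_GLOBAL_READ.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_GLOBAL_EXEC.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_NS_CREATE.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_NS_WRITE.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_NS_READ.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_NS_EXEC.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_TABLE_CREATE.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_TABLE_WRITE.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_GROUP_CREATE.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_GROUP_READ.runAs(listAction)).size());
    assertEquals(0, ((List<?>) USER_GROUP_WRITE.runAs(listAction)).size());
  }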