18 package org.apache.hadoop.hbase.zookeeper;
19
20 import static org.junit.Assert.assertEquals;
21 import static org.junit.Assert.assertTrue;
22
23 import java.io.File;
24 import java.io.FileWriter;
25 import java.io.IOException;
26 import java.util.List;
27
28 import org.apache.commons.logging.Log;
29 import org.apache.commons.logging.LogFactory;
30 import org.apache.hadoop.conf.Configuration;
31 import org.apache.hadoop.hbase.HBaseTestingUtility;
32 import org.apache.hadoop.hbase.TestZooKeeper;
33 import org.apache.hadoop.hbase.zookeeper.ZKUtil;
34 import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
35 import org.apache.zookeeper.ZooDefs;
36 import org.apache.zookeeper.data.ACL;
37 import org.apache.zookeeper.data.Stat;
38
39 import org.junit.AfterClass;
40 import org.junit.Before;
41 import org.junit.BeforeClass;
42 import org.junit.Test;
43
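/**
 * Checks the ZooKeeper ACLs found on HBase znodes when the client
 * authenticates to ZooKeeper over SASL (JAAS DigestLoginModule) as the
 * "hbase" user.
 *
 * <p>Expected layout, as asserted below: the /hbase root and a znode created
 * outside of it carry a single sasl:hbase entry with all permissions, while
 * /hbase/root-region-server, /hbase/master and /hbase/hbaseid carry exactly
 * two entries, world:anyone with READ only plus sasl:hbase.
 */
public class TestZooKeeperACL {
  private final static Log LOG = LogFactory.getLog(TestZooKeeperACL.class);
  private final static HBaseTestingUtility TEST_UTIL =
      new HBaseTestingUtility();

  private static ZooKeeperWatcher zkw;

  // True only after the mini cluster has started with the JAAS/SASL settings
  // below. While it is false every test returns without asserting anything.
  // NOTE(review): a silent return is reported as a pass; consider
  // org.junit.Assume so that skipped ACL checks show up as skipped.
  private static boolean secureZKAvailable;

  /**
   * Writes a temporary JAAS configuration, points the JVM at it, starts the
   * mini cluster and opens the ZooKeeper watcher used by the tests.
   *
   * @throws Exception if the JAAS file cannot be written or the watcher
   *     cannot be created; an IOException from cluster start-up is logged and
   *     disables the tests instead of failing them
   */
  @BeforeClass
  public static void setUpBeforeClass() throws Exception {
    File saslConfFile = File.createTempFile("tmp", "jaas.conf");
    // The file holds a fixed, test-only password; do not leave it behind in
    // the temp directory once the JVM exits.
    saslConfFile.deleteOnExit();
    FileWriter fwriter = new FileWriter(saslConfFile);
    try {
      fwriter.write("" +
          "Server {\n" +
          "org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
          "user_hbase=\"secret\";\n" +
          "};\n" +
          "Client {\n" +
          "org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
          "username=\"hbase\"\n" +
          "password=\"secret\";\n" +
          "};" + "\n");
    } finally {
      // Close the writer even when the write fails so the handle is not leaked.
      fwriter.close();
    }
    System.setProperty("java.security.auth.login.config",
        saslConfFile.getAbsolutePath());
    System.setProperty("zookeeper.authProvider.1",
        "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");

    TEST_UTIL.getConfiguration().setBoolean("dfs.support.append", true);
    TEST_UTIL.getConfiguration().setInt("hbase.zookeeper.property.maxClientCnxns", 1000);

    try {
      TEST_UTIL.startMiniCluster();
    } catch (IOException e) {
      // Any IOException here is attributed to the missing HADOOP-7070 change
      // and turns the whole class into a no-op rather than a failure.
      LOG.warn("Hadoop is missing HADOOP-7070", e);
      secureZKAvailable = false;
      return;
    }
    // The flag was previously never set to true, so every ACL assertion was
    // skipped and the cluster was never shut down. Set it as soon as the
    // cluster is up so that tearDownAfterClass() also runs its shutdown.
    secureZKAvailable = true;

    zkw = new ZooKeeperWatcher(
        new Configuration(TEST_UTIL.getConfiguration()),
        TestZooKeeper.class.getName(), null);
    // presumably blocks until the SASL handshake has completed - confirm
    // against ZKUtil
    ZKUtil.waitForZKConnectionIfAuthenticating(zkw);
  }

  /**
   * Shuts the mini cluster down if it was started.
   *
   * @throws Exception if the shutdown fails
   */
  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    TEST_UTIL.shutdownMiniCluster();
  }

  /**
   * Makes sure region servers are available before each test.
   *
   * @throws Exception if the region servers cannot be made available
   */
  @Before
  public void setUp() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    TEST_UTIL.ensureSomeRegionServersAvailable(2);
  }

  /**
   * The /hbase root znode must be reachable by sasl:hbase only, with all
   * permissions.
   */
  @Test (timeout=30000)
  public void testHBaseRootZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertOwnedOnlyByHBase("/hbase");
  }

  /**
   * /hbase/root-region-server must be world-readable and otherwise owned by
   * sasl:hbase.
   */
  @Test (timeout=30000)
  public void testHBaseRootRegionServerZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertWorldReadableAndOwnedByHBase("/hbase/root-region-server");
  }

  /**
   * /hbase/master must be world-readable and otherwise owned by sasl:hbase.
   */
  @Test (timeout=30000)
  public void testHBaseMasterServerZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertWorldReadableAndOwnedByHBase("/hbase/master");
  }

  /**
   * /hbase/hbaseid must be world-readable and otherwise owned by sasl:hbase.
   */
  @Test (timeout=30000)
  public void testHBaseIDZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertWorldReadableAndOwnedByHBase("/hbase/hbaseid");
  }

  /**
   * A znode created through ZKUtil outside of /hbase must also end up with
   * the single sasl:hbase entry with all permissions.
   */
  @Test
  public void testOutsideHBaseNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }

    ZKUtil.createWithParents(zkw, "/testACLNode");
    assertOwnedOnlyByHBase("/testACLNode");
  }

  /** Reads the ACL list of {@code znode} through the shared watcher. */
  private static List<ACL> readAcls(String znode) throws Exception {
    return zkw.getRecoverableZooKeeper().getZooKeeper()
        .getACL(znode, new Stat());
  }

  /**
   * Asserts that {@code znode} carries exactly one ACL entry: sasl:hbase with
   * all permissions.
   */
  private static void assertOwnedOnlyByHBase(String znode) throws Exception {
    List<ACL> acls = readAcls(znode);
    assertEquals(1, acls.size());
    ACL only = acls.get(0);
    assertEquals("sasl", only.getId().getScheme());
    assertEquals("hbase", only.getId().getId());
    assertEquals(ZooDefs.Perms.ALL, only.getPerms());
  }

  /**
   * Asserts that {@code znode} carries exactly two ACL entries, in either
   * order: world:anyone limited to READ, and sasl:hbase. Any other scheme
   * fails the test.
   */
  private static void assertWorldReadableAndOwnedByHBase(String znode)
      throws Exception {
    List<ACL> acls = readAcls(znode);
    assertEquals(2, acls.size());

    boolean foundWorldReadableAcl = false;
    boolean foundHBaseOwnerAcl = false;
    // Check the entry whose scheme was just matched. The earlier code matched
    // on entry i but then asserted on fixed positions 0 and 1, which tied the
    // test to the order in which ZooKeeper returned the entries.
    for (ACL acl : acls) {
      String scheme = acl.getId().getScheme();
      if ("world".equals(scheme)) {
        assertEquals("anyone", acl.getId().getId());
        // World access must stay read-only.
        assertEquals(ZooDefs.Perms.READ, acl.getPerms());
        foundWorldReadableAcl = true;
      } else if ("sasl".equals(scheme)) {
        assertEquals("hbase", acl.getId().getId());
        // NOTE(review): the owner entry's permission bits are not asserted
        // here, as before; confirm the expected value and add the check.
        foundHBaseOwnerAcl = true;
      } else {
        assertTrue("unexpected ACL scheme on " + znode + ": " + scheme, false);
      }
    }
    assertTrue(foundWorldReadableAcl);
    assertTrue(foundHBaseOwnerAcl);
  }
}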