diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java index eafc4be34c72..149c81f869ef 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java @@ -98,19 +98,6 @@ public class HDFSAclController implements MasterCoprocessor, MasterObserver { private static final Logger LOG = LoggerFactory.getLogger(HDFSAclController.class); - public static final String HDFS_ACL_ENABLE = "hbase.hdfs.acl.enable"; - public static final String HDFS_ACL_THREAD_NUMBER = "hbase.hdfs.acl.thread.number"; - // the tmp directory to restore snapshot, it can not be a sub directory of HBase root dir - public static final String SNAPSHOT_RESTORE_TMP_DIR = "hbase.snapshot.restore.tmp.dir"; - public static final String SNAPSHOT_RESTORE_TMP_DIR_DEFAULT = - "/hbase/.tmpdir-to-restore-snapshot"; - // If enable this feature, set public directories permission to 751 - public static final FsPermission ACL_ENABLE_PUBLIC_HFILE_PERMISSION = - new FsPermission((short) 0751); - // If enable this feature, set restore directory permission to 703 - public static final FsPermission ACL_ENABLE_RESTORE_HFILE_PERMISSION = - new FsPermission((short) 0703); - private HDFSAclHelper hdfsAclHelper = null; private PathHelper pathHelper = null; private FileSystem fs = null; @@ -134,31 +121,11 @@ public void preMasterInitialization(final ObserverContext ctx) @Override public void preStopMaster(final ObserverContext c) { if (hdfsAclHelper != null) { - hdfsAclHelper.stop(); + hdfsAclHelper.close(); } } @@ -462,7 +429,7 @@ private void revokeUserTablePermission(Table aclTable, String userName, TableNam private boolean containReadPermission(UserPermission userPermission) { if (userPermission != null) { return Arrays.stream(userPermission.getPermission().getActions()) - .anyMatch(action -> action == Permission.Action.READ); + .anyMatch(action -> action == Action.READ); } return false; } @@ -498,7 +465,7 @@ private UserPermission getUserTablePermission(Configuration conf, String userNam } private boolean isHdfsAclEnabled(Configuration configuration) { - return configuration.getBoolean(HDFS_ACL_ENABLE, false); + return configuration.getBoolean(HDFSAclHelper.HDFS_ACL_ENABLE, false); } protected static final class HDFSAclStorage { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclHelper.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclHelper.java index 5e7d4ecce6d5..9e5977e03763 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclHelper.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclHelper.java @@ -24,8 +24,10 @@ import static org.apache.hadoop.fs.permission.FsAction.READ_EXECUTE; import static org.apache.hadoop.hbase.security.access.Permission.Action.READ; +import java.io.Closeable; import java.io.IOException; import java.util.ArrayList; +import java.util.HashSet; import java.util.List; import java.util.Set; import java.util.concurrent.CompletableFuture; @@ -42,10 +44,15 @@ import org.apache.hadoop.fs.permission.AclEntry; import org.apache.hadoop.fs.permission.AclEntryScope; import org.apache.hadoop.fs.permission.FsAction; +import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.TableName; +import org.apache.hadoop.hbase.client.Admin; +import org.apache.hadoop.hbase.client.Connection; +import org.apache.hadoop.hbase.client.ConnectionFactory; import org.apache.hadoop.hbase.client.SnapshotDescription; -import org.apache.hadoop.hbase.master.MasterServices; +import org.apache.hadoop.hbase.util.Bytes; +import org.apache.hadoop.hbase.util.Pair; import org.apache.yetus.audience.InterfaceAudience; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -54,37 +61,99 @@ import org.apache.hbase.thirdparty.com.google.common.collect.Sets; import org.apache.hbase.thirdparty.com.google.common.util.concurrent.ThreadFactoryBuilder; -import org.apache.hadoop.hbase.shaded.protobuf.generated.SnapshotProtos; - /** * A helper to set HBase granted user access acl and default acl over hFiles. */ @InterfaceAudience.Private -public class HDFSAclHelper { +public class HDFSAclHelper implements Closeable { private static final Logger LOG = LoggerFactory.getLogger(HDFSAclHelper.class); - private final MasterServices masterServices; + + public static final String HDFS_ACL_ENABLE = "hbase.hdfs.acl.enable"; + public static final String HDFS_ACL_THREAD_NUMBER = "hbase.hdfs.acl.thread.number"; + // the tmp directory to restore snapshot, it can not be a sub directory of HBase root dir + public static final String SNAPSHOT_RESTORE_TMP_DIR = "hbase.snapshot.restore.tmp.dir"; + public static final String SNAPSHOT_RESTORE_TMP_DIR_DEFAULT = + "/hbase/.tmpdir-to-restore-snapshot"; + // If enable this feature, set public directories permission to 751 + public static final FsPermission ACL_ENABLE_PUBLIC_HFILE_PERMISSION = + new FsPermission((short) 0751); + // If enable this feature, set restore directory permission to 703 + public static final FsPermission ACL_ENABLE_RESTORE_HFILE_PERMISSION = + new FsPermission((short) 0703); + + private Admin admin; private final Configuration conf; private FileSystem fs; private PathHelper pathHelper; private ExecutorService pool; - public HDFSAclHelper(MasterServices masterServices) throws IOException { - this.masterServices = masterServices; - this.conf = masterServices.getConfiguration(); + public HDFSAclHelper(Configuration configuration, Connection connection) + throws IOException { + this.conf = configuration; this.pathHelper = new PathHelper(conf); this.fs = pathHelper.getFileSystem(); this.pathHelper = new PathHelper(conf); - this.pool = - Executors.newFixedThreadPool(conf.getInt(HDFSAclController.HDFS_ACL_THREAD_NUMBER, 10), - new ThreadFactoryBuilder().setNameFormat("hdfs-acl-thread-%d").setDaemon(true).build()); + this.pool = Executors.newFixedThreadPool(conf.getInt(HDFS_ACL_THREAD_NUMBER, 10), + new ThreadFactoryBuilder().setNameFormat("hdfs-acl-thread-%d").setDaemon(true).build()); + if (connection == null) { + connection = ConnectionFactory.createConnection(conf); + } + this.admin = connection.getAdmin(); } - public void stop() { + @Override + public void close() { if (pool != null) { pool.shutdown(); } } + public void setCommonDirPermission() throws IOException { + // Set public directory permission to 751 to make all users have access permission. + // And we also need the access permission of the parent of HBase root directory, but + // it's not set here, because the owner of HBase root directory may don't own permission + // to change it's parent permission to 751. + // The {root/.tmp} and {root/.tmp/data} directories are created to make global user HDFS + // acls can be inherited. + Path[] paths = new Path[] { pathHelper.getRootDir(), pathHelper.getDataDir(), + pathHelper.getTmpDir(), pathHelper.getTmpDataDir(), pathHelper.getArchiveDir(), + pathHelper.getArchiveDataDir(), pathHelper.getSnapshotRootDir() }; + for (Path path : paths) { + if (!fs.exists(path)) { + fs.mkdirs(path); + } + fs.setPermission(path, ACL_ENABLE_PUBLIC_HFILE_PERMISSION); + } + // create snapshot restore directory + Path restoreDir = + new Path(conf.get(SNAPSHOT_RESTORE_TMP_DIR, SNAPSHOT_RESTORE_TMP_DIR_DEFAULT)); + if (!fs.exists(restoreDir)) { + fs.mkdirs(restoreDir); + fs.setPermission(restoreDir, ACL_ENABLE_RESTORE_HFILE_PERMISSION); + } + } + + public boolean grant(byte[] entry, Set users) { + try { + Pair, List> operations; + if (PermissionStorage.isNamespaceEntry(entry)) { + String namespace = Bytes.toString(PermissionStorage.fromNamespaceEntry(entry)); + operations = getNamespaceHdfsAclOperations(users, HDFSAclOperation.OperationType.MODIFY, + namespace, new HashSet<>(0)); + } else if (PermissionStorage.isGlobalEntry(entry)) { + operations = getGlobalHdfsAclOperations(users, HDFSAclOperation.OperationType.MODIFY, + new HashSet<>(0), new HashSet<>()); + } else { + operations = getTableHdfsAclOperations(users, HDFSAclOperation.OperationType.MODIFY, + TableName.valueOf(entry)); + } + setHDFSAcl(operations); + return true; + } catch (Exception e) { + return false; + } + } + /** * Set acl when grant user permission * @param userPerm the user and permission @@ -147,7 +216,7 @@ public boolean snapshotAcl(SnapshotDescription snapshot) { List operations = new ArrayList<>(1); operations.add(new HDFSAclOperation(fs, path, userSet, HDFSAclOperation.OperationType.MODIFY, READ_EXECUTE, true, new ArrayList<>())); - setHDFSAcl(operations); + setHDFSAcl(new Pair<>(new ArrayList<>(), operations)); LOG.info("Set HDFS acl when snapshot {}, cost {} ms", snapshot.getName(), System.currentTimeMillis() - start); return true; @@ -244,26 +313,26 @@ public void addTableAcl(TableName tableName, String user) { * @return the {@link HDFSAclOperation} list * @throws IOException if an error occurred */ - private List getHdfsAclOperations(UserPermission userPermission, - HDFSAclOperation.OperationType operationType, Set skipNamespaces, - Set skipTables) throws IOException { - List hdfsAclOperations = new ArrayList<>(); + private Pair, List> getHdfsAclOperations( + UserPermission userPermission, HDFSAclOperation.OperationType operationType, + Set skipNamespaces, Set skipTables) throws IOException { + Pair, List> hdfsAclOperations = new Pair<>(); Set users = Sets.newHashSet(userPermission.getUser()); switch (userPermission.getAccessScope()) { case GLOBAL: - hdfsAclOperations - .addAll(getGlobalHdfsAclOperations(users, operationType, skipNamespaces, skipTables)); + hdfsAclOperations = + getGlobalHdfsAclOperations(users, operationType, skipNamespaces, skipTables); break; case NAMESPACE: NamespacePermission namespacePermission = (NamespacePermission) userPermission.getPermission(); - hdfsAclOperations.addAll(getNamespaceHdfsAclOperations(users, operationType, - namespacePermission.getNamespace(), skipTables)); + hdfsAclOperations = getNamespaceHdfsAclOperations(users, operationType, + namespacePermission.getNamespace(), skipTables); break; case TABLE: TablePermission tablePermission = (TablePermission) userPermission.getPermission(); - hdfsAclOperations.addAll( - getTableHdfsAclOperations(users, operationType, tablePermission.getTableName())); + hdfsAclOperations = + getTableHdfsAclOperations(users, operationType, tablePermission.getTableName()); break; default: LOG.error("Unknown scope for permission {}", userPermission); @@ -271,8 +340,8 @@ private List getHdfsAclOperations(UserPermission userPermissio return hdfsAclOperations; } - private List getGlobalHdfsAclOperations(Set users, - HDFSAclOperation.OperationType operationType, Set skipNamespaces, + private Pair, List> getGlobalHdfsAclOperations( + Set users, HDFSAclOperation.OperationType operationType, Set skipNamespaces, Set skipTables) throws IOException { // default acl path List defaultGlobalPathList = getDefaultGlobalPath(); @@ -297,14 +366,17 @@ private List getGlobalHdfsAclOperations(Set users, HDFSAclOperation.OperationType.MODIFY, READ_EXECUTE, false, new ArrayList<>())) .collect(Collectors.toList())); } - return hdfsAclOperations; + Path snapshotPath = pathHelper.getSnapshotRootDir(); + HDFSAclOperation snapshotHdfsAclOperation = + new HDFSAclOperation(fs, snapshotPath, users, operationType, READ_EXECUTE, true, skipPaths); + return new Pair<>(hdfsAclOperations, Lists.newArrayList(snapshotHdfsAclOperation)); } - private List getNamespaceHdfsAclOperations(Set users, - HDFSAclOperation.OperationType operationType, String namespace, Set skipTables) - throws IOException { + private Pair, List> getNamespaceHdfsAclOperations( + Set users, HDFSAclOperation.OperationType operationType, String namespace, + Set skipTables) throws IOException { // default acl path - List defaultNsPathList = getDefaultNamespacePath(namespace, true); + List defaultNsPathList = getDefaultNamespacePath(namespace, false); // skip path List skipTablePaths = Lists.newArrayList(); List skipNsPaths = new ArrayList<>(); @@ -322,23 +394,32 @@ private List getNamespaceHdfsAclOperations(Set users, HDFSAclOperation.OperationType.MODIFY, READ_EXECUTE, false, new ArrayList<>())) .collect(Collectors.toList())); } - return hdfsAclOperations; + List namespaceSnapshotPaths = getNamespaceSnapshotPath(namespace); + List namespaceSnapshotHdfsAclOps = + namespaceSnapshotPaths.stream().map(path -> new HDFSAclOperation(fs, path, users, + operationType, READ_EXECUTE, true, skipTablePaths)).collect(Collectors.toList()); + return new Pair<>(hdfsAclOperations, namespaceSnapshotHdfsAclOps); } - private List getTableHdfsAclOperations(Set users, - HDFSAclOperation.OperationType operationType, TableName tableName) throws IOException { + private Pair, List> getTableHdfsAclOperations( + Set users, HDFSAclOperation.OperationType operationType, TableName tableName) + throws IOException { String tableNamespace = tableName.getNamespaceAsString(); // acl path List tableNsPathList = getDefaultNamespacePath(tableNamespace, false); // default acl path - List tablePathList = getDefaultTablePath(tableName, true); + List tablePathList = getDefaultTablePath(tableName, false); // generate hdfs acl operations List hdfsAclOperations = tableNsPathList.stream().map(path -> new HDFSAclOperation(fs, path, users, operationType, READ_EXECUTE, false, new ArrayList<>())).collect(Collectors.toList()); hdfsAclOperations.addAll(tablePathList.stream().map(path -> new HDFSAclOperation(fs, path, users, operationType, READ_EXECUTE, true, new ArrayList<>())).collect(Collectors.toList())); - return hdfsAclOperations; + List tableSnapshotPath = getTableSnapshotPath(tableName); + List tableSnapshotHdfsAclOps = + tableSnapshotPath.stream().map(path -> new HDFSAclOperation(fs, path, users, operationType, + READ_EXECUTE, true, new ArrayList<>())).collect(Collectors.toList()); + return new Pair<>(hdfsAclOperations, tableSnapshotHdfsAclOps); } /** @@ -347,7 +428,7 @@ private List getTableHdfsAclOperations(Set users, */ private List getDefaultGlobalPath() { return Lists.newArrayList(pathHelper.getTmpDataDir(), pathHelper.getDataDir(), - pathHelper.getArchiveDataDir(), pathHelper.getSnapshotRootDir()); + pathHelper.getArchiveDataDir()); } /** @@ -362,12 +443,16 @@ private List getDefaultNamespacePath(String namespace, boolean includeName List paths = Lists.newArrayList(pathHelper.getTmpNsDir(namespace), pathHelper.getDataNsDir(namespace), pathHelper.getArchiveNsDir(namespace)); if (includeNamespaceSnapshot) { - paths.addAll(getNamespaceSnapshots(namespace).stream() - .map(snap -> pathHelper.getSnapshotDir(snap)).collect(Collectors.toList())); + paths.addAll(getNamespaceSnapshotPath(namespace)); } return paths; } + private List getNamespaceSnapshotPath(String namespace) throws IOException { + return getNamespaceSnapshots(namespace).stream().map(snap -> pathHelper.getSnapshotDir(snap)) + .collect(Collectors.toList()); + } + /** * return paths that user will table permission will visit * @param tableName the table @@ -380,12 +465,16 @@ private List getDefaultTablePath(TableName tableName, boolean includeTable List paths = Lists.newArrayList(pathHelper.getTmpTableDir(tableName), pathHelper.getTableDir(tableName), pathHelper.getArchiveTableDir(tableName)); if (includeTableSnapshotPath) { - paths.addAll(getTableSnapshots(tableName).stream() - .map(snap -> pathHelper.getSnapshotDir(snap)).collect(Collectors.toList())); + paths.addAll(getTableSnapshotPath(tableName)); } return paths; } + private List getTableSnapshotPath(TableName tableName) throws IOException { + return getTableSnapshots(tableName).stream().map(snap -> pathHelper.getSnapshotDir(snap)) + .collect(Collectors.toList()); + } + /** * Return users with namespace read permission * @param namespace the namespace @@ -419,9 +508,9 @@ private List getTableSnapshots(TableName tableName) throws IOException { return getSnapshots((snapDesc) -> TableName.valueOf(snapDesc.getTable()) == tableName); } - private List getSnapshots(Predicate predicate) - throws IOException { - return masterServices.getSnapshotManager().getCompletedSnapshots().stream() + private List getSnapshots(Predicate predicate) throws IOException { + List snapshotDescriptions = admin.listSnapshots(); + return snapshotDescriptions.stream() .filter(snapshotDescription -> predicate.test(snapshotDescription)) .map(snapshotDescription -> snapshotDescription.getName()).collect(Collectors.toList()); } @@ -434,11 +523,13 @@ protected PathHelper getPathHelper() { * Set HDFS acls * @param hdfsAclOperations the {@link HDFSAclOperation} list */ - private void setHDFSAcl(List hdfsAclOperations) + private void setHDFSAcl(Pair, List> hdfsAclOperations) throws InterruptedException, ExecutionException { - for (HDFSAclOperation hdfsAclOperation : hdfsAclOperations) { + CompletableFuture future = setHDFSAclParallel(hdfsAclOperations.getSecond()); + for (HDFSAclOperation hdfsAclOperation : hdfsAclOperations.getFirst()) { setSingleHDFSAcl(hdfsAclOperation).get(); } + future.get(); } private CompletableFuture setSingleHDFSAcl(HDFSAclOperation acl) { diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclController.java index 4db861d17667..813f99469c27 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclController.java @@ -25,6 +25,7 @@ import java.io.IOException; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; +import java.util.Arrays; import java.util.List; import org.apache.hadoop.conf.Configuration; @@ -81,10 +82,11 @@ public static void setupBeforeClass() throws Exception { conf.setBoolean("dfs.namenode.acls.enabled", true); conf.set("fs.permissions.umask-mode", "027"); // enable hbase hdfs acl feature - conf.setBoolean(HDFSAclController.HDFS_ACL_ENABLE, true); + conf.setBoolean(HDFSAclHelper.HDFS_ACL_ENABLE, true); // enable secure conf.set(User.HBASE_SECURITY_CONF_KEY, "simple"); - conf.set(HDFSAclController.SNAPSHOT_RESTORE_TMP_DIR, HDFSAclController.SNAPSHOT_RESTORE_TMP_DIR_DEFAULT); + conf.set(HDFSAclHelper.SNAPSHOT_RESTORE_TMP_DIR, + HDFSAclHelper.SNAPSHOT_RESTORE_TMP_DIR_DEFAULT); SecureTestUtil.enableSecurity(conf); // add HDFSAclController coprocessor conf.set(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, @@ -100,18 +102,18 @@ public static void setupBeforeClass() throws Exception { // set hbase directory permission Path path = rootDir; while (path != null) { - fs.setPermission(path, HDFSAclController.ACL_ENABLE_PUBLIC_HFILE_PERMISSION); + fs.setPermission(path, HDFSAclHelper.ACL_ENABLE_PUBLIC_HFILE_PERMISSION); path = path.getParent(); } // set restore directory permission - Path restoreDir = new Path(HDFSAclController.SNAPSHOT_RESTORE_TMP_DIR_DEFAULT); + Path restoreDir = new Path(HDFSAclHelper.SNAPSHOT_RESTORE_TMP_DIR_DEFAULT); if (!fs.exists(restoreDir)) { fs.mkdirs(restoreDir); - fs.setPermission(restoreDir, HDFSAclController.ACL_ENABLE_RESTORE_HFILE_PERMISSION); + fs.setPermission(restoreDir, HDFSAclHelper.ACL_ENABLE_RESTORE_HFILE_PERMISSION); } path = restoreDir.getParent(); while (path != null) { - fs.setPermission(path, HDFSAclController.ACL_ENABLE_PUBLIC_HFILE_PERMISSION); + fs.setPermission(path, HDFSAclHelper.ACL_ENABLE_PUBLIC_HFILE_PERMISSION); path = path.getParent(); } @@ -142,20 +144,19 @@ public void testGrantGlobal() throws Exception { String snapshot3 = namespace1 + "t3"; String snapshot31 = namespace1 + "t31"; - createNamespace(namespace1); - createTableAndPut(table1); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1); admin.snapshot(snapshot, table1); // case 1: grant G(R) -> grant G(W) -> grant G(R) SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); admin.grant( new UserPermission(grantUserName, Permission.newBuilder().withActions(WRITE).build()), true); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, WRITE); - canUserScanSnapshot(grantUser, snapshot, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1); SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); // case 2: grant G(R),N(R) -> G(W) admin.grant(new UserPermission(grantUserName, @@ -163,27 +164,25 @@ public void testGrantGlobal() throws Exception { false); SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, WRITE); // table in ns1 - createTableAndPut(table12); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table12); admin.snapshot(snapshot2, table12); // table in ns2 - createNamespace(namespace2); - createTableAndPut(table21); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table21); admin.snapshot(snapshot21, table21); - canUserScanSnapshot(grantUser, snapshot, 6); - canUserScanSnapshot(grantUser, snapshot2, 6); - canUserScanSnapshot(grantUser, snapshot21, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot21, -1); // case 3: grant G(R),T(R) -> G(W) SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); - createNamespace(namespace3); - createTableAndPut(table3); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table3); admin.snapshot(snapshot3, table3); - grantOnTable(grantUserName, table3, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table3, READ); SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, WRITE); - createTableAndPut(table31); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table31); admin.snapshot(snapshot31, table31); - canUserScanSnapshot(grantUser, snapshot3, 6); - canUserScanSnapshot(grantUser, snapshot31, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot31, -1); } @Test @@ -199,38 +198,37 @@ public void testGrantNamespace() throws Exception { String snapshot2 = namespace + "t2"; String snapshot3 = namespace + "t3"; - createNamespace(namespace); - createTableAndPut(table); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table); admin.snapshot(snapshot, table); // case 1: grant N(R) -> grant N(W) -> grant N(R) SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); - createTableAndPut(table3); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table3); admin.snapshot(snapshot3, table3); - canUserScanSnapshot(grantUser, snapshot, 6); - canUserScanSnapshot(grantUser, snapshot3, 6); - canUserScanSnapshot(unGrantUser, snapshot, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, unGrantUser, snapshot, -1); SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, WRITE); - canUserScanSnapshot(grantUser, snapshot, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1); SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); // case 2: grant T(R) -> N(W) SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); - grantOnTable(grantUserName, table, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ); SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, WRITE); - canUserScanSnapshot(grantUser, snapshot, 6); - createTableAndPut(table2); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table2); admin.snapshot(snapshot2, table2); - canUserScanSnapshot(grantUser, snapshot2, -1); - grantOnTable(grantUserName, table, WRITE); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, WRITE); // case 3: grant G(R) -> N(W) SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, WRITE); - canUserScanSnapshot(grantUser, snapshot, 6); - canUserScanSnapshot(grantUser, snapshot2, 6); - canUserScanSnapshot(grantUser, snapshot3, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, 6); } @Test @@ -245,31 +243,32 @@ public void testGrantTable() throws Exception { String snapshot2 = namespace + "t1-2"; String snapshot3 = namespace + "t2"; - createNamespace(namespace); - try (Table t = createTable(table)) { - put(t); + try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, table)) { + TestHDFSAclHelper.put(t); admin.snapshot(snapshot, table); // table owner can scan table snapshot - canUserScanSnapshot(User.createUserForTesting(conf, "owner", new String[] {}), snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, + User.createUserForTesting(conf, "owner", new String[] {}), snapshot, 6); // case 1: grant table family(R) - SecureTestUtil.grantOnTable(TEST_UTIL, grantUserName, table, COLUMN1, null, READ); - canUserScanSnapshot(grantUser, snapshot, -1); + SecureTestUtil.grantOnTable(TEST_UTIL, grantUserName, table, TestHDFSAclHelper.COLUMN1, null, + READ); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1); // case 2: grant T(R) - grantOnTable(grantUserName, table, READ); - put2(t); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ); + TestHDFSAclHelper.put2(t); admin.snapshot(snapshot2, table); - canUserScanSnapshot(grantUser, snapshot, 6); - canUserScanSnapshot(grantUser, snapshot2, 10); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 10); } // create t2 and snapshot - createTableAndPut(table2); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table2); admin.snapshot(snapshot3, table2); - canUserScanSnapshot(grantUser, snapshot3, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, -1); // case 3: grant T(R) -> grant T(W) - grantOnTable(grantUserName, table, WRITE); - canUserScanSnapshot(grantUser, snapshot, -1); - canUserScanSnapshot(grantUser, snapshot2, -1); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, WRITE); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1); } @Test @@ -285,34 +284,33 @@ public void testRevokeGlobal() throws Exception { String snapshot2 = namespace + "t2"; String snapshot3 = namespace + "t3"; - createNamespace(namespace); - createTableAndPut(table1); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1); admin.snapshot(snapshot1, table1); // case 1: grant G(R) -> revoke G(R) SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); SecureTestUtil.revokeGlobal(TEST_UTIL, grantUserName, READ); - canUserScanSnapshot(grantUser, snapshot1, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, -1); // case 2: grant G(R), grant N(R), grant T(R) -> revoke G(R) SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); - grantOnTable(grantUserName, table1, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table1, READ); SecureTestUtil.revokeGlobal(TEST_UTIL, grantUserName, READ); - canUserScanSnapshot(grantUser, snapshot1, 6); - createTableAndPut(table2); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table2); admin.snapshot(snapshot2, table2); - canUserScanSnapshot(grantUser, snapshot2, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 6); SecureTestUtil.revokeFromNamespace(TEST_UTIL, grantUserName, namespace, READ); - canUserScanSnapshot(grantUser, snapshot2, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1); // case 3: grant G(R), grant T(R) -> revoke G(R) SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); SecureTestUtil.revokeGlobal(TEST_UTIL, grantUserName, READ); - canUserScanSnapshot(grantUser, snapshot1, 6); - canUserScanSnapshot(grantUser, snapshot2, -1); - createTableAndPut(table3); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table3); admin.snapshot(snapshot3, table3); - canUserScanSnapshot(grantUser, snapshot3, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, -1); } @Test @@ -330,36 +328,35 @@ public void testRevokeNamespace() throws Exception { String snapshot3 = namespace + "t3"; String snapshot4 = namespace + "t4"; - createNamespace(namespace); - createTableAndPut(table1); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1); admin.snapshot(snapshot1, table1); // case 1: grant N(R) -> revoke N(R) SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(namespace).build())); - createTableAndPut(table3); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table3); admin.snapshot(snapshot3, table3); - canUserScanSnapshot(grantUser, snapshot1, -1); - canUserScanSnapshot(grantUser, snapshot3, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, -1); // case 2: grant N(R), grant G(R) -> revoke N(R) SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(namespace).build())); - createTableAndPut(table4); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table4); admin.snapshot(snapshot4, table4); - canUserScanSnapshot(grantUser, snapshot1, 6); - canUserScanSnapshot(grantUser, snapshot4, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot4, 6); SecureTestUtil.revokeGlobal(TEST_UTIL, grantUserName, READ); // case 3: grant N(R), grant T(R) -> revoke N(R) SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); - grantOnTable(grantUserName, table1, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table1, READ); SecureTestUtil.revokeFromNamespace(TEST_UTIL, grantUserName, namespace, READ); - canUserScanSnapshot(grantUser, snapshot1, 6); - createTable(table2); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6); + TestHDFSAclHelper.createTable(TEST_UTIL, table2); admin.snapshot(snapshot2, table2); - canUserScanSnapshot(grantUser, snapshot2, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1); } @Test @@ -371,34 +368,34 @@ public void testRevokeTable() throws Exception { TableName table = TableName.valueOf(namespace, "t1"); String snapshot = namespace + "t1"; - createNamespace(namespace); - createTableAndPut(table); + TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table); admin.snapshot(snapshot, table); // case 1: grant T(R) -> revoke table family - grantOnTable(grantUserName, table, READ); - SecureTestUtil.revokeFromTable(TEST_UTIL, grantUserName, table, COLUMN1, null, READ); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ); + SecureTestUtil.revokeFromTable(TEST_UTIL, grantUserName, table, TestHDFSAclHelper.COLUMN1, null, + READ); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); // case 2: grant T(R) -> revoke T(R) - grantOnTable(grantUserName, table, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ); admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(table).build())); - canUserScanSnapshot(grantUser, snapshot, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1); // case 3: grant T(R), grant N(R) -> revoke T(R) - grantOnTable(grantUserName, table, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ); SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ); admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(table).build())); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); SecureTestUtil.revokeFromNamespace(TEST_UTIL, grantUserName, namespace, READ); // case 4: grant T(R), grant G(R) -> revoke T(R) - grantOnTable(grantUserName, table, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ); SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ); admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(table).build())); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); SecureTestUtil.revokeGlobal(TEST_UTIL, grantUserName, READ); - canUserScanSnapshot(grantUser, snapshot, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1); } @Test @@ -412,25 +409,24 @@ public void testTruncateTable() throws Exception { TableName tableName = TableName.valueOf(namespace, "t1"); String snapshot = namespace + "t1"; String snapshot2 = namespace + "t1-2"; - createNamespace(namespace); - try (Table t = createTable(tableName)) { - put(t); + try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, tableName)) { + TestHDFSAclHelper.put(t); // snapshot admin.snapshot(snapshot, tableName); // grant user2 namespace permission SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName2, namespace, READ); // grant user table permission - grantOnTable(grantUserName, tableName, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, tableName, READ); // truncate table admin.disableTable(tableName); admin.truncateTable(tableName, true); - put2(t); + TestHDFSAclHelper.put2(t); // snapshot admin.snapshot(snapshot2, tableName); - canUserScanSnapshot(grantUser, snapshot, 6); - canUserScanSnapshot(grantUser2, snapshot, 6); - canUserScanSnapshot(grantUser, snapshot2, 9); - canUserScanSnapshot(grantUser2, snapshot2, 9); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser2, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 9); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser2, snapshot2, 9); } } @@ -444,35 +440,34 @@ public void testRestoreSnapshot() throws Exception { String snapshot2 = namespace + "t1-2"; String snapshot3 = namespace + "t1-3"; - createNamespace(namespace); - try (Table t = createTable(table)) { - put(t); + try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, table)) { + TestHDFSAclHelper.put(t); // grant t1, snapshot - grantOnTable(grantUserName, table, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ); admin.snapshot(snapshot, table); // delete admin.disableTable(table); admin.deleteTable(table); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); // restore snapshot and restore acl admin.restoreSnapshot(snapshot, true, true); - put2(t); + TestHDFSAclHelper.put2(t); // snapshot admin.snapshot(snapshot2, table); // delete admin.disableTable(table); admin.deleteTable(table); - canUserScanSnapshot(grantUser, snapshot, 6); - canUserScanSnapshot(grantUser, snapshot2, 10); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 10); // restore snapshot and skip restore acl admin.restoreSnapshot(snapshot); admin.snapshot(snapshot3, table); - canUserScanSnapshot(grantUser, snapshot, 6); - canUserScanSnapshot(grantUser, snapshot2, 10); - canUserScanSnapshot(grantUser, snapshot3, -1); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 10); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, -1); } } @@ -490,24 +485,24 @@ public void testDeleteTable() throws Exception { TableName tableName2 = TableName.valueOf(namespace, "t2"); String snapshot1 = namespace + "t1"; String snapshot2 = namespace + "t2"; - createNamespace(namespace); - try (Table t = createTable(tableName1); Table t2 = createTable(tableName2)) { - put(t); - put(t2); + try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, tableName1); + Table t2 = TestHDFSAclHelper.createTable(TEST_UTIL, tableName2)) { + TestHDFSAclHelper.put(t); + TestHDFSAclHelper.put(t2); // snapshot admin.snapshot(snapshot1, tableName1); admin.snapshot(snapshot2, tableName2); // grant user table permission - grantOnTable(grantUserName1, tableName1, READ); - grantOnTable(grantUserName2, tableName2, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName1, tableName1, READ); + TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName2, tableName2, READ); SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName3, namespace, READ); // delete table admin.disableTable(tableName1); admin.deleteTable(tableName1); // grantUser2 and grantUser3 should have data/ns acl - canUserScanSnapshot(grantUser1, snapshot1, 6); - canUserScanSnapshot(grantUser2, snapshot2, 6); - canUserScanSnapshot(grantUser3, snapshot2, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser1, snapshot1, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser2, snapshot2, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser3, snapshot2, 6); } } @@ -519,9 +514,8 @@ public void testDeleteNamespace() throws Exception { String namespace = name.getMethodName(); TableName tableName = TableName.valueOf(namespace, "t1"); String snapshot = namespace + "t1"; - createNamespace(namespace); - try (Table t = createTable(tableName)) { - put(t); + try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, tableName)) { + TestHDFSAclHelper.put(t); // snapshot admin.snapshot(snapshot, tableName); // grant user2 namespace permission @@ -531,27 +525,70 @@ public void testDeleteNamespace() throws Exception { admin.deleteTable(tableName); // snapshot admin.deleteNamespace(namespace); - canUserScanSnapshot(grantUser, snapshot, 6); + TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6); } } +} + +final class TestHDFSAclHelper { + + static void grantOnTable(HBaseTestingUtility util, String user, TableName tableName, + Permission.Action... actions) throws Exception { + SecureTestUtil.grantOnTable(util, user, tableName, null, null, actions); + } - private void grantOnTable(String user, TableName tableName, Permission.Action... actions) - throws Exception { - SecureTestUtil.grantOnTable(TEST_UTIL, user, tableName, null, null, actions); + private static void createNamespace(HBaseTestingUtility util, String namespace) + throws IOException { + if (!Arrays.stream(util.getAdmin().listNamespaceDescriptors()) + .anyMatch(ns -> ns.getName().equals(namespace))) { + NamespaceDescriptor namespaceDescriptor = NamespaceDescriptor.create(namespace).build(); + util.getAdmin().createNamespace(namespaceDescriptor); + } } - private void createNamespace(String namespace) throws IOException { - createNamespace(admin, namespace); + static Table createTable(HBaseTestingUtility util, TableName tableName) throws IOException { + createNamespace(util, tableName.getNamespaceAsString()); + TableDescriptor td = TableDescriptorBuilder.newBuilder(tableName) + .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN1).build()) + .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN2).build()) + .setOwner(User.createUserForTesting(util.getConfiguration(), "owner", new String[] {})) + .build(); + byte[][] splits = new byte[][] { Bytes.toBytes("2"), Bytes.toBytes("4") }; + return util.createTable(td, splits); } - private void createTableAndPut(TableName tableNam) throws IOException { - try (Table t = createTable(tableNam)) { + static void createTableAndPut(HBaseTestingUtility util, TableName tableNam) throws IOException { + try (Table t = createTable(util, tableNam)) { put(t); } } - private Table createTable(TableName tableName) throws IOException { - return createTable(TEST_UTIL, tableName); + static final byte[] COLUMN1 = Bytes.toBytes("A"); + static final byte[] COLUMN2 = Bytes.toBytes("B"); + + static void put(Table hTable) throws IOException { + List puts = new ArrayList<>(); + for (int i = 0; i < 6; i++) { + Put put = new Put(Bytes.toBytes(i)); + put.addColumn(COLUMN1, null, Bytes.toBytes(i)); + put.addColumn(COLUMN2, null, Bytes.toBytes(i + 1)); + puts.add(put); + } + hTable.put(puts); + } + + static void put2(Table hTable) throws IOException { + List puts = new ArrayList<>(); + for (int i = 0; i < 10; i++) { + if (i == 5) { + continue; + } + Put put = new Put(Bytes.toBytes(i)); + put.addColumn(COLUMN1, null, Bytes.toBytes(i + 2)); + put.addColumn(COLUMN2, null, Bytes.toBytes(i + 3)); + puts.add(put); + } + hTable.put(puts); } /** @@ -563,18 +600,18 @@ private Table createTable(TableName tableName) throws IOException { * @throws IOException user scan snapshot error * @throws InterruptedException user scan snapshot error */ - private void canUserScanSnapshot(User user, String snapshot, int expectedRowCount) - throws IOException, InterruptedException { + static void canUserScanSnapshot(HBaseTestingUtility util, User user, String snapshot, + int expectedRowCount) throws IOException, InterruptedException { PrivilegedExceptionAction action = - getScanSnapshotAction(conf, snapshot, expectedRowCount); + getScanSnapshotAction(util.getConfiguration(), snapshot, expectedRowCount); user.runAs(action); } - private PrivilegedExceptionAction getScanSnapshotAction(Configuration conf, + private static PrivilegedExceptionAction getScanSnapshotAction(Configuration conf, String snapshotName, long expectedRowCount) { PrivilegedExceptionAction action = () -> { try { - Path restoreDir = new Path(HDFSAclController.SNAPSHOT_RESTORE_TMP_DIR_DEFAULT); + Path restoreDir = new Path(HDFSAclHelper.SNAPSHOT_RESTORE_TMP_DIR_DEFAULT); Scan scan = new Scan(); TableSnapshotScanner scanner = new TableSnapshotScanner(conf, restoreDir, snapshotName, scan); @@ -589,54 +626,10 @@ private PrivilegedExceptionAction getScanSnapshotAction(Configuration conf scanner.close(); assertEquals(expectedRowCount, rowCount); } catch (Exception e) { - LOG.error("Scan snapshot error", e); assertEquals(expectedRowCount, -1); } return null; }; return action; } - - private void createNamespace(Admin admin, String namespace) throws IOException { - NamespaceDescriptor namespaceDescriptor = NamespaceDescriptor.create(namespace).build(); - admin.createNamespace(namespaceDescriptor); - } - - private static final byte[] COLUMN1 = Bytes.toBytes("A"); - private static final byte[] COLUMN2 = Bytes.toBytes("B"); - - private Table createTable(HBaseTestingUtility utility, TableName tableName) - throws IOException { - TableDescriptor td = TableDescriptorBuilder.newBuilder(tableName) - .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN1).build()) - .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN2).build()) - .setOwner(User.createUserForTesting(conf, "owner", new String[] {})).build(); - byte[][] splits = new byte[][] { Bytes.toBytes("2"), Bytes.toBytes("4") }; - return utility.createTable(td, splits); - } - - private void put(Table hTable) throws IOException { - List puts = new ArrayList<>(); - for (int i = 0; i < 6; i++) { - Put put = new Put(Bytes.toBytes(i)); - put.addColumn(COLUMN1, null, Bytes.toBytes(i)); - put.addColumn(COLUMN2, null, Bytes.toBytes(i + 1)); - puts.add(put); - } - hTable.put(puts); - } - - private void put2(Table hTable) throws IOException { - List puts = new ArrayList<>(); - for (int i = 0; i < 10; i++) { - if (i == 5) { - continue; - } - Put put = new Put(Bytes.toBytes(i)); - put.addColumn(COLUMN1, null, Bytes.toBytes(i + 2)); - put.addColumn(COLUMN2, null, Bytes.toBytes(i + 3)); - puts.add(put); - } - hTable.put(puts); - } -} +} \ No newline at end of file