HBASE-21974 Change Admin#grant/revoke parameter from UserPermission to user and Permission
Signed-off-by: Guanghao Zhang <zghao@apache.org>
parent
5c03df5e50
commit
0d882bbc2b
|
@ -52,7 +52,7 @@ import org.apache.hadoop.hbase.regionserver.wal.FailedLogCloseException;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
|
||||
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
||||
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
|
||||
|
@ -2806,20 +2806,21 @@ public interface Admin extends Abortable, Closeable {
|
|||
|
||||
/**
|
||||
* Grants user specific permissions
|
||||
*
|
||||
* @param userPermission user and permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
||||
* previous granted permissions. otherwise, it'll merge with previous granted
|
||||
* permissions.
|
||||
* @throws IOException if a remote or network exception occurs
|
||||
*/
|
||||
void grant(UserPermission userPermission, boolean mergeExistingPermissions) throws IOException;
|
||||
void grant(String userName, Permission permission, boolean mergeExistingPermissions)
|
||||
throws IOException;
|
||||
|
||||
/**
|
||||
* Revokes user specific permissions
|
||||
*
|
||||
* @param userPermission user and permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
* @throws IOException if a remote or network exception occurs
|
||||
*/
|
||||
void revoke(UserPermission userPermission) throws IOException;
|
||||
void revoke(String userName, Permission permission) throws IOException;
|
||||
}
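Review bot: The new `@param userName user name` lines on `grant` and `revoke` do not say which form of the name is expected, and now that the parameter is a plain `String` the Javadoc is the only place that contract is written down. Callers elsewhere in this commit pass short names (`USER_RO.getShortName()`) and the deprecated `AccessControlUtil` methods document `userShortName`; a name in another form would presumably not match the stored entry, so a `revoke` could leave the permission in place without reporting an error. I would write `@param userName short name of the user the permission is granted to` (and `... revoked from` on `revoke`). It would also help to state on `mergeExistingPermissions` that passing `false` can remove actions the user already holds, if that is what "override" means here. The `AsyncAdmin` Javadoc in the next file section has the same wording and needs the same change.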
|
||||
|
|
|
@ -41,7 +41,7 @@ import org.apache.hadoop.hbase.quotas.QuotaSettings;
|
|||
import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshotView;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
|
||||
/**
|
||||
|
@ -1305,16 +1305,19 @@ public interface AsyncAdmin {
|
|||
|
||||
/**
|
||||
* Grants user specific permissions
|
||||
* @param userPermission user and permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
||||
* previous granted permissions. otherwise, it'll merge with previous granted
|
||||
* permissions.
|
||||
*/
|
||||
CompletableFuture<Void> grant(UserPermission userPermission, boolean mergeExistingPermissions);
|
||||
CompletableFuture<Void> grant(String userName, Permission permission,
|
||||
boolean mergeExistingPermissions);
|
||||
|
||||
/**
|
||||
* Revokes user specific permissions
|
||||
* @param userPermission user and permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
*/
|
||||
CompletableFuture<Void> revoke(UserPermission userPermission);
|
||||
CompletableFuture<Void> revoke(String userName, Permission permission);
|
||||
}
|
||||
|
|
|
@ -41,7 +41,7 @@ import org.apache.hadoop.hbase.quotas.QuotaSettings;
|
|||
import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshot;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.util.FutureUtils;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
|
||||
|
@ -790,13 +790,13 @@ class AsyncHBaseAdmin implements AsyncAdmin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> grant(UserPermission userPermission,
|
||||
public CompletableFuture<Void> grant(String userName, Permission permission,
|
||||
boolean mergeExistingPermissions) {
|
||||
return wrap(rawAdmin.grant(userPermission, mergeExistingPermissions));
|
||||
return wrap(rawAdmin.grant(userName, permission, mergeExistingPermissions));
|
||||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> revoke(UserPermission userPermission) {
|
||||
return wrap(rawAdmin.revoke(userPermission));
|
||||
public CompletableFuture<Void> revoke(String userName, Permission permission) {
|
||||
return wrap(rawAdmin.revoke(userName, permission));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -90,6 +90,7 @@ import org.apache.hadoop.hbase.regionserver.wal.FailedLogCloseException;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
||||
|
@ -4458,13 +4459,13 @@ public class HBaseAdmin implements Admin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
|
||||
public void grant(String userName, Permission permission, boolean mergeExistingPermissions)
|
||||
throws IOException {
|
||||
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
|
||||
@Override
|
||||
protected Void rpcCall() throws Exception {
|
||||
GrantRequest req =
|
||||
ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions);
|
||||
GrantRequest req = ShadedAccessControlUtil
|
||||
.buildGrantRequest(new UserPermission(userName, permission), mergeExistingPermissions);
|
||||
this.master.grant(getRpcController(), req);
|
||||
return null;
|
||||
}
|
||||
|
@ -4472,11 +4473,12 @@ public class HBaseAdmin implements Admin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public void revoke(UserPermission userPermission) throws IOException {
|
||||
public void revoke(String userName, Permission permission) throws IOException {
|
||||
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
|
||||
@Override
|
||||
protected Void rpcCall() throws Exception {
|
||||
RevokeRequest req = ShadedAccessControlUtil.buildRevokeRequest(userPermission);
|
||||
RevokeRequest req =
|
||||
ShadedAccessControlUtil.buildRevokeRequest(new UserPermission(userName, permission));
|
||||
this.master.revoke(getRpcController(), req);
|
||||
return null;
|
||||
}
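Review bot: `grant` and `revoke` pass `userName` and `permission` unchecked into `new UserPermission(userName, permission)` inside `rpcCall()`, so a null argument is only discovered, if at all, after the master callable has been created and started. For an access-control call I would fail fast at the top of both methods with `Objects.requireNonNull(userName, "userName");` and `Objects.requireNonNull(permission, "permission");` (this needs `java.util.Objects` if the file does not already import it). `RawAsyncHBaseAdmin.grant` and `revoke` in the next file section build the `UserPermission` inside the action lambda in the same way. Both method bodies here continue past the end of their hunks.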
|
||||
|
|
|
@ -84,6 +84,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshot;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
||||
|
@ -3739,20 +3740,23 @@ class RawAsyncHBaseAdmin implements AsyncAdmin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> grant(UserPermission userPermission,
|
||||
public CompletableFuture<Void> grant(String userName, Permission permission,
|
||||
boolean mergeExistingPermissions) {
|
||||
return this.<Void> newMasterCaller()
|
||||
.action((controller, stub) -> this.<GrantRequest, GrantResponse, Void> call(controller,
|
||||
stub, ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions),
|
||||
.action(
|
||||
(controller, stub) -> this.<GrantRequest, GrantResponse, Void> call(controller, stub,
|
||||
ShadedAccessControlUtil.buildGrantRequest(new UserPermission(userName, permission),
|
||||
mergeExistingPermissions),
|
||||
(s, c, req, done) -> s.grant(c, req, done), resp -> null))
|
||||
.call();
|
||||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> revoke(UserPermission userPermission) {
|
||||
public CompletableFuture<Void> revoke(String userName, Permission permission) {
|
||||
return this.<Void> newMasterCaller()
|
||||
.action((controller, stub) -> this.<RevokeRequest, RevokeResponse, Void> call(controller,
|
||||
stub, ShadedAccessControlUtil.buildRevokeRequest(userPermission),
|
||||
.action(
|
||||
(controller, stub) -> this.<RevokeRequest, RevokeResponse, Void> call(controller, stub,
|
||||
ShadedAccessControlUtil.buildRevokeRequest(new UserPermission(userName, permission)),
|
||||
(s, c, req, done) -> s.revoke(c, req, done), resp -> null))
|
||||
.call();
|
||||
}
|
||||
|
|
|
@ -93,10 +93,8 @@ public class AccessControlClient {
|
|||
private static void grant(Connection connection, final TableName tableName,
|
||||
final String userName, final byte[] family, final byte[] qual, boolean mergeExistingPermissions,
|
||||
final Permission.Action... actions) throws Throwable {
|
||||
// TODO: Priority is not used.
|
||||
UserPermission userPermission =
|
||||
new UserPermission(userName, new TablePermission(tableName, family, qual, actions));
|
||||
connection.getAdmin().grant(userPermission, mergeExistingPermissions);
|
||||
connection.getAdmin().grant(userName, new TablePermission(tableName, family, qual, actions),
|
||||
mergeExistingPermissions);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -128,9 +126,8 @@ public class AccessControlClient {
|
|||
*/
|
||||
private static void grant(Connection connection, final String namespace, final String userName,
|
||||
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
||||
UserPermission userPermission =
|
||||
new UserPermission(userName, new NamespacePermission(namespace, actions));
|
||||
connection.getAdmin().grant(userPermission, mergeExistingPermissions);
|
||||
connection.getAdmin().grant(userName, new NamespacePermission(namespace, actions),
|
||||
mergeExistingPermissions);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -160,8 +157,7 @@ public class AccessControlClient {
|
|||
*/
|
||||
private static void grant(Connection connection, final String userName,
|
||||
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
||||
UserPermission userPermission = new UserPermission(userName, new GlobalPermission(actions));
|
||||
connection.getAdmin().grant(userPermission, mergeExistingPermissions);
|
||||
connection.getAdmin().grant(userName, new GlobalPermission(actions), mergeExistingPermissions);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -198,9 +194,8 @@ public class AccessControlClient {
|
|||
public static void revoke(Connection connection, final TableName tableName,
|
||||
final String username, final byte[] family, final byte[] qualifier,
|
||||
final Permission.Action... actions) throws Throwable {
|
||||
UserPermission userPermission =
|
||||
new UserPermission(username, new TablePermission(tableName, family, qualifier, actions));
|
||||
connection.getAdmin().revoke(userPermission);
|
||||
connection.getAdmin().revoke(username,
|
||||
new TablePermission(tableName, family, qualifier, actions));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -213,9 +208,7 @@ public class AccessControlClient {
|
|||
*/
|
||||
public static void revoke(Connection connection, final String namespace,
|
||||
final String userName, final Permission.Action... actions) throws Throwable {
|
||||
UserPermission userPermission =
|
||||
new UserPermission(userName, new NamespacePermission(namespace, actions));
|
||||
connection.getAdmin().revoke(userPermission);
|
||||
connection.getAdmin().revoke(userName, new NamespacePermission(namespace, actions));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -224,8 +217,7 @@ public class AccessControlClient {
|
|||
*/
|
||||
public static void revoke(Connection connection, final String userName,
|
||||
final Permission.Action... actions) throws Throwable {
|
||||
UserPermission userPermission = new UserPermission(userName, new GlobalPermission(actions));
|
||||
connection.getAdmin().revoke(userPermission);
|
||||
connection.getAdmin().revoke(userName, new GlobalPermission(actions));
|
||||
}
|
||||
|
||||
/**
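Review bot: Each rewritten call obtains an `Admin` with `connection.getAdmin()` and never closes it, although `Admin` extends `Closeable` (visible in the `Admin` interface hunk on this page); whether anything is actually leaked depends on the implementation, which is not shown. Since these lines are being rewritten anyway, I would scope the handle, e.g. `try (Admin admin = connection.getAdmin()) { admin.grant(userName, new GlobalPermission(actions), mergeExistingPermissions); }`, and do the same in the other five `grant`/`revoke` helpers of this file. The same unclosed `getAdmin()` pattern appears on the new lines in `AccessController` (`regionEnv.getConnection().getAdmin().grant(...)`) and throughout `SecureTestUtil`.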
|
||||
|
|
|
@ -491,7 +491,7 @@ public class AccessControlUtil {
|
|||
* @param userShortName the short name of the user to grant permissions
|
||||
* @param actions the permissions to be granted
|
||||
* @throws ServiceException
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void grant(RpcController controller,
|
||||
|
@ -520,7 +520,7 @@ public class AccessControlUtil {
|
|||
* @param q optional qualifier
|
||||
* @param actions the permissions to be granted
|
||||
* @throws ServiceException
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void grant(RpcController controller,
|
||||
|
@ -548,7 +548,7 @@ public class AccessControlUtil {
|
|||
* @param namespace the short name of the user to grant permissions
|
||||
* @param actions the permissions to be granted
|
||||
* @throws ServiceException
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void grant(RpcController controller,
|
||||
|
@ -574,7 +574,7 @@ public class AccessControlUtil {
|
|||
* @param userShortName the short name of the user to revoke permissions
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException on failure
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void revoke(RpcController controller,
|
||||
|
@ -604,7 +604,7 @@ public class AccessControlUtil {
|
|||
* @param q optional qualifier
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException on failure
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void revoke(RpcController controller,
|
||||
|
@ -631,7 +631,7 @@ public class AccessControlUtil {
|
|||
* @param namespace optional table name
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException on failure
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void revoke(RpcController controller,
|
||||
|
|
|
@ -24,7 +24,9 @@ import java.io.IOException;
|
|||
import java.util.Arrays;
|
||||
import java.util.EnumSet;
|
||||
import java.util.Map;
|
||||
import java.util.Objects;
|
||||
|
||||
import org.apache.hadoop.hbase.TableName;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
@ -241,4 +243,77 @@ public class Permission extends VersionedWritable {
|
|||
public Scope getAccessScope() {
|
||||
return scope;
|
||||
}
|
||||
|
||||
/**
|
||||
* Build a global permission
|
||||
* @return global permission builder
|
||||
*/
|
||||
public static Builder newBuilder() {
|
||||
return new Builder();
|
||||
}
|
||||
|
||||
/**
|
||||
* Build a namespace permission
|
||||
* @param namespace the specific namespace
|
||||
* @return namespace permission builder
|
||||
*/
|
||||
public static Builder newBuilder(String namespace) {
|
||||
return new Builder(namespace);
|
||||
}
|
||||
|
||||
/**
|
||||
* Build a table permission
|
||||
* @param tableName the specific table name
|
||||
* @return table permission builder
|
||||
*/
|
||||
public static Builder newBuilder(TableName tableName) {
|
||||
return new Builder(tableName);
|
||||
}
|
||||
|
||||
public static final class Builder {
|
||||
private String namespace;
|
||||
private TableName tableName;
|
||||
private byte[] family;
|
||||
private byte[] qualifier;
|
||||
private Action[] actions;
|
||||
|
||||
private Builder() {
|
||||
}
|
||||
|
||||
private Builder(String namespace) {
|
||||
this.namespace = namespace;
|
||||
}
|
||||
|
||||
private Builder(TableName tableName) {
|
||||
this.tableName = tableName;
|
||||
}
|
||||
|
||||
public Builder withFamily(byte[] family) {
|
||||
Objects.requireNonNull(tableName, "The tableName can't be NULL");
|
||||
this.family = family;
|
||||
return this;
|
||||
}
|
||||
|
||||
public Builder withQualifier(byte[] qualifier) {
|
||||
Objects.requireNonNull(tableName, "The tableName can't be NULL");
|
||||
this.qualifier = qualifier;
|
||||
return this;
|
||||
}
|
||||
|
||||
public Builder withActions(Action... actions) {
|
||||
this.actions = actions;
|
||||
return this;
|
||||
}
|
||||
|
||||
public Permission build() {
|
||||
if (namespace != null) {
|
||||
return new NamespacePermission(namespace, actions);
|
||||
} else if (tableName != null) {
|
||||
return new TablePermission(tableName, family, qualifier, actions);
|
||||
} else {
|
||||
return new GlobalPermission(actions);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
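Review bot: `Builder.withQualifier` only checks that `tableName` is set, so `Permission.newBuilder(table).withQualifier(q).build()` hands `TablePermission` a qualifier with a null family. How `TablePermission` and the ACL storage treat that combination is not visible in this hunk; if the qualifier is dropped or matched across all families, the resulting grant is wider than the caller asked for. I would reject it in `build()` with `if (qualifier != null && family == null) { throw new IllegalArgumentException("qualifier requires a family"); }`. Separately, the `Builder` methods have no Javadoc, and the message `The tableName can't be NULL` does not tell a caller that family and qualifier are only valid on a builder created with `newBuilder(TableName)`; a one-line Javadoc on `withFamily` and `withQualifier` saying so would cover it.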
|
||||
|
|
|
@ -2054,7 +2054,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
/* ---- Protobuf AccessControlService implementation ---- */
|
||||
|
||||
/**
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
|
@ -2077,7 +2077,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
preGrantOrRevoke(caller, "grant", perm);
|
||||
|
||||
// regionEnv is set at #start. Hopefully not null at this point.
|
||||
regionEnv.getConnection().getAdmin().grant(perm, request.getMergeExistingPermissions());
|
||||
regionEnv.getConnection().getAdmin().grant(perm.getUser(), perm.getPermission(),
|
||||
request.getMergeExistingPermissions());
|
||||
if (AUDITLOG.isTraceEnabled()) {
|
||||
// audit log should store permission changes in addition to auth results
|
||||
AUDITLOG.trace("Granted permission " + perm.toString());
|
||||
|
@ -2095,7 +2096,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
}
|
||||
|
||||
/**
|
||||
* @deprecated Use {@link Admin#revoke(UserPermission)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
|
@ -2116,7 +2117,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
}
|
||||
preGrantOrRevoke(caller, "revoke", perm);
|
||||
// regionEnv is set at #start. Hopefully not null here.
|
||||
regionEnv.getConnection().getAdmin().revoke(perm);
|
||||
regionEnv.getConnection().getAdmin().revoke(perm.getUser(), perm.getPermission());
|
||||
if (AUDITLOG.isTraceEnabled()) {
|
||||
// audit log should record all permission changes
|
||||
AUDITLOG.trace("Revoked permission " + perm.toString());
|
||||
|
|
|
@ -378,8 +378,7 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().grant(new UserPermission(user, new GlobalPermission(actions)),
|
||||
false);
|
||||
connection.getAdmin().grant(user, new GlobalPermission(actions), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -398,7 +397,7 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().grant(new UserPermission(user, new GlobalPermission(actions)),
|
||||
connection.getAdmin().grant(user, Permission.newBuilder().withActions(actions).build(),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
|
@ -417,7 +416,7 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().revoke(new UserPermission(user, new GlobalPermission(actions)));
|
||||
connection.getAdmin().revoke(user, new GlobalPermission(actions));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -436,7 +435,7 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().revoke(new UserPermission(user, new GlobalPermission(actions)));
|
||||
connection.getAdmin().revoke(user, Permission.newBuilder().withActions(actions).build());
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -455,7 +454,7 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin()
|
||||
.grant(new UserPermission(user, new NamespacePermission(namespace, actions)), false);
|
||||
.grant(user, new NamespacePermission(namespace, actions), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -475,8 +474,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin()
|
||||
.grant(new UserPermission(user, new NamespacePermission(namespace, actions)), false);
|
||||
connection.getAdmin().grant(user,
|
||||
Permission.newBuilder(namespace).withActions(actions).build(), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -536,8 +535,7 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin()
|
||||
.revoke(new UserPermission(user, new NamespacePermission(namespace, actions)));
|
||||
connection.getAdmin().revoke(user, new NamespacePermission(namespace, actions));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -557,8 +555,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin()
|
||||
.revoke(new UserPermission(user, new NamespacePermission(namespace, actions)));
|
||||
connection.getAdmin().revoke(user,
|
||||
Permission.newBuilder(namespace).withActions(actions).build());
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -577,8 +575,7 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(user, new TablePermission(table, family, qualifier, actions)),
|
||||
connection.getAdmin().grant(user, new TablePermission(table, family, qualifier, actions),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
|
@ -599,8 +596,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(user, new TablePermission(table, family, qualifier, actions)),
|
||||
connection.getAdmin().grant(user, Permission.newBuilder(table).withFamily(family)
|
||||
.withQualifier(qualifier).withActions(actions).build(),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
|
@ -662,8 +659,8 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().revoke(
|
||||
new UserPermission(user, new TablePermission(table, family, qualifier, actions)));
|
||||
connection.getAdmin().revoke(user,
|
||||
new TablePermission(table, family, qualifier, actions));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -683,8 +680,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().revoke(
|
||||
new UserPermission(user, new TablePermission(table, family, qualifier, actions)));
|
||||
connection.getAdmin().revoke(user, Permission.newBuilder(table).withFamily(family)
|
||||
.withQualifier(qualifier).withActions(actions).build());
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -1168,9 +1168,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||
conn.getAdmin().grant(new UserPermission(USER_RO.getShortName(),
|
||||
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)),
|
||||
false);
|
||||
conn.getAdmin().grant(USER_RO.getShortName(),
|
||||
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -1179,9 +1178,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
AccessTestAction revokeAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
try(Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||
conn.getAdmin().revoke(new UserPermission(USER_RO.getShortName(),
|
||||
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)));
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||
conn.getAdmin().revoke(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE)
|
||||
.withFamily(TEST_FAMILY).withActions(Action.READ).build());
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -362,9 +362,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)),
|
||||
false);
|
||||
connection.getAdmin().grant(testUser,
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.WRITE), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -373,9 +372,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||
conn.getAdmin().grant(
|
||||
new UserPermission(USER_GROUP_NS_ADMIN.getShortName(), TEST_NAMESPACE, Action.READ),
|
||||
false);
|
||||
conn.getAdmin().grant(USER_GROUP_NS_ADMIN.getShortName(),
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.READ), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -385,8 +383,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
connection.getAdmin().revoke(
|
||||
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)));
|
||||
connection.getAdmin().revoke(testUser,
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.WRITE));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -395,8 +393,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
connection.getAdmin().revoke(new UserPermission(USER_GROUP_NS_ADMIN.getShortName(),
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.READ)));
|
||||
connection.getAdmin().revoke(USER_GROUP_NS_ADMIN.getShortName(),
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.READ));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,125 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.hbase.security.access;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
import org.apache.hadoop.hbase.HBaseClassTestRule;
|
||||
import org.apache.hadoop.hbase.TableName;
|
||||
import org.apache.hadoop.hbase.security.access.Permission.Action;
|
||||
import org.apache.hadoop.hbase.testclassification.SecurityTests;
|
||||
import org.apache.hadoop.hbase.testclassification.SmallTests;
|
||||
import org.apache.hadoop.hbase.util.Bytes;
|
||||
import org.junit.ClassRule;
|
||||
import org.junit.Test;
|
||||
import org.junit.experimental.categories.Category;
|
||||
|
||||
@Category({ SecurityTests.class, SmallTests.class })
|
||||
public class TestPermissionBuilder {
|
||||
|
||||
@ClassRule
|
||||
public static final HBaseClassTestRule CLASS_RULE =
|
||||
HBaseClassTestRule.forClass(TestPermissionBuilder.class);
|
||||
|
||||
@Test
|
||||
public void testBuildGlobalPermission() {
|
||||
// check global permission with empty action
|
||||
Permission permission = Permission.newBuilder().build();
|
||||
assertTrue(permission instanceof GlobalPermission);
|
||||
assertEquals(0, permission.getActions().length);
|
||||
|
||||
// check global permission with ADMIN action
|
||||
permission = Permission.newBuilder().withActions(Action.ADMIN).build();
|
||||
assertTrue(permission instanceof GlobalPermission);
|
||||
assertEquals(1, permission.getActions().length);
|
||||
assertTrue(permission.getActions()[0] == Action.ADMIN);
|
||||
|
||||
byte[] qualifier = Bytes.toBytes("q");
|
||||
try {
|
||||
permission = Permission.newBuilder().withQualifier(qualifier)
|
||||
.withActions(Action.CREATE, Action.READ).build();
|
||||
fail("Should throw NPE");
|
||||
} catch (NullPointerException e) {
|
||||
// catch NPE because set family but table name is null
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testBuildNamespacePermission() {
|
||||
String namespace = "ns";
|
||||
// check namespace permission with CREATE and READ actions
|
||||
Permission permission =
|
||||
Permission.newBuilder(namespace).withActions(Action.CREATE, Action.READ).build();
|
||||
assertTrue(permission instanceof NamespacePermission);
|
||||
NamespacePermission namespacePermission = (NamespacePermission) permission;
|
||||
assertEquals(namespace, namespacePermission.getNamespace());
|
||||
assertEquals(2, permission.getActions().length);
|
||||
assertEquals(Action.READ, permission.getActions()[0]);
|
||||
assertEquals(Action.CREATE, permission.getActions()[1]);
|
||||
|
||||
byte[] family = Bytes.toBytes("f");
|
||||
try {
|
||||
permission = Permission.newBuilder(namespace).withFamily(family)
|
||||
.withActions(Action.CREATE, Action.READ).build();
|
||||
fail("Should throw NPE");
|
||||
} catch (NullPointerException e) {
|
||||
// catch NPE because set family but table name is null
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testBuildTablePermission() {
|
||||
TableName tableName = TableName.valueOf("ns", "table");
|
||||
byte[] family = Bytes.toBytes("f");
|
||||
byte[] qualifier = Bytes.toBytes("q");
|
||||
// check table permission without family or qualifier
|
||||
Permission permission =
|
||||
Permission.newBuilder(tableName).withActions(Action.WRITE, Action.READ).build();
|
||||
assertTrue(permission instanceof TablePermission);
|
||||
assertEquals(2, permission.getActions().length);
|
||||
assertEquals(Action.READ, permission.getActions()[0]);
|
||||
assertEquals(Action.WRITE, permission.getActions()[1]);
|
||||
TablePermission tPerm = (TablePermission) permission;
|
||||
assertEquals(tableName, tPerm.getTableName());
|
||||
assertEquals(null, tPerm.getFamily());
|
||||
assertEquals(null, tPerm.getQualifier());
|
||||
|
||||
// check table permission with family
|
||||
permission =
|
||||
Permission.newBuilder(tableName).withFamily(family).withActions(Action.EXEC).build();
|
||||
assertTrue(permission instanceof TablePermission);
|
||||
assertEquals(1, permission.getActions().length);
|
||||
assertEquals(Action.EXEC, permission.getActions()[0]);
|
||||
tPerm = (TablePermission) permission;
|
||||
assertEquals(tableName, tPerm.getTableName());
|
||||
assertTrue(Bytes.equals(family, tPerm.getFamily()));
|
||||
assertTrue(Bytes.equals(null, tPerm.getQualifier()));
|
||||
|
||||
// check table permission with family and qualifier
|
||||
permission =
|
||||
Permission.newBuilder(tableName).withFamily(family).withQualifier(qualifier).build();
|
||||
assertTrue(permission instanceof TablePermission);
|
||||
assertEquals(0, permission.getActions().length);
|
||||
tPerm = (TablePermission) permission;
|
||||
assertEquals(tableName, tPerm.getTableName());
|
||||
assertTrue(Bytes.equals(family, tPerm.getFamily()));
|
||||
assertTrue(Bytes.equals(qualifier, tPerm.getQualifier()));
|
||||
}
|
||||
}
|
|
@ -59,7 +59,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshot;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.thrift2.ThriftUtilities;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.TColumnFamilyDescriptor;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
|
||||
|
@ -1418,12 +1418,12 @@ public class ThriftAdmin implements Admin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public void grant(UserPermission userPermission, boolean mergeExistingPermissions) {
|
||||
public void grant(String userName, Permission permission, boolean mergeExistingPermissions) {
|
||||
throw new NotImplementedException("grant not supported in ThriftAdmin");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void revoke(UserPermission userPermission) {
|
||||
public void revoke(String userName, Permission permission) {
|
||||
throw new NotImplementedException("revoke not supported in ThriftAdmin");
|
||||
}
|
||||
}
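Review bot: The reworked `grant(String userName, Permission permission, boolean mergeExistingPermissions)` and `revoke(String userName, Permission permission)` overrides in ThriftAdmin declare no `throws` clause and fail with NotImplementedException, while the Admin interface documents only IOException for both calls. Code that wraps an access-control change in an IOException handler will therefore not catch the failure on a Thrift-backed Admin, and a revoke that was expected to remove access must be treated as not applied. I would add a short comment on each override that says so, for example `// ACL changes are not available over Thrift: throws unchecked NotImplementedException, not IOException`. The ThriftAdmin class body starts outside this hunk, so whether the class already documents its unsupported operations elsewhere cannot be seen from here.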
|
||||
|
|