Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-12659 Replace the method calls to grant and revoke in shell scripts with AccessControlClient (Srikanth Srungarapu)

This commit is contained in:
tedyu 2014-12-13 10:17:43 -08:00
parent b24518562a
commit 65830b096b
4 changed files with 128 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java
View File

@ -100,6 +100,20 @@ public class AccessControlClient {
} }
} }
/**
* Grant global permissions for the specified user.
*/
public static void grant(Configuration conf, final String userName,
final Permission.Action... actions) throws Throwable {
// TODO: Make it so caller passes in a Connection rather than have us do this expensive
// setup each time. This class only used in test and shell at moment though.
try (Connection connection = ConnectionFactory.createConnection(conf)) {
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
ProtobufUtil.grant(getAccessControlServiceStub(table), userName, actions);
}
}
}
public static boolean isAccessControllerRunning(Configuration conf) public static boolean isAccessControllerRunning(Configuration conf)
throws MasterNotRunningException, ZooKeeperConnectionException, IOException { throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
// TODO: Make it so caller passes in a Connection rather than have us do this expensive // TODO: Make it so caller passes in a Connection rather than have us do this expensive
@ -153,6 +167,20 @@ public class AccessControlClient {
} }
} }
/**
* Revoke global permissions for the specified user.
*/
public static void revoke(Configuration conf, final String userName,
final Permission.Action... actions) throws Throwable {
// TODO: Make it so caller passes in a Connection rather than have us do this expensive
// setup each time. This class only used in test and shell at moment though.
try (Connection connection = ConnectionFactory.createConnection(conf)) {
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
ProtobufUtil.revoke(getAccessControlServiceStub(table), userName, actions);
}
}
}
/** /**
* List all the userPermissions matching the given pattern. * List all the userPermissions matching the given pattern.
* @param conf * @param conf

42
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
View File

@ -498,6 +498,27 @@ public class SecureTestUtil {
}); });
} }
/**
* Grant global permissions to the given user using AccessControlClient. Will wait until all
* active AccessController instances have updated their permissions caches or will
* throw an exception upon timeout (10 seconds).
*/
public static void grantGlobalUsingAccessControlClient(final HBaseTestingUtility util,
final Configuration conf, final String user, final Permission.Action... actions)
throws Exception {
SecureTestUtil.updateACLs(util, new Callable<Void>() {
@Override
public Void call() throws Exception {
try {
AccessControlClient.grant(conf, user, actions);
} catch (Throwable t) {
t.printStackTrace();
}
return null;
}
});
}
/** /**
* Revoke permissions on a table from the given user. Will wait until all active * Revoke permissions on a table from the given user. Will wait until all active
* AccessController instances have updated their permissions caches or will * AccessController instances have updated their permissions caches or will
@ -542,4 +563,25 @@ public class SecureTestUtil {
} }
}); });
} }
/**
* Revoke global permissions from the given user using AccessControlClient. Will wait until
* all active AccessController instances have updated their permissions caches or will
* throw an exception upon timeout (10 seconds).
*/
public static void revokeGlobalUsingAccessControlClient(final HBaseTestingUtility util,
final Configuration conf, final String user,final Permission.Action... actions)
throws Exception {
SecureTestUtil.updateACLs(util, new Callable<Void>() {
@Override
public Void call() throws Exception {
try {
AccessControlClient.revoke(conf, user, actions);
} catch (Throwable t) {
t.printStackTrace();
}
return null;
}
});
}
} }

42
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -2212,6 +2212,48 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(getAction, testGrantRevoke); verifyDenied(getAction, testGrantRevoke);
} }
@Test
public void testAccessControlClientGlobalGrantRevoke() throws Exception {
// Create user for testing, who has no READ privileges by default.
User testGlobalGrantRevoke = User.createUserForTesting(conf,
"testGlobalGrantRevoke", new String[0]);
AccessTestAction getAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE.getTableName());
try {
return t.get(new Get(TEST_ROW));
} finally {
t.close();
}
}
};
verifyDenied(getAction, testGlobalGrantRevoke);
// Grant table READ permissions to testGlobalGrantRevoke.
try {
grantGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(),
Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e);
}
// Now testGlobalGrantRevoke should be able to read also
verifyAllowed(getAction, testGlobalGrantRevoke);
// Revoke table READ permission to testGlobalGrantRevoke.
try {
revokeGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(),
Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e);
}
// Now testGlobalGrantRevoke shouldn't be able read
verifyDenied(getAction, testGlobalGrantRevoke);
}
@Test @Test
public void testAccessControlClientGrantRevokeOnNamespace() throws Exception { public void testAccessControlClientGrantRevokeOnNamespace() throws Exception {
// Create user for testing, who has no READ privileges by default. // Create user for testing, who has no READ privileges by default.

57
hbase-shell/src/main/ruby/hbase/security.rb
View File

@ -38,21 +38,14 @@ module Hbase
# TODO: need to validate user name # TODO: need to validate user name
begin begin
meta_table = @connection.getTable(
org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME)
service = meta_table.coprocessorService(
org.apache.hadoop.hbase.HConstants::EMPTY_START_ROW)
protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos::
AccessControlService.newBlockingStub(service)
perm = org.apache.hadoop.hbase.security.access.Permission.new(
permissions.to_java_bytes)
# Verify that the specified permission is valid # Verify that the specified permission is valid
if (permissions == nil || permissions.length == 0) if (permissions == nil || permissions.length == 0)
raise(ArgumentError, "Invalid permission: no actions associated with user") raise(ArgumentError, "Invalid permission: no actions associated with user")
end end
perm = org.apache.hadoop.hbase.security.access.Permission.new(
permissions.to_java_bytes)
if (table_name != nil) if (table_name != nil)
tablebytes=table_name.to_java_bytes tablebytes=table_name.to_java_bytes
#check if the tablename passed is actually a namespace #check if the tablename passed is actually a namespace
@ -62,9 +55,8 @@ module Hbase
raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless
namespace_exists?(namespace_name) namespace_exists?(namespace_name)
# invoke cp endpoint to perform access controlse org.apache.hadoop.hbase.security.access.AccessControlClient.grant(
org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( @config, namespace_name, user, perm.getActions())
protocol, user, namespace_name, perm.getActions())
else else
# Table should exist # Table should exist
raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)
@ -79,19 +71,14 @@ module Hbase
fambytes = family.to_java_bytes if (family != nil) fambytes = family.to_java_bytes if (family != nil)
qualbytes = qualifier.to_java_bytes if (qualifier != nil) qualbytes = qualifier.to_java_bytes if (qualifier != nil)
# invoke cp endpoint to perform access controlse org.apache.hadoop.hbase.security.access.AccessControlClient.grant(
org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( @config, tableName, user, fambytes, qualbytes, perm.getActions())
protocol, user, tableName, fambytes,
qualbytes, perm.getActions())
end end
else else
# invoke cp endpoint to perform access controlse # invoke cp endpoint to perform access controls
org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( org.apache.hadoop.hbase.security.access.AccessControlClient.grant(
protocol, user, perm.getActions()) @config, user, perm.getActions())
end end
ensure
meta_table.close()
end end
end end
@ -102,14 +89,6 @@ module Hbase
# TODO: need to validate user name # TODO: need to validate user name
begin begin
meta_table = @connection.getTable(
org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME)
service = meta_table.coprocessorService(
org.apache.hadoop.hbase.HConstants::EMPTY_START_ROW)
protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos::
AccessControlService.newBlockingStub(service)
if (table_name != nil) if (table_name != nil)
#check if the tablename passed is actually a namespace #check if the tablename passed is actually a namespace
if (isNamespace?(table_name)) if (isNamespace?(table_name))
@ -118,9 +97,8 @@ module Hbase
raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name) raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name)
tablebytes=table_name.to_java_bytes tablebytes=table_name.to_java_bytes
# invoke cp endpoint to perform access controlse org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( @config, namespace_name, user)
protocol, user, namespace_name)
else else
# Table should exist # Table should exist
raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)
@ -135,17 +113,14 @@ module Hbase
fambytes = family.to_java_bytes if (family != nil) fambytes = family.to_java_bytes if (family != nil)
qualbytes = qualifier.to_java_bytes if (qualifier != nil) qualbytes = qualifier.to_java_bytes if (qualifier != nil)
# invoke cp endpoint to perform access controlse org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( @config, tableName, user, fambytes, qualbytes)
protocol, user, tableName, fambytes, qualbytes)
end end
else else
# invoke cp endpoint to perform access controlse
perm = org.apache.hadoop.hbase.security.access.Permission.new(''.to_java_bytes) perm = org.apache.hadoop.hbase.security.access.Permission.new(''.to_java_bytes)
org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke(protocol, user, perm.getActions()) org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
@config, user, perm.getActions())
end end
ensure
meta_table.close()
end end
end end