HBASE-22015 UserPermission should be annotated as InterfaceAudience.Public
Signed-off-by: Guanghao Zhang <zghao@apache.org>
This commit is contained in:
parent
f65bf79d1d
commit
86dd92cccb
|
@ -53,7 +53,7 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
|
||||
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
||||
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
|
||||
|
@ -2038,21 +2038,18 @@ public interface Admin extends Abortable, Closeable {
|
|||
|
||||
/**
|
||||
* Grants user specific permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
* @param userPermission user name and the specific permission
|
||||
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
||||
* previous granted permissions. otherwise, it'll merge with previous granted
|
||||
* permissions.
|
||||
* @throws IOException if a remote or network exception occurs
|
||||
*/
|
||||
void grant(String userName, Permission permission, boolean mergeExistingPermissions)
|
||||
throws IOException;
|
||||
void grant(UserPermission userPermission, boolean mergeExistingPermissions) throws IOException;
|
||||
|
||||
/**
|
||||
* Revokes user specific permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
* @param userPermission user name and the specific permission
|
||||
* @throws IOException if a remote or network exception occurs
|
||||
*/
|
||||
void revoke(String userName, Permission permission) throws IOException;
|
||||
void revoke(UserPermission userPermission) throws IOException;
|
||||
}
|
||||
|
|
|
@ -46,7 +46,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshotView;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
|
||||
/**
|
||||
|
@ -1428,19 +1428,16 @@ public interface AsyncAdmin {
|
|||
|
||||
/**
|
||||
* Grants user specific permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
* @param userPermission user name and the specific permission
|
||||
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
||||
* previous granted permissions. otherwise, it'll merge with previous granted
|
||||
* permissions.
|
||||
*/
|
||||
CompletableFuture<Void> grant(String userName, Permission permission,
|
||||
boolean mergeExistingPermissions);
|
||||
CompletableFuture<Void> grant(UserPermission userPermission, boolean mergeExistingPermissions);
|
||||
|
||||
/**
|
||||
* Revokes user specific permissions
|
||||
* @param userName user name
|
||||
* @param permission the specific permission
|
||||
* @param userPermission user name and the specific permission
|
||||
*/
|
||||
CompletableFuture<Void> revoke(String userName, Permission permission);
|
||||
CompletableFuture<Void> revoke(UserPermission userPermission);
|
||||
}
|
||||
|
|
|
@ -42,7 +42,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshot;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.util.FutureUtils;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
|
||||
|
@ -798,13 +798,13 @@ class AsyncHBaseAdmin implements AsyncAdmin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> grant(String userName, Permission permission,
|
||||
public CompletableFuture<Void> grant(UserPermission userPermission,
|
||||
boolean mergeExistingPermissions) {
|
||||
return wrap(rawAdmin.grant(userName, permission, mergeExistingPermissions));
|
||||
return wrap(rawAdmin.grant(userPermission, mergeExistingPermissions));
|
||||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> revoke(String userName, Permission permission) {
|
||||
return wrap(rawAdmin.revoke(userName, permission));
|
||||
public CompletableFuture<Void> revoke(UserPermission userPermission) {
|
||||
return wrap(rawAdmin.revoke(userPermission));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -85,7 +85,6 @@ import org.apache.hadoop.hbase.regionserver.wal.FailedLogCloseException;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
||||
|
@ -3819,13 +3818,13 @@ public class HBaseAdmin implements Admin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public void grant(String userName, Permission permission, boolean mergeExistingPermissions)
|
||||
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
|
||||
throws IOException {
|
||||
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
|
||||
@Override
|
||||
protected Void rpcCall() throws Exception {
|
||||
GrantRequest req = ShadedAccessControlUtil
|
||||
.buildGrantRequest(new UserPermission(userName, permission), mergeExistingPermissions);
|
||||
GrantRequest req =
|
||||
ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions);
|
||||
this.master.grant(getRpcController(), req);
|
||||
return null;
|
||||
}
|
||||
|
@ -3833,12 +3832,11 @@ public class HBaseAdmin implements Admin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public void revoke(String userName, Permission permission) throws IOException {
|
||||
public void revoke(UserPermission userPermission) throws IOException {
|
||||
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
|
||||
@Override
|
||||
protected Void rpcCall() throws Exception {
|
||||
RevokeRequest req =
|
||||
ShadedAccessControlUtil.buildRevokeRequest(new UserPermission(userName, permission));
|
||||
RevokeRequest req = ShadedAccessControlUtil.buildRevokeRequest(userPermission);
|
||||
this.master.revoke(getRpcController(), req);
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -85,7 +85,6 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
||||
|
@ -3756,24 +3755,21 @@ class RawAsyncHBaseAdmin implements AsyncAdmin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> grant(String userName, Permission permission,
|
||||
public CompletableFuture<Void> grant(UserPermission userPermission,
|
||||
boolean mergeExistingPermissions) {
|
||||
return this.<Void> newMasterCaller()
|
||||
.action(
|
||||
(controller, stub) -> this.<GrantRequest, GrantResponse, Void> call(controller, stub,
|
||||
ShadedAccessControlUtil.buildGrantRequest(new UserPermission(userName, permission),
|
||||
mergeExistingPermissions),
|
||||
(s, c, req, done) -> s.grant(c, req, done), resp -> null))
|
||||
.action((controller, stub) -> this.<GrantRequest, GrantResponse, Void> call(controller,
|
||||
stub, ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions),
|
||||
(s, c, req, done) -> s.grant(c, req, done), resp -> null))
|
||||
.call();
|
||||
}
|
||||
|
||||
@Override
|
||||
public CompletableFuture<Void> revoke(String userName, Permission permission) {
|
||||
public CompletableFuture<Void> revoke(UserPermission userPermission) {
|
||||
return this.<Void> newMasterCaller()
|
||||
.action(
|
||||
(controller, stub) -> this.<RevokeRequest, RevokeResponse, Void> call(controller, stub,
|
||||
ShadedAccessControlUtil.buildRevokeRequest(new UserPermission(userName, permission)),
|
||||
(s, c, req, done) -> s.revoke(c, req, done), resp -> null))
|
||||
.action((controller, stub) -> this.<RevokeRequest, RevokeResponse, Void> call(controller,
|
||||
stub, ShadedAccessControlUtil.buildRevokeRequest(userPermission),
|
||||
(s, c, req, done) -> s.revoke(c, req, done), resp -> null))
|
||||
.call();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -92,7 +92,8 @@ public class AccessControlClient {
|
|||
private static void grant(Connection connection, final TableName tableName,
|
||||
final String userName, final byte[] family, final byte[] qual, boolean mergeExistingPermissions,
|
||||
final Permission.Action... actions) throws Throwable {
|
||||
connection.getAdmin().grant(userName, new TablePermission(tableName, family, qual, actions),
|
||||
connection.getAdmin().grant(new UserPermission(userName, Permission.newBuilder(tableName)
|
||||
.withFamily(family).withQualifier(qual).withActions(actions).build()),
|
||||
mergeExistingPermissions);
|
||||
}
|
||||
|
||||
|
@ -125,7 +126,8 @@ public class AccessControlClient {
|
|||
*/
|
||||
private static void grant(Connection connection, final String namespace, final String userName,
|
||||
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
||||
connection.getAdmin().grant(userName, new NamespacePermission(namespace, actions),
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(userName, Permission.newBuilder(namespace).withActions(actions).build()),
|
||||
mergeExistingPermissions);
|
||||
}
|
||||
|
||||
|
@ -156,7 +158,9 @@ public class AccessControlClient {
|
|||
*/
|
||||
private static void grant(Connection connection, final String userName,
|
||||
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
||||
connection.getAdmin().grant(userName, new GlobalPermission(actions), mergeExistingPermissions);
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(userName, Permission.newBuilder().withActions(actions).build()),
|
||||
mergeExistingPermissions);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -193,8 +197,8 @@ public class AccessControlClient {
|
|||
public static void revoke(Connection connection, final TableName tableName,
|
||||
final String username, final byte[] family, final byte[] qualifier,
|
||||
final Permission.Action... actions) throws Throwable {
|
||||
connection.getAdmin().revoke(username,
|
||||
new TablePermission(tableName, family, qualifier, actions));
|
||||
connection.getAdmin().revoke(new UserPermission(username, Permission.newBuilder(tableName)
|
||||
.withFamily(family).withQualifier(qualifier).withActions(actions).build()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -207,7 +211,8 @@ public class AccessControlClient {
|
|||
*/
|
||||
public static void revoke(Connection connection, final String namespace,
|
||||
final String userName, final Permission.Action... actions) throws Throwable {
|
||||
connection.getAdmin().revoke(userName, new NamespacePermission(namespace, actions));
|
||||
connection.getAdmin().revoke(
|
||||
new UserPermission(userName, Permission.newBuilder(namespace).withActions(actions).build()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -216,7 +221,8 @@ public class AccessControlClient {
|
|||
*/
|
||||
public static void revoke(Connection connection, final String userName,
|
||||
final Permission.Action... actions) throws Throwable {
|
||||
connection.getAdmin().revoke(userName, new GlobalPermission(actions));
|
||||
connection.getAdmin()
|
||||
.revoke(new UserPermission(userName, Permission.newBuilder().withActions(actions).build()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -247,7 +247,7 @@ public class AccessControlUtil {
|
|||
* @return the converted TablePermission
|
||||
*/
|
||||
public static TablePermission toTablePermission(AccessControlProtos.TablePermission proto) {
|
||||
List<Permission.Action> actions = toPermissionActions(proto.getActionList());
|
||||
Permission.Action[] actions = toPermissionActions(proto.getActionList());
|
||||
TableName table = null;
|
||||
byte[] qualifier = null;
|
||||
byte[] family = null;
|
||||
|
@ -261,8 +261,7 @@ public class AccessControlUtil {
|
|||
if (proto.hasQualifier()) {
|
||||
qualifier = proto.getQualifier().toByteArray();
|
||||
}
|
||||
return new TablePermission(table, family, qualifier,
|
||||
actions.toArray(new Permission.Action[actions.size()]));
|
||||
return new TablePermission(table, family, qualifier, actions);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -273,21 +272,21 @@ public class AccessControlUtil {
|
|||
public static Permission toPermission(AccessControlProtos.Permission proto) {
|
||||
if (proto.getType() == AccessControlProtos.Permission.Type.Global) {
|
||||
AccessControlProtos.GlobalPermission perm = proto.getGlobalPermission();
|
||||
List<Permission.Action> actions = toPermissionActions(perm.getActionList());
|
||||
return new GlobalPermission(actions.toArray(new Permission.Action[actions.size()]));
|
||||
Permission.Action[] actions = toPermissionActions(perm.getActionList());
|
||||
return Permission.newBuilder().withActions(actions).build();
|
||||
}
|
||||
if (proto.getType() == AccessControlProtos.Permission.Type.Namespace) {
|
||||
AccessControlProtos.NamespacePermission perm = proto.getNamespacePermission();
|
||||
List<Permission.Action> actions = toPermissionActions(perm.getActionList());
|
||||
Permission.Action[] actions = toPermissionActions(perm.getActionList());
|
||||
if (!proto.hasNamespacePermission()) {
|
||||
throw new IllegalStateException("Namespace must not be empty in NamespacePermission");
|
||||
}
|
||||
return new NamespacePermission(perm.getNamespaceName().toStringUtf8(),
|
||||
actions.toArray(new Permission.Action[actions.size()]));
|
||||
return Permission.newBuilder(perm.getNamespaceName().toStringUtf8()).withActions(actions)
|
||||
.build();
|
||||
}
|
||||
if (proto.getType() == AccessControlProtos.Permission.Type.Table) {
|
||||
AccessControlProtos.TablePermission perm = proto.getTablePermission();
|
||||
List<Permission.Action> actions = toPermissionActions(perm.getActionList());
|
||||
Permission.Action[] actions = toPermissionActions(perm.getActionList());
|
||||
byte[] qualifier = null;
|
||||
byte[] family = null;
|
||||
TableName table = null;
|
||||
|
@ -301,8 +300,8 @@ public class AccessControlUtil {
|
|||
if (perm.hasQualifier()) {
|
||||
qualifier = perm.getQualifier().toByteArray();
|
||||
}
|
||||
return new TablePermission(table, family, qualifier,
|
||||
actions.toArray(new Permission.Action[actions.size()]));
|
||||
return Permission.newBuilder(table).withFamily(family).withQualifier(qualifier)
|
||||
.withActions(actions).build();
|
||||
}
|
||||
throw new IllegalStateException("Unrecognize Perm Type: " + proto.getType());
|
||||
}
|
||||
|
@ -364,16 +363,16 @@ public class AccessControlUtil {
|
|||
}
|
||||
|
||||
/**
|
||||
* Converts a list of Permission.Action proto to a list of client Permission.Action objects.
|
||||
* Converts a list of Permission.Action proto to an array of client Permission.Action objects.
|
||||
*
|
||||
* @param protoActions the list of protobuf Actions
|
||||
* @return the converted list of Actions
|
||||
* @return the converted array of Actions
|
||||
*/
|
||||
public static List<Permission.Action> toPermissionActions(
|
||||
List<AccessControlProtos.Permission.Action> protoActions) {
|
||||
List<Permission.Action> actions = new ArrayList<>(protoActions.size());
|
||||
for (AccessControlProtos.Permission.Action a : protoActions) {
|
||||
actions.add(toPermissionAction(a));
|
||||
public static Permission.Action[]
|
||||
toPermissionActions(List<AccessControlProtos.Permission.Action> protoActions) {
|
||||
Permission.Action[] actions = new Permission.Action[protoActions.size()];
|
||||
for (int i = 0; i < protoActions.size(); i++) {
|
||||
actions[i] = toPermissionAction(protoActions.get(i));
|
||||
}
|
||||
return actions;
|
||||
}
|
||||
|
@ -491,7 +490,7 @@ public class AccessControlUtil {
|
|||
* @param userShortName the short name of the user to grant permissions
|
||||
* @param actions the permissions to be granted
|
||||
* @throws ServiceException
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void grant(RpcController controller,
|
||||
|
@ -520,7 +519,7 @@ public class AccessControlUtil {
|
|||
* @param q optional qualifier
|
||||
* @param actions the permissions to be granted
|
||||
* @throws ServiceException
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void grant(RpcController controller,
|
||||
|
@ -548,7 +547,7 @@ public class AccessControlUtil {
|
|||
* @param namespace the short name of the user to grant permissions
|
||||
* @param actions the permissions to be granted
|
||||
* @throws ServiceException
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void grant(RpcController controller,
|
||||
|
@ -574,7 +573,7 @@ public class AccessControlUtil {
|
|||
* @param userShortName the short name of the user to revoke permissions
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException on failure
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(UserPermission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void revoke(RpcController controller,
|
||||
|
@ -604,7 +603,7 @@ public class AccessControlUtil {
|
|||
* @param q optional qualifier
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException on failure
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(UserPermission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void revoke(RpcController controller,
|
||||
|
@ -631,7 +630,7 @@ public class AccessControlUtil {
|
|||
* @param namespace optional table name
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException on failure
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(UserPermission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static void revoke(RpcController controller,
|
||||
|
|
|
@ -23,15 +23,9 @@ import org.apache.yetus.audience.InterfaceAudience;
|
|||
/**
|
||||
* Represents an authorization for access whole cluster.
|
||||
*/
|
||||
@InterfaceAudience.Private
|
||||
@InterfaceAudience.Public
|
||||
public class GlobalPermission extends Permission {
|
||||
|
||||
/** Default constructor for Writable, do not use */
|
||||
public GlobalPermission() {
|
||||
super();
|
||||
this.scope = Scope.EMPTY;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a global permission.
|
||||
* @param assigned assigned actions
|
||||
|
@ -41,15 +35,6 @@ public class GlobalPermission extends Permission {
|
|||
this.scope = Scope.GLOBAL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a global permission.
|
||||
* @param actionCode assigned actions
|
||||
*/
|
||||
GlobalPermission(byte[] actionCode) {
|
||||
super(actionCode);
|
||||
this.scope = Scope.GLOBAL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return super.hashCode();
|
||||
|
|
|
@ -30,39 +30,22 @@ import org.apache.yetus.audience.InterfaceAudience;
|
|||
/**
|
||||
* Represents an authorization for access for the given namespace.
|
||||
*/
|
||||
@InterfaceAudience.Private
|
||||
@InterfaceAudience.Public
|
||||
public class NamespacePermission extends Permission {
|
||||
|
||||
private String namespace = NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR;
|
||||
|
||||
/** Default constructor for Writable, do not use */
|
||||
public NamespacePermission() {
|
||||
super();
|
||||
this.scope = Scope.EMPTY;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a namespace permission.
|
||||
* @param namespace namespace's name
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public NamespacePermission(String namespace, Action... assigned) {
|
||||
NamespacePermission(String namespace, Action... assigned) {
|
||||
super(assigned);
|
||||
this.namespace = namespace;
|
||||
this.scope = Scope.NAMESPACE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a namespace permission.
|
||||
* @param namespace namespace's name
|
||||
* @param actionCode assigned actions
|
||||
*/
|
||||
public NamespacePermission(String namespace, byte[] actionCode) {
|
||||
super(actionCode);
|
||||
this.namespace = namespace;
|
||||
this.scope = Scope.NAMESPACE;
|
||||
}
|
||||
|
||||
public String getNamespace() {
|
||||
return namespace;
|
||||
}
|
||||
|
|
|
@ -21,8 +21,10 @@ package org.apache.hadoop.hbase.security.access;
|
|||
import java.io.DataInput;
|
||||
import java.io.DataOutput;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.EnumSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Objects;
|
||||
|
||||
|
@ -275,7 +277,7 @@ public class Permission extends VersionedWritable {
|
|||
private TableName tableName;
|
||||
private byte[] family;
|
||||
private byte[] qualifier;
|
||||
private Action[] actions;
|
||||
private List<Action> actions = new ArrayList<>();
|
||||
|
||||
private Builder() {
|
||||
}
|
||||
|
@ -301,17 +303,37 @@ public class Permission extends VersionedWritable {
|
|||
}
|
||||
|
||||
public Builder withActions(Action... actions) {
|
||||
this.actions = actions;
|
||||
for (Action action : actions) {
|
||||
if (action != null) {
|
||||
this.actions.add(action);
|
||||
}
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
public Builder withActionCodes(byte[] actionCodes) {
|
||||
if (actionCodes != null) {
|
||||
for (byte code : actionCodes) {
|
||||
Action action = ACTION_BY_CODE.get(code);
|
||||
if (action == null) {
|
||||
LOG.error("Ignoring unknown action code '{}'",
|
||||
Bytes.toStringBinary(new byte[] { code }));
|
||||
continue;
|
||||
}
|
||||
this.actions.add(action);
|
||||
}
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
public Permission build() {
|
||||
Action[] actionArray = actions.toArray(new Action[actions.size()]);
|
||||
if (namespace != null) {
|
||||
return new NamespacePermission(namespace, actions);
|
||||
return new NamespacePermission(namespace, actionArray);
|
||||
} else if (tableName != null) {
|
||||
return new TablePermission(tableName, family, qualifier, actions);
|
||||
return new TablePermission(tableName, family, qualifier, actionArray);
|
||||
} else {
|
||||
return new GlobalPermission(actions);
|
||||
return new GlobalPermission(actionArray);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,6 @@
|
|||
|
||||
package org.apache.hadoop.hbase.security.access;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
@ -86,16 +85,16 @@ public class ShadedAccessControlUtil {
|
|||
}
|
||||
|
||||
/**
|
||||
* Converts a list of Permission.Action shaded proto to a list of client Permission.Action
|
||||
* Converts a list of Permission.Action shaded proto to an array of client Permission.Action
|
||||
* objects.
|
||||
* @param protoActions the list of shaded protobuf Actions
|
||||
* @return the converted list of Actions
|
||||
* @return the converted array of Actions
|
||||
*/
|
||||
public static List<Permission.Action> toPermissionActions(
|
||||
List<AccessControlProtos.Permission.Action> protoActions) {
|
||||
List<Permission.Action> actions = new ArrayList<>(protoActions.size());
|
||||
for (AccessControlProtos.Permission.Action a : protoActions) {
|
||||
actions.add(toPermissionAction(a));
|
||||
public static Permission.Action[]
|
||||
toPermissionActions(List<AccessControlProtos.Permission.Action> protoActions) {
|
||||
Permission.Action[] actions = new Permission.Action[protoActions.size()];
|
||||
for (int i = 0; i < protoActions.size(); i++) {
|
||||
actions[i] = toPermissionAction(protoActions.get(i));
|
||||
}
|
||||
return actions;
|
||||
}
|
||||
|
@ -121,23 +120,22 @@ public class ShadedAccessControlUtil {
|
|||
|
||||
if (proto.getType() == AccessControlProtos.Permission.Type.Global) {
|
||||
AccessControlProtos.GlobalPermission perm = proto.getGlobalPermission();
|
||||
List<Action> actions = toPermissionActions(perm.getActionList());
|
||||
|
||||
return new GlobalPermission(actions.toArray(new Permission.Action[actions.size()]));
|
||||
Action[] actions = toPermissionActions(perm.getActionList());
|
||||
return Permission.newBuilder().withActions(actions).build();
|
||||
}
|
||||
if (proto.getType() == AccessControlProtos.Permission.Type.Namespace) {
|
||||
AccessControlProtos.NamespacePermission perm = proto.getNamespacePermission();
|
||||
List<Permission.Action> actions = toPermissionActions(perm.getActionList());
|
||||
Action[] actions = toPermissionActions(perm.getActionList());
|
||||
|
||||
if (!proto.hasNamespacePermission()) {
|
||||
throw new IllegalStateException("Namespace must not be empty in NamespacePermission");
|
||||
}
|
||||
String ns = perm.getNamespaceName().toStringUtf8();
|
||||
return new NamespacePermission(ns, actions.toArray(new Permission.Action[actions.size()]));
|
||||
return Permission.newBuilder(ns).withActions(actions).build();
|
||||
}
|
||||
if (proto.getType() == AccessControlProtos.Permission.Type.Table) {
|
||||
AccessControlProtos.TablePermission perm = proto.getTablePermission();
|
||||
List<Permission.Action> actions = toPermissionActions(perm.getActionList());
|
||||
Action[] actions = toPermissionActions(perm.getActionList());
|
||||
|
||||
byte[] qualifier = null;
|
||||
byte[] family = null;
|
||||
|
@ -149,9 +147,8 @@ public class ShadedAccessControlUtil {
|
|||
|
||||
if (perm.hasFamily()) family = perm.getFamily().toByteArray();
|
||||
if (perm.hasQualifier()) qualifier = perm.getQualifier().toByteArray();
|
||||
|
||||
return new TablePermission(table, family, qualifier,
|
||||
actions.toArray(new Permission.Action[actions.size()]));
|
||||
return Permission.newBuilder(table).withFamily(family).withQualifier(qualifier)
|
||||
.withActions(actions).build();
|
||||
}
|
||||
throw new IllegalStateException("Unrecognize Perm Type: " + proto.getType());
|
||||
}
|
||||
|
|
|
@ -34,38 +34,13 @@ import org.apache.hadoop.hbase.util.Bytes;
|
|||
* given table. If the family property is <code>null</code>, it implies
|
||||
* full table access.
|
||||
*/
|
||||
@InterfaceAudience.Private
|
||||
@InterfaceAudience.Public
|
||||
public class TablePermission extends Permission {
|
||||
|
||||
private TableName table;
|
||||
private byte[] family;
|
||||
private byte[] qualifier;
|
||||
|
||||
/** Nullary constructor for Writable, do not use */
|
||||
public TablePermission() {
|
||||
super();
|
||||
this.scope = Scope.EMPTY;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table permission.
|
||||
* @param table table name
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public TablePermission(TableName table, Action... assigned) {
|
||||
this(table, null, null, assigned);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table:family permission.
|
||||
* @param table table name
|
||||
* @param family family name
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public TablePermission(TableName table, byte[] family, Action... assigned) {
|
||||
this(table, family, null, assigned);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table:family:qualifier permission.
|
||||
* @param table table name
|
||||
|
@ -73,7 +48,7 @@ public class TablePermission extends Permission {
|
|||
* @param qualifier qualifier name
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public TablePermission(TableName table, byte[] family, byte[] qualifier, Action... assigned) {
|
||||
TablePermission(TableName table, byte[] family, byte[] qualifier, Action... assigned) {
|
||||
super(assigned);
|
||||
this.table = table;
|
||||
this.family = family;
|
||||
|
@ -81,48 +56,10 @@ public class TablePermission extends Permission {
|
|||
this.scope = Scope.TABLE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table permission.
|
||||
* @param table table name
|
||||
* @param actionCodes assigned actions
|
||||
*/
|
||||
public TablePermission(TableName table, byte[] actionCodes) {
|
||||
this(table, null, null, actionCodes);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table:family permission.
|
||||
* @param table table name
|
||||
* @param family family name
|
||||
* @param actionCodes assigned actions
|
||||
*/
|
||||
public TablePermission(TableName table, byte[] family, byte[] actionCodes) {
|
||||
this(table, family, null, actionCodes);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table:family:qualifier permission.
|
||||
* @param table table name
|
||||
* @param family family name
|
||||
* @param qualifier qualifier name
|
||||
* @param actionCodes assigned actions
|
||||
*/
|
||||
public TablePermission(TableName table, byte[] family, byte[] qualifier, byte[] actionCodes) {
|
||||
super(actionCodes);
|
||||
this.table = table;
|
||||
this.family = family;
|
||||
this.qualifier = qualifier;
|
||||
this.scope = Scope.TABLE;
|
||||
}
|
||||
|
||||
public TableName getTableName() {
|
||||
return table;
|
||||
}
|
||||
|
||||
public void setTableName(TableName table) {
|
||||
this.table = table;
|
||||
}
|
||||
|
||||
public boolean hasFamily() {
|
||||
return family != null;
|
||||
}
|
||||
|
|
|
@ -20,101 +20,18 @@ package org.apache.hadoop.hbase.security.access;
|
|||
|
||||
import java.util.Objects;
|
||||
|
||||
import org.apache.hadoop.hbase.TableName;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
|
||||
/**
|
||||
* UserPermission consists of a user name and a permission.
|
||||
* Permission can be one of [Global, Namespace, Table] permission.
|
||||
*/
|
||||
@InterfaceAudience.Private
|
||||
@InterfaceAudience.Public
|
||||
public class UserPermission {
|
||||
|
||||
private String user;
|
||||
private Permission permission;
|
||||
|
||||
/**
|
||||
* Construct a global user permission.
|
||||
* @param user user name
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public UserPermission(String user, Permission.Action... assigned) {
|
||||
this.user = user;
|
||||
this.permission = new GlobalPermission(assigned);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a global user permission.
|
||||
* @param user user name
|
||||
* @param actionCode action codes
|
||||
*/
|
||||
public UserPermission(String user, byte[] actionCode) {
|
||||
this.user = user;
|
||||
this.permission = new GlobalPermission(actionCode);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a namespace user permission.
|
||||
* @param user user name
|
||||
* @param namespace namespace
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public UserPermission(String user, String namespace, Permission.Action... assigned) {
|
||||
this.user = user;
|
||||
this.permission = new NamespacePermission(namespace, assigned);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table user permission.
|
||||
* @param user user name
|
||||
* @param tableName table name
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public UserPermission(String user, TableName tableName, Permission.Action... assigned) {
|
||||
this.user = user;
|
||||
this.permission = new TablePermission(tableName, assigned);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table:family user permission.
|
||||
* @param user user name
|
||||
* @param tableName table name
|
||||
* @param family family name of table
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public UserPermission(String user, TableName tableName, byte[] family,
|
||||
Permission.Action... assigned) {
|
||||
this(user, tableName, family, null, assigned);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table:family:qualifier user permission.
|
||||
* @param user user name
|
||||
* @param tableName table name
|
||||
* @param family family name of table
|
||||
* @param qualifier qualifier name of table
|
||||
* @param assigned assigned actions
|
||||
*/
|
||||
public UserPermission(String user, TableName tableName, byte[] family, byte[] qualifier,
|
||||
Permission.Action... assigned) {
|
||||
this.user = user;
|
||||
this.permission = new TablePermission(tableName, family, qualifier, assigned);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a table:family:qualifier user permission.
|
||||
* @param user user name
|
||||
* @param tableName table name
|
||||
* @param family family name of table
|
||||
* @param qualifier qualifier name of table
|
||||
* @param actionCodes assigned actions
|
||||
*/
|
||||
public UserPermission(String user, TableName tableName, byte[] family, byte[] qualifier,
|
||||
byte[] actionCodes) {
|
||||
this.user = user;
|
||||
this.permission = new TablePermission(tableName, family, qualifier, actionCodes);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a user permission given permission.
|
||||
* @param user user name
|
||||
|
|
|
@ -638,7 +638,8 @@ public class AccessControlLists {
|
|||
}
|
||||
|
||||
return new Pair<>(username,
|
||||
new NamespacePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
|
||||
Permission.newBuilder(Bytes.toString(fromNamespaceEntry(entryName)))
|
||||
.withActionCodes(value).build());
|
||||
}
|
||||
|
||||
// Handle global entry
|
||||
|
@ -648,7 +649,7 @@ public class AccessControlLists {
|
|||
return null;
|
||||
}
|
||||
|
||||
return new Pair<>(username, new GlobalPermission(value));
|
||||
return new Pair<>(username, Permission.newBuilder().withActionCodes(value).build());
|
||||
}
|
||||
|
||||
// Handle table entry
|
||||
|
@ -681,8 +682,8 @@ public class AccessControlLists {
|
|||
}
|
||||
}
|
||||
|
||||
return new Pair<>(username,
|
||||
new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
|
||||
return new Pair<>(username, Permission.newBuilder(TableName.valueOf(entryName))
|
||||
.withFamily(permFamily).withQualifier(permQualifier).withActionCodes(value).build());
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -887,7 +887,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
if (owner == null)
|
||||
owner = getActiveUser(c).getShortName();
|
||||
final UserPermission userPermission = new UserPermission(owner,
|
||||
desc.getTableName(), Action.values());
|
||||
Permission.newBuilder(desc.getTableName()).withActions(Action.values()).build());
|
||||
// switch to the real hbase master user for doing the RPC on the ACL table
|
||||
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
|
@ -990,7 +990,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
@Override
|
||||
public Void run() throws Exception {
|
||||
UserPermission userperm = new UserPermission(owner,
|
||||
currentDesc.getTableName(), Action.values());
|
||||
Permission.newBuilder(currentDesc.getTableName()).withActions(Action.values()).build());
|
||||
try (Table table = c.getEnvironment().getConnection().
|
||||
getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||
AccessControlLists.addUserPermission(conf, userperm, table);
|
||||
|
@ -2053,7 +2053,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
/* ---- Protobuf AccessControlService implementation ---- */
|
||||
|
||||
/**
|
||||
* @deprecated Use {@link Admin#grant(String, Permission, boolean)} instead.
|
||||
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
|
@ -2076,7 +2076,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
preGrantOrRevoke(caller, "grant", perm);
|
||||
|
||||
// regionEnv is set at #start. Hopefully not null at this point.
|
||||
regionEnv.getConnection().getAdmin().grant(perm.getUser(), perm.getPermission(),
|
||||
regionEnv.getConnection().getAdmin().grant(
|
||||
new UserPermission(perm.getUser(), perm.getPermission()),
|
||||
request.getMergeExistingPermissions());
|
||||
if (AUDITLOG.isTraceEnabled()) {
|
||||
// audit log should store permission changes in addition to auth results
|
||||
|
@ -2095,7 +2096,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
}
|
||||
|
||||
/**
|
||||
* @deprecated Use {@link Admin#revoke(String, Permission)} instead.
|
||||
* @deprecated Use {@link Admin#revoke(UserPermission)} instead.
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
|
@ -2116,7 +2117,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
}
|
||||
preGrantOrRevoke(caller, "revoke", perm);
|
||||
// regionEnv is set at #start. Hopefully not null here.
|
||||
regionEnv.getConnection().getAdmin().revoke(perm.getUser(), perm.getPermission());
|
||||
regionEnv.getConnection().getAdmin()
|
||||
.revoke(new UserPermission(perm.getUser(), perm.getPermission()));
|
||||
if (AUDITLOG.isTraceEnabled()) {
|
||||
// audit log should record all permission changes
|
||||
AUDITLOG.trace("Revoked permission " + perm.toString());
|
||||
|
@ -2211,7 +2213,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
// them. Also using acl as table name to be inline with the results of global admin and
|
||||
// will help in avoiding any leakage of information about being superusers.
|
||||
for (String user : Superusers.getSuperUsers()) {
|
||||
perms.add(new UserPermission(user, Action.values()));
|
||||
perms.add(new UserPermission(user,
|
||||
Permission.newBuilder().withActions(Action.values()).build()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -865,10 +865,8 @@ public class RestoreSnapshotHelper {
|
|||
for (Entry<String, Permission> e : perms.entries()) {
|
||||
String user = e.getKey();
|
||||
TablePermission tablePerm = (TablePermission) e.getValue();
|
||||
TablePermission newPerm = new TablePermission(newTableName,
|
||||
tablePerm.getFamily(), tablePerm.getQualifier(), tablePerm.getActions());
|
||||
AccessControlClient.grant(conn, newPerm.getTableName(), user, newPerm.getFamily(),
|
||||
newPerm.getQualifier(), newPerm.getActions());
|
||||
AccessControlClient.grant(conn, newTableName, user, tablePerm.getFamily(),
|
||||
tablePerm.getQualifier(), tablePerm.getActions());
|
||||
}
|
||||
} catch (Throwable e) {
|
||||
throw new IOException("Grant acl into newly creatd table failed. snapshot: " + snapshot
|
||||
|
|
|
@ -378,7 +378,8 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().grant(user, new GlobalPermission(actions), false);
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(user, Permission.newBuilder().withActions(actions).build()), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -397,8 +398,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().grant(user, Permission.newBuilder().withActions(actions).build(),
|
||||
false);
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(user, Permission.newBuilder().withActions(actions).build()), false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -416,7 +417,8 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().revoke(user, new GlobalPermission(actions));
|
||||
connection.getAdmin().revoke(
|
||||
new UserPermission(user, Permission.newBuilder().withActions(actions).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -435,7 +437,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().revoke(user, Permission.newBuilder().withActions(actions).build());
|
||||
connection.getAdmin().revoke(
|
||||
new UserPermission(user, Permission.newBuilder().withActions(actions).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -453,8 +456,9 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin()
|
||||
.grant(user, new NamespacePermission(namespace, actions), false);
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(user, Permission.newBuilder(namespace).withActions(actions).build()),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -474,8 +478,9 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().grant(user,
|
||||
Permission.newBuilder(namespace).withActions(actions).build(), false);
|
||||
connection.getAdmin().grant(
|
||||
new UserPermission(user, Permission.newBuilder(namespace).withActions(actions).build()),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -535,7 +540,8 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().revoke(user, new NamespacePermission(namespace, actions));
|
||||
connection.getAdmin().revoke(new UserPermission(user,
|
||||
Permission.newBuilder(namespace).withActions(actions).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -555,8 +561,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().revoke(user,
|
||||
Permission.newBuilder(namespace).withActions(actions).build());
|
||||
connection.getAdmin().revoke(new UserPermission(user,
|
||||
Permission.newBuilder(namespace).withActions(actions).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -575,7 +581,8 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().grant(user, new TablePermission(table, family, qualifier, actions),
|
||||
connection.getAdmin().grant(new UserPermission(user, Permission.newBuilder(table)
|
||||
.withFamily(family).withQualifier(qualifier).withActions(actions).build()),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
|
@ -596,8 +603,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().grant(user, Permission.newBuilder(table).withFamily(family)
|
||||
.withQualifier(qualifier).withActions(actions).build(),
|
||||
connection.getAdmin().grant(new UserPermission(user, Permission.newBuilder(table)
|
||||
.withFamily(family).withQualifier(qualifier).withActions(actions).build()),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
|
@ -659,8 +666,8 @@ public class SecureTestUtil {
|
|||
@Override
|
||||
public Void call() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||
connection.getAdmin().revoke(user,
|
||||
new TablePermission(table, family, qualifier, actions));
|
||||
connection.getAdmin().revoke(new UserPermission(user, Permission.newBuilder(table)
|
||||
.withFamily(family).withQualifier(qualifier).withActions(actions).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -680,8 +687,8 @@ public class SecureTestUtil {
|
|||
public Void call() throws Exception {
|
||||
Configuration conf = util.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf, caller)) {
|
||||
connection.getAdmin().revoke(user, Permission.newBuilder(table).withFamily(family)
|
||||
.withQualifier(qualifier).withActions(actions).build());
|
||||
connection.getAdmin().revoke(new UserPermission(user, Permission.newBuilder(table)
|
||||
.withFamily(family).withQualifier(qualifier).withActions(actions).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -1171,8 +1171,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||
conn.getAdmin().grant(USER_RO.getShortName(),
|
||||
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ), false);
|
||||
conn.getAdmin().grant(new UserPermission(USER_RO.getShortName(), Permission
|
||||
.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build()),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -1182,8 +1183,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||
conn.getAdmin().revoke(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE)
|
||||
.withFamily(TEST_FAMILY).withActions(Action.READ).build());
|
||||
conn.getAdmin().revoke(new UserPermission(USER_RO.getShortName(), Permission
|
||||
.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -1221,8 +1222,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preGrant(ObserverContextImpl.createAndPrepare(CP_ENV),
|
||||
new UserPermission(USER_RO.getShortName(),
|
||||
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)),
|
||||
new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE)
|
||||
.withFamily(TEST_FAMILY).withActions(Action.READ).build()),
|
||||
false);
|
||||
return null;
|
||||
}
|
||||
|
@ -1232,8 +1233,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preRevoke(ObserverContextImpl.createAndPrepare(CP_ENV),
|
||||
new UserPermission(USER_RO.getShortName(),
|
||||
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)));
|
||||
new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE)
|
||||
.withFamily(TEST_FAMILY).withActions(Action.READ).build()));
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
@ -1692,8 +1693,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
acl.close();
|
||||
}
|
||||
|
||||
UserPermission ownerperm =
|
||||
new UserPermission(USER_OWNER.getName(), tableName, Action.values());
|
||||
UserPermission ownerperm = new UserPermission(USER_OWNER.getName(),
|
||||
Permission.newBuilder(tableName).withActions(Action.values()).build());
|
||||
assertTrue("Owner should have all permissions on table",
|
||||
hasFoundUserPermission(ownerperm, perms));
|
||||
|
||||
|
@ -1701,7 +1702,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
String userName = user.getShortName();
|
||||
|
||||
UserPermission up =
|
||||
new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ);
|
||||
new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1)
|
||||
.withQualifier(qualifier).withActions(Permission.Action.READ).build());
|
||||
assertFalse("User should not be granted permission: " + up.toString(),
|
||||
hasFoundUserPermission(up, perms));
|
||||
|
||||
|
@ -1720,12 +1722,13 @@ public class TestAccessController extends SecureTestUtil {
|
|||
}
|
||||
|
||||
UserPermission upToVerify =
|
||||
new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ);
|
||||
new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1)
|
||||
.withQualifier(qualifier).withActions(Permission.Action.READ).build());
|
||||
assertTrue("User should be granted permission: " + upToVerify.toString(),
|
||||
hasFoundUserPermission(upToVerify, perms));
|
||||
|
||||
upToVerify =
|
||||
new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE);
|
||||
upToVerify = new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1)
|
||||
.withQualifier(qualifier).withActions(Permission.Action.WRITE).build());
|
||||
assertFalse("User should not be granted permission: " + upToVerify.toString(),
|
||||
hasFoundUserPermission(upToVerify, perms));
|
||||
|
||||
|
@ -1743,9 +1746,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
acl.close();
|
||||
}
|
||||
|
||||
upToVerify =
|
||||
new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE,
|
||||
Permission.Action.READ);
|
||||
upToVerify = new UserPermission(userName,
|
||||
Permission.newBuilder(tableName).withFamily(family1).withQualifier(qualifier)
|
||||
.withActions(Permission.Action.WRITE, Permission.Action.READ).build());
|
||||
assertTrue("User should be granted permission: " + upToVerify.toString(),
|
||||
hasFoundUserPermission(upToVerify, perms));
|
||||
|
||||
|
@ -1783,8 +1786,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
acl.close();
|
||||
}
|
||||
|
||||
UserPermission newOwnerperm =
|
||||
new UserPermission(newOwner.getName(), tableName, Action.values());
|
||||
UserPermission newOwnerperm = new UserPermission(newOwner.getName(),
|
||||
Permission.newBuilder(tableName).withActions(Action.values()).build());
|
||||
assertTrue("New owner should have all permissions on table",
|
||||
hasFoundUserPermission(newOwnerperm, perms));
|
||||
} finally {
|
||||
|
@ -1808,10 +1811,12 @@ public class TestAccessController extends SecureTestUtil {
|
|||
|
||||
Collection<String> superUsers = Superusers.getSuperUsers();
|
||||
List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1);
|
||||
adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Bytes.toBytes("ACRW")));
|
||||
for(String user: superUsers) {
|
||||
adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Permission.newBuilder()
|
||||
.withActions(Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE).build()));
|
||||
for (String user : superUsers) {
|
||||
// Global permission
|
||||
adminPerms.add(new UserPermission(user, Action.values()));
|
||||
adminPerms.add(
|
||||
new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build()));
|
||||
}
|
||||
assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
|
||||
"per setup", perms.size() == 5 + superUsers.size() &&
|
||||
|
|
|
@ -363,8 +363,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
connection.getAdmin().grant(testUser,
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.WRITE), false);
|
||||
connection.getAdmin().grant(new UserPermission(testUser,
|
||||
Permission.newBuilder(TEST_NAMESPACE).withActions(Action.WRITE).build()),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -373,8 +374,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||
conn.getAdmin().grant(USER_GROUP_NS_ADMIN.getShortName(),
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.READ), false);
|
||||
conn.getAdmin().grant(new UserPermission(USER_GROUP_NS_ADMIN.getShortName(),
|
||||
Permission.newBuilder(TEST_NAMESPACE).withActions(Action.READ).build()),
|
||||
false);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -384,8 +386,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
connection.getAdmin().revoke(testUser,
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.WRITE));
|
||||
connection.getAdmin().revoke(new UserPermission(testUser,
|
||||
Permission.newBuilder(TEST_NAMESPACE).withActions(Action.WRITE).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -394,8 +396,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
connection.getAdmin().revoke(USER_GROUP_NS_ADMIN.getShortName(),
|
||||
new NamespacePermission(TEST_NAMESPACE, Action.READ));
|
||||
connection.getAdmin().revoke(new UserPermission(USER_GROUP_NS_ADMIN.getShortName(),
|
||||
Permission.newBuilder(TEST_NAMESPACE).withActions(Action.READ).build()));
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -46,7 +46,7 @@ public class TestPermissionBuilder {
|
|||
assertEquals(0, permission.getActions().length);
|
||||
|
||||
// check global permission with ADMIN action
|
||||
permission = Permission.newBuilder().withActions(Action.ADMIN).build();
|
||||
permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("A")).build();
|
||||
assertTrue(permission instanceof GlobalPermission);
|
||||
assertEquals(1, permission.getActions().length);
|
||||
assertTrue(permission.getActions()[0] == Action.ADMIN);
|
||||
|
@ -57,8 +57,15 @@ public class TestPermissionBuilder {
|
|||
.withActions(Action.CREATE, Action.READ).build();
|
||||
fail("Should throw NPE");
|
||||
} catch (NullPointerException e) {
|
||||
// catch NPE because set family but table name is null
|
||||
// catch NPE because set qualifier but table name is null
|
||||
}
|
||||
|
||||
permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("ACP"))
|
||||
.withActions(Action.READ, Action.ADMIN).build();
|
||||
assertEquals(3, permission.getActions().length);
|
||||
assertEquals(Action.READ, permission.getActions()[0]);
|
||||
assertEquals(Action.CREATE, permission.getActions()[1]);
|
||||
assertEquals(Action.ADMIN, permission.getActions()[2]);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
@ -143,14 +143,18 @@ public class TestTablePermissions {
|
|||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
// add some permissions
|
||||
addUserPermission(conf,
|
||||
new UserPermission("george", TEST_TABLE, Permission.Action.READ, Permission.Action.WRITE),
|
||||
new UserPermission("george",
|
||||
Permission.newBuilder(TEST_TABLE)
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
addUserPermission(conf,
|
||||
new UserPermission("hubert", TEST_TABLE, Permission.Action.READ),
|
||||
new UserPermission("hubert",
|
||||
Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
addUserPermission(conf,
|
||||
new UserPermission("humphrey", TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER,
|
||||
Permission.Action.READ),
|
||||
new UserPermission("humphrey",
|
||||
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
|
||||
.withActions(Permission.Action.READ).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
}
|
||||
// retrieve the same
|
||||
|
@ -211,7 +215,8 @@ public class TestTablePermissions {
|
|||
try (Connection connection = ConnectionFactory.createConnection(conf);
|
||||
Table table = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||
AccessControlLists.addUserPermission(conf,
|
||||
new UserPermission("hubert", TEST_TABLE2, Permission.Action.READ, Permission.Action.WRITE),
|
||||
new UserPermission("hubert", Permission.newBuilder(TEST_TABLE2)
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
|
||||
table);
|
||||
}
|
||||
// check full load
|
||||
|
@ -246,17 +251,24 @@ public class TestTablePermissions {
|
|||
Configuration conf = UTIL.getConfiguration();
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
addUserPermission(conf,
|
||||
new UserPermission("albert", TEST_TABLE, Permission.Action.READ),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
new UserPermission("albert",
|
||||
Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
addUserPermission(conf,
|
||||
new UserPermission("betty", TEST_TABLE, Permission.Action.READ, Permission.Action.WRITE),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
new UserPermission("betty",
|
||||
Permission.newBuilder(TEST_TABLE)
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
addUserPermission(conf,
|
||||
new UserPermission("clark", TEST_TABLE, TEST_FAMILY, Permission.Action.READ),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
new UserPermission("clark",
|
||||
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY)
|
||||
.withActions(Permission.Action.READ).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
addUserPermission(conf,
|
||||
new UserPermission("dwight", TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER,
|
||||
Permission.Action.WRITE), connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
new UserPermission("dwight",
|
||||
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
|
||||
.withActions(Permission.Action.WRITE).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
}
|
||||
// verify permissions survive changes in table metadata
|
||||
ListMultimap<String, UserPermission> preperms =
|
||||
|
@ -302,17 +314,16 @@ public class TestTablePermissions {
|
|||
|
||||
private ListMultimap<String, UserPermission> createPermissions() {
|
||||
ListMultimap<String, UserPermission> permissions = ArrayListMultimap.create();
|
||||
permissions.put("george",
|
||||
new UserPermission("george", TEST_TABLE, Permission.Action.READ));
|
||||
permissions.put("george",
|
||||
new UserPermission("george", TEST_TABLE, TEST_FAMILY, Permission.Action.WRITE));
|
||||
permissions.put("george",
|
||||
new UserPermission("george", TEST_TABLE2, Permission.Action.READ));
|
||||
permissions.put("hubert",
|
||||
new UserPermission("hubert", TEST_TABLE2, Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
permissions.put("bruce",
|
||||
new UserPermission("bruce", TEST_NAMESPACE, Permission.Action.READ));
|
||||
permissions.put("george", new UserPermission("george",
|
||||
Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build()));
|
||||
permissions.put("george", new UserPermission("george", Permission.newBuilder(TEST_TABLE)
|
||||
.withFamily(TEST_FAMILY).withActions(Permission.Action.WRITE).build()));
|
||||
permissions.put("george", new UserPermission("george",
|
||||
Permission.newBuilder(TEST_TABLE2).withActions(Permission.Action.READ).build()));
|
||||
permissions.put("hubert", new UserPermission("hubert", Permission.newBuilder(TEST_TABLE2)
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()));
|
||||
permissions.put("bruce", new UserPermission("bruce",
|
||||
Permission.newBuilder(TEST_NAMESPACE).withActions(Permission.Action.READ).build()));
|
||||
return permissions;
|
||||
}
|
||||
|
||||
|
@ -334,50 +345,58 @@ public class TestTablePermissions {
|
|||
|
||||
@Test
|
||||
public void testEquals() throws Exception {
|
||||
Permission p1 = new TablePermission(TEST_TABLE, Permission.Action.READ);
|
||||
Permission p2 = new TablePermission(TEST_TABLE, Permission.Action.READ);
|
||||
Permission p1 = Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build();
|
||||
Permission p2 = Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build();
|
||||
assertTrue(p1.equals(p2));
|
||||
assertTrue(p2.equals(p1));
|
||||
|
||||
p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ, TablePermission.Action.WRITE);
|
||||
p2 = new TablePermission(TEST_TABLE, TablePermission.Action.WRITE, TablePermission.Action.READ);
|
||||
p1 = Permission.newBuilder(TEST_TABLE)
|
||||
.withActions(TablePermission.Action.READ, TablePermission.Action.WRITE).build();
|
||||
p2 = Permission.newBuilder(TEST_TABLE)
|
||||
.withActions(TablePermission.Action.WRITE, TablePermission.Action.READ).build();
|
||||
assertTrue(p1.equals(p2));
|
||||
assertTrue(p2.equals(p1));
|
||||
|
||||
p1 = new TablePermission(TEST_TABLE, TEST_FAMILY, TablePermission.Action.READ, TablePermission.Action.WRITE);
|
||||
p2 = new TablePermission(TEST_TABLE, TEST_FAMILY, TablePermission.Action.WRITE, TablePermission.Action.READ);
|
||||
p1 = Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY)
|
||||
.withActions(TablePermission.Action.READ, TablePermission.Action.WRITE).build();
|
||||
p2 = Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY)
|
||||
.withActions(TablePermission.Action.WRITE, TablePermission.Action.READ).build();
|
||||
assertTrue(p1.equals(p2));
|
||||
assertTrue(p2.equals(p1));
|
||||
|
||||
p1 = new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER, TablePermission.Action.READ, TablePermission.Action.WRITE);
|
||||
p2 = new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER, TablePermission.Action.WRITE, TablePermission.Action.READ);
|
||||
p1 = Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
|
||||
.withActions(TablePermission.Action.READ, TablePermission.Action.WRITE).build();
|
||||
p2 = Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
|
||||
.withActions(TablePermission.Action.WRITE, TablePermission.Action.READ).build();
|
||||
assertTrue(p1.equals(p2));
|
||||
assertTrue(p2.equals(p1));
|
||||
|
||||
p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ);
|
||||
p2 = new TablePermission(TEST_TABLE, TEST_FAMILY, TablePermission.Action.READ);
|
||||
p1 = Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build();
|
||||
p2 = Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY)
|
||||
.withActions(TablePermission.Action.READ).build();
|
||||
assertFalse(p1.equals(p2));
|
||||
assertFalse(p2.equals(p1));
|
||||
|
||||
p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ);
|
||||
p2 = new TablePermission(TEST_TABLE, TablePermission.Action.WRITE);
|
||||
p1 = Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build();
|
||||
p2 = Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.WRITE).build();
|
||||
assertFalse(p1.equals(p2));
|
||||
assertFalse(p2.equals(p1));
|
||||
p2 = new TablePermission(TEST_TABLE, TablePermission.Action.READ, TablePermission.Action.WRITE);
|
||||
p2 = Permission.newBuilder(TEST_TABLE)
|
||||
.withActions(TablePermission.Action.READ, TablePermission.Action.WRITE).build();
|
||||
assertFalse(p1.equals(p2));
|
||||
assertFalse(p2.equals(p1));
|
||||
|
||||
p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ);
|
||||
p2 = new TablePermission(TEST_TABLE2, TablePermission.Action.READ);
|
||||
p1 = Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build();
|
||||
p2 = Permission.newBuilder(TEST_TABLE2).withActions(TablePermission.Action.READ).build();
|
||||
assertFalse(p1.equals(p2));
|
||||
assertFalse(p2.equals(p1));
|
||||
|
||||
p1 = new NamespacePermission(TEST_NAMESPACE, TablePermission.Action.READ);
|
||||
p2 = new NamespacePermission(TEST_NAMESPACE, TablePermission.Action.READ);
|
||||
p1 = Permission.newBuilder(TEST_NAMESPACE).withActions(TablePermission.Action.READ).build();
|
||||
p2 = Permission.newBuilder(TEST_NAMESPACE).withActions(TablePermission.Action.READ).build();
|
||||
assertEquals(p1, p2);
|
||||
|
||||
p1 = new NamespacePermission(TEST_NAMESPACE, TablePermission.Action.READ);
|
||||
p2 = new NamespacePermission(TEST_NAMESPACE2, TablePermission.Action.READ);
|
||||
p1 = Permission.newBuilder(TEST_NAMESPACE).withActions(TablePermission.Action.READ).build();
|
||||
p2 = Permission.newBuilder(TEST_NAMESPACE2).withActions(TablePermission.Action.READ).build();
|
||||
assertFalse(p1.equals(p2));
|
||||
assertFalse(p2.equals(p1));
|
||||
}
|
||||
|
@ -389,15 +408,20 @@ public class TestTablePermissions {
|
|||
// add some permissions
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
addUserPermission(conf,
|
||||
new UserPermission("user1",
|
||||
Permission.Action.READ, Permission.Action.WRITE), connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
new UserPermission("user1", Permission.newBuilder()
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
addUserPermission(conf,
|
||||
new UserPermission("user2",
|
||||
Permission.Action.CREATE), connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
new UserPermission("user2",
|
||||
Permission.newBuilder().withActions(Permission.Action.CREATE).build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
addUserPermission(conf,
|
||||
new UserPermission("user3",
|
||||
Permission.Action.ADMIN, Permission.Action.READ, Permission.Action.CREATE),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
new UserPermission("user3",
|
||||
Permission.newBuilder()
|
||||
.withActions(Permission.Action.ADMIN, Permission.Action.READ,
|
||||
Permission.Action.CREATE)
|
||||
.build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
}
|
||||
ListMultimap<String, UserPermission> perms =
|
||||
AccessControlLists.getTablePermissions(conf, null);
|
||||
|
@ -434,9 +458,13 @@ public class TestTablePermissions {
|
|||
User currentUser = User.getCurrent();
|
||||
assertTrue(authManager.authorizeUserGlobal(currentUser, Permission.Action.ADMIN));
|
||||
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||
for (int i=1; i<=50; i++) {
|
||||
addUserPermission(conf, new UserPermission("testauth"+i,
|
||||
Permission.Action.ADMIN, Permission.Action.READ, Permission.Action.WRITE),
|
||||
for (int i = 1; i <= 50; i++) {
|
||||
addUserPermission(conf,
|
||||
new UserPermission("testauth" + i,
|
||||
Permission.newBuilder()
|
||||
.withActions(Permission.Action.ADMIN, Permission.Action.READ,
|
||||
Permission.Action.WRITE)
|
||||
.build()),
|
||||
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
|
||||
// make sure the system user still shows as authorized
|
||||
assertTrue("Failed current user auth check on iter "+i,
|
||||
|
|
|
@ -381,11 +381,12 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
|
|||
AccessTestAction checkMultiQualifierRead = new AccessTestAction() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] {
|
||||
new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1,
|
||||
Permission.Action.READ),
|
||||
new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2,
|
||||
Permission.Action.READ), });
|
||||
checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(),
|
||||
new Permission[] {
|
||||
Permission.newBuilder(TEST_TABLE.getTableName()).withFamily(TEST_FAMILY)
|
||||
.withQualifier(TEST_Q1).withActions(Action.READ).build(),
|
||||
Permission.newBuilder(TEST_TABLE.getTableName()).withFamily(TEST_FAMILY)
|
||||
.withQualifier(TEST_Q2).withActions(Action.READ).build() });
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
@ -397,11 +398,14 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
|
|||
AccessTestAction checkMultiQualifierReadWrite = new AccessTestAction() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] {
|
||||
new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1,
|
||||
Permission.Action.READ, Permission.Action.WRITE),
|
||||
new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2,
|
||||
Permission.Action.READ, Permission.Action.WRITE), });
|
||||
checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(),
|
||||
new Permission[] {
|
||||
Permission.newBuilder(TEST_TABLE.getTableName()).withFamily(TEST_FAMILY)
|
||||
.withQualifier(TEST_Q1)
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build(),
|
||||
Permission.newBuilder(TEST_TABLE.getTableName()).withFamily(TEST_FAMILY)
|
||||
.withQualifier(TEST_Q2)
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build() });
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
|
|
@ -113,8 +113,8 @@ public class TestZKPermissionWatcher {
|
|||
|
||||
// update ACL: george RW
|
||||
List<UserPermission> acl = new ArrayList<>(1);
|
||||
acl.add(new UserPermission(george.getShortName(), TEST_TABLE,
|
||||
Permission.Action.READ, Permission.Action.WRITE));
|
||||
acl.add(new UserPermission(george.getShortName(), Permission.newBuilder(TEST_TABLE)
|
||||
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()));
|
||||
ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create();
|
||||
multimap.putAll(george.getShortName(), acl);
|
||||
byte[] serialized = AccessControlLists.writePermissionsAsBytes(multimap, conf);
|
||||
|
@ -141,7 +141,8 @@ public class TestZKPermissionWatcher {
|
|||
|
||||
// update ACL: hubert R
|
||||
List<UserPermission> acl2 = new ArrayList<>(1);
|
||||
acl2.add(new UserPermission(hubert.getShortName(), TEST_TABLE, TablePermission.Action.READ));
|
||||
acl2.add(new UserPermission(hubert.getShortName(),
|
||||
Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build()));
|
||||
final long mtimeA = AUTH_A.getMTime();
|
||||
multimap.putAll(hubert.getShortName(), acl2);
|
||||
byte[] serialized2 = AccessControlLists.writePermissionsAsBytes(multimap, conf);
|
||||
|
|
|
@ -56,7 +56,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshot;
|
|||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||
import org.apache.hadoop.hbase.security.access.Permission;
|
||||
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
||||
import org.apache.hadoop.hbase.thrift2.ThriftUtilities;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.TColumnFamilyDescriptor;
|
||||
|
@ -1101,12 +1101,12 @@ public class ThriftAdmin implements Admin {
|
|||
}
|
||||
|
||||
@Override
|
||||
public void grant(String userName, Permission permission, boolean mergeExistingPermissions) {
|
||||
public void grant(UserPermission userPermission, boolean mergeExistingPermissions) {
|
||||
throw new NotImplementedException("grant not supported in ThriftAdmin");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void revoke(String userName, Permission permission) {
|
||||
public void revoke(UserPermission userPermission) {
|
||||
throw new NotImplementedException("revoke not supported in ThriftAdmin");
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue