HBASE-20357 AccessControlClient API Enhancement
Signed-off-by: tedyu <yuzhihong@gmail.com>
This commit is contained in:
parent
63477d6251
commit
bb8826ca5f
|
@ -22,6 +22,7 @@ import java.util.ArrayList;
|
|||
import java.util.List;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.hadoop.hbase.HConstants;
|
||||
import org.apache.hadoop.hbase.HTableDescriptor;
|
||||
import org.apache.hadoop.hbase.MasterNotRunningException;
|
||||
|
@ -255,15 +256,28 @@ public class AccessControlClient {
|
|||
* along with the list of superusers would be returned. Else, no rows get returned.
|
||||
* @param connection The Connection instance to use
|
||||
* @param tableRegex The regular expression string to match against
|
||||
* @return - returns an array of UserPermissions
|
||||
* @return List of UserPermissions
|
||||
* @throws Throwable
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex)
|
||||
throws Throwable {
|
||||
/** TODO: Pass an rpcController
|
||||
HBaseRpcController controller
|
||||
= ((ClusterConnection) connection).getRpcControllerFactory().newController();
|
||||
*/
|
||||
return getUserPermissions(connection, tableRegex, HConstants.EMPTY_STRING);
|
||||
}
|
||||
|
||||
/**
|
||||
* List all the userPermissions matching the given table pattern and user name.
|
||||
* @param connection Connection
|
||||
* @param tableRegex The regular expression string to match against
|
||||
* @param userName User name, if empty then all user permissions will be retrieved.
|
||||
* @return List of UserPermissions
|
||||
* @throws Throwable on failure
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex,
|
||||
String userName) throws Throwable {
|
||||
/**
|
||||
* TODO: Pass an rpcController HBaseRpcController controller = ((ClusterConnection)
|
||||
* connection).getRpcControllerFactory().newController();
|
||||
*/
|
||||
List<UserPermission> permList = new ArrayList<>();
|
||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
||||
try (Admin admin = connection.getAdmin()) {
|
||||
|
@ -272,25 +286,167 @@ public class AccessControlClient {
|
|||
AccessControlProtos.AccessControlService.newBlockingStub(service);
|
||||
HTableDescriptor[] htds = null;
|
||||
if (tableRegex == null || tableRegex.isEmpty()) {
|
||||
permList = AccessControlUtil.getUserPermissions(null, protocol);
|
||||
} else if (tableRegex.charAt(0) == '@') { // Namespaces
|
||||
permList = AccessControlUtil.getUserPermissions(null, protocol, userName);
|
||||
} else if (tableRegex.charAt(0) == '@') { // Namespaces
|
||||
String namespaceRegex = tableRegex.substring(1);
|
||||
for (NamespaceDescriptor nsds : admin.listNamespaceDescriptors()) { // Read out all namespaces
|
||||
for (NamespaceDescriptor nsds : admin.listNamespaceDescriptors()) { // Read out all
|
||||
// namespaces
|
||||
String namespace = nsds.getName();
|
||||
if (namespace.matches(namespaceRegex)) { // Match the given namespace regex?
|
||||
if (namespace.matches(namespaceRegex)) { // Match the given namespace regex?
|
||||
permList.addAll(AccessControlUtil.getUserPermissions(null, protocol,
|
||||
Bytes.toBytes(namespace)));
|
||||
Bytes.toBytes(namespace), userName));
|
||||
}
|
||||
}
|
||||
} else { // Tables
|
||||
} else { // Tables
|
||||
htds = admin.listTables(Pattern.compile(tableRegex), true);
|
||||
for (HTableDescriptor hd : htds) {
|
||||
permList.addAll(AccessControlUtil.getUserPermissions(null, protocol,
|
||||
hd.getTableName()));
|
||||
for (HTableDescriptor htd : htds) {
|
||||
permList.addAll(AccessControlUtil.getUserPermissions(null, protocol, htd.getTableName(),
|
||||
null, null, userName));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return permList;
|
||||
}
|
||||
|
||||
/**
|
||||
* List all the userPermissions matching the given table pattern and column family.
|
||||
* @param connection Connection
|
||||
* @param tableRegex The regular expression string to match against. It shouldn't be null, empty
|
||||
* or a namespace regular expression.
|
||||
* @param columnFamily Column family
|
||||
* @return List of UserPermissions
|
||||
* @throws Throwable on failure
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex,
|
||||
byte[] columnFamily) throws Throwable {
|
||||
return getUserPermissions(connection, tableRegex, columnFamily, null, HConstants.EMPTY_STRING);
|
||||
}
|
||||
|
||||
/**
|
||||
* List all the userPermissions matching the given table pattern, column family and user name.
|
||||
* @param connection Connection
|
||||
* @param tableRegex The regular expression string to match against. It shouldn't be null, empty
|
||||
* or a namespace regular expression.
|
||||
* @param columnFamily Column family
|
||||
* @param userName User name, if empty then all user permissions will be retrieved.
|
||||
* @return List of UserPermissions
|
||||
* @throws Throwable on failure
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex,
|
||||
byte[] columnFamily, String userName) throws Throwable {
|
||||
return getUserPermissions(connection, tableRegex, columnFamily, null, userName);
|
||||
}
|
||||
|
||||
/**
|
||||
* List all the userPermissions matching the given table pattern, column family and column
|
||||
* qualifier.
|
||||
* @param connection Connection
|
||||
* @param tableRegex The regular expression string to match against. It shouldn't be null, empty
|
||||
* or a namespace regular expression.
|
||||
* @param columnFamily Column family
|
||||
* @param columnQualifier Column qualifier
|
||||
* @return List of UserPermissions
|
||||
* @throws Throwable on failure
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex,
|
||||
byte[] columnFamily, byte[] columnQualifier) throws Throwable {
|
||||
return getUserPermissions(connection, tableRegex, columnFamily, columnQualifier,
|
||||
HConstants.EMPTY_STRING);
|
||||
}
|
||||
|
||||
/**
|
||||
* List all the userPermissions matching the given table pattern, column family and column
|
||||
* qualifier.
|
||||
* @param connection Connection
|
||||
* @param tableRegex The regular expression string to match against. It shouldn't be null, empty
|
||||
* or a namespace regular expression.
|
||||
* @param columnFamily Column family
|
||||
* @param columnQualifier Column qualifier
|
||||
* @param userName User name, if empty then all user permissions will be retrieved.
|
||||
* @return List of UserPermissions
|
||||
* @throws Throwable on failure
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex,
|
||||
byte[] columnFamily, byte[] columnQualifier, String userName) throws Throwable {
|
||||
if (tableRegex == null || tableRegex.isEmpty() || tableRegex.charAt(0) == '@') {
|
||||
throw new IllegalArgumentException("Table name can't be null or empty or a namespace.");
|
||||
}
|
||||
/**
|
||||
* TODO: Pass an rpcController HBaseRpcController controller = ((ClusterConnection)
|
||||
* connection).getRpcControllerFactory().newController();
|
||||
*/
|
||||
List<UserPermission> permList = new ArrayList<UserPermission>();
|
||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
||||
try (Admin admin = connection.getAdmin()) {
|
||||
CoprocessorRpcChannel service = table.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||
BlockingInterface protocol =
|
||||
AccessControlProtos.AccessControlService.newBlockingStub(service);
|
||||
HTableDescriptor[] htds = admin.listTables(Pattern.compile(tableRegex), true);
|
||||
// Retrieve table permissions
|
||||
for (HTableDescriptor htd : htds) {
|
||||
permList.addAll(AccessControlUtil.getUserPermissions(null, protocol, htd.getTableName(),
|
||||
columnFamily, columnQualifier, userName));
|
||||
}
|
||||
}
|
||||
}
|
||||
return permList;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates whether specified user has permission to perform actions on the mentioned table,
|
||||
* column family or column qualifier.
|
||||
* @param connection Connection
|
||||
* @param tableName Table name, it shouldn't be null or empty.
|
||||
* @param columnFamily The column family. Optional argument, can be empty. If empty then
|
||||
* validation will happen at table level.
|
||||
* @param columnQualifier The column qualifier. Optional argument, can be empty. If empty then
|
||||
* validation will happen at table and column family level. columnQualifier will not be
|
||||
* considered if columnFamily is passed as null or empty.
|
||||
* @param userName User name, it shouldn't be null or empty.
|
||||
* @param actions Actions
|
||||
* @return true if access allowed to the specified user, otherwise false.
|
||||
* @throws Throwable on failure
|
||||
*/
|
||||
public static boolean hasPermission(Connection connection, String tableName, String columnFamily,
|
||||
String columnQualifier, String userName, Permission.Action... actions) throws Throwable {
|
||||
return hasPermission(connection, tableName, Bytes.toBytes(columnFamily),
|
||||
Bytes.toBytes(columnQualifier), userName, actions);
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates whether specified user has permission to perform actions on the mentioned table,
|
||||
* column family or column qualifier.
|
||||
* @param connection Connection
|
||||
* @param tableName Table name, it shouldn't be null or empty.
|
||||
* @param columnFamily The column family. Optional argument, can be empty. If empty then
|
||||
* validation will happen at table level.
|
||||
* @param columnQualifier The column qualifier. Optional argument, can be empty. If empty then
|
||||
* validation will happen at table and column family level. columnQualifier will not be
|
||||
* considered if columnFamily is passed as null or empty.
|
||||
* @param userName User name, it shouldn't be null or empty.
|
||||
* @param actions Actions
|
||||
* @return true if access allowed to the specified user, otherwise false.
|
||||
* @throws Throwable on failure
|
||||
*/
|
||||
public static boolean hasPermission(Connection connection, String tableName, byte[] columnFamily,
|
||||
byte[] columnQualifier, String userName, Permission.Action... actions) throws Throwable {
|
||||
if (StringUtils.isEmpty(tableName) || StringUtils.isEmpty(userName)) {
|
||||
throw new IllegalArgumentException("Table and user name can't be null or empty.");
|
||||
}
|
||||
boolean hasPermission = false;
|
||||
/**
|
||||
* todo: pass an rpccontroller hbaserpccontroller controller = ((clusterconnection)
|
||||
* connection).getrpccontrollerfactory().newcontroller();
|
||||
*/
|
||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
||||
CoprocessorRpcChannel service = table.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||
BlockingInterface protocol =
|
||||
AccessControlProtos.AccessControlService.newBlockingStub(service);
|
||||
// Check whether user has permission
|
||||
hasPermission = AccessControlUtil.hasPermission(null, protocol, TableName.valueOf(tableName),
|
||||
columnFamily, columnQualifier, userName, actions);
|
||||
}
|
||||
return hasPermission;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,6 +22,8 @@ import java.util.Collection;
|
|||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.hadoop.hbase.HConstants;
|
||||
import org.apache.hadoop.hbase.TableName;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
|
||||
|
@ -29,7 +31,7 @@ import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
|
|||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GetUserPermissionsResponse;
|
||||
import org.apache.hadoop.hbase.util.ByteStringer;
|
||||
|
||||
import org.apache.hadoop.hbase.util.Bytes;
|
||||
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
|
||||
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
|
||||
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
|
||||
|
@ -255,9 +257,32 @@ public class AccessControlUtil {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a TablePermission proto to a client TablePermission object.
|
||||
* @param proto the protobuf TablePermission
|
||||
* @return the converted TablePermission
|
||||
*/
|
||||
public static TablePermission toTablePermission(AccessControlProtos.TablePermission proto) {
|
||||
List<Permission.Action> actions = toPermissionActions(proto.getActionList());
|
||||
TableName table = null;
|
||||
byte[] qualifier = null;
|
||||
byte[] family = null;
|
||||
if (!proto.hasTableName()) {
|
||||
throw new IllegalStateException("TableName cannot be empty");
|
||||
}
|
||||
table = ProtobufUtil.toTableName(proto.getTableName());
|
||||
if (proto.hasFamily()) {
|
||||
family = proto.getFamily().toByteArray();
|
||||
}
|
||||
if (proto.hasQualifier()) {
|
||||
qualifier = proto.getQualifier().toByteArray();
|
||||
}
|
||||
return new TablePermission(table, family, qualifier,
|
||||
actions.toArray(new Permission.Action[actions.size()]));
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a Permission proto to a client TablePermission object.
|
||||
*
|
||||
* @param proto the protobuf Permission
|
||||
* @return the converted TablePermission
|
||||
*/
|
||||
|
@ -539,6 +564,7 @@ public class AccessControlUtil {
|
|||
* <p>
|
||||
* It's also called by the shell, in case you want to find references.
|
||||
*
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param namespace the short name of the user to grant permissions
|
||||
* @param actions the permissions to be granted
|
||||
|
@ -562,10 +588,11 @@ public class AccessControlUtil {
|
|||
* <p>
|
||||
* It's also called by the shell, in case you want to find references.
|
||||
*
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param userShortName the short name of the user to revoke permissions
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException
|
||||
* @throws ServiceException on failure
|
||||
*/
|
||||
public static void revoke(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol, String userShortName,
|
||||
|
@ -586,13 +613,14 @@ public class AccessControlUtil {
|
|||
* <p>
|
||||
* It's also called by the shell, in case you want to find references.
|
||||
*
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param userShortName the short name of the user to revoke permissions
|
||||
* @param tableName optional table name
|
||||
* @param f optional column family
|
||||
* @param q optional qualifier
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException
|
||||
* @throws ServiceException on failure
|
||||
*/
|
||||
public static void revoke(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName,
|
||||
|
@ -612,11 +640,12 @@ public class AccessControlUtil {
|
|||
* <p>
|
||||
* It's also called by the shell, in case you want to find references.
|
||||
*
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param userShortName the short name of the user to revoke permissions
|
||||
* @param namespace optional table name
|
||||
* @param actions the permissions to be revoked
|
||||
* @throws ServiceException
|
||||
* @throws ServiceException on failure
|
||||
*/
|
||||
public static void revoke(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol, String userShortName, String namespace,
|
||||
|
@ -636,19 +665,36 @@ public class AccessControlUtil {
|
|||
* <p>
|
||||
* It's also called by the shell, in case you want to find references.
|
||||
*
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @throws ServiceException
|
||||
* @throws ServiceException on failure
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol) throws ServiceException {
|
||||
return getUserPermissions(controller, protocol, HConstants.EMPTY_STRING);
|
||||
}
|
||||
|
||||
/**
|
||||
* A utility used to get user's global permissions based on the specified user name.
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param userName User name, if empty then all user permissions will be retrieved.
|
||||
* @throws ServiceException
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol, String userName) throws ServiceException {
|
||||
AccessControlProtos.GetUserPermissionsRequest.Builder builder =
|
||||
AccessControlProtos.GetUserPermissionsRequest.newBuilder();
|
||||
builder.setType(AccessControlProtos.Permission.Type.Global);
|
||||
if (!StringUtils.isEmpty(userName)) {
|
||||
builder.setUserName(ByteString.copyFromUtf8(userName));
|
||||
}
|
||||
|
||||
AccessControlProtos.GetUserPermissionsRequest request = builder.build();
|
||||
AccessControlProtos.GetUserPermissionsResponse response =
|
||||
protocol.getUserPermissions(controller, request);
|
||||
List<UserPermission> perms = new ArrayList<>(response.getUserPermissionCount());
|
||||
for (AccessControlProtos.UserPermission perm: response.getUserPermissionList()) {
|
||||
for (AccessControlProtos.UserPermission perm : response.getUserPermissionList()) {
|
||||
perms.add(toUserPermission(perm));
|
||||
}
|
||||
return perms;
|
||||
|
@ -659,6 +705,7 @@ public class AccessControlUtil {
|
|||
* <p>
|
||||
* It's also called by the shell, in case you want to find references.
|
||||
*
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param t optional table name
|
||||
* @throws ServiceException
|
||||
|
@ -666,17 +713,44 @@ public class AccessControlUtil {
|
|||
public static List<UserPermission> getUserPermissions(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol,
|
||||
TableName t) throws ServiceException {
|
||||
return getUserPermissions(controller, protocol, t, null, null, HConstants.EMPTY_STRING);
|
||||
}
|
||||
|
||||
/**
|
||||
* A utility used to get user table permissions based on the column family, column qualifier and
|
||||
* user name.
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param t optional table name
|
||||
* @param columnFamily Column family
|
||||
* @param columnQualifier Column qualifier
|
||||
* @param userName User name, if empty then all user permissions will be retrieved.
|
||||
* @throws ServiceException
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol, TableName t, byte[] columnFamily,
|
||||
byte[] columnQualifier, String userName) throws ServiceException {
|
||||
AccessControlProtos.GetUserPermissionsRequest.Builder builder =
|
||||
AccessControlProtos.GetUserPermissionsRequest.newBuilder();
|
||||
if (t != null) {
|
||||
builder.setTableName(ProtobufUtil.toProtoTableName(t));
|
||||
}
|
||||
if (Bytes.len(columnFamily) > 0) {
|
||||
builder.setColumnFamily(ByteString.copyFrom(columnFamily));
|
||||
}
|
||||
if (Bytes.len(columnQualifier) > 0) {
|
||||
builder.setColumnQualifier(ByteString.copyFrom(columnQualifier));
|
||||
}
|
||||
if (!StringUtils.isEmpty(userName)) {
|
||||
builder.setUserName(ByteString.copyFromUtf8(userName));
|
||||
}
|
||||
|
||||
builder.setType(AccessControlProtos.Permission.Type.Table);
|
||||
AccessControlProtos.GetUserPermissionsRequest request = builder.build();
|
||||
AccessControlProtos.GetUserPermissionsResponse response =
|
||||
protocol.getUserPermissions(controller, request);
|
||||
List<UserPermission> perms = new ArrayList<>(response.getUserPermissionCount());
|
||||
for (AccessControlProtos.UserPermission perm: response.getUserPermissionList()) {
|
||||
for (AccessControlProtos.UserPermission perm : response.getUserPermissionList()) {
|
||||
perms.add(toUserPermission(perm));
|
||||
}
|
||||
return perms;
|
||||
|
@ -687,6 +761,7 @@ public class AccessControlUtil {
|
|||
* <p>
|
||||
* It's also called by the shell, in case you want to find references.
|
||||
*
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param namespace name of the namespace
|
||||
* @throws ServiceException
|
||||
|
@ -694,22 +769,80 @@ public class AccessControlUtil {
|
|||
public static List<UserPermission> getUserPermissions(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol,
|
||||
byte[] namespace) throws ServiceException {
|
||||
return getUserPermissions(controller, protocol, namespace, HConstants.EMPTY_STRING);
|
||||
}
|
||||
|
||||
/**
|
||||
* A utility used to get permissions for selected namespace based on the specified user name.
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param namespace name of the namespace
|
||||
* @param userName User name, if empty then all user permissions will be retrieved.
|
||||
* @throws ServiceException
|
||||
*/
|
||||
public static List<UserPermission> getUserPermissions(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol, byte[] namespace, String userName)
|
||||
throws ServiceException {
|
||||
AccessControlProtos.GetUserPermissionsRequest.Builder builder =
|
||||
AccessControlProtos.GetUserPermissionsRequest.newBuilder();
|
||||
if (namespace != null) {
|
||||
builder.setNamespaceName(ByteStringer.wrap(namespace));
|
||||
}
|
||||
if (!StringUtils.isEmpty(userName)) {
|
||||
builder.setUserName(ByteString.copyFromUtf8(userName));
|
||||
}
|
||||
builder.setType(AccessControlProtos.Permission.Type.Namespace);
|
||||
AccessControlProtos.GetUserPermissionsRequest request = builder.build();
|
||||
AccessControlProtos.GetUserPermissionsResponse response =
|
||||
protocol.getUserPermissions(controller, request);
|
||||
List<UserPermission> perms = new ArrayList<>(response.getUserPermissionCount());
|
||||
for (AccessControlProtos.UserPermission perm: response.getUserPermissionList()) {
|
||||
for (AccessControlProtos.UserPermission perm : response.getUserPermissionList()) {
|
||||
perms.add(toUserPermission(perm));
|
||||
}
|
||||
return perms;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates whether specified user has permission to perform actions on the mentioned table,
|
||||
* column family or column qualifier.
|
||||
* @param controller RpcController
|
||||
* @param protocol the AccessControlService protocol proxy
|
||||
* @param tableName Table name, it shouldn't be null or empty.
|
||||
* @param columnFamily The column family. Optional argument, can be empty. If empty then
|
||||
* validation will happen at table level.
|
||||
* @param columnQualifier The column qualifier. Optional argument, can be empty. If empty then
|
||||
* validation will happen at table and column family level. columnQualifier will not be
|
||||
* considered if columnFamily is passed as null or empty.
|
||||
* @param userName User name, it shouldn't be null or empty.
|
||||
* @param actions Actions
|
||||
* @return true if access allowed, otherwise false
|
||||
* @throws ServiceException
|
||||
*/
|
||||
public static boolean hasPermission(RpcController controller,
|
||||
AccessControlService.BlockingInterface protocol, TableName tableName, byte[] columnFamily,
|
||||
byte[] columnQualifier, String userName, Permission.Action[] actions)
|
||||
throws ServiceException {
|
||||
AccessControlProtos.TablePermission.Builder tablePermissionBuilder =
|
||||
AccessControlProtos.TablePermission.newBuilder();
|
||||
tablePermissionBuilder
|
||||
.setTableName(org.apache.hadoop.hbase.protobuf.ProtobufUtil.toProtoTableName(tableName));
|
||||
if (Bytes.len(columnFamily) > 0) {
|
||||
tablePermissionBuilder.setFamily(ByteStringer.wrap(columnFamily));
|
||||
}
|
||||
if (Bytes.len(columnQualifier) > 0) {
|
||||
tablePermissionBuilder.setQualifier(ByteString.copyFrom(columnQualifier));
|
||||
}
|
||||
for (Permission.Action a : actions) {
|
||||
tablePermissionBuilder.addAction(toPermissionAction(a));
|
||||
}
|
||||
AccessControlProtos.HasPermissionRequest request = AccessControlProtos.HasPermissionRequest
|
||||
.newBuilder().setTablePermission(tablePermissionBuilder)
|
||||
.setUserName(ByteString.copyFromUtf8(userName)).build();
|
||||
AccessControlProtos.HasPermissionResponse response =
|
||||
protocol.hasPermission(controller, request);
|
||||
return response.getHasPermission();
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert a protobuf UserTablePermissions to a
|
||||
* ListMultimap<String, TablePermission> where key is username.
|
||||
|
|
|
@ -31,6 +31,7 @@ import org.apache.hadoop.hbase.client.RegionInfo;
|
|||
import org.apache.hadoop.hbase.client.Result;
|
||||
import org.apache.hadoop.hbase.client.SingleResponse;
|
||||
import org.apache.hadoop.hbase.ipc.ServerRpcController;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.HasPermissionResponse;
|
||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
|
||||
import org.apache.hadoop.util.StringUtils;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
|
@ -228,6 +229,15 @@ public final class ResponseConverter {
|
|||
return parameterBuilder.build();
|
||||
}
|
||||
|
||||
/**
|
||||
* Builds a protocol buffer HasPermissionResponse
|
||||
*/
|
||||
public static HasPermissionResponse buildHasPermissionResponse(boolean hasPermission) {
|
||||
HasPermissionResponse.Builder builder = HasPermissionResponse.newBuilder();
|
||||
builder.setHasPermission(hasPermission);
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
// End utilities for Client
|
||||
// Start utilities for Admin
|
||||
|
||||
|
|
|
@ -530,10 +530,15 @@ public final class HConstants {
|
|||
// Other constants
|
||||
|
||||
/**
|
||||
* An empty instance.
|
||||
* An empty byte array instance.
|
||||
*/
|
||||
public static final byte [] EMPTY_BYTE_ARRAY = new byte [0];
|
||||
|
||||
/**
|
||||
* An empty string instance.
|
||||
*/
|
||||
public static final String EMPTY_STRING = "";
|
||||
|
||||
public static final ByteBuffer EMPTY_BYTE_BUFFER = ByteBuffer.wrap(EMPTY_BYTE_ARRAY);
|
||||
|
||||
/**
|
||||
|
|
|
@ -96,6 +96,9 @@ message GetUserPermissionsRequest {
|
|||
optional Permission.Type type = 1;
|
||||
optional TableName table_name = 2;
|
||||
optional bytes namespace_name = 3;
|
||||
optional bytes column_family = 4;
|
||||
optional bytes column_qualifier = 5;
|
||||
optional bytes user_name = 6;
|
||||
}
|
||||
|
||||
message GetUserPermissionsResponse {
|
||||
|
@ -109,6 +112,15 @@ message CheckPermissionsRequest {
|
|||
message CheckPermissionsResponse {
|
||||
}
|
||||
|
||||
message HasPermissionRequest {
|
||||
required TablePermission table_permission = 1;
|
||||
required bytes user_name = 2;
|
||||
}
|
||||
|
||||
message HasPermissionResponse {
|
||||
optional bool has_permission = 1;
|
||||
}
|
||||
|
||||
service AccessControlService {
|
||||
rpc Grant(GrantRequest)
|
||||
returns (GrantResponse);
|
||||
|
@ -121,4 +133,7 @@ service AccessControlService {
|
|||
|
||||
rpc CheckPermissions(CheckPermissionsRequest)
|
||||
returns (CheckPermissionsResponse);
|
||||
|
||||
rpc HasPermission(HasPermissionRequest)
|
||||
returns (HasPermissionResponse);
|
||||
}
|
||||
|
|
|
@ -543,7 +543,7 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver {
|
|||
}
|
||||
|
||||
public void checkPermission(String request) throws IOException {
|
||||
accessChecker.requirePermission(getActiveUser(), request, Action.ADMIN);
|
||||
accessChecker.requirePermission(getActiveUser(), request, null, Action.ADMIN);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -1294,7 +1294,7 @@ public class RSRpcServices implements HBaseRPCErrorHandler,
|
|||
|
||||
protected void requirePermission(String request, Permission.Action perm) throws IOException {
|
||||
if (accessChecker != null) {
|
||||
accessChecker.requirePermission(RpcServer.getRequestUser().orElse(null), request, perm);
|
||||
accessChecker.requirePermission(RpcServer.getRequestUser().orElse(null), request, null, perm);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -20,7 +20,11 @@ package org.apache.hadoop.hbase.security.access;
|
|||
|
||||
import java.io.IOException;
|
||||
import java.net.InetAddress;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
|
@ -32,18 +36,25 @@ import org.apache.hadoop.hbase.security.AccessDeniedException;
|
|||
import org.apache.hadoop.hbase.security.User;
|
||||
import org.apache.hadoop.hbase.security.access.Permission.Action;
|
||||
import org.apache.hadoop.hbase.zookeeper.ZKWatcher;
|
||||
import org.apache.hadoop.security.Groups;
|
||||
import org.apache.hadoop.security.HadoopKerberosName;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
@InterfaceAudience.Private
|
||||
public final class AccessChecker {
|
||||
private static final Logger LOG = LoggerFactory.getLogger(AccessChecker.class);
|
||||
private static final Logger AUDITLOG =
|
||||
LoggerFactory.getLogger("SecurityLogger." + AccessChecker.class.getName());
|
||||
// TODO: we should move to a design where we don't even instantiate an AccessChecker if
|
||||
// authorization is not enabled (like in RSRpcServices), instead of always instantiating one and
|
||||
// calling requireXXX() only to do nothing (since authorizationEnabled will be false).
|
||||
private TableAuthManager authManager;
|
||||
|
||||
/** Group service to retrieve the user group information */
|
||||
private static Groups groupService;
|
||||
|
||||
/**
|
||||
* if we are active, usually false, only true if "hbase.security.authorization"
|
||||
* has been set to true in site configuration.see HBASE-19483.
|
||||
|
@ -72,6 +83,7 @@ public final class AccessChecker {
|
|||
throw new NullPointerException("Error obtaining AccessChecker, zk found null.");
|
||||
}
|
||||
authorizationEnabled = isAuthorizationSupported(conf);
|
||||
initGroupService(conf);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -88,9 +100,11 @@ public final class AccessChecker {
|
|||
/**
|
||||
* Authorizes that the current user has any of the given permissions to access the table.
|
||||
*
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type.
|
||||
* @param tableName Table requested
|
||||
* @param permissions Actions being requested
|
||||
* @throws IOException if obtaining the current user fails
|
||||
* @throws IOException if obtaining the current user fails
|
||||
* @throws AccessDeniedException if user has no authorization
|
||||
*/
|
||||
public void requireAccess(User user, String request, TableName tableName,
|
||||
|
@ -119,14 +133,16 @@ public final class AccessChecker {
|
|||
|
||||
/**
|
||||
* Authorizes that the current user has global privileges for the given action.
|
||||
*
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type
|
||||
* @param filterUser User name to be filtered from permission as requested
|
||||
* @param perm The action being requested
|
||||
* @throws IOException if obtaining the current user fails
|
||||
* @throws IOException if obtaining the current user fails
|
||||
* @throws AccessDeniedException if authorization is denied
|
||||
*/
|
||||
public void requirePermission(User user, String request, Action perm)
|
||||
public void requirePermission(User user, String request, String filterUser, Action perm)
|
||||
throws IOException {
|
||||
requireGlobalPermission(user, request, perm, null, null);
|
||||
requireGlobalPermission(user, request, perm, null, null, filterUser);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -134,25 +150,29 @@ public final class AccessChecker {
|
|||
* audit log message will contain context information for the operation
|
||||
* being authorized, based on the given parameters.
|
||||
*
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type
|
||||
* @param perm Action being requested
|
||||
* @param tableName Affected table name.
|
||||
* @param familyMap Affected column families.
|
||||
* @param filterUser User name to be filtered from permission as requested
|
||||
*/
|
||||
public void requireGlobalPermission(User user, String request,
|
||||
Action perm, TableName tableName,
|
||||
Map<byte[], ? extends Collection<byte[]>> familyMap)throws IOException {
|
||||
Map<byte[], ? extends Collection<byte[]>> familyMap, String filterUser) throws IOException {
|
||||
if (!authorizationEnabled) {
|
||||
return;
|
||||
}
|
||||
AuthResult result;
|
||||
if (authManager.authorize(user, perm)) {
|
||||
result = AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap);
|
||||
result.getParams().setTableName(tableName).setFamilies(familyMap);
|
||||
logResult(result);
|
||||
} else {
|
||||
result = AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap);
|
||||
result.getParams().setTableName(tableName).setFamilies(familyMap);
|
||||
logResult(result);
|
||||
}
|
||||
result.getParams().setTableName(tableName).setFamilies(familyMap);
|
||||
result.getParams().addExtraParam("filterUser", filterUser);
|
||||
logResult(result);
|
||||
if (!result.isAllowed()) {
|
||||
throw new AccessDeniedException(
|
||||
"Insufficient permissions for user '" + (user != null ? user.getShortName() : "null")
|
||||
+ "' (global, action=" + perm.toString() + ")");
|
||||
|
@ -164,6 +184,8 @@ public final class AccessChecker {
|
|||
* audit log message will contain context information for the operation
|
||||
* being authorized, based on the given parameters.
|
||||
*
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type
|
||||
* @param perm Action being requested
|
||||
* @param namespace The given namespace
|
||||
*/
|
||||
|
@ -189,12 +211,14 @@ public final class AccessChecker {
|
|||
|
||||
/**
|
||||
* Checks that the user has the given global or namespace permission.
|
||||
*
|
||||
* @param namespace The given namespace
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type
|
||||
* @param namespace Name space as requested
|
||||
* @param filterUser User name to be filtered from permission as requested
|
||||
* @param permissions Actions being requested
|
||||
*/
|
||||
public void requireNamespacePermission(User user, String request, String namespace,
|
||||
Action... permissions) throws IOException {
|
||||
String filterUser, Action... permissions) throws IOException {
|
||||
if (!authorizationEnabled) {
|
||||
return;
|
||||
}
|
||||
|
@ -210,6 +234,7 @@ public final class AccessChecker {
|
|||
result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
|
||||
}
|
||||
}
|
||||
result.getParams().addExtraParam("filterUser", filterUser);
|
||||
logResult(result);
|
||||
if (!result.isAllowed()) {
|
||||
throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
|
||||
|
@ -219,7 +244,11 @@ public final class AccessChecker {
|
|||
/**
|
||||
* Checks that the user has the given global or namespace permission.
|
||||
*
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type
|
||||
* @param namespace The given namespace
|
||||
* @param tableName Table requested
|
||||
* @param familyMap Column family map requested
|
||||
* @param permissions Actions being requested
|
||||
*/
|
||||
public void requireNamespacePermission(User user, String request, String namespace,
|
||||
|
@ -252,14 +281,18 @@ public final class AccessChecker {
|
|||
* Authorizes that the current user has any of the given permissions for the
|
||||
* given table, column family and column qualifier.
|
||||
*
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type
|
||||
* @param tableName Table requested
|
||||
* @param family Column family requested
|
||||
* @param qualifier Column qualifier requested
|
||||
* @throws IOException if obtaining the current user fails
|
||||
* @param filterUser User name to be filtered from permission as requested
|
||||
* @param permissions Actions being requested
|
||||
* @throws IOException if obtaining the current user fails
|
||||
* @throws AccessDeniedException if user has no authorization
|
||||
*/
|
||||
public void requirePermission(User user, String request, TableName tableName, byte[] family,
|
||||
byte[] qualifier, Action... permissions) throws IOException {
|
||||
byte[] qualifier, String filterUser, Action... permissions) throws IOException {
|
||||
if (!authorizationEnabled) {
|
||||
return;
|
||||
}
|
||||
|
@ -273,9 +306,10 @@ public final class AccessChecker {
|
|||
} else {
|
||||
// rest of the world
|
||||
result = AuthResult.deny(request, "Insufficient permissions",
|
||||
user, permission, tableName, family, qualifier);
|
||||
user, permission, tableName, family, qualifier);
|
||||
}
|
||||
}
|
||||
result.getParams().addExtraParam("filterUser", filterUser);
|
||||
logResult(result);
|
||||
if (!result.isAllowed()) {
|
||||
throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
|
||||
|
@ -286,6 +320,8 @@ public final class AccessChecker {
|
|||
* Authorizes that the current user has any of the given permissions for the
|
||||
* given table, column family and column qualifier.
|
||||
*
|
||||
* @param user Active user to which authorization checks should be applied
|
||||
* @param request Request type
|
||||
* @param tableName Table requested
|
||||
* @param family Column family param
|
||||
* @param qualifier Column qualifier param
|
||||
|
@ -323,7 +359,7 @@ public final class AccessChecker {
|
|||
TableName tableName, RegionInfo[] regionInfos, String reason)
|
||||
throws IOException {
|
||||
if (namespace != null && !namespace.isEmpty()) {
|
||||
requireNamespacePermission(user, reason, namespace, Action.ADMIN, Action.CREATE);
|
||||
requireNamespacePermission(user, reason, namespace, null, Action.ADMIN, Action.CREATE);
|
||||
} else if (tableName != null || (regionInfos != null && regionInfos.length > 0)) {
|
||||
// So, either a table or regions op. If latter, check perms ons table.
|
||||
TableName tn = tableName != null? tableName: regionInfos[0].getTable();
|
||||
|
@ -340,9 +376,111 @@ public final class AccessChecker {
|
|||
"Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {}",
|
||||
(result.isAllowed() ? "allowed" : "denied"),
|
||||
(result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN"),
|
||||
result.getReason(),
|
||||
RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""),
|
||||
result.getReason(), RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""),
|
||||
result.getRequest(), result.toContextString());
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate the hasPermission operation caller with the filter user. Self check doesn't require
|
||||
* any privilege but for others caller must have ADMIN privilege.
|
||||
*/
|
||||
public User validateCallerWithFilterUser(User caller, TablePermission tPerm, String inputUserName)
|
||||
throws IOException {
|
||||
User filterUser = null;
|
||||
if (!caller.getShortName().equals(inputUserName)) {
|
||||
// User should have admin privilege if checking permission for other users
|
||||
requirePermission(caller, "hasPermission", tPerm.getTableName(), tPerm.getFamily(),
|
||||
tPerm.getQualifier(), inputUserName, Action.ADMIN);
|
||||
// Initialize user instance for the input user name
|
||||
List<String> groups = getUserGroups(inputUserName);
|
||||
filterUser = new InputUser(inputUserName, groups.toArray(new String[groups.size()]));
|
||||
} else {
|
||||
// User don't need ADMIN privilege for self check.
|
||||
// Setting action as null in AuthResult to display empty action in audit log
|
||||
AuthResult result = AuthResult.allow("hasPermission", "Self user validation allowed", caller,
|
||||
null, tPerm.getTableName(), tPerm.getFamily(), tPerm.getQualifier());
|
||||
logResult(result);
|
||||
filterUser = caller;
|
||||
}
|
||||
return filterUser;
|
||||
}
|
||||
|
||||
/**
|
||||
* A temporary user class to instantiate User instance based on the name and groups.
|
||||
*/
|
||||
public static class InputUser extends User {
|
||||
private String name;
|
||||
private String shortName = null;
|
||||
private String[] groups;
|
||||
|
||||
public InputUser(String name, String[] groups) {
|
||||
this.name = name;
|
||||
this.groups = groups;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getShortName() {
|
||||
if (this.shortName == null) {
|
||||
try {
|
||||
this.shortName = new HadoopKerberosName(this.name).getShortName();
|
||||
} catch (IOException ioe) {
|
||||
throw new IllegalArgumentException(
|
||||
"Illegal principal name " + this.name + ": " + ioe.toString(), ioe);
|
||||
}
|
||||
}
|
||||
return shortName;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getName() {
|
||||
return this.name;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String[] getGroupNames() {
|
||||
return this.groups;
|
||||
}
|
||||
|
||||
@Override
|
||||
public <T> T runAs(PrivilegedAction<T> action) {
|
||||
throw new UnsupportedOperationException(
|
||||
"Method not supported, this class has limited implementation");
|
||||
}
|
||||
|
||||
@Override
|
||||
public <T> T runAs(PrivilegedExceptionAction<T> action)
|
||||
throws IOException, InterruptedException {
|
||||
throw new UnsupportedOperationException(
|
||||
"Method not supported, this class has limited implementation");
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return this.name;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Initialize the group service.
|
||||
*/
|
||||
private void initGroupService(Configuration conf) {
|
||||
if (groupService == null) {
|
||||
groupService = Groups.getUserToGroupsMappingService(conf);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieve the groups of the given user.
|
||||
* @param user User name
|
||||
* @return Groups
|
||||
*/
|
||||
public static List<String> getUserGroups(String user) {
|
||||
try {
|
||||
return groupService.getGroups(user);
|
||||
} catch (IOException e) {
|
||||
LOG.error("Error occured while retrieving group for " + user, e);
|
||||
return new ArrayList<String>();
|
||||
}
|
||||
}
|
||||
}
|
|
@ -32,6 +32,7 @@ import java.util.Set;
|
|||
import java.util.TreeMap;
|
||||
import java.util.TreeSet;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.hbase.AuthUtil;
|
||||
import org.apache.hadoop.hbase.Cell;
|
||||
|
@ -144,7 +145,7 @@ public class AccessControlLists {
|
|||
|
||||
Set<Permission.Action> actionSet = new TreeSet<Permission.Action>();
|
||||
if(mergeExistingPermissions){
|
||||
List<UserPermission> perms = getUserPermissions(conf, rowKey);
|
||||
List<UserPermission> perms = getUserPermissions(conf, rowKey, null, null, null, false);
|
||||
UserPermission currentPerm = null;
|
||||
for (UserPermission perm : perms) {
|
||||
if (Bytes.equals(perm.getUser(), userPerm.getUser())
|
||||
|
@ -228,7 +229,8 @@ public class AccessControlLists {
|
|||
removePermissionRecord(conf, userPerm, t);
|
||||
} else {
|
||||
// Get all the global user permissions from the acl table
|
||||
List<UserPermission> permsList = getUserPermissions(conf, userPermissionRowKey(userPerm));
|
||||
List<UserPermission> permsList =
|
||||
getUserPermissions(conf, userPermissionRowKey(userPerm), null, null, null, false);
|
||||
List<Permission.Action> remainingActions = new ArrayList<>();
|
||||
List<Permission.Action> dropActions = Arrays.asList(userPerm.getActions());
|
||||
for (UserPermission perm : permsList) {
|
||||
|
@ -430,8 +432,8 @@ public class AccessControlLists {
|
|||
if (entry == null) {
|
||||
entry = CellUtil.cloneRow(kv);
|
||||
}
|
||||
Pair<String,TablePermission> permissionsOfUserOnTable =
|
||||
parsePermissionRecord(entry, kv);
|
||||
Pair<String, TablePermission> permissionsOfUserOnTable =
|
||||
parsePermissionRecord(entry, kv, null, null, false, null);
|
||||
if (permissionsOfUserOnTable != null) {
|
||||
String username = permissionsOfUserOnTable.getFirst();
|
||||
TablePermission permissions = permissionsOfUserOnTable.getSecond();
|
||||
|
@ -474,7 +476,8 @@ public class AccessControlLists {
|
|||
scanner = table.getScanner(scan);
|
||||
try {
|
||||
for (Result row : scanner) {
|
||||
ListMultimap<String,TablePermission> resultPerms = parsePermissions(row.getRow(), row);
|
||||
ListMultimap<String, TablePermission> resultPerms =
|
||||
parsePermissions(row.getRow(), row, null, null, null, false);
|
||||
allPerms.put(row.getRow(), resultPerms);
|
||||
}
|
||||
} finally {
|
||||
|
@ -488,28 +491,27 @@ public class AccessControlLists {
|
|||
|
||||
public static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
|
||||
TableName tableName) throws IOException {
|
||||
return getPermissions(conf, tableName != null ? tableName.getName() : null, null);
|
||||
return getPermissions(conf, tableName != null ? tableName.getName() : null, null, null, null,
|
||||
null, false);
|
||||
}
|
||||
|
||||
@VisibleForTesting
|
||||
public static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
|
||||
String namespace) throws IOException {
|
||||
return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null);
|
||||
return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null, null, null, null,
|
||||
false);
|
||||
}
|
||||
|
||||
/**
|
||||
* Reads user permission assignments stored in the <code>l:</code> column
|
||||
* family of the first table row in <code>_acl_</code>.
|
||||
*
|
||||
* Reads user permission assignments stored in the <code>l:</code> column family of the first
|
||||
* table row in <code>_acl_</code>.
|
||||
* <p>
|
||||
* See {@link AccessControlLists class documentation} for the key structure
|
||||
* used for storage.
|
||||
* See {@link AccessControlLists class documentation} for the key structure used for storage.
|
||||
* </p>
|
||||
*/
|
||||
static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
|
||||
byte[] entryName, Table t) throws IOException {
|
||||
static ListMultimap<String, TablePermission> getPermissions(Configuration conf, byte[] entryName,
|
||||
Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException {
|
||||
if (entryName == null) entryName = ACL_GLOBAL_NAME;
|
||||
|
||||
// for normal user tables, we just read the table row from _acl_
|
||||
ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
|
||||
Get get = new Get(entryName);
|
||||
|
@ -525,7 +527,7 @@ public class AccessControlLists {
|
|||
row = t.get(get);
|
||||
}
|
||||
if (!row.isEmpty()) {
|
||||
perms = parsePermissions(entryName, row);
|
||||
perms = parsePermissions(entryName, row, cf, cq, user, hasFilterUser);
|
||||
} else {
|
||||
LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
|
||||
+ Bytes.toString(entryName));
|
||||
|
@ -535,34 +537,50 @@ public class AccessControlLists {
|
|||
}
|
||||
|
||||
/**
|
||||
* Returns the currently granted permissions for a given table as a list of
|
||||
* user plus associated permissions.
|
||||
* Returns the currently granted permissions for a given table as the specified user plus
|
||||
* associated permissions.
|
||||
*/
|
||||
static List<UserPermission> getUserTablePermissions(
|
||||
Configuration conf, TableName tableName) throws IOException {
|
||||
return getUserPermissions(conf, tableName == null ? null : tableName.getName());
|
||||
static List<UserPermission> getUserTablePermissions(Configuration conf, TableName tableName,
|
||||
byte[] cf, byte[] cq, String userName, boolean hasFilterUser) throws IOException {
|
||||
return getUserPermissions(conf, tableName == null ? null : tableName.getName(), cf, cq,
|
||||
userName, hasFilterUser);
|
||||
}
|
||||
|
||||
static List<UserPermission> getUserNamespacePermissions(
|
||||
Configuration conf, String namespace) throws IOException {
|
||||
return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
|
||||
/**
|
||||
* Returns the currently granted permissions for a given namespace as the specified user plus
|
||||
* associated permissions.
|
||||
*/
|
||||
static List<UserPermission> getUserNamespacePermissions(Configuration conf, String namespace,
|
||||
String user, boolean hasFilterUser) throws IOException {
|
||||
return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null, null, user,
|
||||
hasFilterUser);
|
||||
}
|
||||
|
||||
static List<UserPermission> getUserPermissions(
|
||||
Configuration conf, byte[] entryName)
|
||||
throws IOException {
|
||||
ListMultimap<String,TablePermission> allPerms = getPermissions(
|
||||
conf, entryName, null);
|
||||
/**
|
||||
* Returns the currently granted permissions for a given table/namespace with associated
|
||||
* permissions based on the specified column family, column qualifier and user name.
|
||||
* @param conf the configuration
|
||||
* @param entryName Table name or the namespace
|
||||
* @param cf Column family
|
||||
* @param cq Column qualifier
|
||||
* @param user User name to be filtered from permission as requested
|
||||
* @param hasFilterUser true if filter user is provided, otherwise false.
|
||||
* @return List of UserPermissions
|
||||
* @throws IOException on failure
|
||||
*/
|
||||
static List<UserPermission> getUserPermissions(Configuration conf, byte[] entryName, byte[] cf,
|
||||
byte[] cq, String user, boolean hasFilterUser) throws IOException {
|
||||
ListMultimap<String, TablePermission> allPerms =
|
||||
getPermissions(conf, entryName, null, cf, cq, user, hasFilterUser);
|
||||
|
||||
List<UserPermission> perms = new ArrayList<>();
|
||||
|
||||
if(isNamespaceEntry(entryName)) { // Namespace
|
||||
if (isNamespaceEntry(entryName)) { // Namespace
|
||||
for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
|
||||
UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
|
||||
entry.getValue().getNamespace(), entry.getValue().getActions());
|
||||
perms.add(up);
|
||||
}
|
||||
} else { // Table
|
||||
} else { // Table
|
||||
for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
|
||||
UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
|
||||
entry.getValue().getTableName(), entry.getValue().getFamily(),
|
||||
|
@ -570,17 +588,21 @@ public class AccessControlLists {
|
|||
perms.add(up);
|
||||
}
|
||||
}
|
||||
|
||||
return perms;
|
||||
}
|
||||
|
||||
private static ListMultimap<String, TablePermission> parsePermissions(
|
||||
byte[] entryName, Result result) {
|
||||
/**
|
||||
* Parse and filter permission based on the specified column family, column qualifier and user
|
||||
* name.
|
||||
*/
|
||||
private static ListMultimap<String, TablePermission> parsePermissions(byte[] entryName,
|
||||
Result result, byte[] cf, byte[] cq, String user, boolean hasFilterUser) {
|
||||
ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
|
||||
if (result != null && result.size() > 0) {
|
||||
for (Cell kv : result.rawCells()) {
|
||||
|
||||
Pair<String,TablePermission> permissionsOfUserOnTable =
|
||||
parsePermissionRecord(entryName, kv);
|
||||
Pair<String, TablePermission> permissionsOfUserOnTable =
|
||||
parsePermissionRecord(entryName, kv, cf, cq, hasFilterUser, user);
|
||||
|
||||
if (permissionsOfUserOnTable != null) {
|
||||
String username = permissionsOfUserOnTable.getFirst();
|
||||
|
@ -592,11 +614,10 @@ public class AccessControlLists {
|
|||
return perms;
|
||||
}
|
||||
|
||||
private static Pair<String, TablePermission> parsePermissionRecord(
|
||||
byte[] entryName, Cell kv) {
|
||||
private static Pair<String, TablePermission> parsePermissionRecord(byte[] entryName, Cell kv,
|
||||
byte[] cf, byte[] cq, boolean filterPerms, String filterUser) {
|
||||
// return X given a set of permissions encoded in the permissionRecord kv.
|
||||
byte[] family = CellUtil.cloneFamily(kv);
|
||||
|
||||
if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
|
||||
return null;
|
||||
}
|
||||
|
@ -613,9 +634,25 @@ public class AccessControlLists {
|
|||
// TODO: avoid the string conversion to make this more efficient
|
||||
String username = Bytes.toString(key);
|
||||
|
||||
//Handle namespace entry
|
||||
if(isNamespaceEntry(entryName)) {
|
||||
return new Pair<>(username, new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
|
||||
// Retrieve group list for the filterUser if cell key is a group.
|
||||
// Group list is not required when filterUser itself a group
|
||||
List<String> filterUserGroups = null;
|
||||
if (filterPerms) {
|
||||
if (username.charAt(0) == '@' && !StringUtils.isEmpty(filterUser)
|
||||
&& filterUser.charAt(0) != '@') {
|
||||
filterUserGroups = AccessChecker.getUserGroups(filterUser);
|
||||
}
|
||||
}
|
||||
|
||||
// Handle namespace entry
|
||||
if (isNamespaceEntry(entryName)) {
|
||||
// Filter the permissions cell record if client query
|
||||
if (filterPerms && !validateFilterUser(username, filterUser, filterUserGroups)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return new Pair<>(username,
|
||||
new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
|
||||
}
|
||||
|
||||
//Handle table and global entry
|
||||
|
@ -635,14 +672,71 @@ public class AccessControlLists {
|
|||
}
|
||||
}
|
||||
|
||||
return new Pair<>(username, new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
|
||||
// Filter the permissions cell record if client query
|
||||
if (filterPerms) {
|
||||
// ACL table contain 3 types of cell key entries; hbase:Acl, namespace and table. So to filter
|
||||
// the permission cell records additional validations are required at CF, CQ and username.
|
||||
// Here we can proceed based on client input whether it contain filterUser.
|
||||
// Validate the filterUser when specified
|
||||
if (filterUser != null && !validateFilterUser(username, filterUser, filterUserGroups)) {
|
||||
return null;
|
||||
}
|
||||
if (!validateCFAndCQ(permFamily, cf, permQualifier, cq)) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
return new Pair<>(username,
|
||||
new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate the cell key with the client filterUser if specified in the query input. 1. If cell
|
||||
* key (username) is not a group then check whether client filterUser is equal to username 2. If
|
||||
* cell key (username) is a group then check whether client filterUser belongs to the cell key
|
||||
* group (username) 3. In case when both filterUser and username are group names then cell will be
|
||||
* filtered if not equal.
|
||||
*/
|
||||
private static boolean validateFilterUser(String username, String filterUser,
|
||||
List<String> filterUserGroups) {
|
||||
if (filterUserGroups == null) {
|
||||
// Validate user name or group names whether equal
|
||||
if (filterUser.equals(username)) {
|
||||
return true;
|
||||
}
|
||||
} else {
|
||||
// Check whether filter user belongs to the cell key group.
|
||||
return filterUserGroups.contains(username.substring(1));
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate the cell with client CF and CQ if specified in the query input. 1. If CF is NULL, then
|
||||
* no need of further validation, result should include all CF and CQ. 2. IF CF specified and
|
||||
* equal then validation required at CQ level if CF specified in client input, otherwise return
|
||||
* all CQ records.
|
||||
*/
|
||||
private static boolean validateCFAndCQ(byte[] permFamily, byte[] cf, byte[] permQualifier,
|
||||
byte[] cq) {
|
||||
boolean include = true;
|
||||
if (cf != null) {
|
||||
if (Bytes.equals(cf, permFamily)) {
|
||||
if (cq != null && !Bytes.equals(cq, permQualifier)) {
|
||||
// if CQ specified and didn't match then ignore this cell
|
||||
include = false;
|
||||
}
|
||||
} else {
|
||||
// if CF specified and didn't match then ignore this cell
|
||||
include = false;
|
||||
}
|
||||
}
|
||||
return include;
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes a set of permissions as {@link org.apache.hadoop.io.Writable} instances
|
||||
* and returns the resulting byte array.
|
||||
*
|
||||
* Writes a set of permission [user: table permission]
|
||||
* Writes a set of permissions as {@link org.apache.hadoop.io.Writable} instances and returns the
|
||||
* resulting byte array. Writes a set of permission [user: table permission]
|
||||
*/
|
||||
public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
|
||||
Configuration conf) {
|
||||
|
|
|
@ -36,6 +36,7 @@ import java.util.Optional;
|
|||
import java.util.Set;
|
||||
import java.util.TreeMap;
|
||||
import java.util.TreeSet;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.hbase.ArrayBackedTag;
|
||||
import org.apache.hadoop.hbase.Cell;
|
||||
|
@ -98,6 +99,8 @@ import org.apache.hadoop.hbase.ipc.RpcServer;
|
|||
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.HasPermissionRequest;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.HasPermissionResponse;
|
||||
import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
|
||||
import org.apache.hadoop.hbase.regionserver.BloomType;
|
||||
import org.apache.hadoop.hbase.regionserver.FlushLifeCycleTracker;
|
||||
|
@ -119,6 +122,7 @@ import org.apache.hadoop.hbase.security.User;
|
|||
import org.apache.hadoop.hbase.security.UserProvider;
|
||||
import org.apache.hadoop.hbase.security.access.Permission.Action;
|
||||
import org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils;
|
||||
import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
|
||||
import org.apache.hadoop.hbase.util.ByteRange;
|
||||
import org.apache.hadoop.hbase.util.Bytes;
|
||||
import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
|
||||
|
@ -240,8 +244,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
private void initialize(RegionCoprocessorEnvironment e) throws IOException {
|
||||
final Region region = e.getRegion();
|
||||
Configuration conf = e.getConfiguration();
|
||||
Map<byte[], ListMultimap<String,TablePermission>> tables =
|
||||
AccessControlLists.loadAll(region);
|
||||
Map<byte[], ListMultimap<String, TablePermission>> tables = AccessControlLists.loadAll(region);
|
||||
// For each table, write out the table's permissions to the respective
|
||||
// znode for that table.
|
||||
for (Map.Entry<byte[], ListMultimap<String,TablePermission>> t:
|
||||
|
@ -284,7 +287,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
for (byte[] entry : entries) {
|
||||
currentEntry = entry;
|
||||
ListMultimap<String, TablePermission> perms =
|
||||
AccessControlLists.getPermissions(conf, entry, t);
|
||||
AccessControlLists.getPermissions(conf, entry, t, null, null, null, false);
|
||||
byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
|
||||
zkw.writeToZookeeper(entry, serialized);
|
||||
}
|
||||
|
@ -295,31 +298,29 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
}
|
||||
|
||||
/**
|
||||
* Check the current user for authorization to perform a specific action
|
||||
* against the given set of row data.
|
||||
*
|
||||
* <p>Note: Ordering of the authorization checks
|
||||
* has been carefully optimized to short-circuit the most common requests
|
||||
* and minimize the amount of processing required.</p>
|
||||
*
|
||||
* Check the current user for authorization to perform a specific action against the given set of
|
||||
* row data.
|
||||
* <p>
|
||||
* Note: Ordering of the authorization checks has been carefully optimized to short-circuit the
|
||||
* most common requests and minimize the amount of processing required.
|
||||
* </p>
|
||||
* @param request User request
|
||||
* @param user User name
|
||||
* @param permRequest the action being requested
|
||||
* @param e the coprocessor environment
|
||||
* @param families the map of column families to qualifiers present in
|
||||
* the request
|
||||
* @param tableName Table name
|
||||
* @param families the map of column families to qualifiers present in the request
|
||||
* @return an authorization result
|
||||
*/
|
||||
private AuthResult permissionGranted(String request, User user, Action permRequest,
|
||||
RegionCoprocessorEnvironment e,
|
||||
Map<byte [], ? extends Collection<?>> families) {
|
||||
RegionInfo hri = e.getRegion().getRegionInfo();
|
||||
TableName tableName = hri.getTable();
|
||||
|
||||
RegionCoprocessorEnvironment e, TableName tableName,
|
||||
Map<byte[], ? extends Collection<?>> families) {
|
||||
// 1. All users need read access to hbase:meta table.
|
||||
// this is a very common operation, so deal with it quickly.
|
||||
if (hri.isMetaRegion()) {
|
||||
if (TableName.META_TABLE_NAME.equals(tableName)) {
|
||||
if (permRequest == Action.READ) {
|
||||
return AuthResult.allow(request, "All users allowed", user,
|
||||
permRequest, tableName, families);
|
||||
return AuthResult.allow(request, "All users allowed", user, permRequest, tableName,
|
||||
families);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -398,7 +399,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
Map<byte [], ? extends Collection<?>> families, Action... actions) {
|
||||
AuthResult result = null;
|
||||
for (Action action: actions) {
|
||||
result = permissionGranted(opType.toString(), user, action, e, families);
|
||||
result = permissionGranted(opType.toString(), user, action, e,
|
||||
e.getRegion().getRegionInfo().getTable(), families);
|
||||
if (!result.isAllowed()) {
|
||||
return result;
|
||||
}
|
||||
|
@ -413,14 +415,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
|
||||
public void requirePermission(ObserverContext<?> ctx, String request,
|
||||
Action perm) throws IOException {
|
||||
accessChecker.requirePermission(getActiveUser(ctx), request, perm);
|
||||
accessChecker.requirePermission(getActiveUser(ctx), request, null, perm);
|
||||
}
|
||||
|
||||
public void requireGlobalPermission(ObserverContext<?> ctx, String request,
|
||||
Action perm, TableName tableName,
|
||||
Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
|
||||
accessChecker.requireGlobalPermission(getActiveUser(ctx),
|
||||
request, perm,tableName, familyMap);
|
||||
accessChecker.requireGlobalPermission(getActiveUser(ctx), request, perm, tableName, familyMap,
|
||||
null);
|
||||
}
|
||||
|
||||
public void requireGlobalPermission(ObserverContext<?> ctx, String request,
|
||||
|
@ -432,7 +434,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
|
||||
Action... permissions) throws IOException {
|
||||
accessChecker.requireNamespacePermission(getActiveUser(ctx),
|
||||
request, namespace, permissions);
|
||||
request, namespace, null, permissions);
|
||||
}
|
||||
|
||||
public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
|
||||
|
@ -446,7 +448,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
public void requirePermission(ObserverContext<?> ctx, String request, TableName tableName,
|
||||
byte[] family, byte[] qualifier, Action... permissions) throws IOException {
|
||||
accessChecker.requirePermission(getActiveUser(ctx), request,
|
||||
tableName, family, qualifier, permissions);
|
||||
tableName, family, qualifier, null, permissions);
|
||||
}
|
||||
|
||||
public void requireTablePermission(ObserverContext<?> ctx, String request,
|
||||
|
@ -936,7 +938,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
List<UserPermission> acls = AccessControlLists.getUserTablePermissions(conf, tableName);
|
||||
List<UserPermission> acls =
|
||||
AccessControlLists.getUserTablePermissions(conf, tableName, null, null, null, false);
|
||||
if (acls != null) {
|
||||
tableAcls.put(tableName, acls);
|
||||
}
|
||||
|
@ -1040,7 +1043,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
public void preGetLocks(ObserverContext<MasterCoprocessorEnvironment> ctx)
|
||||
throws IOException {
|
||||
User user = getActiveUser(ctx);
|
||||
accessChecker.requirePermission(user, "getLocks", Action.ADMIN);
|
||||
accessChecker.requirePermission(user, "getLocks", null, Action.ADMIN);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -1152,7 +1155,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
"Snapshot owner check allowed", user, null, null, null);
|
||||
AccessChecker.logResult(result);
|
||||
} else {
|
||||
accessChecker.requirePermission(user, "listSnapshot " + snapshot.getName(), Action.ADMIN);
|
||||
accessChecker.requirePermission(user, "listSnapshot " + snapshot.getName(), null,
|
||||
Action.ADMIN);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1168,7 +1172,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
"Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);
|
||||
AccessChecker.logResult(result);
|
||||
} else {
|
||||
accessChecker.requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
|
||||
accessChecker.requirePermission(user, "cloneSnapshot " + snapshot.getName(), null,
|
||||
Action.ADMIN);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1179,9 +1184,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
User user = getActiveUser(ctx);
|
||||
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
|
||||
accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(),
|
||||
hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
|
||||
hTableDescriptor.getTableName(), null, null, null, Permission.Action.ADMIN);
|
||||
} else {
|
||||
accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), Action.ADMIN);
|
||||
accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), null,
|
||||
Action.ADMIN);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1195,7 +1201,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
"Snapshot owner check allowed", user, null, null, null);
|
||||
AccessChecker.logResult(result);
|
||||
} else {
|
||||
accessChecker.requirePermission(user, "deleteSnapshot " + snapshot.getName(), Action.ADMIN);
|
||||
accessChecker.requirePermission(user, "deleteSnapshot " + snapshot.getName(), null,
|
||||
Action.ADMIN);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1255,8 +1262,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
while (itr.hasNext()) {
|
||||
NamespaceDescriptor desc = itr.next();
|
||||
try {
|
||||
accessChecker.requireNamespacePermission(user, "listNamespaces",
|
||||
desc.getName(), Action.ADMIN);
|
||||
accessChecker.requireNamespacePermission(user, "listNamespaces", desc.getName(), null,
|
||||
Action.ADMIN);
|
||||
} catch (AccessDeniedException e) {
|
||||
itr.remove();
|
||||
}
|
||||
|
@ -1971,10 +1978,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
User user = getActiveUser(ctx);
|
||||
for(Pair<byte[],String> el : familyPaths) {
|
||||
accessChecker.requirePermission(user, "preBulkLoadHFile",
|
||||
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(),
|
||||
el.getFirst(),
|
||||
null,
|
||||
Action.CREATE);
|
||||
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
|
||||
null, Action.CREATE);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -2048,11 +2053,11 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
case Global :
|
||||
case Table :
|
||||
accessChecker.requirePermission(caller, "grant", perm.getTableName(),
|
||||
perm.getFamily(), perm.getQualifier(), Action.ADMIN);
|
||||
perm.getFamily(), perm.getQualifier(), null, Action.ADMIN);
|
||||
break;
|
||||
case Namespace :
|
||||
accessChecker.requireNamespacePermission(caller, "grant", perm.getNamespace(),
|
||||
Action.ADMIN);
|
||||
null, Action.ADMIN);
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -2106,11 +2111,11 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
case Global :
|
||||
case Table :
|
||||
accessChecker.requirePermission(caller, "revoke", perm.getTableName(), perm.getFamily(),
|
||||
perm.getQualifier(), Action.ADMIN);
|
||||
perm.getQualifier(), null, Action.ADMIN);
|
||||
break;
|
||||
case Namespace :
|
||||
accessChecker.requireNamespacePermission(caller, "revoke", perm.getNamespace(),
|
||||
Action.ADMIN);
|
||||
null, Action.ADMIN);
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -2156,42 +2161,73 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
User caller = RpcServer.getRequestUser().orElse(null);
|
||||
|
||||
List<UserPermission> perms = null;
|
||||
// Initialize username, cf and cq. Set to null if request doesn't have.
|
||||
final String userName = request.hasUserName() ? request.getUserName().toStringUtf8() : null;
|
||||
final byte[] cf =
|
||||
request.hasColumnFamily() ? request.getColumnFamily().toByteArray() : null;
|
||||
final byte[] cq =
|
||||
request.hasColumnQualifier() ? request.getColumnQualifier().toByteArray() : null;
|
||||
|
||||
if (request.getType() == AccessControlProtos.Permission.Type.Table) {
|
||||
final TableName table = request.hasTableName() ?
|
||||
ProtobufUtil.toTableName(request.getTableName()) : null;
|
||||
accessChecker.requirePermission(caller, "userPermissions",
|
||||
table, null, null, Action.ADMIN);
|
||||
accessChecker.requirePermission(caller, "userPermissions", table, cf, cq, userName,
|
||||
Action.ADMIN);
|
||||
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
|
||||
@Override
|
||||
public List<UserPermission> run() throws Exception {
|
||||
return AccessControlLists.getUserTablePermissions(regionEnv.getConfiguration(), table);
|
||||
if (cf != null || userName != null) {
|
||||
// retrieve permission based on the requested parameters
|
||||
return AccessControlLists.getUserTablePermissions(regionEnv.getConfiguration(),
|
||||
table, cf, cq, userName, true);
|
||||
} else {
|
||||
return AccessControlLists.getUserTablePermissions(regionEnv.getConfiguration(),
|
||||
table, null, null, null, false);
|
||||
}
|
||||
}
|
||||
});
|
||||
} else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
|
||||
final String namespace = request.getNamespaceName().toStringUtf8();
|
||||
accessChecker.requireNamespacePermission(caller, "userPermissions",
|
||||
namespace, Action.ADMIN);
|
||||
namespace,userName, Action.ADMIN);
|
||||
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
|
||||
@Override
|
||||
public List<UserPermission> run() throws Exception {
|
||||
return AccessControlLists.getUserNamespacePermissions(regionEnv.getConfiguration(),
|
||||
namespace);
|
||||
if (userName != null) {
|
||||
// retrieve permission based on the requested parameters
|
||||
return AccessControlLists.getUserNamespacePermissions(regionEnv.getConfiguration(),
|
||||
namespace, userName, true);
|
||||
} else {
|
||||
return AccessControlLists.getUserNamespacePermissions(regionEnv.getConfiguration(),
|
||||
namespace, null, false);
|
||||
}
|
||||
}
|
||||
});
|
||||
} else {
|
||||
accessChecker.requirePermission(caller, "userPermissions", Action.ADMIN);
|
||||
accessChecker.requirePermission(caller, "userPermissions", userName, Action.ADMIN);
|
||||
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
|
||||
@Override
|
||||
public List<UserPermission> run() throws Exception {
|
||||
return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null);
|
||||
if (userName != null) {
|
||||
// retrieve permission based on the requested parameters
|
||||
return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null,
|
||||
null, null, userName, true);
|
||||
} else {
|
||||
return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null,
|
||||
null, null, null, false);
|
||||
}
|
||||
}
|
||||
});
|
||||
// Adding superusers explicitly to the result set as AccessControlLists do not store them.
|
||||
// Also using acl as table name to be inline with the results of global admin and will
|
||||
// help in avoiding any leakage of information about being superusers.
|
||||
for (String user: Superusers.getSuperUsers()) {
|
||||
perms.add(new UserPermission(Bytes.toBytes(user), AccessControlLists.ACL_TABLE_NAME,
|
||||
null, Action.values()));
|
||||
|
||||
// Skip super users when filter user is specified
|
||||
if (userName == null) {
|
||||
// Adding superusers explicitly to the result set as AccessControlLists do not store
|
||||
// them. Also using acl as table name to be inline with the results of global admin and
|
||||
// will help in avoiding any leakage of information about being superusers.
|
||||
for (String user : Superusers.getSuperUsers()) {
|
||||
perms.add(new UserPermission(Bytes.toBytes(user), AccessControlLists.ACL_TABLE_NAME,
|
||||
null, Action.values()));
|
||||
}
|
||||
}
|
||||
}
|
||||
response = AccessControlUtil.buildGetUserPermissionsResponse(perms);
|
||||
|
@ -2243,7 +2279,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
}
|
||||
|
||||
AuthResult result = permissionGranted("checkPermissions", user, action, regionEnv,
|
||||
familyMap);
|
||||
regionEnv.getRegion().getRegionInfo().getTable(), familyMap);
|
||||
AccessChecker.logResult(result);
|
||||
if (!result.isAllowed()) {
|
||||
// Even if passive we need to throw an exception here, we support checking
|
||||
|
@ -2550,4 +2586,51 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
}
|
||||
return userProvider.getCurrent();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void hasPermission(RpcController controller, HasPermissionRequest request,
|
||||
RpcCallback<HasPermissionResponse> done) {
|
||||
// Converts proto to a TablePermission object.
|
||||
TablePermission tPerm = AccessControlUtil.toTablePermission(request.getTablePermission());
|
||||
// Check input user name
|
||||
if (!request.hasUserName()) {
|
||||
throw new IllegalStateException("Input username cannot be empty");
|
||||
}
|
||||
final String inputUserName = request.getUserName().toStringUtf8();
|
||||
AccessControlProtos.HasPermissionResponse response = null;
|
||||
try {
|
||||
User caller = RpcServer.getRequestUser().orElse(null);
|
||||
// User instance for the input user name
|
||||
User filterUser = accessChecker.validateCallerWithFilterUser(caller, tPerm, inputUserName);
|
||||
|
||||
// Initialize family and qualifier map
|
||||
Map<byte[], Set<byte[]>> familyMap = new TreeMap<byte[], Set<byte[]>>(Bytes.BYTES_COMPARATOR);
|
||||
if (tPerm.getFamily() != null) {
|
||||
if (tPerm.getQualifier() != null) {
|
||||
Set<byte[]> qualifiers = Sets.newTreeSet(Bytes.BYTES_COMPARATOR);
|
||||
qualifiers.add(tPerm.getQualifier());
|
||||
familyMap.put(tPerm.getFamily(), qualifiers);
|
||||
} else {
|
||||
familyMap.put(tPerm.getFamily(), null);
|
||||
}
|
||||
}
|
||||
|
||||
// Iterate each action and check whether permission granted
|
||||
boolean hasPermission = false;
|
||||
for (Action action : tPerm.getActions()) {
|
||||
AuthResult result = permissionGranted("hasPermission", filterUser, action, regionEnv,
|
||||
tPerm.getTableName(), familyMap);
|
||||
if (!result.isAllowed()) {
|
||||
hasPermission = false;
|
||||
// Break the loop is any action is not allowed
|
||||
break;
|
||||
}
|
||||
hasPermission = true;
|
||||
}
|
||||
response = ResponseConverter.buildHasPermissionResponse(hasPermission);
|
||||
} catch (IOException ioe) {
|
||||
ResponseConverter.setControllerException(controller, ioe);
|
||||
}
|
||||
done.run(response);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,9 @@
|
|||
package org.apache.hadoop.hbase.security.access;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.Map.Entry;
|
||||
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
import org.apache.hadoop.hbase.Cell;
|
||||
|
@ -254,6 +256,13 @@ public class AuthResult {
|
|||
private Map<byte[], ? extends Collection<?>> families = null;
|
||||
byte[] family = null;
|
||||
byte[] qualifier = null;
|
||||
// For extra parameters to be shown in audit log
|
||||
private final Map<String, String> extraParams = new HashMap<String, String>(2);
|
||||
|
||||
public Params addExtraParam(String key, String value) {
|
||||
extraParams.put(key, value);
|
||||
return this;
|
||||
}
|
||||
|
||||
public Params setNamespace(String namespace) {
|
||||
this.namespace = namespace;
|
||||
|
@ -286,10 +295,29 @@ public class AuthResult {
|
|||
String[] params = new String[] {
|
||||
namespace != null ? "namespace=" + namespace : null,
|
||||
tableName != null ? "table=" + tableName.getNameWithNamespaceInclAsString() : null,
|
||||
familiesString.length() > 0 ? "family=" + familiesString : null
|
||||
familiesString.length() > 0 ? "family=" + familiesString : null,
|
||||
extraParams.isEmpty() ? null : concatenateExtraParams()
|
||||
};
|
||||
return Joiner.on(",").skipNulls().join(params);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return extra parameter key/value string
|
||||
*/
|
||||
private String concatenateExtraParams() {
|
||||
final StringBuilder sb = new StringBuilder();
|
||||
boolean first = true;
|
||||
for (Entry<String, String> entry : extraParams.entrySet()) {
|
||||
if (entry.getKey() != null && entry.getValue() != null) {
|
||||
if (!first) {
|
||||
sb.append(',');
|
||||
}
|
||||
first = false;
|
||||
sb.append(entry.getKey() + '=');
|
||||
sb.append(entry.getValue());
|
||||
}
|
||||
}
|
||||
return sb.toString();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -41,6 +41,8 @@ import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GetUserPer
|
|||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GetUserPermissionsResponse;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GrantRequest;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GrantResponse;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.HasPermissionRequest;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.HasPermissionResponse;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.RevokeRequest;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.RevokeResponse;
|
||||
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsRequest;
|
||||
|
@ -88,6 +90,11 @@ public class TestMasterCoprocessorServices {
|
|||
@Override
|
||||
public void checkPermissions(RpcController controller, CheckPermissionsRequest request,
|
||||
RpcCallback<CheckPermissionsResponse> done) {}
|
||||
|
||||
@Override
|
||||
public void hasPermission(RpcController controller, HasPermissionRequest request,
|
||||
RpcCallback<HasPermissionResponse> done) {
|
||||
}
|
||||
}
|
||||
|
||||
private static class MockVisibilityController implements VisibilityLabelsService.Interface,
|
||||
|
|
|
@ -38,6 +38,7 @@ import java.util.Collection;
|
|||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||
import org.apache.hadoop.fs.FileStatus;
|
||||
import org.apache.hadoop.fs.FileSystem;
|
||||
import org.apache.hadoop.fs.Path;
|
||||
|
@ -127,6 +128,9 @@ import org.apache.hadoop.hbase.tool.LoadIncrementalHFiles;
|
|||
import org.apache.hadoop.hbase.util.Bytes;
|
||||
import org.apache.hadoop.hbase.util.JVMClusterUtil;
|
||||
import org.apache.hadoop.hbase.util.Threads;
|
||||
import org.apache.hadoop.security.GroupMappingServiceProvider;
|
||||
import org.apache.hadoop.security.ShellBasedUnixGroupsMapping;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.ClassRule;
|
||||
|
@ -212,6 +216,11 @@ public class TestAccessController extends SecureTestUtil {
|
|||
conf = TEST_UTIL.getConfiguration();
|
||||
// Up the handlers; this test needs more than usual.
|
||||
conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
|
||||
|
||||
conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
|
||||
MyShellBasedUnixGroupsMapping.class.getName());
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
|
||||
// Enable security
|
||||
enableSecurity(conf);
|
||||
// In this particular test case, we can't use SecureBulkLoadEndpoint because its doAs will fail
|
||||
|
@ -2215,8 +2224,12 @@ public class TestAccessController extends SecureTestUtil {
|
|||
}
|
||||
|
||||
private void createTestTable(TableName tname) throws Exception {
|
||||
createTestTable(tname, TEST_FAMILY);
|
||||
}
|
||||
|
||||
private void createTestTable(TableName tname, byte[] cf) throws Exception {
|
||||
HTableDescriptor htd = new HTableDescriptor(tname);
|
||||
HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY);
|
||||
HColumnDescriptor hcd = new HColumnDescriptor(cf);
|
||||
hcd.setMaxVersions(100);
|
||||
htd.addFamily(hcd);
|
||||
htd.setOwner(USER_OWNER);
|
||||
|
@ -3105,4 +3118,470 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyAllowed(action, SUPERUSER);
|
||||
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_ADMIN);
|
||||
}
|
||||
|
||||
@Test(timeout = 180000)
|
||||
public void testGetUserPermissions() throws Throwable {
|
||||
Connection conn = null;
|
||||
try {
|
||||
conn = ConnectionFactory.createConnection(conf);
|
||||
User nSUser1 = User.createUserForTesting(conf, "nsuser1", new String[0]);
|
||||
User nSUser2 = User.createUserForTesting(conf, "nsuser2", new String[0]);
|
||||
User nSUser3 = User.createUserForTesting(conf, "nsuser3", new String[0]);
|
||||
|
||||
// Global access groups
|
||||
User globalGroupUser1 =
|
||||
User.createUserForTesting(conf, "globalGroupUser1", new String[] { "group_admin" });
|
||||
User globalGroupUser2 = User.createUserForTesting(conf, "globalGroupUser2",
|
||||
new String[] { "group_admin", "group_create" });
|
||||
// Namespace access groups
|
||||
User nsGroupUser1 =
|
||||
User.createUserForTesting(conf, "nsGroupUser1", new String[] { "ns_group1" });
|
||||
User nsGroupUser2 =
|
||||
User.createUserForTesting(conf, "nsGroupUser2", new String[] { "ns_group2" });
|
||||
// table Access groups
|
||||
User tableGroupUser1 =
|
||||
User.createUserForTesting(conf, "tableGroupUser1", new String[] { "table_group1" });
|
||||
User tableGroupUser2 =
|
||||
User.createUserForTesting(conf, "tableGroupUser2", new String[] { "table_group2" });
|
||||
|
||||
// Create namespaces
|
||||
String nsPrefix = "testNS";
|
||||
final String namespace1 = nsPrefix + "1";
|
||||
NamespaceDescriptor desc1 = NamespaceDescriptor.create(namespace1).build();
|
||||
createNamespace(TEST_UTIL, desc1);
|
||||
String namespace2 = nsPrefix + "2";
|
||||
NamespaceDescriptor desc2 = NamespaceDescriptor.create(namespace2).build();
|
||||
createNamespace(TEST_UTIL, desc2);
|
||||
|
||||
// Grant namespace permission
|
||||
grantOnNamespace(TEST_UTIL, nSUser1.getShortName(), namespace1, Permission.Action.ADMIN);
|
||||
grantOnNamespace(TEST_UTIL, nSUser3.getShortName(), namespace1, Permission.Action.READ);
|
||||
grantOnNamespace(TEST_UTIL, toGroupEntry("ns_group1"), namespace1, Permission.Action.ADMIN);
|
||||
grantOnNamespace(TEST_UTIL, nSUser2.getShortName(), namespace2, Permission.Action.ADMIN);
|
||||
grantOnNamespace(TEST_UTIL, nSUser3.getShortName(), namespace2, Permission.Action.ADMIN);
|
||||
grantOnNamespace(TEST_UTIL, toGroupEntry("ns_group2"), namespace2, Permission.Action.READ,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
// Create tables
|
||||
TableName table1 = TableName.valueOf(namespace1 + TableName.NAMESPACE_DELIM + "t1");
|
||||
TableName table2 = TableName.valueOf(namespace2 + TableName.NAMESPACE_DELIM + "t2");
|
||||
byte[] TEST_FAMILY2 = Bytes.toBytes("f2");
|
||||
byte[] TEST_QUALIFIER2 = Bytes.toBytes("q2");
|
||||
createTestTable(table1, TEST_FAMILY);
|
||||
createTestTable(table2, TEST_FAMILY2);
|
||||
|
||||
// Grant table permissions
|
||||
grantOnTable(TEST_UTIL, toGroupEntry("table_group1"), table1, null, null,
|
||||
Permission.Action.ADMIN);
|
||||
grantOnTable(TEST_UTIL, USER_ADMIN.getShortName(), table1, null, null,
|
||||
Permission.Action.ADMIN);
|
||||
grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), table1, TEST_FAMILY, null,
|
||||
Permission.Action.ADMIN);
|
||||
grantOnTable(TEST_UTIL, USER_RW.getShortName(), table1, TEST_FAMILY, TEST_QUALIFIER,
|
||||
Permission.Action.READ);
|
||||
grantOnTable(TEST_UTIL, USER_RW.getShortName(), table1, TEST_FAMILY, TEST_QUALIFIER2,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
grantOnTable(TEST_UTIL, toGroupEntry("table_group2"), table2, null, null,
|
||||
Permission.Action.ADMIN);
|
||||
grantOnTable(TEST_UTIL, USER_ADMIN.getShortName(), table2, null, null,
|
||||
Permission.Action.ADMIN);
|
||||
grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), table2, TEST_FAMILY2, null,
|
||||
Permission.Action.ADMIN);
|
||||
grantOnTable(TEST_UTIL, USER_RW.getShortName(), table2, TEST_FAMILY2, TEST_QUALIFIER,
|
||||
Permission.Action.READ);
|
||||
grantOnTable(TEST_UTIL, USER_RW.getShortName(), table2, TEST_FAMILY2, TEST_QUALIFIER2,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
List<UserPermission> userPermissions = null;
|
||||
Collection<String> superUsers = Superusers.getSuperUsers();
|
||||
int superUserCount = superUsers.size();
|
||||
|
||||
// Global User ACL
|
||||
validateGlobalUserACLForGetUserPermissions(conn, nSUser1, globalGroupUser1, globalGroupUser2,
|
||||
superUsers, superUserCount);
|
||||
|
||||
// Namespace ACL
|
||||
validateNamespaceUserACLForGetUserPermissions(conn, nSUser1, nSUser3, nsGroupUser1,
|
||||
nsGroupUser2, nsPrefix, namespace1, namespace2);
|
||||
|
||||
// Table + Users
|
||||
validateTableACLForGetUserPermissions(conn, nSUser1, tableGroupUser1, tableGroupUser2,
|
||||
nsPrefix, table1, table2, TEST_QUALIFIER2, superUsers);
|
||||
|
||||
// exception scenarios
|
||||
|
||||
try {
|
||||
// test case with table name as null
|
||||
assertEquals(3, AccessControlClient.getUserPermissions(conn, null, TEST_FAMILY).size());
|
||||
fail("this should have thrown IllegalArgumentException");
|
||||
} catch (IllegalArgumentException ex) {
|
||||
// expected
|
||||
}
|
||||
try {
|
||||
// test case with table name as emplty
|
||||
assertEquals(3, AccessControlClient
|
||||
.getUserPermissions(conn, HConstants.EMPTY_STRING, TEST_FAMILY).size());
|
||||
fail("this should have thrown IllegalArgumentException");
|
||||
} catch (IllegalArgumentException ex) {
|
||||
// expected
|
||||
}
|
||||
try {
|
||||
// test case with table name as namespace name
|
||||
assertEquals(3,
|
||||
AccessControlClient.getUserPermissions(conn, "@" + namespace2, TEST_FAMILY).size());
|
||||
fail("this should have thrown IllegalArgumentException");
|
||||
} catch (IllegalArgumentException ex) {
|
||||
// expected
|
||||
}
|
||||
|
||||
// Clean the table and namespace
|
||||
deleteTable(TEST_UTIL, table1);
|
||||
deleteTable(TEST_UTIL, table2);
|
||||
deleteNamespace(TEST_UTIL, namespace1);
|
||||
deleteNamespace(TEST_UTIL, namespace2);
|
||||
} finally {
|
||||
if (conn != null) {
|
||||
conn.close();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Test(timeout = 180000)
|
||||
public void testHasPermission() throws Throwable {
|
||||
Connection conn = null;
|
||||
try {
|
||||
conn = ConnectionFactory.createConnection(conf);
|
||||
// Create user and set namespace ACL
|
||||
User user1 = User.createUserForTesting(conf, "testHasPermissionUser1", new String[0]);
|
||||
// Grant namespace permission
|
||||
grantOnNamespaceUsingAccessControlClient(TEST_UTIL, conn, user1.getShortName(),
|
||||
NamespaceDescriptor.DEFAULT_NAMESPACE.getName(), Permission.Action.ADMIN,
|
||||
Permission.Action.CREATE, Permission.Action.READ);
|
||||
|
||||
// Create user and set table ACL
|
||||
User user2 = User.createUserForTesting(conf, "testHasPermissionUser2", new String[0]);
|
||||
// Grant namespace permission
|
||||
grantOnTableUsingAccessControlClient(TEST_UTIL, conn, user2.getShortName(), TEST_TABLE,
|
||||
TEST_FAMILY, TEST_QUALIFIER, Permission.Action.READ, Permission.Action.WRITE);
|
||||
|
||||
// Verify action privilege
|
||||
AccessTestAction hasPermissionAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf);
|
||||
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
Permission.Action[] actions = { Permission.Action.READ, Permission.Action.WRITE };
|
||||
AccessControlUtil.hasPermission(null, protocol, TEST_TABLE, TEST_FAMILY,
|
||||
HConstants.EMPTY_BYTE_ARRAY, "dummy", actions);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
verifyAllowed(hasPermissionAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER,
|
||||
USER_ADMIN_CF, user1);
|
||||
verifyDenied(hasPermissionAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, user2);
|
||||
|
||||
// Check for global user
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN.getShortName(),
|
||||
Permission.Action.READ, Permission.Action.WRITE, Permission.Action.CREATE,
|
||||
Permission.Action.ADMIN));
|
||||
assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN.getShortName(),
|
||||
Permission.Action.READ, Permission.Action.WRITE, Permission.Action.CREATE,
|
||||
Permission.Action.ADMIN, Permission.Action.EXEC));
|
||||
|
||||
// Check for namespace access user
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, user1.getShortName(),
|
||||
Permission.Action.ADMIN, Permission.Action.CREATE));
|
||||
assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, user1.getShortName(),
|
||||
Permission.Action.ADMIN, Permission.Action.READ, Permission.Action.EXEC));
|
||||
|
||||
// Check for table owner
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_OWNER.getShortName(),
|
||||
Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC,
|
||||
Permission.Action.CREATE, Permission.Action.ADMIN));
|
||||
|
||||
// Check for table user
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_CREATE.getShortName(),
|
||||
Permission.Action.READ, Permission.Action.WRITE));
|
||||
assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_RO.getShortName(),
|
||||
Permission.Action.READ, Permission.Action.WRITE));
|
||||
|
||||
// Check for family access user
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY,
|
||||
HConstants.EMPTY_BYTE_ARRAY, USER_RO.getShortName(), Permission.Action.READ));
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY,
|
||||
HConstants.EMPTY_BYTE_ARRAY, USER_RW.getShortName(), Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN_CF.getShortName(),
|
||||
Permission.Action.ADMIN, Permission.Action.CREATE));
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY,
|
||||
HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN_CF.getShortName(), Permission.Action.ADMIN,
|
||||
Permission.Action.CREATE));
|
||||
assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY,
|
||||
HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN_CF.getShortName(), Permission.Action.READ));
|
||||
|
||||
// Check for qualifier access user
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY,
|
||||
TEST_QUALIFIER, user2.getShortName(), Permission.Action.READ, Permission.Action.WRITE));
|
||||
assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY,
|
||||
TEST_QUALIFIER, user2.getShortName(), Permission.Action.EXEC, Permission.Action.READ));
|
||||
assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, TEST_QUALIFIER, USER_RW.getShortName(),
|
||||
Permission.Action.WRITE, Permission.Action.READ));
|
||||
|
||||
// exception scenarios
|
||||
try {
|
||||
// test case with table name as null
|
||||
assertTrue(AccessControlClient.hasPermission(conn, null, HConstants.EMPTY_BYTE_ARRAY,
|
||||
HConstants.EMPTY_BYTE_ARRAY, null, Permission.Action.READ));
|
||||
fail("this should have thrown IllegalArgumentException");
|
||||
} catch (IllegalArgumentException ex) {
|
||||
// expected
|
||||
}
|
||||
try {
|
||||
// test case with username as null
|
||||
assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, null, Permission.Action.READ));
|
||||
fail("this should have thrown IllegalArgumentException");
|
||||
} catch (IllegalArgumentException ex) {
|
||||
// expected
|
||||
}
|
||||
|
||||
revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, conn, user1.getShortName(),
|
||||
NamespaceDescriptor.DEFAULT_NAMESPACE.getName(), Permission.Action.ADMIN,
|
||||
Permission.Action.CREATE, Permission.Action.READ);
|
||||
revokeFromTableUsingAccessControlClient(TEST_UTIL, conn, user2.getShortName(), TEST_TABLE,
|
||||
TEST_FAMILY, TEST_QUALIFIER, Permission.Action.READ, Permission.Action.WRITE);
|
||||
} finally {
|
||||
if (conn != null) {
|
||||
conn.close();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate Global User ACL
|
||||
*/
|
||||
private void validateGlobalUserACLForGetUserPermissions(final Connection conn, User nSUser1,
|
||||
User globalGroupUser1, User globalGroupUser2, Collection<String> superUsers,
|
||||
int superUserCount) throws Throwable {
|
||||
// Verify action privilege
|
||||
AccessTestAction globalUserPermissionAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf);
|
||||
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
AccessControlUtil.getUserPermissions(null, protocol, "dummy");
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
verifyAllowed(globalUserPermissionAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
|
||||
verifyDenied(globalUserPermissionAction, USER_GROUP_CREATE, USER_GROUP_READ, USER_GROUP_WRITE);
|
||||
|
||||
// Validate global user permission
|
||||
List<UserPermission> userPermissions;
|
||||
assertEquals(5 + superUserCount, AccessControlClient.getUserPermissions(conn, null).size());
|
||||
assertEquals(5 + superUserCount,
|
||||
AccessControlClient.getUserPermissions(conn, HConstants.EMPTY_STRING).size());
|
||||
assertEquals(5 + superUserCount,
|
||||
AccessControlClient.getUserPermissions(conn, null, HConstants.EMPTY_STRING).size());
|
||||
userPermissions = AccessControlClient.getUserPermissions(conn, null, USER_ADMIN.getName());
|
||||
verifyGetUserPermissionResult(userPermissions, 1, null, null, USER_ADMIN.getName(), superUsers);
|
||||
assertEquals(0, AccessControlClient.getUserPermissions(conn, null, nSUser1.getName()).size());
|
||||
// Global group user ACL
|
||||
assertEquals(1,
|
||||
AccessControlClient.getUserPermissions(conn, null, globalGroupUser1.getName()).size());
|
||||
assertEquals(2,
|
||||
AccessControlClient.getUserPermissions(conn, null, globalGroupUser2.getName()).size());
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate Namespace User ACL
|
||||
*/
|
||||
private void validateNamespaceUserACLForGetUserPermissions(final Connection conn, User nSUser1,
|
||||
User nSUser3, User nsGroupUser1, User nsGroupUser2, String nsPrefix, final String namespace1,
|
||||
String namespace2) throws Throwable {
|
||||
AccessTestAction namespaceUserPermissionAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf);
|
||||
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
AccessControlUtil.getUserPermissions(null, protocol, Bytes.toBytes(namespace1), "dummy");
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
verifyAllowed(namespaceUserPermissionAction, SUPERUSER, USER_GROUP_ADMIN, USER_ADMIN, nSUser1,
|
||||
nsGroupUser1);
|
||||
verifyDenied(namespaceUserPermissionAction, USER_GROUP_CREATE, USER_GROUP_READ,
|
||||
USER_GROUP_WRITE, nSUser3, nsGroupUser2);
|
||||
|
||||
List<UserPermission> userPermissions;
|
||||
assertEquals(6, AccessControlClient.getUserPermissions(conn, "@" + nsPrefix + ".*").size());
|
||||
assertEquals(3, AccessControlClient.getUserPermissions(conn, "@" + namespace1).size());
|
||||
assertEquals(3, AccessControlClient
|
||||
.getUserPermissions(conn, "@" + namespace1, HConstants.EMPTY_STRING).size());
|
||||
userPermissions =
|
||||
AccessControlClient.getUserPermissions(conn, "@" + namespace1, nSUser1.getName());
|
||||
verifyGetUserPermissionResult(userPermissions, 1, null, null, nSUser1.getName(), null);
|
||||
userPermissions =
|
||||
AccessControlClient.getUserPermissions(conn, "@" + namespace1, nSUser3.getName());
|
||||
verifyGetUserPermissionResult(userPermissions, 1, null, null, nSUser3.getName(), null);
|
||||
assertEquals(0,
|
||||
AccessControlClient.getUserPermissions(conn, "@" + namespace1, USER_ADMIN.getName()).size());
|
||||
// Namespace group user ACL
|
||||
assertEquals(1, AccessControlClient
|
||||
.getUserPermissions(conn, "@" + namespace1, nsGroupUser1.getName()).size());
|
||||
assertEquals(1, AccessControlClient
|
||||
.getUserPermissions(conn, "@" + namespace2, nsGroupUser2.getName()).size());
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate Table User ACL
|
||||
*/
|
||||
private void validateTableACLForGetUserPermissions(final Connection conn, User nSUser1,
|
||||
User tableGroupUser1, User tableGroupUser2, String nsPrefix, TableName table1,
|
||||
TableName table2, byte[] TEST_QUALIFIER2, Collection<String> superUsers) throws Throwable {
|
||||
AccessTestAction tableUserPermissionAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
try (Connection conn = ConnectionFactory.createConnection(conf);
|
||||
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
AccessControlUtil.getUserPermissions(null, protocol, TEST_TABLE, TEST_FAMILY,
|
||||
TEST_QUALIFIER, "dummy");
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
verifyAllowed(tableUserPermissionAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_ADMIN_CF);
|
||||
verifyDenied(tableUserPermissionAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_CREATE);
|
||||
|
||||
List<UserPermission> userPermissions;
|
||||
assertEquals(12, AccessControlClient.getUserPermissions(conn, nsPrefix + ".*").size());
|
||||
assertEquals(6, AccessControlClient.getUserPermissions(conn, table1.getNameAsString()).size());
|
||||
assertEquals(6, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), HConstants.EMPTY_STRING).size());
|
||||
userPermissions = AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
USER_ADMIN_CF.getName());
|
||||
verifyGetUserPermissionResult(userPermissions, 1, null, null, USER_ADMIN_CF.getName(), null);
|
||||
assertEquals(0, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), nSUser1.getName()).size());
|
||||
// Table group user ACL
|
||||
assertEquals(1, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), tableGroupUser1.getName()).size());
|
||||
assertEquals(1, AccessControlClient
|
||||
.getUserPermissions(conn, table2.getNameAsString(), tableGroupUser2.getName()).size());
|
||||
|
||||
// Table Users + CF
|
||||
assertEquals(12, AccessControlClient
|
||||
.getUserPermissions(conn, nsPrefix + ".*", HConstants.EMPTY_BYTE_ARRAY).size());
|
||||
userPermissions = AccessControlClient.getUserPermissions(conn, nsPrefix + ".*", TEST_FAMILY);
|
||||
verifyGetUserPermissionResult(userPermissions, 3, TEST_FAMILY, null, null, null);
|
||||
assertEquals(0, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), Bytes.toBytes("dummmyCF")).size());
|
||||
|
||||
// Table Users + CF + User
|
||||
assertEquals(3,
|
||||
AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, HConstants.EMPTY_STRING)
|
||||
.size());
|
||||
userPermissions = AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
TEST_FAMILY, USER_ADMIN_CF.getName());
|
||||
verifyGetUserPermissionResult(userPermissions, 1, null, null, USER_ADMIN_CF.getName(),
|
||||
superUsers);
|
||||
assertEquals(0, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, nSUser1.getName()).size());
|
||||
|
||||
// Table Users + CF + CQ
|
||||
assertEquals(3, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
TEST_FAMILY, HConstants.EMPTY_BYTE_ARRAY).size());
|
||||
assertEquals(1, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, TEST_QUALIFIER).size());
|
||||
assertEquals(1, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, TEST_QUALIFIER2).size());
|
||||
assertEquals(2, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_RW.getName()).size());
|
||||
assertEquals(0, AccessControlClient
|
||||
.getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, Bytes.toBytes("dummmyCQ"))
|
||||
.size());
|
||||
|
||||
// Table Users + CF + CQ + User
|
||||
assertEquals(3, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
TEST_FAMILY, HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_STRING).size());
|
||||
assertEquals(1, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
TEST_FAMILY, TEST_QUALIFIER, USER_RW.getName()).size());
|
||||
assertEquals(1, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
TEST_FAMILY, TEST_QUALIFIER2, USER_RW.getName()).size());
|
||||
assertEquals(0, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(),
|
||||
TEST_FAMILY, TEST_QUALIFIER2, nSUser1.getName()).size());
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate the user permission against the specified column family, column qualifier and user
|
||||
* name.
|
||||
*/
|
||||
private void verifyGetUserPermissionResult(List<UserPermission> userPermissions, int resultCount,
|
||||
byte[] cf, byte[] cq, String userName, Collection<String> superUsers) {
|
||||
assertEquals(resultCount, userPermissions.size());
|
||||
|
||||
for (UserPermission perm : userPermissions) {
|
||||
if (cf != null) {
|
||||
assertTrue(Bytes.equals(cf, perm.getFamily()));
|
||||
}
|
||||
if (cq != null) {
|
||||
assertTrue(Bytes.equals(cq, perm.getQualifier()));
|
||||
}
|
||||
if (userName != null
|
||||
&& (superUsers == null || !superUsers.contains(Bytes.toString(perm.getUser())))) {
|
||||
assertTrue(userName.equals(Bytes.toString(perm.getUser())));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Dummy ShellBasedUnixGroupsMapping class to retrieve the groups for the test users.
|
||||
*/
|
||||
public static class MyShellBasedUnixGroupsMapping extends ShellBasedUnixGroupsMapping
|
||||
implements GroupMappingServiceProvider {
|
||||
@Override
|
||||
public List<String> getGroups(String user) throws IOException {
|
||||
if (user.equals("globalGroupUser1")) {
|
||||
return Arrays.asList(new String[] { "group_admin" });
|
||||
} else if (user.equals("globalGroupUser2")) {
|
||||
return Arrays.asList(new String[] { "group_admin", "group_create" });
|
||||
} else if (user.equals("nsGroupUser1")) {
|
||||
return Arrays.asList(new String[] { "ns_group1" });
|
||||
} else if (user.equals("nsGroupUser2")) {
|
||||
return Arrays.asList(new String[] { "ns_group2" });
|
||||
} else if (user.equals("tableGroupUser1")) {
|
||||
return Arrays.asList(new String[] { "table_group1" });
|
||||
} else if (user.equals("tableGroupUser2")) {
|
||||
return Arrays.asList(new String[] { "table_group2" });
|
||||
} else {
|
||||
return super.getGroups(user);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue