Apache/hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-6585 Audit log messages should contain info about the higher level operation being executed

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1423775 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Michael Stack 2012-12-19 07:52:24 +00:00
parent 17a99e939f
commit ef1b95bab2
2 changed files with 81 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
conf/log4j.properties
View File

@ -58,6 +58,7 @@ log4j.appender.RFAS.layout=org.apache.log4j.PatternLayout
log4j.appender.RFAS.layout.ConversionPattern=%d{ISO8601} %p %c: %m%n log4j.appender.RFAS.layout.ConversionPattern=%d{ISO8601} %p %c: %m%n
log4j.category.SecurityLogger=${hbase.security.logger} log4j.category.SecurityLogger=${hbase.security.logger}
log4j.additivity.SecurityLogger=false log4j.additivity.SecurityLogger=false
#log4j.logger.SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController=TRACE
# #
# Null Appender # Null Appender

152
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -118,12 +118,14 @@ public class AccessController extends BaseRegionObserver
private final byte[] family; private final byte[] family;
private final byte[] qualifier; private final byte[] qualifier;
private final Permission.Action action; private final Permission.Action action;
private final String request;
private final String reason; private final String reason;
private final User user; private final User user;
public AuthResult(boolean allowed, String reason, User user, public AuthResult(boolean allowed, String request, String reason, User user,
Permission.Action action, byte[] table, byte[] family, byte[] qualifier) { Permission.Action action, byte[] table, byte[] family, byte[] qualifier) {
this.allowed = allowed; this.allowed = allowed;
this.request = request;
this.reason = reason; this.reason = reason;
this.user = user; this.user = user;
this.table = table; this.table = table;
@ -138,6 +140,8 @@ public class AccessController extends BaseRegionObserver
public String getReason() { return reason; } public String getReason() { return reason; }
public String getRequest() { return request; }
public String toContextString() { public String toContextString() {
return "(user=" + (user != null ? user.getName() : "UNKNOWN") + ", " + return "(user=" + (user != null ? user.getName() : "UNKNOWN") + ", " +
"scope=" + (table == null ? "GLOBAL" : Bytes.toString(table)) + ", " + "scope=" + (table == null ? "GLOBAL" : Bytes.toString(table)) + ", " +
@ -151,23 +155,23 @@ public class AccessController extends BaseRegionObserver
.append(toContextString()).toString(); .append(toContextString()).toString();
} }
public static AuthResult allow(String reason, User user, Permission.Action action, public static AuthResult allow(String request, String reason, User user, Permission.Action action,
byte[] table, byte[] family, byte[] qualifier) { byte[] table, byte[] family, byte[] qualifier) {
return new AuthResult(true, reason, user, action, table, family, qualifier); return new AuthResult(true, request, reason, user, action, table, family, qualifier);
} }
public static AuthResult allow(String reason, User user, Permission.Action action, byte[] table) { public static AuthResult allow(String request, String reason, User user, Permission.Action action, byte[] table) {
return new AuthResult(true, reason, user, action, table, null, null); return new AuthResult(true, request, reason, user, action, table, null, null);
} }
public static AuthResult deny(String reason, User user, public static AuthResult deny(String request, String reason, User user,
Permission.Action action, byte[] table) { Permission.Action action, byte[] table) {
return new AuthResult(false, reason, user, action, table, null, null); return new AuthResult(false, request, reason, user, action, table, null, null);
} }
public static AuthResult deny(String reason, User user, public static AuthResult deny(String request, String reason, User user,
Permission.Action action, byte[] table, byte[] family, byte[] qualifier) { Permission.Action action, byte[] table, byte[] family, byte[] qualifier) {
return new AuthResult(false, reason, user, action, table, family, qualifier); return new AuthResult(false, request, reason, user, action, table, family, qualifier);
} }
} }
@ -257,7 +261,7 @@ public class AccessController extends BaseRegionObserver
* the request * the request
* @return * @return
*/ */
AuthResult permissionGranted(User user, Permission.Action permRequest, AuthResult permissionGranted(String request, User user, Permission.Action permRequest,
RegionCoprocessorEnvironment e, RegionCoprocessorEnvironment e,
Map<byte [], ? extends Collection<?>> families) { Map<byte [], ? extends Collection<?>> families) {
HRegionInfo hri = e.getRegion().getRegionInfo(); HRegionInfo hri = e.getRegion().getRegionInfo();
@ -267,12 +271,12 @@ public class AccessController extends BaseRegionObserver
// this is a very common operation, so deal with it quickly. // this is a very common operation, so deal with it quickly.
if (hri.isRootRegion() || hri.isMetaRegion()) { if (hri.isRootRegion() || hri.isMetaRegion()) {
if (permRequest == Permission.Action.READ) { if (permRequest == Permission.Action.READ) {
return AuthResult.allow("All users allowed", user, permRequest, tableName); return AuthResult.allow(request, "All users allowed", user, permRequest, tableName);
} }
} }
if (user == null) { if (user == null) {
return AuthResult.deny("No user associated with request!", null, permRequest, tableName); return AuthResult.deny(request, "No user associated with request!", null, permRequest, tableName);
} }
// Users with CREATE/ADMIN rights need to modify .META. and _acl_ table // Users with CREATE/ADMIN rights need to modify .META. and _acl_ table
@ -286,12 +290,12 @@ public class AccessController extends BaseRegionObserver
(authManager.authorize(user, Permission.Action.CREATE) || (authManager.authorize(user, Permission.Action.CREATE) ||
authManager.authorize(user, Permission.Action.ADMIN))) authManager.authorize(user, Permission.Action.ADMIN)))
{ {
return AuthResult.allow("Table permission granted", user, permRequest, tableName); return AuthResult.allow(request, "Table permission granted", user, permRequest, tableName);
} }
// 2. check for the table-level, if successful we can short-circuit // 2. check for the table-level, if successful we can short-circuit
if (authManager.authorize(user, tableName, (byte[])null, permRequest)) { if (authManager.authorize(user, tableName, (byte[])null, permRequest)) {
return AuthResult.allow("Table permission granted", user, permRequest, tableName); return AuthResult.allow(request, "Table permission granted", user, permRequest, tableName);
} }
// 3. check permissions against the requested families // 3. check permissions against the requested families
@ -312,7 +316,7 @@ public class AccessController extends BaseRegionObserver
for (byte[] qualifier : familySet) { for (byte[] qualifier : familySet) {
if (!authManager.authorize(user, tableName, family.getKey(), if (!authManager.authorize(user, tableName, family.getKey(),
qualifier, permRequest)) { qualifier, permRequest)) {
return AuthResult.deny("Failed qualifier check", user, return AuthResult.deny(request, "Failed qualifier check", user,
permRequest, tableName, family.getKey(), qualifier); permRequest, tableName, family.getKey(), qualifier);
} }
} }
@ -321,25 +325,25 @@ public class AccessController extends BaseRegionObserver
for (KeyValue kv : kvList) { for (KeyValue kv : kvList) {
if (!authManager.authorize(user, tableName, family.getKey(), if (!authManager.authorize(user, tableName, family.getKey(),
kv.getQualifier(), permRequest)) { kv.getQualifier(), permRequest)) {
return AuthResult.deny("Failed qualifier check", user, return AuthResult.deny(request, "Failed qualifier check", user,
permRequest, tableName, family.getKey(), kv.getQualifier()); permRequest, tableName, family.getKey(), kv.getQualifier());
} }
} }
} }
} else { } else {
// no qualifiers and family-level check already failed // no qualifiers and family-level check already failed
return AuthResult.deny("Failed family check", user, permRequest, return AuthResult.deny(request, "Failed family check", user, permRequest,
tableName, family.getKey(), null); tableName, family.getKey(), null);
} }
} }
// all family checks passed // all family checks passed
return AuthResult.allow("All family checks passed", user, permRequest, return AuthResult.allow(request, "All family checks passed", user, permRequest,
tableName); tableName);
} }
// 4. no families to check and table level access failed // 4. no families to check and table level access failed
return AuthResult.deny("No families to check and table permission failed", return AuthResult.deny(request, "No families to check and table permission failed",
user, permRequest, tableName); user, permRequest, tableName);
} }
@ -354,6 +358,7 @@ public class AccessController extends BaseRegionObserver
" for user " + (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN") + " for user " + (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN") +
"; reason: " + result.getReason() + "; reason: " + result.getReason() +
"; remote address: " + (remoteAddr != null ? remoteAddr : "") + "; remote address: " + (remoteAddr != null ? remoteAddr : "") +
"; request: " + result.getRequest() +
"; context: " + result.toContextString()); "; context: " + result.toContextString());
} }
} }
@ -381,18 +386,20 @@ public class AccessController extends BaseRegionObserver
* @throws IOException if obtaining the current user fails * @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if user has no authorization * @throws AccessDeniedException if user has no authorization
*/ */
private void requirePermission(byte[] tableName, byte[] family, byte[] qualifier, private void requirePermission(String request, byte[] tableName, byte[] family, byte[] qualifier,
Action... permissions) throws IOException { Action... permissions) throws IOException {
User user = getActiveUser(); User user = getActiveUser();
AuthResult result = null; AuthResult result = null;
for (Action permission : permissions) { for (Action permission : permissions) {
if (authManager.authorize(user, tableName, family, qualifier, permission)) { if (authManager.authorize(user, tableName, family, qualifier, permission)) {
result = AuthResult.allow("Table permission granted", user, permission, tableName, family, qualifier); result = AuthResult.allow(request, "Table permission granted", user,
permission, tableName, family, qualifier);
break; break;
} else { } else {
// rest of the world // rest of the world
result = AuthResult.deny("Insufficient permissions", user, permission, tableName, family, qualifier); result = AuthResult.deny(request, "Insufficient permissions", user,
permission, tableName, family, qualifier);
} }
} }
logResult(result); logResult(result);
@ -407,12 +414,12 @@ public class AccessController extends BaseRegionObserver
* @throws IOException if obtaining the current user fails * @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if authorization is denied * @throws AccessDeniedException if authorization is denied
*/ */
private void requirePermission(Permission.Action perm) throws IOException { private void requirePermission(String request, Permission.Action perm) throws IOException {
User user = getActiveUser(); User user = getActiveUser();
if (authManager.authorize(user, perm)) { if (authManager.authorize(user, perm)) {
logResult(AuthResult.allow("Global check allowed", user, perm, null)); logResult(AuthResult.allow(request, "Global check allowed", user, perm, null));
} else { } else {
logResult(AuthResult.deny("Global check failed", user, perm, null)); logResult(AuthResult.deny(request, "Global check failed", user, perm, null));
throw new AccessDeniedException("Insufficient permissions for user '" + throw new AccessDeniedException("Insufficient permissions for user '" +
(user != null ? user.getShortName() : "null") +"' (global, action=" + (user != null ? user.getShortName() : "null") +"' (global, action=" +
perm.toString() + ")"); perm.toString() + ")");
@ -427,7 +434,7 @@ public class AccessController extends BaseRegionObserver
* @param families The set of column families present/required in the request * @param families The set of column families present/required in the request
* @throws AccessDeniedException if the authorization check failed * @throws AccessDeniedException if the authorization check failed
*/ */
private void requirePermission(Permission.Action perm, private void requirePermission(String request, Permission.Action perm,
RegionCoprocessorEnvironment env, Collection<byte[]> families) RegionCoprocessorEnvironment env, Collection<byte[]> families)
throws IOException { throws IOException {
// create a map of family-qualifier // create a map of family-qualifier
@ -435,7 +442,7 @@ public class AccessController extends BaseRegionObserver
for (byte[] family : families) { for (byte[] family : families) {
familyMap.put(family, null); familyMap.put(family, null);
} }
requirePermission(perm, env, familyMap); requirePermission(request, perm, env, familyMap);
} }
/** /**
@ -446,12 +453,12 @@ public class AccessController extends BaseRegionObserver
* @param families The map of column families-qualifiers. * @param families The map of column families-qualifiers.
* @throws AccessDeniedException if the authorization check failed * @throws AccessDeniedException if the authorization check failed
*/ */
private void requirePermission(Permission.Action perm, private void requirePermission(String request, Permission.Action perm,
RegionCoprocessorEnvironment env, RegionCoprocessorEnvironment env,
Map<byte[], ? extends Collection<?>> families) Map<byte[], ? extends Collection<?>> families)
throws IOException { throws IOException {
User user = getActiveUser(); User user = getActiveUser();
AuthResult result = permissionGranted(user, perm, env, families); AuthResult result = permissionGranted(request, user, perm, env, families);
logResult(result); logResult(result);
if (!result.isAllowed()) { if (!result.isAllowed()) {
@ -550,7 +557,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> c, public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> c,
HTableDescriptor desc, HRegionInfo[] regions) throws IOException { HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
requirePermission(Permission.Action.CREATE); requirePermission("createTable", Permission.Action.CREATE);
} }
@Override @Override
@ -577,7 +584,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName) public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName)
throws IOException { throws IOException {
requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("deleteTable", tableName, null, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
@ -595,7 +602,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName, public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
HTableDescriptor htd) throws IOException { HTableDescriptor htd) throws IOException {
requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
@ -621,7 +628,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName, public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
HColumnDescriptor column) throws IOException { HColumnDescriptor column) throws IOException {
requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("addColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
@ -637,7 +644,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName, public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
HColumnDescriptor descriptor) throws IOException { HColumnDescriptor descriptor) throws IOException {
requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("modifyColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
@ -654,7 +661,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName, public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
byte[] col) throws IOException { byte[] col) throws IOException {
requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("deleteColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
@ -673,7 +680,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName) public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName)
throws IOException { throws IOException {
requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("enableTable", tableName, null, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
@ -693,7 +700,7 @@ public class AccessController extends BaseRegionObserver
throw new AccessDeniedException("Not allowed to disable " throw new AccessDeniedException("Not allowed to disable "
+ AccessControlLists.ACL_TABLE_NAME_STR + " table."); + AccessControlLists.ACL_TABLE_NAME_STR + " table.");
} }
requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("disableTable", tableName, null, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
@ -709,7 +716,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region, public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region,
ServerName srcServer, ServerName destServer) throws IOException { ServerName srcServer, ServerName destServer) throws IOException {
requirePermission(region.getTableName(), null, null, Action.ADMIN); requirePermission("move", region.getTableName(), null, null, Action.ADMIN);
} }
@Override @Override
@ -720,7 +727,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo) public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo)
throws IOException { throws IOException {
requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN); requirePermission("assign", regionInfo.getTableName(), null, null, Action.ADMIN);
} }
@Override @Override
@ -730,7 +737,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo, public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo,
boolean force) throws IOException { boolean force) throws IOException {
requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN); requirePermission("unassign", regionInfo.getTableName(), null, null, Action.ADMIN);
} }
@Override @Override
@ -740,7 +747,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c) public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException { throws IOException {
requirePermission(Permission.Action.ADMIN); requirePermission("balance", Permission.Action.ADMIN);
} }
@Override @Override
public void postBalance(ObserverContext<MasterCoprocessorEnvironment> c, List<RegionPlan> plans) public void postBalance(ObserverContext<MasterCoprocessorEnvironment> c, List<RegionPlan> plans)
@ -749,7 +756,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c,
boolean newValue) throws IOException { boolean newValue) throws IOException {
requirePermission(Permission.Action.ADMIN); requirePermission("balanceSwitch", Permission.Action.ADMIN);
return newValue; return newValue;
} }
@Override @Override
@ -759,13 +766,13 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException { throws IOException {
requirePermission(Permission.Action.ADMIN); requirePermission("shutdown", Permission.Action.ADMIN);
} }
@Override @Override
public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException { throws IOException {
requirePermission(Permission.Action.ADMIN); requirePermission("stopMaster", Permission.Action.ADMIN);
} }
@Override @Override
@ -791,7 +798,7 @@ public class AccessController extends BaseRegionObserver
if (isSpecialTable(regionInfo)) { if (isSpecialTable(regionInfo)) {
isSystemOrSuperUser(regionEnv.getConfiguration()); isSystemOrSuperUser(regionEnv.getConfiguration());
} else { } else {
requirePermission(Action.ADMIN); requirePermission("preOpen", Action.ADMIN);
} }
} }
} }
@ -818,38 +825,38 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preFlush(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException { public void preFlush(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN); requirePermission("flush", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
} }
@Override @Override
public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException { public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN); requirePermission("split", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
} }
@Override @Override
public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e, public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e,
byte[] splitRow) throws IOException { byte[] splitRow) throws IOException {
requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN); requirePermission("split", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
} }
@Override @Override
public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> e, public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> e,
final HStore store, final InternalScanner scanner) throws IOException { final HStore store, final InternalScanner scanner) throws IOException {
requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN); requirePermission("compact", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
return scanner; return scanner;
} }
@Override @Override
public void preCompactSelection(final ObserverContext<RegionCoprocessorEnvironment> e, public void preCompactSelection(final ObserverContext<RegionCoprocessorEnvironment> e,
final HStore store, final List<StoreFile> candidates) throws IOException { final HStore store, final List<StoreFile> candidates) throws IOException {
requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN); requirePermission("compact", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
} }
@Override @Override
public void preGetClosestRowBefore(final ObserverContext<RegionCoprocessorEnvironment> c, public void preGetClosestRowBefore(final ObserverContext<RegionCoprocessorEnvironment> c,
final byte [] row, final byte [] family, final Result result) final byte [] row, final byte [] family, final Result result)
throws IOException { throws IOException {
requirePermission(Permission.Action.READ, c.getEnvironment(), requirePermission("getClosestRowBefore", Permission.Action.READ, c.getEnvironment(),
(family != null ? Lists.newArrayList(family) : null)); (family != null ? Lists.newArrayList(family) : null));
} }
@ -862,7 +869,7 @@ public class AccessController extends BaseRegionObserver
*/ */
RegionCoprocessorEnvironment e = c.getEnvironment(); RegionCoprocessorEnvironment e = c.getEnvironment();
User requestUser = getActiveUser(); User requestUser = getActiveUser();
AuthResult authResult = permissionGranted(requestUser, AuthResult authResult = permissionGranted("get", requestUser,
Permission.Action.READ, e, get.getFamilyMap()); Permission.Action.READ, e, get.getFamilyMap());
if (!authResult.isAllowed()) { if (!authResult.isAllowed()) {
if (hasFamilyQualifierPermission(requestUser, if (hasFamilyQualifierPermission(requestUser,
@ -879,7 +886,7 @@ public class AccessController extends BaseRegionObserver
} else { } else {
get.setFilter(filter); get.setFilter(filter);
} }
logResult(AuthResult.allow("Access allowed with filter", requestUser, logResult(AuthResult.allow("get", "Access allowed with filter", requestUser,
Permission.Action.READ, authResult.table)); Permission.Action.READ, authResult.table));
} else { } else {
logResult(authResult); logResult(authResult);
@ -895,7 +902,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public boolean preExists(final ObserverContext<RegionCoprocessorEnvironment> c, public boolean preExists(final ObserverContext<RegionCoprocessorEnvironment> c,
final Get get, final boolean exists) throws IOException { final Get get, final boolean exists) throws IOException {
requirePermission(Permission.Action.READ, c.getEnvironment(), requirePermission("exists", Permission.Action.READ, c.getEnvironment(),
get.familySet()); get.familySet());
return exists; return exists;
} }
@ -904,7 +911,7 @@ public class AccessController extends BaseRegionObserver
public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c, public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c,
final Put put, final WALEdit edit, final boolean writeToWAL) final Put put, final WALEdit edit, final boolean writeToWAL)
throws IOException { throws IOException {
requirePermission(Permission.Action.WRITE, c.getEnvironment(), requirePermission("put", Permission.Action.WRITE, c.getEnvironment(),
put.getFamilyMap()); put.getFamilyMap());
} }
@ -920,7 +927,7 @@ public class AccessController extends BaseRegionObserver
public void preDelete(final ObserverContext<RegionCoprocessorEnvironment> c, public void preDelete(final ObserverContext<RegionCoprocessorEnvironment> c,
final Delete delete, final WALEdit edit, final boolean writeToWAL) final Delete delete, final WALEdit edit, final boolean writeToWAL)
throws IOException { throws IOException {
requirePermission(Permission.Action.WRITE, c.getEnvironment(), requirePermission("delete", Permission.Action.WRITE, c.getEnvironment(),
delete.getFamilyMap()); delete.getFamilyMap());
} }
@ -940,8 +947,8 @@ public class AccessController extends BaseRegionObserver
final ByteArrayComparable comparator, final Put put, final ByteArrayComparable comparator, final Put put,
final boolean result) throws IOException { final boolean result) throws IOException {
Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family}); Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family});
requirePermission(Permission.Action.READ, c.getEnvironment(), familyMap); requirePermission("checkAndPut", Permission.Action.READ, c.getEnvironment(), familyMap);
requirePermission(Permission.Action.WRITE, c.getEnvironment(), familyMap); requirePermission("checkAndPut", Permission.Action.WRITE, c.getEnvironment(), familyMap);
return result; return result;
} }
@ -952,8 +959,8 @@ public class AccessController extends BaseRegionObserver
final ByteArrayComparable comparator, final Delete delete, final ByteArrayComparable comparator, final Delete delete,
final boolean result) throws IOException { final boolean result) throws IOException {
Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family}); Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family});
requirePermission(Permission.Action.READ, c.getEnvironment(), familyMap); requirePermission("checkAndDelete", Permission.Action.READ, c.getEnvironment(), familyMap);
requirePermission(Permission.Action.WRITE, c.getEnvironment(), familyMap); requirePermission("checkAndDelete", Permission.Action.WRITE, c.getEnvironment(), familyMap);
return result; return result;
} }
@ -962,7 +969,7 @@ public class AccessController extends BaseRegionObserver
final byte [] row, final byte [] family, final byte [] qualifier, final byte [] row, final byte [] family, final byte [] qualifier,
final long amount, final boolean writeToWAL) final long amount, final boolean writeToWAL)
throws IOException { throws IOException {
requirePermission(Permission.Action.WRITE, c.getEnvironment(), requirePermission("incrementColumnValue", Permission.Action.WRITE, c.getEnvironment(),
Arrays.asList(new byte[][]{family})); Arrays.asList(new byte[][]{family}));
return -1; return -1;
} }
@ -970,7 +977,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append) public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append)
throws IOException { throws IOException {
requirePermission(Permission.Action.WRITE, c.getEnvironment(), append.getFamilyMap()); requirePermission("append", Permission.Action.WRITE, c.getEnvironment(), append.getFamilyMap());
return null; return null;
} }
@ -978,7 +985,7 @@ public class AccessController extends BaseRegionObserver
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c, public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,
final Increment increment) final Increment increment)
throws IOException { throws IOException {
requirePermission(Permission.Action.WRITE, c.getEnvironment(), requirePermission("increment", Permission.Action.WRITE, c.getEnvironment(),
increment.getFamilyMap().keySet()); increment.getFamilyMap().keySet());
return null; return null;
} }
@ -992,7 +999,7 @@ public class AccessController extends BaseRegionObserver
*/ */
RegionCoprocessorEnvironment e = c.getEnvironment(); RegionCoprocessorEnvironment e = c.getEnvironment();
User user = getActiveUser(); User user = getActiveUser();
AuthResult authResult = permissionGranted(user, Permission.Action.READ, e, AuthResult authResult = permissionGranted("scannerOpen", user, Permission.Action.READ, e,
scan.getFamilyMap()); scan.getFamilyMap());
if (!authResult.isAllowed()) { if (!authResult.isAllowed()) {
if (hasFamilyQualifierPermission(user, Permission.Action.READ, e, if (hasFamilyQualifierPermission(user, Permission.Action.READ, e,
@ -1009,7 +1016,7 @@ public class AccessController extends BaseRegionObserver
} else { } else {
scan.setFilter(filter); scan.setFilter(filter);
} }
logResult(AuthResult.allow("Access allowed with filter", user, logResult(AuthResult.allow("scannerOpen", "Access allowed with filter", user,
Permission.Action.READ, authResult.table)); Permission.Action.READ, authResult.table));
} else { } else {
// no table/family level perms and no qualifier level perms, reject // no table/family level perms and no qualifier level perms, reject
@ -1086,7 +1093,7 @@ public class AccessController extends BaseRegionObserver
LOG.debug("Received request to grant access permission " + perm.toString()); LOG.debug("Received request to grant access permission " + perm.toString());
} }
requirePermission(perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN); requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);
AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm); AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
if (AUDITLOG.isTraceEnabled()) { if (AUDITLOG.isTraceEnabled()) {
@ -1117,7 +1124,8 @@ public class AccessController extends BaseRegionObserver
LOG.debug("Received request to revoke access permission " + perm.toString()); LOG.debug("Received request to revoke access permission " + perm.toString());
} }
requirePermission(perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN); requirePermission("revoke", perm.getTable(), perm.getFamily(),
perm.getQualifier(), Action.ADMIN);
AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm); AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
if (AUDITLOG.isTraceEnabled()) { if (AUDITLOG.isTraceEnabled()) {
@ -1144,7 +1152,7 @@ public class AccessController extends BaseRegionObserver
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException { public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
// only allowed to be called on _acl_ region // only allowed to be called on _acl_ region
if (aclRegion) { if (aclRegion) {
requirePermission(tableName, null, null, Action.ADMIN); requirePermission("userPermissions", tableName, null, null, Action.ADMIN);
List<UserPermission> perms = AccessControlLists.getUserPermissions( List<UserPermission> perms = AccessControlLists.getUserPermissions(
regionEnv.getConfiguration(), tableName); regionEnv.getConfiguration(), tableName);
@ -1179,12 +1187,12 @@ public class AccessController extends BaseRegionObserver
} }
} }
requirePermission(action, regionEnv, familyMap); requirePermission("checkPermissions", action, regionEnv, familyMap);
} }
} else { } else {
for (Permission.Action action : permission.getActions()) { for (Permission.Action action : permission.getActions()) {
requirePermission(action); requirePermission("checkPermissions", action);
} }
} }
} }
@ -1297,7 +1305,7 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preClose(ObserverContext<RegionCoprocessorEnvironment> e, boolean abortRequested) public void preClose(ObserverContext<RegionCoprocessorEnvironment> e, boolean abortRequested)
throws IOException { throws IOException {
requirePermission(Action.ADMIN); requirePermission("preClose", Action.ADMIN);
} }
private void isSystemOrSuperUser(Configuration conf) throws IOException { private void isSystemOrSuperUser(Configuration conf) throws IOException {
@ -1329,6 +1337,6 @@ public class AccessController extends BaseRegionObserver
public void preStopRegionServer( public void preStopRegionServer(
ObserverContext<RegionServerCoprocessorEnvironment> env) ObserverContext<RegionServerCoprocessorEnvironment> env)
throws IOException { throws IOException {
requirePermission(Permission.Action.ADMIN); requirePermission("preStopRegionServer", Permission.Action.ADMIN);
} }
} }