Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-21739 Move grant/revoke from regionserver to master 

Signed-off-by: Guanghao Zhang <zghao@apache.org>
This commit is contained in:
meiyi 2019-01-29 19:52:50 +08:00 committed by Guanghao Zhang
parent d82c1a6c2b
commit f997252344
20 changed files with 600 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java
View File

@ -53,6 +53,7 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException; import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException; import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException; import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
@ -2833,4 +2834,23 @@ public interface Admin extends Abortable, Closeable {
* no quota information on that table. * no quota information on that table.
*/ */
SpaceQuotaSnapshotView getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException; SpaceQuotaSnapshotView getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException;
/**
* Grants user specific permissions
*
* @param userPermission user and permissions
* @param mergeExistingPermissions If set to false, later granted permissions will override
* previous granted permissions. otherwise, it'll merge with previous granted
* permissions.
* @throws IOException if a remote or network exception occurs
*/
void grant(UserPermission userPermission, boolean mergeExistingPermissions) throws IOException;
/**
* Revokes user specific permissions
*
* @param userPermission user and permissions
* @throws IOException if a remote or network exception occurs
*/
void revoke(UserPermission userPermission) throws IOException;
} }

16
hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncAdmin.java
View File

@ -43,6 +43,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshotView;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceAudience;
/** /**
@ -1324,4 +1325,19 @@ public interface AsyncAdmin {
*/ */
CompletableFuture<? extends SpaceQuotaSnapshotView> getCurrentSpaceQuotaSnapshot( CompletableFuture<? extends SpaceQuotaSnapshotView> getCurrentSpaceQuotaSnapshot(
TableName tableName); TableName tableName);
/**
* Grants user specific permissions
* @param userPermission user and permissions
* @param mergeExistingPermissions If set to false, later granted permissions will override
* previous granted permissions. otherwise, it'll merge with previous granted
* permissions.
*/
CompletableFuture<Void> grant(UserPermission userPermission, boolean mergeExistingPermissions);
/**
* Revokes user specific permissions
* @param userPermission user and permissions
*/
CompletableFuture<Void> revoke(UserPermission userPermission);
} }

12
hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncHBaseAdmin.java
View File

@ -42,6 +42,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshot;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceAudience;
/** /**
@ -796,4 +797,15 @@ class AsyncHBaseAdmin implements AsyncAdmin {
public CompletableFuture<SpaceQuotaSnapshot> getCurrentSpaceQuotaSnapshot(TableName tableName) { public CompletableFuture<SpaceQuotaSnapshot> getCurrentSpaceQuotaSnapshot(TableName tableName) {
return wrap(rawAdmin.getCurrentSpaceQuotaSnapshot(tableName)); return wrap(rawAdmin.getCurrentSpaceQuotaSnapshot(tableName));
} }
@Override
public CompletableFuture<Void> grant(UserPermission userPermission,
boolean mergeExistingPermissions) {
return wrap(rawAdmin.grant(userPermission, mergeExistingPermissions));
}
@Override
public CompletableFuture<Void> revoke(UserPermission userPermission) {
return wrap(rawAdmin.revoke(userPermission));
}
} }

13
hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionImplementation.java
View File

@ -92,6 +92,7 @@ import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter; import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos; import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.ClientService.BlockingInterface; import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.ClientService.BlockingInterface;
@ -1774,6 +1775,18 @@ class ConnectionImplementation implements ClusterConnection, Closeable {
IsRpcThrottleEnabledRequest request) throws ServiceException { IsRpcThrottleEnabledRequest request) throws ServiceException {
return stub.isRpcThrottleEnabled(controller, request); return stub.isRpcThrottleEnabled(controller, request);
} }
@Override
public AccessControlProtos.GrantResponse grant(RpcController controller,
AccessControlProtos.GrantRequest request) throws ServiceException {
return stub.grant(controller, request);
}
@Override
public AccessControlProtos.RevokeResponse revoke(RpcController controller,
AccessControlProtos.RevokeRequest request) throws ServiceException {
return stub.revoke(controller, request);
}
}; };
} }

30
hbase-client/src/main/java/org/apache/hadoop/hbase/client/HBaseAdmin.java
View File

@ -91,6 +91,8 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils; import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException; import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException; import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
@ -113,6 +115,8 @@ import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter; import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest;
@ -4464,4 +4468,30 @@ public class HBaseAdmin implements Admin {
} }
}); });
} }
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
throws IOException {
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
@Override
protected Void rpcCall() throws Exception {
GrantRequest req =
ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions);
this.master.grant(getRpcController(), req);
return null;
}
});
}
@Override
public void revoke(UserPermission userPermission) throws IOException {
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
@Override
protected Void rpcCall() throws Exception {
RevokeRequest req = ShadedAccessControlUtil.buildRevokeRequest(userPermission);
this.master.revoke(getRpcController(), req);
return null;
}
});
}
} }

25
hbase-client/src/main/java/org/apache/hadoop/hbase/client/RawAsyncHBaseAdmin.java
View File

@ -82,6 +82,8 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils; import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException; import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException; import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
@ -101,6 +103,10 @@ import org.apache.hbase.thirdparty.io.netty.util.TimerTask;
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter; import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesResponse; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesResponse;
@ -3712,4 +3718,23 @@ class RawAsyncHBaseAdmin implements AsyncAdmin {
.filter(s -> s.getTableName().equals(protoTableName)).findFirst() .filter(s -> s.getTableName().equals(protoTableName)).findFirst()
.map(s -> SpaceQuotaSnapshot.toSpaceQuotaSnapshot(s.getSnapshot())).orElse(null)); .map(s -> SpaceQuotaSnapshot.toSpaceQuotaSnapshot(s.getSnapshot())).orElse(null));
} }
@Override
public CompletableFuture<Void> grant(UserPermission userPermission,
boolean mergeExistingPermissions) {
return this.<Void> newMasterCaller()
.action((controller, stub) -> this.<GrantRequest, GrantResponse, Void> call(controller,
stub, ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions),
(s, c, req, done) -> s.grant(c, req, done), resp -> null))
.call();
}
@Override
public CompletableFuture<Void> revoke(UserPermission userPermission) {
return this.<Void> newMasterCaller()
.action((controller, stub) -> this.<RevokeRequest, RevokeResponse, Void> call(controller,
stub, ShadedAccessControlUtil.buildRevokeRequest(userPermission),
(s, c, req, done) -> s.revoke(c, req, done), resp -> null))
.call();
}
} }

17
hbase-client/src/main/java/org/apache/hadoop/hbase/client/ShortCircuitMasterConnection.java
View File

@ -20,6 +20,11 @@ package org.apache.hadoop.hbase.client;
import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceAudience;
import org.apache.hbase.thirdparty.com.google.protobuf.RpcController; import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;
import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException; import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceRequest; import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceResponse; import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.AbortProcedureRequest; import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.AbortProcedureRequest;
@ -663,4 +668,16 @@ public class ShortCircuitMasterConnection implements MasterKeepAliveConnection {
IsRpcThrottleEnabledRequest request) throws ServiceException { IsRpcThrottleEnabledRequest request) throws ServiceException {
return stub.isRpcThrottleEnabled(controller, request); return stub.isRpcThrottleEnabled(controller, request);
} }
@Override
public GrantResponse grant(RpcController controller, GrantRequest request)
throws ServiceException {
return stub.grant(controller, request);
}
@Override
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
throws ServiceException {
return stub.revoke(controller, request);
}
} }

58
hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java
View File

@ -94,10 +94,9 @@ public class AccessControlClient {
final String userName, final byte[] family, final byte[] qual, boolean mergeExistingPermissions, final String userName, final byte[] family, final byte[] qual, boolean mergeExistingPermissions,
final Permission.Action... actions) throws Throwable { final Permission.Action... actions) throws Throwable {
// TODO: Priority is not used. // TODO: Priority is not used.
try (Table table = connection.getTable(ACL_TABLE_NAME)) { UserPermission userPermission =
AccessControlUtil.grant(null, getAccessControlServiceStub(table), userName, tableName, new UserPermission(userName, new TablePermission(tableName, family, qual, actions));
family, qual, mergeExistingPermissions, actions); connection.getAdmin().grant(userPermission, mergeExistingPermissions);
}
} }
/** /**
@ -129,11 +128,9 @@ public class AccessControlClient {
*/ */
private static void grant(Connection connection, final String namespace, final String userName, private static void grant(Connection connection, final String namespace, final String userName,
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable { boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
// TODO: Pass an rpcController. UserPermission userPermission =
try (Table table = connection.getTable(ACL_TABLE_NAME)) { new UserPermission(userName, new NamespacePermission(namespace, actions));
AccessControlUtil.grant(null, getAccessControlServiceStub(table), userName, namespace, connection.getAdmin().grant(userPermission, mergeExistingPermissions);
mergeExistingPermissions, actions);
}
} }
/** /**
@ -152,7 +149,7 @@ public class AccessControlClient {
} }
/** /**
* Grants permission on the specified namespace for the specified user. * Grant global permissions for the specified user.
* @param connection * @param connection
* @param userName * @param userName
* @param mergeExistingPermissions If set to false, later granted permissions will override * @param mergeExistingPermissions If set to false, later granted permissions will override
@ -163,11 +160,8 @@ public class AccessControlClient {
*/ */
private static void grant(Connection connection, final String userName, private static void grant(Connection connection, final String userName,
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable { boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
// TODO: Pass an rpcController UserPermission userPermission = new UserPermission(userName, new GlobalPermission(actions));
try (Table table = connection.getTable(ACL_TABLE_NAME)) { connection.getAdmin().grant(userPermission, mergeExistingPermissions);
AccessControlUtil.grant(null, getAccessControlServiceStub(table), userName,
mergeExistingPermissions, actions);
}
} }
/** /**
@ -204,19 +198,13 @@ public class AccessControlClient {
public static void revoke(Connection connection, final TableName tableName, public static void revoke(Connection connection, final TableName tableName,
final String username, final byte[] family, final byte[] qualifier, final String username, final byte[] family, final byte[] qualifier,
final Permission.Action... actions) throws Throwable { final Permission.Action... actions) throws Throwable {
/** TODO: Pass an rpcController UserPermission userPermission =
HBaseRpcController controller new UserPermission(username, new TablePermission(tableName, family, qualifier, actions));
= ((ClusterConnection) connection).getRpcControllerFactory().newController(); connection.getAdmin().revoke(userPermission);
controller.setPriority(tableName);
*/
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
AccessControlUtil.revoke(null, getAccessControlServiceStub(table), username, tableName,
family, qualifier, actions);
}
} }
/** /**
* Revokes the permission on the table for the specified user. * Revokes the permission on the namespace for the specified user.
* @param connection The Connection instance to use * @param connection The Connection instance to use
* @param namespace * @param namespace
* @param userName * @param userName
@ -225,14 +213,9 @@ public class AccessControlClient {
*/ */
public static void revoke(Connection connection, final String namespace, public static void revoke(Connection connection, final String namespace,
final String userName, final Permission.Action... actions) throws Throwable { final String userName, final Permission.Action... actions) throws Throwable {
/** TODO: Pass an rpcController UserPermission userPermission =
HBaseRpcController controller new UserPermission(userName, new NamespacePermission(namespace, actions));
= ((ClusterConnection) connection).getRpcControllerFactory().newController(); connection.getAdmin().revoke(userPermission);
*/
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
AccessControlUtil.revoke(null, getAccessControlServiceStub(table), userName, namespace,
actions);
}
} }
/** /**
@ -241,13 +224,8 @@ public class AccessControlClient {
*/ */
public static void revoke(Connection connection, final String userName, public static void revoke(Connection connection, final String userName,
final Permission.Action... actions) throws Throwable { final Permission.Action... actions) throws Throwable {
/** TODO: Pass an rpc controller. UserPermission userPermission = new UserPermission(userName, new GlobalPermission(actions));
HBaseRpcController controller connection.getAdmin().revoke(userPermission);
= ((ClusterConnection) connection).getRpcControllerFactory().newController();
*/
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
AccessControlUtil.revoke(null, getAccessControlServiceStub(table), userName, actions);
}
} }
/** /**

13
hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlUtil.java
View File

@ -25,6 +25,7 @@ import java.util.Map;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceAudience;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos; import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
@ -490,7 +491,9 @@ public class AccessControlUtil {
* @param userShortName the short name of the user to grant permissions * @param userShortName the short name of the user to grant permissions
* @param actions the permissions to be granted * @param actions the permissions to be granted
* @throws ServiceException * @throws ServiceException
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
*/ */
@Deprecated
public static void grant(RpcController controller, public static void grant(RpcController controller,
AccessControlService.BlockingInterface protocol, String userShortName, boolean mergeExistingPermissions, AccessControlService.BlockingInterface protocol, String userShortName, boolean mergeExistingPermissions,
Permission.Action... actions) throws ServiceException { Permission.Action... actions) throws ServiceException {
@ -517,7 +520,9 @@ public class AccessControlUtil {
* @param q optional qualifier * @param q optional qualifier
* @param actions the permissions to be granted * @param actions the permissions to be granted
* @throws ServiceException * @throws ServiceException
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
*/ */
@Deprecated
public static void grant(RpcController controller, public static void grant(RpcController controller,
AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName, AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName,
byte[] f, byte[] q, boolean mergeExistingPermissions, Permission.Action... actions) byte[] f, byte[] q, boolean mergeExistingPermissions, Permission.Action... actions)
@ -543,7 +548,9 @@ public class AccessControlUtil {
* @param namespace the short name of the user to grant permissions * @param namespace the short name of the user to grant permissions
* @param actions the permissions to be granted * @param actions the permissions to be granted
* @throws ServiceException * @throws ServiceException
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
*/ */
@Deprecated
public static void grant(RpcController controller, public static void grant(RpcController controller,
AccessControlService.BlockingInterface protocol, String userShortName, String namespace, AccessControlService.BlockingInterface protocol, String userShortName, String namespace,
boolean mergeExistingPermissions, Permission.Action... actions) throws ServiceException { boolean mergeExistingPermissions, Permission.Action... actions) throws ServiceException {
@ -567,7 +574,9 @@ public class AccessControlUtil {
* @param userShortName the short name of the user to revoke permissions * @param userShortName the short name of the user to revoke permissions
* @param actions the permissions to be revoked * @param actions the permissions to be revoked
* @throws ServiceException on failure * @throws ServiceException on failure
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
*/ */
@Deprecated
public static void revoke(RpcController controller, public static void revoke(RpcController controller,
AccessControlService.BlockingInterface protocol, String userShortName, AccessControlService.BlockingInterface protocol, String userShortName,
Permission.Action... actions) throws ServiceException { Permission.Action... actions) throws ServiceException {
@ -595,7 +604,9 @@ public class AccessControlUtil {
* @param q optional qualifier * @param q optional qualifier
* @param actions the permissions to be revoked * @param actions the permissions to be revoked
* @throws ServiceException on failure * @throws ServiceException on failure
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
*/ */
@Deprecated
public static void revoke(RpcController controller, public static void revoke(RpcController controller,
AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName, AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName,
byte[] f, byte[] q, Permission.Action... actions) throws ServiceException { byte[] f, byte[] q, Permission.Action... actions) throws ServiceException {
@ -620,7 +631,9 @@ public class AccessControlUtil {
* @param namespace optional table name * @param namespace optional table name
* @param actions the permissions to be revoked * @param actions the permissions to be revoked
* @throws ServiceException on failure * @throws ServiceException on failure
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
*/ */
@Deprecated
public static void revoke(RpcController controller, public static void revoke(RpcController controller,
AccessControlService.BlockingInterface protocol, String userShortName, String namespace, AccessControlService.BlockingInterface protocol, String userShortName, String namespace,
Permission.Action... actions) throws ServiceException { Permission.Action... actions) throws ServiceException {

120
hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/ShadedAccessControlUtil.java
View File

@ -18,20 +18,21 @@
package org.apache.hadoop.hbase.security.access; package org.apache.hadoop.hbase.security.access;
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.hadoop.hbase.TableName;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos;
import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos;
/** /**
* Convert protobuf objects in AccessControl.proto under hbase-protocol-shaded to user-oriented * Convert protobuf objects in AccessControl.proto under hbase-protocol-shaded to user-oriented
@ -49,20 +50,18 @@ public class ShadedAccessControlUtil {
/** /**
* Convert a client user permission to a user permission shaded proto. * Convert a client user permission to a user permission shaded proto.
*/ */
public static public static AccessControlProtos.Permission.Action toPermissionAction(Permission.Action action) {
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action
toPermissionAction(Permission.Action action) {
switch (action) { switch (action) {
case READ: case READ:
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.READ; return AccessControlProtos.Permission.Action.READ;
case WRITE: case WRITE:
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.WRITE; return AccessControlProtos.Permission.Action.WRITE;
case EXEC: case EXEC:
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.EXEC; return AccessControlProtos.Permission.Action.EXEC;
case CREATE: case CREATE:
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.CREATE; return AccessControlProtos.Permission.Action.CREATE;
case ADMIN: case ADMIN:
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.ADMIN; return AccessControlProtos.Permission.Action.ADMIN;
} }
throw new IllegalArgumentException("Unknown action value " + action.name()); throw new IllegalArgumentException("Unknown action value " + action.name());
} }
@ -70,8 +69,7 @@ public class ShadedAccessControlUtil {
/** /**
* Convert a Permission.Action shaded proto to a client Permission.Action object. * Convert a Permission.Action shaded proto to a client Permission.Action object.
*/ */
public static Permission.Action toPermissionAction( public static Permission.Action toPermissionAction(AccessControlProtos.Permission.Action action) {
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action action) {
switch (action) { switch (action) {
case READ: case READ:
return Permission.Action.READ; return Permission.Action.READ;
@ -94,9 +92,9 @@ public class ShadedAccessControlUtil {
* @return the converted list of Actions * @return the converted list of Actions
*/ */
public static List<Permission.Action> toPermissionActions( public static List<Permission.Action> toPermissionActions(
List<org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action> protoActions) { List<AccessControlProtos.Permission.Action> protoActions) {
List<Permission.Action> actions = new ArrayList<>(protoActions.size()); List<Permission.Action> actions = new ArrayList<>(protoActions.size());
for (org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action a : protoActions) { for (AccessControlProtos.Permission.Action a : protoActions) {
actions.add(toPermissionAction(a)); actions.add(toPermissionAction(a));
} }
return actions; return actions;
@ -163,18 +161,13 @@ public class ShadedAccessControlUtil {
* @param perm the client Permission * @param perm the client Permission
* @return the protobuf Permission * @return the protobuf Permission
*/ */
public static org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission public static AccessControlProtos.Permission toPermission(Permission perm) {
toPermission(Permission perm) { AccessControlProtos.Permission.Builder ret = AccessControlProtos.Permission.newBuilder();
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Builder ret =
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission
.newBuilder();
if (perm instanceof NamespacePermission) { if (perm instanceof NamespacePermission) {
NamespacePermission nsPerm = (NamespacePermission) perm; NamespacePermission nsPerm = (NamespacePermission) perm;
ret.setType( ret.setType(AccessControlProtos.Permission.Type.Namespace);
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Type.Namespace); AccessControlProtos.NamespacePermission.Builder builder =
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.NamespacePermission.Builder builder = AccessControlProtos.NamespacePermission.newBuilder();
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.NamespacePermission
.newBuilder();
builder.setNamespaceName(org.apache.hbase.thirdparty.com.google.protobuf.ByteString builder.setNamespaceName(org.apache.hbase.thirdparty.com.google.protobuf.ByteString
.copyFromUtf8(nsPerm.getNamespace())); .copyFromUtf8(nsPerm.getNamespace()));
Permission.Action[] actions = perm.getActions(); Permission.Action[] actions = perm.getActions();
@ -186,11 +179,9 @@ public class ShadedAccessControlUtil {
ret.setNamespacePermission(builder); ret.setNamespacePermission(builder);
} else if (perm instanceof TablePermission) { } else if (perm instanceof TablePermission) {
TablePermission tablePerm = (TablePermission) perm; TablePermission tablePerm = (TablePermission) perm;
ret.setType( ret.setType(AccessControlProtos.Permission.Type.Table);
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Type.Table); AccessControlProtos.TablePermission.Builder builder =
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.TablePermission.Builder builder = AccessControlProtos.TablePermission.newBuilder();
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.TablePermission
.newBuilder();
builder.setTableName(toProtoTableName(tablePerm.getTableName())); builder.setTableName(toProtoTableName(tablePerm.getTableName()));
if (tablePerm.hasFamily()) { if (tablePerm.hasFamily()) {
builder.setFamily(ByteString.copyFrom(tablePerm.getFamily())); builder.setFamily(ByteString.copyFrom(tablePerm.getFamily()));
@ -207,11 +198,9 @@ public class ShadedAccessControlUtil {
ret.setTablePermission(builder); ret.setTablePermission(builder);
} else { } else {
// perm.getAccessScope() == Permission.Scope.GLOBAL // perm.getAccessScope() == Permission.Scope.GLOBAL
ret.setType( ret.setType(AccessControlProtos.Permission.Type.Global);
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Type.Global); AccessControlProtos.GlobalPermission.Builder builder =
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GlobalPermission.Builder builder = AccessControlProtos.GlobalPermission.newBuilder();
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GlobalPermission
.newBuilder();
Permission.Action[] actions = perm.getActions(); Permission.Action[] actions = perm.getActions();
if (actions != null) { if (actions != null) {
for (Permission.Action a : actions) { for (Permission.Action a : actions) {
@ -230,9 +219,9 @@ public class ShadedAccessControlUtil {
* @return the converted UserPermission * @return the converted UserPermission
*/ */
public static ListMultimap<String, Permission> toUserTablePermissions( public static ListMultimap<String, Permission> toUserTablePermissions(
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions proto) { AccessControlProtos.UsersAndPermissions proto) {
ListMultimap<String, Permission> perms = ArrayListMultimap.create(); ListMultimap<String, Permission> perms = ArrayListMultimap.create();
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.UserPermissions userPerm; AccessControlProtos.UsersAndPermissions.UserPermissions userPerm;
for (int i = 0; i < proto.getUserPermissionsCount(); i++) { for (int i = 0; i < proto.getUserPermissionsCount(); i++) {
userPerm = proto.getUserPermissions(i); userPerm = proto.getUserPermissions(i);
for (int j = 0; j < userPerm.getPermissionsCount(); j++) { for (int j = 0; j < userPerm.getPermissionsCount(); j++) {
@ -249,16 +238,13 @@ public class ShadedAccessControlUtil {
* @param perm the list of user and table permissions * @param perm the list of user and table permissions
* @return the protobuf UserTablePermissions * @return the protobuf UserTablePermissions
*/ */
public static public static AccessControlProtos.UsersAndPermissions
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions
toUserTablePermissions(ListMultimap<String, UserPermission> perm) { toUserTablePermissions(ListMultimap<String, UserPermission> perm) {
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.Builder builder = AccessControlProtos.UsersAndPermissions.Builder builder =
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions AccessControlProtos.UsersAndPermissions.newBuilder();
.newBuilder();
for (Map.Entry<String, Collection<UserPermission>> entry : perm.asMap().entrySet()) { for (Map.Entry<String, Collection<UserPermission>> entry : perm.asMap().entrySet()) {
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.UserPermissions.Builder userPermBuilder = AccessControlProtos.UsersAndPermissions.UserPermissions.Builder userPermBuilder =
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.UserPermissions AccessControlProtos.UsersAndPermissions.UserPermissions.newBuilder();
.newBuilder();
userPermBuilder.setUser(ByteString.copyFromUtf8(entry.getKey())); userPermBuilder.setUser(ByteString.copyFromUtf8(entry.getKey()));
for (UserPermission userPerm : entry.getValue()) { for (UserPermission userPerm : entry.getValue()) {
userPermBuilder.addPermissions(toPermission(userPerm.getPermission())); userPermBuilder.addPermissions(toPermission(userPerm.getPermission()));
@ -267,4 +253,34 @@ public class ShadedAccessControlUtil {
} }
return builder.build(); return builder.build();
} }
/**
* Converts a user permission proto to a client user permission object.
* @param proto the protobuf UserPermission
* @return the converted UserPermission
*/
public static UserPermission toUserPermission(AccessControlProtos.UserPermission proto) {
return new UserPermission(proto.getUser().toStringUtf8(), toPermission(proto.getPermission()));
}
/**
* Convert a client user permission to a user permission proto
* @param perm the client UserPermission
* @return the protobuf UserPermission
*/
public static AccessControlProtos.UserPermission toUserPermission(UserPermission perm) {
return AccessControlProtos.UserPermission.newBuilder()
.setUser(ByteString.copyFromUtf8(perm.getUser()))
.setPermission(toPermission(perm.getPermission())).build();
}
public static GrantRequest buildGrantRequest(UserPermission userPermission,
boolean mergeExistingPermissions) {
return GrantRequest.newBuilder().setUserPermission(toUserPermission(userPermission))
.setMergeExistingPermissions(mergeExistingPermissions).build();
}
public static RevokeRequest buildRevokeRequest(UserPermission userPermission) {
return RevokeRequest.newBuilder().setUserPermission(toUserPermission(userPermission)).build();
}
} }

5
hbase-protocol-shaded/src/main/protobuf/Master.proto
View File

@ -36,6 +36,7 @@ import "Procedure.proto";
import "Quota.proto"; import "Quota.proto";
import "Replication.proto"; import "Replication.proto";
import "Snapshot.proto"; import "Snapshot.proto";
import "AccessControl.proto";
/* Column-level protobufs */ /* Column-level protobufs */
@ -1014,6 +1015,10 @@ service MasterService {
/** Get if is rpc throttled enabled */ /** Get if is rpc throttled enabled */
rpc IsRpcThrottleEnabled (IsRpcThrottleEnabledRequest) rpc IsRpcThrottleEnabled (IsRpcThrottleEnabledRequest)
returns (IsRpcThrottleEnabledResponse); returns (IsRpcThrottleEnabledResponse);
rpc Grant(GrantRequest) returns (GrantResponse);
rpc Revoke(RevokeRequest) returns (RevokeResponse);
} }
// HBCK Service definitions. // HBCK Service definitions.

39
hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java
View File

@ -37,6 +37,7 @@ import org.apache.hadoop.hbase.net.Address;
import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings; import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceAudience;
import org.apache.yetus.audience.InterfaceStability; import org.apache.yetus.audience.InterfaceStability;
@ -1573,4 +1574,42 @@ public interface MasterObserver {
default void postIsRpcThrottleEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx, default void postIsRpcThrottleEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final boolean rpcThrottleEnabled) throws IOException { final boolean rpcThrottleEnabled) throws IOException {
} }
/**
* Called before granting user permissions.
* @param ctx the coprocessor instance's environment
* @param userPermission the user and permissions
* @param mergeExistingPermissions True if merge with previous granted permissions
*/
default void preGrant(ObserverContext<MasterCoprocessorEnvironment> ctx,
UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {
}
/**
* Called after granting user permissions.
* @param ctx the coprocessor instance's environment
* @param userPermission the user and permissions
* @param mergeExistingPermissions True if merge with previous granted permissions
*/
default void postGrant(ObserverContext<MasterCoprocessorEnvironment> ctx,
UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {
}
/**
* Called before revoking user permissions.
* @param ctx the coprocessor instance's environment
* @param userPermission the user and permissions
*/
default void preRevoke(ObserverContext<MasterCoprocessorEnvironment> ctx,
UserPermission userPermission) throws IOException {
}
/**
* Called after revoking user permissions.
* @param ctx the coprocessor instance's environment
* @param userPermission the user and permissions
*/
default void postRevoke(ObserverContext<MasterCoprocessorEnvironment> ctx,
UserPermission userPermission) throws IOException {
}
} }

39
hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java
View File

@ -58,6 +58,7 @@ import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -1834,4 +1835,42 @@ public class MasterCoprocessorHost
} }
}); });
} }
public void preGrant(UserPermission userPermission, boolean mergeExistingPermissions)
throws IOException {
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
@Override
public void call(MasterObserver observer) throws IOException {
observer.preGrant(this, userPermission, mergeExistingPermissions);
}
});
}
public void postGrant(UserPermission userPermission, boolean mergeExistingPermissions)
throws IOException {
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
@Override
public void call(MasterObserver observer) throws IOException {
observer.postGrant(this, userPermission, mergeExistingPermissions);
}
});
}
public void preRevoke(UserPermission userPermission) throws IOException {
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
@Override
public void call(MasterObserver observer) throws IOException {
observer.preRevoke(this, userPermission);
}
});
}
public void postRevoke(UserPermission userPermission) throws IOException {
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
@Override
public void call(MasterObserver observer) throws IOException {
observer.postRevoke(this, userPermission);
}
});
}
} }

52
hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
View File

@ -49,6 +49,7 @@ import org.apache.hadoop.hbase.client.ColumnFamilyDescriptor;
import org.apache.hadoop.hbase.client.MasterSwitchType; import org.apache.hadoop.hbase.client.MasterSwitchType;
import org.apache.hadoop.hbase.client.RegionInfo; import org.apache.hadoop.hbase.client.RegionInfo;
import org.apache.hadoop.hbase.client.RegionInfoBuilder; import org.apache.hadoop.hbase.client.RegionInfoBuilder;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.client.TableDescriptor; import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.client.TableState; import org.apache.hadoop.hbase.client.TableState;
import org.apache.hadoop.hbase.client.VersionInfoUtil; import org.apache.hadoop.hbase.client.VersionInfoUtil;
@ -92,8 +93,11 @@ import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessChecker; import org.apache.hadoop.hbase.security.access.AccessChecker;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController; import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission; import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.security.visibility.VisibilityController; import org.apache.hadoop.hbase.security.visibility.VisibilityController;
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils; import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
import org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils; import org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils;
@ -114,6 +118,10 @@ import org.apache.hbase.thirdparty.com.google.protobuf.UnsafeByteOperations;
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter; import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionRequest; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionRequest;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionResponse; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionResponse;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.GetRegionInfoRequest; import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.GetRegionInfoRequest;
@ -2502,6 +2510,50 @@ public class MasterRpcServices extends RSRpcServices
} }
} }
@Override
public GrantResponse grant(RpcController controller, GrantRequest request)
throws ServiceException {
try {
final UserPermission perm =
ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
boolean mergeExistingPermissions = request.getMergeExistingPermissions();
if (master.cpHost != null) {
master.cpHost.preGrant(perm, mergeExistingPermissions);
}
try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.addUserPermission(getConfiguration(), perm, table,
mergeExistingPermissions);
}
if (master.cpHost != null) {
master.cpHost.postGrant(perm, mergeExistingPermissions);
}
return GrantResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
}
}
@Override
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
throws ServiceException {
try {
final UserPermission userPermission =
ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
if (master.cpHost != null) {
master.cpHost.preRevoke(userPermission);
}
try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.removeUserPermission(master.getConfiguration(), userPermission, table);
}
if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission);
}
return RevokeResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
}
}
private boolean containMetaWals(ServerName serverName) throws IOException { private boolean containMetaWals(ServerName serverName) throws IOException {
Path logDir = new Path(master.getWALRootDir(), Path logDir = new Path(master.getWALRootDir(),
AbstractFSWALProvider.getWALDirectoryName(serverName.toString())); AbstractFSWALProvider.getWALDirectoryName(serverName.toString()));

4
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
View File

@ -130,7 +130,7 @@ public class AccessControlLists {
* @param t acl table instance. It is closed upon method return. * @param t acl table instance. It is closed upon method return.
* @throws IOException in the case of an error accessing the metadata table * @throws IOException in the case of an error accessing the metadata table
*/ */
static void addUserPermission(Configuration conf, UserPermission userPerm, Table t, public static void addUserPermission(Configuration conf, UserPermission userPerm, Table t,
boolean mergeExistingPermissions) throws IOException { boolean mergeExistingPermissions) throws IOException {
Permission permission = userPerm.getPermission(); Permission permission = userPerm.getPermission();
Permission.Action[] actions = permission.getActions(); Permission.Action[] actions = permission.getActions();
@ -222,7 +222,7 @@ public class AccessControlLists {
* @param t acl table * @param t acl table
* @throws IOException if there is an error accessing the metadata table * @throws IOException if there is an error accessing the metadata table
*/ */
static void removeUserPermission(Configuration conf, UserPermission userPerm, Table t) public static void removeUserPermission(Configuration conf, UserPermission userPerm, Table t)
throws IOException { throws IOException {
if (null == userPerm.getPermission().getActions() || if (null == userPerm.getPermission().getActions() ||
userPerm.getPermission().getActions().length == 0) { userPerm.getPermission().getActions().length == 0) {

103
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -2052,6 +2052,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
/* ---- Protobuf AccessControlService implementation ---- */ /* ---- Protobuf AccessControlService implementation ---- */
/**
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
*/
@Deprecated
@Override @Override
public void grant(RpcController controller, public void grant(RpcController controller,
AccessControlProtos.GrantRequest request, AccessControlProtos.GrantRequest request,
@ -2069,36 +2073,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
LOG.debug("Received request from {} to grant access permission {}", LOG.debug("Received request from {} to grant access permission {}",
caller.getName(), perm.toString()); caller.getName(), perm.toString());
} }
preGrantOrRevoke(caller, "grant", perm);
switch(request.getUserPermission().getPermission().getType()) {
case Global :
accessChecker.requireGlobalPermission(caller, "grant", Action.ADMIN, "");
break;
case Table :
TablePermission tablePerm = (TablePermission) perm.getPermission();
accessChecker.requirePermission(caller, "grant", tablePerm.getTableName(),
tablePerm.getFamily(), tablePerm.getQualifier(), null, Action.ADMIN);
break;
case Namespace :
NamespacePermission namespacePer = (NamespacePermission) perm.getPermission();
accessChecker.requireNamespacePermission(caller, "grant", namespacePer.getNamespace(),
null, Action.ADMIN);
break;
}
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
// regionEnv is set at #start. Hopefully not null at this point. // regionEnv is set at #start. Hopefully not null at this point.
try (Table table = regionEnv.getConnection(). regionEnv.getConnection().getAdmin().grant(perm, request.getMergeExistingPermissions());
getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm, table,
request.getMergeExistingPermissions());
}
return null;
}
});
if (AUDITLOG.isTraceEnabled()) { if (AUDITLOG.isTraceEnabled()) {
// audit log should store permission changes in addition to auth results // audit log should store permission changes in addition to auth results
AUDITLOG.trace("Granted permission " + perm.toString()); AUDITLOG.trace("Granted permission " + perm.toString());
@ -2115,9 +2093,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
done.run(response); done.run(response);
} }
/**
* @deprecated Use {@link Admin#revoke(UserPermission)} instead.
*/
@Deprecated
@Override @Override
public void revoke(RpcController controller, public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request,
AccessControlProtos.RevokeRequest request,
RpcCallback<AccessControlProtos.RevokeResponse> done) { RpcCallback<AccessControlProtos.RevokeResponse> done) {
final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission()); final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());
AccessControlProtos.RevokeResponse response = null; AccessControlProtos.RevokeResponse response = null;
@ -2132,35 +2113,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
LOG.debug("Received request from {} to revoke access permission {}", LOG.debug("Received request from {} to revoke access permission {}",
caller.getShortName(), perm.toString()); caller.getShortName(), perm.toString());
} }
preGrantOrRevoke(caller, "revoke", perm);
switch(request.getUserPermission().getPermission().getType()) {
case Global :
accessChecker.requireGlobalPermission(caller, "revoke", Action.ADMIN, "");
break;
case Table :
TablePermission tablePerm = (TablePermission) perm.getPermission();
accessChecker.requirePermission(caller, "revoke", tablePerm.getTableName(),
tablePerm.getFamily(), tablePerm.getQualifier(), null, Action.ADMIN);
break;
case Namespace :
NamespacePermission namespacePer = (NamespacePermission) perm.getPermission();
accessChecker.requireNamespacePermission(caller, "revoke",
namespacePer.getNamespace(), null, Action.ADMIN);
break;
}
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
// regionEnv is set at #start. Hopefully not null here. // regionEnv is set at #start. Hopefully not null here.
try (Table table = regionEnv.getConnection(). regionEnv.getConnection().getAdmin().revoke(perm);
getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm, table);
}
return null;
}
});
if (AUDITLOG.isTraceEnabled()) { if (AUDITLOG.isTraceEnabled()) {
// audit log should record all permission changes // audit log should record all permission changes
AUDITLOG.trace("Revoked permission " + perm.toString()); AUDITLOG.trace("Revoked permission " + perm.toString());
@ -2680,4 +2635,36 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
} }
done.run(response); done.run(response);
} }
@Override
public void preGrant(ObserverContext<MasterCoprocessorEnvironment> ctx,
UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {
preGrantOrRevoke(getActiveUser(ctx), "grant", userPermission);
}
@Override
public void preRevoke(ObserverContext<MasterCoprocessorEnvironment> ctx,
UserPermission userPermission) throws IOException {
preGrantOrRevoke(getActiveUser(ctx), "revoke", userPermission);
}
private void preGrantOrRevoke(User caller, String request, UserPermission userPermission)
throws IOException {
switch (userPermission.getPermission().scope) {
case GLOBAL:
accessChecker.requireGlobalPermission(caller, request, Action.ADMIN, "");
break;
case NAMESPACE:
NamespacePermission namespacePerm = (NamespacePermission) userPermission.getPermission();
accessChecker.requireNamespacePermission(caller, request, namespacePerm.getNamespace(),
null, Action.ADMIN);
break;
case TABLE:
TablePermission tablePerm = (TablePermission) userPermission.getPermission();
accessChecker.requirePermission(caller, request, tablePerm.getTableName(),
tablePerm.getFamily(), tablePerm.getQualifier(), null, Action.ADMIN);
break;
default:
}
}
} }

49
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
View File

@ -34,7 +34,6 @@ import com.google.protobuf.ServiceException;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.Coprocessor; import org.apache.hadoop.hbase.Coprocessor;
import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.MiniHBaseCluster; import org.apache.hadoop.hbase.MiniHBaseCluster;
import org.apache.hadoop.hbase.NamespaceDescriptor; import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.TableName;
@ -375,12 +374,8 @@ public class SecureTestUtil {
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) { try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) { connection.getAdmin().grant(new UserPermission(user, new GlobalPermission(actions)),
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); false);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, user, false, actions);
}
} }
return null; return null;
} }
@ -398,12 +393,7 @@ public class SecureTestUtil {
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) { try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) { connection.getAdmin().revoke(new UserPermission(user, new GlobalPermission(actions)));
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, user, actions);
}
} }
return null; return null;
} }
@ -421,12 +411,8 @@ public class SecureTestUtil {
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) { try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) { connection.getAdmin()
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); .grant(new UserPermission(user, new NamespacePermission(namespace, actions)), false);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, user, namespace, false, actions);
}
} }
return null; return null;
} }
@ -486,12 +472,8 @@ public class SecureTestUtil {
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) { try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) { connection.getAdmin()
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); .revoke(new UserPermission(user, new NamespacePermission(namespace, actions)));
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, user, namespace, actions);
}
} }
return null; return null;
} }
@ -510,12 +492,9 @@ public class SecureTestUtil {
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) { try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) { connection.getAdmin().grant(
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); new UserPermission(user, new TablePermission(table, family, qualifier, actions)),
AccessControlService.BlockingInterface protocol = false);
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, user, table, family, qualifier, false, actions);
}
} }
return null; return null;
} }
@ -576,12 +555,8 @@ public class SecureTestUtil {
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) { try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) { connection.getAdmin().revoke(
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); new UserPermission(user, new TablePermission(table, family, qualifier, actions)));
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, user, table, family, qualifier, actions);
}
} }
return null; return null;
} }

88
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -1170,13 +1170,10 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction grantAction = new AccessTestAction() { AccessTestAction grantAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf); try (Connection conn = ConnectionFactory.createConnection(conf)) {
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { conn.getAdmin().grant(new UserPermission(USER_RO.getShortName(),
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)),
AccessControlService.BlockingInterface protocol = false);
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY,
null, false, Action.READ);
} }
return null; return null;
} }
@ -1185,13 +1182,9 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction revokeAction = new AccessTestAction() { AccessTestAction revokeAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf); try(Connection conn = ConnectionFactory.createConnection(conf)) {
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { conn.getAdmin().revoke(new UserPermission(USER_RO.getShortName(),
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)));
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
Action.READ);
} }
return null; return null;
} }
@ -1225,6 +1218,57 @@ public class TestAccessController extends SecureTestUtil {
} }
}; };
AccessTestAction preGrantAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preGrant(ObserverContextImpl.createAndPrepare(CP_ENV),
new UserPermission(USER_RO.getShortName(),
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)),
false);
return null;
}
};
AccessTestAction preRevokeAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preRevoke(ObserverContextImpl.createAndPrepare(CP_ENV),
new UserPermission(USER_RO.getShortName(),
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)));
return null;
}
};
AccessTestAction grantCPAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY,
null, false, Action.READ);
}
return null;
}
};
AccessTestAction revokeCPAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY,
null, Action.READ);
}
return null;
}
};
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE); USER_GROUP_WRITE, USER_GROUP_CREATE);
@ -1240,6 +1284,22 @@ public class TestAccessController extends SecureTestUtil {
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(preGrantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(preGrantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(preRevokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(preRevokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(grantCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(grantCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(revokeCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(revokeCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally { } finally {
// Cleanup, Grant the revoked permission back to the user // Cleanup, Grant the revoked permission back to the user
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,

134
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
View File

@ -356,40 +356,27 @@ public class TestNamespaceCommands extends SecureTestUtil {
} }
@Test @Test
public void testGrantRevoke() throws Exception{ public void testGrantRevoke() throws Exception {
final String testUser = "testUser"; final String testUser = "testUser";
// Test if client API actions are authorized // Test if client API actions are authorized
AccessTestAction grantAction = new AccessTestAction() { AccessTestAction grantAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Connection connection = ConnectionFactory.createConnection(conf); try (Connection connection = ConnectionFactory.createConnection(conf)) {
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME); connection.getAdmin().grant(
try { new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)),
BlockingRpcChannel service = false);
acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, testUser, TEST_NAMESPACE, false, Action.WRITE);
} finally {
acl.close();
connection.close();
} }
return null; return null;
} }
}; };
AccessTestAction grantNamespaceAction = new AccessTestAction() { AccessTestAction grantNamespaceAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf); try (Connection conn = ConnectionFactory.createConnection(conf)) {
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { conn.getAdmin().grant(
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); new UserPermission(USER_GROUP_NS_ADMIN.getShortName(), TEST_NAMESPACE, Action.READ),
AccessControlService.BlockingInterface protocol = false);
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, USER_GROUP_NS_ADMIN.getShortName(),
TEST_NAMESPACE, false, Action.READ);
} }
return null; return null;
} }
@ -398,37 +385,19 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction revokeAction = new AccessTestAction() { AccessTestAction revokeAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Connection connection = ConnectionFactory.createConnection(conf); try (Connection connection = ConnectionFactory.createConnection(conf)) {
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME); connection.getAdmin().revoke(
try { new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)));
BlockingRpcChannel service =
acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, testUser, TEST_NAMESPACE, Action.WRITE);
} finally {
acl.close();
connection.close();
} }
return null; return null;
} }
}; };
AccessTestAction revokeNamespaceAction = new AccessTestAction() { AccessTestAction revokeNamespaceAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Connection connection = ConnectionFactory.createConnection(conf); try (Connection connection = ConnectionFactory.createConnection(conf)) {
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME); connection.getAdmin().revoke(new UserPermission(USER_GROUP_NS_ADMIN.getShortName(),
try { new NamespacePermission(TEST_NAMESPACE, Action.READ)));
BlockingRpcChannel service =
acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, USER_GROUP_NS_ADMIN.getShortName(),
TEST_NAMESPACE, Action.READ);
} finally {
acl.close();
connection.close();
} }
return null; return null;
} }
@ -437,16 +406,57 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction getPermissionsAction = new AccessTestAction() { AccessTestAction getPermissionsAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Connection connection = ConnectionFactory.createConnection(conf); try (Connection connection = ConnectionFactory.createConnection(conf);
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME); Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
try {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
AccessControlUtil.getUserPermissions(null, protocol, Bytes.toBytes(TEST_NAMESPACE)); AccessControlUtil.getUserPermissions(null, protocol, Bytes.toBytes(TEST_NAMESPACE));
} finally { }
acl.close(); return null;
connection.close(); }
};
AccessTestAction preGrantAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preGrant(ObserverContextImpl.createAndPrepare(CP_ENV),
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)),
false);
return null;
}
};
AccessTestAction preRevokeAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preRevoke(ObserverContextImpl.createAndPrepare(CP_ENV),
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)));
return null;
}
};
AccessTestAction grantCPAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, testUser, TEST_NAMESPACE, false, Action.WRITE);
}
return null;
}
};
AccessTestAction revokeCPAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, testUser, TEST_NAMESPACE, Action.WRITE);
} }
return null; return null;
} }
@ -456,7 +466,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(grantNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, verifyAllowed(grantNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
USER_NS_ADMIN, USER_GROUP_NS_ADMIN); USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
verifyDenied(grantNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, verifyDenied(grantNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
@ -467,7 +476,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(revokeNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, verifyAllowed(revokeNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
USER_NS_ADMIN, USER_GROUP_NS_ADMIN); USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
verifyDenied(revokeNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, verifyDenied(revokeNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
@ -479,6 +487,24 @@ public class TestNamespaceCommands extends SecureTestUtil {
verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(preGrantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
verifyDenied(preGrantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(preRevokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
verifyDenied(preRevokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(grantCPAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
verifyDenied(grantCPAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(revokeCPAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
verifyDenied(revokeCPAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
} }
@Test @Test

11
hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/client/ThriftAdmin.java
View File

@ -60,6 +60,7 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
import org.apache.hadoop.hbase.replication.SyncReplicationState; import org.apache.hadoop.hbase.replication.SyncReplicationState;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.thrift2.ThriftUtilities; import org.apache.hadoop.hbase.thrift2.ThriftUtilities;
import org.apache.hadoop.hbase.thrift2.generated.TColumnFamilyDescriptor; import org.apache.hadoop.hbase.thrift2.generated.TColumnFamilyDescriptor;
import org.apache.hadoop.hbase.thrift2.generated.THBaseService; import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
@ -1425,4 +1426,14 @@ public class ThriftAdmin implements Admin {
public SpaceQuotaSnapshot getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException { public SpaceQuotaSnapshot getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException {
throw new NotImplementedException("getCurrentSpaceQuotaSnapshot not supported in ThriftAdmin"); throw new NotImplementedException("getCurrentSpaceQuotaSnapshot not supported in ThriftAdmin");
} }
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions) {
throw new NotImplementedException("grant not supported in ThriftAdmin");
}
@Override
public void revoke(UserPermission userPermission) {
throw new NotImplementedException("revoke not supported in ThriftAdmin");
}
} }