HBASE-21739 Move grant/revoke from regionserver to master
Signed-off-by: Guanghao Zhang <zghao@apache.org>
This commit is contained in:
parent
d82c1a6c2b
commit
f997252344
|
@ -53,6 +53,7 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
|
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
|
||||||
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
||||||
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
|
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
|
||||||
|
@ -2833,4 +2834,23 @@ public interface Admin extends Abortable, Closeable {
|
||||||
* no quota information on that table.
|
* no quota information on that table.
|
||||||
*/
|
*/
|
||||||
SpaceQuotaSnapshotView getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException;
|
SpaceQuotaSnapshotView getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Grants user specific permissions
|
||||||
|
*
|
||||||
|
* @param userPermission user and permissions
|
||||||
|
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
||||||
|
* previous granted permissions. otherwise, it'll merge with previous granted
|
||||||
|
* permissions.
|
||||||
|
* @throws IOException if a remote or network exception occurs
|
||||||
|
*/
|
||||||
|
void grant(UserPermission userPermission, boolean mergeExistingPermissions) throws IOException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revokes user specific permissions
|
||||||
|
*
|
||||||
|
* @param userPermission user and permissions
|
||||||
|
* @throws IOException if a remote or network exception occurs
|
||||||
|
*/
|
||||||
|
void revoke(UserPermission userPermission) throws IOException;
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,6 +43,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshotView;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.yetus.audience.InterfaceAudience;
|
import org.apache.yetus.audience.InterfaceAudience;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1324,4 +1325,19 @@ public interface AsyncAdmin {
|
||||||
*/
|
*/
|
||||||
CompletableFuture<? extends SpaceQuotaSnapshotView> getCurrentSpaceQuotaSnapshot(
|
CompletableFuture<? extends SpaceQuotaSnapshotView> getCurrentSpaceQuotaSnapshot(
|
||||||
TableName tableName);
|
TableName tableName);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Grants user specific permissions
|
||||||
|
* @param userPermission user and permissions
|
||||||
|
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
||||||
|
* previous granted permissions. otherwise, it'll merge with previous granted
|
||||||
|
* permissions.
|
||||||
|
*/
|
||||||
|
CompletableFuture<Void> grant(UserPermission userPermission, boolean mergeExistingPermissions);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revokes user specific permissions
|
||||||
|
* @param userPermission user and permissions
|
||||||
|
*/
|
||||||
|
CompletableFuture<Void> revoke(UserPermission userPermission);
|
||||||
}
|
}
|
||||||
|
|
|
@ -42,6 +42,7 @@ import org.apache.hadoop.hbase.quotas.SpaceQuotaSnapshot;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.yetus.audience.InterfaceAudience;
|
import org.apache.yetus.audience.InterfaceAudience;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -796,4 +797,15 @@ class AsyncHBaseAdmin implements AsyncAdmin {
|
||||||
public CompletableFuture<SpaceQuotaSnapshot> getCurrentSpaceQuotaSnapshot(TableName tableName) {
|
public CompletableFuture<SpaceQuotaSnapshot> getCurrentSpaceQuotaSnapshot(TableName tableName) {
|
||||||
return wrap(rawAdmin.getCurrentSpaceQuotaSnapshot(tableName));
|
return wrap(rawAdmin.getCurrentSpaceQuotaSnapshot(tableName));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public CompletableFuture<Void> grant(UserPermission userPermission,
|
||||||
|
boolean mergeExistingPermissions) {
|
||||||
|
return wrap(rawAdmin.grant(userPermission, mergeExistingPermissions));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public CompletableFuture<Void> revoke(UserPermission userPermission) {
|
||||||
|
return wrap(rawAdmin.revoke(userPermission));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -92,6 +92,7 @@ import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
|
||||||
|
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
|
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.ClientService.BlockingInterface;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.ClientService.BlockingInterface;
|
||||||
|
@ -1774,6 +1775,18 @@ class ConnectionImplementation implements ClusterConnection, Closeable {
|
||||||
IsRpcThrottleEnabledRequest request) throws ServiceException {
|
IsRpcThrottleEnabledRequest request) throws ServiceException {
|
||||||
return stub.isRpcThrottleEnabled(controller, request);
|
return stub.isRpcThrottleEnabled(controller, request);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public AccessControlProtos.GrantResponse grant(RpcController controller,
|
||||||
|
AccessControlProtos.GrantRequest request) throws ServiceException {
|
||||||
|
return stub.grant(controller, request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public AccessControlProtos.RevokeResponse revoke(RpcController controller,
|
||||||
|
AccessControlProtos.RevokeRequest request) throws ServiceException {
|
||||||
|
return stub.revoke(controller, request);
|
||||||
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -91,6 +91,8 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
|
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
||||||
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
|
import org.apache.hadoop.hbase.snapshot.HBaseSnapshotException;
|
||||||
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
||||||
|
@ -113,6 +115,8 @@ import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
|
||||||
|
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
|
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest;
|
||||||
|
@ -4464,4 +4468,30 @@ public class HBaseAdmin implements Admin {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
|
||||||
|
throws IOException {
|
||||||
|
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
|
||||||
|
@Override
|
||||||
|
protected Void rpcCall() throws Exception {
|
||||||
|
GrantRequest req =
|
||||||
|
ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions);
|
||||||
|
this.master.grant(getRpcController(), req);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void revoke(UserPermission userPermission) throws IOException {
|
||||||
|
executeCallable(new MasterCallable<Void>(getConnection(), getRpcControllerFactory()) {
|
||||||
|
@Override
|
||||||
|
protected Void rpcCall() throws Exception {
|
||||||
|
RevokeRequest req = ShadedAccessControlUtil.buildRevokeRequest(userPermission);
|
||||||
|
this.master.revoke(getRpcController(), req);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -82,6 +82,8 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
|
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
||||||
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
import org.apache.hadoop.hbase.snapshot.RestoreSnapshotException;
|
||||||
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
|
import org.apache.hadoop.hbase.snapshot.SnapshotCreationException;
|
||||||
|
@ -101,6 +103,10 @@ import org.apache.hbase.thirdparty.io.netty.util.TimerTask;
|
||||||
|
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
|
import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantResponse;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeResponse;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesRequest;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesResponse;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.ClearCompactionQueuesResponse;
|
||||||
|
@ -3712,4 +3718,23 @@ class RawAsyncHBaseAdmin implements AsyncAdmin {
|
||||||
.filter(s -> s.getTableName().equals(protoTableName)).findFirst()
|
.filter(s -> s.getTableName().equals(protoTableName)).findFirst()
|
||||||
.map(s -> SpaceQuotaSnapshot.toSpaceQuotaSnapshot(s.getSnapshot())).orElse(null));
|
.map(s -> SpaceQuotaSnapshot.toSpaceQuotaSnapshot(s.getSnapshot())).orElse(null));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public CompletableFuture<Void> grant(UserPermission userPermission,
|
||||||
|
boolean mergeExistingPermissions) {
|
||||||
|
return this.<Void> newMasterCaller()
|
||||||
|
.action((controller, stub) -> this.<GrantRequest, GrantResponse, Void> call(controller,
|
||||||
|
stub, ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions),
|
||||||
|
(s, c, req, done) -> s.grant(c, req, done), resp -> null))
|
||||||
|
.call();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public CompletableFuture<Void> revoke(UserPermission userPermission) {
|
||||||
|
return this.<Void> newMasterCaller()
|
||||||
|
.action((controller, stub) -> this.<RevokeRequest, RevokeResponse, Void> call(controller,
|
||||||
|
stub, ShadedAccessControlUtil.buildRevokeRequest(userPermission),
|
||||||
|
(s, c, req, done) -> s.revoke(c, req, done), resp -> null))
|
||||||
|
.call();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,11 @@ package org.apache.hadoop.hbase.client;
|
||||||
import org.apache.yetus.audience.InterfaceAudience;
|
import org.apache.yetus.audience.InterfaceAudience;
|
||||||
import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;
|
import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;
|
||||||
import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
|
import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
|
||||||
|
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantResponse;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeResponse;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceRequest;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceRequest;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceResponse;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CoprocessorServiceResponse;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.AbortProcedureRequest;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.AbortProcedureRequest;
|
||||||
|
@ -663,4 +668,16 @@ public class ShortCircuitMasterConnection implements MasterKeepAliveConnection {
|
||||||
IsRpcThrottleEnabledRequest request) throws ServiceException {
|
IsRpcThrottleEnabledRequest request) throws ServiceException {
|
||||||
return stub.isRpcThrottleEnabled(controller, request);
|
return stub.isRpcThrottleEnabled(controller, request);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public GrantResponse grant(RpcController controller, GrantRequest request)
|
||||||
|
throws ServiceException {
|
||||||
|
return stub.grant(controller, request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
|
||||||
|
throws ServiceException {
|
||||||
|
return stub.revoke(controller, request);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -94,10 +94,9 @@ public class AccessControlClient {
|
||||||
final String userName, final byte[] family, final byte[] qual, boolean mergeExistingPermissions,
|
final String userName, final byte[] family, final byte[] qual, boolean mergeExistingPermissions,
|
||||||
final Permission.Action... actions) throws Throwable {
|
final Permission.Action... actions) throws Throwable {
|
||||||
// TODO: Priority is not used.
|
// TODO: Priority is not used.
|
||||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
UserPermission userPermission =
|
||||||
AccessControlUtil.grant(null, getAccessControlServiceStub(table), userName, tableName,
|
new UserPermission(userName, new TablePermission(tableName, family, qual, actions));
|
||||||
family, qual, mergeExistingPermissions, actions);
|
connection.getAdmin().grant(userPermission, mergeExistingPermissions);
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -129,11 +128,9 @@ public class AccessControlClient {
|
||||||
*/
|
*/
|
||||||
private static void grant(Connection connection, final String namespace, final String userName,
|
private static void grant(Connection connection, final String namespace, final String userName,
|
||||||
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
||||||
// TODO: Pass an rpcController.
|
UserPermission userPermission =
|
||||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
new UserPermission(userName, new NamespacePermission(namespace, actions));
|
||||||
AccessControlUtil.grant(null, getAccessControlServiceStub(table), userName, namespace,
|
connection.getAdmin().grant(userPermission, mergeExistingPermissions);
|
||||||
mergeExistingPermissions, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -152,7 +149,7 @@ public class AccessControlClient {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Grants permission on the specified namespace for the specified user.
|
* Grant global permissions for the specified user.
|
||||||
* @param connection
|
* @param connection
|
||||||
* @param userName
|
* @param userName
|
||||||
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
* @param mergeExistingPermissions If set to false, later granted permissions will override
|
||||||
|
@ -163,11 +160,8 @@ public class AccessControlClient {
|
||||||
*/
|
*/
|
||||||
private static void grant(Connection connection, final String userName,
|
private static void grant(Connection connection, final String userName,
|
||||||
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
boolean mergeExistingPermissions, final Permission.Action... actions) throws Throwable {
|
||||||
// TODO: Pass an rpcController
|
UserPermission userPermission = new UserPermission(userName, new GlobalPermission(actions));
|
||||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
connection.getAdmin().grant(userPermission, mergeExistingPermissions);
|
||||||
AccessControlUtil.grant(null, getAccessControlServiceStub(table), userName,
|
|
||||||
mergeExistingPermissions, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -204,19 +198,13 @@ public class AccessControlClient {
|
||||||
public static void revoke(Connection connection, final TableName tableName,
|
public static void revoke(Connection connection, final TableName tableName,
|
||||||
final String username, final byte[] family, final byte[] qualifier,
|
final String username, final byte[] family, final byte[] qualifier,
|
||||||
final Permission.Action... actions) throws Throwable {
|
final Permission.Action... actions) throws Throwable {
|
||||||
/** TODO: Pass an rpcController
|
UserPermission userPermission =
|
||||||
HBaseRpcController controller
|
new UserPermission(username, new TablePermission(tableName, family, qualifier, actions));
|
||||||
= ((ClusterConnection) connection).getRpcControllerFactory().newController();
|
connection.getAdmin().revoke(userPermission);
|
||||||
controller.setPriority(tableName);
|
|
||||||
*/
|
|
||||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
|
||||||
AccessControlUtil.revoke(null, getAccessControlServiceStub(table), username, tableName,
|
|
||||||
family, qualifier, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Revokes the permission on the table for the specified user.
|
* Revokes the permission on the namespace for the specified user.
|
||||||
* @param connection The Connection instance to use
|
* @param connection The Connection instance to use
|
||||||
* @param namespace
|
* @param namespace
|
||||||
* @param userName
|
* @param userName
|
||||||
|
@ -225,14 +213,9 @@ public class AccessControlClient {
|
||||||
*/
|
*/
|
||||||
public static void revoke(Connection connection, final String namespace,
|
public static void revoke(Connection connection, final String namespace,
|
||||||
final String userName, final Permission.Action... actions) throws Throwable {
|
final String userName, final Permission.Action... actions) throws Throwable {
|
||||||
/** TODO: Pass an rpcController
|
UserPermission userPermission =
|
||||||
HBaseRpcController controller
|
new UserPermission(userName, new NamespacePermission(namespace, actions));
|
||||||
= ((ClusterConnection) connection).getRpcControllerFactory().newController();
|
connection.getAdmin().revoke(userPermission);
|
||||||
*/
|
|
||||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
|
||||||
AccessControlUtil.revoke(null, getAccessControlServiceStub(table), userName, namespace,
|
|
||||||
actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -241,13 +224,8 @@ public class AccessControlClient {
|
||||||
*/
|
*/
|
||||||
public static void revoke(Connection connection, final String userName,
|
public static void revoke(Connection connection, final String userName,
|
||||||
final Permission.Action... actions) throws Throwable {
|
final Permission.Action... actions) throws Throwable {
|
||||||
/** TODO: Pass an rpc controller.
|
UserPermission userPermission = new UserPermission(userName, new GlobalPermission(actions));
|
||||||
HBaseRpcController controller
|
connection.getAdmin().revoke(userPermission);
|
||||||
= ((ClusterConnection) connection).getRpcControllerFactory().newController();
|
|
||||||
*/
|
|
||||||
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
|
|
||||||
AccessControlUtil.revoke(null, getAccessControlServiceStub(table), userName, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -25,6 +25,7 @@ import java.util.Map;
|
||||||
import org.apache.commons.lang3.StringUtils;
|
import org.apache.commons.lang3.StringUtils;
|
||||||
import org.apache.hadoop.hbase.HConstants;
|
import org.apache.hadoop.hbase.HConstants;
|
||||||
import org.apache.hadoop.hbase.TableName;
|
import org.apache.hadoop.hbase.TableName;
|
||||||
|
import org.apache.hadoop.hbase.client.Admin;
|
||||||
import org.apache.yetus.audience.InterfaceAudience;
|
import org.apache.yetus.audience.InterfaceAudience;
|
||||||
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
|
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
|
||||||
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
|
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
|
||||||
|
@ -490,7 +491,9 @@ public class AccessControlUtil {
|
||||||
* @param userShortName the short name of the user to grant permissions
|
* @param userShortName the short name of the user to grant permissions
|
||||||
* @param actions the permissions to be granted
|
* @param actions the permissions to be granted
|
||||||
* @throws ServiceException
|
* @throws ServiceException
|
||||||
|
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
public static void grant(RpcController controller,
|
public static void grant(RpcController controller,
|
||||||
AccessControlService.BlockingInterface protocol, String userShortName, boolean mergeExistingPermissions,
|
AccessControlService.BlockingInterface protocol, String userShortName, boolean mergeExistingPermissions,
|
||||||
Permission.Action... actions) throws ServiceException {
|
Permission.Action... actions) throws ServiceException {
|
||||||
|
@ -517,7 +520,9 @@ public class AccessControlUtil {
|
||||||
* @param q optional qualifier
|
* @param q optional qualifier
|
||||||
* @param actions the permissions to be granted
|
* @param actions the permissions to be granted
|
||||||
* @throws ServiceException
|
* @throws ServiceException
|
||||||
|
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
public static void grant(RpcController controller,
|
public static void grant(RpcController controller,
|
||||||
AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName,
|
AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName,
|
||||||
byte[] f, byte[] q, boolean mergeExistingPermissions, Permission.Action... actions)
|
byte[] f, byte[] q, boolean mergeExistingPermissions, Permission.Action... actions)
|
||||||
|
@ -543,7 +548,9 @@ public class AccessControlUtil {
|
||||||
* @param namespace the short name of the user to grant permissions
|
* @param namespace the short name of the user to grant permissions
|
||||||
* @param actions the permissions to be granted
|
* @param actions the permissions to be granted
|
||||||
* @throws ServiceException
|
* @throws ServiceException
|
||||||
|
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
public static void grant(RpcController controller,
|
public static void grant(RpcController controller,
|
||||||
AccessControlService.BlockingInterface protocol, String userShortName, String namespace,
|
AccessControlService.BlockingInterface protocol, String userShortName, String namespace,
|
||||||
boolean mergeExistingPermissions, Permission.Action... actions) throws ServiceException {
|
boolean mergeExistingPermissions, Permission.Action... actions) throws ServiceException {
|
||||||
|
@ -567,7 +574,9 @@ public class AccessControlUtil {
|
||||||
* @param userShortName the short name of the user to revoke permissions
|
* @param userShortName the short name of the user to revoke permissions
|
||||||
* @param actions the permissions to be revoked
|
* @param actions the permissions to be revoked
|
||||||
* @throws ServiceException on failure
|
* @throws ServiceException on failure
|
||||||
|
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
public static void revoke(RpcController controller,
|
public static void revoke(RpcController controller,
|
||||||
AccessControlService.BlockingInterface protocol, String userShortName,
|
AccessControlService.BlockingInterface protocol, String userShortName,
|
||||||
Permission.Action... actions) throws ServiceException {
|
Permission.Action... actions) throws ServiceException {
|
||||||
|
@ -595,7 +604,9 @@ public class AccessControlUtil {
|
||||||
* @param q optional qualifier
|
* @param q optional qualifier
|
||||||
* @param actions the permissions to be revoked
|
* @param actions the permissions to be revoked
|
||||||
* @throws ServiceException on failure
|
* @throws ServiceException on failure
|
||||||
|
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
public static void revoke(RpcController controller,
|
public static void revoke(RpcController controller,
|
||||||
AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName,
|
AccessControlService.BlockingInterface protocol, String userShortName, TableName tableName,
|
||||||
byte[] f, byte[] q, Permission.Action... actions) throws ServiceException {
|
byte[] f, byte[] q, Permission.Action... actions) throws ServiceException {
|
||||||
|
@ -620,7 +631,9 @@ public class AccessControlUtil {
|
||||||
* @param namespace optional table name
|
* @param namespace optional table name
|
||||||
* @param actions the permissions to be revoked
|
* @param actions the permissions to be revoked
|
||||||
* @throws ServiceException on failure
|
* @throws ServiceException on failure
|
||||||
|
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
public static void revoke(RpcController controller,
|
public static void revoke(RpcController controller,
|
||||||
AccessControlService.BlockingInterface protocol, String userShortName, String namespace,
|
AccessControlService.BlockingInterface protocol, String userShortName, String namespace,
|
||||||
Permission.Action... actions) throws ServiceException {
|
Permission.Action... actions) throws ServiceException {
|
||||||
|
|
|
@ -18,20 +18,21 @@
|
||||||
|
|
||||||
package org.apache.hadoop.hbase.security.access;
|
package org.apache.hadoop.hbase.security.access;
|
||||||
|
|
||||||
|
|
||||||
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
|
|
||||||
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
|
|
||||||
import org.apache.hadoop.hbase.TableName;
|
|
||||||
import org.apache.yetus.audience.InterfaceAudience;
|
|
||||||
import org.apache.hadoop.hbase.security.access.Permission.Action;
|
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;
|
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos;
|
|
||||||
import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;
|
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import org.apache.hadoop.hbase.TableName;
|
||||||
|
import org.apache.hadoop.hbase.security.access.Permission.Action;
|
||||||
|
import org.apache.yetus.audience.InterfaceAudience;
|
||||||
|
|
||||||
|
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
|
||||||
|
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
|
||||||
|
import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Convert protobuf objects in AccessControl.proto under hbase-protocol-shaded to user-oriented
|
* Convert protobuf objects in AccessControl.proto under hbase-protocol-shaded to user-oriented
|
||||||
|
@ -49,20 +50,18 @@ public class ShadedAccessControlUtil {
|
||||||
/**
|
/**
|
||||||
* Convert a client user permission to a user permission shaded proto.
|
* Convert a client user permission to a user permission shaded proto.
|
||||||
*/
|
*/
|
||||||
public static
|
public static AccessControlProtos.Permission.Action toPermissionAction(Permission.Action action) {
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action
|
|
||||||
toPermissionAction(Permission.Action action) {
|
|
||||||
switch (action) {
|
switch (action) {
|
||||||
case READ:
|
case READ:
|
||||||
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.READ;
|
return AccessControlProtos.Permission.Action.READ;
|
||||||
case WRITE:
|
case WRITE:
|
||||||
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.WRITE;
|
return AccessControlProtos.Permission.Action.WRITE;
|
||||||
case EXEC:
|
case EXEC:
|
||||||
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.EXEC;
|
return AccessControlProtos.Permission.Action.EXEC;
|
||||||
case CREATE:
|
case CREATE:
|
||||||
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.CREATE;
|
return AccessControlProtos.Permission.Action.CREATE;
|
||||||
case ADMIN:
|
case ADMIN:
|
||||||
return org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action.ADMIN;
|
return AccessControlProtos.Permission.Action.ADMIN;
|
||||||
}
|
}
|
||||||
throw new IllegalArgumentException("Unknown action value " + action.name());
|
throw new IllegalArgumentException("Unknown action value " + action.name());
|
||||||
}
|
}
|
||||||
|
@ -70,8 +69,7 @@ public class ShadedAccessControlUtil {
|
||||||
/**
|
/**
|
||||||
* Convert a Permission.Action shaded proto to a client Permission.Action object.
|
* Convert a Permission.Action shaded proto to a client Permission.Action object.
|
||||||
*/
|
*/
|
||||||
public static Permission.Action toPermissionAction(
|
public static Permission.Action toPermissionAction(AccessControlProtos.Permission.Action action) {
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action action) {
|
|
||||||
switch (action) {
|
switch (action) {
|
||||||
case READ:
|
case READ:
|
||||||
return Permission.Action.READ;
|
return Permission.Action.READ;
|
||||||
|
@ -94,9 +92,9 @@ public class ShadedAccessControlUtil {
|
||||||
* @return the converted list of Actions
|
* @return the converted list of Actions
|
||||||
*/
|
*/
|
||||||
public static List<Permission.Action> toPermissionActions(
|
public static List<Permission.Action> toPermissionActions(
|
||||||
List<org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action> protoActions) {
|
List<AccessControlProtos.Permission.Action> protoActions) {
|
||||||
List<Permission.Action> actions = new ArrayList<>(protoActions.size());
|
List<Permission.Action> actions = new ArrayList<>(protoActions.size());
|
||||||
for (org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Action a : protoActions) {
|
for (AccessControlProtos.Permission.Action a : protoActions) {
|
||||||
actions.add(toPermissionAction(a));
|
actions.add(toPermissionAction(a));
|
||||||
}
|
}
|
||||||
return actions;
|
return actions;
|
||||||
|
@ -163,20 +161,15 @@ public class ShadedAccessControlUtil {
|
||||||
* @param perm the client Permission
|
* @param perm the client Permission
|
||||||
* @return the protobuf Permission
|
* @return the protobuf Permission
|
||||||
*/
|
*/
|
||||||
public static org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission
|
public static AccessControlProtos.Permission toPermission(Permission perm) {
|
||||||
toPermission(Permission perm) {
|
AccessControlProtos.Permission.Builder ret = AccessControlProtos.Permission.newBuilder();
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Builder ret =
|
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission
|
|
||||||
.newBuilder();
|
|
||||||
if (perm instanceof NamespacePermission) {
|
if (perm instanceof NamespacePermission) {
|
||||||
NamespacePermission nsPerm = (NamespacePermission) perm;
|
NamespacePermission nsPerm = (NamespacePermission) perm;
|
||||||
ret.setType(
|
ret.setType(AccessControlProtos.Permission.Type.Namespace);
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Type.Namespace);
|
AccessControlProtos.NamespacePermission.Builder builder =
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.NamespacePermission.Builder builder =
|
AccessControlProtos.NamespacePermission.newBuilder();
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.NamespacePermission
|
|
||||||
.newBuilder();
|
|
||||||
builder.setNamespaceName(org.apache.hbase.thirdparty.com.google.protobuf.ByteString
|
builder.setNamespaceName(org.apache.hbase.thirdparty.com.google.protobuf.ByteString
|
||||||
.copyFromUtf8(nsPerm.getNamespace()));
|
.copyFromUtf8(nsPerm.getNamespace()));
|
||||||
Permission.Action[] actions = perm.getActions();
|
Permission.Action[] actions = perm.getActions();
|
||||||
if (actions != null) {
|
if (actions != null) {
|
||||||
for (Permission.Action a : actions) {
|
for (Permission.Action a : actions) {
|
||||||
|
@ -186,11 +179,9 @@ public class ShadedAccessControlUtil {
|
||||||
ret.setNamespacePermission(builder);
|
ret.setNamespacePermission(builder);
|
||||||
} else if (perm instanceof TablePermission) {
|
} else if (perm instanceof TablePermission) {
|
||||||
TablePermission tablePerm = (TablePermission) perm;
|
TablePermission tablePerm = (TablePermission) perm;
|
||||||
ret.setType(
|
ret.setType(AccessControlProtos.Permission.Type.Table);
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Type.Table);
|
AccessControlProtos.TablePermission.Builder builder =
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.TablePermission.Builder builder =
|
AccessControlProtos.TablePermission.newBuilder();
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.TablePermission
|
|
||||||
.newBuilder();
|
|
||||||
builder.setTableName(toProtoTableName(tablePerm.getTableName()));
|
builder.setTableName(toProtoTableName(tablePerm.getTableName()));
|
||||||
if (tablePerm.hasFamily()) {
|
if (tablePerm.hasFamily()) {
|
||||||
builder.setFamily(ByteString.copyFrom(tablePerm.getFamily()));
|
builder.setFamily(ByteString.copyFrom(tablePerm.getFamily()));
|
||||||
|
@ -207,11 +198,9 @@ public class ShadedAccessControlUtil {
|
||||||
ret.setTablePermission(builder);
|
ret.setTablePermission(builder);
|
||||||
} else {
|
} else {
|
||||||
// perm.getAccessScope() == Permission.Scope.GLOBAL
|
// perm.getAccessScope() == Permission.Scope.GLOBAL
|
||||||
ret.setType(
|
ret.setType(AccessControlProtos.Permission.Type.Global);
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.Permission.Type.Global);
|
AccessControlProtos.GlobalPermission.Builder builder =
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GlobalPermission.Builder builder =
|
AccessControlProtos.GlobalPermission.newBuilder();
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GlobalPermission
|
|
||||||
.newBuilder();
|
|
||||||
Permission.Action[] actions = perm.getActions();
|
Permission.Action[] actions = perm.getActions();
|
||||||
if (actions != null) {
|
if (actions != null) {
|
||||||
for (Permission.Action a : actions) {
|
for (Permission.Action a : actions) {
|
||||||
|
@ -230,9 +219,9 @@ public class ShadedAccessControlUtil {
|
||||||
* @return the converted UserPermission
|
* @return the converted UserPermission
|
||||||
*/
|
*/
|
||||||
public static ListMultimap<String, Permission> toUserTablePermissions(
|
public static ListMultimap<String, Permission> toUserTablePermissions(
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions proto) {
|
AccessControlProtos.UsersAndPermissions proto) {
|
||||||
ListMultimap<String, Permission> perms = ArrayListMultimap.create();
|
ListMultimap<String, Permission> perms = ArrayListMultimap.create();
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.UserPermissions userPerm;
|
AccessControlProtos.UsersAndPermissions.UserPermissions userPerm;
|
||||||
for (int i = 0; i < proto.getUserPermissionsCount(); i++) {
|
for (int i = 0; i < proto.getUserPermissionsCount(); i++) {
|
||||||
userPerm = proto.getUserPermissions(i);
|
userPerm = proto.getUserPermissions(i);
|
||||||
for (int j = 0; j < userPerm.getPermissionsCount(); j++) {
|
for (int j = 0; j < userPerm.getPermissionsCount(); j++) {
|
||||||
|
@ -249,16 +238,13 @@ public class ShadedAccessControlUtil {
|
||||||
* @param perm the list of user and table permissions
|
* @param perm the list of user and table permissions
|
||||||
* @return the protobuf UserTablePermissions
|
* @return the protobuf UserTablePermissions
|
||||||
*/
|
*/
|
||||||
public static
|
public static AccessControlProtos.UsersAndPermissions
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions
|
|
||||||
toUserTablePermissions(ListMultimap<String, UserPermission> perm) {
|
toUserTablePermissions(ListMultimap<String, UserPermission> perm) {
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.Builder builder =
|
AccessControlProtos.UsersAndPermissions.Builder builder =
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions
|
AccessControlProtos.UsersAndPermissions.newBuilder();
|
||||||
.newBuilder();
|
|
||||||
for (Map.Entry<String, Collection<UserPermission>> entry : perm.asMap().entrySet()) {
|
for (Map.Entry<String, Collection<UserPermission>> entry : perm.asMap().entrySet()) {
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.UserPermissions.Builder userPermBuilder =
|
AccessControlProtos.UsersAndPermissions.UserPermissions.Builder userPermBuilder =
|
||||||
org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.UsersAndPermissions.UserPermissions
|
AccessControlProtos.UsersAndPermissions.UserPermissions.newBuilder();
|
||||||
.newBuilder();
|
|
||||||
userPermBuilder.setUser(ByteString.copyFromUtf8(entry.getKey()));
|
userPermBuilder.setUser(ByteString.copyFromUtf8(entry.getKey()));
|
||||||
for (UserPermission userPerm : entry.getValue()) {
|
for (UserPermission userPerm : entry.getValue()) {
|
||||||
userPermBuilder.addPermissions(toPermission(userPerm.getPermission()));
|
userPermBuilder.addPermissions(toPermission(userPerm.getPermission()));
|
||||||
|
@ -267,4 +253,34 @@ public class ShadedAccessControlUtil {
|
||||||
}
|
}
|
||||||
return builder.build();
|
return builder.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Converts a user permission proto to a client user permission object.
|
||||||
|
* @param proto the protobuf UserPermission
|
||||||
|
* @return the converted UserPermission
|
||||||
|
*/
|
||||||
|
public static UserPermission toUserPermission(AccessControlProtos.UserPermission proto) {
|
||||||
|
return new UserPermission(proto.getUser().toStringUtf8(), toPermission(proto.getPermission()));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convert a client user permission to a user permission proto
|
||||||
|
* @param perm the client UserPermission
|
||||||
|
* @return the protobuf UserPermission
|
||||||
|
*/
|
||||||
|
public static AccessControlProtos.UserPermission toUserPermission(UserPermission perm) {
|
||||||
|
return AccessControlProtos.UserPermission.newBuilder()
|
||||||
|
.setUser(ByteString.copyFromUtf8(perm.getUser()))
|
||||||
|
.setPermission(toPermission(perm.getPermission())).build();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static GrantRequest buildGrantRequest(UserPermission userPermission,
|
||||||
|
boolean mergeExistingPermissions) {
|
||||||
|
return GrantRequest.newBuilder().setUserPermission(toUserPermission(userPermission))
|
||||||
|
.setMergeExistingPermissions(mergeExistingPermissions).build();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static RevokeRequest buildRevokeRequest(UserPermission userPermission) {
|
||||||
|
return RevokeRequest.newBuilder().setUserPermission(toUserPermission(userPermission)).build();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -36,6 +36,7 @@ import "Procedure.proto";
|
||||||
import "Quota.proto";
|
import "Quota.proto";
|
||||||
import "Replication.proto";
|
import "Replication.proto";
|
||||||
import "Snapshot.proto";
|
import "Snapshot.proto";
|
||||||
|
import "AccessControl.proto";
|
||||||
|
|
||||||
/* Column-level protobufs */
|
/* Column-level protobufs */
|
||||||
|
|
||||||
|
@ -1014,6 +1015,10 @@ service MasterService {
|
||||||
/** Get if is rpc throttled enabled */
|
/** Get if is rpc throttled enabled */
|
||||||
rpc IsRpcThrottleEnabled (IsRpcThrottleEnabledRequest)
|
rpc IsRpcThrottleEnabled (IsRpcThrottleEnabledRequest)
|
||||||
returns (IsRpcThrottleEnabledResponse);
|
returns (IsRpcThrottleEnabledResponse);
|
||||||
|
|
||||||
|
rpc Grant(GrantRequest) returns (GrantResponse);
|
||||||
|
|
||||||
|
rpc Revoke(RevokeRequest) returns (RevokeResponse);
|
||||||
}
|
}
|
||||||
|
|
||||||
// HBCK Service definitions.
|
// HBCK Service definitions.
|
||||||
|
|
|
@ -37,6 +37,7 @@ import org.apache.hadoop.hbase.net.Address;
|
||||||
import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
|
import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.yetus.audience.InterfaceAudience;
|
import org.apache.yetus.audience.InterfaceAudience;
|
||||||
import org.apache.yetus.audience.InterfaceStability;
|
import org.apache.yetus.audience.InterfaceStability;
|
||||||
|
|
||||||
|
@ -1573,4 +1574,42 @@ public interface MasterObserver {
|
||||||
default void postIsRpcThrottleEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,
|
default void postIsRpcThrottleEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||||
final boolean rpcThrottleEnabled) throws IOException {
|
final boolean rpcThrottleEnabled) throws IOException {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called before granting user permissions.
|
||||||
|
* @param ctx the coprocessor instance's environment
|
||||||
|
* @param userPermission the user and permissions
|
||||||
|
* @param mergeExistingPermissions True if merge with previous granted permissions
|
||||||
|
*/
|
||||||
|
default void preGrant(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||||
|
UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called after granting user permissions.
|
||||||
|
* @param ctx the coprocessor instance's environment
|
||||||
|
* @param userPermission the user and permissions
|
||||||
|
* @param mergeExistingPermissions True if merge with previous granted permissions
|
||||||
|
*/
|
||||||
|
default void postGrant(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||||
|
UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called before revoking user permissions.
|
||||||
|
* @param ctx the coprocessor instance's environment
|
||||||
|
* @param userPermission the user and permissions
|
||||||
|
*/
|
||||||
|
default void preRevoke(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||||
|
UserPermission userPermission) throws IOException {
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called after revoking user permissions.
|
||||||
|
* @param ctx the coprocessor instance's environment
|
||||||
|
* @param userPermission the user and permissions
|
||||||
|
*/
|
||||||
|
default void postRevoke(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||||
|
UserPermission userPermission) throws IOException {
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,6 +58,7 @@ import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
import org.apache.hadoop.hbase.security.User;
|
import org.apache.hadoop.hbase.security.User;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.yetus.audience.InterfaceAudience;
|
import org.apache.yetus.audience.InterfaceAudience;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -1834,4 +1835,42 @@ public class MasterCoprocessorHost
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void preGrant(UserPermission userPermission, boolean mergeExistingPermissions)
|
||||||
|
throws IOException {
|
||||||
|
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
|
||||||
|
@Override
|
||||||
|
public void call(MasterObserver observer) throws IOException {
|
||||||
|
observer.preGrant(this, userPermission, mergeExistingPermissions);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
public void postGrant(UserPermission userPermission, boolean mergeExistingPermissions)
|
||||||
|
throws IOException {
|
||||||
|
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
|
||||||
|
@Override
|
||||||
|
public void call(MasterObserver observer) throws IOException {
|
||||||
|
observer.postGrant(this, userPermission, mergeExistingPermissions);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
public void preRevoke(UserPermission userPermission) throws IOException {
|
||||||
|
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
|
||||||
|
@Override
|
||||||
|
public void call(MasterObserver observer) throws IOException {
|
||||||
|
observer.preRevoke(this, userPermission);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
public void postRevoke(UserPermission userPermission) throws IOException {
|
||||||
|
execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() {
|
||||||
|
@Override
|
||||||
|
public void call(MasterObserver observer) throws IOException {
|
||||||
|
observer.postRevoke(this, userPermission);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -49,6 +49,7 @@ import org.apache.hadoop.hbase.client.ColumnFamilyDescriptor;
|
||||||
import org.apache.hadoop.hbase.client.MasterSwitchType;
|
import org.apache.hadoop.hbase.client.MasterSwitchType;
|
||||||
import org.apache.hadoop.hbase.client.RegionInfo;
|
import org.apache.hadoop.hbase.client.RegionInfo;
|
||||||
import org.apache.hadoop.hbase.client.RegionInfoBuilder;
|
import org.apache.hadoop.hbase.client.RegionInfoBuilder;
|
||||||
|
import org.apache.hadoop.hbase.client.Table;
|
||||||
import org.apache.hadoop.hbase.client.TableDescriptor;
|
import org.apache.hadoop.hbase.client.TableDescriptor;
|
||||||
import org.apache.hadoop.hbase.client.TableState;
|
import org.apache.hadoop.hbase.client.TableState;
|
||||||
import org.apache.hadoop.hbase.client.VersionInfoUtil;
|
import org.apache.hadoop.hbase.client.VersionInfoUtil;
|
||||||
|
@ -92,8 +93,11 @@ import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||||
import org.apache.hadoop.hbase.security.User;
|
import org.apache.hadoop.hbase.security.User;
|
||||||
import org.apache.hadoop.hbase.security.access.AccessChecker;
|
import org.apache.hadoop.hbase.security.access.AccessChecker;
|
||||||
|
import org.apache.hadoop.hbase.security.access.AccessControlLists;
|
||||||
import org.apache.hadoop.hbase.security.access.AccessController;
|
import org.apache.hadoop.hbase.security.access.AccessController;
|
||||||
import org.apache.hadoop.hbase.security.access.Permission;
|
import org.apache.hadoop.hbase.security.access.Permission;
|
||||||
|
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.hadoop.hbase.security.visibility.VisibilityController;
|
import org.apache.hadoop.hbase.security.visibility.VisibilityController;
|
||||||
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils;
|
||||||
import org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils;
|
import org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils;
|
||||||
|
@ -114,6 +118,10 @@ import org.apache.hbase.thirdparty.com.google.protobuf.UnsafeByteOperations;
|
||||||
|
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
|
import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.GrantResponse;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeRequest;
|
||||||
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.RevokeResponse;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionRequest;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionRequest;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionResponse;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.CompactRegionResponse;
|
||||||
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.GetRegionInfoRequest;
|
import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.GetRegionInfoRequest;
|
||||||
|
@ -2502,6 +2510,50 @@ public class MasterRpcServices extends RSRpcServices
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public GrantResponse grant(RpcController controller, GrantRequest request)
|
||||||
|
throws ServiceException {
|
||||||
|
try {
|
||||||
|
final UserPermission perm =
|
||||||
|
ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
|
||||||
|
boolean mergeExistingPermissions = request.getMergeExistingPermissions();
|
||||||
|
if (master.cpHost != null) {
|
||||||
|
master.cpHost.preGrant(perm, mergeExistingPermissions);
|
||||||
|
}
|
||||||
|
try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||||
|
AccessControlLists.addUserPermission(getConfiguration(), perm, table,
|
||||||
|
mergeExistingPermissions);
|
||||||
|
}
|
||||||
|
if (master.cpHost != null) {
|
||||||
|
master.cpHost.postGrant(perm, mergeExistingPermissions);
|
||||||
|
}
|
||||||
|
return GrantResponse.getDefaultInstance();
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
throw new ServiceException(ioe);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
|
||||||
|
throws ServiceException {
|
||||||
|
try {
|
||||||
|
final UserPermission userPermission =
|
||||||
|
ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
|
||||||
|
if (master.cpHost != null) {
|
||||||
|
master.cpHost.preRevoke(userPermission);
|
||||||
|
}
|
||||||
|
try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||||
|
AccessControlLists.removeUserPermission(master.getConfiguration(), userPermission, table);
|
||||||
|
}
|
||||||
|
if (master.cpHost != null) {
|
||||||
|
master.cpHost.postRevoke(userPermission);
|
||||||
|
}
|
||||||
|
return RevokeResponse.getDefaultInstance();
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
throw new ServiceException(ioe);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private boolean containMetaWals(ServerName serverName) throws IOException {
|
private boolean containMetaWals(ServerName serverName) throws IOException {
|
||||||
Path logDir = new Path(master.getWALRootDir(),
|
Path logDir = new Path(master.getWALRootDir(),
|
||||||
AbstractFSWALProvider.getWALDirectoryName(serverName.toString()));
|
AbstractFSWALProvider.getWALDirectoryName(serverName.toString()));
|
||||||
|
|
|
@ -130,7 +130,7 @@ public class AccessControlLists {
|
||||||
* @param t acl table instance. It is closed upon method return.
|
* @param t acl table instance. It is closed upon method return.
|
||||||
* @throws IOException in the case of an error accessing the metadata table
|
* @throws IOException in the case of an error accessing the metadata table
|
||||||
*/
|
*/
|
||||||
static void addUserPermission(Configuration conf, UserPermission userPerm, Table t,
|
public static void addUserPermission(Configuration conf, UserPermission userPerm, Table t,
|
||||||
boolean mergeExistingPermissions) throws IOException {
|
boolean mergeExistingPermissions) throws IOException {
|
||||||
Permission permission = userPerm.getPermission();
|
Permission permission = userPerm.getPermission();
|
||||||
Permission.Action[] actions = permission.getActions();
|
Permission.Action[] actions = permission.getActions();
|
||||||
|
@ -222,7 +222,7 @@ public class AccessControlLists {
|
||||||
* @param t acl table
|
* @param t acl table
|
||||||
* @throws IOException if there is an error accessing the metadata table
|
* @throws IOException if there is an error accessing the metadata table
|
||||||
*/
|
*/
|
||||||
static void removeUserPermission(Configuration conf, UserPermission userPerm, Table t)
|
public static void removeUserPermission(Configuration conf, UserPermission userPerm, Table t)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
if (null == userPerm.getPermission().getActions() ||
|
if (null == userPerm.getPermission().getActions() ||
|
||||||
userPerm.getPermission().getActions().length == 0) {
|
userPerm.getPermission().getActions().length == 0) {
|
||||||
|
|
|
@ -2052,6 +2052,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
|
|
||||||
/* ---- Protobuf AccessControlService implementation ---- */
|
/* ---- Protobuf AccessControlService implementation ---- */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @deprecated Use {@link Admin#grant(UserPermission, boolean)} instead.
|
||||||
|
*/
|
||||||
|
@Deprecated
|
||||||
@Override
|
@Override
|
||||||
public void grant(RpcController controller,
|
public void grant(RpcController controller,
|
||||||
AccessControlProtos.GrantRequest request,
|
AccessControlProtos.GrantRequest request,
|
||||||
|
@ -2069,36 +2073,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
LOG.debug("Received request from {} to grant access permission {}",
|
LOG.debug("Received request from {} to grant access permission {}",
|
||||||
caller.getName(), perm.toString());
|
caller.getName(), perm.toString());
|
||||||
}
|
}
|
||||||
|
preGrantOrRevoke(caller, "grant", perm);
|
||||||
|
|
||||||
switch(request.getUserPermission().getPermission().getType()) {
|
// regionEnv is set at #start. Hopefully not null at this point.
|
||||||
case Global :
|
regionEnv.getConnection().getAdmin().grant(perm, request.getMergeExistingPermissions());
|
||||||
accessChecker.requireGlobalPermission(caller, "grant", Action.ADMIN, "");
|
|
||||||
break;
|
|
||||||
case Table :
|
|
||||||
TablePermission tablePerm = (TablePermission) perm.getPermission();
|
|
||||||
accessChecker.requirePermission(caller, "grant", tablePerm.getTableName(),
|
|
||||||
tablePerm.getFamily(), tablePerm.getQualifier(), null, Action.ADMIN);
|
|
||||||
break;
|
|
||||||
case Namespace :
|
|
||||||
NamespacePermission namespacePer = (NamespacePermission) perm.getPermission();
|
|
||||||
accessChecker.requireNamespacePermission(caller, "grant", namespacePer.getNamespace(),
|
|
||||||
null, Action.ADMIN);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
|
|
||||||
@Override
|
|
||||||
public Void run() throws Exception {
|
|
||||||
// regionEnv is set at #start. Hopefully not null at this point.
|
|
||||||
try (Table table = regionEnv.getConnection().
|
|
||||||
getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
|
||||||
AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm, table,
|
|
||||||
request.getMergeExistingPermissions());
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
if (AUDITLOG.isTraceEnabled()) {
|
if (AUDITLOG.isTraceEnabled()) {
|
||||||
// audit log should store permission changes in addition to auth results
|
// audit log should store permission changes in addition to auth results
|
||||||
AUDITLOG.trace("Granted permission " + perm.toString());
|
AUDITLOG.trace("Granted permission " + perm.toString());
|
||||||
|
@ -2115,9 +2093,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
done.run(response);
|
done.run(response);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @deprecated Use {@link Admin#revoke(UserPermission)} instead.
|
||||||
|
*/
|
||||||
|
@Deprecated
|
||||||
@Override
|
@Override
|
||||||
public void revoke(RpcController controller,
|
public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request,
|
||||||
AccessControlProtos.RevokeRequest request,
|
|
||||||
RpcCallback<AccessControlProtos.RevokeResponse> done) {
|
RpcCallback<AccessControlProtos.RevokeResponse> done) {
|
||||||
final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());
|
final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());
|
||||||
AccessControlProtos.RevokeResponse response = null;
|
AccessControlProtos.RevokeResponse response = null;
|
||||||
|
@ -2132,35 +2113,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
LOG.debug("Received request from {} to revoke access permission {}",
|
LOG.debug("Received request from {} to revoke access permission {}",
|
||||||
caller.getShortName(), perm.toString());
|
caller.getShortName(), perm.toString());
|
||||||
}
|
}
|
||||||
|
preGrantOrRevoke(caller, "revoke", perm);
|
||||||
switch(request.getUserPermission().getPermission().getType()) {
|
// regionEnv is set at #start. Hopefully not null here.
|
||||||
case Global :
|
regionEnv.getConnection().getAdmin().revoke(perm);
|
||||||
accessChecker.requireGlobalPermission(caller, "revoke", Action.ADMIN, "");
|
|
||||||
break;
|
|
||||||
case Table :
|
|
||||||
TablePermission tablePerm = (TablePermission) perm.getPermission();
|
|
||||||
accessChecker.requirePermission(caller, "revoke", tablePerm.getTableName(),
|
|
||||||
tablePerm.getFamily(), tablePerm.getQualifier(), null, Action.ADMIN);
|
|
||||||
break;
|
|
||||||
case Namespace :
|
|
||||||
NamespacePermission namespacePer = (NamespacePermission) perm.getPermission();
|
|
||||||
accessChecker.requireNamespacePermission(caller, "revoke",
|
|
||||||
namespacePer.getNamespace(), null, Action.ADMIN);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
|
|
||||||
@Override
|
|
||||||
public Void run() throws Exception {
|
|
||||||
// regionEnv is set at #start. Hopefully not null here.
|
|
||||||
try (Table table = regionEnv.getConnection().
|
|
||||||
getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
|
||||||
AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm, table);
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
if (AUDITLOG.isTraceEnabled()) {
|
if (AUDITLOG.isTraceEnabled()) {
|
||||||
// audit log should record all permission changes
|
// audit log should record all permission changes
|
||||||
AUDITLOG.trace("Revoked permission " + perm.toString());
|
AUDITLOG.trace("Revoked permission " + perm.toString());
|
||||||
|
@ -2680,4 +2635,36 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
}
|
}
|
||||||
done.run(response);
|
done.run(response);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preGrant(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||||
|
UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {
|
||||||
|
preGrantOrRevoke(getActiveUser(ctx), "grant", userPermission);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preRevoke(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||||
|
UserPermission userPermission) throws IOException {
|
||||||
|
preGrantOrRevoke(getActiveUser(ctx), "revoke", userPermission);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void preGrantOrRevoke(User caller, String request, UserPermission userPermission)
|
||||||
|
throws IOException {
|
||||||
|
switch (userPermission.getPermission().scope) {
|
||||||
|
case GLOBAL:
|
||||||
|
accessChecker.requireGlobalPermission(caller, request, Action.ADMIN, "");
|
||||||
|
break;
|
||||||
|
case NAMESPACE:
|
||||||
|
NamespacePermission namespacePerm = (NamespacePermission) userPermission.getPermission();
|
||||||
|
accessChecker.requireNamespacePermission(caller, request, namespacePerm.getNamespace(),
|
||||||
|
null, Action.ADMIN);
|
||||||
|
break;
|
||||||
|
case TABLE:
|
||||||
|
TablePermission tablePerm = (TablePermission) userPermission.getPermission();
|
||||||
|
accessChecker.requirePermission(caller, request, tablePerm.getTableName(),
|
||||||
|
tablePerm.getFamily(), tablePerm.getQualifier(), null, Action.ADMIN);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,7 +34,6 @@ import com.google.protobuf.ServiceException;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.hbase.Coprocessor;
|
import org.apache.hadoop.hbase.Coprocessor;
|
||||||
import org.apache.hadoop.hbase.HBaseTestingUtility;
|
import org.apache.hadoop.hbase.HBaseTestingUtility;
|
||||||
import org.apache.hadoop.hbase.HConstants;
|
|
||||||
import org.apache.hadoop.hbase.MiniHBaseCluster;
|
import org.apache.hadoop.hbase.MiniHBaseCluster;
|
||||||
import org.apache.hadoop.hbase.NamespaceDescriptor;
|
import org.apache.hadoop.hbase.NamespaceDescriptor;
|
||||||
import org.apache.hadoop.hbase.TableName;
|
import org.apache.hadoop.hbase.TableName;
|
||||||
|
@ -375,12 +374,8 @@ public class SecureTestUtil {
|
||||||
@Override
|
@Override
|
||||||
public Void call() throws Exception {
|
public Void call() throws Exception {
|
||||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||||
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
connection.getAdmin().grant(new UserPermission(user, new GlobalPermission(actions)),
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
false);
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.grant(null, protocol, user, false, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -398,12 +393,7 @@ public class SecureTestUtil {
|
||||||
@Override
|
@Override
|
||||||
public Void call() throws Exception {
|
public Void call() throws Exception {
|
||||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||||
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
connection.getAdmin().revoke(new UserPermission(user, new GlobalPermission(actions)));
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.revoke(null, protocol, user, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -421,12 +411,8 @@ public class SecureTestUtil {
|
||||||
@Override
|
@Override
|
||||||
public Void call() throws Exception {
|
public Void call() throws Exception {
|
||||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||||
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
connection.getAdmin()
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
.grant(new UserPermission(user, new NamespacePermission(namespace, actions)), false);
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.grant(null, protocol, user, namespace, false, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -486,12 +472,8 @@ public class SecureTestUtil {
|
||||||
@Override
|
@Override
|
||||||
public Void call() throws Exception {
|
public Void call() throws Exception {
|
||||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||||
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
connection.getAdmin()
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
.revoke(new UserPermission(user, new NamespacePermission(namespace, actions)));
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.revoke(null, protocol, user, namespace, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -510,12 +492,9 @@ public class SecureTestUtil {
|
||||||
@Override
|
@Override
|
||||||
public Void call() throws Exception {
|
public Void call() throws Exception {
|
||||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||||
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
connection.getAdmin().grant(
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
new UserPermission(user, new TablePermission(table, family, qualifier, actions)),
|
||||||
AccessControlService.BlockingInterface protocol =
|
false);
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.grant(null, protocol, user, table, family, qualifier, false, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -576,12 +555,8 @@ public class SecureTestUtil {
|
||||||
@Override
|
@Override
|
||||||
public Void call() throws Exception {
|
public Void call() throws Exception {
|
||||||
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
|
||||||
try (Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
connection.getAdmin().revoke(
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
new UserPermission(user, new TablePermission(table, family, qualifier, actions)));
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.revoke(null, protocol, user, table, family, qualifier, actions);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1170,13 +1170,10 @@ public class TestAccessController extends SecureTestUtil {
|
||||||
AccessTestAction grantAction = new AccessTestAction() {
|
AccessTestAction grantAction = new AccessTestAction() {
|
||||||
@Override
|
@Override
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
try(Connection conn = ConnectionFactory.createConnection(conf);
|
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||||
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
conn.getAdmin().grant(new UserPermission(USER_RO.getShortName(),
|
||||||
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)),
|
||||||
AccessControlService.BlockingInterface protocol =
|
false);
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.grant(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY,
|
|
||||||
null, false, Action.READ);
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -1185,13 +1182,9 @@ public class TestAccessController extends SecureTestUtil {
|
||||||
AccessTestAction revokeAction = new AccessTestAction() {
|
AccessTestAction revokeAction = new AccessTestAction() {
|
||||||
@Override
|
@Override
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
try(Connection conn = ConnectionFactory.createConnection(conf);
|
try(Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||||
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
conn.getAdmin().revoke(new UserPermission(USER_RO.getShortName(),
|
||||||
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)));
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.revoke(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
|
|
||||||
Action.READ);
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -1225,6 +1218,57 @@ public class TestAccessController extends SecureTestUtil {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
AccessTestAction preGrantAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
ACCESS_CONTROLLER.preGrant(ObserverContextImpl.createAndPrepare(CP_ENV),
|
||||||
|
new UserPermission(USER_RO.getShortName(),
|
||||||
|
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)),
|
||||||
|
false);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
AccessTestAction preRevokeAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
ACCESS_CONTROLLER.preRevoke(ObserverContextImpl.createAndPrepare(CP_ENV),
|
||||||
|
new UserPermission(USER_RO.getShortName(),
|
||||||
|
new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ)));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
AccessTestAction grantCPAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
try (Connection conn = ConnectionFactory.createConnection(conf);
|
||||||
|
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||||
|
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
||||||
|
AccessControlService.BlockingInterface protocol =
|
||||||
|
AccessControlService.newBlockingStub(service);
|
||||||
|
AccessControlUtil.grant(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY,
|
||||||
|
null, false, Action.READ);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
AccessTestAction revokeCPAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
try (Connection conn = ConnectionFactory.createConnection(conf);
|
||||||
|
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||||
|
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
|
||||||
|
AccessControlService.BlockingInterface protocol =
|
||||||
|
AccessControlService.newBlockingStub(service);
|
||||||
|
AccessControlUtil.revoke(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY,
|
||||||
|
null, Action.READ);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
|
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
|
||||||
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||||
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
@ -1240,6 +1284,22 @@ public class TestAccessController extends SecureTestUtil {
|
||||||
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
|
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
|
||||||
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
|
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
|
||||||
USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
|
verifyAllowed(preGrantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
|
||||||
|
verifyDenied(preGrantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||||
|
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
|
verifyAllowed(preRevokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
|
||||||
|
verifyDenied(preRevokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||||
|
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
|
verifyAllowed(grantCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
|
||||||
|
verifyDenied(grantCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||||
|
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
|
verifyAllowed(revokeCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
|
||||||
|
verifyDenied(revokeCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||||
|
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
} finally {
|
} finally {
|
||||||
// Cleanup, Grant the revoked permission back to the user
|
// Cleanup, Grant the revoked permission back to the user
|
||||||
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
|
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
|
||||||
|
|
|
@ -356,40 +356,27 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testGrantRevoke() throws Exception{
|
public void testGrantRevoke() throws Exception {
|
||||||
final String testUser = "testUser";
|
final String testUser = "testUser";
|
||||||
|
|
||||||
// Test if client API actions are authorized
|
// Test if client API actions are authorized
|
||||||
|
|
||||||
AccessTestAction grantAction = new AccessTestAction() {
|
AccessTestAction grantAction = new AccessTestAction() {
|
||||||
@Override
|
@Override
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
Connection connection = ConnectionFactory.createConnection(conf);
|
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||||
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME);
|
connection.getAdmin().grant(
|
||||||
try {
|
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)),
|
||||||
BlockingRpcChannel service =
|
false);
|
||||||
acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.grant(null, protocol, testUser, TEST_NAMESPACE, false, Action.WRITE);
|
|
||||||
} finally {
|
|
||||||
acl.close();
|
|
||||||
connection.close();
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
AccessTestAction grantNamespaceAction = new AccessTestAction() {
|
AccessTestAction grantNamespaceAction = new AccessTestAction() {
|
||||||
@Override
|
@Override
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
try(Connection conn = ConnectionFactory.createConnection(conf);
|
try (Connection conn = ConnectionFactory.createConnection(conf)) {
|
||||||
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
conn.getAdmin().grant(
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
new UserPermission(USER_GROUP_NS_ADMIN.getShortName(), TEST_NAMESPACE, Action.READ),
|
||||||
AccessControlService.BlockingInterface protocol =
|
false);
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.grant(null, protocol, USER_GROUP_NS_ADMIN.getShortName(),
|
|
||||||
TEST_NAMESPACE, false, Action.READ);
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -398,37 +385,19 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
||||||
AccessTestAction revokeAction = new AccessTestAction() {
|
AccessTestAction revokeAction = new AccessTestAction() {
|
||||||
@Override
|
@Override
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
Connection connection = ConnectionFactory.createConnection(conf);
|
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||||
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME);
|
connection.getAdmin().revoke(
|
||||||
try {
|
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)));
|
||||||
BlockingRpcChannel service =
|
|
||||||
acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.revoke(null, protocol, testUser, TEST_NAMESPACE, Action.WRITE);
|
|
||||||
} finally {
|
|
||||||
acl.close();
|
|
||||||
connection.close();
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
AccessTestAction revokeNamespaceAction = new AccessTestAction() {
|
AccessTestAction revokeNamespaceAction = new AccessTestAction() {
|
||||||
@Override
|
@Override
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
Connection connection = ConnectionFactory.createConnection(conf);
|
try (Connection connection = ConnectionFactory.createConnection(conf)) {
|
||||||
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME);
|
connection.getAdmin().revoke(new UserPermission(USER_GROUP_NS_ADMIN.getShortName(),
|
||||||
try {
|
new NamespacePermission(TEST_NAMESPACE, Action.READ)));
|
||||||
BlockingRpcChannel service =
|
|
||||||
acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
|
||||||
AccessControlService.BlockingInterface protocol =
|
|
||||||
AccessControlService.newBlockingStub(service);
|
|
||||||
AccessControlUtil.revoke(null, protocol, USER_GROUP_NS_ADMIN.getShortName(),
|
|
||||||
TEST_NAMESPACE, Action.READ);
|
|
||||||
} finally {
|
|
||||||
acl.close();
|
|
||||||
connection.close();
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -437,16 +406,57 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
||||||
AccessTestAction getPermissionsAction = new AccessTestAction() {
|
AccessTestAction getPermissionsAction = new AccessTestAction() {
|
||||||
@Override
|
@Override
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
Connection connection = ConnectionFactory.createConnection(conf);
|
try (Connection connection = ConnectionFactory.createConnection(conf);
|
||||||
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME);
|
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||||
try {
|
|
||||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||||
AccessControlService.BlockingInterface protocol =
|
AccessControlService.BlockingInterface protocol =
|
||||||
AccessControlService.newBlockingStub(service);
|
AccessControlService.newBlockingStub(service);
|
||||||
AccessControlUtil.getUserPermissions(null, protocol, Bytes.toBytes(TEST_NAMESPACE));
|
AccessControlUtil.getUserPermissions(null, protocol, Bytes.toBytes(TEST_NAMESPACE));
|
||||||
} finally {
|
}
|
||||||
acl.close();
|
return null;
|
||||||
connection.close();
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
AccessTestAction preGrantAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
ACCESS_CONTROLLER.preGrant(ObserverContextImpl.createAndPrepare(CP_ENV),
|
||||||
|
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)),
|
||||||
|
false);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
AccessTestAction preRevokeAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
ACCESS_CONTROLLER.preRevoke(ObserverContextImpl.createAndPrepare(CP_ENV),
|
||||||
|
new UserPermission(testUser, new NamespacePermission(TEST_NAMESPACE, Action.WRITE)));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
AccessTestAction grantCPAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
try (Connection connection = ConnectionFactory.createConnection(conf);
|
||||||
|
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||||
|
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||||
|
AccessControlService.BlockingInterface protocol =
|
||||||
|
AccessControlService.newBlockingStub(service);
|
||||||
|
AccessControlUtil.grant(null, protocol, testUser, TEST_NAMESPACE, false, Action.WRITE);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
AccessTestAction revokeCPAction = new AccessTestAction() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
try (Connection connection = ConnectionFactory.createConnection(conf);
|
||||||
|
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
|
||||||
|
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||||
|
AccessControlService.BlockingInterface protocol =
|
||||||
|
AccessControlService.newBlockingStub(service);
|
||||||
|
AccessControlUtil.revoke(null, protocol, testUser, TEST_NAMESPACE, Action.WRITE);
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -456,7 +466,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
||||||
verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
||||||
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
verifyAllowed(grantNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
|
verifyAllowed(grantNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
|
||||||
USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
|
USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
|
||||||
verifyDenied(grantNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
verifyDenied(grantNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
|
@ -467,7 +476,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
||||||
verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
||||||
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
verifyAllowed(revokeNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
|
verifyAllowed(revokeNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
|
||||||
USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
|
USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
|
||||||
verifyDenied(revokeNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
verifyDenied(revokeNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
|
@ -479,6 +487,24 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
||||||
verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
||||||
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
|
verifyAllowed(preGrantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
|
||||||
|
verifyDenied(preGrantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
|
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
||||||
|
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
verifyAllowed(preRevokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
|
||||||
|
verifyDenied(preRevokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
|
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
||||||
|
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
|
||||||
|
verifyAllowed(grantCPAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
|
||||||
|
verifyDenied(grantCPAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
|
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
||||||
|
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
|
verifyAllowed(revokeCPAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
|
||||||
|
verifyDenied(revokeCPAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
||||||
|
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
||||||
|
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
|
@ -60,6 +60,7 @@ import org.apache.hadoop.hbase.replication.ReplicationException;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
|
||||||
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
import org.apache.hadoop.hbase.replication.ReplicationPeerDescription;
|
||||||
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
import org.apache.hadoop.hbase.replication.SyncReplicationState;
|
||||||
|
import org.apache.hadoop.hbase.security.access.UserPermission;
|
||||||
import org.apache.hadoop.hbase.thrift2.ThriftUtilities;
|
import org.apache.hadoop.hbase.thrift2.ThriftUtilities;
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.TColumnFamilyDescriptor;
|
import org.apache.hadoop.hbase.thrift2.generated.TColumnFamilyDescriptor;
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
|
import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
|
||||||
|
@ -1425,4 +1426,14 @@ public class ThriftAdmin implements Admin {
|
||||||
public SpaceQuotaSnapshot getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException {
|
public SpaceQuotaSnapshot getCurrentSpaceQuotaSnapshot(TableName tableName) throws IOException {
|
||||||
throw new NotImplementedException("getCurrentSpaceQuotaSnapshot not supported in ThriftAdmin");
|
throw new NotImplementedException("getCurrentSpaceQuotaSnapshot not supported in ThriftAdmin");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void grant(UserPermission userPermission, boolean mergeExistingPermissions) {
|
||||||
|
throw new NotImplementedException("grant not supported in ThriftAdmin");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void revoke(UserPermission userPermission) {
|
||||||
|
throw new NotImplementedException("revoke not supported in ThriftAdmin");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue