Java Code Examples for org.apache.hadoop.hbase.security.access.UserPermission

The following examples show how to use org.apache.hadoop.hbase.security.access.UserPermission. These examples are extracted from open source projects.
Example 1
Source Project: phoenix   Source File: PhoenixAccessController.java    License: Apache License 2.0
/**
 * Narrows {@code perms} to the entries whose user name equals {@code user}.
 *
 * <p>The match is an exact, case-sensitive {@code equals} on the value returned by
 * {@code getUserFromUP}; the principal name is not normalised here.
 *
 * @param perms permissions to search; may be {@code null}
 * @param user user name to match
 * @return the matching entries, or {@code null} (never an empty list) when {@code perms} is
 *         {@code null} or nothing matches, so callers have to null-check the result
 */
private List<UserPermission> getPermissionForUser(List<UserPermission> perms, String user) {
    if (perms == null) {
        return null;
    }
    // Several AccessControl coprocessor implementations can each report permissions for the
    // same user, so every match is kept rather than only the first one.
    List<UserPermission> matches = new ArrayList<>();
    for (UserPermission candidate : perms) {
        if (getUserFromUP(candidate).equals(user)) {
            matches.add(candidate);
        }
    }
    return matches.isEmpty() ? null : matches;
}
 
Example 2
Source Project: hbase   Source File: MasterCoprocessorHost.java    License: Apache License 2.0
/**
 * Hands a pending grant to {@code execOperation} so that each {@link MasterObserver} it reaches
 * gets its {@code preGrant} callback.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation.
 * NOTE(review): an observer can presumably abort the grant by throwing from this hook; confirm
 * against the access-control observer, since no caller check is visible in this method.
 *
 * @param userPermission the permission about to be granted
 * @param mergeExistingPermissions forwarded unchanged to the observer
 * @throws IOException propagated from {@code execOperation}
 */
public void preGrant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  MasterObserverOperation hook = null;
  if (!coprocEnvironments.isEmpty()) {
    hook = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, which the observer receives as its context.
        observer.preGrant(this, userPermission, mergeExistingPermissions);
      }
    };
  }
  execOperation(hook);
}
 
Example 3
Source Project: hbase   Source File: MasterCoprocessorHost.java    License: Apache License 2.0
/**
 * Hands a completed grant to {@code execOperation} so that each {@link MasterObserver} it
 * reaches gets its {@code postGrant} callback.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation.
 *
 * @param userPermission the permission that was granted
 * @param mergeExistingPermissions forwarded unchanged to the observer
 * @throws IOException propagated from {@code execOperation}
 */
public void postGrant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  MasterObserverOperation hook = null;
  if (!coprocEnvironments.isEmpty()) {
    hook = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, which the observer receives as its context.
        observer.postGrant(this, userPermission, mergeExistingPermissions);
      }
    };
  }
  execOperation(hook);
}
 
Example 4
Source Project: hbase   Source File: MasterCoprocessorHost.java    License: Apache License 2.0
/**
 * Hands a pending revoke to {@code execOperation} so that each {@link MasterObserver} it
 * reaches gets its {@code preRevoke} callback.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation.
 * NOTE(review): an observer can presumably abort the revoke by throwing from this hook; confirm
 * against the access-control observer, since no caller check is visible in this method.
 *
 * @param userPermission the permission about to be revoked
 * @throws IOException propagated from {@code execOperation}
 */
public void preRevoke(UserPermission userPermission) throws IOException {
  MasterObserverOperation hook = null;
  if (!coprocEnvironments.isEmpty()) {
    hook = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, which the observer receives as its context.
        observer.preRevoke(this, userPermission);
      }
    };
  }
  execOperation(hook);
}
 
Example 5
Source Project: hbase   Source File: MasterCoprocessorHost.java    License: Apache License 2.0
/**
 * Hands a completed revoke to {@code execOperation} so that each {@link MasterObserver} it
 * reaches gets its {@code postRevoke} callback.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation.
 *
 * @param userPermission the permission that was revoked
 * @throws IOException propagated from {@code execOperation}
 */
public void postRevoke(UserPermission userPermission) throws IOException {
  MasterObserverOperation hook = null;
  if (!coprocEnvironments.isEmpty()) {
    hook = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, which the observer receives as its context.
        observer.postRevoke(this, userPermission);
      }
    };
  }
  execOperation(hook);
}
 
Example 6
Source Project: hbase   Source File: MasterRpcServices.java    License: Apache License 2.0
/**
 * Master-side handler for the {@code grant} RPC.
 *
 * <p>Order of operations: initialisation check, check that the access-control coprocessor is
 * loaded, {@code preGrant} hook, write to the ACL table, {@code postGrant} hook, audit line.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>No check of the caller's own privileges is visible in this method. NOTE(review):
 * presumably the {@code preGrant} hook enforces it; confirm against the loaded observer.</li>
 * <li>The audit line is written only when TRACE is enabled on {@code AUDITLOG}, and only after
 * {@code postGrant} returns. If {@code postGrant} throws, the ACL table has already been
 * changed and no audit line is produced for that change.</li>
 * <li>{@code caller} is {@code null} in the audit line when no request user is available.</li>
 * </ul>
 *
 * @param controller RPC controller (unused here)
 * @param request carries the permission to grant and the merge flag
 * @return the default {@code GrantResponse} instance
 * @throws ServiceException wrapping any {@link IOException}, including the
 *         {@code DoNotRetryIOException} raised when the coprocessor is not loaded
 */
@Override
public GrantResponse grant(RpcController controller, GrantRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }

    final UserPermission requested =
        ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
    final boolean merge = request.getMergeExistingPermissions();

    master.cpHost.preGrant(requested, merge);
    try (Table aclTable = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.addUserPermission(getConfiguration(), requested, aclTable, merge);
    }
    master.cpHost.postGrant(requested, merge);

    User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // The audit log records permission changes as well as authorization results.
      String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller,
        remoteAddress, requested);
    }
    return GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
 
Example 7
Source Project: hbase   Source File: MasterRpcServices.java    License: Apache License 2.0
/**
 * Master-side handler for the {@code revoke} RPC.
 *
 * <p>Order of operations: initialisation check, check that the access-control coprocessor is
 * loaded, {@code preRevoke} hook, removal from the ACL table, {@code postRevoke} hook, audit
 * line.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>No check of the caller's own privileges is visible in this method. NOTE(review):
 * presumably the {@code preRevoke} hook enforces it; confirm against the loaded observer.</li>
 * <li>The audit line is written only when TRACE is enabled on {@code AUDITLOG}, and only after
 * {@code postRevoke} returns. If {@code postRevoke} throws, the ACL table has already been
 * changed and no audit line is produced for that change.</li>
 * <li>{@code caller} is {@code null} in the audit line when no request user is available.</li>
 * </ul>
 *
 * @param controller RPC controller (unused here)
 * @param request carries the permission to revoke
 * @return the default {@code RevokeResponse} instance
 * @throws ServiceException wrapping any {@link IOException}, including the
 *         {@code DoNotRetryIOException} raised when the coprocessor is not loaded
 */
@Override
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }

    final UserPermission revoked =
        ShadedAccessControlUtil.toUserPermission(request.getUserPermission());

    master.cpHost.preRevoke(revoked);
    try (Table aclTable = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.removeUserPermission(master.getConfiguration(), revoked, aclTable);
    }
    master.cpHost.postRevoke(revoked);

    User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // The audit log should record every permission change.
      String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller,
        remoteAddress, revoked);
    }
    return RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
 
Example 8
Source Project: hbase   Source File: SnapshotDescriptionUtils.java    License: Apache License 2.0
/**
 * Returns a copy of {@code snapshot} with the source table's permissions embedded in it.
 *
 * <p>The ACL lookup runs inside {@code User.runAsLoginUser}. NOTE(review): that presumably
 * means it executes with the server process's login identity rather than the identity of
 * whoever requested the snapshot, so the embedded ACL does not depend on the requester's own
 * read access to the permission store; confirm against {@code User}.
 *
 * @param snapshot description whose table name selects the permissions to read
 * @param conf configuration handed to {@code PermissionStorage}
 * @return a rebuilt description carrying the users-and-permissions field
 * @throws IOException declared for failures of the privileged read
 */
private static SnapshotDescription writeAclToSnapshotDescription(SnapshotDescription snapshot,
    Configuration conf) throws IOException {
  PrivilegedExceptionAction<ListMultimap<String, UserPermission>> readTableAcl =
      () -> PermissionStorage.getTablePermissions(conf, TableName.valueOf(snapshot.getTable()));
  ListMultimap<String, UserPermission> tableAcl = User.runAsLoginUser(readTableAcl);
  return snapshot.toBuilder()
      .setUsersAndPermissions(ShadedAccessControlUtil.toUserTablePermissions(tableAcl))
      .build();
}
 
Example 9
Source Project: hbase   Source File: RawAsyncHBaseAdmin.java    License: Apache License 2.0
/**
 * Sends a grant request through {@code newMasterCaller()} and returns the pending result.
 *
 * <p>The protobuf request is built inside the action, i.e. each time the action is invoked.
 * The response body is discarded ({@code response -> null}); only completion or failure of the
 * future tells the caller whether the grant went through.
 *
 * @param userPermission the permission to grant
 * @param mergeExistingPermissions forwarded into the request
 * @return a future that completes with {@code null} once the call has finished
 */
@Override
public CompletableFuture<Void> grant(UserPermission userPermission,
    boolean mergeExistingPermissions) {
  return this.<Void> newMasterCaller().action((controller, stub) -> {
    GrantRequest grantRequest =
        ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions);
    return this.<GrantRequest, GrantResponse, Void> call(controller, stub, grantRequest,
      (service, rpcController, req, done) -> service.grant(rpcController, req, done),
      response -> null);
  }).call();
}
 
Example 10
Source Project: hbase   Source File: RawAsyncHBaseAdmin.java    License: Apache License 2.0
/**
 * Sends a revoke request through {@code newMasterCaller()} and returns the pending result.
 *
 * <p>The protobuf request is built inside the action, i.e. each time the action is invoked.
 * The response body is discarded ({@code response -> null}); only completion or failure of the
 * future tells the caller whether the revoke went through.
 *
 * @param userPermission the permission to revoke
 * @return a future that completes with {@code null} once the call has finished
 */
@Override
public CompletableFuture<Void> revoke(UserPermission userPermission) {
  return this.<Void> newMasterCaller().action((controller, stub) -> {
    RevokeRequest revokeRequest = ShadedAccessControlUtil.buildRevokeRequest(userPermission);
    return this.<RevokeRequest, RevokeResponse, Void> call(controller, stub, revokeRequest,
      (service, rpcController, req, done) -> service.revoke(rpcController, req, done),
      response -> null);
  }).call();
}
 
Example 11
Source Project: hbase   Source File: RawAsyncHBaseAdmin.java    License: Apache License 2.0
/**
 * Sends a permission query through {@code newMasterCaller()} and converts the protobuf entries
 * in the response to {@link UserPermission} objects.
 *
 * <p>The protobuf request is built inside the action, i.e. each time the action is invoked.
 *
 * @param getUserPermissionsRequest client-side description of which permissions to list
 * @return a future holding the converted permission list
 */
@Override
public CompletableFuture<List<UserPermission>>
    getUserPermissions(GetUserPermissionsRequest getUserPermissionsRequest) {
  return this.<List<UserPermission>> newMasterCaller().action((controller, stub) -> {
    AccessControlProtos.GetUserPermissionsRequest protoRequest =
        ShadedAccessControlUtil.buildGetUserPermissionsRequest(getUserPermissionsRequest);
    return this.<AccessControlProtos.GetUserPermissionsRequest, GetUserPermissionsResponse,
        List<UserPermission>> call(controller, stub, protoRequest,
          (service, rpcController, req, done) ->
            service.getUserPermissions(rpcController, req, done),
          response -> response.getUserPermissionList().stream()
            .map(protoPerm -> ShadedAccessControlUtil.toUserPermission(protoPerm))
            .collect(Collectors.toList()));
  }).call();
}
 
Example 12
/**
 * Reports whether {@code userName} holds CREATE on {@code tableName}.
 *
 * <p>The name is checked in three spellings (as given, upper-cased, lower-cased) and the
 * method returns {@code true} only when every spelling has an entry that implies CREATE.
 * NOTE(review): confirm that this all-of rule is intended, as opposed to accepting any one
 * spelling.
 *
 * <p>NOTE(review): {@code toUpperCase()} / {@code toLowerCase()} use the JVM default locale, so
 * the derived spellings of a principal name can differ between hosts; a fixed locale keeps an
 * authorization check deterministic. Confirm how names are normalised where they are granted
 * before changing it.
 *
 * @param tableName table whose permissions are fetched and tested
 * @param userName principal to test
 * @return {@code true} if all three spellings imply CREATE on the table
 * @throws Throwable propagated from {@code AccessControlClient.getUserPermissions}
 */
private boolean hasCreatePrivilege(String tableName, String userName) throws Throwable{
    List<UserPermission> granted = AccessControlClient.getUserPermissions(admin.getConnection(), tableName);
    List<String> nameVariants = Arrays.asList(userName, userName.toUpperCase(), userName.toLowerCase());
    for (String variant : nameVariants) {
        UserPermission entry = getPermission(granted, variant);
        if (entry == null) {
            return false;
        }
        if (!entry.implies(TableName.valueOf(tableName), null, null, Permission.Action.CREATE)) {
            return false;
        }
    }
    return true;
}
 
Example 13
/**
 * Reports whether {@code userName} holds WRITE, READ and EXEC on the namespace.
 *
 * <p>Permissions are fetched with the key {@code "@" + spliceNamespace}. The name is checked in
 * three spellings (as given, upper-cased, lower-cased) and the method returns {@code true}
 * only when every spelling has an entry that implies all three actions. NOTE(review): confirm
 * that this all-of rule is intended, as opposed to accepting any one spelling.
 *
 * <p>NOTE(review): {@code toUpperCase()} / {@code toLowerCase()} use the JVM default locale, so
 * the derived spellings of a principal name can differ between hosts; a fixed locale keeps an
 * authorization check deterministic. Confirm how names are normalised where they are granted
 * before changing it.
 *
 * @param userName principal to test
 * @param spliceNamespace namespace to test against
 * @return {@code true} if all three spellings imply WRITE, READ and EXEC
 * @throws Throwable propagated from {@code AccessControlClient.getUserPermissions}
 */
private boolean hasPrivileges(String userName, String spliceNamespace) throws Throwable {
    String namespaceAclKey = "@"+spliceNamespace;
    List<UserPermission> granted = AccessControlClient.getUserPermissions(admin.getConnection(), namespaceAclKey);
    List<Permission.Action> required =
            Arrays.asList(Permission.Action.WRITE, Permission.Action.READ, Permission.Action.EXEC);
    List<String> nameVariants = Arrays.asList(userName, userName.toUpperCase(), userName.toLowerCase());
    for (String variant : nameVariants) {
        UserPermission entry = getPermission(granted, variant);
        if (entry == null) {
            return false;
        }
        for (Permission.Action action : required) {
            if (!entry.implies(spliceNamespace, action)) {
                return false;
            }
        }
    }
    return true;
}
 
Example 14
/**
 * Finds the first entry in {@code permissions} whose user bytes equal the bytes of
 * {@code userName}.
 *
 * <p>The comparison is byte-wise, so it is case-sensitive. Only the first match is returned;
 * if the list holds several entries for one user, later ones are ignored, which matters when
 * the result feeds an authorization decision.
 *
 * @param permissions entries to scan; must not be {@code null}
 * @param userName principal to look for
 * @return the first matching entry, or {@code null} when none matches
 */
private UserPermission getPermission(List<UserPermission> permissions, String userName) {
    UserPermission found = null;
    for (UserPermission entry : permissions) {
        boolean sameUser = Bytes.equals(entry.getUser(), Bytes.toBytes(userName));
        if (sameUser) {
            found = entry;
            break;
        }
    }
    return found;
}
 
Example 15
Source Project: hbase   Source File: ThriftAdmin.java    License: Apache License 2.0
/**
 * Unsupported in this admin: always throws, so no permission is ever granted through it.
 *
 * @param userPermission ignored
 * @param mergeExistingPermissions ignored
 * @throws NotImplementedException always
 */
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions) {
  String reason = "grant not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
 
Example 16
Source Project: hbase   Source File: ThriftAdmin.java    License: Apache License 2.0
/**
 * Unsupported in this admin: always throws, so no permission is ever revoked through it.
 *
 * @param userPermission ignored
 * @throws NotImplementedException always
 */
@Override
public void revoke(UserPermission userPermission) {
  String reason = "revoke not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
 
Example 17
Source Project: hbase   Source File: ThriftAdmin.java    License: Apache License 2.0
/**
 * Unsupported in this admin: always throws instead of returning a permission list.
 *
 * @param getUserPermissionsRequest ignored
 * @return never returns normally
 * @throws NotImplementedException always
 */
@Override
public List<UserPermission> getUserPermissions(
    GetUserPermissionsRequest getUserPermissionsRequest) {
  String reason = "getUserPermissions not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
 
Example 18
Source Project: hbase   Source File: MasterRpcServices.java    License: Apache License 2.0
/**
 * Master-side handler for the {@code getUserPermissions} RPC.
 *
 * <p>Every filter field of the request is optional; absent fields become {@code null}. The
 * lookup is chosen by the request type: table, namespace, or (anything else, including an
 * absent type) the global lookup. For the global lookup without a user filter, each name from
 * {@code Superusers.getSuperUsers()} is appended with all actions, because the permission
 * store does not hold superusers.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>No check of the caller's own privileges is visible in this method. NOTE(review):
 * presumably {@code preGetUserPermissions} enforces it; confirm against the loaded
 * observer, since the response enumerates grants and superuser names.</li>
 * <li>NOTE(review): the superuser entries are built with {@code Permission.newBuilder()} and
 * no table name, which does not obviously match older wording about using the acl table
 * name; confirm which form clients are expected to see.</li>
 * </ul>
 *
 * @param controller RPC controller (unused here)
 * @param request optional user, namespace, table, family, qualifier and type filters
 * @return the matching permissions in protobuf form
 * @throws ServiceException wrapping any {@link IOException}, including the
 *         {@code DoNotRetryIOException} raised when the coprocessor is not loaded
 */
@Override
public GetUserPermissionsResponse getUserPermissions(RpcController controller,
    GetUserPermissionsRequest request) throws ServiceException {
  try {
    master.checkInitialized();
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }

    String userName = null;
    if (request.hasUserName()) {
      userName = request.getUserName().toStringUtf8();
    }
    String namespace = null;
    if (request.hasNamespaceName()) {
      namespace = request.getNamespaceName().toStringUtf8();
    }
    TableName table = null;
    if (request.hasTableName()) {
      table = ProtobufUtil.toTableName(request.getTableName());
    }
    byte[] cf = null;
    if (request.hasColumnFamily()) {
      cf = request.getColumnFamily().toByteArray();
    }
    byte[] cq = null;
    if (request.hasColumnQualifier()) {
      cq = request.getColumnQualifier().toByteArray();
    }
    Type permissionType = null;
    if (request.hasType()) {
      permissionType = request.getType();
    }

    master.getMasterCoprocessorHost().preGetUserPermissions(userName, namespace, table, cf, cq);

    final boolean filterByUser = userName != null;
    List<UserPermission> perms;
    if (permissionType == Type.Table) {
      // A column family in the request also switches filtering on for the table lookup.
      perms = PermissionStorage.getUserTablePermissions(master.getConfiguration(), table, cf,
        cq, userName, cf != null || filterByUser);
    } else if (permissionType == Type.Namespace) {
      perms = PermissionStorage.getUserNamespacePermissions(master.getConfiguration(),
        namespace, userName, filterByUser);
    } else {
      perms = PermissionStorage.getUserPermissions(master.getConfiguration(), null, null, null,
        userName, filterByUser);
      // Superusers are skipped when the caller asked about one specific user.
      if (!filterByUser) {
        // PermissionStorage does not store superusers, so they are added to the result here
        // with every action.
        for (String superUser : Superusers.getSuperUsers()) {
          perms.add(new UserPermission(superUser,
              Permission.newBuilder().withActions(Action.values()).build()));
        }
      }
    }

    master.getMasterCoprocessorHost().postGetUserPermissions(userName, namespace, table, cf,
      cq);
    return ShadedAccessControlUtil.buildGetUserPermissionsResponse(perms);
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
 
Example 19
Source Project: hbase   Source File: TestAsyncAccessControlAdminApi.java    License: Apache License 2.0
/**
 * End-to-end check of the async access-control admin calls: grants READ on a table to user1,
 * reads the permission back unfiltered and filtered by user, then exercises
 * {@code hasUserPermissions} both as the test's admin and as user2.
 *
 * <p>The steps depend on each other (the grant must precede every query), so their order is
 * significant.
 */
@Test
public void test() throws Exception {
  TableName tableName = TableName.valueOf("test-table");
  String userName1 = "user1";
  String userName2 = "user2";
  User user2 = User.createUserForTesting(TEST_UTIL.getConfiguration(), userName2, new String[0]);
  Permission permission =
      Permission.newBuilder(tableName).withActions(Permission.Action.READ).build();
  UserPermission userPermission = new UserPermission(userName1, permission);

  // grant user1 table permission
  admin.grant(userPermission, false).get();

  // get table permissions without a user filter: exactly the one grant is expected
  List<UserPermission> userPermissions =
      admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()).get();
  assertEquals(1, userPermissions.size());
  assertEquals(userPermission, userPermissions.get(0));

  // get table permissions filtered by user1: the same single grant is expected
  userPermissions =
      admin
          .getUserPermissions(
            GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName1).build())
          .get();
  assertEquals(1, userPermissions.size());
  assertEquals(userPermission, userPermissions.get(0));

  // get table permissions filtered by user2, who was granted nothing
  userPermissions =
      admin
          .getUserPermissions(
            GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName2).build())
          .get();
  assertEquals(0, userPermissions.size());

  // has user permission
  List<Permission> permissions = Lists.newArrayList(permission);
  boolean hasPermission =
      admin.hasUserPermissions(userName1, permissions).get().get(0).booleanValue();
  assertTrue(hasPermission);
  hasPermission = admin.hasUserPermissions(userName2, permissions).get().get(0).booleanValue();
  assertFalse(hasPermission);

  // user2 asking about user1's permissions is expected to fail
  AccessTestAction hasPermissionAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (AsyncConnection conn =
          ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
        return conn.getAdmin().hasUserPermissions(userName1, permissions).get().get(0);
      }
    }
  };
  try {
    user2.runAs(hasPermissionAction);
    // fail() raises an AssertionError, which the catch (Exception) below does not swallow
    fail("Should not come here");
  } catch (Exception e) {
    // NOTE(review): any Exception passes here, so the test does not pin that the failure is
    // an access-denied error rather than, say, a connection problem
    LOG.error("Call has permission error", e);
  }

  // check permission
  // the returned future is not awaited or asserted on here
  admin.hasUserPermissions(permissions);
  // user2 checking its own permissions is allowed and must report false
  AccessTestAction checkPermissionsAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (AsyncConnection conn =
          ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
        return conn.getAdmin().hasUserPermissions(permissions).get().get(0);
      }
    }
  };
  assertFalse((Boolean) user2.runAs(checkPermissionsAction));
}
 
Example 20
Source Project: hbase   Source File: VerifyingRSGroupAdmin.java    License: Apache License 2.0
/**
 * Forwards the grant unchanged to the wrapped {@code admin}; nothing is checked or altered
 * here.
 *
 * @param userPermission the permission to grant
 * @param mergeExistingPermissions forwarded unchanged
 * @throws IOException propagated from the wrapped admin
 */
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
  throws IOException {
  admin.grant(userPermission, mergeExistingPermissions);
}
 
Example 21
Source Project: hbase   Source File: VerifyingRSGroupAdmin.java    License: Apache License 2.0
/**
 * Forwards the revoke unchanged to the wrapped {@code admin}; nothing is checked or altered
 * here.
 *
 * @param userPermission the permission to revoke
 * @throws IOException propagated from the wrapped admin
 */
public void revoke(UserPermission userPermission) throws IOException {
  admin.revoke(userPermission);
}
 
Example 22
Source Project: hbase   Source File: VerifyingRSGroupAdmin.java    License: Apache License 2.0
/**
 * Forwards the query unchanged to the wrapped {@code admin} and returns its answer as is.
 *
 * @param getUserPermissionsRequest description of which permissions to list
 * @return the list produced by the wrapped admin
 * @throws IOException propagated from the wrapped admin
 */
public List<UserPermission>
  getUserPermissions(GetUserPermissionsRequest getUserPermissionsRequest) throws IOException {
  List<UserPermission> delegated = admin.getUserPermissions(getUserPermissionsRequest);
  return delegated;
}
 
Example 23
Source Project: hbase   Source File: AsyncHBaseAdmin.java    License: Apache License 2.0
/**
 * Delegates the grant to {@code rawAdmin} and passes the resulting future through
 * {@code wrap}.
 *
 * @param userPermission the permission to grant
 * @param mergeExistingPermissions forwarded unchanged
 * @return the wrapped future of the delegated call
 */
@Override
public CompletableFuture<Void> grant(UserPermission userPermission,
    boolean mergeExistingPermissions) {
  CompletableFuture<Void> pending = rawAdmin.grant(userPermission, mergeExistingPermissions);
  return wrap(pending);
}
 
Example 24
Source Project: hbase   Source File: AsyncHBaseAdmin.java    License: Apache License 2.0
/**
 * Delegates the revoke to {@code rawAdmin} and passes the resulting future through
 * {@code wrap}.
 *
 * @param userPermission the permission to revoke
 * @return the wrapped future of the delegated call
 */
@Override
public CompletableFuture<Void> revoke(UserPermission userPermission) {
  CompletableFuture<Void> pending = rawAdmin.revoke(userPermission);
  return wrap(pending);
}
 
Example 25
Source Project: hbase   Source File: AsyncHBaseAdmin.java    License: Apache License 2.0
/**
 * Delegates the permission query to {@code rawAdmin} and passes the resulting future through
 * {@code wrap}.
 *
 * @param getUserPermissionsRequest description of which permissions to list
 * @return the wrapped future of the delegated call
 */
@Override
public CompletableFuture<List<UserPermission>>
    getUserPermissions(GetUserPermissionsRequest getUserPermissionsRequest) {
  CompletableFuture<List<UserPermission>> pending =
      rawAdmin.getUserPermissions(getUserPermissionsRequest);
  return wrap(pending);
}
 
Example 26
Source Project: hbase   Source File: AdminOverAsyncAdmin.java    License: Apache License 2.0
/**
 * Starts the grant on the underlying {@code admin} and hands its result to {@code get}, so
 * this method returns only after {@code get} has returned.
 *
 * @param userPermission the permission to grant
 * @param mergeExistingPermissions forwarded unchanged
 * @throws IOException declared for failures surfaced by {@code get}
 */
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  get(admin.grant(userPermission, mergeExistingPermissions));
}
 
Example 27
Source Project: hbase   Source File: AdminOverAsyncAdmin.java    License: Apache License 2.0
/**
 * Starts the revoke on the underlying {@code admin} and hands its result to {@code get}, so
 * this method returns only after {@code get} has returned.
 *
 * @param userPermission the permission to revoke
 * @throws IOException declared for failures surfaced by {@code get}
 */
@Override
public void revoke(UserPermission userPermission) throws IOException {
  get(admin.revoke(userPermission));
}
 
Example 28
Source Project: hbase   Source File: AdminOverAsyncAdmin.java    License: Apache License 2.0
/**
 * Starts the permission query on the underlying {@code admin}, hands its result to
 * {@code get}, and returns what {@code get} yields.
 *
 * @param getUserPermissionsRequest description of which permissions to list
 * @return the permission list obtained through {@code get}
 * @throws IOException declared for failures surfaced by {@code get}
 */
@Override
public List<UserPermission> getUserPermissions(
    GetUserPermissionsRequest getUserPermissionsRequest) throws IOException {
  List<UserPermission> result = get(admin.getUserPermissions(getUserPermissionsRequest));
  return result;
}
 
Example 29
Source Project: phoenix   Source File: CompatPermissionUtil.java    License: Apache License 2.0
/**
 * Returns the user of {@code userPermission} as a string, decoded with
 * {@code Bytes.toString} from the bytes that {@code getUser()} yields.
 *
 * <p>No trimming or case normalisation is applied, so callers comparing the result against a
 * principal name compare it exactly as stored.
 *
 * @param userPermission entry to read; must not be {@code null}
 * @return the decoded user name
 */
public static String getUserFromUP(UserPermission userPermission) {
    byte[] rawUser = userPermission.getUser();
    return Bytes.toString(rawUser);
}
 
Example 30
Source Project: phoenix   Source File: CompatPermissionUtil.java    License: Apache License 2.0
/**
 * Returns the given {@code userPermission} itself, typed as a {@link Permission}; no copy is
 * made, so the result is the same object the caller passed in.
 *
 * @param userPermission entry to view as a {@code Permission}
 * @return the same instance, or {@code null} if {@code userPermission} is {@code null}
 */
public static Permission getPermissionFromUP(UserPermission userPermission) {
    Permission asPermission = userPermission;
    return asPermission;
}