org.apache.hadoop.hbase.security.access.UserPermission Java Examples

The following examples show how to use org.apache.hadoop.hbase.security.access.UserPermission. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: PhoenixAccessController.java    From phoenix with Apache License 2.0 6 votes vote down vote up
/**
 * Selects the entries of {@code perms} whose user name equals {@code user}.
 *
 * <p>The comparison is exact {@code String} equality, so names that differ only in case do not
 * match.
 *
 * @param perms permission entries to search; may be {@code null}
 * @param user user name to look for
 * @return every matching entry, or {@code null} when {@code perms} is {@code null} or nothing
 *     matches (callers get {@code null}, never an empty list)
 */
private List<UserPermission> getPermissionForUser(List<UserPermission> perms, String user) {
    if (perms == null) {
        return null;
    }
    // More than one AccessControl coprocessor implementation can report a grant for the same
    // user, so every match is collected rather than only the first.
    List<UserPermission> matches = new ArrayList<>();
    for (UserPermission candidate : perms) {
        String owner = getUserFromUP(candidate);
        if (owner.equals(user)) {
            matches.add(candidate);
        }
    }
    return matches.isEmpty() ? null : matches;
}
 
Example #2
Source File: HBasePartitionAdmin.java    From spliceengine with GNU Affero General Public License v3.0 5 votes vote down vote up
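/**
 * Reports whether {@code userName} holds CREATE on {@code tableName}.
 *
 * <p>The table's ACL entries are fetched once and then looked up under three spellings of the
 * name: as given, upper-cased and lower-cased. Every spelling must resolve to an entry that
 * implies CREATE; a missing entry or a missing action under any spelling yields {@code false},
 * so the check fails closed.
 *
 * @param tableName table whose ACL is consulted
 * @param userName principal to check
 * @return {@code true} only when all three spellings carry CREATE on the table
 * @throws Throwable whatever the ACL lookup or the permission check throws
 */
private boolean hasCreatePrivilege(String tableName, String userName) throws Throwable{
    List<UserPermission> permissions = AccessControlClient.getUserPermissions(admin.getConnection(), tableName);
    // Case-map with Locale.ROOT. The no-argument overloads use the JVM's default locale, and under
    // some locales (Turkish is the usual example) "i" and "I" map to different characters, so the
    // spelling looked up in the ACL would depend on the host's locale instead of on the name.
    List<String> spellings = Arrays.asList(
            userName,
            userName.toUpperCase(java.util.Locale.ROOT),
            userName.toLowerCase(java.util.Locale.ROOT));
    for (String user : spellings) {
        UserPermission up = getPermission(permissions, user);
        if (up == null || !up.implies(TableName.valueOf(tableName), null, null, Permission.Action.CREATE)) {
            return false;
        }
    }
    return true;
}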
 
Example #3
Source File: RawAsyncHBaseAdmin.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Asks the master for the permissions selected by {@code getUserPermissionsRequest}.
 *
 * <p>The request is converted to its protobuf form, sent through the master caller, and each
 * entry of the response is converted back with {@code ShadedAccessControlUtil.toUserPermission}.
 * No check of the caller's own rights is visible in this method.
 * NOTE(review): presumably the master enforces access on this RPC; confirm on the server side.
 *
 * @param getUserPermissionsRequest selection criteria for the lookup
 * @return a future that completes with the converted permission list
 */
@Override
public CompletableFuture<List<UserPermission>>
    getUserPermissions(GetUserPermissionsRequest getUserPermissionsRequest) {
  return this.<List<UserPermission>> newMasterCaller().action((rpcController, masterStub) -> {
    // Converted inside the action, i.e. each time the caller runs the action.
    AccessControlProtos.GetUserPermissionsRequest protoRequest =
        ShadedAccessControlUtil.buildGetUserPermissionsRequest(getUserPermissionsRequest);
    return this.<AccessControlProtos.GetUserPermissionsRequest, GetUserPermissionsResponse,
        List<UserPermission>> call(rpcController, masterStub, protoRequest,
          (service, ctrl, req, callback) -> service.getUserPermissions(ctrl, req, callback),
          response -> response.getUserPermissionList().stream()
            .map(entry -> ShadedAccessControlUtil.toUserPermission(entry))
            .collect(Collectors.toList()));
  }).call();
}
 
Example #4
Source File: RawAsyncHBaseAdmin.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Sends a revoke request for {@code userPermission} to the master.
 *
 * <p>This method only converts and forwards the request; no authorization decision is made
 * here. The response body is discarded and the future completes with {@code null}.
 *
 * @param userPermission the user/permission pair to revoke
 * @return a future that completes when the master has answered
 */
@Override
public CompletableFuture<Void> revoke(UserPermission userPermission) {
  return this.<Void> newMasterCaller().action((rpcController, masterStub) -> {
    RevokeRequest protoRequest = ShadedAccessControlUtil.buildRevokeRequest(userPermission);
    return this.<RevokeRequest, RevokeResponse, Void> call(rpcController, masterStub,
      protoRequest, (service, ctrl, req, callback) -> service.revoke(ctrl, req, callback),
      response -> null);
  }).call();
}
 
Example #5
Source File: RawAsyncHBaseAdmin.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Sends a grant request for {@code userPermission} to the master.
 *
 * <p>This method only converts and forwards the request; no authorization decision is made
 * here. The response body is discarded and the future completes with {@code null}.
 *
 * @param userPermission the user/permission pair to grant
 * @param mergeExistingPermissions forwarded unchanged into the grant request
 * @return a future that completes when the master has answered
 */
@Override
public CompletableFuture<Void> grant(UserPermission userPermission,
    boolean mergeExistingPermissions) {
  return this.<Void> newMasterCaller().action((rpcController, masterStub) -> {
    GrantRequest protoRequest =
        ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions);
    return this.<GrantRequest, GrantResponse, Void> call(rpcController, masterStub,
      protoRequest, (service, ctrl, req, callback) -> service.grant(ctrl, req, callback),
      response -> null);
  }).call();
}
 
Example #6
Source File: SnapshotDescriptionUtils.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Returns a copy of {@code snapshot} that also carries the ACL of the snapshotted table.
 *
 * <p>The table permissions are read through {@code User.runAsLoginUser}, not under the identity
 * of whoever requested the snapshot, and are then written into the description's
 * users-and-permissions field. The resulting description therefore holds access-control
 * metadata.
 * NOTE(review): confirm who may read stored snapshot descriptions.
 *
 * @param snapshot description to extend; its table name selects the ACL to read
 * @param conf configuration handed to the permission storage lookup
 * @return a rebuilt description including the table's users and permissions
 * @throws IOException if the privileged read fails
 */
private static SnapshotDescription writeAclToSnapshotDescription(SnapshotDescription snapshot,
    Configuration conf) throws IOException {
  PrivilegedExceptionAction<ListMultimap<String, UserPermission>> readTableAcl =
      new PrivilegedExceptionAction<ListMultimap<String, UserPermission>>() {
        @Override
        public ListMultimap<String, UserPermission> run() throws Exception {
          TableName snapshotTable = TableName.valueOf(snapshot.getTable());
          return PermissionStorage.getTablePermissions(conf, snapshotTable);
        }
      };
  ListMultimap<String, UserPermission> tableAcl = User.runAsLoginUser(readTableAcl);
  return snapshot.toBuilder()
      .setUsersAndPermissions(ShadedAccessControlUtil.toUserTablePermissions(tableAcl))
      .build();
}
 
Example #7
Source File: MasterRpcServices.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Master-side handler for the revoke RPC.
 *
 * <p>Order of work: verify the master is initialized, require the access-control service
 * coprocessor, run the {@code preRevoke} hook, delete the entry from the ACL table, run the
 * {@code postRevoke} hook, then write the audit record. No explicit check of the caller's
 * rights appears in this method.
 * NOTE(review): presumably the {@code preRevoke} hook rejects unauthorized callers; confirm.
 *
 * @param controller RPC controller (unused here)
 * @param request protobuf request carrying the user permission to remove
 * @return the default (empty) response on success
 * @throws ServiceException wrapping any {@link IOException}, including the
 *     {@code DoNotRetryIOException} raised when the access-control service is not loaded
 */
@Override
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    boolean aclServiceLoaded =
        master.cpHost != null && hasAccessControlServiceCoprocessor(master.cpHost);
    if (!aclServiceLoaded) {
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final UserPermission userPermission =
        ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
    master.cpHost.preRevoke(userPermission);
    try (Table aclTable = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.removeUserPermission(master.getConfiguration(), userPermission,
        aclTable);
    }
    master.cpHost.postRevoke(userPermission);
    // null when the RPC context carries no request user
    User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // Permission changes belong in the audit log. The record is written only while TRACE is
      // enabled on AUDITLOG; at any higher level this method leaves no entry for the revoke.
      String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller,
        remoteAddress, userPermission);
    }
    return RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
 
Example #8
Source File: MasterRpcServices.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Master-side handler for the grant RPC.
 *
 * <p>Order of work: verify the master is initialized, require the access-control service
 * coprocessor, run the {@code preGrant} hook, write the entry to the ACL table, run the
 * {@code postGrant} hook, then write the audit record. No explicit check of the caller's
 * rights appears in this method.
 * NOTE(review): presumably the {@code preGrant} hook rejects unauthorized callers; confirm.
 *
 * @param controller RPC controller (unused here)
 * @param request protobuf request carrying the user permission and the merge flag
 * @return the default (empty) response on success
 * @throws ServiceException wrapping any {@link IOException}, including the
 *     {@code DoNotRetryIOException} raised when the access-control service is not loaded
 */
@Override
public GrantResponse grant(RpcController controller, GrantRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    boolean aclServiceLoaded =
        master.cpHost != null && hasAccessControlServiceCoprocessor(master.cpHost);
    if (!aclServiceLoaded) {
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final UserPermission perm =
        ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
    boolean mergeExistingPermissions = request.getMergeExistingPermissions();
    master.cpHost.preGrant(perm, mergeExistingPermissions);
    try (Table aclTable = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.addUserPermission(getConfiguration(), perm, aclTable,
        mergeExistingPermissions);
    }
    master.cpHost.postGrant(perm, mergeExistingPermissions);
    // null when the RPC context carries no request user
    User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // The audit log should hold permission changes as well as auth results. The record is
      // written only while TRACE is enabled on AUDITLOG; at any higher level this method
      // leaves no entry for the grant.
      String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller,
        remoteAddress, perm);
    }
    return GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
 
Example #9
Source File: MasterCoprocessorHost.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Runs the {@code postRevoke} hook of the master observers.
 *
 * <p>When no coprocessor environment is registered, {@code null} is handed to
 * {@code execOperation} instead of an operation object.
 *
 * @param userPermission the permission that was revoked
 * @throws IOException if an observer or {@code execOperation} fails
 */
public void postRevoke(UserPermission userPermission) throws IOException {
  MasterObserverOperation operation = null;
  if (!coprocEnvironments.isEmpty()) {
    operation = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, passed as the observer's first argument
        observer.postRevoke(this, userPermission);
      }
    };
  }
  execOperation(operation);
}
 
Example #10
Source File: MasterCoprocessorHost.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Runs the {@code preRevoke} hook of the master observers before a permission is removed.
 *
 * <p>When no coprocessor environment is registered, {@code null} is handed to
 * {@code execOperation} and no observer object is created.
 * NOTE(review): if an observer is what authorizes the revoke, an empty environment list means
 * nothing vetoes it here; confirm the caller guards against that case.
 *
 * @param userPermission the permission about to be revoked
 * @throws IOException if an observer or {@code execOperation} fails
 */
public void preRevoke(UserPermission userPermission) throws IOException {
  MasterObserverOperation operation = null;
  if (!coprocEnvironments.isEmpty()) {
    operation = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, passed as the observer's first argument
        observer.preRevoke(this, userPermission);
      }
    };
  }
  execOperation(operation);
}
 
Example #11
Source File: MasterCoprocessorHost.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Runs the {@code postGrant} hook of the master observers.
 *
 * <p>When no coprocessor environment is registered, {@code null} is handed to
 * {@code execOperation} instead of an operation object.
 *
 * @param userPermission the permission that was granted
 * @param mergeExistingPermissions forwarded unchanged to each observer
 * @throws IOException if an observer or {@code execOperation} fails
 */
public void postGrant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  MasterObserverOperation operation = null;
  if (!coprocEnvironments.isEmpty()) {
    operation = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, passed as the observer's first argument
        observer.postGrant(this, userPermission, mergeExistingPermissions);
      }
    };
  }
  execOperation(operation);
}
 
Example #12
Source File: MasterCoprocessorHost.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Runs the {@code preGrant} hook of the master observers before a permission is stored.
 *
 * <p>When no coprocessor environment is registered, {@code null} is handed to
 * {@code execOperation} and no observer object is created.
 * NOTE(review): if an observer is what authorizes the grant, an empty environment list means
 * nothing vetoes it here; confirm the caller guards against that case.
 *
 * @param userPermission the permission about to be granted
 * @param mergeExistingPermissions forwarded unchanged to each observer
 * @throws IOException if an observer or {@code execOperation} fails
 */
public void preGrant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  MasterObserverOperation operation = null;
  if (!coprocEnvironments.isEmpty()) {
    operation = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        // `this` is the operation object itself, passed as the observer's first argument
        observer.preGrant(this, userPermission, mergeExistingPermissions);
      }
    };
  }
  execOperation(operation);
}
 
Example #13
Source File: HBasePartitionAdmin.java    From spliceengine with GNU Affero General Public License v3.0 5 votes vote down vote up
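/**
 * Reports whether {@code userName} holds WRITE, READ and EXEC on {@code spliceNamespace}.
 *
 * <p>The namespace ACL is fetched once (the namespace is addressed as {@code "@" + name}) and
 * then looked up under three spellings of the user name: as given, upper-cased and lower-cased.
 * Every spelling must resolve to an entry that implies all three actions; anything missing
 * yields {@code false}, so the check fails closed.
 *
 * @param userName principal to check
 * @param spliceNamespace namespace whose ACL is consulted
 * @return {@code true} only when all three spellings carry WRITE, READ and EXEC
 * @throws Throwable whatever the ACL lookup or the permission check throws
 */
private boolean hasPrivileges(String userName, String spliceNamespace) throws Throwable {
    List<UserPermission> permissions = AccessControlClient.getUserPermissions(admin.getConnection(), "@"+spliceNamespace);
    // Case-map with Locale.ROOT. The no-argument overloads use the JVM's default locale, and under
    // some locales (Turkish is the usual example) "i" and "I" map to different characters, so the
    // spelling looked up in the ACL would depend on the host's locale instead of on the name.
    List<String> spellings = Arrays.asList(
            userName,
            userName.toUpperCase(java.util.Locale.ROOT),
            userName.toLowerCase(java.util.Locale.ROOT));
    List<Permission.Action> required =
            Arrays.asList(Permission.Action.WRITE, Permission.Action.READ, Permission.Action.EXEC);
    for (String user : spellings) {
        UserPermission up = getPermission(permissions, user);
        if (up == null) {
            return false;
        }
        for (Permission.Action action : required) {
            if (!up.implies(spliceNamespace, action)) {
                return false;
            }
        }
    }
    return true;
}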
 
Example #14
Source File: HBasePartitionAdmin.java    From spliceengine with GNU Affero General Public License v3.0 5 votes vote down vote up
/**
 * Finds the first entry in {@code permissions} that belongs to {@code userName}.
 *
 * <p>User names are compared as byte arrays, so the match is exact and case-sensitive. Only
 * the first match is returned; later entries for the same user are never inspected.
 *
 * @param permissions entries to search
 * @param userName user to look for
 * @return the first matching entry, or {@code null} when there is none
 */
private UserPermission getPermission(List<UserPermission> permissions, String userName) {
    for (UserPermission candidate : permissions) {
        byte[] entryUser = candidate.getUser();
        byte[] wantedUser = Bytes.toBytes(userName);
        boolean sameUser = Bytes.equals(entryUser, wantedUser);
        if (sameUser) {
            return candidate;
        }
    }
    return null;
}
 
Example #15
Source File: AdminOverAsyncAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Grants {@code userPermission} by calling the wrapped admin's {@code grant} and passing its
 * result to {@code get}.
 * NOTE(review): {@code get} presumably waits for the asynchronous call to finish; confirm.
 *
 * @param userPermission the user/permission pair to grant
 * @param mergeExistingPermissions forwarded unchanged to the wrapped admin
 * @throws IOException if the delegated call fails
 */
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  get(admin.grant(userPermission, mergeExistingPermissions));
}
 
Example #16
Source File: ThriftAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Always rejects the call: this admin does not implement permission revocation.
 *
 * @param userPermission ignored
 * @throws NotImplementedException on every invocation
 */
@Override
public void revoke(UserPermission userPermission) {
  final String reason = "revoke not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
 
Example #17
Source File: AdminOverAsyncAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Revokes {@code userPermission} by calling the wrapped admin's {@code revoke} and passing its
 * result to {@code get}.
 * NOTE(review): {@code get} presumably waits for the asynchronous call to finish; confirm.
 *
 * @param userPermission the user/permission pair to revoke
 * @throws IOException if the delegated call fails
 */
@Override
public void revoke(UserPermission userPermission) throws IOException {
  get(admin.revoke(userPermission));
}
 
Example #18
Source File: AdminOverAsyncAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Looks up permissions by calling the wrapped admin's {@code getUserPermissions} and passing
 * its result to {@code get}.
 * NOTE(review): {@code get} presumably waits for the asynchronous call to finish; confirm.
 *
 * @param getUserPermissionsRequest selection criteria, forwarded unchanged
 * @return the value produced by {@code get} for the delegated call
 * @throws IOException if the delegated call fails
 */
@Override
public List<UserPermission> getUserPermissions(
    GetUserPermissionsRequest getUserPermissionsRequest) throws IOException {
  return get(admin.getUserPermissions(getUserPermissionsRequest));
}
 
Example #19
Source File: CompatPermissionUtil.java    From phoenix with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the user name of {@code userPermission} as a {@code String}.
 *
 * <p>In this compatibility variant the user is exposed as bytes and converted with
 * {@code Bytes.toString}.
 *
 * @param userPermission entry to read
 * @return the entry's user name
 */
public static String getUserFromUP(UserPermission userPermission) {
    byte[] rawUser = userPermission.getUser();
    return Bytes.toString(rawUser);
}
 
Example #20
Source File: CompatPermissionUtil.java    From phoenix with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the permission part of {@code userPermission}.
 *
 * <p>In this compatibility variant the entry is itself usable as a {@code Permission}, so the
 * same object is returned; no copy is made.
 *
 * @param userPermission entry to read
 * @return {@code userPermission} viewed as a {@code Permission}
 */
public static Permission getPermissionFromUP(UserPermission userPermission) {
    Permission asPermission = userPermission;
    return asPermission;
}
 
Example #21
Source File: CompatPermissionUtil.java    From phoenix with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the user name of {@code userPermission}.
 *
 * <p>In this compatibility variant {@code getUser()} already yields a {@code String}, so no
 * conversion is needed.
 *
 * @param userPermission entry to read
 * @return the entry's user name
 */
public static String getUserFromUP(UserPermission userPermission) {
    String userName = userPermission.getUser();
    return userName;
}
 
Example #22
Source File: CompatPermissionUtil.java    From phoenix with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the permission part of {@code userPermission}.
 *
 * <p>In this compatibility variant the permission is a separate object obtained through
 * {@code getPermission()}.
 *
 * @param userPermission entry to read
 * @return the permission held by the entry
 */
public static Permission getPermissionFromUP(UserPermission userPermission) {
    Permission granted = userPermission.getPermission();
    return granted;
}
 
Example #23
Source File: CompatPermissionUtil.java    From phoenix with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the user name of {@code userPermission} as a {@code String}.
 *
 * <p>The user is read as bytes and converted with {@code Bytes.toString}.
 *
 * @param userPermission entry to read
 * @return the entry's user name
 */
public static String getUserFromUP(UserPermission userPermission) {
    byte[] userBytes = userPermission.getUser();
    String userName = Bytes.toString(userBytes);
    return userName;
}
 
Example #24
Source File: CompatPermissionUtil.java    From phoenix with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the permission part of {@code userPermission}.
 *
 * <p>The argument is returned as-is under the {@code Permission} type; callers share the same
 * object rather than receiving a copy.
 *
 * @param userPermission entry to read
 * @return the same object, typed as {@code Permission}
 */
public static Permission getPermissionFromUP(UserPermission userPermission) {
    final Permission sameObject = userPermission;
    return sameObject;
}
 
Example #25
Source File: VerifyingRSGroupAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Forwards the revoke request to the wrapped admin unchanged; nothing is added or checked at
 * this layer.
 *
 * @param userPermission the user/permission pair to revoke
 * @throws IOException if the wrapped admin fails
 */
public void revoke(UserPermission userPermission) throws IOException {
  admin.revoke(userPermission);
}
 
Example #26
Source File: ThriftAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Always rejects the call: this admin does not implement permission grants.
 *
 * @param userPermission ignored
 * @param mergeExistingPermissions ignored
 * @throws NotImplementedException on every invocation
 */
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions) {
  final String reason = "grant not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
 
Example #27
Source File: ThriftAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Always rejects the call: this admin does not implement permission lookups.
 *
 * @param getUserPermissionsRequest ignored
 * @return never returns normally
 * @throws NotImplementedException on every invocation
 */
@Override
public List<UserPermission> getUserPermissions(
    GetUserPermissionsRequest getUserPermissionsRequest) {
  final String reason = "getUserPermissions not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
 
Example #28
Source File: MasterRpcServices.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Master-side handler that lists stored permissions.
 *
 * <p>Optional request fields (user, namespace, table, column family, qualifier, type) are read
 * as {@code null} when absent. The {@code preGetUserPermissions} hook runs before the lookup
 * and {@code postGetUserPermissions} after it. The lookup is dispatched on the permission
 * type: table, namespace, or (any other value, including none) global. No explicit check of
 * the caller's rights appears in this method.
 * NOTE(review): presumably the pre-hook rejects unauthorized callers; confirm.
 *
 * @param controller RPC controller (unused here)
 * @param request protobuf request describing which permissions to list
 * @return response built from the permissions found
 * @throws ServiceException wrapping any {@link IOException}, including the
 *     {@code DoNotRetryIOException} raised when the access-control service is not loaded
 */
@Override
public GetUserPermissionsResponse getUserPermissions(RpcController controller,
    GetUserPermissionsRequest request) throws ServiceException {
  try {
    master.checkInitialized();
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final String userName = request.hasUserName() ? request.getUserName().toStringUtf8() : null;
    String namespace =
        request.hasNamespaceName() ? request.getNamespaceName().toStringUtf8() : null;
    TableName table =
        request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;
    byte[] cf = request.hasColumnFamily() ? request.getColumnFamily().toByteArray() : null;
    byte[] cq =
        request.hasColumnQualifier() ? request.getColumnQualifier().toByteArray() : null;
    Type permissionType = request.hasType() ? request.getType() : null;
    master.getMasterCoprocessorHost().preGetUserPermissions(userName, namespace, table, cf, cq);

    // A user name in the request turns on filtering in every branch below.
    final boolean filterByUser = userName != null;
    List<UserPermission> perms;
    if (permissionType == Type.Table) {
      // Table lookups also filter when a column family was given.
      boolean filter = cf != null || filterByUser;
      perms = PermissionStorage.getUserTablePermissions(master.getConfiguration(), table, cf,
        cq, userName, filter);
    } else if (permissionType == Type.Namespace) {
      perms = PermissionStorage.getUserNamespacePermissions(master.getConfiguration(),
        namespace, userName, filterByUser);
    } else {
      perms = PermissionStorage.getUserPermissions(master.getConfiguration(), null, null, null,
        userName, filterByUser);
      // Superusers are appended only for an unfiltered listing.
      if (!filterByUser) {
        // PermissionStorage does not store superusers, so they are added to the result here
        // with every action. They are reported like any global admin entry (acl as the table
        // name), which avoids revealing that they are superusers.
        for (String superUser : Superusers.getSuperUsers()) {
          perms.add(new UserPermission(superUser,
              Permission.newBuilder().withActions(Action.values()).build()));
        }
      }
    }

    master.getMasterCoprocessorHost().postGetUserPermissions(userName, namespace, table, cf,
      cq);
    return ShadedAccessControlUtil.buildGetUserPermissionsResponse(perms);
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
 
Example #29
Source File: TestAsyncAccessControlAdminApi.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * End-to-end check of the async access-control admin API: grant a table READ permission to
 * user1, list permissions with and without a user filter, query {@code hasUserPermissions}
 * as the admin, and then repeat permission queries while running as user2, who was granted
 * nothing.
 */
@Test
public void test() throws Exception {
  TableName tableName = TableName.valueOf("test-table");
  String userName1 = "user1";
  String userName2 = "user2";
  // user2 is a test user with no groups; it never receives a grant in this test
  User user2 = User.createUserForTesting(TEST_UTIL.getConfiguration(), userName2, new String[0]);
  Permission permission =
      Permission.newBuilder(tableName).withActions(Permission.Action.READ).build();
  UserPermission userPermission = new UserPermission(userName1, permission);

  // grant user1 table permission (false = do not merge with existing permissions)
  admin.grant(userPermission, false).get();

  // get table permissions, no user filter: exactly the one grant is expected
  List<UserPermission> userPermissions =
      admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()).get();
  assertEquals(1, userPermissions.size());
  assertEquals(userPermission, userPermissions.get(0));

  // get table permissions filtered to user1: same single entry
  userPermissions =
      admin
          .getUserPermissions(
            GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName1).build())
          .get();
  assertEquals(1, userPermissions.size());
  assertEquals(userPermission, userPermissions.get(0));

  // get table permissions filtered to user2: nothing was granted, so the list is empty
  userPermissions =
      admin
          .getUserPermissions(
            GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName2).build())
          .get();
  assertEquals(0, userPermissions.size());

  // has user permission, asked by the admin about each user
  List<Permission> permissions = Lists.newArrayList(permission);
  boolean hasPermission =
      admin.hasUserPermissions(userName1, permissions).get().get(0).booleanValue();
  assertTrue(hasPermission);
  hasPermission = admin.hasUserPermissions(userName2, permissions).get().get(0).booleanValue();
  assertFalse(hasPermission);

  // user2 asking about user1's permissions is expected to be refused
  AccessTestAction hasPermissionAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (AsyncConnection conn =
          ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
        return conn.getAdmin().hasUserPermissions(userName1, permissions).get().get(0);
      }
    }
  };
  try {
    user2.runAs(hasPermissionAction);
    fail("Should not come here");
  } catch (Exception e) {
    // NOTE(review): any Exception satisfies this branch, not only an access-denied failure;
    // a connection error would also let the test pass. Consider asserting the cause type.
    LOG.error("Call has permission error", e);
  }

  // check permission
  // NOTE(review): the future returned by this call is neither awaited nor asserted on.
  admin.hasUserPermissions(permissions);
  // user2 checking its own permissions: allowed to ask, and the answer must be "no"
  AccessTestAction checkPermissionsAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (AsyncConnection conn =
          ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
        return conn.getAdmin().hasUserPermissions(permissions).get().get(0);
      }
    }
  };
  assertFalse((Boolean) user2.runAs(checkPermissionsAction));
}
 
Example #30
Source File: VerifyingRSGroupAdmin.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Forwards the grant request to the wrapped admin unchanged; nothing is added or checked at
 * this layer.
 *
 * @param userPermission the user/permission pair to grant
 * @param mergeExistingPermissions forwarded unchanged to the wrapped admin
 * @throws IOException if the wrapped admin fails
 */
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
  throws IOException {
  admin.grant(userPermission, mergeExistingPermissions);
}