Java Code Examples for org.apache.hadoop.hbase.security.access.Permission.Action

The following examples show how to use org.apache.hadoop.hbase.security.access.Permission.Action. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: ranger   Source File: HbaseAuthUtilsImpl.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public String getAccess(Action action) {
	switch(action) {
		case READ:
			return ACCESS_TYPE_READ;
		case WRITE:
			return ACCESS_TYPE_WRITE;
		case CREATE:
			return ACCESS_TYPE_CREATE;
		case ADMIN:
			return ACCESS_TYPE_ADMIN;
		case EXEC:
			return ACCESS_TYPE_EXECUTE;
		default:
			return action.name().toLowerCase();
	}
}
 
Example 2
Source Project: phoenix   Source File: PhoenixAccessController.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void preAlterTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType) throws IOException {
    if (!accessCheckEnabled) { return; }
    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
        observer.preModifyTable(getMasterObsevrverContext(), physicalTableName,
                TableDescriptorBuilder.newBuilder(physicalTableName).build());
        }
    }
    if (tableType == PTableType.VIEW) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
 
Example 3
Source Project: ranger   Source File: RangerAuthorizationCoprocessor.java    License: Apache License 2.0 6 votes vote down vote up
boolean canSkipAccessCheck(User user, final String operation, String access, final RegionCoprocessorEnvironment regionServerEnv) throws AccessDeniedException {

		// read access to metadata tables is always allowed and isn't audited.
		if (isAccessForMetaTables(regionServerEnv) && _authUtils.isReadAccess(access)) {
			LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
			return true;
		}
		// if write access is desired to metatables then global create access is sufficient
		if (_authUtils.isWriteAccess(access) && isAccessForMetaTables(regionServerEnv)) {
			String createAccess = _authUtils.getAccess(Action.CREATE);
			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
				.operation(operation)
				.remoteAddress(getRemoteAddress())
				.user(user)
				.access(createAccess)
				.buildRequest()
				.authorize();
			if (session.isAuthorized()) {
				// NOTE: this access isn't logged
				LOG.debug("isKnownAccessPattern: exiting: User has global create access, allowed!");
				return true;
			}
		}
		return false;
	}
 
Example 4
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
    List<TableName> tableNamesList, List<TableDescriptor> descriptors,
    String regex) throws IOException {
  // Skipping as checks in this case are already done by preGetTableDescriptors.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    return;
  }

  // Retains only those which passes authorization checks, as the checks weren't done as part
  // of preGetTableDescriptors.
  Iterator<TableDescriptor> itr = descriptors.iterator();
  while (itr.hasNext()) {
    TableDescriptor htd = itr.next();
    try {
      requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null,
          Action.ADMIN, Action.CREATE);
    } catch (AccessDeniedException e) {
      itr.remove();
    }
  }
}
 
Example 5
Source Project: phoenix   Source File: PhoenixAccessController.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void preDropTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType,
        List<PTable> indexes) throws IOException {
    if (!accessCheckEnabled) { return; }

    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
            observer.preDeleteTable(getMasterObsevrverContext(), physicalTableName);
        }
        if (indexes != null) {
            for (PTable index : indexes) {
                observer.preDeleteTable(getMasterObsevrverContext(),
                        TableName.valueOf(index.getPhysicalName().getBytes()));
            }
        }
    }
    //checking similar permission checked during the create of the view.
    if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
 
Example 6
Source Project: hbase   Source File: TestAccessController.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testNamespaceUserGrant() throws Exception {
  AccessTestAction getAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try(Connection conn = ConnectionFactory.createConnection(conf);
          Table t = conn.getTable(TEST_TABLE)) {
        return t.get(new Get(TEST_ROW));
      }
    }
  };

  String namespace = TEST_TABLE.getNamespaceAsString();

  // Grant namespace READ to USER_NONE, this should supersede any table permissions
  grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  // Now USER_NONE should be able to read
  verifyAllowed(getAction, USER_NONE);

  // Revoke namespace READ to USER_NONE
  revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  verifyDenied(getAction, USER_NONE);
}
 
Example 7
Source Project: hbase   Source File: TestAccessController2.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
  grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  try {
    AccessTestAction createAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
          new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
        tableDescriptor.setColumnFamily(
          new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
        try (Connection connection =
            ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
          try (Admin admin = connection.getAdmin()) {
            admin.createTable(tableDescriptor);
          }
        }
        return null;
      }
    };
    verifyAllowed(createAction, TESTGROUP1_USER1);
    verifyDenied(createAction, TESTGROUP2_USER1);
  } finally {
    revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  }
}
 
Example 8
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Append append) throws IOException {
  if (append.getAttribute(CHECK_COVERING_PERM) != null) {
    // We had failure with table, cf and q perm checks and now giving a chance for cell
    // perm check
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    AuthResult authResult = null;
    User user = getActiveUser(c);
    if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),
        append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {
      authResult = AuthResult.allow(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    } else {
      authResult = AuthResult.deny(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    }
    AccessChecker.logResult(authResult);
    if (authorizationEnabled && !authResult.isAllowed()) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }
  return null;
}
 
Example 9
Source Project: ranger   Source File: RangerAuthorizationCoprocessor.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void postGetProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
	/*if(!procInfoList.isEmpty()) {
		Iterator<Procedure<?>> itr = procInfoList.iterator();
		User user = this.getActiveUser();

		while(itr.hasNext()) {
			Procedure procInfo = itr.next();
			try {
				String owner = procInfo.getOwner();
				if (owner == null || !owner.equals(user.getShortName())) {
					requirePermission("getProcedures", Action.ADMIN);
				}
			} catch (AccessDeniedException var7) {
				itr.remove();
			}
		}

	}*/
	requirePermission(observerContext, "getProcedures", Action.ADMIN);
}
 
Example 10
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
     List<TableName> tableNamesList, List<TableDescriptor> descriptors,
     String regex) throws IOException {
  // We are delegating the authorization check to postGetTableDescriptors as we don't have
  // any concrete set of table names when a regex is present or the full list is requested.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the
    // request can be granted.
    try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
      for (TableName tableName : tableNamesList) {
        // Skip checks for a table that does not exist
        if (!admin.tableExists(tableName)) {
          continue;
        }
        requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN,
          Action.CREATE);
      }
    }
  }
}
 
Example 11
Source Project: hbase   Source File: TestAccessController.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testGlobalPermissionList() throws Exception {
  List<UserPermission> perms = systemUserConnection.getAdmin()
      .getUserPermissions(GetUserPermissionsRequest.newBuilder().build());

  Collection<String> superUsers = Superusers.getSuperUsers();
  List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1);
  adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Permission.newBuilder()
      .withActions(Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE).build()));
  for (String user : superUsers) {
    // Global permission
    adminPerms.add(
      new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build()));
  }
  assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
      "per setup", perms.size() == 5 + superUsers.size() &&
      hasFoundUserPermission(adminPerms, perms));
}
 
Example 12
Source Project: hbase   Source File: AccessChecker.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Checks that the user has the given global or namespace permission.
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param namespace Name space as requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 */
public void requireNamespacePermission(User user, String request, String namespace,
    String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserNamespace(user, namespace, permission)) {
      result =
          AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
 
Example 13
Source Project: hbase   Source File: ShadedAccessControlUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Convert a client user permission to a user permission shaded proto.
 */
public static AccessControlProtos.Permission.Action toPermissionAction(Permission.Action action) {
  switch (action) {
    case READ:
      return AccessControlProtos.Permission.Action.READ;
    case WRITE:
      return AccessControlProtos.Permission.Action.WRITE;
    case EXEC:
      return AccessControlProtos.Permission.Action.EXEC;
    case CREATE:
      return AccessControlProtos.Permission.Action.CREATE;
    case ADMIN:
      return AccessControlProtos.Permission.Action.ADMIN;
  }
  throw new IllegalArgumentException("Unknown action value " + action.name());
}
 
Example 14
Source Project: hbase   Source File: AccessChecker.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Authorizes that the current user has any of the given permissions for the
 * given table, column family and column qualifier.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param tableName Table requested
 * @param family    Column family requested
 * @param qualifier Column qualifier requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 * @throws IOException if obtaining the current user fails
 * @throws AccessDeniedException if user has no authorization
 */
public void requirePermission(User user, String request, TableName tableName, byte[] family,
    byte[] qualifier, String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {
      result = AuthResult.allow(request, "Table permission granted",
          user, permission, tableName, family, qualifier);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions",
        user, permission, tableName, family, qualifier);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
 
Example 15
Source Project: hbase   Source File: TestPermissionBuilder.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testBuildTablePermission() {
  TableName tableName = TableName.valueOf("ns", "table");
  byte[] family = Bytes.toBytes("f");
  byte[] qualifier = Bytes.toBytes("q");
  // check table permission without family or qualifier
  Permission permission =
      Permission.newBuilder(tableName).withActions(Action.WRITE, Action.READ).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(2, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.WRITE, permission.getActions()[1]);
  TablePermission tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertEquals(null, tPerm.getFamily());
  assertEquals(null, tPerm.getQualifier());

  // check table permission with family
  permission =
      Permission.newBuilder(tableName).withFamily(family).withActions(Action.EXEC).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(1, permission.getActions().length);
  assertEquals(Action.EXEC, permission.getActions()[0]);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(null, tPerm.getQualifier()));

  // check table permission with family and qualifier
  permission =
      Permission.newBuilder(tableName).withFamily(family).withQualifier(qualifier).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(0, permission.getActions().length);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(qualifier, tPerm.getQualifier()));
}
 
Example 16
Source Project: hbase   Source File: TestPermissionBuilder.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testBuildGlobalPermission() {
  // check global permission with empty action
  Permission permission = Permission.newBuilder().build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(0, permission.getActions().length);

  // check global permission with ADMIN action
  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("A")).build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(1, permission.getActions().length);
  assertTrue(permission.getActions()[0] == Action.ADMIN);

  byte[] qualifier = Bytes.toBytes("q");
  try {
    permission = Permission.newBuilder().withQualifier(qualifier)
        .withActions(Action.CREATE, Action.READ).build();
    fail("Should throw NPE");
  } catch (NullPointerException e) {
    // catch NPE because set qualifier but table name is null
  }

  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("ACP"))
      .withActions(Action.READ, Action.ADMIN).build();
  assertEquals(3, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.CREATE, permission.getActions()[1]);
  assertEquals(Action.ADMIN, permission.getActions()[2]);
}
 
Example 17
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Returns <code>true</code> if the current user is allowed the given action
 * over at least one of the column qualifiers in the given column families.
 */
private boolean hasFamilyQualifierPermission(User user,
    Action perm,
    RegionCoprocessorEnvironment env,
    Map<byte[], ? extends Collection<byte[]>> familyMap)
  throws IOException {
  RegionInfo hri = env.getRegion().getRegionInfo();
  TableName tableName = hri.getTable();

  if (user == null) {
    return false;
  }

  if (familyMap != null && familyMap.size() > 0) {
    // at least one family must be allowed
    for (Map.Entry<byte[], ? extends Collection<byte[]>> family :
        familyMap.entrySet()) {
      if (family.getValue() != null && !family.getValue().isEmpty()) {
        for (byte[] qualifier : family.getValue()) {
          if (getAuthManager().authorizeUserTable(user, tableName,
                family.getKey(), qualifier, perm)) {
            return true;
          }
        }
      } else {
        if (getAuthManager().authorizeUserFamily(user, tableName, family.getKey(), perm)) {
          return true;
        }
      }
    }
  } else if (LOG.isDebugEnabled()) {
    LOG.debug("Empty family map passed for permission check");
  }

  return false;
}
 
Example 18
Source Project: hbase   Source File: TestNamespaceCommands.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testAclTableEntries() throws Exception {
  String userTestNamespace = "userTestNsp";
  Table acl = UTIL.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
  try {
    ListMultimap<String, UserPermission> perms =
        PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    for (Map.Entry<String, UserPermission> entry : perms.entries()) {
      LOG.debug(Objects.toString(entry));
    }
    assertEquals(6, perms.size());

    // Grant and check state in ACL table
    grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
    assertTrue(result != null);
    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(7, perms.size());
    List<UserPermission> namespacePerms = perms.get(userTestNamespace);
    assertTrue(perms.containsKey(userTestNamespace));
    assertEquals(1, namespacePerms.size());
    assertEquals(TEST_NAMESPACE,
      ((NamespacePermission) namespacePerms.get(0).getPermission()).getNamespace());
    assertEquals(1, namespacePerms.get(0).getPermission().getActions().length);
    assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getPermission().getActions()[0]);

    // Revoke and check state in ACL table
    revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(6, perms.size());
  } finally {
    acl.close();
  }
}
 
Example 19
Source Project: hbase   Source File: TestAccessController.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testTableDeletion() throws Exception {
  User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
  final TableName tableName = TableName.valueOf(name.getMethodName());
  createTestTable(tableName);

  // Grant TABLE ADMIN privs
  grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tableName, null, null, Permission.Action.ADMIN);

  AccessTestAction deleteTableAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Connection unmanagedConnection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
      Admin admin = unmanagedConnection.getAdmin();
      try {
        deleteTable(TEST_UTIL, admin, tableName);
      } finally {
        admin.close();
        unmanagedConnection.close();
      }
      return null;
    }
  };

  verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
    USER_GROUP_WRITE);
  verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
 
Example 20
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
    TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc)
    throws IOException {
  // TODO: potentially check if this is a add/modify/delete column operation
  requirePermission(c, "modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
  return newDesc;
}
 
Example 21
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Increment increment)
    throws IOException {
  User user = getActiveUser(c);
  checkForReservedTagPresence(user, increment);

  // Require WRITE permission to the table, CF, and the KV to be replaced by
  // the incremented value
  RegionCoprocessorEnvironment env = c.getEnvironment();
  Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();
  AuthResult authResult = permissionGranted(OpType.INCREMENT,
      user, env, families, Action.WRITE);
  AccessChecker.logResult(authResult);
  if (!authResult.isAllowed()) {
    if (cellFeaturesEnabled && !compatibleEarlyTermination) {
      increment.setAttribute(CHECK_COVERING_PERM, TRUE);
    } else if (authorizationEnabled) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }

  byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
  if (bytes != null) {
    if (cellFeaturesEnabled) {
      addCellPermissions(bytes, increment.getFamilyCellMap());
    } else {
      throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
    }
  }

  return null;
}
 
Example 22
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Check the current user for authorization to perform a specific action
 * against the given set of row data.
 * @param opType the operation type
 * @param user the user
 * @param e the coprocessor environment
 * @param families the map of column families to qualifiers present in
 * the request
 * @param actions the desired actions
 * @return an authorization result
 */
private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
    Map<byte [], ? extends Collection<?>> families, Action... actions) {
  AuthResult result = null;
  for (Action action: actions) {
    result = accessChecker.permissionGranted(opType.toString(), user, action,
      e.getRegion().getRegionInfo().getTable(), families);
    if (!result.isAllowed()) {
      return result;
    }
  }
  return result;
}
 
Example 23
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,
    MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {
  if (cellFeaturesEnabled && !compatibleEarlyTermination) {
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    User user = getActiveUser(c);
    for (int i = 0; i < miniBatchOp.size(); i++) {
      Mutation m = miniBatchOp.getOperation(i);
      if (m.getAttribute(CHECK_COVERING_PERM) != null) {
        // We have a failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        OpType opType;
        if (m instanceof Put) {
          checkForReservedTagPresence(user, m);
          opType = OpType.PUT;
        } else {
          opType = OpType.DELETE;
        }
        AuthResult authResult = null;
        if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),
          m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) {
          authResult = AuthResult.allow(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        } else {
          authResult = AuthResult.deny(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        }
        AccessChecker.logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
          throw new AccessDeniedException("Insufficient permissions "
            + authResult.toContextString());
        }
      }
    }
  }
}
 
Example 24
Source Project: ranger   Source File: RangerAuthorizationCoprocessor.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
	RegionCoprocessorEnvironment env = e.getEnvironment();
	final Region region = env.getRegion();
	if (region == null) {
		LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
	} else {
		RegionInfo regionInfo = region.getRegionInfo();
		if (isSpecialTable(regionInfo)) {
			requireSystemOrSuperUser(regionEnv.getConfiguration(),e);
		} else {
			requirePermission(e, "open", getTableName(e.getEnvironment()), Action.ADMIN);
		}
	}
}
 
Example 25
Source Project: hbase   Source File: TestAccessController2.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testCreateWithCorrectOwner() throws Exception {
  // Create a test user
  final User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser",
    new String[0]);
  // Grant the test user the ability to create tables
  SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE);
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
        new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
      tableDescriptor.setColumnFamily(
        new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
      try (Connection connection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), testUser)) {
        try (Admin admin = connection.getAdmin()) {
          createTable(TEST_UTIL, admin, tableDescriptor);
        }
      }
      return null;
    }
  }, testUser);
  TEST_UTIL.waitTableAvailable(testTable.getTableName());
  // Verify that owner permissions have been granted to the test user on the
  // table just created
  List<UserPermission> perms = PermissionStorage
      .getTablePermissions(conf, testTable.getTableName()).get(testUser.getShortName());
  assertNotNull(perms);
  assertFalse(perms.isEmpty());
  // Should be RWXCA
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.READ));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.WRITE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.EXEC));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.CREATE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.ADMIN));
}
 
Example 26
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Authorization check for
 * SecureBulkLoadProtocol.prepareBulkLoad()
 * @param ctx the context
 * @throws IOException
 */
@Override
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
  requireAccess(ctx, "prePrepareBulkLoad",
      ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
      Action.CREATE);
}
 
Example 27
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
private void preGetUserPermissions(User caller, String userName, String namespace,
    TableName tableName, byte[] family, byte[] qualifier) throws IOException {
  if (tableName != null) {
    accessChecker.requirePermission(caller, "getUserPermissions", tableName, family, qualifier,
      userName, Action.ADMIN);
  } else if (namespace != null) {
    accessChecker.requireNamespacePermission(caller, "getUserPermissions", namespace, userName,
      Action.ADMIN);
  } else {
    accessChecker.requirePermission(caller, "getUserPermissions", userName, Action.ADMIN);
  }
}
 
Example 28
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
    TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
    Action... permissions) throws IOException {
  accessChecker.requireNamespacePermission(getActiveUser(ctx),
      request, namespace, tableName, familyMap,
      permissions);
}
 
Example 29
Source Project: hbase   Source File: ShadedAccessControlUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Converts a list of Permission.Action shaded proto to an array of client Permission.Action
 * objects.
 * @param protoActions the list of shaded protobuf Actions
 * @return the converted array of Actions
 */
public static Permission.Action[]
    toPermissionActions(List<AccessControlProtos.Permission.Action> protoActions) {
  Permission.Action[] actions = new Permission.Action[protoActions.size()];
  for (int i = 0; i < protoActions.size(); i++) {
    actions[i] = toPermissionAction(protoActions.get(i));
  }
  return actions;
}
 
Example 30
Source Project: hbase   Source File: AccessController.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
    throws IOException {
  // Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.
  requirePermission(ctx, "snapshot " + snapshot.getName(),
      hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
}