org.apache.hadoop.hbase.security.access.AccessController Java Examples
The following examples show how to use
org.apache.hadoop.hbase.security.access.AccessController.
Example #1
Source File: VisibilityController.java From hbase with Apache License 2.0 | 6 votes |
/****************************** Region related hooks ******************************/

/**
 * Region-open hook.
 *
 * <p>If the opened region belongs to the labels table ({@code LABELS_TABLE_NAME}), this
 * instance is flagged as the labels region and it is recorded, under the {@code this} lock,
 * whether {@link AccessController} is among the loaded coprocessors. For every other region
 * the {@code CHECK_AUTHS_FOR_MUTATION} switch is read from the region configuration
 * (default {@code false}). In both cases the visibility label service is initialised for the
 * environment afterwards.
 *
 * @param e coprocessor context of the region that has just been opened
 */
@Override
public void postOpen(ObserverContext<RegionCoprocessorEnvironment> e) {
  final RegionCoprocessorEnvironment env = e.getEnvironment();
  final boolean openedLabelsTable =
      env.getRegion().getRegionInfo().getTable().equals(LABELS_TABLE_NAME);
  if (openedLabelsTable) {
    this.labelsRegion = true;
    // Whether ACL enforcement is co-loaded decides how label operations are authorized
    // elsewhere; the write is guarded by this so readers see a consistent value.
    synchronized (this) {
      this.accessControllerAvailable = CoprocessorHost.getLoadedCoprocessors()
          .contains(AccessController.class.getName());
    }
  } else {
    checkAuths = env.getConfiguration()
        .getBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, false);
  }
  // Both paths finish by initialising the label service for this environment.
  initVisibilityLabelService(env);
}
Example #2
Source File: SnapshotWithAclTestBase.java From hbase with Apache License 2.0 | 6 votes |
/**
 * Starts a secured mini cluster with {@link AccessController} loaded as region and master
 * coprocessor, with EXEC permission checks enabled, and creates the four test users
 * ({@code USER_OWNER}, {@code USER_RW}, {@code USER_RO}, {@code USER_NONE}) used by the
 * snapshot/ACL tests. None of the users carries group memberships.
 *
 * @throws Exception if the cluster cannot be started or the configuration is rejected
 */
@BeforeClass
public static void setupBeforeClass() throws Exception {
  final Configuration conf = TEST_UTIL.getConfiguration();
  // Enable security
  enableSecurity(conf);
  conf.set(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, AccessController.class.getName());
  // Verify enableSecurity sets up what we require
  verifyConfiguration(conf);
  // Enable EXEC permission checking
  conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true);
  TEST_UTIL.startMiniCluster();
  TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
  // The master side is loaded explicitly, at highest priority, on the running master.
  final MasterCoprocessorHost cpHost =
      TEST_UTIL.getMiniHBaseCluster().getMaster().getMasterCoprocessorHost();
  cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
  USER_OWNER = groupLessUser(conf, "owner");
  USER_RW = groupLessUser(conf, "rwuser");
  USER_RO = groupLessUser(conf, "rouser");
  USER_NONE = groupLessUser(conf, "usernone");
}

/** Creates a test user with the given short name and an empty group list. */
private static User groupLessUser(Configuration conf, String name) throws Exception {
  return User.createUserForTesting(conf, name, new String[0]);
}
Example #3
Source File: TestMasterCoprocessorServices.java From hbase with Apache License 2.0 | 6 votes |
/**
 * Checks that {@code checkCoprocessorWithService} reports the AccessControlService as
 * present exactly when a coprocessor exposing it (the stock {@link AccessController} or a
 * custom implementation) is in the list. Empty and {@code null} lists, and lists holding
 * only an unrelated coprocessor, must report it as absent.
 */
@Test
public void testAccessControlServices() {
  final Class<AccessControlService.Interface> service = AccessControlService.Interface.class;
  final MasterCoprocessor defaultImpl = new AccessController();
  final MasterCoprocessor customImpl = new MockAccessController();
  final MasterCoprocessor unrelatedImpl = new JMXListener();

  // Either implementation on its own satisfies the service check.
  assertTrue(masterServices.checkCoprocessorWithService(
      Collections.singletonList(defaultImpl), service));
  assertTrue(masterServices.checkCoprocessorWithService(
      Collections.singletonList(customImpl), service));

  // Nothing loaded, or only something unrelated, must not.
  assertFalse(masterServices.checkCoprocessorWithService(Collections.emptyList(), service));
  assertFalse(masterServices.checkCoprocessorWithService(null, service));
  assertFalse(masterServices.checkCoprocessorWithService(
      Collections.singletonList(unrelatedImpl), service));

  // A matching coprocessor is found even when it is not the first entry.
  assertTrue(masterServices.checkCoprocessorWithService(
      Arrays.asList(unrelatedImpl, customImpl), service));
  assertTrue(masterServices.checkCoprocessorWithService(
      Arrays.asList(unrelatedImpl, defaultImpl), service));
}
Example #4
Source File: MasterRpcServices.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Returns the security capabilities in effect on the cluster.
 *
 * <p>Authentication is reported as SECURE or SIMPLE depending on
 * {@code User.isHBaseSecurityEnabled}. AUTHORIZATION and CELL_AUTHORIZATION are only
 * reported when a coprocessor implementing AccessControlService is loaded on the master and
 * the respective configuration switch is on; CELL_VISIBILITY likewise requires a loaded
 * VisibilityLabelsService coprocessor.
 *
 * @param controller the RPC controller (unused)
 * @param request the capabilities request (unused)
 * @return the set of capabilities the cluster advertises
 * @throws ServiceException if the master is not initialised or a configuration check fails
 */
@Override
public SecurityCapabilitiesResponse getSecurityCapabilities(RpcController controller,
    SecurityCapabilitiesRequest request) throws ServiceException {
  final SecurityCapabilitiesResponse.Builder response =
      SecurityCapabilitiesResponse.newBuilder();
  try {
    master.checkInitialized();
    final Set<SecurityCapabilitiesResponse.Capability> capabilities = new HashSet<>();

    // Authentication: exactly one of the two flavours is always present.
    final boolean secure = User.isHBaseSecurityEnabled(master.getConfiguration());
    capabilities.add(secure
        ? SecurityCapabilitiesResponse.Capability.SECURE_AUTHENTICATION
        : SecurityCapabilitiesResponse.Capability.SIMPLE_AUTHENTICATION);

    // A coprocessor that implements AccessControlService can provide AUTHORIZATION and
    // CELL_AUTHORIZATION.
    final boolean aclLoaded =
        master.cpHost != null && hasAccessControlServiceCoprocessor(master.cpHost);
    if (aclLoaded && AccessChecker.isAuthorizationSupported(master.getConfiguration())) {
      capabilities.add(SecurityCapabilitiesResponse.Capability.AUTHORIZATION);
    }
    if (aclLoaded && AccessController.isCellAuthorizationSupported(master.getConfiguration())) {
      capabilities.add(SecurityCapabilitiesResponse.Capability.CELL_AUTHORIZATION);
    }

    // A coprocessor that implements VisibilityLabelsService can provide CELL_VISIBILITY.
    final boolean visibilityLoaded =
        master.cpHost != null && hasVisibilityLabelsServiceCoprocessor(master.cpHost);
    if (visibilityLoaded
        && VisibilityController.isCellAuthorizationSupported(master.getConfiguration())) {
      capabilities.add(SecurityCapabilitiesResponse.Capability.CELL_VISIBILITY);
    }

    response.addAllCapabilities(capabilities);
  } catch (IOException e) {
    throw new ServiceException(e);
  }
  return response.build();
}
Example #5
Source File: MasterRpcServices.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Grants a permission on behalf of the calling user.
 *
 * <p>The request is rejected (as a non-retriable failure) unless a coprocessor implementing
 * AccessControlService is loaded on the master. Otherwise the {@code preGrant} hook runs,
 * the permission is written to the ACL table through {@link PermissionStorage}, the
 * {@code postGrant} hook runs, and an audit line naming the caller, its remote address and
 * the granted permission is emitted. Note that the audit line is only written when
 * {@code AUDITLOG} is enabled at TRACE level.
 *
 * @param controller the RPC controller (unused)
 * @param request carries the user permission and the merge-existing flag
 * @return the default (empty) grant response
 * @throws ServiceException wrapping any {@link IOException}, including the "not loaded" case
 */
@Override
public GrantResponse grant(RpcController controller, GrantRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      // Caught below and surfaced to the client as a ServiceException.
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final UserPermission perm =
        ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
    final boolean mergeExistingPermissions = request.getMergeExistingPermissions();

    master.cpHost.preGrant(perm, mergeExistingPermissions);
    try (Table table = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.addUserPermission(getConfiguration(), perm, table,
          mergeExistingPermissions);
    }
    master.cpHost.postGrant(perm, mergeExistingPermissions);

    final User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should store permission changes in addition to auth results
      final String remoteAddress =
          RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller,
          remoteAddress, perm);
    }
    return GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
Example #6
Source File: MasterRpcServices.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Revokes a permission on behalf of the calling user.
 *
 * <p>Mirrors {@code grant}: the request is rejected (non-retriable) unless a coprocessor
 * implementing AccessControlService is loaded on the master; otherwise {@code preRevoke}
 * runs, the permission is removed from the ACL table through {@link PermissionStorage},
 * {@code postRevoke} runs, and an audit line naming the caller, its remote address and the
 * revoked permission is emitted. The audit line is only written when {@code AUDITLOG} is
 * enabled at TRACE level.
 *
 * @param controller the RPC controller (unused)
 * @param request carries the user permission to revoke
 * @return the default (empty) revoke response
 * @throws ServiceException wrapping any {@link IOException}, including the "not loaded" case
 */
@Override
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      // Caught below and surfaced to the client as a ServiceException.
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final UserPermission userPermission =
        ShadedAccessControlUtil.toUserPermission(request.getUserPermission());

    master.cpHost.preRevoke(userPermission);
    try (Table table = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.removeUserPermission(master.getConfiguration(), userPermission, table);
    }
    master.cpHost.postRevoke(userPermission);

    final User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should record all permission changes
      final String remoteAddress =
          RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller,
          remoteAddress, userPermission);
    }
    return RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
Example #7
Source File: TestVisibilityLabelsWithACL.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Brings up a two-node secured mini cluster with both {@link AccessController} and
 * {@link VisibilityController} loaded as master and region coprocessors, waits for the ACL
 * and labels tables, adds the test labels, and creates one superuser and two ordinary users.
 * The ordinary users are given EXEC on the labels table so that the tests exercise
 * authorization inside the endpoint rather than failing at the endpoint boundary.
 *
 * @throws Exception if the cluster or the test users cannot be set up
 */
@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  SecureTestUtil.enableSecurity(conf);
  // Same coprocessor chain on the master and on every region.
  final String coprocessors =
      AccessController.class.getName() + "," + VisibilityController.class.getName();
  conf.set("hbase.coprocessor.master.classes", coprocessors);
  conf.set("hbase.coprocessor.region.classes", coprocessors);
  TEST_UTIL.startMiniCluster(2);
  TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME.getName(), 50000);
  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  addLabels();

  // Create users for testing
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  NORMAL_USER1 = User.createUserForTesting(conf, "user1", new String[] {});
  NORMAL_USER2 = User.createUserForTesting(conf, "user2", new String[] {});

  // Grant users EXEC privilege on the labels table. For the purposes of this
  // test, we want to insure that access is denied even with the ability to access
  // the endpoint.
  SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER1.getShortName(), LABELS_TABLE_NAME,
      null, null, Permission.Action.EXEC);
  SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(), LABELS_TABLE_NAME,
      null, null, Permission.Action.EXEC);
}
Example #8
Source File: TestSuperUserQuotaPermissions.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Starts a single-node mini cluster with {@link AccessController} installed at the master,
 * region and region-server coprocessor slots, with authorization and EXEC permission checks
 * switched on and {@code SUPERUSER_NAME} configured as superuser. Chore frequencies are
 * raised first so the quota-related tests react quickly.
 *
 * @throws Exception if the cluster cannot be started
 */
@BeforeClass
public static void setupMiniCluster() throws Exception {
  final Configuration conf = TEST_UTIL.getConfiguration();
  // Increase the frequency of some of the chores for responsiveness of the test
  SpaceQuotaHelperForTests.updateConfigForQuotas(conf);

  // The ACL coprocessor has to be present at every level for enforcement to be complete.
  final String accessController = AccessController.class.getName();
  for (String coprocessorKey : new String[] {
      CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY,
      CoprocessorHost.REGION_COPROCESSOR_CONF_KEY,
      CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY }) {
    conf.set(coprocessorKey, accessController);
  }

  conf.setBoolean("hbase.security.exec.permission.checks", true);
  conf.setBoolean("hbase.security.authorization", true);
  conf.set("hbase.superuser", SUPERUSER_NAME);
  TEST_UTIL.startMiniCluster(1);
}
Example #9
Source File: TestMasterQuotasObserverWithMocks.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Verifies that {@code updateConfigurationForQuotasObserver} appends
 * {@code MasterQuotasObserver} to an existing master coprocessor list rather than replacing
 * it: after the call both the pre-configured {@link AccessController} and the quotas
 * observer must be present, and nothing else.
 */
@Test
public void testAppendsObserver() {
  final String aclObserver = AccessController.class.getName();
  final String quotasObserver = MasterQuotasObserver.class.getName();

  conf.set(MASTER_COPROCESSOR_CONF_KEY, aclObserver);
  master.updateConfigurationForQuotasObserver(conf);

  final Set<String> coprocs =
      new HashSet<>(conf.getStringCollection(MASTER_COPROCESSOR_CONF_KEY));
  final String observed = "Observed coprocessors were: " + coprocs;
  assertEquals(2, coprocs.size());
  assertTrue(observed, coprocs.contains(aclObserver));
  assertTrue(observed, coprocs.contains(quotasObserver));
}
Example #10
Source File: IntegrationTestIngestWithACL.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Configures the integration-test cluster for ACL ingestion before delegating to the
 * superclass: HFile format version 3 (needed for cell-level ACL tags),
 * {@link AccessController} as master and region coprocessor, and
 * {@code hbase.security.access.early_out} disabled so checks are not short-circuited.
 *
 * @throws Exception if the underlying cluster setup fails
 */
@Override
public void setUpCluster() throws Exception {
  util = getTestingUtil(null);
  final Configuration conf = util.getConfiguration();
  conf.setInt(HFile.FORMAT_VERSION_KEY, 3);

  final String accessController = AccessController.class.getName();
  conf.set("hbase.coprocessor.master.classes", accessController);
  conf.set("hbase.coprocessor.region.classes", accessController);
  conf.setBoolean("hbase.security.access.early_out", false);

  super.setUpCluster();
}
Example #11
Source File: MasterRpcServices.java From hbase with Apache License 2.0 | 4 votes |
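/**
 * Lists user permissions stored in the ACL table.
 *
 * <p>Rejected (non-retriable) unless a coprocessor implementing AccessControlService is
 * loaded on the master. The optional user name, namespace, table, column family, column
 * qualifier and permission type are taken from the request; the {@code preGetUserPermissions}
 * and {@code postGetUserPermissions} hooks bracket the lookup. Depending on the permission
 * type, table, namespace or global permissions are read through {@link PermissionStorage}.
 * For a global listing with no user filter, every configured superuser is appended with all
 * actions, because {@link PermissionStorage} does not persist superusers.
 *
 * @param controller the RPC controller (unused)
 * @param request filter criteria for the listing
 * @return the matching permissions
 * @throws ServiceException wrapping any {@link IOException}, including the "not loaded" case
 */
@Override
public GetUserPermissionsResponse getUserPermissions(RpcController controller,
    GetUserPermissionsRequest request) throws ServiceException {
  try {
    master.checkInitialized();
    if (master.cpHost != null && hasAccessControlServiceCoprocessor(master.cpHost)) {
      final String userName =
          request.hasUserName() ? request.getUserName().toStringUtf8() : null;
      final String namespace =
          request.hasNamespaceName() ? request.getNamespaceName().toStringUtf8() : null;
      final TableName table =
          request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;
      final byte[] cf = request.hasColumnFamily() ? request.getColumnFamily().toByteArray() : null;
      final byte[] cq =
          request.hasColumnQualifier() ? request.getColumnQualifier().toByteArray() : null;
      final Type permissionType = request.hasType() ? request.getType() : null;

      master.getMasterCoprocessorHost().preGetUserPermissions(userName, namespace, table, cf, cq);

      // A supplied user name restricts the listing to that user.
      final boolean filterByUser = userName != null;
      final List<UserPermission> perms;
      if (permissionType == Type.Table) {
        // Table listings are additionally narrowed when a column family is given.
        final boolean filter = cf != null || filterByUser;
        perms = PermissionStorage.getUserTablePermissions(master.getConfiguration(), table, cf,
            cq, userName, filter);
      } else if (permissionType == Type.Namespace) {
        perms = PermissionStorage.getUserNamespacePermissions(master.getConfiguration(),
            namespace, userName, filterByUser);
      } else {
        perms = PermissionStorage.getUserPermissions(master.getConfiguration(), null, null,
            null, userName, filterByUser);
        // Skip super users when filter user is specified
        if (!filterByUser) {
          // Adding superusers explicitly to the result set as PermissionStorage do not store
          // them. Also using acl as table name to be inline with the results of global admin and
          // will help in avoiding any leakage of information about being superusers.
          for (String user : Superusers.getSuperUsers()) {
            perms.add(new UserPermission(user,
                Permission.newBuilder().withActions(Action.values()).build()));
          }
        }
      }

      master.getMasterCoprocessorHost().postGetUserPermissions(userName, namespace, table, cf,
          cq);
      return ShadedAccessControlUtil.buildGetUserPermissionsResponse(perms);
    } else {
      throw new DoNotRetryIOException(
          new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}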