org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos Java Examples

The following examples show how to use org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.
Example #1
Source File: HBase.java    From pxf with Apache License 2.0
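/**
 * Grants the given HBase actions to a user, either globally or on one table.
 *
 * <p>The grant is skipped (and only reported) unless {@code isAuthorizationEnabled}
 * is set or the {@code hbase.security.authorization} property equals {@code "true"}.
 *
 * @param table   table to grant on; {@code null} issues the grant without a table scope
 * @param user    user name passed to the grant call
 * @param actions actions to grant
 * @throws Exception propagated from opening the ACL table, the coprocessor call,
 *                   the grant itself, or closing the ACL table
 */
private void grantPermissions(Table table,
                              String user, Action... actions)
        throws Exception {

    // NOTE(review): this writes config.toString() into the report. If that rendering
    // includes property values, confirm no credentials end up in the report output.
    ReportUtils.report(report, getClass(), config.toString());
    ReportUtils.report(report, getClass(), "grant request for user=" + user + " table=" + table);

    // Constant-first equals covers the "property not set" case without a separate null test.
    boolean enabledInConfig = "true".equals(config.get("hbase.security.authorization"));
    if (!isAuthorizationEnabled && !enabledInConfig) {
        ReportUtils.report(report, getClass(),
                "HBase security authorization is not enabled, cannot grant permissions");
        return;
    }

    // try-with-resources: a failure in close() is attached as a suppressed exception
    // instead of replacing the exception thrown by the grant call.
    try (org.apache.hadoop.hbase.client.Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
        BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
        AccessControlProtos.AccessControlService.BlockingInterface protocol =
                AccessControlProtos.AccessControlService.newBlockingStub(service);
        if (table == null) {
            ProtobufUtil.grant(protocol, user, actions);
        } else {
            // Family and qualifier are passed as null, so the grant is not narrowed to a column.
            ProtobufUtil.grant(protocol, user, TableName.valueOf(table.getName()), null, null, actions);
        }
    }
}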
 
Example #2
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
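/**
 * Loads the Ranger HBase authorizer implementation through the plugin class loader
 * and stores it in the {@code impl*} fields, one per interface it is cast to.
 *
 * <p>Any exception (class not found, instantiation failure, failed cast) is logged
 * and swallowed. The plugin class loader is deactivated in all cases.
 *
 * <p>NOTE(review): after a failure the {@code impl*} fields that were not yet assigned
 * keep their previous values. Because this class gates authorization, confirm that
 * every hook relying on those fields rejects the request in that state rather than
 * letting it through.
 */
private void init(){
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerAuthorizationCoprocessor.init()");
	}

	try {

		rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());

		Class<?> cls = Class.forName(RANGER_HBASE_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);

		activatePluginClassLoader();

		// Class.newInstance() is deprecated: it rethrows checked exceptions from the
		// constructor undeclared. Going through the Constructor wraps them instead.
		impl 					 = cls.getDeclaredConstructor().newInstance();

		// Cast order is kept: a ClassCastException stops assignment at the first
		// interface the implementation does not provide.
		implAccessControlService = (AccessControlProtos.AccessControlService.Interface)impl;
		implMasterCoprocessor 	 = (MasterCoprocessor)impl;
		implRegionCoprocessor	 = (RegionCoprocessor)impl;
		implRegionServerCoporcessor = (RegionServerCoprocessor)impl;
		implMasterObserver       = (MasterObserver)impl;
		implRegionObserver       = (RegionObserver)impl;
		implRegionServerObserver = (RegionServerObserver)impl;
		implBulkLoadObserver     = (BulkLoadObserver)impl;
		//implEndpointObserver	 = (EndpointObserver)impl;

	} catch (Exception e) {
		// check what need to be done
		LOG.error("Error Enabling RangerHbasePlugin", e);
	} finally {
		// Runs even when activatePluginClassLoader() was never reached.
		deactivatePluginClassLoader();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerAuthorizationCoprocessor.init()");
	}
}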
 
Example #3
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
/**
 * Handles the CheckPermissions endpoint call by writing a debug log line only.
 *
 * <p>The request is not inspected, nothing is set on {@code controller}, and
 * {@code done} is never invoked.
 *
 * <p>NOTE(review): a caller of this endpoint gets no permission decision from this
 * method. Confirm that clients do not treat the absence of an error as "permitted".
 *
 * @param controller RPC controller (unused)
 * @param request    permissions the caller asks to have checked (unused)
 * @param done       response callback (never run)
 */
@Override
public void checkPermissions(RpcController controller, AccessControlProtos.CheckPermissionsRequest request, RpcCallback<AccessControlProtos.CheckPermissionsResponse> done) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("checkPermissions(): ");
	}
}
 
Example #4
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
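/**
 * Returns the user permissions visible for a table, a namespace, or globally,
 * depending on {@code request.getType()}.
 *
 * <p>Each branch first requires {@code Action.ADMIN} from the active user and only
 * then reads the resource ACLs from the Ranger plugin as the login user. An
 * {@link IOException} is recorded on {@code controller}, and {@code done} is then
 * run with a {@code null} response.
 *
 * @param controller RPC controller that receives any {@link IOException}
 * @param request    scope (table, namespace or global) whose permissions are requested
 * @param done       callback run with the built response, or {@code null} on failure
 */
@Override
public void getUserPermissions(RpcController controller, AccessControlProtos.GetUserPermissionsRequest request,
		RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
	AccessControlProtos.GetUserPermissionsResponse response = null;
	try {
		String operation = "userPermissions";
		final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
		// NOTE(review): user may be dereferenced below without a null check; confirm
		// getActiveUser(null) cannot return null on this path.
		User user = getActiveUser(null);
		Set<String> groups = _userUtils.getUserGroups(user);
		// Fall back to the groups carried by the UGI when the user utility reports none.
		if (groups.isEmpty() && user.getUGI() != null) {
			String[] groupArray = user.getUGI().getGroupNames();
			if (groupArray != null) {
				groups = Sets.newHashSet(groupArray);
			}
		}
		RangerAccessRequestImpl rangerAccessrequest = new RangerAccessRequestImpl(resource, null,
				_userUtils.getUserAsString(user), groups, null);
		rangerAccessrequest.setAction(operation);
		rangerAccessrequest.setClientIPAddress(getRemoteAddress());
		rangerAccessrequest.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
		List<UserPermission> perms = null;
		if (request.getType() == AccessControlProtos.Permission.Type.Table) {
			final TableName table = request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;
			// The request is client-supplied: a table-scoped request without a table name
			// used to hit a NullPointerException on table.getName(), which skipped both the
			// controller error and done.run(). Reject it through the IOException path instead.
			if (table == null) {
				throw new IOException("getUserPermissions(): table name is required for a table-scoped request");
			}
			// Authorization check comes before any ACL data is read.
			requirePermission(null, operation, table.getName(), Action.ADMIN);
			resource.setValue(RangerHBaseResource.KEY_TABLE, table.getNameAsString());
			perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
				@Override
				public List<UserPermission> run() throws Exception {
					return getUserPermissions(
							hbasePlugin.getResourceACLs(rangerAccessrequest),
							table.getNameAsString(), false);
				}
			});
		} else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
			// NOTE(review): the namespace is read without a presence check; confirm how an
			// absent or empty namespace should be handled.
			final String namespace = request.getNamespaceName().toStringUtf8();
			requireGlobalPermission(null, "getUserPermissionForNamespace", namespace, Action.ADMIN);
			resource.setValue(RangerHBaseResource.KEY_TABLE, namespace + RangerHBaseResource.NAMESPACE_SEPARATOR);
			rangerAccessrequest.setRequestData(namespace);
			perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
				@Override
				public List<UserPermission> run() throws Exception {
					return getUserPermissions(
							hbasePlugin.getResourceACLs(rangerAccessrequest),
							namespace, true);
				}
			});
		} else {
			requirePermission(null, operation, Action.ADMIN);
			perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
				@Override
				public List<UserPermission> run() throws Exception {
					return getUserPermissions(
							hbasePlugin.getResourceACLs(rangerAccessrequest), null,
							false);
				}
			});
			// A super user is additionally reported with every action on the ACL table.
			if (_userUtils.isSuperUser(user)) {
				perms.add(new UserPermission(Bytes.toBytes(_userUtils.getUserAsString(user)),
						AccessControlLists.ACL_TABLE_NAME, null, Action.values()));
			}
		}
		response = AccessControlUtil.buildGetUserPermissionsResponse(perms);
	} catch (IOException ioe) {
		// pass exception back up
		ResponseConverter.setControllerException(controller, ioe);
	}
	done.run(response);
}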
 
Example #5
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
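/**
 * Translates an HBase revoke RPC into a Ranger {@code GrantRevokeRequest}.
 *
 * <p>The target resource is derived from the permission type: a global permission maps
 * to wildcards, a table permission to its table/family/qualifier, and a namespace
 * permission to {@code namespace + NAMESPACE_SEPARATOR + table}. Empty parts are
 * replaced by the wildcard. The returned request lists all five access types and sets
 * the delegate-admin flag, so the revoke covers every permission on the resource.
 *
 * @param request revoke request received over RPC
 * @return the populated Ranger revoke request
 * @throws Exception if the permission or user name is missing, a table-typed
 *                   permission carries no table name, or no resource is specified
 */
private GrantRevokeRequest createRevokeData(AccessControlProtos.RevokeRequest request) throws Exception {
	AccessControlProtos.UserPermission up   = request.getUserPermission();
	AccessControlProtos.Permission     perm = up == null ? null : up.getPermission();

	UserPermission      userPerm  = up == null ? null : AccessControlUtil.toUserPermission(up);
	String              userName  = userPerm == null ? null : Bytes.toString(userPerm.getUser());
	String              nameSpace = null;
	String              tableName = null;
	String              colFamily = null;
	String              qualifier = null;

	if(perm == null) {
		throw new Exception("revoke(): invalid data - permission is null");
	}

	if(StringUtil.isEmpty(userName)) {
		throw new Exception("revoke(): invalid data - username empty");
	}

	switch(perm.getType()) {
		case Global :
			tableName = colFamily = qualifier = RangerHBaseResource.WILDCARD;
		break;

		case Table :
			// The request is client-supplied. Fail with an explicit error rather than a
			// NullPointerException, and do not let a missing table name fall through to
			// the wildcard substitution below, which would widen the revoke to all tables.
			// NOTE(review): assumes getTableName() can be null when the request omits it.
			if(userPerm.getTableName() == null) {
				throw new Exception("revoke(): invalid data - table name is null");
			}
			tableName = Bytes.toString(userPerm.getTableName().getName());
			colFamily = Bytes.toString(userPerm.getFamily());
			qualifier = Bytes.toString(userPerm.getQualifier());
		break;

		case Namespace:
			nameSpace = userPerm.getNamespace();
		break;

		default:
			// Any other type leaves every part empty and is rejected just below.
		break;
	}

	if(StringUtil.isEmpty(nameSpace) && StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
		throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
	}

	// Unspecified parts become wildcards.
	tableName = StringUtil.isEmpty(tableName) ? RangerHBaseResource.WILDCARD : tableName;
	colFamily = StringUtil.isEmpty(colFamily) ? RangerHBaseResource.WILDCARD : colFamily;
	qualifier = StringUtil.isEmpty(qualifier) ? RangerHBaseResource.WILDCARD : qualifier;

	if(! StringUtil.isEmpty(nameSpace)) {
		tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName;
	}

	// The grantor identity comes from the active RPC user, not from the request payload.
	User   activeUser = getActiveUser(null);
	String grantor    = activeUser != null ? activeUser.getShortName() : null;
	String[] groups   = activeUser != null ? activeUser.getGroupNames() : null;

	Set<String> grantorGroups = null;

	if (groups != null && groups.length > 0) {
		grantorGroups = new HashSet<>(Arrays.asList(groups));
	}

	Map<String, String> mapResource = new HashMap<>();
	mapResource.put(RangerHBaseResource.KEY_TABLE, tableName);
	mapResource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily);
	mapResource.put(RangerHBaseResource.KEY_COLUMN, qualifier);

	GrantRevokeRequest ret = new GrantRevokeRequest();

	ret.setGrantor(grantor);
	ret.setGrantorGroups(grantorGroups);
	ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
	ret.setEnableAudit(Boolean.TRUE);
	ret.setReplaceExistingPermissions(Boolean.TRUE);
	ret.setResource(mapResource);
	ret.setClientIPAddress(getRemoteAddress());
	ret.setForwardedAddresses(null);//TODO: Need to check with Knox proxy how they handle forwarded add.
	ret.setRemoteIPAddress(getRemoteAddress());
	ret.setRequestData(up.toString());

	// A name carrying GROUP_PREFIX addresses a group; the prefix is stripped first.
	if(userName.startsWith(GROUP_PREFIX)) {
		ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
	} else {
		ret.getUsers().add(userName);
	}

	// revoke removes all permissions
	ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_READ);
	ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
	ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
	ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
	ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);

	return ret;
}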
 
Example #6
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
/**
 * Exposes this coprocessor as the single AccessControlService endpoint.
 *
 * @return a one-element collection holding the reflective service that wraps
 *         {@code this}
 */
@Override
public Iterable<Service> getServices() {
	// Wrap this instance so the generated AccessControlService methods are routed to it.
	Service accessControlEndpoint = AccessControlProtos.AccessControlService.newReflectiveService(this);
	return Collections.singleton(accessControlEndpoint);
}