org.apache.hadoop.hbase.security.access.Permission.Action Java Examples

The following examples show how to use org.apache.hadoop.hbase.security.access.Permission.Action. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: AccessChecker.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Authorizes that the current user has any of the given permissions for the
 * given table, column family and column qualifier.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param tableName Table requested
 * @param family    Column family requested
 * @param qualifier Column qualifier requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 * @throws IOException if obtaining the current user fails
 * @throws AccessDeniedException if user has no authorization
 */
public void requirePermission(User user, String request, TableName tableName, byte[] family,
    byte[] qualifier, String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {
      result = AuthResult.allow(request, "Table permission granted",
          user, permission, tableName, family, qualifier);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions",
        user, permission, tableName, family, qualifier);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
 
Example #2
Source File: AccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Override
public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
    List<TableName> tableNamesList, List<TableDescriptor> descriptors,
    String regex) throws IOException {
  // Skipping as checks in this case are already done by preGetTableDescriptors.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    return;
  }

  // Retains only those which passes authorization checks, as the checks weren't done as part
  // of preGetTableDescriptors.
  Iterator<TableDescriptor> itr = descriptors.iterator();
  while (itr.hasNext()) {
    TableDescriptor htd = itr.next();
    try {
      requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null,
          Action.ADMIN, Action.CREATE);
    } catch (AccessDeniedException e) {
      itr.remove();
    }
  }
}
 
Example #3
Source File: TestAccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Test
public void testGlobalPermissionList() throws Exception {
  List<UserPermission> perms = systemUserConnection.getAdmin()
      .getUserPermissions(GetUserPermissionsRequest.newBuilder().build());

  Collection<String> superUsers = Superusers.getSuperUsers();
  List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1);
  adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Permission.newBuilder()
      .withActions(Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE).build()));
  for (String user : superUsers) {
    // Global permission
    adminPerms.add(
      new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build()));
  }
  assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
      "per setup", perms.size() == 5 + superUsers.size() &&
      hasFoundUserPermission(adminPerms, perms));
}
 
Example #4
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0 6 votes vote down vote up
boolean canSkipAccessCheck(User user, final String operation, String access, final RegionCoprocessorEnvironment regionServerEnv) throws AccessDeniedException {

		// read access to metadata tables is always allowed and isn't audited.
		if (isAccessForMetaTables(regionServerEnv) && _authUtils.isReadAccess(access)) {
			LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
			return true;
		}
		// if write access is desired to metatables then global create access is sufficient
		if (_authUtils.isWriteAccess(access) && isAccessForMetaTables(regionServerEnv)) {
			String createAccess = _authUtils.getAccess(Action.CREATE);
			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
				.operation(operation)
				.remoteAddress(getRemoteAddress())
				.user(user)
				.access(createAccess)
				.buildRequest()
				.authorize();
			if (session.isAuthorized()) {
				// NOTE: this access isn't logged
				LOG.debug("isKnownAccessPattern: exiting: User has global create access, allowed!");
				return true;
			}
		}
		return false;
	}
 
Example #5
Source File: PhoenixAccessController.java    From phoenix with Apache License 2.0 6 votes vote down vote up
@Override
public void preAlterTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType) throws IOException {
    if (!accessCheckEnabled) { return; }
    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
        observer.preModifyTable(getMasterObsevrverContext(), physicalTableName,
                TableDescriptorBuilder.newBuilder(physicalTableName).build());
        }
    }
    if (tableType == PTableType.VIEW) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
 
Example #6
Source File: AccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Override
public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Append append) throws IOException {
  if (append.getAttribute(CHECK_COVERING_PERM) != null) {
    // We had failure with table, cf and q perm checks and now giving a chance for cell
    // perm check
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    AuthResult authResult = null;
    User user = getActiveUser(c);
    if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),
        append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {
      authResult = AuthResult.allow(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    } else {
      authResult = AuthResult.deny(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    }
    AccessChecker.logResult(authResult);
    if (authorizationEnabled && !authResult.isAllowed()) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }
  return null;
}
 
Example #7
Source File: AccessChecker.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that the user has the given global or namespace permission.
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param namespace Name space as requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 */
public void requireNamespacePermission(User user, String request, String namespace,
    String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserNamespace(user, namespace, permission)) {
      result =
          AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
 
Example #8
Source File: ShadedAccessControlUtil.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Convert a client user permission to a user permission shaded proto.
 */
public static AccessControlProtos.Permission.Action toPermissionAction(Permission.Action action) {
  switch (action) {
    case READ:
      return AccessControlProtos.Permission.Action.READ;
    case WRITE:
      return AccessControlProtos.Permission.Action.WRITE;
    case EXEC:
      return AccessControlProtos.Permission.Action.EXEC;
    case CREATE:
      return AccessControlProtos.Permission.Action.CREATE;
    case ADMIN:
      return AccessControlProtos.Permission.Action.ADMIN;
  }
  throw new IllegalArgumentException("Unknown action value " + action.name());
}
 
Example #9
Source File: PhoenixAccessController.java    From phoenix with Apache License 2.0 6 votes vote down vote up
@Override
public void preDropTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType,
        List<PTable> indexes) throws IOException {
    if (!accessCheckEnabled) { return; }

    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
            observer.preDeleteTable(getMasterObsevrverContext(), physicalTableName);
        }
        if (indexes != null) {
            for (PTable index : indexes) {
                observer.preDeleteTable(getMasterObsevrverContext(),
                        TableName.valueOf(index.getPhysicalName().getBytes()));
            }
        }
    }
    //checking similar permission checked during the create of the view.
    if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
 
Example #10
Source File: AccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Override
public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
     List<TableName> tableNamesList, List<TableDescriptor> descriptors,
     String regex) throws IOException {
  // We are delegating the authorization check to postGetTableDescriptors as we don't have
  // any concrete set of table names when a regex is present or the full list is requested.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the
    // request can be granted.
    try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
      for (TableName tableName : tableNamesList) {
        // Skip checks for a table that does not exist
        if (!admin.tableExists(tableName)) {
          continue;
        }
        requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN,
          Action.CREATE);
      }
    }
  }
}
 
Example #11
Source File: HbaseAuthUtilsImpl.java    From ranger with Apache License 2.0 6 votes vote down vote up
@Override
public String getAccess(Action action) {
	switch(action) {
		case READ:
			return ACCESS_TYPE_READ;
		case WRITE:
			return ACCESS_TYPE_WRITE;
		case CREATE:
			return ACCESS_TYPE_CREATE;
		case ADMIN:
			return ACCESS_TYPE_ADMIN;
		case EXEC:
			return ACCESS_TYPE_EXECUTE;
		default:
			return action.name().toLowerCase();
	}
}
 
Example #12
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0 6 votes vote down vote up
@Override
public void postGetProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
	/*if(!procInfoList.isEmpty()) {
		Iterator<Procedure<?>> itr = procInfoList.iterator();
		User user = this.getActiveUser();

		while(itr.hasNext()) {
			Procedure procInfo = itr.next();
			try {
				String owner = procInfo.getOwner();
				if (owner == null || !owner.equals(user.getShortName())) {
					requirePermission("getProcedures", Action.ADMIN);
				}
			} catch (AccessDeniedException var7) {
				itr.remove();
			}
		}

	}*/
	requirePermission(observerContext, "getProcedures", Action.ADMIN);
}
 
Example #13
Source File: TestAccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Test
public void testNamespaceUserGrant() throws Exception {
  AccessTestAction getAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try(Connection conn = ConnectionFactory.createConnection(conf);
          Table t = conn.getTable(TEST_TABLE)) {
        return t.get(new Get(TEST_ROW));
      }
    }
  };

  String namespace = TEST_TABLE.getNamespaceAsString();

  // Grant namespace READ to USER_NONE, this should supersede any table permissions
  grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  // Now USER_NONE should be able to read
  verifyAllowed(getAction, USER_NONE);

  // Revoke namespace READ to USER_NONE
  revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  verifyDenied(getAction, USER_NONE);
}
 
Example #14
Source File: TestAccessController2.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
  grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  try {
    AccessTestAction createAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
          new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
        tableDescriptor.setColumnFamily(
          new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
        try (Connection connection =
            ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
          try (Admin admin = connection.getAdmin()) {
            admin.createTable(tableDescriptor);
          }
        }
        return null;
      }
    };
    verifyAllowed(createAction, TESTGROUP1_USER1);
    verifyDenied(createAction, TESTGROUP2_USER1);
  } finally {
    revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  }
}
 
Example #15
Source File: TestPermissionBuilder.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testBuildTablePermission() {
  TableName tableName = TableName.valueOf("ns", "table");
  byte[] family = Bytes.toBytes("f");
  byte[] qualifier = Bytes.toBytes("q");
  // check table permission without family or qualifier
  Permission permission =
      Permission.newBuilder(tableName).withActions(Action.WRITE, Action.READ).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(2, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.WRITE, permission.getActions()[1]);
  TablePermission tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertEquals(null, tPerm.getFamily());
  assertEquals(null, tPerm.getQualifier());

  // check table permission with family
  permission =
      Permission.newBuilder(tableName).withFamily(family).withActions(Action.EXEC).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(1, permission.getActions().length);
  assertEquals(Action.EXEC, permission.getActions()[0]);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(null, tPerm.getQualifier()));

  // check table permission with family and qualifier
  permission =
      Permission.newBuilder(tableName).withFamily(family).withQualifier(qualifier).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(0, permission.getActions().length);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(qualifier, tPerm.getQualifier()));
}
 
Example #16
Source File: AccessChecker.java    From hbase with Apache License 2.0 5 votes vote down vote up
public void checkLockPermissions(User user, String namespace,
    TableName tableName, RegionInfo[] regionInfos, String reason)
    throws IOException {
  if (namespace != null && !namespace.isEmpty()) {
    requireNamespacePermission(user, reason, namespace, null, Action.ADMIN, Action.CREATE);
  } else if (tableName != null || (regionInfos != null && regionInfos.length > 0)) {
    // So, either a table or regions op. If latter, check perms ons table.
    TableName tn = tableName != null? tableName: regionInfos[0].getTable();
    requireTablePermission(user, reason, tn, null, null,
        Action.ADMIN, Action.CREATE);
  } else {
    throw new DoNotRetryIOException("Invalid lock level when requesting permissions.");
  }
}
 
Example #17
Source File: TestPermissionBuilder.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testBuildGlobalPermission() {
  // check global permission with empty action
  Permission permission = Permission.newBuilder().build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(0, permission.getActions().length);

  // check global permission with ADMIN action
  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("A")).build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(1, permission.getActions().length);
  assertTrue(permission.getActions()[0] == Action.ADMIN);

  byte[] qualifier = Bytes.toBytes("q");
  try {
    permission = Permission.newBuilder().withQualifier(qualifier)
        .withActions(Action.CREATE, Action.READ).build();
    fail("Should throw NPE");
  } catch (NullPointerException e) {
    // catch NPE because set qualifier but table name is null
  }

  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("ACP"))
      .withActions(Action.READ, Action.ADMIN).build();
  assertEquals(3, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.CREATE, permission.getActions()[1]);
  assertEquals(Action.ADMIN, permission.getActions()[2]);
}
 
Example #18
Source File: TestNamespaceCommands.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testAclTableEntries() throws Exception {
  String userTestNamespace = "userTestNsp";
  Table acl = UTIL.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
  try {
    ListMultimap<String, UserPermission> perms =
        PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    for (Map.Entry<String, UserPermission> entry : perms.entries()) {
      LOG.debug(Objects.toString(entry));
    }
    assertEquals(6, perms.size());

    // Grant and check state in ACL table
    grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
    assertTrue(result != null);
    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(7, perms.size());
    List<UserPermission> namespacePerms = perms.get(userTestNamespace);
    assertTrue(perms.containsKey(userTestNamespace));
    assertEquals(1, namespacePerms.size());
    assertEquals(TEST_NAMESPACE,
      ((NamespacePermission) namespacePerms.get(0).getPermission()).getNamespace());
    assertEquals(1, namespacePerms.get(0).getPermission().getActions().length);
    assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getPermission().getActions()[0]);

    // Revoke and check state in ACL table
    revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(6, perms.size());
  } finally {
    acl.close();
  }
}
 
Example #19
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Returns <code>true</code> if the current user is allowed the given action
 * over at least one of the column qualifiers in the given column families.
 */
private boolean hasFamilyQualifierPermission(User user,
    Action perm,
    RegionCoprocessorEnvironment env,
    Map<byte[], ? extends Collection<byte[]>> familyMap)
  throws IOException {
  RegionInfo hri = env.getRegion().getRegionInfo();
  TableName tableName = hri.getTable();

  if (user == null) {
    return false;
  }

  if (familyMap != null && familyMap.size() > 0) {
    // at least one family must be allowed
    for (Map.Entry<byte[], ? extends Collection<byte[]>> family :
        familyMap.entrySet()) {
      if (family.getValue() != null && !family.getValue().isEmpty()) {
        for (byte[] qualifier : family.getValue()) {
          if (getAuthManager().authorizeUserTable(user, tableName,
                family.getKey(), qualifier, perm)) {
            return true;
          }
        }
      } else {
        if (getAuthManager().authorizeUserFamily(user, tableName, family.getKey(), perm)) {
          return true;
        }
      }
    }
  } else if (LOG.isDebugEnabled()) {
    LOG.debug("Empty family map passed for permission check");
  }

  return false;
}
 
Example #20
Source File: TestAccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testTableDeletion() throws Exception {
  User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
  final TableName tableName = TableName.valueOf(name.getMethodName());
  createTestTable(tableName);

  // Grant TABLE ADMIN privs
  grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tableName, null, null, Permission.Action.ADMIN);

  AccessTestAction deleteTableAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Connection unmanagedConnection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
      Admin admin = unmanagedConnection.getAdmin();
      try {
        deleteTable(TEST_UTIL, admin, tableName);
      } finally {
        admin.close();
        unmanagedConnection.close();
      }
      return null;
    }
  };

  verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
    USER_GROUP_WRITE);
  verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
 
Example #21
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Authorization check for
 * SecureBulkLoadProtocol.prepareBulkLoad()
 * @param ctx the context
 * @throws IOException
 */
@Override
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
  requireAccess(ctx, "prePrepareBulkLoad",
      ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
      Action.CREATE);
}
 
Example #22
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0 5 votes vote down vote up
@Override
public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
	RegionCoprocessorEnvironment env = e.getEnvironment();
	final Region region = env.getRegion();
	if (region == null) {
		LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
	} else {
		RegionInfo regionInfo = region.getRegionInfo();
		if (isSpecialTable(regionInfo)) {
			requireSystemOrSuperUser(regionEnv.getConfiguration(),e);
		} else {
			requirePermission(e, "open", getTableName(e.getEnvironment()), Action.ADMIN);
		}
	}
}
 
Example #23
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
    TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc)
    throws IOException {
  // TODO: potentially check if this is a add/modify/delete column operation
  requirePermission(c, "modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
  return newDesc;
}
 
Example #24
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
    throws IOException {
  // Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.
  requirePermission(ctx, "snapshot " + snapshot.getName(),
      hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
}
 
Example #25
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Increment increment)
    throws IOException {
  User user = getActiveUser(c);
  checkForReservedTagPresence(user, increment);

  // Require WRITE permission to the table, CF, and the KV to be replaced by
  // the incremented value
  RegionCoprocessorEnvironment env = c.getEnvironment();
  Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();
  AuthResult authResult = permissionGranted(OpType.INCREMENT,
      user, env, families, Action.WRITE);
  AccessChecker.logResult(authResult);
  if (!authResult.isAllowed()) {
    if (cellFeaturesEnabled && !compatibleEarlyTermination) {
      increment.setAttribute(CHECK_COVERING_PERM, TRUE);
    } else if (authorizationEnabled) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }

  byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
  if (bytes != null) {
    if (cellFeaturesEnabled) {
      addCellPermissions(bytes, increment.getFamilyCellMap());
    } else {
      throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
    }
  }

  return null;
}
 
Example #26
Source File: ShadedAccessControlUtil.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Converts a list of Permission.Action shaded proto to an array of client Permission.Action
 * objects.
 * @param protoActions the list of shaded protobuf Actions
 * @return the converted array of Actions
 */
public static Permission.Action[]
    toPermissionActions(List<AccessControlProtos.Permission.Action> protoActions) {
  Permission.Action[] actions = new Permission.Action[protoActions.size()];
  for (int i = 0; i < protoActions.size(); i++) {
    actions[i] = toPermissionAction(protoActions.get(i));
  }
  return actions;
}
 
Example #27
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
    TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
    Action... permissions) throws IOException {
  accessChecker.requireNamespacePermission(getActiveUser(ctx),
      request, namespace, tableName, familyMap,
      permissions);
}
 
Example #28
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
private void preGetUserPermissions(User caller, String userName, String namespace,
    TableName tableName, byte[] family, byte[] qualifier) throws IOException {
  if (tableName != null) {
    accessChecker.requirePermission(caller, "getUserPermissions", tableName, family, qualifier,
      userName, Action.ADMIN);
  } else if (namespace != null) {
    accessChecker.requireNamespacePermission(caller, "getUserPermissions", namespace, userName,
      Action.ADMIN);
  } else {
    accessChecker.requirePermission(caller, "getUserPermissions", userName, Action.ADMIN);
  }
}
 
Example #29
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,
    MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {
  if (cellFeaturesEnabled && !compatibleEarlyTermination) {
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    User user = getActiveUser(c);
    for (int i = 0; i < miniBatchOp.size(); i++) {
      Mutation m = miniBatchOp.getOperation(i);
      if (m.getAttribute(CHECK_COVERING_PERM) != null) {
        // We have a failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        OpType opType;
        if (m instanceof Put) {
          checkForReservedTagPresence(user, m);
          opType = OpType.PUT;
        } else {
          opType = OpType.DELETE;
        }
        AuthResult authResult = null;
        if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),
          m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) {
          authResult = AuthResult.allow(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        } else {
          authResult = AuthResult.deny(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        }
        AccessChecker.logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
          throw new AccessDeniedException("Insufficient permissions "
            + authResult.toContextString());
        }
      }
    }
  }
}
 
Example #30
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Check the current user for authorization to perform a specific action
 * against the given set of row data.
 * @param opType the operation type
 * @param user the user
 * @param e the coprocessor environment
 * @param families the map of column families to qualifiers present in
 * the request
 * @param actions the desired actions
 * @return an authorization result
 */
private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
    Map<byte [], ? extends Collection<?>> families, Action... actions) {
  AuthResult result = null;
  for (Action action: actions) {
    result = accessChecker.permissionGranted(opType.toString(), user, action,
      e.getRegion().getRegionInfo().getTable(), families);
    if (!result.isAllowed()) {
      return result;
    }
  }
  return result;
}