Java Code Examples for org.apache.hadoop.hbase.security.User#getShortName()

The following examples show how to use org.apache.hadoop.hbase.security.User#getShortName(). Follow the links above each example to reach the original project or source file; related API usage is listed on the sidebar.
Example 1
Source File: HBaseAtlasHook.java    From atlas with Apache License 2.0
public void sendHBaseTableOperation(TableDescriptor tableDescriptor, final TableName tableName, final OPERATION operation, ObserverContext<MasterCoprocessorEnvironment> ctx) {
    // Entry/exit trace lines bracket the call so a failure inside is easy to place in the log.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> HBaseAtlasHook.sendHBaseTableOperation()");
    }

    try {
        final UserGroupInformation ugi        = getUGI(ctx);
        final User                 activeUser = getActiveUser(ctx);
        // The active user may be absent; the operation context then carries a null user name.
        String shortName = null;
        if (activeUser != null) {
            shortName = activeUser.getShortName();
        }

        sendNotification(handleHBaseTableOperation(tableDescriptor, tableName, operation, ugi, shortName));
    } catch (Throwable t) {
        // Everything is caught and logged so a notification failure does not propagate to the coprocessor caller.
        LOG.error("<== HBaseAtlasHook.sendHBaseTableOperation(): failed to send notification", t);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HBaseAtlasHook.sendHBaseTableOperation()");
    }
}
 
Example 2
Source File: HBaseAtlasHook.java    From atlas with Apache License 2.0
public void sendHBaseNameSpaceOperation(final NamespaceDescriptor namespaceDescriptor, final String nameSpace, final OPERATION operation, ObserverContext<MasterCoprocessorEnvironment> ctx) {
    // Entry/exit trace lines bracket the call so a failure inside is easy to place in the log.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> HBaseAtlasHook.sendHBaseNameSpaceOperation()");
    }

    try {
        final UserGroupInformation ugi        = getUGI(ctx);
        final User                 activeUser = getActiveUser(ctx);
        // The active user may be absent; the operation context then carries a null user name.
        String shortName = null;
        if (activeUser != null) {
            shortName = activeUser.getShortName();
        }

        sendNotification(handleHBaseNameSpaceOperation(namespaceDescriptor, nameSpace, operation, ugi, shortName));
    } catch (Throwable t) {
        // Everything is caught and logged so a notification failure does not propagate to the coprocessor caller.
        LOG.error("HBaseAtlasHook.sendHBaseNameSpaceOperation(): failed to send notification", t);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HBaseAtlasHook.sendHBaseNameSpaceOperation()");
    }
}
 
Example 3
Source File: SIObserver.java    From spliceengine with GNU Affero General Public License v3.0
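/**
 * Denies access to a Splice-owned table unless the caller is the HBase service user,
 * is allowed by {@code RpcUtils}, or (when auth tokens are off) holds ADMIN permission.
 *
 * @throws AccessDeniedException when none of the allow conditions hold
 */
protected void checkAccess() throws AccessDeniedException {
    // Only Splice tables are guarded here.
    if (!spliceTable) {
        return;
    }

    // Without Hadoop security there is no authenticated identity to check against.
    if (!UserGroupInformation.isSecurityEnabled()) {
        return;
    }

    // orElse(null) rather than get(): an empty Optional (no request user bound to this call)
    // must take the "no user" branch below instead of escaping as NoSuchElementException.
    User user = RpcServer.getRequestUser().orElse(null);
    // NOTE(review): the "hbase" bypass is matched case-insensitively, so "HBase"/"HBASE" also pass — confirm intended.
    if (user == null || user.getShortName().equalsIgnoreCase("hbase")) {
        return;
    }

    if (RpcUtils.isAccessAllowed()) {
        return;
    }

    // ADMIN permission is only consulted when token-based auth is disabled.
    if (!authTokenEnabled && authManager.authorize(user, Permission.Action.ADMIN)) {
        return;
    }

    throw new AccessDeniedException("Insufficient permissions for user " + user.getShortName());
}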
 
Example 4
Source File: AccessChecker.java    From hbase with Apache License 2.0
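/**
 * Checks that the user has the given global permission. The generated
 * audit log message will contain context information for the operation
 * being authorized, based on the given parameters.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param perm      Action being requested
 * @param namespace The given namespace
 * @throws AccessDeniedException if the global check fails; the result is audit-logged first
 */
public void requireGlobalPermission(User user, String request, Action perm,
    String namespace) throws IOException {
  // Build the allow/deny result, then apply the namespace context and audit it exactly once on
  // both paths -- same shape as the table-scoped overload, so the two audit trails match.
  AuthResult authResult = authManager.authorizeUserGlobal(user, perm)
      ? AuthResult.allow(request, "Global check allowed", user, perm, null)
      : AuthResult.deny(request, "Global check failed", user, perm, null);
  authResult.getParams().setNamespace(namespace);
  logResult(authResult);
  if (!authResult.isAllowed()) {
    // Null-safe user name so composing the denial message cannot itself throw.
    throw new AccessDeniedException(
        "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null")
            + "' (global, action=" + perm + ")");
  }
}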
 
Example 5
Source File: AccessChecker.java    From hbase with Apache License 2.0
/**
 * Checks that the user has the given global permission. The generated
 * audit log message will contain context information for the operation
 * being authorized, based on the given parameters.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param perm      Action being requested
 * @param tableName Affected table name.
 * @param familyMap Affected column families.
 * @param filterUser User name to be filtered from permission as requested
 * @throws AccessDeniedException if the global check fails; the result is audit-logged first
 */
public void requireGlobalPermission(User user, String request,
    Action perm, TableName tableName,
    Map<byte[], ? extends Collection<byte[]>> familyMap, String filterUser) throws IOException {
  boolean allowed = authManager.authorizeUserGlobal(user, perm);
  AuthResult outcome = allowed
      ? AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap)
      : AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap);
  // Table/family context and the filterUser parameter are attached to both allow and deny
  // results so the audit record is complete either way.
  outcome.getParams().setTableName(tableName).setFamilies(familyMap);
  outcome.getParams().addExtraParam("filterUser", filterUser);
  logResult(outcome);
  if (outcome.isAllowed()) {
    return;
  }
  // Null-safe user name so composing the denial message cannot itself throw.
  String who = user != null ? user.getShortName() : "null";
  throw new AccessDeniedException(
      "Insufficient permissions for user '" + who + "' (global, action=" + perm.toString() + ")");
}
 
Example 6
Source File: BasePermissionsIT.java    From phoenix with Apache License 2.0
/**
 * Builds a deferred action that issues {@code GRANT '<actions>' TO '<user short name>'}
 * over a fresh connection and asserts the statement produced no result set.
 *
 * @param actions permission string granted verbatim
 * @param user    grantee; its short name is embedded in the SQL
 * @return the action; {@code run()} returns {@code null}
 */
private AccessTestAction grantPermissions(final String actions, final User user) throws SQLException {
    return new AccessTestAction() {
        @Override
        public Object run() throws Exception {
            try (Connection conn = getConnection();
                 Statement stmt = conn.createStatement()) {
                // The statement is assembled by concatenation from test-controlled fixture values
                // (actions, user short name); it is not parameterized and must not be fed untrusted input.
                String grantSql = "GRANT '" + actions + "' TO '" + user.getShortName() + "'";
                LOGGER.info("Grant Permissions SQL: " + grantSql);
                // GRANT yields no ResultSet, so execute() is expected to report false.
                assertFalse(stmt.execute(grantSql));
            }
            return null;
        }
    };
}
 
Example 7
Source File: AccessController.java    From hbase with Apache License 2.0
/**
 * Requires the active user to be a configured superuser; a no-op when authorization is disabled.
 *
 * @param activeUser user to check, may be null (then reported as {@code 'null'})
 * @throws AccessDeniedException when authorization is enabled and the user is not a superuser
 */
private void checkSystemOrSuperUser(User activeUser) throws IOException {
  // Skip the superuser lookup entirely when this check could never throw.
  if (authorizationEnabled && !Superusers.isSuperUser(activeUser)) {
    String who = activeUser == null ? "null" : activeUser.getShortName();
    throw new AccessDeniedException("User '" + who + "' is not system or super user.");
  }
}
 
Example 8
Source File: AccessController.java    From hbase with Apache License 2.0
@Override
public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Scan scan, final RegionScanner s) throws IOException {
  // Record the opening user's short name keyed by scanner, for later owner checks.
  // Scanners opened without a resolvable user are left unowned.
  User opener = getActiveUser(c);
  String ownerName = opener == null ? null : opener.getShortName();
  if (ownerName != null) {
    scannerOwners.put(s, ownerName);
  }
  return s;
}
 
Example 9
Source File: EnforcingScanLabelGenerator.java    From hbase with Apache License 2.0
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  String userName = user.getShortName();
  // Client-requested authorizations are never honored by this generator: they are only logged,
  // and the effective labels are always the cached user + group authorizations.
  if (authorizations != null) {
    LOG.warn("Dropping authorizations requested by user " + userName + ": " + authorizations);
  }
  Set<String> effective = new HashSet<>(this.labelsCache.getUserAuths(userName));
  effective.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return new ArrayList<>(effective);
}
 
Example 10
Source File: FeedUserAuthScanLabelGenerator.java    From hbase with Apache License 2.0
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  // Labels named by the client are returned unchanged (no filtering happens here); the cached
  // user + group authorizations are used only when the request names none.
  boolean clientSuppliedLabels = authorizations != null
      && authorizations.getLabels() != null
      && !authorizations.getLabels().isEmpty();
  if (clientSuppliedLabels) {
    return authorizations.getLabels();
  }
  String userName = user.getShortName();
  Set<String> effective = new HashSet<>(this.labelsCache.getUserAuths(userName));
  effective.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return new ArrayList<>(effective);
}
 
Example 11
Source File: DefinedSetFilterScanLabelGenerator.java    From hbase with Apache License 2.0
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  // No authorizations on the request: nothing to filter. Note the contract is null, not an empty list.
  if (authorizations == null) {
    return null;
  }
  List<String> requested = authorizations.getLabels();
  String userName = user.getShortName();
  Set<String> effective = new HashSet<>(this.labelsCache.getUserAuths(userName));
  effective.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  // Requested labels the user is not authorized for are silently dropped rather than rejected.
  return dropLabelsNotInUserAuths(requested, new ArrayList<>(effective), userName);
}
 
Example 12
Source File: VisibilityController.java    From hbase with Apache License 2.0
/**
 * Requires the calling user to hold system authorization for visibility-label operations.
 *
 * @throws IOException           if no calling user can be resolved
 * @throws AccessDeniedException if the user lacks system auth
 */
private void checkCallingUserAuth() throws IOException {
  if (!authorizationEnabled) { // Redundant, but just in case
    return;
  }
  // When an AccessController is present this check is skipped here (presumably it is enforced there — confirm).
  if (accessControllerAvailable) {
    return;
  }
  User caller = VisibilityUtils.getActiveUser();
  if (caller == null) {
    throw new IOException("Unable to retrieve calling user");
  }
  if (!this.visibilityLabelService.havingSystemAuth(caller)) {
    throw new AccessDeniedException("User '" + caller.getShortName()
        + "' is not authorized to perform this action.");
  }
}
 
Example 13
Source File: VisibilityController.java    From hbase with Apache License 2.0
@Override
public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Scan scan, final RegionScanner s) throws IOException {
  // Record the opening user's short name keyed by scanner, for later owner checks.
  // Scanners opened without a resolvable user are left unowned.
  User opener = VisibilityUtils.getActiveUser();
  String ownerName = opener == null ? null : opener.getShortName();
  if (ownerName != null) {
    scannerOwners.put(s, ownerName);
  }
  return s;
}
 
Example 14
Source File: HFileReplicator.java    From hbase with Apache License 2.0
/**
 * Creates a per-user, per-table staging directory under {@code baseDir} whose name ends in a
 * 320-bit random suffix so concurrent replications cannot collide or predict each other's path.
 *
 * @param baseDir   parent of the staging directory
 * @param user      user whose short name prefixes the directory
 * @param tableName table whose name (':' replaced by underscore) is embedded in the directory
 * @return the created staging directory
 */
private Path createStagingDir(Path baseDir, User user, TableName tableName) throws IOException {
  final int randomWidth = 320;
  final int randomRadix = 32;
  final String separator = UNDERSCORE + UNDERSCORE;
  // The namespace separator ':' must not appear in a directory name.
  String safeTableName = tableName.getNameAsString().replace(":", UNDERSCORE);
  // SecureRandom (not Random) so the suffix is hard to predict.
  String randomSuffix = new BigInteger(randomWidth, new SecureRandom()).toString(randomRadix);
  String stagingName = String.join(separator, user.getShortName(), safeTableName, randomSuffix);
  return createStagingDir(baseDir, user, stagingName);
}
 
Example 15
Source File: HbaseUserUtilsImpl.java    From ranger with Apache License 2.0
@Override
public String getUserAsString(User user) {
	// Fail loudly on a missing user rather than returning null.
	if (user == null) {
		throw new IllegalArgumentException("User is null!");
	}
	return user.getShortName();
}
 
Example 16
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
@Override
public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Scan scan, RegionScanner s) throws IOException {
	// Record the opening user's short name keyed by scanner, for later owner checks.
	// Scanners opened without a resolvable user are left unowned.
	User opener = getActiveUser(c);
	String ownerName = opener == null ? null : opener.getShortName();
	if (ownerName != null) {
		scannerOwners.put(s, ownerName);
	}
	return s;
}
 
Example 17
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
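/**
 * Ensures the RPC caller is the user recorded as the scanner's owner at open time.
 *
 * @param ctx coprocessor context used to resolve the active user
 * @param s   scanner being accessed
 * @throws AccessDeniedException if an owner is recorded and it is not the caller
 */
private void requireScannerOwner(ObserverContext<?> ctx, InternalScanner s) throws AccessDeniedException {
    // Outside an RPC call there is no caller identity to compare (presumably internal scans).
    if (!RpcServer.isInRpcCallContext()) {
        return;
    }

    // getActiveUser() may return null; resolving the name null-safely turns that into a denial
    // ("User 'null' ...") instead of a NullPointerException escaping the authorization check.
    User user = getActiveUser(ctx);
    String requestUserName = user == null ? null : user.getShortName();
    // A scanner with no recorded owner is not checked.
    String owner = scannerOwners.get(s);
    if (owner != null && !owner.equals(requestUserName)) {
        throw new AccessDeniedException("User '"+ requestUserName +"' is not the scanner owner!");
    }
}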
 
Example 18
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
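/**
 * Requires the active (RPC) user to be either the process's own system user or a superuser.
 *
 * @param conf unused; kept for signature compatibility
 * @param ctx  coprocessor context used to resolve the active user
 * @throws IOException           if the current process user cannot be obtained
 * @throws AccessDeniedException if the active user is missing, or is neither the system user nor a superuser
 */
protected void requireSystemOrSuperUser(Configuration conf, ObserverContext<?> ctx) throws IOException {
	User user = User.getCurrent();
	if (user == null) {
		throw new IOException("Unable to obtain the current user, authorization checks for internal operations will not work correctly!");
	}
	String systemUser = user.getShortName();
	User activeUser = getActiveUser(ctx);
	// Null-safe: a missing active user is denied rather than surfacing a NullPointerException.
	String activeUserName = activeUser == null ? null : activeUser.getShortName();
	if (activeUser == null
			|| (!Objects.equals(systemUser, activeUserName) && !_userUtils.isSuperUser(activeUser))) {
		// Name the *active* user that was denied (previously the system user was reported, and the
		// closing quote was missing).
		throw new AccessDeniedException("User '" + activeUserName + "' is not system or super user.");
	}
}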
 
Example 19
Source File: RangerAuthorizationCoprocessor.java    From ranger with Apache License 2.0
/**
 * Translates an HBase protobuf revoke request into a Ranger {@link GrantRevokeRequest}.
 * The grantor is the currently active user; the resource is expanded to wildcards where the
 * request does not narrow it, and every access type is revoked regardless of the action requested.
 *
 * @param request incoming revoke request
 * @return the Ranger request to execute
 * @throws Exception if the permission or user name is missing, or no resource is addressed
 */
private GrantRevokeRequest createRevokeData(AccessControlProtos.RevokeRequest request) throws Exception {
	AccessControlProtos.UserPermission up = request.getUserPermission();
	AccessControlProtos.Permission perm = (up == null) ? null : up.getPermission();

	UserPermission userPerm = (up == null) ? null : AccessControlUtil.toUserPermission(up);
	String userName = (userPerm == null) ? null : Bytes.toString(userPerm.getUser());

	if (perm == null) {
		throw new Exception("revoke(): invalid data - permission is null");
	}

	if (StringUtil.isEmpty(userName)) {
		throw new Exception("revoke(): invalid data - username empty");
	}

	String nameSpace = null;
	String tableName = null;
	String colFamily = null;
	String qualifier = null;

	switch (perm.getType()) {
		case Global:
			tableName = RangerHBaseResource.WILDCARD;
			colFamily = RangerHBaseResource.WILDCARD;
			qualifier = RangerHBaseResource.WILDCARD;
			break;

		case Table:
			tableName = Bytes.toString(userPerm.getTableName().getName());
			colFamily = Bytes.toString(userPerm.getFamily());
			qualifier = Bytes.toString(userPerm.getQualifier());
			break;

		case Namespace:
			nameSpace = userPerm.getNamespace();
			break;
	}

	if (StringUtil.isEmpty(nameSpace) && StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
		throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
	}

	// Unspecified resource parts widen to the wildcard.
	if (StringUtil.isEmpty(tableName)) {
		tableName = RangerHBaseResource.WILDCARD;
	}
	if (StringUtil.isEmpty(colFamily)) {
		colFamily = RangerHBaseResource.WILDCARD;
	}
	if (StringUtil.isEmpty(qualifier)) {
		qualifier = RangerHBaseResource.WILDCARD;
	}

	// A namespace revoke is expressed as "<namespace><sep><table>" on the table key.
	if (!StringUtil.isEmpty(nameSpace)) {
		tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName;
	}

	// The grantor is whoever is issuing the revoke, if that can be resolved.
	User activeUser = getActiveUser(null);
	String grantor = null;
	Set<String> grantorGroups = null;
	if (activeUser != null) {
		grantor = activeUser.getShortName();
		String[] groups = activeUser.getGroupNames();
		if (groups != null && groups.length > 0) {
			grantorGroups = new HashSet<>(Arrays.asList(groups));
		}
	}

	Map<String, String> resource = new HashMap<>();
	resource.put(RangerHBaseResource.KEY_TABLE, tableName);
	resource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily);
	resource.put(RangerHBaseResource.KEY_COLUMN, qualifier);

	GrantRevokeRequest ret = new GrantRevokeRequest();
	ret.setGrantor(grantor);
	ret.setGrantorGroups(grantorGroups);
	ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
	ret.setEnableAudit(Boolean.TRUE);
	ret.setReplaceExistingPermissions(Boolean.TRUE);
	ret.setResource(resource);
	ret.setClientIPAddress(getRemoteAddress());
	ret.setForwardedAddresses(null);//TODO: Need to check with Knox proxy how they handle forwarded add.
	ret.setRemoteIPAddress(getRemoteAddress());
	ret.setRequestData(up.toString());

	// Group principals carry a prefix; strip it and route to the groups list.
	if (userName.startsWith(GROUP_PREFIX)) {
		ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
	} else {
		ret.getUsers().add(userName);
	}

	// revoke removes all permissions
	ret.getAccessTypes().addAll(Arrays.asList(
			HbaseAuthUtils.ACCESS_TYPE_READ,
			HbaseAuthUtils.ACCESS_TYPE_WRITE,
			HbaseAuthUtils.ACCESS_TYPE_CREATE,
			HbaseAuthUtils.ACCESS_TYPE_ADMIN,
			HbaseAuthUtils.ACCESS_TYPE_EXECUTE));

	return ret;
}
 
Example 20
Source File: TestAccessController.java    From hbase with Apache License 2.0
/**
 * Verifies that the owner listed in the table descriptor is reported with all actions, that
 * grants and revokes for a test user show up in (and disappear from) the permission list, and
 * that changing the owner via modifyTable transfers the full-permission entry to the new owner.
 */
@Test
public void testPermissionList() throws Exception {
  final TableName tableName = TableName.valueOf(name.getMethodName());
  final byte[] family1 = Bytes.toBytes("f1");
  final byte[] family2 = Bytes.toBytes("f2");
  final byte[] qualifier = Bytes.toBytes("q");

  // create table
  Admin admin = TEST_UTIL.getAdmin();
  if (admin.tableExists(tableName)) {
    deleteTable(TEST_UTIL, tableName);
  }
  TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
    new TableDescriptorBuilder.ModifyableTableDescriptor(tableName);
  tableDescriptor.setColumnFamily(
    new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(family1));
  tableDescriptor.setColumnFamily(
    new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(family2));
  tableDescriptor.setOwner(USER_OWNER);
  createTable(TEST_UTIL, tableDescriptor);
  try {
    List<UserPermission> perms =
        admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build());
    // The owner entry is keyed by the full name (getName), while grants below use the short name.
    UserPermission ownerperm = new UserPermission(USER_OWNER.getName(),
        Permission.newBuilder(tableName).withActions(Action.values()).build());
    assertTrue("Owner should have all permissions on table",
      hasFoundUserPermission(ownerperm, perms));

    User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
    String userName = user.getShortName();

    UserPermission up =
        new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1)
            .withQualifier(qualifier).withActions(Permission.Action.READ).build());
    assertFalse("User should not be granted permission: " + up.toString(),
      hasFoundUserPermission(up, perms));

    // grant read permission
    grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
      Permission.Action.READ);

    perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build());
    UserPermission upToVerify =
        new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1)
            .withQualifier(qualifier).withActions(Permission.Action.READ).build());
    assertTrue("User should be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    // READ alone must not be reported as WRITE.
    upToVerify = new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1)
        .withQualifier(qualifier).withActions(Permission.Action.WRITE).build());
    assertFalse("User should not be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    // grant read+write
    grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
      Permission.Action.WRITE, Permission.Action.READ);

    perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build());
    upToVerify = new UserPermission(userName,
        Permission.newBuilder(tableName).withFamily(family1).withQualifier(qualifier)
            .withActions(Permission.Action.WRITE, Permission.Action.READ).build());
    assertTrue("User should be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    // revoke
    revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
      Permission.Action.WRITE, Permission.Action.READ);

    perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build());
    assertFalse("User should not be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    // disable table before modification
    admin.disableTable(tableName);

    // NOTE(review): uses `conf` here but TEST_UTIL.getConfiguration() above — presumably the same object; confirm.
    User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {});
    tableDescriptor.setOwner(newOwner);
    admin.modifyTable(tableDescriptor);

    perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build());
    UserPermission newOwnerperm = new UserPermission(newOwner.getName(),
        Permission.newBuilder(tableName).withActions(Action.values()).build());
    assertTrue("New owner should have all permissions on table",
      hasFoundUserPermission(newOwnerperm, perms));
  } finally {
    // delete table
    deleteTable(TEST_UTIL, tableName);
  }
}