org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos Java Examples
The following examples show how to use
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.
Example #1
Source File: HBase.java From pxf with Apache License 2.0 | 6 votes |
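/**
 * Grants the given actions to {@code user} through the AccessControlService
 * coprocessor endpoint reached via the HBase ACL table: globally when
 * {@code table} is {@code null}, otherwise on that table only.
 *
 * <p>If authorization is not enabled (the {@code isAuthorizationEnabled} field is
 * false and {@code hbase.security.authorization} is not {@code "true"} in
 * {@code config}) the method only reports that fact and returns without granting
 * anything. No exception is raised in that case, so a caller that depends on the
 * grant having happened must verify the authorization setting itself.
 *
 * @param table   table to grant on, or {@code null} for a global grant
 * @param user    grantee name
 * @param actions actions to grant
 * @throws Exception whatever the ACL table lookup, the grant call or closing the
 *                   ACL table throws
 */
private void grantPermissions(Table table, String user, Action... actions) throws Exception {
    // NOTE(review): the whole config.toString() goes into the report; confirm that
    // this representation cannot carry credentials before sharing reports.
    ReportUtils.report(report, getClass(), config.toString());
    ReportUtils.report(report, getClass(), "grant request for user=" + user + " table" + table);

    String hbaseAuthEnabled = config.get("hbase.security.authorization");
    // Constant-first equals() is null-safe, so the separate null test is not needed.
    if (!isAuthorizationEnabled && !"true".equals(hbaseAuthEnabled)) {
        ReportUtils.report(report, getClass(),
                "HBase security authorization is not enabled, cannot grant permissions");
        return;
    }

    // try-with-resources closes the ACL table on every path and, unlike a
    // finally { close(); }, keeps a failure of the grant itself as the primary
    // exception instead of letting an exception from close() replace it.
    try (org.apache.hadoop.hbase.client.Table acl =
            connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
        BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
        AccessControlProtos.AccessControlService.BlockingInterface protocol =
                AccessControlProtos.AccessControlService.newBlockingStub(service);
        if (table == null) {
            ProtobufUtil.grant(protocol, user, actions);
        } else {
            ProtobufUtil.grant(protocol, user, TableName.valueOf(table.getName()), null, null, actions);
        }
    }
}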
Example #2
Source File: RangerAuthorizationCoprocessor.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Loads the Ranger HBase authorizer implementation through the plugin class
 * loader and caches the one instance under every interface this coprocessor
 * delegates to.
 *
 * <p>Any exception (class not found, instantiation failure, a failed cast) is
 * logged and swallowed. Fields that had not been assigned when the failure
 * happened are left untouched by this method.
 *
 * <p>NOTE(review): this class is the authorization coprocessor, so confirm that a
 * failed init ends in denied requests or a failed start, not in delegating calls
 * that run against an unset implementation.
 */
private void init() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAuthorizationCoprocessor.init()");
    }

    try {
        rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());

        // Resolve and initialise the implementation class inside the plugin class loader.
        Class<?> authorizerClass =
                Class.forName(RANGER_HBASE_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);

        activatePluginClassLoader();

        impl = authorizerClass.newInstance();

        // The casts run in this fixed order; a ClassCastException part-way through
        // leaves the earlier fields set and the later ones unassigned.
        implAccessControlService = (AccessControlProtos.AccessControlService.Interface) impl;
        implMasterCoprocessor = (MasterCoprocessor) impl;
        implRegionCoprocessor = (RegionCoprocessor) impl;
        implRegionServerCoporcessor = (RegionServerCoprocessor) impl;
        implMasterObserver = (MasterObserver) impl;
        implRegionObserver = (RegionObserver) impl;
        implRegionServerObserver = (RegionServerObserver) impl;
        implBulkLoadObserver = (BulkLoadObserver) impl;
        // implEndpointObserver = (EndpointObserver) impl;   (disabled in the original)
    } catch (Exception e) {
        // Original author's open question: decide what has to happen on failure.
        LOG.error("Error Enabling RangerHbasePlugin", e);
    } finally {
        // Runs on success and on failure, including when activation was never reached.
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAuthorizationCoprocessor.init()");
    }
}
Example #3
Source File: RangerAuthorizationCoprocessor.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Endpoint stub for the CheckPermissions RPC: writes one debug log line and
 * returns.
 *
 * <p>The request is not evaluated, no controller error is set and {@code done} is
 * never run in this body.
 *
 * <p>NOTE(review): confirm that no client treats the missing response of this
 * call as a successful permission check.
 *
 * @param controller RPC controller (unused here)
 * @param request    permissions to check (unused here)
 * @param done       response callback (not invoked here)
 */
@Override
public void checkPermissions(
        RpcController controller,
        AccessControlProtos.CheckPermissionsRequest request,
        RpcCallback<AccessControlProtos.CheckPermissionsResponse> done) {
    LOG.debug("checkPermissions(): ");
}
Example #4
Source File: RangerAuthorizationCoprocessor.java From ranger with Apache License 2.0 | 4 votes |
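/**
 * Answers the GetUserPermissions RPC with the permissions Ranger reports for the
 * requested scope (one table, one namespace, or global).
 *
 * <p>Each branch first requires ADMIN from the active user and only then reads
 * the resource ACLs as the login user via {@code User.runAsLoginUser}. The
 * elevated read must stay behind that check.
 *
 * <p>An {@link IOException} raised along the way is handed to {@code controller}
 * and {@code done} is then run with a {@code null} response. A table-scoped
 * request that carries no table name is reported the same way; previously it was
 * dereferenced and failed with a {@code NullPointerException}, which skipped both
 * the controller error and the callback.
 *
 * @param controller receives the exception when the lookup fails
 * @param request    scope (type plus table or namespace name) to list permissions for
 * @param done       callback run with the response, or {@code null} on failure
 */
@Override
public void getUserPermissions(RpcController controller,
        AccessControlProtos.GetUserPermissionsRequest request,
        RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
    AccessControlProtos.GetUserPermissionsResponse response = null;
    try {
        String operation = "userPermissions";
        final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        User user = getActiveUser(null);

        // Prefer the groups from _userUtils; fall back to the UGI's group names when that set is empty.
        Set<String> groups = _userUtils.getUserGroups(user);
        if (groups.isEmpty() && user.getUGI() != null) {
            String[] groupArray = user.getUGI().getGroupNames();
            if (groupArray != null) {
                groups = Sets.newHashSet(groupArray);
            }
        }

        RangerAccessRequestImpl rangerAccessrequest = new RangerAccessRequestImpl(
                resource, null, _userUtils.getUserAsString(user), groups, null);
        rangerAccessrequest.setAction(operation);
        rangerAccessrequest.setClientIPAddress(getRemoteAddress());
        rangerAccessrequest.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);

        List<UserPermission> perms = null;
        if (request.getType() == AccessControlProtos.Permission.Type.Table) {
            // Reject a table-scoped request without a table name instead of dereferencing null below.
            if (!request.hasTableName()) {
                throw new IOException("getUserPermissions(): table name is missing from a table-scoped request");
            }
            final TableName table = ProtobufUtil.toTableName(request.getTableName());
            requirePermission(null, operation, table.getName(), Action.ADMIN);
            resource.setValue(RangerHBaseResource.KEY_TABLE, table.getNameAsString());
            perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
                @Override
                public List<UserPermission> run() throws Exception {
                    return getUserPermissions(
                            hbasePlugin.getResourceACLs(rangerAccessrequest), table.getNameAsString(), false);
                }
            });
        } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
            final String namespace = request.getNamespaceName().toStringUtf8();
            requireGlobalPermission(null, "getUserPermissionForNamespace", namespace, Action.ADMIN);
            // The namespace is stored under the table key, followed by the namespace separator.
            resource.setValue(RangerHBaseResource.KEY_TABLE, namespace + RangerHBaseResource.NAMESPACE_SEPARATOR);
            rangerAccessrequest.setRequestData(namespace);
            perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
                @Override
                public List<UserPermission> run() throws Exception {
                    return getUserPermissions(
                            hbasePlugin.getResourceACLs(rangerAccessrequest), namespace, true);
                }
            });
        } else {
            requirePermission(null, operation, Action.ADMIN);
            perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
                @Override
                public List<UserPermission> run() throws Exception {
                    return getUserPermissions(
                            hbasePlugin.getResourceACLs(rangerAccessrequest), null, false);
                }
            });
            // A superuser is additionally listed with every action on the ACL table.
            if (_userUtils.isSuperUser(user)) {
                perms.add(new UserPermission(Bytes.toBytes(_userUtils.getUserAsString(user)),
                        AccessControlLists.ACL_TABLE_NAME, null, Action.values()));
            }
        }
        response = AccessControlUtil.buildGetUserPermissionsResponse(perms);
    } catch (IOException ioe) {
        // pass exception back up
        ResponseConverter.setControllerException(controller, ioe);
    }
    done.run(response);
}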
Example #5
Source File: RangerAuthorizationCoprocessor.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Translates an HBase revoke RPC into the {@code GrantRevokeRequest} this plugin
 * builds for Ranger.
 *
 * <p>Whatever actions the incoming permission names, the built request always
 * lists all five access types (read, write, create, admin, execute) and sets
 * delegate-admin, so one revoke strips everything for the user or group on that
 * resource. A user name starting with {@code GROUP_PREFIX} is treated as a group.
 *
 * @param request revoke request received from the client
 * @return the populated revoke request; grantor and grantor groups come from the
 *         active user and stay {@code null} when there is none
 * @throws Exception if the permission is null, the user name is empty, or none of
 *                   namespace / table / column family / qualifier is specified
 */
private GrantRevokeRequest createRevokeData(AccessControlProtos.RevokeRequest request) throws Exception {
    final AccessControlProtos.UserPermission protoUserPerm = request.getUserPermission();

    AccessControlProtos.Permission protoPerm = null;
    UserPermission userPerm = null;
    if (protoUserPerm != null) {
        protoPerm = protoUserPerm.getPermission();
        userPerm = AccessControlUtil.toUserPermission(protoUserPerm);
    }
    final String userName = (userPerm != null) ? Bytes.toString(userPerm.getUser()) : null;

    if (protoPerm == null) {
        throw new Exception("revoke(): invalid data - permission is null");
    }
    if (StringUtil.isEmpty(userName)) {
        throw new Exception("revoke(): invalid data - username empty");
    }

    String nameSpace = null;
    String tableName = null;
    String colFamily = null;
    String qualifier = null;

    switch (protoPerm.getType()) {
        case Namespace:
            nameSpace = userPerm.getNamespace();
            break;
        case Table:
            tableName = Bytes.toString(userPerm.getTableName().getName());
            colFamily = Bytes.toString(userPerm.getFamily());
            qualifier = Bytes.toString(userPerm.getQualifier());
            break;
        case Global:
            tableName = RangerHBaseResource.WILDCARD;
            colFamily = RangerHBaseResource.WILDCARD;
            qualifier = RangerHBaseResource.WILDCARD;
            break;
    }

    // At least one of the four resource parts has to be present.
    final boolean hasTarget = !StringUtil.isEmpty(nameSpace)
            || !StringUtil.isEmpty(tableName)
            || !StringUtil.isEmpty(colFamily)
            || !StringUtil.isEmpty(qualifier);
    if (!hasTarget) {
        throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
    }

    // Every part that is still empty widens to the wildcard.
    if (StringUtil.isEmpty(tableName)) {
        tableName = RangerHBaseResource.WILDCARD;
    }
    if (StringUtil.isEmpty(colFamily)) {
        colFamily = RangerHBaseResource.WILDCARD;
    }
    if (StringUtil.isEmpty(qualifier)) {
        qualifier = RangerHBaseResource.WILDCARD;
    }
    if (!StringUtil.isEmpty(nameSpace)) {
        tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName;
    }

    // The grantor is whoever is active on this call, not a value taken from the request.
    final User activeUser = getActiveUser(null);
    String grantor = null;
    String[] groupNames = null;
    if (activeUser != null) {
        grantor = activeUser.getShortName();
        groupNames = activeUser.getGroupNames();
    }
    Set<String> grantorGroups = null;
    if (groupNames != null && groupNames.length > 0) {
        grantorGroups = new HashSet<>(Arrays.asList(groupNames));
    }

    final Map<String, String> resourceSpec = new HashMap<>();
    resourceSpec.put(RangerHBaseResource.KEY_TABLE, tableName);
    resourceSpec.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily);
    resourceSpec.put(RangerHBaseResource.KEY_COLUMN, qualifier);

    final GrantRevokeRequest revoke = new GrantRevokeRequest();
    revoke.setGrantor(grantor);
    revoke.setGrantorGroups(grantorGroups);
    revoke.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
    revoke.setEnableAudit(Boolean.TRUE);
    revoke.setReplaceExistingPermissions(Boolean.TRUE);
    revoke.setResource(resourceSpec);
    revoke.setClientIPAddress(getRemoteAddress());
    // TODO (from the original): check with Knox proxy how forwarded addresses are handled.
    revoke.setForwardedAddresses(null);
    revoke.setRemoteIPAddress(getRemoteAddress());
    revoke.setRequestData(protoUserPerm.toString());

    if (userName.startsWith(GROUP_PREFIX)) {
        revoke.getGroups().add(userName.substring(GROUP_PREFIX.length()));
    } else {
        revoke.getUsers().add(userName);
    }

    // revoke removes all permissions
    revoke.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_READ);
    revoke.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
    revoke.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
    revoke.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
    revoke.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);

    return revoke;
}
Example #6
Source File: RangerAuthorizationCoprocessor.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Exposes this coprocessor as an AccessControlService endpoint.
 *
 * @return a single-element collection holding the reflective service that wraps
 *         {@code this}
 */
@Override
public Iterable<Service> getServices() {
    Service accessControlEndpoint =
            AccessControlProtos.AccessControlService.newReflectiveService(this);
    return Collections.singleton(accessControlEndpoint);
}