org.apache.hadoop.hbase.security.access.UserPermission Java Examples
The following examples show how to use
org.apache.hadoop.hbase.security.access.UserPermission.
Example #1
Source File: PhoenixAccessController.java From phoenix with Apache License 2.0 | 6 votes |
/**
 * Collects every entry of {@code perms} whose user equals {@code user}.
 *
 * <p>Multiple AccessControl coprocessor implementations can each supply entries for the same
 * user, so all matching entries are returned instead of only the first.
 *
 * @param perms permission entries to search; may be {@code null}
 * @param user user name matched with an exact, case-sensitive {@code equals}
 * @return the matching entries, or {@code null} (never an empty list) when {@code perms} is
 *     {@code null} or no entry matches
 */
private List<UserPermission> getPermissionForUser(List<UserPermission> perms, String user) {
  if (perms == null) {
    return null;
  }
  List<UserPermission> matches = new ArrayList<>();
  for (UserPermission candidate : perms) {
    String owner = getUserFromUP(candidate);
    if (owner.equals(user)) {
      matches.add(candidate);
    }
  }
  // An empty result is reported as null, exactly like a null input.
  return matches.isEmpty() ? null : matches;
}
Example #2
Source File: HBasePartitionAdmin.java From spliceengine with GNU Affero General Public License v3.0 | 5 votes |
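/**
 * Checks whether the user holds CREATE on the given table.
 *
 * <p>The check is repeated for the name as given, its upper-case form and its lower-case form,
 * and it fails closed: the result is {@code false} as soon as any of the three spellings has no
 * entry or an entry that does not imply CREATE.
 *
 * <p>Case mapping uses {@link java.util.Locale#ROOT}. The no-argument
 * {@code toUpperCase()}/{@code toLowerCase()} depend on the JVM default locale (for example the
 * Turkish dotted/dotless i), which would make an authorization decision vary with host settings.
 *
 * @param tableName table whose permissions are fetched and tested
 * @param userName user to test; must not be {@code null}
 * @return {@code true} only if every spelling of the user name has an entry implying CREATE
 * @throws Throwable whatever {@code AccessControlClient.getUserPermissions} propagates
 */
private boolean hasCreatePrivilege(String tableName, String userName) throws Throwable {
  List<UserPermission> permissions =
      AccessControlClient.getUserPermissions(admin.getConnection(), tableName);
  List<String> spellings = Arrays.asList(
      userName,
      userName.toUpperCase(java.util.Locale.ROOT),
      userName.toLowerCase(java.util.Locale.ROOT));
  for (String user : spellings) {
    UserPermission up = getPermission(permissions, user);
    if (up == null
        || !up.implies(TableName.valueOf(tableName), null, null, Permission.Action.CREATE)) {
      return false;
    }
  }
  return true;
}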
Example #3
Source File: RawAsyncHBaseAdmin.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Asynchronously fetches user permissions matching the request.
 *
 * <p>The client-side request is converted with
 * {@code ShadedAccessControlUtil.buildGetUserPermissionsRequest}, the stub's
 * {@code getUserPermissions} is invoked, and each entry of the response is converted back with
 * {@code ShadedAccessControlUtil.toUserPermission}.
 *
 * @param getUserPermissionsRequest filter describing which permissions to return
 * @return a future completing with the converted permission list
 */
@Override
public CompletableFuture<List<UserPermission>> getUserPermissions(
    GetUserPermissionsRequest getUserPermissionsRequest) {
  return this.<List<UserPermission>> newMasterCaller()
    .action((rpcController, masterStub) -> this
      .<AccessControlProtos.GetUserPermissionsRequest, GetUserPermissionsResponse,
        List<UserPermission>> call(rpcController, masterStub,
          ShadedAccessControlUtil.buildGetUserPermissionsRequest(getUserPermissionsRequest),
          (service, ctrl, protoRequest, callback) ->
            service.getUserPermissions(ctrl, protoRequest, callback),
          response -> response.getUserPermissionList().stream()
            .map(protoPerm -> ShadedAccessControlUtil.toUserPermission(protoPerm))
            .collect(Collectors.toList())))
    .call();
}
Example #4
Source File: RawAsyncHBaseAdmin.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Asynchronously revokes the given user permission.
 *
 * <p>The permission is wrapped with {@code ShadedAccessControlUtil.buildRevokeRequest} and sent
 * through the stub's {@code revoke}; the response body is discarded.
 *
 * @param userPermission user and permission to revoke
 * @return a future completing with {@code null} once the call has returned
 */
@Override
public CompletableFuture<Void> revoke(UserPermission userPermission) {
  return this.<Void> newMasterCaller()
    .action((rpcController, masterStub) -> this.<RevokeRequest, RevokeResponse, Void> call(
      rpcController, masterStub,
      ShadedAccessControlUtil.buildRevokeRequest(userPermission),
      (service, ctrl, protoRequest, callback) -> service.revoke(ctrl, protoRequest, callback),
      ignoredResponse -> null))
    .call();
}
Example #5
Source File: RawAsyncHBaseAdmin.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Asynchronously grants the given user permission.
 *
 * <p>The permission and the merge flag are wrapped with
 * {@code ShadedAccessControlUtil.buildGrantRequest} and sent through the stub's {@code grant};
 * the response body is discarded.
 *
 * @param userPermission user and permission to grant
 * @param mergeExistingPermissions forwarded unchanged into the grant request
 * @return a future completing with {@code null} once the call has returned
 */
@Override
public CompletableFuture<Void> grant(UserPermission userPermission,
    boolean mergeExistingPermissions) {
  return this.<Void> newMasterCaller()
    .action((rpcController, masterStub) -> this.<GrantRequest, GrantResponse, Void> call(
      rpcController, masterStub,
      ShadedAccessControlUtil.buildGrantRequest(userPermission, mergeExistingPermissions),
      (service, ctrl, protoRequest, callback) -> service.grant(ctrl, protoRequest, callback),
      ignoredResponse -> null))
    .call();
}
Example #6
Source File: SnapshotDescriptionUtils.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Returns a copy of {@code snapshot} that carries the table's current permissions.
 *
 * <p>The table permissions are read inside {@code User.runAsLoginUser}, i.e. under the login
 * user rather than the requesting user, and are then stored in the snapshot description via
 * {@code setUsersAndPermissions}. The resulting description therefore embeds ACL data.
 *
 * @param snapshot description whose table name selects the permissions to read
 * @param conf configuration passed to {@code PermissionStorage.getTablePermissions}
 * @return a rebuilt description including the users and permissions
 * @throws IOException if reading the permissions fails
 */
private static SnapshotDescription writeAclToSnapshotDescription(SnapshotDescription snapshot,
    Configuration conf) throws IOException {
  PrivilegedExceptionAction<ListMultimap<String, UserPermission>> readTableAcl =
    new PrivilegedExceptionAction<ListMultimap<String, UserPermission>>() {
      @Override
      public ListMultimap<String, UserPermission> run() throws Exception {
        return PermissionStorage.getTablePermissions(conf,
          TableName.valueOf(snapshot.getTable()));
      }
    };
  ListMultimap<String, UserPermission> tableAcl = User.runAsLoginUser(readTableAcl);
  return snapshot.toBuilder()
    .setUsersAndPermissions(ShadedAccessControlUtil.toUserTablePermissions(tableAcl))
    .build();
}
Example #7
Source File: MasterRpcServices.java From hbase with Apache License 2.0 | 5 votes |
/**
 * RPC entry point that removes a user permission from the ACL table.
 *
 * <p>Order of operations: initialization check, {@code preRevoke} hook, removal from
 * {@code PermissionStorage.ACL_TABLE_NAME}, {@code postRevoke} hook, audit record.
 *
 * <p>NOTE(review): no caller authorization is visible in this method; presumably it is enforced
 * by the {@code preRevoke} coprocessor hook - confirm. The audit record is emitted only when
 * {@code AUDITLOG} has TRACE enabled, so that level must be on for permission changes to be
 * recorded.
 *
 * @param controller RPC controller (unused here)
 * @param request carries the user permission to revoke
 * @return the default {@code RevokeResponse} instance
 * @throws ServiceException wrapping any {@code IOException}, including the
 *     {@code DoNotRetryIOException} raised when the access-control coprocessor is not loaded
 */
@Override
public RevokeResponse revoke(RpcController controller, RevokeRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    // Refuse outright when no access-control service coprocessor is available.
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      throw new DoNotRetryIOException(
        new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final UserPermission userPermission =
      ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
    master.cpHost.preRevoke(userPermission);
    try (Table aclTable = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.removeUserPermission(master.getConfiguration(), userPermission,
        aclTable);
    }
    master.cpHost.postRevoke(userPermission);
    // caller is null when the RPC layer reports no request user.
    User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should record all permission changes
      String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller,
        remoteAddress, userPermission);
    }
    return RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
Example #8
Source File: MasterRpcServices.java From hbase with Apache License 2.0 | 5 votes |
/**
 * RPC entry point that adds a user permission to the ACL table.
 *
 * <p>Order of operations: initialization check, {@code preGrant} hook, write to
 * {@code PermissionStorage.ACL_TABLE_NAME}, {@code postGrant} hook, audit record.
 *
 * <p>NOTE(review): no caller authorization is visible in this method; presumably it is enforced
 * by the {@code preGrant} coprocessor hook - confirm. The audit record is emitted only when
 * {@code AUDITLOG} has TRACE enabled, so that level must be on for permission changes to be
 * recorded.
 *
 * @param controller RPC controller (unused here)
 * @param request carries the user permission and the merge flag
 * @return the default {@code GrantResponse} instance
 * @throws ServiceException wrapping any {@code IOException}, including the
 *     {@code DoNotRetryIOException} raised when the access-control coprocessor is not loaded
 */
@Override
public GrantResponse grant(RpcController controller, GrantRequest request)
    throws ServiceException {
  try {
    master.checkInitialized();
    // Refuse outright when no access-control service coprocessor is available.
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      throw new DoNotRetryIOException(
        new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final UserPermission perm =
      ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
    boolean mergeExistingPermissions = request.getMergeExistingPermissions();
    master.cpHost.preGrant(perm, mergeExistingPermissions);
    try (Table aclTable = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      PermissionStorage.addUserPermission(getConfiguration(), perm, aclTable,
        mergeExistingPermissions);
    }
    master.cpHost.postGrant(perm, mergeExistingPermissions);
    // caller is null when the RPC layer reports no request user.
    User caller = RpcServer.getRequestUser().orElse(null);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should store permission changes in addition to auth results
      String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller,
        remoteAddress, perm);
    }
    return GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
Example #9
Source File: MasterCoprocessorHost.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Passes an operation that calls {@code observer.postRevoke} to {@code execOperation}.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation.
 *
 * @param userPermission the permission that was revoked, forwarded to the observer
 * @throws IOException if {@code execOperation} or the observer call fails
 */
public void postRevoke(UserPermission userPermission) throws IOException {
  MasterObserverOperation notifyObservers = null;
  if (!coprocEnvironments.isEmpty()) {
    notifyObservers = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        observer.postRevoke(this, userPermission);
      }
    };
  }
  execOperation(notifyObservers);
}
Example #10
Source File: MasterCoprocessorHost.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Passes an operation that calls {@code observer.preRevoke} to {@code execOperation}.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation,
 * so no observer is consulted before the revoke proceeds.
 *
 * @param userPermission the permission about to be revoked, forwarded to the observer
 * @throws IOException if {@code execOperation} or the observer call fails
 */
public void preRevoke(UserPermission userPermission) throws IOException {
  MasterObserverOperation notifyObservers = null;
  if (!coprocEnvironments.isEmpty()) {
    notifyObservers = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        observer.preRevoke(this, userPermission);
      }
    };
  }
  execOperation(notifyObservers);
}
Example #11
Source File: MasterCoprocessorHost.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Passes an operation that calls {@code observer.postGrant} to {@code execOperation}.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation.
 *
 * @param userPermission the permission that was granted, forwarded to the observer
 * @param mergeExistingPermissions forwarded unchanged to the observer
 * @throws IOException if {@code execOperation} or the observer call fails
 */
public void postGrant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  MasterObserverOperation notifyObservers = null;
  if (!coprocEnvironments.isEmpty()) {
    notifyObservers = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        observer.postGrant(this, userPermission, mergeExistingPermissions);
      }
    };
  }
  execOperation(notifyObservers);
}
Example #12
Source File: MasterCoprocessorHost.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Passes an operation that calls {@code observer.preGrant} to {@code execOperation}.
 *
 * <p>When {@code coprocEnvironments} is empty, {@code null} is passed instead of an operation,
 * so no observer is consulted before the grant proceeds.
 *
 * @param userPermission the permission about to be granted, forwarded to the observer
 * @param mergeExistingPermissions forwarded unchanged to the observer
 * @throws IOException if {@code execOperation} or the observer call fails
 */
public void preGrant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  MasterObserverOperation notifyObservers = null;
  if (!coprocEnvironments.isEmpty()) {
    notifyObservers = new MasterObserverOperation() {
      @Override
      public void call(MasterObserver observer) throws IOException {
        observer.preGrant(this, userPermission, mergeExistingPermissions);
      }
    };
  }
  execOperation(notifyObservers);
}
Example #13
Source File: HBasePartitionAdmin.java From spliceengine with GNU Affero General Public License v3.0 | 5 votes |
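/**
 * Checks whether the user holds WRITE, READ and EXEC on the given namespace.
 *
 * <p>Permissions are fetched for {@code "@" + spliceNamespace}. The check is repeated for the
 * name as given, its upper-case form and its lower-case form, and it fails closed: the result
 * is {@code false} as soon as any spelling has no entry or lacks one of the three actions.
 *
 * <p>Case mapping uses {@link java.util.Locale#ROOT}. The no-argument
 * {@code toUpperCase()}/{@code toLowerCase()} depend on the JVM default locale (for example the
 * Turkish dotted/dotless i), which would make an authorization decision vary with host settings.
 *
 * @param userName user to test; must not be {@code null}
 * @param spliceNamespace namespace whose permissions are fetched and tested
 * @return {@code true} only if every spelling of the user name implies all three actions
 * @throws Throwable whatever {@code AccessControlClient.getUserPermissions} propagates
 */
private boolean hasPrivileges(String userName, String spliceNamespace) throws Throwable {
  List<UserPermission> permissions =
      AccessControlClient.getUserPermissions(admin.getConnection(), "@" + spliceNamespace);
  List<String> spellings = Arrays.asList(
      userName,
      userName.toUpperCase(java.util.Locale.ROOT),
      userName.toLowerCase(java.util.Locale.ROOT));
  for (String user : spellings) {
    UserPermission up = getPermission(permissions, user);
    if (up == null) {
      return false;
    }
    for (Permission.Action action : Arrays.asList(Permission.Action.WRITE,
        Permission.Action.READ, Permission.Action.EXEC)) {
      if (!up.implies(spliceNamespace, action)) {
        return false;
      }
    }
  }
  return true;
}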
Example #14
Source File: HBasePartitionAdmin.java From spliceengine with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Returns the first entry whose user bytes equal the encoded {@code userName}.
 *
 * <p>The comparison is an exact byte comparison, so it is case-sensitive; any case folding has
 * to be done by the caller.
 *
 * @param permissions entries to scan in order; must not be {@code null}
 * @param userName user name to look for
 * @return the first matching entry, or {@code null} when none matches
 */
private UserPermission getPermission(List<UserPermission> permissions, String userName) {
  for (UserPermission candidate : permissions) {
    byte[] owner = candidate.getUser();
    byte[] wanted = Bytes.toBytes(userName);
    if (Bytes.equals(owner, wanted)) {
      return candidate;
    }
  }
  return null;
}
Example #15
Source File: AdminOverAsyncAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Delegates to {@code admin.grant} and hands its result to {@code get(...)}.
 *
 * @param userPermission user and permission to grant
 * @param mergeExistingPermissions forwarded unchanged to the delegate
 * @throws IOException if the delegated call fails
 */
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  get(
    admin.grant(userPermission, mergeExistingPermissions));
}
Example #16
Source File: ThriftAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Always fails: this admin implementation does not support revoking permissions.
 *
 * @param userPermission ignored
 * @throws NotImplementedException on every call
 */
@Override
public void revoke(UserPermission userPermission) {
  final String reason = "revoke not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
Example #17
Source File: AdminOverAsyncAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Delegates to {@code admin.revoke} and hands its result to {@code get(...)}.
 *
 * @param userPermission user and permission to revoke
 * @throws IOException if the delegated call fails
 */
@Override
public void revoke(UserPermission userPermission) throws IOException {
  get(
    admin.revoke(userPermission));
}
Example #18
Source File: AdminOverAsyncAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Delegates to {@code admin.getUserPermissions} and returns what {@code get(...)} yields for it.
 *
 * @param getUserPermissionsRequest filter describing which permissions to return
 * @return the permissions produced by the delegate
 * @throws IOException if the delegated call fails
 */
@Override
public List<UserPermission> getUserPermissions(
    GetUserPermissionsRequest getUserPermissionsRequest) throws IOException {
  return get(
    admin.getUserPermissions(getUserPermissionsRequest));
}
Example #19
Source File: CompatPermissionUtil.java From phoenix with Apache License 2.0 | 4 votes |
/**
 * Returns the user of a permission entry as a string.
 *
 * <p>In this variant {@code getUser()} yields bytes, which are decoded with
 * {@code Bytes.toString}.
 *
 * @param userPermission entry to read; must not be {@code null}
 * @return the decoded user name
 */
public static String getUserFromUP(UserPermission userPermission) {
  byte[] rawUser = userPermission.getUser();
  return Bytes.toString(rawUser);
}
Example #20
Source File: CompatPermissionUtil.java From phoenix with Apache License 2.0 | 4 votes |
/**
 * Returns the permission part of an entry.
 *
 * <p>In this variant the entry itself is returned as a {@code Permission}; no copy is made.
 *
 * @param userPermission entry to expose as a {@code Permission}
 * @return the same object that was passed in
 */
public static Permission getPermissionFromUP(UserPermission userPermission) {
  Permission asPermission = userPermission;
  return asPermission;
}
Example #21
Source File: CompatPermissionUtil.java From phoenix with Apache License 2.0 | 4 votes |
/**
 * Returns the user of a permission entry as a string.
 *
 * <p>In this variant {@code getUser()} already yields a {@code String}, so no decoding is done.
 *
 * @param userPermission entry to read; must not be {@code null}
 * @return the user name stored in the entry
 */
public static String getUserFromUP(UserPermission userPermission) {
  String user = userPermission.getUser();
  return user;
}
Example #22
Source File: CompatPermissionUtil.java From phoenix with Apache License 2.0 | 4 votes |
/**
 * Returns the permission part of an entry.
 *
 * <p>In this variant the permission is obtained from {@code getPermission()}.
 *
 * @param userPermission entry to read; must not be {@code null}
 * @return the permission held by the entry
 */
public static Permission getPermissionFromUP(UserPermission userPermission) {
  Permission permission = userPermission.getPermission();
  return permission;
}
Example #23
Source File: CompatPermissionUtil.java From phoenix with Apache License 2.0 | 4 votes |
/**
 * Returns the user of a permission entry as a string.
 *
 * <p>In this variant {@code getUser()} yields bytes, which are decoded with
 * {@code Bytes.toString}.
 *
 * @param userPermission entry to read; must not be {@code null}
 * @return the decoded user name
 */
public static String getUserFromUP(UserPermission userPermission) {
  byte[] rawUser = userPermission.getUser();
  return Bytes.toString(rawUser);
}
Example #24
Source File: CompatPermissionUtil.java From phoenix with Apache License 2.0 | 4 votes |
/**
 * Returns the permission part of an entry.
 *
 * <p>In this variant the entry itself is returned as a {@code Permission}; no copy is made.
 *
 * @param userPermission entry to expose as a {@code Permission}
 * @return the same object that was passed in
 */
public static Permission getPermissionFromUP(UserPermission userPermission) {
  Permission asPermission = userPermission;
  return asPermission;
}
Example #25
Source File: VerifyingRSGroupAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Forwards the revoke request unchanged to the wrapped {@code admin}.
 *
 * @param userPermission user and permission to revoke
 * @throws IOException if the wrapped call fails
 */
public void revoke(UserPermission userPermission) throws IOException {
  // Pure pass-through: nothing is checked or recorded at this layer.
  admin.revoke(userPermission);
}
Example #26
Source File: ThriftAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Always fails: this admin implementation does not support granting permissions.
 *
 * @param userPermission ignored
 * @param mergeExistingPermissions ignored
 * @throws NotImplementedException on every call
 */
@Override
public void grant(UserPermission userPermission, boolean mergeExistingPermissions) {
  final String reason = "grant not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
Example #27
Source File: ThriftAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Always fails: this admin implementation does not support listing user permissions.
 *
 * @param getUserPermissionsRequest ignored
 * @return never returns normally
 * @throws NotImplementedException on every call
 */
@Override
public List<UserPermission> getUserPermissions(
    GetUserPermissionsRequest getUserPermissionsRequest) {
  final String reason = "getUserPermissions not supported in ThriftAdmin";
  throw new NotImplementedException(reason);
}
Example #28
Source File: MasterRpcServices.java From hbase with Apache License 2.0 | 4 votes |
/**
 * RPC entry point that lists user permissions at table, namespace or global scope.
 *
 * <p>Optional request fields (user name, namespace, table, column family, column qualifier,
 * type) become {@code null} when absent. The permission type selects which
 * {@code PermissionStorage} lookup runs; any type other than Table or Namespace, including an
 * absent one, takes the global lookup. Results are filtered by user when a user name is given
 * (and, for tables, also when a column family is given).
 *
 * <p>NOTE(review): no caller authorization is visible in this method; presumably it is enforced
 * by the {@code preGetUserPermissions} coprocessor hook - confirm.
 *
 * @param controller RPC controller (unused here)
 * @param request filter describing which permissions to return
 * @return response built from the collected permissions
 * @throws ServiceException wrapping any {@code IOException}, including the
 *     {@code DoNotRetryIOException} raised when the access-control coprocessor is not loaded
 */
@Override
public GetUserPermissionsResponse getUserPermissions(RpcController controller,
    GetUserPermissionsRequest request) throws ServiceException {
  try {
    master.checkInitialized();
    // Refuse outright when no access-control service coprocessor is available.
    if (master.cpHost == null || !hasAccessControlServiceCoprocessor(master.cpHost)) {
      throw new DoNotRetryIOException(
        new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
    }
    final String userName = request.hasUserName() ? request.getUserName().toStringUtf8() : null;
    String namespace =
      request.hasNamespaceName() ? request.getNamespaceName().toStringUtf8() : null;
    TableName table =
      request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;
    byte[] cf = request.hasColumnFamily() ? request.getColumnFamily().toByteArray() : null;
    byte[] cq = request.hasColumnQualifier() ? request.getColumnQualifier().toByteArray() : null;
    Type permissionType = request.hasType() ? request.getType() : null;
    master.getMasterCoprocessorHost().preGetUserPermissions(userName, namespace, table, cf, cq);

    final boolean userGiven = userName != null;
    List<UserPermission> perms;
    if (permissionType == Type.Table) {
      boolean filter = cf != null || userGiven;
      perms = PermissionStorage.getUserTablePermissions(master.getConfiguration(), table, cf,
        cq, userName, filter);
    } else if (permissionType == Type.Namespace) {
      perms = PermissionStorage.getUserNamespacePermissions(master.getConfiguration(),
        namespace, userName, userGiven);
    } else {
      perms = PermissionStorage.getUserPermissions(master.getConfiguration(), null, null, null,
        userName, userGiven);
      // Skip super users when filter user is specified
      if (!userGiven) {
        // Superusers are added explicitly because PermissionStorage does not store them. They
        // are reported in the same shape as global-admin results, which helps avoid leaking
        // which users are superusers.
        for (String superUser : Superusers.getSuperUsers()) {
          perms.add(new UserPermission(superUser,
            Permission.newBuilder().withActions(Action.values()).build()));
        }
      }
    }

    master.getMasterCoprocessorHost().postGetUserPermissions(userName, namespace, table, cf,
      cq);
    return ShadedAccessControlUtil.buildGetUserPermissionsResponse(perms);
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
Example #29
Source File: TestAsyncAccessControlAdminApi.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Exercises grant, getUserPermissions and hasUserPermissions through the async admin.
 *
 * <p>user1 is granted READ on "test-table"; the test then checks what is listed for the table,
 * what is listed per user, and how permission checks behave when run as user2, who was granted
 * nothing in this test.
 */
@Test
public void test() throws Exception {
  TableName tableName = TableName.valueOf("test-table");
  String userName1 = "user1";
  String userName2 = "user2";
  User user2 = User.createUserForTesting(TEST_UTIL.getConfiguration(), userName2, new String[0]);
  Permission permission =
    Permission.newBuilder(tableName).withActions(Permission.Action.READ).build();
  UserPermission userPermission = new UserPermission(userName1, permission);
  // grant user1 table permission
  admin.grant(userPermission, false).get();
  // get table permissions
  List<UserPermission> userPermissions =
    admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()).get();
  assertEquals(1, userPermissions.size());
  assertEquals(userPermission, userPermissions.get(0));
  // get table permissions
  // Filtered by user1: the single granted entry is expected.
  userPermissions = admin
    .getUserPermissions(
      GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName1).build())
    .get();
  assertEquals(1, userPermissions.size());
  assertEquals(userPermission, userPermissions.get(0));
  // Filtered by user2: nothing was granted, so the list must be empty.
  userPermissions = admin
    .getUserPermissions(
      GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName2).build())
    .get();
  assertEquals(0, userPermissions.size());
  // has user permission
  List<Permission> permissions = Lists.newArrayList(permission);
  boolean hasPermission =
    admin.hasUserPermissions(userName1, permissions).get().get(0).booleanValue();
  assertTrue(hasPermission);
  hasPermission = admin.hasUserPermissions(userName2, permissions).get().get(0).booleanValue();
  assertFalse(hasPermission);
  // Asks, over a fresh connection, whether user1 holds the permission; run below as user2.
  AccessTestAction hasPermissionAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (AsyncConnection conn =
        ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
        return conn.getAdmin().hasUserPermissions(userName1, permissions).get().get(0);
      }
    }
  };
  // user2 querying another user's permissions is expected to throw, and the exception is only
  // logged. NOTE(review): assumes fail() raises an AssertionError, which catch (Exception)
  // does not swallow - confirm.
  try {
    user2.runAs(hasPermissionAction);
    fail("Should not come here");
  } catch (Exception e) {
    LOG.error("Call has permission error", e);
  }
  // check permission
  // NOTE(review): the value returned by this call is discarded and never inspected here.
  admin.hasUserPermissions(permissions);
  // Checks the permission for the calling user itself; run below as user2.
  AccessTestAction checkPermissionsAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (AsyncConnection conn =
        ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
        return conn.getAdmin().hasUserPermissions(permissions).get().get(0);
      }
    }
  };
  // user2 was granted nothing, so checking its own permissions must yield false.
  assertFalse((Boolean) user2.runAs(checkPermissionsAction));
}
Example #30
Source File: VerifyingRSGroupAdmin.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Forwards the grant request unchanged to the wrapped {@code admin}.
 *
 * @param userPermission user and permission to grant
 * @param mergeExistingPermissions forwarded unchanged to the wrapped call
 * @throws IOException if the wrapped call fails
 */
public void grant(UserPermission userPermission, boolean mergeExistingPermissions)
    throws IOException {
  // Pure pass-through: nothing is checked or recorded at this layer.
  admin.grant(userPermission, mergeExistingPermissions);
}