org.apache.hadoop.hbase.security.access.Permission.Action Java Examples

/**
 * Authorizes that the current user has any of the given permissions for the
 * given table, column family and column qualifier.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param tableName Table requested
 * @param family    Column family requested
 * @param qualifier Column qualifier requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 * @throws IOException if obtaining the current user fails
 * @throws AccessDeniedException if user has no authorization
 */
public void requirePermission(User user, String request, TableName tableName, byte[] family,
    byte[] qualifier, String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {
      result = AuthResult.allow(request, "Table permission granted",
          user, permission, tableName, family, qualifier);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions",
        user, permission, tableName, family, qualifier);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
 

@Override
public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
    List<TableName> tableNamesList, List<TableDescriptor> descriptors,
    String regex) throws IOException {
  // Skipping as checks in this case are already done by preGetTableDescriptors.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    return;
  }

  // Retains only those which passes authorization checks, as the checks weren't done as part
  // of preGetTableDescriptors.
  Iterator<TableDescriptor> itr = descriptors.iterator();
  while (itr.hasNext()) {
    TableDescriptor htd = itr.next();
    try {
      requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null,
          Action.ADMIN, Action.CREATE);
    } catch (AccessDeniedException e) {
      itr.remove();
    }
  }
}
 

@Test
public void testGlobalPermissionList() throws Exception {
  List<UserPermission> perms = systemUserConnection.getAdmin()
      .getUserPermissions(GetUserPermissionsRequest.newBuilder().build());

  Collection<String> superUsers = Superusers.getSuperUsers();
  List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1);
  adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Permission.newBuilder()
      .withActions(Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE).build()));
  for (String user : superUsers) {
    // Global permission
    adminPerms.add(
      new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build()));
  }
  assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
      "per setup", perms.size() == 5 + superUsers.size() &&
      hasFoundUserPermission(adminPerms, perms));
}
 

boolean canSkipAccessCheck(User user, final String operation, String access, final RegionCoprocessorEnvironment regionServerEnv) throws AccessDeniedException {

		// read access to metadata tables is always allowed and isn't audited.
		if (isAccessForMetaTables(regionServerEnv) && _authUtils.isReadAccess(access)) {
			LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
			return true;
		}
		// if write access is desired to metatables then global create access is sufficient
		if (_authUtils.isWriteAccess(access) && isAccessForMetaTables(regionServerEnv)) {
			String createAccess = _authUtils.getAccess(Action.CREATE);
			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
				.operation(operation)
				.remoteAddress(getRemoteAddress())
				.user(user)
				.access(createAccess)
				.buildRequest()
				.authorize();
			if (session.isAuthorized()) {
				// NOTE: this access isn't logged
				LOG.debug("isKnownAccessPattern: exiting: User has global create access, allowed!");
				return true;
			}
		}
		return false;
	}
 

@Override
public void preAlterTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType) throws IOException {
    if (!accessCheckEnabled) { return; }
    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
        observer.preModifyTable(getMasterObsevrverContext(), physicalTableName,
                TableDescriptorBuilder.newBuilder(physicalTableName).build());
        }
    }
    if (tableType == PTableType.VIEW) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
 

@Override
public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Append append) throws IOException {
  if (append.getAttribute(CHECK_COVERING_PERM) != null) {
    // We had failure with table, cf and q perm checks and now giving a chance for cell
    // perm check
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    AuthResult authResult = null;
    User user = getActiveUser(c);
    if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),
        append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {
      authResult = AuthResult.allow(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    } else {
      authResult = AuthResult.deny(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    }
    AccessChecker.logResult(authResult);
    if (authorizationEnabled && !authResult.isAllowed()) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }
  return null;
}
 

/**
 * Checks that the user has the given global or namespace permission.
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param namespace Name space as requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 */
public void requireNamespacePermission(User user, String request, String namespace,
    String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserNamespace(user, namespace, permission)) {
      result =
          AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
 

/**
 * Convert a client user permission to a user permission shaded proto.
 */
public static AccessControlProtos.Permission.Action toPermissionAction(Permission.Action action) {
  switch (action) {
    case READ:
      return AccessControlProtos.Permission.Action.READ;
    case WRITE:
      return AccessControlProtos.Permission.Action.WRITE;
    case EXEC:
      return AccessControlProtos.Permission.Action.EXEC;
    case CREATE:
      return AccessControlProtos.Permission.Action.CREATE;
    case ADMIN:
      return AccessControlProtos.Permission.Action.ADMIN;
  }
  throw new IllegalArgumentException("Unknown action value " + action.name());
}
 

@Override
public void preDropTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType,
        List<PTable> indexes) throws IOException {
    if (!accessCheckEnabled) { return; }

    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
            observer.preDeleteTable(getMasterObsevrverContext(), physicalTableName);
        }
        if (indexes != null) {
            for (PTable index : indexes) {
                observer.preDeleteTable(getMasterObsevrverContext(),
                        TableName.valueOf(index.getPhysicalName().getBytes()));
            }
        }
    }
    //checking similar permission checked during the create of the view.
    if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
 

@Override
public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
     List<TableName> tableNamesList, List<TableDescriptor> descriptors,
     String regex) throws IOException {
  // We are delegating the authorization check to postGetTableDescriptors as we don't have
  // any concrete set of table names when a regex is present or the full list is requested.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the
    // request can be granted.
    try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
      for (TableName tableName : tableNamesList) {
        // Skip checks for a table that does not exist
        if (!admin.tableExists(tableName)) {
          continue;
        }
        requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN,
          Action.CREATE);
      }
    }
  }
}
 

@Override
public String getAccess(Action action) {
	switch(action) {
		case READ:
			return ACCESS_TYPE_READ;
		case WRITE:
			return ACCESS_TYPE_WRITE;
		case CREATE:
			return ACCESS_TYPE_CREATE;
		case ADMIN:
			return ACCESS_TYPE_ADMIN;
		case EXEC:
			return ACCESS_TYPE_EXECUTE;
		default:
			return action.name().toLowerCase();
	}
}
 

@Override
public void postGetProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
	/*if(!procInfoList.isEmpty()) {
		Iterator<Procedure<?>> itr = procInfoList.iterator();
		User user = this.getActiveUser();

		while(itr.hasNext()) {
			Procedure procInfo = itr.next();
			try {
				String owner = procInfo.getOwner();
				if (owner == null || !owner.equals(user.getShortName())) {
					requirePermission("getProcedures", Action.ADMIN);
				}
			} catch (AccessDeniedException var7) {
				itr.remove();
			}
		}

	}*/
	requirePermission(observerContext, "getProcedures", Action.ADMIN);
}
 

@Test
public void testNamespaceUserGrant() throws Exception {
  AccessTestAction getAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try(Connection conn = ConnectionFactory.createConnection(conf);
          Table t = conn.getTable(TEST_TABLE)) {
        return t.get(new Get(TEST_ROW));
      }
    }
  };

  String namespace = TEST_TABLE.getNamespaceAsString();

  // Grant namespace READ to USER_NONE, this should supersede any table permissions
  grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  // Now USER_NONE should be able to read
  verifyAllowed(getAction, USER_NONE);

  // Revoke namespace READ to USER_NONE
  revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  verifyDenied(getAction, USER_NONE);
}
 

@Test
public void testCreateTableWithGroupPermissions() throws Exception {
  grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  try {
    AccessTestAction createAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
          new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
        tableDescriptor.setColumnFamily(
          new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
        try (Connection connection =
            ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
          try (Admin admin = connection.getAdmin()) {
            admin.createTable(tableDescriptor);
          }
        }
        return null;
      }
    };
    verifyAllowed(createAction, TESTGROUP1_USER1);
    verifyDenied(createAction, TESTGROUP2_USER1);
  } finally {
    revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  }
}
 

@Test
public void testBuildTablePermission() {
  TableName tableName = TableName.valueOf("ns", "table");
  byte[] family = Bytes.toBytes("f");
  byte[] qualifier = Bytes.toBytes("q");
  // check table permission without family or qualifier
  Permission permission =
      Permission.newBuilder(tableName).withActions(Action.WRITE, Action.READ).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(2, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.WRITE, permission.getActions()[1]);
  TablePermission tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertEquals(null, tPerm.getFamily());
  assertEquals(null, tPerm.getQualifier());

  // check table permission with family
  permission =
      Permission.newBuilder(tableName).withFamily(family).withActions(Action.EXEC).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(1, permission.getActions().length);
  assertEquals(Action.EXEC, permission.getActions()[0]);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(null, tPerm.getQualifier()));

  // check table permission with family and qualifier
  permission =
      Permission.newBuilder(tableName).withFamily(family).withQualifier(qualifier).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(0, permission.getActions().length);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(qualifier, tPerm.getQualifier()));
}
 

public void checkLockPermissions(User user, String namespace,
    TableName tableName, RegionInfo[] regionInfos, String reason)
    throws IOException {
  if (namespace != null && !namespace.isEmpty()) {
    requireNamespacePermission(user, reason, namespace, null, Action.ADMIN, Action.CREATE);
  } else if (tableName != null || (regionInfos != null && regionInfos.length > 0)) {
    // So, either a table or regions op. If latter, check perms ons table.
    TableName tn = tableName != null? tableName: regionInfos[0].getTable();
    requireTablePermission(user, reason, tn, null, null,
        Action.ADMIN, Action.CREATE);
  } else {
    throw new DoNotRetryIOException("Invalid lock level when requesting permissions.");
  }
}
 

@Test
public void testBuildGlobalPermission() {
  // check global permission with empty action
  Permission permission = Permission.newBuilder().build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(0, permission.getActions().length);

  // check global permission with ADMIN action
  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("A")).build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(1, permission.getActions().length);
  assertTrue(permission.getActions()[0] == Action.ADMIN);

  byte[] qualifier = Bytes.toBytes("q");
  try {
    permission = Permission.newBuilder().withQualifier(qualifier)
        .withActions(Action.CREATE, Action.READ).build();
    fail("Should throw NPE");
  } catch (NullPointerException e) {
    // catch NPE because set qualifier but table name is null
  }

  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("ACP"))
      .withActions(Action.READ, Action.ADMIN).build();
  assertEquals(3, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.CREATE, permission.getActions()[1]);
  assertEquals(Action.ADMIN, permission.getActions()[2]);
}
 

@Test
public void testAclTableEntries() throws Exception {
  String userTestNamespace = "userTestNsp";
  Table acl = UTIL.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
  try {
    ListMultimap<String, UserPermission> perms =
        PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    for (Map.Entry<String, UserPermission> entry : perms.entries()) {
      LOG.debug(Objects.toString(entry));
    }
    assertEquals(6, perms.size());

    // Grant and check state in ACL table
    grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
    assertTrue(result != null);
    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(7, perms.size());
    List<UserPermission> namespacePerms = perms.get(userTestNamespace);
    assertTrue(perms.containsKey(userTestNamespace));
    assertEquals(1, namespacePerms.size());
    assertEquals(TEST_NAMESPACE,
      ((NamespacePermission) namespacePerms.get(0).getPermission()).getNamespace());
    assertEquals(1, namespacePerms.get(0).getPermission().getActions().length);
    assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getPermission().getActions()[0]);

    // Revoke and check state in ACL table
    revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(6, perms.size());
  } finally {
    acl.close();
  }
}
 

/**
 * Returns <code>true</code> if the current user is allowed the given action
 * over at least one of the column qualifiers in the given column families.
 */
private boolean hasFamilyQualifierPermission(User user,
    Action perm,
    RegionCoprocessorEnvironment env,
    Map<byte[], ? extends Collection<byte[]>> familyMap)
  throws IOException {
  RegionInfo hri = env.getRegion().getRegionInfo();
  TableName tableName = hri.getTable();

  if (user == null) {
    return false;
  }

  if (familyMap != null && familyMap.size() > 0) {
    // at least one family must be allowed
    for (Map.Entry<byte[], ? extends Collection<byte[]>> family :
        familyMap.entrySet()) {
      if (family.getValue() != null && !family.getValue().isEmpty()) {
        for (byte[] qualifier : family.getValue()) {
          if (getAuthManager().authorizeUserTable(user, tableName,
                family.getKey(), qualifier, perm)) {
            return true;
          }
        }
      } else {
        if (getAuthManager().authorizeUserFamily(user, tableName, family.getKey(), perm)) {
          return true;
        }
      }
    }
  } else if (LOG.isDebugEnabled()) {
    LOG.debug("Empty family map passed for permission check");
  }

  return false;
}
 

@Test
public void testTableDeletion() throws Exception {
  User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
  final TableName tableName = TableName.valueOf(name.getMethodName());
  createTestTable(tableName);

  // Grant TABLE ADMIN privs
  grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tableName, null, null, Permission.Action.ADMIN);

  AccessTestAction deleteTableAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Connection unmanagedConnection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
      Admin admin = unmanagedConnection.getAdmin();
      try {
        deleteTable(TEST_UTIL, admin, tableName);
      } finally {
        admin.close();
        unmanagedConnection.close();
      }
      return null;
    }
  };

  verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
    USER_GROUP_WRITE);
  verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
 

/**
 * Authorization check for
 * SecureBulkLoadProtocol.prepareBulkLoad()
 * @param ctx the context
 * @throws IOException
 */
@Override
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
  requireAccess(ctx, "prePrepareBulkLoad",
      ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
      Action.CREATE);
}
 

@Override
public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
	RegionCoprocessorEnvironment env = e.getEnvironment();
	final Region region = env.getRegion();
	if (region == null) {
		LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
	} else {
		RegionInfo regionInfo = region.getRegionInfo();
		if (isSpecialTable(regionInfo)) {
			requireSystemOrSuperUser(regionEnv.getConfiguration(),e);
		} else {
			requirePermission(e, "open", getTableName(e.getEnvironment()), Action.ADMIN);
		}
	}
}
 

@Override
public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
    TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc)
    throws IOException {
  // TODO: potentially check if this is a add/modify/delete column operation
  requirePermission(c, "modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
  return newDesc;
}
 

@Override
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
    throws IOException {
  // Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.
  requirePermission(ctx, "snapshot " + snapshot.getName(),
      hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
}
 

@Override
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Increment increment)
    throws IOException {
  User user = getActiveUser(c);
  checkForReservedTagPresence(user, increment);

  // Require WRITE permission to the table, CF, and the KV to be replaced by
  // the incremented value
  RegionCoprocessorEnvironment env = c.getEnvironment();
  Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();
  AuthResult authResult = permissionGranted(OpType.INCREMENT,
      user, env, families, Action.WRITE);
  AccessChecker.logResult(authResult);
  if (!authResult.isAllowed()) {
    if (cellFeaturesEnabled && !compatibleEarlyTermination) {
      increment.setAttribute(CHECK_COVERING_PERM, TRUE);
    } else if (authorizationEnabled) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }

  byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
  if (bytes != null) {
    if (cellFeaturesEnabled) {
      addCellPermissions(bytes, increment.getFamilyCellMap());
    } else {
      throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
    }
  }

  return null;
}
 

/**
 * Converts a list of Permission.Action shaded proto to an array of client Permission.Action
 * objects.
 * @param protoActions the list of shaded protobuf Actions
 * @return the converted array of Actions
 */
public static Permission.Action[]
    toPermissionActions(List<AccessControlProtos.Permission.Action> protoActions) {
  Permission.Action[] actions = new Permission.Action[protoActions.size()];
  for (int i = 0; i < protoActions.size(); i++) {
    actions[i] = toPermissionAction(protoActions.get(i));
  }
  return actions;
}
 

public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
    TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
    Action... permissions) throws IOException {
  accessChecker.requireNamespacePermission(getActiveUser(ctx),
      request, namespace, tableName, familyMap,
      permissions);
}
 

private void preGetUserPermissions(User caller, String userName, String namespace,
    TableName tableName, byte[] family, byte[] qualifier) throws IOException {
  if (tableName != null) {
    accessChecker.requirePermission(caller, "getUserPermissions", tableName, family, qualifier,
      userName, Action.ADMIN);
  } else if (namespace != null) {
    accessChecker.requireNamespacePermission(caller, "getUserPermissions", namespace, userName,
      Action.ADMIN);
  } else {
    accessChecker.requirePermission(caller, "getUserPermissions", userName, Action.ADMIN);
  }
}
 

@Override
public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,
    MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {
  if (cellFeaturesEnabled && !compatibleEarlyTermination) {
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    User user = getActiveUser(c);
    for (int i = 0; i < miniBatchOp.size(); i++) {
      Mutation m = miniBatchOp.getOperation(i);
      if (m.getAttribute(CHECK_COVERING_PERM) != null) {
        // We have a failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        OpType opType;
        if (m instanceof Put) {
          checkForReservedTagPresence(user, m);
          opType = OpType.PUT;
        } else {
          opType = OpType.DELETE;
        }
        AuthResult authResult = null;
        if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),
          m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) {
          authResult = AuthResult.allow(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        } else {
          authResult = AuthResult.deny(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        }
        AccessChecker.logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
          throw new AccessDeniedException("Insufficient permissions "
            + authResult.toContextString());
        }
      }
    }
  }
}
 

/**
 * Check the current user for authorization to perform a specific action
 * against the given set of row data.
 * @param opType the operation type
 * @param user the user
 * @param e the coprocessor environment
 * @param families the map of column families to qualifiers present in
 * the request
 * @param actions the desired actions
 * @return an authorization result
 */
private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
    Map<byte [], ? extends Collection<?>> families, Action... actions) {
  AuthResult result = null;
  for (Action action: actions) {
    result = accessChecker.permissionGranted(opType.toString(), user, action,
      e.getRegion().getRegionInfo().getTable(), families);
    if (!result.isAllowed()) {
      return result;
    }
  }
  return result;
}