
Example 1 with BaseMasterAndRegionObserver

Use of org.apache.hadoop.hbase.coprocessor.BaseMasterAndRegionObserver in project phoenix by apache.

Class PhoenixAccessController, method preCreateTable.

@Override
public void preCreateTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName,
        PTableType tableType, Set<byte[]> familySet, Set<TableName> indexes) throws IOException {
    // Nothing to enforce when Phoenix access checks are switched off.
    if (!accessCheckEnabled) {
        return;
    }
    if (tableType != PTableType.VIEW) {
        // Tables and indexes get a physical HBase table: build a descriptor with the
        // requested column families and let HBase's own AccessController(s) run
        // their preCreateTable check (CREATE permission on namespace/table).
        final HTableDescriptor htd = new HTableDescriptor(physicalTableName);
        for (byte[] familyName : familySet) {
            htd.addFamily(new HColumnDescriptor(familyName));
        }
        for (BaseMasterAndRegionObserver observer : getAccessControllers()) {
            observer.preCreateTable(new ObserverContext<MasterCoprocessorEnvironment>(), htd, null);
        }
    }
    // Index and view require read access on parent physical table.
    Set<TableName> physicalTablesChecked = new HashSet<TableName>();
    if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
        physicalTablesChecked.add(parentPhysicalTableName);
        requireAccess("Create" + tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
    }
    if (tableType == PTableType.VIEW) {
        // A view also needs READ/EXEC on the physical table of every index it inherits;
        // work out which of those actions the active user is missing.
        Action[] requiredActions = { Action.READ, Action.EXEC };
        for (TableName index : indexes) {
            if (!physicalTablesChecked.add(index)) {
                // Skip a physical table already checked (several view indexes share one
                // physical view index table).
                continue;
            }
            User user = getActiveUser();
            List<UserPermission> permissionForUser = getPermissionForUser(getUserPermissions(index),
                    Bytes.toBytes(user.getShortName()));
            Set<Action> requireAccess = new HashSet<>(); // actions the user still lacks
            Set<Action> accessExists = new HashSet<>();  // actions the user already has
            if (permissionForUser != null) {
                for (UserPermission userPermission : permissionForUser) {
                    for (Action action : Arrays.asList(requiredActions)) {
                        if (!userPermission.implies(action)) {
                            requireAccess.add(action);
                        }
                    }
                }
                if (!requireAccess.isEmpty()) {
                    for (UserPermission userPermission : permissionForUser) {
                        accessExists.addAll(Arrays.asList(userPermission.getActions()));
                    }
                }
            } else {
                // No permissions at all on the index table: everything is missing.
                requireAccess.addAll(Arrays.asList(requiredActions));
            }
            if (!requireAccess.isEmpty()) {
                byte[] indexPhysicalTable = index.getName();
                handleRequireAccessOnDependentTable("Create" + tableType, user.getName(),
                        TableName.valueOf(indexPhysicalTable), tableName, requireAccess, accessExists);
            }
        }
    }
    if (tableType == PTableType.INDEX) {
        // skip check for local index (it lives in the data table) and for view indexes;
        // for a global index, users who can access the data table must be granted the
        // same access on the new index table, or the create is rejected.
        if (physicalTableName != null && !parentPhysicalTableName.equals(physicalTableName)
                && !MetaDataUtil.isViewIndex(physicalTableName.getNameAsString())) {
            authorizeOrGrantAccessToUsers("Create" + tableType, parentPhysicalTableName,
                    Arrays.asList(Action.READ, Action.WRITE, Action.CREATE, Action.EXEC, Action.ADMIN),
                    physicalTableName);
        }
    }
}
Also used:
java.security.PrivilegedExceptionAction
org.apache.hadoop.hbase.security.access.Permission.Action
org.apache.hadoop.hbase.security.User
org.apache.hadoop.hbase.HColumnDescriptor
org.apache.hadoop.hbase.coprocessor.BaseMasterAndRegionObserver
org.apache.hadoop.hbase.HTableDescriptor
org.apache.hadoop.hbase.TableName
org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment
java.util.HashSet
org.apache.hadoop.hbase.security.access.UserPermission

Example 2 with BaseMasterAndRegionObserver

Use of org.apache.hadoop.hbase.coprocessor.BaseMasterAndRegionObserver in project phoenix by apache.

Class PhoenixAccessController, method getAccessControllers.

private List<BaseMasterAndRegionObserver> getAccessControllers() throws IOException {
    // Lazy, double-checked initialization of the list of HBase access controllers
    // loaded on this region server (for this pattern to be safe the field must be
    // declared volatile).
    if (accessControllers == null) {
        synchronized (this) {
            if (accessControllers == null) {
                accessControllers = new ArrayList<BaseMasterAndRegionObserver>();
                RegionCoprocessorHost cpHost = this.env.getCoprocessorHost();
                List<BaseMasterAndRegionObserver> coprocessors =
                        cpHost.findCoprocessors(BaseMasterAndRegionObserver.class);
                for (BaseMasterAndRegionObserver cp : coprocessors) {
                    // Only coprocessors that implement the ACL service (e.g. HBase's
                    // AccessController) are delegated to.
                    if (cp instanceof AccessControlService.Interface) {
                        accessControllers.add(cp);
                    }
                }
            }
        }
    }
    return accessControllers;
}
Also used:
org.apache.hadoop.hbase.coprocessor.BaseMasterAndRegionObserver
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost
