
Example 1 with CoprocessorException

use of org.apache.hadoop.hbase.coprocessor.CoprocessorException in project hbase by apache.

the class AccessController method grant.

/* ---- Protobuf AccessControlService implementation ---- */
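/**
 * Handles the AccessControlService {@code grant} RPC: writes the requested user permission
 * to the ACL table once the caller has been shown to hold {@code Action.ADMIN} on the
 * affected scope.
 *
 * <p>The order of operations is security-relevant. The caller's authorization is checked
 * first; only afterwards is the ACL write executed through {@code User.runAsLoginUser},
 * i.e. outside the caller's own identity. A permission type with no matching case is
 * rejected, so the privileged write can never be reached without a check.
 *
 * @param controller receives any {@link IOException} raised while handling the request
 * @param request the permission to grant, plus the merge-existing-permissions flag
 * @param done callback invoked exactly once; receives {@code null} when the request failed
 */
@Override
public void grant(RpcController controller, AccessControlProtos.GrantRequest request, RpcCallback<AccessControlProtos.GrantResponse> done) {
    final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());
    AccessControlProtos.GrantResponse response = null;
    try {
        // This endpoint is only valid on the region that hosts the ACL table.
        if (aclRegion) {
            if (!initialized) {
                throw new CoprocessorException("AccessController not yet initialized");
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Received request to grant access permission " + perm.toString());
            }
            User caller = RpcServer.getRequestUser();
            switch(request.getUserPermission().getPermission().getType()) {
                case Global:
                case Table:
                    // Global and Table share one check; the scope comes from the fields of perm.
                    requirePermission(caller, "grant", perm.getTableName(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);
                    break;
                case Namespace:
                    requireNamespacePermission(caller, "grant", perm.getNamespace(), Action.ADMIN);
                    break;
                default:
                    // Fail closed: without this, a type that has no case above would fall out of
                    // the switch unchecked and continue to the privileged ACL write below.
                    throw new CoprocessorException(AccessController.class, "Unsupported permission type for grant: " + request.getUserPermission().getPermission().getType());
            }
            // The ACL table is written as the login user, not as the caller, which is why the
            // authorization check above must already have passed.
            User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm, regionEnv.getTable(AccessControlLists.ACL_TABLE_NAME), request.getMergeExistingPermissions());
                    return null;
                }
            });
            if (AUDITLOG.isTraceEnabled()) {
                // The audit log records permission changes in addition to auth results.
                // NOTE(review): this entry names the permission but not the caller who granted
                // it — confirm the requirePermission audit entry is enough to attribute it.
                AUDITLOG.trace("Granted permission " + perm.toString());
            }
        } else {
            throw new CoprocessorException(AccessController.class, "This method " + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
        }
        response = AccessControlProtos.GrantResponse.getDefaultInstance();
    } catch (IOException ioe) {
        // Report the failure through the controller; response stays null.
        CoprocessorRpcUtils.setControllerException(controller, ioe);
    }
    done.run(response);
}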
Also used : AccessControlProtos(org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos) User(org.apache.hadoop.hbase.security.User) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)

Example 2 with CoprocessorException

use of org.apache.hadoop.hbase.coprocessor.CoprocessorException in project hbase by apache.

the class AccessController method checkPermissions.

/**
 * Handles the AccessControlService {@code checkPermissions} RPC: verifies that the requesting
 * user holds every action of every permission listed in the request.
 *
 * <p>Table permissions are evaluated against the table of the region this coprocessor runs on;
 * a permission naming any other table is rejected with a {@code CoprocessorException}. All
 * other permissions are evaluated as global actions through {@code authManager}. Each decision
 * is passed to {@code logResult} before a denial is thrown.
 *
 * @param controller receives any {@link IOException} raised while handling the request
 * @param request the list of permissions to check
 * @param done callback invoked exactly once; receives {@code null} when a check failed
 */
@Override
public void checkPermissions(RpcController controller, AccessControlProtos.CheckPermissionsRequest request, RpcCallback<AccessControlProtos.CheckPermissionsResponse> done) {
    final int requested = request.getPermissionCount();
    Permission[] permissions = new Permission[requested];
    for (int idx = 0; idx < requested; idx++) {
        permissions[idx] = AccessControlUtil.toPermission(request.getPermission(idx));
    }
    AccessControlProtos.CheckPermissionsResponse response = null;
    try {
        User user = RpcServer.getRequestUser();
        TableName regionTable = regionEnv.getRegion().getTableDesc().getTableName();
        for (Permission permission : permissions) {
            if (!(permission instanceof TablePermission)) {
                // Anything that is not a table permission is checked as a global action.
                for (Action action : permission.getActions()) {
                    AuthResult outcome = authManager.authorize(user, action)
                        ? AuthResult.allow("checkPermissions", "Global action allowed", user, action, null, null)
                        : AuthResult.deny("checkPermissions", "Global action denied", user, action, null, null);
                    logResult(outcome);
                    if (!outcome.isAllowed()) {
                        // These are effective permissions, so a denial always aborts the request.
                        throw new AccessDeniedException("Insufficient permissions (action=" + action.toString() + ")");
                    }
                }
                continue;
            }
            TablePermission tablePerm = (TablePermission) permission;
            for (Action action : permission.getActions()) {
                // A region can only answer for its own table.
                if (!tablePerm.getTableName().equals(regionTable)) {
                    throw new CoprocessorException(AccessController.class, String.format("This method can only execute at the table specified in TablePermission. Table of the region:%s , requested table:%s", regionTable, tablePerm.getTableName()));
                }
                // family -> qualifiers; a null qualifier set means the whole family.
                Map<byte[], Set<byte[]>> families = new TreeMap<>(Bytes.BYTES_COMPARATOR);
                if (tablePerm.getFamily() != null) {
                    Set<byte[]> qualifierSet = null;
                    if (tablePerm.getQualifier() != null) {
                        qualifierSet = Sets.newTreeSet(Bytes.BYTES_COMPARATOR);
                        qualifierSet.add(tablePerm.getQualifier());
                    }
                    families.put(tablePerm.getFamily(), qualifierSet);
                }
                AuthResult outcome = permissionGranted("checkPermissions", user, action, regionEnv, families);
                logResult(outcome);
                if (!outcome.isAllowed()) {
                    // These are effective permissions, so a denial always aborts the request.
                    String familyPart = families.size() > 0 ? ", family: " + outcome.toFamilyString() : "";
                    throw new AccessDeniedException("Insufficient permissions (table=" + regionTable + familyPart + ", action=" + action.toString() + ")");
                }
            }
        }
        response = AccessControlProtos.CheckPermissionsResponse.getDefaultInstance();
    } catch (IOException e) {
        // Report the failure through the controller; response stays null.
        CoprocessorRpcUtils.setControllerException(controller, e);
    }
    done.run(response);
}
Also used : PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) Action(org.apache.hadoop.hbase.security.access.Permission.Action) AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) User(org.apache.hadoop.hbase.security.User) Set(java.util.Set) TreeSet(java.util.TreeSet) ImmutableSet(com.google.common.collect.ImmutableSet) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) TreeMap(java.util.TreeMap) ReplicationEndpoint(org.apache.hadoop.hbase.replication.ReplicationEndpoint) AccessControlProtos(org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos) TableName(org.apache.hadoop.hbase.TableName) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)

Example 3 with CoprocessorException

use of org.apache.hadoop.hbase.coprocessor.CoprocessorException in project hbase by apache.

the class AccessController method getUserPermissions.

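/**
 * Handles the AccessControlService {@code getUserPermissions} RPC: returns the stored user
 * permissions for a table, a namespace, or globally, depending on the request type.
 *
 * <p>In every branch the caller must hold {@code Action.ADMIN} on the requested scope before
 * the ACL data is read. The read itself runs through {@code User.runAsLoginUser}, outside the
 * caller's identity, so the preceding check is the only gate on what is disclosed.
 *
 * @param controller receives any {@link IOException} raised while handling the request
 * @param request the scope (type plus optional table or namespace name) to list
 * @param done callback invoked exactly once; receives {@code null} when the request failed
 */
@Override
public void getUserPermissions(RpcController controller, AccessControlProtos.GetUserPermissionsRequest request, RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
    AccessControlProtos.GetUserPermissionsResponse response = null;
    try {
        // This endpoint is only valid on the region that hosts the ACL table.
        if (aclRegion) {
            if (!initialized) {
                throw new CoprocessorException("AccessController not yet initialized");
            }
            User caller = RpcServer.getRequestUser();
            List<UserPermission> perms = null;
            if (request.getType() == AccessControlProtos.Permission.Type.Table) {
                // NOTE(review): table is null when the request carries no table name; the check
                // below then runs with a null table — confirm how requirePermission treats that.
                final TableName table = request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;
                requirePermission(caller, "userPermissions", table, null, null, Action.ADMIN);
                perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {

                    @Override
                    public List<UserPermission> run() throws Exception {
                        return AccessControlLists.getUserTablePermissions(regionEnv.getConfiguration(), table);
                    }
                });
            } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
                final String namespace = request.getNamespaceName().toStringUtf8();
                requireNamespacePermission(caller, "userPermissions", namespace, Action.ADMIN);
                perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {

                    @Override
                    public List<UserPermission> run() throws Exception {
                        return AccessControlLists.getUserNamespacePermissions(regionEnv.getConfiguration(), namespace);
                    }
                });
            } else {
                requirePermission(caller, "userPermissions", Action.ADMIN);
                perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {

                    @Override
                    public List<UserPermission> run() throws Exception {
                        return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null);
                    }
                });
                // Superusers are appended explicitly, each as an entry holding every action on
                // the ACL table name (presumably because they are not stored in the ACL table —
                // confirm). The original comment says this helps avoid leaking information
                // about who is a superuser.
                for (String user : Superusers.getSuperUsers()) {
                    // Encode the user name with an explicit charset: the no-argument getBytes()
                    // depends on the JVM's platform default, so the same name could yield
                    // different bytes on differently configured servers.
                    perms.add(new UserPermission(user.getBytes(java.nio.charset.StandardCharsets.UTF_8), AccessControlLists.ACL_TABLE_NAME, null, Action.values()));
                }
            }
            response = AccessControlUtil.buildGetUserPermissionsResponse(perms);
        } else {
            throw new CoprocessorException(AccessController.class, "This method " + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
        }
    } catch (IOException ioe) {
        // Report the failure through the controller; response stays null.
        CoprocessorRpcUtils.setControllerException(controller, ioe);
    }
    done.run(response);
}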
Also used : User(org.apache.hadoop.hbase.security.User) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) AccessControlProtos(org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos) TableName(org.apache.hadoop.hbase.TableName) FilterList(org.apache.hadoop.hbase.filter.FilterList) ArrayList(java.util.ArrayList) List(java.util.List) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)

Example 4 with CoprocessorException

use of org.apache.hadoop.hbase.coprocessor.CoprocessorException in project hbase by apache.

the class VisibilityController method clearAuths.

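/**
 * Handles the visibility-labels {@code clearAuths} RPC: removes the listed label
 * authorizations from the user named in the request.
 *
 * <p>The response carries one result per requested label: an empty result on success, or the
 * failure wrapped as an exception. Authorization failures and I/O errors are reported for
 * every requested label via {@code setExceptionResults}.
 *
 * <p>The requested labels are decoded before the authorization checks so that the denial
 * entry passed to {@code logResult} carries them; decoding them afterwards left that list
 * empty whenever the caller was refused.
 *
 * @param controller not used by this method
 * @param request the target user and the label authorizations to remove
 * @param done callback invoked exactly once with the built response
 */
@Override
public synchronized void clearAuths(RpcController controller, SetAuthsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
    VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();
    List<ByteString> auths = request.getAuthList();
    if (!initialized) {
        setExceptionResults(auths.size(), new CoprocessorException("VisibilityController not yet initialized"), response);
    } else {
        byte[] requestUser = request.getUser().toByteArray();
        List<byte[]> labelAuths = new ArrayList<>(auths.size());
        // Decode up front: both the success and the denial log calls below receive this list.
        for (ByteString authBS : auths) {
            labelAuths.add(authBS.toByteArray());
        }
        try {
            // When AC is ON, do AC based user auth check
            if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {
                User user = VisibilityUtils.getActiveUser();
                // NOTE(review): the opening quote before the user name is never closed.
                throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : "null") + " is not authorized to perform this action.");
            }
            if (authorizationEnabled) {
                // When AC is not in place the calling user should have
                // SYSTEM_LABEL auth to do this action.
                checkCallingUserAuth();
            }
            OperationStatus[] opStatus = this.visibilityLabelService.clearAuths(requestUser, labelAuths);
            // Logged as allowed once the authorization checks passed; per-label outcomes are
            // reported to the client below.
            logResult(true, "clearAuths", "Removing authorization for labels allowed", requestUser, labelAuths, null);
            RegionActionResult successResult = RegionActionResult.newBuilder().build();
            for (OperationStatus status : opStatus) {
                if (status.getOperationStatusCode() == SUCCESS) {
                    response.addResult(successResult);
                } else {
                    RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();
                    failureResultBuilder.setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));
                    response.addResult(failureResultBuilder.build());
                }
            }
        } catch (AccessDeniedException e) {
            logResult(false, "clearAuths", e.getMessage(), requestUser, labelAuths, null);
            LOG.error("User is not having required permissions to clear authorization", e);
            setExceptionResults(auths.size(), e, response);
        } catch (IOException e) {
            LOG.error(e);
            setExceptionResults(auths.size(), e, response);
        }
    }
    done.run(response.build());
}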
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) User(org.apache.hadoop.hbase.security.User) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) ByteString(com.google.protobuf.ByteString) ArrayList(java.util.ArrayList) RegionActionResult(org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) IOException(java.io.IOException) OperationStatus(org.apache.hadoop.hbase.regionserver.OperationStatus) VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)

Example 5 with CoprocessorException

use of org.apache.hadoop.hbase.coprocessor.CoprocessorException in project hbase by apache.

the class AccessController method revoke.

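/**
 * Handles the AccessControlService {@code revoke} RPC: removes the requested user permission
 * from the ACL table once the caller has been shown to hold {@code Action.ADMIN} on the
 * affected scope.
 *
 * <p>The order of operations is security-relevant. The caller's authorization is checked
 * first; only afterwards is the ACL write executed through {@code User.runAsLoginUser},
 * i.e. outside the caller's own identity. A permission type with no matching case is
 * rejected, so the privileged write can never be reached without a check.
 *
 * @param controller receives any {@link IOException} raised while handling the request
 * @param request the permission to revoke
 * @param done callback invoked exactly once; receives {@code null} when the request failed
 */
@Override
public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request, RpcCallback<AccessControlProtos.RevokeResponse> done) {
    final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());
    AccessControlProtos.RevokeResponse response = null;
    try {
        // This endpoint is only valid on the region that hosts the ACL table.
        if (aclRegion) {
            if (!initialized) {
                throw new CoprocessorException("AccessController not yet initialized");
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Received request to revoke access permission " + perm.toString());
            }
            User caller = RpcServer.getRequestUser();
            switch(request.getUserPermission().getPermission().getType()) {
                case Global:
                case Table:
                    // Global and Table share one check; the scope comes from the fields of perm.
                    requirePermission(caller, "revoke", perm.getTableName(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);
                    break;
                case Namespace:
                    requireNamespacePermission(caller, "revoke", perm.getNamespace(), Action.ADMIN);
                    break;
                default:
                    // Fail closed: without this, a type that has no case above would fall out of
                    // the switch unchecked and continue to the privileged ACL write below.
                    throw new CoprocessorException(AccessController.class, "Unsupported permission type for revoke: " + request.getUserPermission().getPermission().getType());
            }
            // The ACL table is written as the login user, not as the caller, which is why the
            // authorization check above must already have passed.
            User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm, regionEnv.getTable(AccessControlLists.ACL_TABLE_NAME));
                    return null;
                }
            });
            if (AUDITLOG.isTraceEnabled()) {
                // The audit log should record all permission changes.
                // NOTE(review): this entry names the permission but not the caller who revoked
                // it — confirm the requirePermission audit entry is enough to attribute it.
                AUDITLOG.trace("Revoked permission " + perm.toString());
            }
        } else {
            throw new CoprocessorException(AccessController.class, "This method " + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
        }
        response = AccessControlProtos.RevokeResponse.getDefaultInstance();
    } catch (IOException ioe) {
        // Report the failure through the controller; response stays null.
        CoprocessorRpcUtils.setControllerException(controller, ioe);
    }
    done.run(response);
}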
Also used : AccessControlProtos(org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos) User(org.apache.hadoop.hbase.security.User) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)

Aggregations

IOException (java.io.IOException)5 DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException)5 CoprocessorException (org.apache.hadoop.hbase.coprocessor.CoprocessorException)5 AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException)5 User (org.apache.hadoop.hbase.security.User)5 AccessControlProtos (org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos)4 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)2 ArrayList (java.util.ArrayList)2 TableName (org.apache.hadoop.hbase.TableName)2 ImmutableSet (com.google.common.collect.ImmutableSet)1 ByteString (com.google.protobuf.ByteString)1 List (java.util.List)1 Set (java.util.Set)1 TreeMap (java.util.TreeMap)1 TreeSet (java.util.TreeSet)1 FilterList (org.apache.hadoop.hbase.filter.FilterList)1 RegionActionResult (org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)1 VisibilityLabelsResponse (org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)1 OperationStatus (org.apache.hadoop.hbase.regionserver.OperationStatus)1 ReplicationEndpoint (org.apache.hadoop.hbase.replication.ReplicationEndpoint)1