use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method preDelete.
/**
 * Authorization hook invoked before a {@link Delete} is applied.
 *
 * <p>The caller needs WRITE on everything the delete covers. Unlike a Put, a delete has to be
 * checked against all visible prior versions (those not already covered by a tombstone), because
 * a major compaction could remove them.
 *
 * @param c observer context; supplies the region environment and the active user
 * @param delete the delete being authorized; may be tagged with {@code CHECK_COVERING_PERM}
 * @param edit not read by this method
 * @param durability not read by this method
 * @throws DoNotRetryIOException if the delete carries an ACL attribute
 * @throws AccessDeniedException if the coarse check fails, no cell-level follow-up applies and
 *     authorization is enabled
 */
@Override
public void preDelete(final ObserverContext<RegionCoprocessorEnvironment> c, final Delete delete, final WALEdit edit, final Durability durability) throws IOException {
  // Attaching an ACL to a delete has no effect, so reject it outright rather than ignore it.
  if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {
    throw new DoNotRetryIOException("ACL on delete has no effect: " + delete);
  }

  final RegionCoprocessorEnvironment regionEnv = c.getEnvironment();
  final Map<byte[], ? extends Collection<Cell>> cellsByFamily = delete.getFamilyCellMap();
  final User caller = getActiveUser(c);
  final AuthResult decision = permissionGranted(OpType.DELETE, caller, regionEnv, cellsByFamily, Action.WRITE);

  // The coarse decision is always logged, whether or not it ends up being enforced.
  logResult(decision);
  if (decision.isAllowed()) {
    return;
  }

  // A failed coarse check is not final when cell-level features are on: the delete is only
  // tagged here. NOTE(review): the code that honours CHECK_COVERING_PERM is not visible in this
  // method -- confirm that every path applying a tagged delete performs the covering check.
  final boolean deferToCellLevelCheck = cellFeaturesEnabled && !compatibleEarlyTermination;
  if (deferToCellLevelCheck) {
    delete.setAttribute(CHECK_COVERING_PERM, TRUE);
    return;
  }

  // With authorizationEnabled false the denial above is logged but not enforced.
  if (authorizationEnabled) {
    throw new AccessDeniedException("Insufficient permissions " + decision.toContextString());
  }
}
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method preIncrementColumnValue.
/**
 * Authorization hook invoked before a single column value is incremented.
 *
 * <p>Requires WRITE on the table, the column family and the cell that the incremented value will
 * replace.
 *
 * @param c observer context; supplies the region environment and the active user
 * @param row row of the cell being incremented
 * @param family column family of the cell
 * @param qualifier column qualifier of the cell
 * @param amount not read by this method
 * @param writeToWAL not read by this method
 * @return always {@code -1}
 * @throws AccessDeniedException if the final decision is a denial and authorization is enabled
 */
@Override
public long preIncrementColumnValue(final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family, final byte[] qualifier, final long amount, final boolean writeToWAL) throws IOException {
  final RegionCoprocessorEnvironment regionEnv = c.getEnvironment();
  final Map<byte[], ? extends Collection<byte[]>> targetColumns = makeFamilyMap(family, qualifier);
  final User caller = getActiveUser(c);
  final AuthResult decision = permissionGranted(OpType.INCREMENT_COLUMN_VALUE, caller, regionEnv, targetColumns, Action.WRITE);

  if (!decision.isAllowed()) {
    if (cellFeaturesEnabled && !compatibleEarlyTermination) {
      // Second chance: the coarse denial is replaced by the outcome of the covering-cell check.
      final boolean coveredByCellPermissions = checkCoveringPermission(caller, OpType.INCREMENT_COLUMN_VALUE, regionEnv, row, targetColumns, HConstants.LATEST_TIMESTAMP, Action.WRITE);
      decision.setAllowed(coveredByCellPermissions);
      // The reason is overwritten whether the covering check passed or failed, so a logged
      // denial from this branch also reads "Covering cell set".
      decision.setReason("Covering cell set");
    }
  }

  // Logged after the optional cell-level check, so the audit entry reflects the final decision.
  logResult(decision);

  // With authorizationEnabled false a denial is logged but not enforced.
  if (authorizationEnabled && !decision.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + decision.toContextString());
  }
  return -1;
}
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method requireNamespacePermission.
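/**
 * Checks that the user has at least one of the given global or namespace permissions.
 *
 * <p>The actions are tried in the order given and the first one that {@code authManager}
 * authorizes wins. If none is authorized, the decision that gets logged is the denial for the
 * last action tried.
 *
 * <p>An empty or {@code null} {@code permissions} array can never be granted. It is rejected up
 * front instead of leaving the decision {@code null}, which previously ended in a
 * {@link NullPointerException} inside an authorization path.
 *
 * @param user user the check is performed for
 * @param request label of the operation, passed through to the {@link AuthResult}
 * @param namespace namespace the permission is required on
 * @param permissions actions being requested; any one of them is sufficient
 * @throws AccessDeniedException if no requested action is authorized (or none was requested) and
 *     authorization is enabled
 * @throws IOException declared for callers; not thrown directly by the visible code
 */
public void requireNamespacePermission(User user, String request, String namespace, Action... permissions) throws IOException {
  if (permissions == null || permissions.length == 0) {
    // Fail closed when enforcement is on; when it is off this method never enforces anything,
    // so it simply returns. No AuthResult is built because AuthResult needs an Action.
    if (authorizationEnabled) {
      throw new AccessDeniedException("Insufficient permissions (no action requested for " + request + " on namespace " + namespace + ")");
    }
    return;
  }

  AuthResult result = null;
  for (Action permission : permissions) {
    if (authManager.authorize(user, namespace, permission)) {
      result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
      break;
    }
    // Not granted for this action: keep a denial and try the next one.
    result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
  }

  // result is non-null here because the loop ran at least once.
  logResult(result);

  // With authorizationEnabled false a denial is logged but not enforced.
  if (authorizationEnabled && !result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}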
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class VisibilityController method setAuths.
/**
 * RPC endpoint that sets label authorizations for the user named in the request.
 *
 * <p>Failures are never thrown to the caller: they are written into the response, one result
 * per requested auth, and the callback is always completed with that response.
 *
 * @param controller RPC controller; not read by this method
 * @param request carries the target user and the list of label auths to set
 * @param done callback that receives the built response
 */
@Override
public synchronized void setAuths(RpcController controller, SetAuthsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
  VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();
  List<ByteString> auths = request.getAuthList();
  if (!initialized) {
    // Not ready yet: report the same not-ready exception for every requested auth.
    setExceptionResults(auths.size(), new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"), response);
  } else {
    // This is the user taken from the request (the target of the change), not the caller.
    byte[] user = request.getUser().toByteArray();
    List<byte[]> labelAuths = new ArrayList<>(auths.size());
    try {
      // The caller is only checked when authorization is enabled; what the check requires is
      // decided inside checkCallingUserAuth(), which is not visible here.
      if (authorizationEnabled) {
        checkCallingUserAuth();
      }
      // NOTE(review): labelAuths is filled only after the caller check. When that check throws,
      // the denial logged in the AccessDeniedException handler below carries an empty list, so
      // the audit entry does not show which labels were requested. Confirm this is intended.
      for (ByteString authBS : auths) {
        labelAuths.add(authBS.toByteArray());
      }
      OperationStatus[] opStatus = this.visibilityLabelService.setAuths(user, labelAuths);
      // Logged before the per-label statuses are inspected: "allowed" here means the request
      // was authorized, not that every label was set successfully.
      logResult(true, "setAuths", "Setting authorization for labels allowed", user, labelAuths, null);
      RegionActionResult successResult = RegionActionResult.newBuilder().build();
      for (OperationStatus status : opStatus) {
        if (status.getOperationStatusCode() == SUCCESS) {
          response.addResult(successResult);
        } else {
          // A per-label failure is returned to the client as a DoNotRetryIOException result.
          RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();
          failureResultBuilder.setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));
          response.addResult(failureResultBuilder.build());
        }
      }
    } catch (AccessDeniedException e) {
      // Denial: audit it, then report the same exception for every requested auth.
      logResult(false, "setAuths", e.getMessage(), user, labelAuths, null);
      LOG.error("User is not having required permissions to set authorization", e);
      setExceptionResults(auths.size(), e, response);
    } catch (IOException e) {
      // Other I/O failures reach the error log and the response, but not logResult.
      LOG.error(e);
      setExceptionResults(auths.size(), e, response);
    }
  }
  done.run(response.build());
}
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class VisibilityController method listLabels.
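/**
 * RPC endpoint that lists visibility labels, optionally filtered by a regular expression.
 *
 * <p>Failures are reported through {@code controller}; the callback is always completed, with
 * an empty response when nothing could be listed.
 *
 * @param controller RPC controller that receives failure details
 * @param request may carry a regex; when absent, {@code null} is passed to the label service
 * @param done callback that receives the built response
 */
@Override
public synchronized void listLabels(RpcController controller, ListLabelsRequest request, RpcCallback<ListLabelsResponse> done) {
  ListLabelsResponse.Builder response = ListLabelsResponse.newBuilder();
  if (!initialized) {
    controller.setFailed("VisibilityController not yet initialized");
  } else {
    List<String> labels = null;
    String regex = request.hasRegex() ? request.getRegex() : null;
    try {
      // The check is enforced here, and only when all three conditions hold. If authorization
      // is disabled or accessControllerAvailable is false, any caller reaches the label service.
      if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {
        User requestingUser = VisibilityUtils.getActiveUser();
        throw new AccessDeniedException("User '" + (requestingUser != null ? requestingUser.getShortName() : "null") + "' is not authorized to perform this action.");
      }
      labels = this.visibilityLabelService.listLabels(regex);
      // Fix: the success path used to pass false here, the same value as the denial path
      // below, so a granted listing was recorded as a denial. setAuths in this class passes
      // true on its success path and false on denial, which is the convention followed here.
      logResult(true, "listLabels", "Listing labels allowed", null, null, regex);
    } catch (AccessDeniedException e) {
      logResult(false, "listLabels", e.getMessage(), null, null, regex);
      CoprocessorRpcUtils.setControllerException(controller, e);
    } catch (IOException e) {
      // Other I/O failures are returned to the client but are not passed to logResult.
      CoprocessorRpcUtils.setControllerException(controller, e);
    }
    // labels stays null when the lookup was denied or failed; the response is then empty.
    if (labels != null) {
      for (String label : labels) {
        response.addLabel(ByteStringer.wrap(Bytes.toBytes(label)));
      }
    }
  }
  done.run(response.build());
}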