use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method checkPermissions.
@Override
public void checkPermissions(RpcController controller,
    AccessControlProtos.CheckPermissionsRequest request,
    RpcCallback<AccessControlProtos.CheckPermissionsResponse> done) {
  // Decode every requested permission first; each is then checked in turn and
  // the first denial (or table mismatch) ends the whole request.
  final int count = request.getPermissionCount();
  final Permission[] requested = new Permission[count];
  for (int idx = 0; idx < count; idx++) {
    requested[idx] = AccessControlUtil.toPermission(request.getPermission(idx));
  }

  AccessControlProtos.CheckPermissionsResponse reply = null;
  try {
    final User caller = RpcServer.getRequestUser();
    final TableName hostingTable = regionEnv.getRegion().getTableDesc().getTableName();
    for (Permission perm : requested) {
      if (!(perm instanceof TablePermission)) {
        // Global permission: every action is checked against the global ACL.
        for (Action action : perm.getActions()) {
          final boolean granted = authManager.authorize(caller, action);
          final AuthResult verdict = granted
              ? AuthResult.allow("checkPermissions", "Global action allowed", caller, action, null, null)
              : AuthResult.deny("checkPermissions", "Global action denied", caller, action, null, null);
          logResult(verdict);
          if (!verdict.isAllowed()) {
            // This reports effective permissions: unlike the pre-hooks there is
            // no deferral to a later cell-level check, so deny immediately.
            throw new AccessDeniedException("Insufficient permissions (action=" + action.toString() + ")");
          }
        }
        continue;
      }

      final TablePermission tablePerm = (TablePermission) perm;
      for (Action action : perm.getActions()) {
        // This endpoint runs inside a region, so it can only answer for the
        // table that region belongs to.
        if (!tablePerm.getTableName().equals(hostingTable)) {
          throw new CoprocessorException(AccessController.class, String.format(
              "This method can only execute at the table specified in TablePermission. "
                  + "Table of the region:%s , requested table:%s",
              hostingTable, tablePerm.getTableName()));
        }
        // Scope of the check: empty map = whole table, family -> null = whole
        // family, family -> {qualifier} = a single column.
        final Map<byte[], Set<byte[]>> scope = new TreeMap<>(Bytes.BYTES_COMPARATOR);
        final byte[] fam = tablePerm.getFamily();
        if (fam != null) {
          final byte[] qual = tablePerm.getQualifier();
          Set<byte[]> quals = null;
          if (qual != null) {
            quals = Sets.newTreeSet(Bytes.BYTES_COMPARATOR);
            quals.add(qual);
          }
          scope.put(fam, quals);
        }
        final AuthResult verdict = permissionGranted("checkPermissions", caller, action, regionEnv, scope);
        logResult(verdict);
        if (!verdict.isAllowed()) {
          // Effective permissions again: no cell-level fallback, deny immediately.
          final String familyPart = scope.size() > 0 ? ", family: " + verdict.toFamilyString() : "";
          throw new AccessDeniedException("Insufficient permissions (table=" + hostingTable
              + familyPart + ", action=" + action.toString() + ")");
        }
      }
    }
    // Every requested permission was granted.
    reply = AccessControlProtos.CheckPermissionsResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // A denial or table mismatch is reported to the client through the
    // controller; the callback then receives a null response.
    CoprocessorRpcUtils.setControllerException(controller, ioe);
  }
  done.run(reply);
}
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method preCheckAndPut.
@Override
public boolean preCheckAndPut(final ObserverContext<RegionCoprocessorEnvironment> c,
    final byte[] row, final byte[] family, final byte[] qualifier,
    final CompareFilter.CompareOp compareOp, final ByteArrayComparable comparator,
    final Put put, final boolean result) throws IOException {
  final User user = getActiveUser(c);
  // The reserved-tag check on the incoming put runs before any permission decision.
  checkForReservedTagPresence(user, put);

  // A checkAndPut reads the compared cell and writes the new one, so the caller
  // needs both READ and WRITE on the table / CF / qualifier being touched.
  final RegionCoprocessorEnvironment env = c.getEnvironment();
  final Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
  final AuthResult verdict = permissionGranted(OpType.CHECK_AND_PUT, user, env, families,
      Action.READ, Action.WRITE);
  logResult(verdict);
  if (!verdict.isAllowed()) {
    final boolean deferToCellCheck = cellFeaturesEnabled && !compatibleEarlyTermination;
    if (deferToCellCheck) {
      // No table/CF grant: flag the mutation (presumably for a later
      // covering-cell permission check) instead of failing here.
      put.setAttribute(CHECK_COVERING_PERM, TRUE);
    } else if (authorizationEnabled) {
      throw new AccessDeniedException("Insufficient permissions " + verdict.toContextString());
    }
  }

  // Inline cell ACLs carried on the Put are only honoured when cell features are on.
  final byte[] aclBytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
  if (aclBytes == null) {
    return result;
  }
  if (!cellFeaturesEnabled) {
    throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
  }
  addCellPermissions(aclBytes, put.getFamilyCellMap());
  return result;
}
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method postListProcedures.
@Override
public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> ctx,
    List<ProcedureInfo> procInfoList) throws IOException {
  if (procInfoList.isEmpty()) {
    return;
  }
  // preListProcedures performs no authorization, so the list is filtered here:
  // a procedure stays visible to its owner, or to a caller holding ADMIN.
  final User caller = getActiveUser(ctx);
  for (Iterator<ProcedureInfo> it = procInfoList.iterator(); it.hasNext();) {
    final ProcedureInfo info = it.next();
    try {
      if (!ProcedureInfo.isProcedureOwner(info, caller)) {
        requirePermission(caller, "listProcedures", Action.ADMIN);
      }
    } catch (AccessDeniedException denied) {
      // Neither owner nor ADMIN: hide this entry rather than fail the whole call.
      it.remove();
    }
  }
}
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method requirePermission.
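/**
 * Authorizes that {@code user} holds at least one of the given actions for the
 * given table, column family and column qualifier.
 * <p>
 * Candidate actions are tried in order; the first grant wins and ends the loop.
 * When none is granted, the logged and reported denial names only the last action
 * tried. The denial is enforced only when {@code authorizationEnabled} is set;
 * otherwise the result is logged and the caller proceeds.
 * @param user user whose permissions are checked
 * @param request name of the requesting operation, used for audit logging
 * @param tableName Table requested
 * @param family Column family requested
 * @param qualifier Column qualifier requested
 * @param permissions actions of which at least one must be granted; must not be empty
 * @throws IllegalArgumentException if no action was supplied
 * @throws IOException if the authorization lookup itself fails
 * @throws AccessDeniedException if user has no authorization
 */
private void requirePermission(User user, String request, TableName tableName,
    byte[] family, byte[] qualifier, Action... permissions) throws IOException {
  if (permissions == null || permissions.length == 0) {
    // With no actions the loop below never assigns result, and the check would
    // fail with a NullPointerException; make the programming error explicit.
    throw new IllegalArgumentException(
        "requirePermission(" + request + ") called without any Action");
  }
  AuthResult result = null;
  for (Action permission : permissions) {
    if (authManager.authorize(user, tableName, family, qualifier, permission)) {
      result = AuthResult.allow(request, "Table permission granted", user, permission,
          tableName, family, qualifier);
      break;
    }
    // rest of the world
    result = AuthResult.deny(request, "Insufficient permissions", user, permission,
        tableName, family, qualifier);
  }
  logResult(result);
  if (authorizationEnabled && !result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}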
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method requireTablePermission.
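/**
 * Authorizes that {@code user} holds at least one of the given actions at the
 * table level, regardless of column family or qualifier.
 * <p>
 * Unlike {@link #requirePermission(User, String, TableName, byte[], byte[], Action...)},
 * {@code family} and {@code qualifier} take no part in the authorization decision
 * (the lookup passes null for both); they are only recorded on the result so the
 * audit entry shows what was asked for. The first granted action ends the loop;
 * when none is granted the reported denial names only the last action tried. The
 * denial is enforced only when {@code authorizationEnabled} is set.
 * @param user user whose permissions are checked
 * @param request name of the requesting operation, used for audit logging
 * @param tableName Table requested
 * @param family Column family, recorded for logging only
 * @param qualifier Column qualifier, recorded for logging only
 * @param permissions actions of which at least one must be granted; must not be empty
 * @throws IllegalArgumentException if no action was supplied
 * @throws IOException if the authorization lookup itself fails
 * @throws AccessDeniedException if user has no authorization
 */
private void requireTablePermission(User user, String request, TableName tableName,
    byte[] family, byte[] qualifier, Action... permissions) throws IOException {
  if (permissions == null || permissions.length == 0) {
    // With no actions the loop below never assigns result, and the check would
    // fail with a NullPointerException; make the programming error explicit.
    throw new IllegalArgumentException(
        "requireTablePermission(" + request + ") called without any Action");
  }
  AuthResult result = null;
  for (Action permission : permissions) {
    // Table-scoped lookup: family and qualifier are deliberately not consulted.
    if (authManager.authorize(user, tableName, null, null, permission)) {
      result = AuthResult.allow(request, "Table permission granted", user, permission,
          tableName, null, null);
      break;
    }
    // rest of the world
    result = AuthResult.deny(request, "Insufficient permissions", user, permission,
        tableName, family, qualifier);
  }
  // Attach the requested column scope for the audit log, whichever way it went.
  result.getParams().setFamily(family).setQualifier(qualifier);
  logResult(result);
  if (authorizationEnabled && !result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}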