Example 11 with AccessDeniedException

Use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

The class AccessController, method preIncrement. The increment is first checked for WRITE at table, column-family and qualifier scope. When that check fails and cell ACLs are enabled (cellFeaturesEnabled without compatibleEarlyTermination), the denial is not thrown here: the CHECK_COVERING_PERM attribute is set on the operation so that the existing cell's own ACL can be consulted once the row lock is held. With authorizationEnabled false the denial is only logged and the operation proceeds.

@Override
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c, final Increment increment) throws IOException {
    User user = getActiveUser(c);
    checkForReservedTagPresence(user, increment);
    // Require WRITE permission to the table, CF, and the KV to be replaced by
    // the incremented value
    RegionCoprocessorEnvironment env = c.getEnvironment();
    Map<byte[], ? extends Collection<Cell>> families = increment.getFamilyCellMap();
    AuthResult authResult = permissionGranted(OpType.INCREMENT, user, env, families, Action.WRITE);
    logResult(authResult);
    if (!authResult.isAllowed()) {
        if (cellFeaturesEnabled && !compatibleEarlyTermination) {
            increment.setAttribute(CHECK_COVERING_PERM, TRUE);
        } else if (authorizationEnabled) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }
    byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
    if (bytes != null) {
        if (cellFeaturesEnabled) {
            addCellPermissions(bytes, increment.getFamilyCellMap());
        } else {
            throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
        }
    }
    return null;
}
Also used: RegionCoprocessorEnvironment (org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment), AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException), User (org.apache.hadoop.hbase.security.User), DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException), Cell (org.apache.hadoop.hbase.Cell)

Example 12 with AccessDeniedException

Use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

The class AccessController, method prePut. Same two-phase pattern as preIncrement: a scope-level WRITE check, deferred to the covering-cell check via CHECK_COVERING_PERM when cell ACLs are enabled. A cell ACL carried on the Put in the OP_ATTRIBUTE_ACL attribute is attached to the cells only when cell features are enabled; otherwise the request fails with DoNotRetryIOException, which tells the client not to retry a request that can never succeed on this cluster.

@Override
public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c, final Put put, final WALEdit edit, final Durability durability) throws IOException {
    User user = getActiveUser(c);
    checkForReservedTagPresence(user, put);
    // Require WRITE permission to the table, CF, or top visible value, if any.
    // NOTE: We don't need to check the permissions for any earlier Puts
    // because we treat the ACLs in each Put as timestamped like any other
    // HBase value. A new ACL in a new Put applies to that Put. It doesn't
    // change the ACL of any previous Put. This allows simple evolution of
    // security policy over time without requiring expensive updates.
    RegionCoprocessorEnvironment env = c.getEnvironment();
    Map<byte[], ? extends Collection<Cell>> families = put.getFamilyCellMap();
    AuthResult authResult = permissionGranted(OpType.PUT, user, env, families, Action.WRITE);
    logResult(authResult);
    if (!authResult.isAllowed()) {
        if (cellFeaturesEnabled && !compatibleEarlyTermination) {
            put.setAttribute(CHECK_COVERING_PERM, TRUE);
        } else if (authorizationEnabled) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }
    // Add cell ACLs from the operation to the cells themselves
    byte[] bytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
    if (bytes != null) {
        if (cellFeaturesEnabled) {
            addCellPermissions(bytes, put.getFamilyCellMap());
        } else {
            throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
        }
    }
}
Also used: RegionCoprocessorEnvironment (org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment), AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException), User (org.apache.hadoop.hbase.security.User), DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException), Cell (org.apache.hadoop.hbase.Cell)

Example 13 with AccessDeniedException

Use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

The class AccessController, method preIncrementAfterRowLock. This is the second phase: it runs only when preIncrement set CHECK_COVERING_PERM, and checks WRITE against the ACL of the cells the increment would replace, bounded by the increment's time range. The exception is thrown only when authorizationEnabled is true; otherwise the deny is logged and the increment goes ahead.

@Override
public Result preIncrementAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c, final Increment increment) throws IOException {
    if (increment.getAttribute(CHECK_COVERING_PERM) != null) {
        // We had failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
        AuthResult authResult = null;
        User user = getActiveUser(c);
        if (checkCoveringPermission(user, OpType.INCREMENT, c.getEnvironment(), increment.getRow(), increment.getFamilyCellMap(), increment.getTimeRange().getMax(), Action.WRITE)) {
            authResult = AuthResult.allow(OpType.INCREMENT.toString(), "Covering cell set", user, Action.WRITE, table, increment.getFamilyCellMap());
        } else {
            authResult = AuthResult.deny(OpType.INCREMENT.toString(), "Covering cell set", user, Action.WRITE, table, increment.getFamilyCellMap());
        }
        logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }
    return null;
}
Also used: TableName (org.apache.hadoop.hbase.TableName), AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException), User (org.apache.hadoop.hbase.security.User)

Example 14 with AccessDeniedException

Use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

The class AccessController, method preCheckAndPutAfterRowLock. The deferred check here is for Action.READ, not WRITE: the compare step of a checkAndPut reads the cell at row/family/qualifier, so the user must be allowed to see it, evaluated at HConstants.LATEST_TIMESTAMP. The WRITE side of the Put is not part of this snippet.

@Override
public boolean preCheckAndPutAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family, final byte[] qualifier, final CompareFilter.CompareOp compareOp, final ByteArrayComparable comparator, final Put put, final boolean result) throws IOException {
    if (put.getAttribute(CHECK_COVERING_PERM) != null) {
        // We had failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
        Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
        AuthResult authResult = null;
        User user = getActiveUser(c);
        if (checkCoveringPermission(user, OpType.CHECK_AND_PUT, c.getEnvironment(), row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) {
            authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(), "Covering cell set", user, Action.READ, table, families);
        } else {
            authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(), "Covering cell set", user, Action.READ, table, families);
        }
        logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }
    return result;
}
Also used: TableName (org.apache.hadoop.hbase.TableName), AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException), User (org.apache.hadoop.hbase.security.User)
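
The following is an added example, not HBase's own code, that models the two-phase write authorization shown in Examples 11 to 14 (preIncrement / prePut, then the AfterRowLock hook) so the effect of the three flags can be exercised directly. The scope grants, the stored cell ACLs, the audit list and the demo users alice, bob and mallory are in-memory stand-ins and assumptions; the real AccessController reads grants from the ACL table and cell ACLs from cell tags.

```python
"""Model of the two-phase write authorization shown in the AccessController
snippets above. Added example, not HBase code: the scope grants, the stored
cell ACLs and the audit log are in-memory stand-ins (assumptions)."""
from dataclasses import dataclass, field


class AccessDeniedException(Exception):
    """Stand-in for org.apache.hadoop.hbase.security.AccessDeniedException."""


class DoNotRetryIOException(Exception):
    """Stand-in for org.apache.hadoop.hbase.DoNotRetryIOException."""


CHECK_COVERING_PERM = "check.covering.perm"  # marker set in phase 1, read in phase 2
OP_ATTRIBUTE_ACL = "acl"                      # cell ACL carried on the mutation


@dataclass
class Mutation:
    user: str
    row: str
    family: str
    qualifier: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Config:
    authorization_enabled: bool = True          # False: log denials, never throw
    cell_features_enabled: bool = True          # cell ACLs persisted and consulted
    compatible_early_termination: bool = False  # True: deny before the row lock


class AccessController:
    def __init__(self, cfg, scope_grants, cell_grants):
        # scope_grants: {(user, scope): {actions}} with scope "table", "cf:<family>"
        # or "cf:<family>:<qualifier>" (assumed layout). cell_grants: the ACLs of
        # cells already stored, {(row, family, qualifier): {user: {actions}}}.
        self.cfg = cfg
        self.scope_grants = scope_grants
        self.cell_grants = cell_grants
        self.audit = []  # (decision, reason, user), like logResult(authResult)

    def _permission_granted(self, m, action):
        # Table, family and family:qualifier scope; any one grant is enough.
        scopes = ("table", f"cf:{m.family}", f"cf:{m.family}:{m.qualifier}")
        return any(action in self.scope_grants.get((m.user, s), set()) for s in scopes)

    def _check_covering_permission(self, m, action):
        cell_acl = self.cell_grants.get((m.row, m.family, m.qualifier), {})
        return action in cell_acl.get(m.user, set())

    def pre_mutation(self, m):
        """Phase 1 (prePut / preIncrement): scope-level WRITE check before the row lock."""
        allowed = self._permission_granted(m, "WRITE")
        self.audit.append(("allow" if allowed else "deny", "scope check", m.user))
        if not allowed:
            if self.cfg.cell_features_enabled and not self.cfg.compatible_early_termination:
                m.attributes[CHECK_COVERING_PERM] = True  # defer to the cell check
            elif self.cfg.authorization_enabled:
                raise AccessDeniedException(f"Insufficient permissions for {m.user}")
        # A cell ACL supplied with the mutation needs cell features to be stored.
        if OP_ATTRIBUTE_ACL in m.attributes and not self.cfg.cell_features_enabled:
            raise DoNotRetryIOException("Cell ACLs cannot be persisted")

    def pre_mutation_after_row_lock(self, m):
        """Phase 2 (preIncrementAfterRowLock): covering-cell check, only if deferred."""
        if CHECK_COVERING_PERM not in m.attributes:
            return
        allowed = self._check_covering_permission(m, "WRITE")
        self.audit.append(("allow" if allowed else "deny", "covering cell set", m.user))
        if self.cfg.authorization_enabled and not allowed:
            raise AccessDeniedException(f"Insufficient permissions for {m.user}")

    def apply(self, m):
        """Run both phases; persist the new cell's ACL; return the last audit entry."""
        self.pre_mutation(m)
        self.pre_mutation_after_row_lock(m)
        if OP_ATTRIBUTE_ACL in m.attributes:
            self.cell_grants[(m.row, m.family, m.qualifier)] = m.attributes[OP_ATTRIBUTE_ACL]
        return self.audit[-1]


def demo(cfg, user, attributes=None):
    """Constructed sample: alice holds table-level WRITE, bob only a WRITE grant on the
    stored cell row1/f:q, mallory nothing. Returns the final audit entry or the exception name."""
    ac = AccessController(
        cfg,
        scope_grants={("alice", "table"): {"READ", "WRITE"}},
        cell_grants={("row1", "f", "q"): {"bob": {"WRITE"}}},
    )
    m = Mutation(user, "row1", "f", "q", dict(attributes or {}))
    try:
        return ac.apply(m)
    except (AccessDeniedException, DoNotRetryIOException) as e:
        return type(e).__name__
```

Running demo with the default Config shows bob's write being rescued by the cell ACL in phase 2, while Config(compatible_early_termination=True) denies him in phase 1 before the cell is ever consulted, and Config(authorization_enabled=False) lets mallory through with a deny entry in the audit list only. That last mode is what a cluster runs in when the coprocessor is loaded but hbase.security.authorization is off: the audit trail is real, the enforcement is not.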

Example 15 with AccessDeniedException

Use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

The class TokenProvider, method getAuthenticationToken. A delegation token is issued only when a secret manager is configured, the RPC carries an authenticated user, and isAllowedDelegationTokenOp accepts that user's authentication method; the denial message names Kerberos, so a client that is itself authenticated by a token cannot mint a fresh one through this path. Note that the AccessDeniedException is not thrown to the caller: it is attached to the RpcController via CoprocessorRpcUtils.setControllerException and the callback still runs with an empty response.

@Override
public void getAuthenticationToken(RpcController controller, AuthenticationProtos.GetAuthenticationTokenRequest request, RpcCallback<AuthenticationProtos.GetAuthenticationTokenResponse> done) {
    AuthenticationProtos.GetAuthenticationTokenResponse.Builder response = AuthenticationProtos.GetAuthenticationTokenResponse.newBuilder();
    try {
        if (secretManager == null) {
            throw new IOException("No secret manager configured for token authentication");
        }
        User currentUser = RpcServer.getRequestUser();
        UserGroupInformation ugi = null;
        if (currentUser != null) {
            ugi = currentUser.getUGI();
        }
        if (currentUser == null) {
            throw new AccessDeniedException("No authenticated user for request!");
        } else if (!isAllowedDelegationTokenOp(ugi)) {
            LOG.warn("Token generation denied for user=" + currentUser.getName() + ", authMethod=" + ugi.getAuthenticationMethod());
            throw new AccessDeniedException("Token generation only allowed for Kerberos authenticated clients");
        }
        Token<AuthenticationTokenIdentifier> token = secretManager.generateToken(currentUser.getName());
        response.setToken(TokenUtil.toToken(token)).build();
    } catch (IOException ioe) {
        CoprocessorRpcUtils.setControllerException(controller, ioe);
    }
    done.run(response.build());
}
Also used: AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException), User (org.apache.hadoop.hbase.security.User), IOException (java.io.IOException), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)

Aggregations

AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException): 35
User (org.apache.hadoop.hbase.security.User): 20
DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException): 13
IOException (java.io.IOException): 12
TableName (org.apache.hadoop.hbase.TableName): 8
RegionCoprocessorEnvironment (org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment): 8
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction): 7
Action (org.apache.hadoop.hbase.security.access.Permission.Action): 7
ArrayList (java.util.ArrayList): 6
ByteString (com.google.protobuf.ByteString): 5
Cell (org.apache.hadoop.hbase.Cell): 5
Path (org.apache.hadoop.fs.Path): 3
RegionActionResult (org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult): 3
VisibilityLabelsResponse (org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse): 3
OperationStatus (org.apache.hadoop.hbase.regionserver.OperationStatus): 3
ReplicationEndpoint (org.apache.hadoop.hbase.replication.ReplicationEndpoint): 3
ImmutableSet (com.google.common.collect.ImmutableSet): 2
Set (java.util.Set): 2
TreeMap (java.util.TreeMap): 2
TreeSet (java.util.TreeSet): 2