Examples with AccessDeniedException org.apache.hadoop.hbase.security.AccessDeniedException used on opensource projects

Example 21 with AccessDeniedException

use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

the class AccessController method preCheckAndDeleteAfterRowLock.

@Override
public boolean preCheckAndDeleteAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family, final byte[] qualifier, final CompareFilter.CompareOp compareOp, final ByteArrayComparable comparator, final Delete delete, final boolean result) throws IOException {
    if (delete.getAttribute(CHECK_COVERING_PERM) != null) {
        // We had failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
        Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
        AuthResult authResult = null;
        User user = getActiveUser(c);
        if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(), row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) {
            authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", user, Action.READ, table, families);
        } else {
            authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", user, Action.READ, table, families);
        }
        logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }
    return result;
}

Example 22 with AccessDeniedException

use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

the class AccessController method preAppendAfterRowLock.

@Override
public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c, final Append append) throws IOException {
    if (append.getAttribute(CHECK_COVERING_PERM) != null) {
        // We had failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
        AuthResult authResult = null;
        User user = getActiveUser(c);
        if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(), append.getFamilyCellMap(), HConstants.LATEST_TIMESTAMP, Action.WRITE)) {
            authResult = AuthResult.allow(OpType.APPEND.toString(), "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
        } else {
            authResult = AuthResult.deny(OpType.APPEND.toString(), "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
        }
        logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }
    return null;
}

Example 23 with AccessDeniedException

use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

the class AccessController method requireNamespacePermission.

/**
   * Checks that the user has the given global or namespace permission.
   * @param namespace
   * @param permissions Actions being requested
   */
public void requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, Action... permissions) throws IOException {
    AuthResult result = null;
    for (Action permission : permissions) {
        if (authManager.authorize(user, namespace, permission)) {
            result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
            break;
        } else {
            // rest of the world
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
        }
    }
    logResult(result);
    if (authorizationEnabled && !result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
    }
}

Example 24 with AccessDeniedException

use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

the class AccessController method preCheckAndDelete.

@Override
public boolean preCheckAndDelete(final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family, final byte[] qualifier, final CompareFilter.CompareOp compareOp, final ByteArrayComparable comparator, final Delete delete, final boolean result) throws IOException {
    // An ACL on a delete is useless, we shouldn't allow it
    if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {
        throw new DoNotRetryIOException("ACL on checkAndDelete has no effect: " + delete.toString());
    }
    // Require READ and WRITE permissions on the table, CF, and the KV covered
    // by the delete
    RegionCoprocessorEnvironment env = c.getEnvironment();
    Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
    User user = getActiveUser(c);
    AuthResult authResult = permissionGranted(OpType.CHECK_AND_DELETE, user, env, families, Action.READ, Action.WRITE);
    logResult(authResult);
    if (!authResult.isAllowed()) {
        if (cellFeaturesEnabled && !compatibleEarlyTermination) {
            delete.setAttribute(CHECK_COVERING_PERM, TRUE);
        } else if (authorizationEnabled) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }
    return result;
}

Example 25 with AccessDeniedException

use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.

the class VisibilityController method requireScannerOwner.

/**
   * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that
   * access control is correctly enforced based on the checks performed in preScannerOpen()
   */
private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
    if (!RpcServer.isInRpcCallContext())
        return;
    String requestUName = RpcServer.getRequestUserName();
    String owner = scannerOwners.get(s);
    if (authorizationEnabled && owner != null && !owner.equals(requestUName)) {
        throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");
    }
}