Example 26 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class VisibilityController method getAuths.
@Override
public synchronized void getAuths(RpcController controller, GetAuthsRequest request, RpcCallback<GetAuthsResponse> done) {
GetAuthsResponse.Builder response = GetAuthsResponse.newBuilder();
if (!initialized) {
controller.setFailed("VisibilityController not yet initialized");
} else {
byte[] user = request.getUser().toByteArray();
List<String> labels = null;
try {
// AccessController CP methods.
if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {
User requestingUser = VisibilityUtils.getActiveUser();
throw new AccessDeniedException("User '" + (requestingUser != null ? requestingUser.getShortName() : "null") + "' is not authorized to perform this action.");
}
if (AuthUtil.isGroupPrincipal(Bytes.toString(user))) {
String group = AuthUtil.getGroupName(Bytes.toString(user));
labels = this.visibilityLabelService.getGroupAuths(new String[] { group }, false);
} else {
labels = this.visibilityLabelService.getUserAuths(user, false);
}
logResult(true, "getAuths", "Get authorizations for user allowed", user, null, null);
} catch (AccessDeniedException e) {
logResult(false, "getAuths", e.getMessage(), user, null, null);
CoprocessorRpcUtils.setControllerException(controller, e);
} catch (IOException e) {
CoprocessorRpcUtils.setControllerException(controller, e);
}
response.setUser(request.getUser());
if (labels != null) {
for (String label : labels) {
response.addAuth(ByteStringer.wrap(Bytes.toBytes(label)));
}
}
}
done.run(response.build());
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
User(org.apache.hadoop.hbase.security.User)
GetAuthsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)
ByteString(com.google.protobuf.ByteString)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
IOException(java.io.IOException)
Example 27 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class VisibilityController method addLabels.
/****************************** VisibilityEndpoint service related methods ******************************/
@Override
public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();
List<VisibilityLabel> visLabels = request.getVisLabelList();
if (!initialized) {
setExceptionResults(visLabels.size(), new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"), response);
} else {
List<byte[]> labels = new ArrayList<>(visLabels.size());
try {
if (authorizationEnabled) {
checkCallingUserAuth();
}
RegionActionResult successResult = RegionActionResult.newBuilder().build();
for (VisibilityLabel visLabel : visLabels) {
byte[] label = visLabel.getLabel().toByteArray();
labels.add(label);
// Just mark as success. Later it will get reset
response.addResult(successResult);
// based on the result from
// visibilityLabelService.addLabels ()
}
if (!labels.isEmpty()) {
OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);
logResult(true, "addLabels", "Adding labels allowed", null, labels, null);
int i = 0;
for (OperationStatus status : opStatus) {
while (response.getResult(i) != successResult) i++;
if (status.getOperationStatusCode() != SUCCESS) {
RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();
failureResultBuilder.setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));
response.setResult(i, failureResultBuilder.build());
}
i++;
}
}
} catch (AccessDeniedException e) {
logResult(false, "addLabels", e.getMessage(), null, labels, null);
LOG.error("User is not having required permissions to add labels", e);
setExceptionResults(visLabels.size(), e, response);
} catch (IOException e) {
LOG.error(e);
setExceptionResults(visLabels.size(), e, response);
}
}
done.run(response.build());
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
ArrayList(java.util.ArrayList)
RegionActionResult(org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
IOException(java.io.IOException)
ReplicationEndpoint(org.apache.hadoop.hbase.replication.ReplicationEndpoint)
VisibilityLabel(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabel)
OperationStatus(org.apache.hadoop.hbase.regionserver.OperationStatus)
VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Example 28 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class VisibilityController method clearAuths.
@Override
public synchronized void clearAuths(RpcController controller, SetAuthsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();
List<ByteString> auths = request.getAuthList();
if (!initialized) {
setExceptionResults(auths.size(), new CoprocessorException("VisibilityController not yet initialized"), response);
} else {
byte[] requestUser = request.getUser().toByteArray();
List<byte[]> labelAuths = new ArrayList<>(auths.size());
try {
// When AC is ON, do AC based user auth check
if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {
User user = VisibilityUtils.getActiveUser();
throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : "null") + " is not authorized to perform this action.");
}
if (authorizationEnabled) {
// When AC is not in place the calling user should have
checkCallingUserAuth();
// SYSTEM_LABEL auth to do this action.
}
for (ByteString authBS : auths) {
labelAuths.add(authBS.toByteArray());
}
OperationStatus[] opStatus = this.visibilityLabelService.clearAuths(requestUser, labelAuths);
logResult(true, "clearAuths", "Removing authorization for labels allowed", requestUser, labelAuths, null);
RegionActionResult successResult = RegionActionResult.newBuilder().build();
for (OperationStatus status : opStatus) {
if (status.getOperationStatusCode() == SUCCESS) {
response.addResult(successResult);
} else {
RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();
failureResultBuilder.setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));
response.addResult(failureResultBuilder.build());
}
}
} catch (AccessDeniedException e) {
logResult(false, "clearAuths", e.getMessage(), requestUser, labelAuths, null);
LOG.error("User is not having required permissions to clear authorization", e);
setExceptionResults(auths.size(), e, response);
} catch (IOException e) {
LOG.error(e);
setExceptionResults(auths.size(), e, response);
}
}
done.run(response.build());
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
User(org.apache.hadoop.hbase.security.User)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
ByteString(com.google.protobuf.ByteString)
ArrayList(java.util.ArrayList)
RegionActionResult(org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
IOException(java.io.IOException)
OperationStatus(org.apache.hadoop.hbase.regionserver.OperationStatus)
VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)
Example 29 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method preBatchMutate.
@Override
public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c, MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {
if (cellFeaturesEnabled && !compatibleEarlyTermination) {
TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
User user = getActiveUser(c);
for (int i = 0; i < miniBatchOp.size(); i++) {
Mutation m = miniBatchOp.getOperation(i);
if (m.getAttribute(CHECK_COVERING_PERM) != null) {
// We have a failure with table, cf and q perm checks and now giving a chance for cell
// perm check
OpType opType;
if (m instanceof Put) {
checkForReservedTagPresence(user, m);
opType = OpType.PUT;
} else {
opType = OpType.DELETE;
}
AuthResult authResult = null;
if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(), m.getFamilyCellMap(), m.getTimeStamp(), Action.WRITE)) {
authResult = AuthResult.allow(opType.toString(), "Covering cell set", user, Action.WRITE, table, m.getFamilyCellMap());
} else {
authResult = AuthResult.deny(opType.toString(), "Covering cell set", user, Action.WRITE, table, m.getFamilyCellMap());
}
logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
}
}
}
}
}
Also used :
TableName(org.apache.hadoop.hbase.TableName)
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
User(org.apache.hadoop.hbase.security.User)
Mutation(org.apache.hadoop.hbase.client.Mutation)
ReplicationEndpoint(org.apache.hadoop.hbase.replication.ReplicationEndpoint)
Put(org.apache.hadoop.hbase.client.Put)
Example 30 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method preAppend.
@Override
public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append) throws IOException {
User user = getActiveUser(c);
checkForReservedTagPresence(user, append);
// Require WRITE permission to the table, CF, and the KV to be appended
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[], ? extends Collection<Cell>> families = append.getFamilyCellMap();
AuthResult authResult = permissionGranted(OpType.APPEND, user, env, families, Action.WRITE);
logResult(authResult);
if (!authResult.isAllowed()) {
if (cellFeaturesEnabled && !compatibleEarlyTermination) {
append.setAttribute(CHECK_COVERING_PERM, TRUE);
} else if (authorizationEnabled) {
throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
}
}
byte[] bytes = append.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
if (bytes != null) {
if (cellFeaturesEnabled) {
addCellPermissions(bytes, append.getFamilyCellMap());
} else {
throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
}
}
return null;
}
Also used :
RegionCoprocessorEnvironment(org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment)
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
User(org.apache.hadoop.hbase.security.User)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
Cell(org.apache.hadoop.hbase.Cell)
Aggregations
AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException)35
User (org.apache.hadoop.hbase.security.User)20
DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException)13
IOException (java.io.IOException)12
TableName (org.apache.hadoop.hbase.TableName)8
RegionCoprocessorEnvironment (org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment)8
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)7
Action (org.apache.hadoop.hbase.security.access.Permission.Action)7
ArrayList (java.util.ArrayList)6
ByteString (com.google.protobuf.ByteString)5
Cell (org.apache.hadoop.hbase.Cell)5
Path (org.apache.hadoop.fs.Path)3
RegionActionResult (org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)3
VisibilityLabelsResponse (org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)3
OperationStatus (org.apache.hadoop.hbase.regionserver.OperationStatus)3
ReplicationEndpoint (org.apache.hadoop.hbase.replication.ReplicationEndpoint)3
ImmutableSet (com.google.common.collect.ImmutableSet)2
Set (java.util.Set)2
TreeMap (java.util.TreeMap)2
TreeSet (java.util.TreeSet)2
