Example 31 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method internalPreRead.
private void internalPreRead(final ObserverContext<RegionCoprocessorEnvironment> c, final Query query, OpType opType) throws IOException {
Filter filter = query.getFilter();
// Don't wrap an AccessControlFilter
if (filter != null && filter instanceof AccessControlFilter) {
return;
}
User user = getActiveUser(c);
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[], ? extends Collection<byte[]>> families = null;
switch(opType) {
case GET:
case EXISTS:
families = ((Get) query).getFamilyMap();
break;
case SCAN:
families = ((Scan) query).getFamilyMap();
break;
default:
throw new RuntimeException("Unhandled operation " + opType);
}
AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ);
Region region = getRegion(env);
TableName table = getTableName(region);
Map<ByteRange, Integer> cfVsMaxVersions = Maps.newHashMap();
for (HColumnDescriptor hcd : region.getTableDesc().getFamilies()) {
cfVsMaxVersions.put(new SimpleMutableByteRange(hcd.getName()), hcd.getMaxVersions());
}
if (!authResult.isAllowed()) {
if (!cellFeaturesEnabled || compatibleEarlyTermination) {
// filter) but that's the price of backwards compatibility.
if (hasFamilyQualifierPermission(user, Action.READ, env, families)) {
authResult.setAllowed(true);
authResult.setReason("Access allowed with filter");
// Only wrap the filter if we are enforcing authorizations
if (authorizationEnabled) {
Filter ourFilter = new AccessControlFilter(authManager, user, table, AccessControlFilter.Strategy.CHECK_TABLE_AND_CF_ONLY, cfVsMaxVersions);
// wrap any existing filter
if (filter != null) {
ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(ourFilter, filter));
}
switch(opType) {
case GET:
case EXISTS:
((Get) query).setFilter(ourFilter);
break;
case SCAN:
((Scan) query).setFilter(ourFilter);
break;
default:
throw new RuntimeException("Unhandled operation " + opType);
}
}
}
} else {
// New behavior: Any access we might be granted is more fine-grained
// than whole table or CF. Simply inject a filter and return what is
// allowed. We will not throw an AccessDeniedException. This is a
// behavioral change since 0.96.
authResult.setAllowed(true);
authResult.setReason("Access allowed with filter");
// Only wrap the filter if we are enforcing authorizations
if (authorizationEnabled) {
Filter ourFilter = new AccessControlFilter(authManager, user, table, AccessControlFilter.Strategy.CHECK_CELL_DEFAULT, cfVsMaxVersions);
// wrap any existing filter
if (filter != null) {
ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(ourFilter, filter));
}
switch(opType) {
case GET:
case EXISTS:
((Get) query).setFilter(ourFilter);
break;
case SCAN:
((Scan) query).setFilter(ourFilter);
break;
default:
throw new RuntimeException("Unhandled operation " + opType);
}
}
}
}
logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
throw new AccessDeniedException("Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") + "' (table=" + table + ", action=READ)");
}
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
User(org.apache.hadoop.hbase.security.User)
ByteRange(org.apache.hadoop.hbase.util.ByteRange)
SimpleMutableByteRange(org.apache.hadoop.hbase.util.SimpleMutableByteRange)
HColumnDescriptor(org.apache.hadoop.hbase.HColumnDescriptor)
FilterList(org.apache.hadoop.hbase.filter.FilterList)
SimpleMutableByteRange(org.apache.hadoop.hbase.util.SimpleMutableByteRange)
TableName(org.apache.hadoop.hbase.TableName)
RegionCoprocessorEnvironment(org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment)
CompareFilter(org.apache.hadoop.hbase.filter.CompareFilter)
Filter(org.apache.hadoop.hbase.filter.Filter)
Get(org.apache.hadoop.hbase.client.Get)
Region(org.apache.hadoop.hbase.regionserver.Region)
Scan(org.apache.hadoop.hbase.client.Scan)
Example 32 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method postListNamespaceDescriptors.
@Override
public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<NamespaceDescriptor> descriptors) throws IOException {
// Retains only those which passes authorization checks, as the checks weren't done as part
// of preGetTableDescriptors.
Iterator<NamespaceDescriptor> itr = descriptors.iterator();
User user = getActiveUser(ctx);
while (itr.hasNext()) {
NamespaceDescriptor desc = itr.next();
try {
requireNamespacePermission(user, "listNamespaces", desc.getName(), Action.ADMIN);
} catch (AccessDeniedException e) {
itr.remove();
}
}
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
User(org.apache.hadoop.hbase.security.User)
NamespaceDescriptor(org.apache.hadoop.hbase.NamespaceDescriptor)
Example 33 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class AccessController method requireAccess.
/**
* Authorizes that the current user has any of the given permissions to access the table.
*
* @param tableName Table requested
* @param permissions Actions being requested
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if user has no authorization
*/
private void requireAccess(User user, String request, TableName tableName, Action... permissions) throws IOException {
AuthResult result = null;
for (Action permission : permissions) {
if (authManager.hasAccess(user, tableName, permission)) {
result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, null, null);
break;
} else {
// rest of the world
result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, null, null);
}
}
logResult(result);
if (authorizationEnabled && !result.isAllowed()) {
throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
}
}
Also used :
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
Action(org.apache.hadoop.hbase.security.access.Permission.Action)
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
Example 34 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class TestJMXConnectorServer method testHMConnectorServerWhenStopMaster.
/**
* This tests to validate the HMaster's ConnectorServer after unauthorised stopMaster call.
*/
@Test(timeout = 180000)
public void testHMConnectorServerWhenStopMaster() throws Exception {
conf.set(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, JMXListener.class.getName() + "," + MyAccessController.class.getName());
conf.setInt("master.rmi.registry.port", rmiRegistryPort);
UTIL.startMiniCluster();
admin = UTIL.getConnection().getAdmin();
// try to stop master
boolean accessDenied = false;
try {
hasAccess = false;
LOG.info("Stopping HMaster...");
admin.stopMaster();
} catch (AccessDeniedException e) {
LOG.info("Exception occured while stopping HMaster. ", e);
accessDenied = true;
}
Assert.assertTrue(accessDenied);
// Check whether HMaster JMX Connector server can be connected
JMXConnector connector = null;
try {
connector = JMXConnectorFactory.connect(JMXListener.buildJMXServiceURL(rmiRegistryPort, rmiRegistryPort));
} catch (IOException e) {
if (e.getCause() instanceof ServiceUnavailableException) {
Assert.fail("Can't connect to HMaster ConnectorServer.");
}
}
Assert.assertNotNull("JMXConnector should not be null.", connector);
connector.close();
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
JMXConnector(javax.management.remote.JMXConnector)
IOException(java.io.IOException)
ServiceUnavailableException(javax.naming.ServiceUnavailableException)
Test(org.junit.Test)
Example 35 with AccessDeniedException
use of org.apache.hadoop.hbase.security.AccessDeniedException in project hbase by apache.
the class SnapshotManager method getCompletedSnapshots.
/**
* Gets the list of all completed snapshots.
* @param snapshotDir snapshot directory
* @return list of SnapshotDescriptions
* @throws IOException File system exception
*/
private List<SnapshotDescription> getCompletedSnapshots(Path snapshotDir) throws IOException {
List<SnapshotDescription> snapshotDescs = new ArrayList<>();
// first create the snapshot root path and check to see if it exists
FileSystem fs = master.getMasterFileSystem().getFileSystem();
if (snapshotDir == null)
snapshotDir = SnapshotDescriptionUtils.getSnapshotsDir(rootDir);
// if there are no snapshots, return an empty list
if (!fs.exists(snapshotDir)) {
return snapshotDescs;
}
// ignore all the snapshots in progress
FileStatus[] snapshots = fs.listStatus(snapshotDir, new SnapshotDescriptionUtils.CompletedSnaphotDirectoriesFilter(fs));
MasterCoprocessorHost cpHost = master.getMasterCoprocessorHost();
// loop through all the completed snapshots
for (FileStatus snapshot : snapshots) {
Path info = new Path(snapshot.getPath(), SnapshotDescriptionUtils.SNAPSHOTINFO_FILE);
// if the snapshot is bad
if (!fs.exists(info)) {
LOG.error("Snapshot information for " + snapshot.getPath() + " doesn't exist");
continue;
}
FSDataInputStream in = null;
try {
in = fs.open(info);
SnapshotDescription desc = SnapshotDescription.parseFrom(in);
if (cpHost != null) {
try {
cpHost.preListSnapshot(desc);
} catch (AccessDeniedException e) {
LOG.warn("Current user does not have access to " + desc.getName() + " snapshot. " + "Either you should be owner of this snapshot or admin user.");
// Skip this and try for next snapshot
continue;
}
}
snapshotDescs.add(desc);
// call coproc post hook
if (cpHost != null) {
cpHost.postListSnapshot(desc);
}
} catch (IOException e) {
LOG.warn("Found a corrupted snapshot " + snapshot.getPath(), e);
} finally {
if (in != null) {
in.close();
}
}
}
return snapshotDescs;
}
Also used :
Path(org.apache.hadoop.fs.Path)
MasterCoprocessorHost(org.apache.hadoop.hbase.master.MasterCoprocessorHost)
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
FileStatus(org.apache.hadoop.fs.FileStatus)
ClientSnapshotDescriptionUtils(org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils)
SnapshotDescriptionUtils(org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils)
ArrayList(java.util.ArrayList)
SnapshotDescription(org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos.SnapshotDescription)
IOException(java.io.IOException)
FileSystem(org.apache.hadoop.fs.FileSystem)
MasterFileSystem(org.apache.hadoop.hbase.master.MasterFileSystem)
FSDataInputStream(org.apache.hadoop.fs.FSDataInputStream)
Aggregations
AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException)35
User (org.apache.hadoop.hbase.security.User)20
DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException)13
IOException (java.io.IOException)12
TableName (org.apache.hadoop.hbase.TableName)8
RegionCoprocessorEnvironment (org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment)8
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)7
Action (org.apache.hadoop.hbase.security.access.Permission.Action)7
ArrayList (java.util.ArrayList)6
ByteString (com.google.protobuf.ByteString)5
Cell (org.apache.hadoop.hbase.Cell)5
Path (org.apache.hadoop.fs.Path)3
RegionActionResult (org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)3
VisibilityLabelsResponse (org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)3
OperationStatus (org.apache.hadoop.hbase.regionserver.OperationStatus)3
ReplicationEndpoint (org.apache.hadoop.hbase.replication.ReplicationEndpoint)3
ImmutableSet (com.google.common.collect.ImmutableSet)2
Set (java.util.Set)2
TreeMap (java.util.TreeMap)2
TreeSet (java.util.TreeSet)2
