
Example 1 with Action

Use of org.apache.hadoop.hbase.security.access.Permission.Action in project hbase by apache.

Class AccessController, method requireNamespacePermission.

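/**
 * Checks that {@code user} holds at least one of the requested {@code permissions} on
 * {@code namespace}, either as a namespace grant or as a global grant; the lookup itself is
 * delegated to {@code authManager}, and the first action that authorizes ends the scan.
 *
 * <p>The outcome is always passed to {@code logResult}; a denial is only turned into an
 * exception when {@code authorizationEnabled} is set, so with authorization disabled the check
 * is audit-only.
 *
 * @param user the user whose permissions are checked
 * @param request a short description of the operation, recorded in the audit log entry
 * @param namespace the namespace the operation targets
 * @param permissions the actions being requested; at least one is required
 * @throws IllegalArgumentException if no action is requested
 * @throws IOException if authorization is enabled and none of the actions is granted
 *     (thrown as {@link AccessDeniedException})
 */
public void requireNamespacePermission(User user, String request, String namespace, Action... permissions) throws IOException {
    if (permissions == null || permissions.length == 0) {
        // Fail fast: with no action to test the loop below would leave result null and the
        // check would end in a NullPointerException instead of a meaningful decision.
        throw new IllegalArgumentException("requireNamespacePermission(" + request
            + ") called without any Action for namespace " + namespace);
    }
    AuthResult result = null;
    for (Action permission : permissions) {
        if (authManager.authorize(user, namespace, permission)) {
            result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
            break;
        }
        // Keep the most recent denial; it is what gets logged and reported if nothing allows.
        result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
    }
    logResult(result);
    if (authorizationEnabled && !result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
    }
}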

Example 2 with Action

Use of org.apache.hadoop.hbase.security.access.Permission.Action in project hbase by apache.

Class AccessController, method requirePermission.

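/**
 * Authorizes that {@code user} holds at least one of the requested {@code permissions} for the
 * given table, column family and column qualifier; the lookup is delegated to
 * {@code authManager}, and the first action that authorizes ends the scan.
 *
 * <p>The outcome is always passed to {@code logResult}; a denial is only turned into an
 * exception when {@code authorizationEnabled} is set, so with authorization disabled the check
 * is audit-only.
 *
 * @param user the user whose permissions are checked
 * @param request a short description of the operation, recorded in the audit log entry
 * @param tableName table requested
 * @param family column family requested ({@code null} for a table-level check, as in
 *     {@code requireTablePermission})
 * @param qualifier column qualifier requested ({@code null} when no qualifier is involved)
 * @param permissions the actions being requested; at least one is required
 * @throws IllegalArgumentException if no action is requested
 * @throws IOException if authorization is enabled and none of the actions is granted
 *     (thrown as {@link AccessDeniedException})
 */
private void requirePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Action... permissions) throws IOException {
    if (permissions == null || permissions.length == 0) {
        // Fail fast: with no action to test the loop below would leave result null and the
        // check would end in a NullPointerException instead of a meaningful decision.
        throw new IllegalArgumentException("requirePermission(" + request
            + ") called without any Action for table " + tableName);
    }
    AuthResult result = null;
    for (Action permission : permissions) {
        if (authManager.authorize(user, tableName, family, qualifier, permission)) {
            result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, family, qualifier);
            break;
        }
        // Keep the most recent denial; it is what gets logged and reported if nothing allows.
        result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, family, qualifier);
    }
    logResult(result);
    if (authorizationEnabled && !result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
    }
}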

Example 3 with Action

Use of org.apache.hadoop.hbase.security.access.Permission.Action in project hbase by apache.

Class AccessController, method requireTablePermission.

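/**
 * Authorizes that {@code user} holds at least one of the requested {@code permissions} at
 * table level on {@code tableName}. Unlike {@code requirePermission}, the family and qualifier
 * are not part of the authorization question: {@code authManager} is asked with {@code null}
 * family and qualifier, and the requested {@code family}/{@code qualifier} are only attached to
 * the result so that the log entry and the error context name what was being accessed.
 *
 * <p>The outcome is always passed to {@code logResult}; a denial is only turned into an
 * exception when {@code authorizationEnabled} is set, so with authorization disabled the check
 * is audit-only.
 *
 * @param user the user whose permissions are checked
 * @param request a short description of the operation, recorded in the audit log entry
 * @param tableName table requested
 * @param family column family of the request, recorded for context only
 * @param qualifier column qualifier of the request, recorded for context only
 * @param permissions the actions being requested; at least one is required
 * @throws IllegalArgumentException if no action is requested
 * @throws IOException if authorization is enabled and none of the actions is granted
 *     (thrown as {@link AccessDeniedException})
 */
private void requireTablePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Action... permissions) throws IOException {
    if (permissions == null || permissions.length == 0) {
        // Fail fast: with no action to test the loop below would leave result null and the
        // check would end in a NullPointerException instead of a meaningful decision.
        throw new IllegalArgumentException("requireTablePermission(" + request
            + ") called without any Action for table " + tableName);
    }
    AuthResult result = null;
    for (Action permission : permissions) {
        // Table-level check only: family and qualifier are deliberately not consulted here.
        if (authManager.authorize(user, tableName, null, null, permission)) {
            result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, null, null);
            break;
        }
        // Keep the most recent denial; it is what gets logged and reported if nothing allows.
        result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, family, qualifier);
    }
    // Record the requested family/qualifier on the final result for the log and error context.
    // Only the last result is ever used, so setting them once here is equivalent to setting them
    // on every intermediate result.
    result.getParams().setFamily(family).setQualifier(qualifier);
    logResult(result);
    if (authorizationEnabled && !result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
    }
}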

Example 4 with Action

Use of org.apache.hadoop.hbase.security.access.Permission.Action in project hbase by apache.

Class SecureTestUtil, method checkGlobalPerms.

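/**
 * Asks the access-control coprocessor whether the calling user holds the given actions at
 * global scope, by sending a {@code CheckPermissionsRequest} with one global permission per
 * action to the {@code AccessControlService} endpoint on the ACL table.
 *
 * <p>A failed check is reported by the endpoint as a {@code ServiceException}; it is converted
 * to an {@code IOException} and rethrown so the caller (typically a test asserting allow/deny)
 * actually observes the denial. The original version converted the exception and then dropped
 * it, which made every call look successful.
 *
 * @param testUtil the cluster whose configuration is used to open the connection
 * @param actions global actions to check
 * @throws IOException if the endpoint rejects the request or the RPC itself fails
 */
public static void checkGlobalPerms(HBaseTestingUtility testUtil, Permission.Action... actions) throws IOException {
    CheckPermissionsRequest.Builder request = CheckPermissionsRequest.newBuilder();
    for (Action a : actions) {
        request.addPermission(AccessControlProtos.Permission.newBuilder()
            .setType(AccessControlProtos.Permission.Type.Global)
            .setGlobalPermission(AccessControlProtos.GlobalPermission.newBuilder()
                .addAction(AccessControlUtil.toPermissionAction(a))
                .build()));
    }
    try (Connection conn = ConnectionFactory.createConnection(testUtil.getConfiguration());
        Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
        // The endpoint is addressed through the ACL table; an empty row key selects a region to route to.
        BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
        AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(channel);
        try {
            protocol.checkPermissions(null, request.build());
        } catch (ServiceException se) {
            // Propagate the denial (or transport failure) instead of silently swallowing it.
            throw ProtobufUtil.toIOException(se);
        }
    }
}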

Example 5 with Action

Use of org.apache.hadoop.hbase.security.access.Permission.Action in project phoenix by apache.

Class PhoenixAccessController, method preCreateTable.

/**
 * Coprocessor hook run before a Phoenix table, view or index is created; enforces the HBase
 * access checks the new object depends on.
 *
 * <p>What this method does, in order: (1) unless the object is a view, builds an
 * {@code HTableDescriptor} for {@code physicalTableName} with one column family per entry of
 * {@code familySet} and runs every delegate access controller's {@code preCreateTable} on it;
 * (2) for views and indexes, requires READ and EXEC on {@code parentPhysicalTableName};
 * (3) for views, works out which of READ/EXEC the active user lacks on each index table in
 * {@code indexes} and hands the gaps to {@code handleRequireAccessOnDependentTable};
 * (4) for indexes that are not local indexes or view indexes, calls
 * {@code authorizeOrGrantAccessToUsers} for the parent table's users on the index table
 * (presumably so they can keep using the index; see that method).
 *
 * <p>Nothing is checked when {@code accessCheckEnabled} is false.
 *
 * @param ctx the coprocessor environment (not used by this method)
 * @param tenantId the tenant creating the object (not used by this method)
 * @param tableName Phoenix name of the object being created
 * @param physicalTableName HBase table backing the object; the index branch tolerates {@code null}
 * @param parentPhysicalTableName HBase table of the parent, consulted for views and indexes
 * @param tableType kind of object being created
 * @param familySet column families of the new physical table
 * @param indexes index tables a new view must be able to read
 * @throws IOException propagated from the delegated access checks
 */
@Override
public void preCreateTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId, String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType, Set<byte[]> familySet, Set<TableName> indexes) throws IOException {
    // accessCheckEnabled == false turns this hook into a no-op.
    if (!accessCheckEnabled) {
        return;
    }
    if (tableType != PTableType.VIEW) {
        // Anything that gets its own physical table is checked as a plain HBase table create.
        final HTableDescriptor htd = new HTableDescriptor(physicalTableName);
        for (byte[] familyName : familySet) {
            htd.addFamily(new HColumnDescriptor(familyName));
        }
        // NOTE(review): the delegates receive a fresh, empty ObserverContext and a null region
        // list — confirm none of the configured controllers dereferences either.
        for (BaseMasterAndRegionObserver observer : getAccessControllers()) {
            observer.preCreateTable(new ObserverContext<MasterCoprocessorEnvironment>(), htd, null);
        }
    }
    // Index and view require read access on parent physical table.
    // physicalTablesChecked de-duplicates the dependent tables so each one is checked once.
    Set<TableName> physicalTablesChecked = new HashSet<TableName>();
    if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
        physicalTablesChecked.add(parentPhysicalTableName);
        requireAccess("Create" + tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
    }
    if (tableType == PTableType.VIEW) {
        Action[] requiredActions = { Action.READ, Action.EXEC };
        for (TableName index : indexes) {
            if (!physicalTablesChecked.add(index)) {
                // And for same physical table multiple times like view index table
                continue;
            }
            User user = getActiveUser();
            // The user's own permission entries on the index table, matched by short name.
            List<UserPermission> permissionForUser = getPermissionForUser(getUserPermissions(index), Bytes.toBytes(user.getShortName()));
            // requireAccess: actions the user still needs; accessExists: actions any entry already grants.
            Set<Action> requireAccess = new HashSet<>();
            Set<Action> accessExists = new HashSet<>();
            if (permissionForUser != null) {
                // NOTE(review): an action is marked as required whenever *any* of the user's
                // entries fails to imply it, even if another entry grants it. This errs on the
                // side of demanding access; confirm that is the intended rule.
                for (UserPermission userPermission : permissionForUser) {
                    for (Action action : Arrays.asList(requiredActions)) {
                        if (!userPermission.implies(action)) {
                            requireAccess.add(action);
                        }
                    }
                }
                // accessExists is only gathered when something is missing, for the report below.
                if (!requireAccess.isEmpty()) {
                    for (UserPermission userPermission : permissionForUser) {
                        accessExists.addAll(Arrays.asList(userPermission.getActions()));
                    }
                }
            } else {
                // No entries at all for this user: everything is required.
                requireAccess.addAll(Arrays.asList(requiredActions));
            }
            if (!requireAccess.isEmpty()) {
                byte[] indexPhysicalTable = index.getName();
                handleRequireAccessOnDependentTable("Create" + tableType, user.getName(), TableName.valueOf(indexPhysicalTable), tableName, requireAccess, accessExists);
            }
        }
    }
    if (tableType == PTableType.INDEX) {
        // skip check for local index
        // A local index shares the parent's physical table (physicalTableName equals the parent);
        // view indexes, recognised by name via MetaDataUtil.isViewIndex, are skipped as well.
        if (physicalTableName != null && !parentPhysicalTableName.equals(physicalTableName) && !MetaDataUtil.isViewIndex(physicalTableName.getNameAsString())) {
            authorizeOrGrantAccessToUsers("Create" + tableType, parentPhysicalTableName, Arrays.asList(Action.READ, Action.WRITE, Action.CREATE, Action.EXEC, Action.ADMIN), physicalTableName);
        }
    }
}
