
Example 6 with Action

use of org.apache.hadoop.hbase.security.access.Permission.Action in project hbase by apache.

the class AccessChecker method requireNamespacePermission.

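/**
 * Checks that the user has the given global or namespace permission.
 * <p>
 * The requested actions are tested in order; the first one the user is
 * authorized for ends the check with an allow result. If none is granted, the
 * deny result of the last action tested is kept. The final result is always
 * logged, and a denial is turned into an {@link AccessDeniedException}, so the
 * check fails closed.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param namespace  The given namespace
 * @param tableName Table requested
 * @param familyMap    Column family map requested
 * @param permissions Actions being requested; at least one must be given
 * @throws IllegalArgumentException if no action is requested (the loop below
 *         would otherwise produce no result and the check would fail with a
 *         {@code NullPointerException})
 * @throws AccessDeniedException if the user holds none of the requested actions
 * @throws IOException as declared; {@code AccessDeniedException} is an
 *         {@code IOException} subtype
 */
public void requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, Action... permissions) throws IOException {
    if (permissions == null || permissions.length == 0) {
        // Nothing to authorize against: refuse the call explicitly instead of
        // dereferencing a null AuthResult further down.
        throw new IllegalArgumentException("requireNamespacePermission: no action requested for namespace " + namespace);
    }
    AuthResult result = null;
    for (Action permission : permissions) {
        if (authManager.authorizeUserNamespace(user, namespace, permission)) {
            result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
            break;
        }
        // rest of the world: remember the denial, keep trying the remaining actions
        result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
        result.getParams().setTableName(tableName).setFamilies(familyMap);
    }
    logResult(result);
    if (!result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
    }
}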

Example 7 with Action

use of org.apache.hadoop.hbase.security.access.Permission.Action in project ranger by apache.

the class RangerHBasePlugin method createGrantData.

/**
 * Translates an HBase grant RPC into the Ranger {@link GrantRevokeRequest}
 * that represents it.
 * <p>
 * The user permission carried by the request is mapped to a Ranger resource
 * (table / column family / column) and to Ranger access types. Parts of the
 * resource that are not given become {@code RangerHBaseResource.WILDCARD}; a
 * namespace permission is encoded in the table key as
 * {@code namespace + NAMESPACE_SEPARATOR + table}. The grantor is the currently
 * active user, and a grantee whose name starts with {@code GROUP_PREFIX} is
 * recorded as a group instead of a user. Actions without a Ranger equivalent
 * are logged and skipped; an admin action additionally marks the grant as
 * delegating admin.
 *
 * @param request the protobuf grant request received from the HBase client
 * @return the populated Ranger grant request
 * @throws Exception if the request carries no permission, no user name, no
 *         action, or no resource at all
 */
private GrantRevokeRequest createGrantData(AccessControlProtos.GrantRequest request) throws Exception {
    AccessControlProtos.UserPermission protoUserPerm = request.getUserPermission();
    AccessControlProtos.Permission protoPerm = null;
    UserPermission hbaseUserPerm = null;
    if (protoUserPerm != null) {
        protoPerm = protoUserPerm.getPermission();
        hbaseUserPerm = AccessControlUtil.toUserPermission(protoUserPerm);
    }
    Permission.Action[] grantedActions = null;
    String grantee = null;
    if (hbaseUserPerm != null) {
        grantedActions = hbaseUserPerm.getPermission().getActions();
        grantee = hbaseUserPerm.getUser();
    }
    if (protoPerm == null) {
        throw new Exception("grant(): invalid data - permission is null");
    }
    if (StringUtil.isEmpty(grantee)) {
        throw new Exception("grant(): invalid data - username empty");
    }
    if (grantedActions == null || grantedActions.length == 0) {
        throw new Exception("grant(): invalid data - no action specified");
    }
    // Resource parts, filled in according to the permission scope.
    String namespaceName = null;
    String table = null;
    String family = null;
    String column = null;
    switch (protoPerm.getType()) {
        case Global:
            table = RangerHBaseResource.WILDCARD;
            family = RangerHBaseResource.WILDCARD;
            column = RangerHBaseResource.WILDCARD;
            break;
        case Table:
            TablePermission tablePermission = (TablePermission) hbaseUserPerm.getPermission();
            table = Bytes.toString(tablePermission.getTableName().getName());
            family = Bytes.toString(tablePermission.getFamily());
            column = Bytes.toString(tablePermission.getQualifier());
            break;
        case Namespace:
            NamespacePermission namespacePermission = (NamespacePermission) hbaseUserPerm.getPermission();
            namespaceName = namespacePermission.getNamespace();
            break;
        default:
            // Unknown scope: nothing is set, caught by the emptiness check below.
            break;
    }
    boolean noResource = StringUtil.isEmpty(namespaceName) && StringUtil.isEmpty(table) && StringUtil.isEmpty(family) && StringUtil.isEmpty(column);
    if (noResource) {
        throw new Exception("grant(): namespace/table/columnFamily/columnQualifier not specified");
    }
    if (StringUtil.isEmpty(table)) {
        table = RangerHBaseResource.WILDCARD;
    }
    if (StringUtil.isEmpty(family)) {
        family = RangerHBaseResource.WILDCARD;
    }
    if (StringUtil.isEmpty(column)) {
        column = RangerHBaseResource.WILDCARD;
    }
    if (!StringUtil.isEmpty(namespaceName)) {
        table = namespaceName + RangerHBaseResource.NAMESPACE_SEPARATOR + table;
    }
    // The grantor is whoever is executing the RPC, not the grantee.
    User caller = getActiveUser(null);
    String grantor = null;
    Set<String> grantorGroups = null;
    if (caller != null) {
        grantor = caller.getShortName();
        String[] callerGroups = caller.getGroupNames();
        if (callerGroups != null && callerGroups.length > 0) {
            grantorGroups = new HashSet<>(Arrays.asList(callerGroups));
        }
    }
    Map<String, String> resource = new HashMap<>();
    resource.put(RangerHBaseResource.KEY_TABLE, table);
    resource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, family);
    resource.put(RangerHBaseResource.KEY_COLUMN, column);
    GrantRevokeRequest grantRequest = new GrantRevokeRequest();
    grantRequest.setGrantor(grantor);
    grantRequest.setGrantorGroups(grantorGroups);
    grantRequest.setDelegateAdmin(Boolean.FALSE);
    grantRequest.setEnableAudit(Boolean.TRUE);
    grantRequest.setReplaceExistingPermissions(Boolean.TRUE);
    grantRequest.setResource(resource);
    grantRequest.setClientIPAddress(getRemoteAddress());
    // TODO: Need to check with Knox proxy how they handle forwarded add.
    grantRequest.setForwardedAddresses(null);
    grantRequest.setRemoteIPAddress(getRemoteAddress());
    grantRequest.setRequestData(protoUserPerm.toString());
    if (grantee.startsWith(GROUP_PREFIX)) {
        grantRequest.getGroups().add(grantee.substring(GROUP_PREFIX.length()));
    } else {
        grantRequest.getUsers().add(grantee);
    }
    for (Permission.Action action : grantedActions) {
        switch (action.code()) {
            case 'R':
                grantRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_READ);
                break;
            case 'W':
                grantRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
                break;
            case 'C':
                grantRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
                break;
            case 'A':
                // Admin implies the grantee may itself delegate.
                grantRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
                grantRequest.setDelegateAdmin(Boolean.TRUE);
                break;
            case 'X':
                grantRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
                break;
            default:
                LOG.warn("grant(): ignoring action '" + action.name() + "' for user '" + grantee + "'");
        }
    }
    return grantRequest;
}

Example 8 with Action

use of org.apache.hadoop.hbase.security.access.Permission.Action in project hbase by apache.

the class AccessController method requireNamespacePermission.

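/**
 * Checks that the user has the given global or namespace permission.
 * <p>
 * The requested actions are tested in order and the first one granted ends
 * the check with an allow result; otherwise the deny result of the last action
 * tested is kept. The final result is always logged. A denial is turned into
 * an {@link AccessDeniedException} only while {@code authorizationEnabled} is
 * set; with authorization disabled the denial is logged but not enforced.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param namespace The given namespace
 * @param tableName Table requested
 * @param familyMap Column family map requested
 * @param permissions Actions being requested; at least one must be given
 * @throws IllegalArgumentException if no action is requested (the loop below
 *         would otherwise produce no result and the check would fail with a
 *         {@code NullPointerException})
 * @throws AccessDeniedException if authorization is enabled and the user holds
 *         none of the requested actions
 * @throws IOException as declared; {@code AccessDeniedException} is an
 *         {@code IOException} subtype
 */
public void requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, Action... permissions) throws IOException {
    if (permissions == null || permissions.length == 0) {
        // Nothing to authorize against: refuse the call explicitly instead of
        // dereferencing a null AuthResult further down.
        throw new IllegalArgumentException("requireNamespacePermission: no action requested for namespace " + namespace);
    }
    AuthResult result = null;
    for (Action permission : permissions) {
        if (authManager.authorize(user, namespace, permission)) {
            result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
            break;
        }
        // rest of the world: remember the denial, keep trying the remaining actions
        result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
        result.getParams().setTableName(tableName).setFamilies(familyMap);
    }
    logResult(result);
    if (authorizationEnabled && !result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
    }
}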

Example 9 with Action

use of org.apache.hadoop.hbase.security.access.Permission.Action in project hbase by apache.

the class AccessController method requireAccess.

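/**
 * Authorizes that the current user has any of the given permissions to access the table.
 * <p>
 * The requested actions are tested in order; the first one granted ends the
 * check with an allow result, otherwise the deny result of the last action
 * tested is kept. The final result is always logged. A denial is enforced
 * with an {@link AccessDeniedException} only while {@code authorizationEnabled}
 * is set.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param tableName Table requested
 * @param permissions Actions being requested; at least one must be given
 * @throws IllegalArgumentException if no action is requested (the loop below
 *         would otherwise produce no result and the check would fail with a
 *         {@code NullPointerException})
 * @throws IOException if obtaining the current user fails
 * @throws AccessDeniedException if authorization is enabled and the user has
 *         no authorization for any of the requested actions
 */
private void requireAccess(User user, String request, TableName tableName, Action... permissions) throws IOException {
    if (permissions == null || permissions.length == 0) {
        // Nothing to authorize against: refuse the call explicitly instead of
        // dereferencing a null AuthResult further down.
        throw new IllegalArgumentException("requireAccess: no action requested for table " + tableName);
    }
    AuthResult result = null;
    for (Action permission : permissions) {
        if (authManager.hasAccess(user, tableName, permission)) {
            result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, null, null);
            break;
        }
        // rest of the world: remember the denial, keep trying the remaining actions
        result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, null, null);
    }
    logResult(result);
    if (authorizationEnabled && !result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
    }
}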

Example 10 with Action

use of org.apache.hadoop.hbase.security.access.Permission.Action in project phoenix by apache.

the class PhoenixAccessController method requireAccess.

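/**
 * Authorizes that the current user has all the given permissions for the
 * given table and for the hbase namespace of the table
 * <p>
 * Unlike the "any of" checks in HBase's own AccessController, every requested
 * action must be granted. Each action is checked and logged individually; if
 * at least one is missing, a deny result naming the first missing action is
 * built and an {@link AccessDeniedException} listing all requested actions is
 * thrown.
 *
 * @param request Request type
 * @param tableName Table requested
 * @param permissions Actions being requested; at least one must be given
 * @throws IllegalArgumentException if no action is requested (the loop below
 *         would otherwise produce no result and the check would fail with a
 *         {@code NullPointerException})
 * @throws IOException if obtaining the current user fails
 * @throws AccessDeniedException if user has no authorization
 */
private void requireAccess(String request, TableName tableName, Action... permissions) throws IOException {
    if (permissions == null || permissions.length == 0) {
        // Nothing to authorize against: refuse the call explicitly instead of
        // dereferencing a null AuthResult further down.
        throw new IllegalArgumentException("requireAccess: no action requested for table " + tableName);
    }
    User user = getActiveUser();
    AuthResult result = null;
    // Actions the user does not hold; the check passes only if this stays empty.
    List<Action> missingActions = new ArrayList<>();
    for (Action permission : permissions) {
        if (hasAccess(getUserPermissions(tableName), tableName, permission, user)) {
            result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, null, null);
        } else {
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, null, null);
            missingActions.add(permission);
        }
        logResult(result);
    }
    if (!missingActions.isEmpty()) {
        // Override whatever the last iteration produced: one missing action denies the whole request.
        result = AuthResult.deny(request, "Insufficient permissions", user, missingActions.get(0), tableName, null, null);
    }
    if (!result.isAllowed()) {
        throw new AccessDeniedException("Insufficient permissions " + authString(user.getName(), tableName, new HashSet<Permission.Action>(Arrays.asList(permissions))));
    }
}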
