
Example 6 with Permission

use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.

the class TestAsyncAccessControlAdminApi method test.

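/**
 * Exercises grant, getUserPermissions and hasUserPermissions through the async admin API.
 *
 * <p>user1 is granted READ on the table; user2 is created with no groups and is granted nothing.
 * The test then checks three things: the grant is listed for user1 only, hasUserPermissions
 * answers true for user1 and false for user2, and user2 cannot query user1's permissions
 * while it can query its own (and gets false).
 *
 * @throws Exception if any admin call fails or a future completes exceptionally
 */
@Test
public void test() throws Exception {
    TableName tableName = TableName.valueOf("test-table");
    String userName1 = "user1";
    String userName2 = "user2";
    // user2 is created with an empty group list and receives no grant below.
    User user2 = User.createUserForTesting(TEST_UTIL.getConfiguration(), userName2, new String[0]);
    Permission permission = Permission.newBuilder(tableName).withActions(Permission.Action.READ).build();
    UserPermission userPermission = new UserPermission(userName1, permission);
    // grant user1 table permission
    admin.grant(userPermission, false).get();
    // list every permission on the table: exactly the one grant is expected
    List<UserPermission> userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()).get();
    assertEquals(1, userPermissions.size());
    assertEquals(userPermission, userPermissions.get(0));
    // list the table permissions filtered by user name: user1 has the grant, user2 has none
    userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName1).build()).get();
    assertEquals(1, userPermissions.size());
    assertEquals(userPermission, userPermissions.get(0));
    userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName2).build()).get();
    assertEquals(0, userPermissions.size());
    // has user permission, asked through the test's own admin handle
    List<Permission> permissions = Lists.newArrayList(permission);
    boolean hasPermission = admin.hasUserPermissions(userName1, permissions).get().get(0).booleanValue();
    assertTrue(hasPermission);
    hasPermission = admin.hasUserPermissions(userName2, permissions).get().get(0).booleanValue();
    assertFalse(hasPermission);
    // Same query about user1, but issued from a fresh connection opened while running as user2.
    AccessTestAction hasPermissionAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (AsyncConnection conn = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
                return conn.getAdmin().hasUserPermissions(userName1, permissions).get().get(0);
            }
        }
    };
    try {
        user2.runAs(hasPermissionAction);
        // fail() raises AssertionError, which is an Error, so the catch (Exception) below
        // does not swallow it: a successful call by user2 still fails the test.
        fail("Should not come here");
    } catch (Exception e) {
        // NOTE(review): any Exception satisfies this branch, so a connection or timeout error
        // would pass the test just like an authorization denial. Asserting on the cause would
        // make this a real access-control check; the exact exception type (and how it is
        // wrapped by the future) is not visible here, so confirm before tightening.
        LOG.error("Call has permission error", e);
    }
    // check permission for the current user. The original issued this call and dropped the
    // future, so a failure could never surface; waiting on it makes an RPC error fail the test.
    // The returned values are still not asserted.
    admin.hasUserPermissions(permissions).get();
    // user2 asking about its own permissions is allowed and must be answered with false.
    AccessTestAction checkPermissionsAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (AsyncConnection conn = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
                return conn.getAdmin().hasUserPermissions(permissions).get().get(0);
            }
        }
    };
    assertFalse((Boolean) user2.runAs(checkPermissionsAction));
}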
Also used : TableName(org.apache.hadoop.hbase.TableName) User(org.apache.hadoop.hbase.security.User) AccessTestAction(org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction) UserPermission(org.apache.hadoop.hbase.security.access.UserPermission) Permission(org.apache.hadoop.hbase.security.access.Permission) UserPermission(org.apache.hadoop.hbase.security.access.UserPermission) Test(org.junit.Test)

Example 7 with Permission

use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.

the class RestoreSnapshotHelper method restoreSnapshotAcl.

/**
 * Re-applies the user/permission entries recorded in a snapshot to a table.
 *
 * <p>Nothing happens when the snapshot carries no users-and-permissions section. Otherwise each
 * recorded (user, permission) pair is granted on {@code newTableName}, one call per entry, over
 * a connection created from {@code conf}.
 *
 * <p>Review notes: the grants come straight from the snapshot descriptor, so whoever can supply
 * or alter a snapshot decides who gets access to the restored table. The loop stops at the first
 * failure and does not undo grants already issued, so a failed restore can leave a partial ACL
 * on the table.
 *
 * @param snapshot snapshot descriptor that may carry users and permissions
 * @param newTableName table that receives the grants
 * @param conf configuration used to open the connection that issues the grants
 * @throws IOException wrapping any failure raised while connecting or granting
 */
public static void restoreSnapshotAcl(SnapshotDescription snapshot, TableName newTableName, Configuration conf) throws IOException {
    boolean carriesAcl = snapshot.hasUsersAndPermissions() && snapshot.getUsersAndPermissions() != null;
    if (!carriesAcl) {
        return;
    }
    LOG.info("Restore snapshot acl to table. snapshot: " + snapshot + ", table: " + newTableName);
    ListMultimap<String, Permission> grantsByUser = ShadedAccessControlUtil.toUserTablePermissions(snapshot.getUsersAndPermissions());
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
        for (Entry<String, Permission> grant : grantsByUser.entries()) {
            String grantee = grant.getKey();
            // Every entry is treated as a table-scoped permission; an entry of another kind
            // fails the cast and is reported through the catch below.
            TablePermission tablePermission = (TablePermission) grant.getValue();
            AccessControlClient.grant(connection, newTableName, grantee, tablePermission.getFamily(), tablePermission.getQualifier(), tablePermission.getActions());
        }
    } catch (Throwable cause) {
        throw new IOException("Grant acl into newly creatd table failed. snapshot: " + snapshot + ", table: " + newTableName, cause);
    }
}
Also used : TablePermission(org.apache.hadoop.hbase.security.access.TablePermission) Permission(org.apache.hadoop.hbase.security.access.Permission) Connection(org.apache.hadoop.hbase.client.Connection) TablePermission(org.apache.hadoop.hbase.security.access.TablePermission) IOException(java.io.IOException)

Example 8 with Permission

use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.

the class MasterRpcServices method hasUserPermissions.

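/**
 * Answers, for each permission in the request, whether a user holds it.
 *
 * <p>The user checked is the one named in the request, or the RPC caller when the request names
 * nobody. When the named user differs from the caller, the check runs against an
 * {@code InputUser} built from that name and the groups returned by
 * {@code AccessChecker.getUserGroups}.
 *
 * <p>Review notes: this method does not itself decide whether the caller may ask about another
 * user; the only place that can reject the request before the lookup is the
 * {@code preHasUserPermissions} coprocessor hook. When {@code getAccessChecker()} returns null,
 * every requested permission is reported as held, which is a fail-open answer; confirm that this
 * state is unreachable on a secured cluster.
 *
 * @param controller RPC controller (unused here)
 * @param request optional user name plus the permissions to test
 * @return one boolean per requested permission, in request order
 * @throws ServiceException wrapping an {@code IOException} when the master is not initialized,
 *     the access control coprocessor is not loaded, no request user can be determined, or a
 *     hook or check fails
 */
@Override
public HasUserPermissionsResponse hasUserPermissions(RpcController controller, HasUserPermissionsRequest request) throws ServiceException {
    try {
        server.checkInitialized();
        if (server.cpHost == null || !hasAccessControlServiceCoprocessor(server.cpHost)) {
            throw new DoNotRetryIOException(new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
        }
        // The original unwrapped the Optional with orElse(null) and then dereferenced the result
        // unconditionally, so a missing request user ended in a NullPointerException. Reject the
        // call explicitly instead, before any hook runs.
        User caller = RpcServer.getRequestUser().orElseThrow(() -> new DoNotRetryIOException("Cannot determine the requesting user for hasUserPermissions"));
        String userName = request.hasUserName() ? request.getUserName().toStringUtf8() : caller.getShortName();
        List<Permission> permissions = new ArrayList<>(request.getPermissionCount());
        for (int i = 0; i < request.getPermissionCount(); i++) {
            permissions.add(ShadedAccessControlUtil.toPermission(request.getPermission(i)));
        }
        server.getMasterCoprocessorHost().preHasUserPermissions(userName, permissions);
        // Evaluate against the named user rather than the caller when they differ.
        User subject = caller;
        if (!caller.getShortName().equals(userName)) {
            List<String> groups = AccessChecker.getUserGroups(userName);
            subject = new InputUser(userName, groups.toArray(new String[0]));
        }
        List<Boolean> hasUserPermissions = new ArrayList<>(permissions.size());
        if (getAccessChecker() != null) {
            for (Permission permission : permissions) {
                hasUserPermissions.add(getAccessChecker().hasUserPermission(subject, "hasUserPermissions", permission));
            }
        } else {
            // NOTE(review): no access checker means every permission is reported as granted.
            for (int i = 0; i < permissions.size(); i++) {
                hasUserPermissions.add(true);
            }
        }
        server.getMasterCoprocessorHost().postHasUserPermissions(userName, permissions);
        return HasUserPermissionsResponse.newBuilder().addAllHasUserPermission(hasUserPermissions).build();
    } catch (IOException ioe) {
        throw new ServiceException(ioe);
    }
}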
Also used : HasUserPermissionsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.HasUserPermissionsResponse) InputUser(org.apache.hadoop.hbase.security.access.AccessChecker.InputUser) User(org.apache.hadoop.hbase.security.User) InputUser(org.apache.hadoop.hbase.security.access.AccessChecker.InputUser) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) ArrayList(java.util.ArrayList) ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) AccessController(org.apache.hadoop.hbase.security.access.AccessController) ServiceException(org.apache.hbase.thirdparty.com.google.protobuf.ServiceException) Permission(org.apache.hadoop.hbase.security.access.Permission) UserPermission(org.apache.hadoop.hbase.security.access.UserPermission)

Example 9 with Permission

use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.

the class TestScan method testScanCopyConstructor.

/**
 * Checks that {@code new Scan(Scan)} carries every configured setting over to the copy.
 *
 * <p>The source scan is given a non-default value for each setter used below, including a
 * per-user ACL and visibility authorizations, so a copy constructor that dropped either of the
 * access-control settings would be caught here. The final reflection-based comparison is the
 * catch-all for fields that have no dedicated assertion.
 *
 * <p>NOTE(review): several getters compared with {@code assertEquals} appear to return arrays
 * ({@code getACL}, {@code getAttribute}, {@code getFamilies()[0]}, {@code getStartRow},
 * {@code getStopRow}). For arrays that comparison is by identity, so those lines hold only while
 * the copy shares the same array instances as the source; confirm that is the intent.
 *
 * @throws Exception if building or copying the scan fails
 */
@Test
public void testScanCopyConstructor() throws Exception {
    Scan original = new Scan();
    original.addColumn(Bytes.toBytes("cf"), Bytes.toBytes("q"))
        .setACL("test_user", new Permission(Permission.Action.READ))
        .setAllowPartialResults(true)
        .setAsyncPrefetch(false)
        .setAttribute("test_key", Bytes.toBytes("test_value"))
        .setAuthorizations(new Authorizations("test_label"))
        .setBatch(10)
        .setCacheBlocks(false)
        .setCaching(10)
        .setConsistency(Consistency.TIMELINE)
        .setFilter(new FilterList())
        .setId("scan_copy_constructor")
        .setIsolationLevel(IsolationLevel.READ_COMMITTED)
        .setLimit(100)
        .setLoadColumnFamiliesOnDemand(false)
        .setMaxResultSize(100)
        .setMaxResultsPerColumnFamily(1000)
        .readVersions(9999)
        .setMvccReadPoint(5)
        .setNeedCursorResult(true)
        .setPriority(1)
        .setRaw(true)
        .setReplicaId(3)
        .setReversed(true)
        .setRowOffsetPerColumnFamily(5)
        .setRowPrefixFilter(Bytes.toBytes("row_"))
        .setScanMetricsEnabled(true)
        .setReadType(ReadType.STREAM)
        .withStartRow(Bytes.toBytes("row_1"))
        .withStopRow(Bytes.toBytes("row_2"))
        .setTimeRange(0, 13);

    // Copy under test.
    Scan copy = new Scan(original);

    // Field-by-field comparison of the copy against the source scan.
    assertEquals(original.getACL(), copy.getACL());
    assertEquals(original.getAllowPartialResults(), copy.getAllowPartialResults());
    assertEquals(original.getAttribute("test_key"), copy.getAttribute("test_key"));
    assertEquals(original.getAttributeSize(), copy.getAttributeSize());
    assertEquals(original.getAttributesMap(), copy.getAttributesMap());
    assertEquals(original.getAuthorizations().getLabels(), copy.getAuthorizations().getLabels());
    assertEquals(original.getBatch(), copy.getBatch());
    assertEquals(original.getCacheBlocks(), copy.getCacheBlocks());
    assertEquals(original.getCaching(), copy.getCaching());
    assertEquals(original.getConsistency(), copy.getConsistency());
    assertEquals(original.getFamilies().length, copy.getFamilies().length);
    assertEquals(original.getFamilies()[0], copy.getFamilies()[0]);
    assertEquals(original.getFamilyMap(), copy.getFamilyMap());
    assertEquals(original.getFilter(), copy.getFilter());
    assertEquals(original.getId(), copy.getId());
    assertEquals(original.getIsolationLevel(), copy.getIsolationLevel());
    assertEquals(original.getLimit(), copy.getLimit());
    assertEquals(original.getLoadColumnFamiliesOnDemandValue(), copy.getLoadColumnFamiliesOnDemandValue());
    assertEquals(original.getMaxResultSize(), copy.getMaxResultSize());
    assertEquals(original.getMaxResultsPerColumnFamily(), copy.getMaxResultsPerColumnFamily());
    assertEquals(original.getMaxVersions(), copy.getMaxVersions());
    assertEquals(original.getMvccReadPoint(), copy.getMvccReadPoint());
    assertEquals(original.getPriority(), copy.getPriority());
    assertEquals(original.getReadType(), copy.getReadType());
    assertEquals(original.getReplicaId(), copy.getReplicaId());
    assertEquals(original.getRowOffsetPerColumnFamily(), copy.getRowOffsetPerColumnFamily());
    assertEquals(original.getStartRow(), copy.getStartRow());
    assertEquals(original.getStopRow(), copy.getStopRow());
    assertEquals(original.getTimeRange(), copy.getTimeRange());

    // Catch-all: compares the two objects field by field via reflection.
    assertTrue("Make sure copy constructor adds all the fields in the copied object", EqualsBuilder.reflectionEquals(original, copy));
}
Also used : Authorizations(org.apache.hadoop.hbase.security.visibility.Authorizations) Permission(org.apache.hadoop.hbase.security.access.Permission) FilterList(org.apache.hadoop.hbase.filter.FilterList) Test(org.junit.Test)

Aggregations

Permission (org.apache.hadoop.hbase.security.access.Permission)9 Test (org.junit.Test)6 Authorizations (org.apache.hadoop.hbase.security.visibility.Authorizations)5 IOException (java.io.IOException)4 User (org.apache.hadoop.hbase.security.User)4 FilterList (org.apache.hadoop.hbase.filter.FilterList)3 UserPermission (org.apache.hadoop.hbase.security.access.UserPermission)3 TableName (org.apache.hadoop.hbase.TableName)2 Connection (org.apache.hadoop.hbase.client.Connection)2 AccessTestAction (org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction)2 TablePermission (org.apache.hadoop.hbase.security.access.TablePermission)2 File (java.io.File)1 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)1 ArrayList (java.util.ArrayList)1 Arrays (java.util.Arrays)1 HashMap (java.util.HashMap)1 LinkedList (java.util.LinkedList)1 List (java.util.List)1 Map (java.util.Map)1 Configuration (org.apache.hadoop.conf.Configuration)1