
Example 1 with UserPermission

use of org.apache.hadoop.hbase.security.access.UserPermission in project phoenix by apache.

Class PhoenixAccessController, method preCreateTable.

/**
 * Coprocessor hook that runs HBase ACL checks before a Phoenix table, view or index is created.
 * <p>
 * Returns immediately when access checking is disabled. For non-view types the request is delegated to
 * every configured HBase access controller with a descriptor built from {@code familySet}; views and
 * indexes additionally require READ and EXEC on their parent physical table, and a view's index tables
 * are checked (and, when access is missing, handed to
 * {@code handleRequireAccessOnDependentTable}) one by one.
 *
 * @param ctx coprocessor environment (not consulted here)
 * @param tenantId tenant of the creating session (not consulted here)
 * @param tableName Phoenix name of the table being created
 * @param physicalTableName HBase table backing the new object
 * @param parentPhysicalTableName HBase table backing the parent of a view or index
 * @param tableType whether a table, view or index is being created
 * @param familySet column families the new table will have (only used for non-view types)
 * @param indexes physical index tables a new view depends on
 * @throws IOException when a delegated access controller or a required-access check rejects the request
 */
@Override
public void preCreateTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId, String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType, Set<byte[]> familySet, Set<TableName> indexes) throws IOException {
    if (!accessCheckEnabled) {
        return;
    }
    if (tableType != PTableType.VIEW) {
        // NOTE(review): physicalTableName is null-checked in the INDEX branch below but dereferenced
        // unguarded here for every non-view type; confirm callers never pass null for tables/indexes.
        final HTableDescriptor htd = new HTableDescriptor(physicalTableName);
        for (byte[] familyName : familySet) {
            htd.addFamily(new HColumnDescriptor(familyName));
        }
        // Delegate the CREATE check to each HBase access controller with a fresh context and no
        // pre-assigned regions; any controller that rejects the request throws out of this hook.
        for (BaseMasterAndRegionObserver observer : getAccessControllers()) {
            observer.preCreateTable(new ObserverContext<MasterCoprocessorEnvironment>(), htd, null);
        }
    }
    // Index and view require read access on parent physical table.
    Set<TableName> physicalTablesChecked = new HashSet<TableName>();
    if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
        physicalTablesChecked.add(parentPhysicalTableName);
        requireAccess("Create" + tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
    }
    if (tableType == PTableType.VIEW) {
        Action[] requiredActions = { Action.READ, Action.EXEC };
        for (TableName index : indexes) {
            if (!physicalTablesChecked.add(index)) {
                // And for same physical table multiple times like view index table
                continue;
            }
            User user = getActiveUser();
            // Only the entries keyed by the user's own short name are examined here; group entries are not.
            List<UserPermission> permissionForUser = getPermissionForUser(getUserPermissions(index), Bytes.toBytes(user.getShortName()));
            // requireAccess: required actions found missing; accessExists: every action the user's entries carry.
            Set<Action> requireAccess = new HashSet<>();
            Set<Action> accessExists = new HashSet<>();
            if (permissionForUser != null) {
                // An action is recorded as missing when ANY single entry for the user does not imply it.
                // NOTE(review): if the intent is "not implied by any entry", a user holding READ and EXEC in
                // two separate entries is still treated as missing both; confirm this is deliberate.
                for (UserPermission userPermission : permissionForUser) {
                    for (Action action : Arrays.asList(requiredActions)) {
                        if (!userPermission.implies(action)) {
                            requireAccess.add(action);
                        }
                    }
                }
                // The union of existing actions is only collected when something is missing.
                if (!requireAccess.isEmpty()) {
                    for (UserPermission userPermission : permissionForUser) {
                        accessExists.addAll(Arrays.asList(userPermission.getActions()));
                    }
                }
            } else {
                // No entries at all for this user: every required action is missing.
                requireAccess.addAll(Arrays.asList(requiredActions));
            }
            if (!requireAccess.isEmpty()) {
                byte[] indexPhysicalTable = index.getName();
                // Missing access on a dependent index table is not rejected here but handed to the helper;
                // what it does with the request (deny vs. grant) is decided there, so audit that path too.
                handleRequireAccessOnDependentTable("Create" + tableType, user.getName(), TableName.valueOf(indexPhysicalTable), tableName, requireAccess, accessExists);
            }
        }
    }
    if (tableType == PTableType.INDEX) {
        // skip check for local index
        // Global indexes live in their own HBase table (distinct from the parent and not a view-index table).
        if (physicalTableName != null && !parentPhysicalTableName.equals(physicalTableName) && !MetaDataUtil.isViewIndex(physicalTableName.getNameAsString())) {
            // NOTE(review): the helper's name suggests it may widen grants on physicalTableName to match
            // the parent's holders of these five actions (including ADMIN); confirm and keep this audited.
            authorizeOrGrantAccessToUsers("Create" + tableType, parentPhysicalTableName, Arrays.asList(Action.READ, Action.WRITE, Action.CREATE, Action.EXEC, Action.ADMIN), physicalTableName);
        }
    }
}

Example 2 with UserPermission

use of org.apache.hadoop.hbase.security.access.UserPermission in project hbase by apache.

Class MasterRpcServices, method revoke.

/**
 * Master RPC endpoint that revokes a single user permission.
 * <p>
 * The request is only honoured when the AccessController coprocessor is loaded; otherwise the caller
 * receives a non-retryable failure. The coprocessor host is notified before and after the ACL table is
 * updated, and the change is written to the audit log when that logger is at TRACE level.
 *
 * @param controller RPC controller supplied by the framework (unused)
 * @param request carries the permission to revoke
 * @return the (empty) revoke response
 * @throws ServiceException wrapping any {@link IOException}, including the "not loaded" case
 */
@Override
public RevokeResponse revoke(RpcController controller, RevokeRequest request) throws ServiceException {
    try {
        server.checkInitialized();
        boolean aclCoprocessorLoaded = server.cpHost != null && hasAccessControlServiceCoprocessor(server.cpHost);
        if (!aclCoprocessorLoaded) {
            // DoNotRetryIOException is an IOException, so it is wrapped by the catch below.
            throw new DoNotRetryIOException(new UnsupportedOperationException(AccessController.class.getName() + " is not loaded"));
        }
        final UserPermission toRevoke = ShadedAccessControlUtil.toUserPermission(request.getUserPermission());
        server.cpHost.preRevoke(toRevoke);
        try (Table aclTable = server.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
            PermissionStorage.removeUserPermission(server.getConfiguration(), toRevoke, aclTable);
        }
        server.cpHost.postRevoke(toRevoke);
        User caller = RpcServer.getRequestUser().orElse(null);
        if (AUDITLOG.isTraceEnabled()) {
            // audit log should record all permission changes
            String remoteAddress = RpcServer.getRemoteAddress().map(addr -> addr.toString()).orElse("");
            AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress, toRevoke);
        }
        return RevokeResponse.getDefaultInstance();
    } catch (IOException ioe) {
        throw new ServiceException(ioe);
    }
}

Example 3 with UserPermission

use of org.apache.hadoop.hbase.security.access.UserPermission in project hbase by apache.

Class TestThriftHBaseServiceHandler, method testPerformNamespacePermissions.

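/**
 * Grants a READ permission on the default namespace through the Thrift handler and then revokes it,
 * checking via {@code AccessControlClient} that exactly one entry exists after the grant and none after
 * the revoke.
 *
 * @throws Throwable propagated from the handler or the cluster utility
 */
@Test
public void testPerformNamespacePermissions() throws Throwable {
    // initialize fake objects. We test the permission grant and revoke on default NS.
    String fakeUser = "user";
    String defaultNameSpace = "default";
    TAccessControlEntity tce = new TAccessControlEntity();
    tce.setActions("R");
    tce.setNsName(defaultNameSpace);
    tce.setScope(TPermissionScope.NAMESPACE);
    tce.setUsername(fakeUser);
    ThriftHBaseServiceHandler handler = createHandler();
    handler.grant(tce);
    // Namespace permissions are looked up with the "@" prefix.
    List<UserPermission> permissionList = AccessControlClient.getUserPermissions(UTIL.getConnection(), "@" + defaultNameSpace, fakeUser);
    // we only grant one R permission
    // assertEquals takes the expected value first; keeping that order makes failure messages accurate.
    assertEquals(1, permissionList.size());
    Permission.Action[] actions = permissionList.get(0).getPermission().getActions();
    assertEquals(1, actions.length);
    assertEquals(Permission.Action.READ, actions[0]);
    // revoke the permission
    handler.revoke(tce);
    permissionList = AccessControlClient.getUserPermissions(UTIL.getConnection(), "@" + defaultNameSpace, fakeUser);
    // it should return an empty list
    assertEquals(0, permissionList.size());
}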

Example 4 with UserPermission

use of org.apache.hadoop.hbase.security.access.UserPermission in project hbase by apache.

Class TestAsyncAccessControlAdminApi, method test.

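/**
 * Exercises the async admin's grant / getUserPermissions / hasUserPermissions API on a table-scoped
 * READ permission for {@code user1}: the grant is visible through the listing, {@code user1} is reported
 * as holding it while {@code user2} is not, and {@code user2} (no permissions) cannot query another
 * user's permissions or claim the permission for itself.
 *
 * @throws Exception propagated from the admin futures
 */
@Test
public void test() throws Exception {
    TableName tableName = TableName.valueOf("test-table");
    String userName1 = "user1";
    String userName2 = "user2";
    User user2 = User.createUserForTesting(TEST_UTIL.getConfiguration(), userName2, new String[0]);
    Permission permission = Permission.newBuilder(tableName).withActions(Permission.Action.READ).build();
    UserPermission userPermission = new UserPermission(userName1, permission);
    // grant user1 table permission
    admin.grant(userPermission, false).get();
    // get table permissions
    List<UserPermission> userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()).get();
    assertEquals(1, userPermissions.size());
    assertEquals(userPermission, userPermissions.get(0));
    // get table permissions filtered by user name
    userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName1).build()).get();
    assertEquals(1, userPermissions.size());
    assertEquals(userPermission, userPermissions.get(0));
    userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName2).build()).get();
    assertEquals(0, userPermissions.size());
    // has user permission
    List<Permission> permissions = Lists.newArrayList(permission);
    boolean hasPermission = admin.hasUserPermissions(userName1, permissions).get().get(0).booleanValue();
    assertTrue(hasPermission);
    hasPermission = admin.hasUserPermissions(userName2, permissions).get().get(0).booleanValue();
    assertFalse(hasPermission);
    AccessTestAction hasPermissionAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (AsyncConnection conn = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
                return conn.getAdmin().hasUserPermissions(userName1, permissions).get().get(0);
            }
        }
    };
    // user2 must not be able to query another user's permissions.
    try {
        user2.runAs(hasPermissionAction);
        fail("Should not come here");
    } catch (Exception e) {
        // NOTE(review): any Exception satisfies this branch, not only an access-denied failure; a
        // connection error would pass too. Consider asserting the cause type once it is confirmed
        // what runAs wraps here.
        LOG.error("Call has permission error", e);
    }
    // check permission
    // The future must be waited on, otherwise a failing call is silently discarded and the test
    // asserts nothing about it. Its value is not asserted here because the admin caller's own
    // permissions are not set up by this test.
    admin.hasUserPermissions(permissions).get();
    AccessTestAction checkPermissionsAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (AsyncConnection conn = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
                return conn.getAdmin().hasUserPermissions(permissions).get().get(0);
            }
        }
    };
    // user2 holds no permission on the table, so checking its own access must report false.
    assertFalse((Boolean) user2.runAs(checkPermissionsAction));
}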

Example 5 with UserPermission

use of org.apache.hadoop.hbase.security.access.UserPermission in project phoenix by apache.

Class PhoenixAccessController, method hasAccess.

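/**
 * Checks if the user has access to the table for the specified action.
 * <p>
 * Superusers are always granted. Otherwise the entries in {@code perms} keyed by the user's short name are
 * consulted first, then the entries keyed by each group the user belongs to; the first entry that implies
 * {@code action} grants access.
 * @param perms All table and table's namespace permissions; {@code null} when none were found
 * @param table tablename; only used in the debug message emitted when {@code perms} is {@code null}
 * @param action action for access is required
 * @param user the user being authorized
 * @return true if the user has access to the table for specified action, false otherwise
 */
private boolean hasAccess(List<UserPermission> perms, TableName table, Permission.Action action, User user) {
    if (Superusers.isSuperUser(user)) {
        return true;
    }
    if (perms == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("No permissions found for table=" + table + " or namespace=" + table.getNamespaceAsString());
        }
        return false;
    }
    // Permission entries are keyed by raw bytes. Encode the key explicitly so the lookup does not depend on
    // the JVM default charset (the platform charset can differ between master and client hosts on older JDKs).
    byte[] userKey = user.getShortName().getBytes(java.nio.charset.StandardCharsets.UTF_8);
    if (anyImplies(getPermissionForUser(perms, userKey), action)) {
        return true;
    }
    String[] groupNames = user.getGroupNames();
    if (groupNames != null) {
        for (String group : groupNames) {
            byte[] groupKey = AuthUtil.toGroupEntry(group).getBytes(java.nio.charset.StandardCharsets.UTF_8);
            if (anyImplies(getPermissionForUser(perms, groupKey), action)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Returns true when at least one entry in {@code perms} implies {@code action}.
 * A {@code null} or empty list implies nothing.
 */
private static boolean anyImplies(List<UserPermission> perms, Permission.Action action) {
    if (perms == null) {
        return false;
    }
    for (UserPermission perm : perms) {
        if (perm.implies(action)) {
            return true;
        }
    }
    return false;
}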
