HBASE-5371. Introduce AccessControllerProtocol.checkPermissions(Permission[] permissions) API

Review Request #3829 - Created Feb. 9, 2012 and updated

enis
HBASE-5371
Reviewers
hbase
hbase-git
We need to introduce something like AccessControllerProtocol.checkPermissions(Permission[] permissions) API, so that clients can check access rights before carrying out the operations. We need this kind of operation for HCATALOG-245, which introduces authorization providers for hbase over hcat. We cannot use getUserPermissions() since it requires ADMIN permissions on the global/table level.

 
security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Diff Revision 2 Diff Revision 3
[20] 965 lines
[+20] [+] public void revoke(byte[] user, TablePermission permission)
966
    }
966
    }
967
  }
967
  }
968

    
   
968

   
969
  @Override
969
  @Override
970
  public void checkPermissions(Permission[] permissions) throws IOException {
970
  public void checkPermissions(Permission[] permissions) throws IOException {
971
    // TODO: there is space to do some optimization for merging permission families/columns
971
    byte[] tableName = regionEnv.getRegion().getTableDesc().getName();
972
    for (Permission permission : permissions) {
972
    for (Permission permission : permissions) {
973
      if (permission instanceof TablePermission) {
973
      if (permission instanceof TablePermission) {
974
        TablePermission tperm = (TablePermission) permission;
974
        TablePermission tperm = (TablePermission) permission;
975
        for (Permission.Action action : permission.getActions()) {
975
        for (Permission.Action action : permission.getActions()) {
976
          byte[] tableName = regionEnv.getRegion().getTableDesc().getName();

   
977
          if (!Arrays.equals(tperm.getTable(), tableName)) {
976
          if (!Arrays.equals(tperm.getTable(), tableName)) {
978
            throw new CoprocessorException(AccessController.class, "This method "
977
            throw new CoprocessorException(AccessController.class, String.format("This method "
979
                + "can only execute at the table specified in TablePermission.");
978
                + "can only execute at the table specified in TablePermission. " +

    
   
979
                "Table of the region:%s , requested table:%s", Bytes.toString(tableName),

    
   
980
                Bytes.toString(tperm.getTable())));
980
          }
981
          }
981

    
   
982

   
982
          HashMap<byte[], Set<byte[]>> familyMap = Maps.newHashMapWithExpectedSize(1);
983
          HashMap<byte[], Set<byte[]>> familyMap = Maps.newHashMapWithExpectedSize(1);
983
          if (tperm.getFamily() != null) {
984
          if (tperm.getFamily() != null) {
984
            if (tperm.getQualifier() != null) {
985
            if (tperm.getQualifier() != null) {
[+20] [20] 45 lines
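Review bot: In `checkPermissions`, the table check `if (!Arrays.equals(tperm.getTable(), tableName))` still sits inside `for (Permission.Action action : permission.getActions())` even though it does not depend on `action`, so a TablePermission that carries no actions skips the check entirely and the comparison is repeated for every action otherwise. Since revision 3 already computes `tableName` once before the outer loop, move the comparison up to directly after the `TablePermission tperm` cast so it runs exactly once per permission. Revision 3 also replaces the TODO about merging permission families/columns at line 971; if that optimization is still intended, keep the comment or record it on the JIRA. Minor style point: the new message has a stray space before the comma in "Table of the region:%s , requested table:%s", and it mixes leading and trailing `+` across the concatenated lines.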
security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
Diff Revision 2 Diff Revision 3
 
  1. security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java: Loading...
  2. security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java: Loading...