Review Board 1.7.22


HBASE-5371. Introduce AccessControllerProtocol.checkPermissions(Permission[] permissons) API

Review Request #3829 - Created Feb. 9, 2012 and updated

enis
HBASE-5371
Reviewers
hbase
hbase-git
We need to introduce something like AccessControllerProtocol.checkPermissions(Permission[] permissions) API, so that clients can check access rights before carrying out the operations. We need this kind of operation for HCATALOG-245, which introduces authorization providers for hbase over hcat. We cannot use getUserPermissions() since it requires ADMIN permissions on the global/table level.

 
security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Revision 5091b7d New Change
[20] 11 lines
[+20]
12
 * limitations under the License.
12
 * limitations under the License.
13
 */
13
 */
14

    
   
14

   
15
package org.apache.hadoop.hbase.security.access;
15
package org.apache.hadoop.hbase.security.access;
16

    
   
16

   
17
import com.google.common.collect.ListMultimap;
17
import java.io.IOException;
18
import com.google.common.collect.Lists;
18
import java.util.Arrays;
19
import com.google.common.collect.MapMaker;
19
import java.util.Collection;

    
   
20
import java.util.HashMap;

    
   
21
import java.util.HashSet;

    
   
22
import java.util.List;

    
   
23
import java.util.Map;

    
   
24
import java.util.Set;

    
   
25

   
20
import org.apache.commons.logging.Log;
26
import org.apache.commons.logging.Log;
21
import org.apache.commons.logging.LogFactory;
27
import org.apache.commons.logging.LogFactory;
22
import org.apache.hadoop.hbase.CoprocessorEnvironment;
28
import org.apache.hadoop.hbase.CoprocessorEnvironment;
23
import org.apache.hadoop.hbase.HColumnDescriptor;
29
import org.apache.hadoop.hbase.HColumnDescriptor;
24
import org.apache.hadoop.hbase.HConstants;
30
import org.apache.hadoop.hbase.HRegionInfo;
25
import org.apache.hadoop.hbase.HTableDescriptor;
31
import org.apache.hadoop.hbase.HTableDescriptor;
26
import org.apache.hadoop.hbase.KeyValue;
32
import org.apache.hadoop.hbase.KeyValue;
27
import org.apache.hadoop.hbase.HRegionInfo;

   
28
import org.apache.hadoop.hbase.ServerName;
33
import org.apache.hadoop.hbase.ServerName;
29
import org.apache.hadoop.hbase.client.Delete;
34
import org.apache.hadoop.hbase.client.Delete;
30
import org.apache.hadoop.hbase.client.Get;
35
import org.apache.hadoop.hbase.client.Get;
31
import org.apache.hadoop.hbase.client.Increment;
36
import org.apache.hadoop.hbase.client.Increment;
32
import org.apache.hadoop.hbase.client.Put;
37
import org.apache.hadoop.hbase.client.Put;
[+20] [20] 17 lines
[+20]
50
import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
55
import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
51
import org.apache.hadoop.hbase.security.AccessDeniedException;
56
import org.apache.hadoop.hbase.security.AccessDeniedException;
52
import org.apache.hadoop.hbase.security.User;
57
import org.apache.hadoop.hbase.security.User;
53
import org.apache.hadoop.hbase.util.Bytes;
58
import org.apache.hadoop.hbase.util.Bytes;
54

    
   
59

   
55
import java.io.IOException;
60
import com.google.common.collect.ListMultimap;
56
import java.util.*;
61
import com.google.common.collect.Lists;

    
   
62
import com.google.common.collect.MapMaker;

    
   
63
import com.google.common.collect.Maps;

    
   
64
import com.google.common.collect.Sets;
57

    
   
65

   
58
/**
66
/**
59
 * Provides basic authorization checks for data access and administrative
67
 * Provides basic authorization checks for data access and administrative
60
 * operations.
68
 * operations.
61
 *
69
 *
[+20] [20] 91 lines
[+20] [+] public static AuthResult deny(String reason, User user,
153
    LogFactory.getLog("SecurityLogger."+AccessController.class.getName());
161
    LogFactory.getLog("SecurityLogger."+AccessController.class.getName());
154

    
   
162

   
155
  /**
163
  /**
156
   * Version number for AccessControllerProtocol
164
   * Version number for AccessControllerProtocol
157
   */
165
   */
158
  private static final long PROTOCOL_VERSION = 1L;
166
  private static final long PROTOCOL_VERSION = 2L;
159

    
   
167

   
160
  TableAuthManager authManager = null;
168
  TableAuthManager authManager = null;
161

    
   
169

   
162
  // flags if we are running on a region of the _acl_ table
170
  // flags if we are running on a region of the _acl_ table
163
  boolean aclRegion = false;
171
  boolean aclRegion = false;
[+20] [20] 793 lines
[+20] [+] public void revoke(byte[] user, TablePermission permission)
957
          Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
965
          Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
958
    }
966
    }
959
  }
967
  }
960

    
   
968

   
961
  @Override
969
  @Override

    
   
970
  public void checkPermissions(Permission[] permissions) throws IOException {

    
   
971
    // TODO: there is space to do some optimization for merging permission families/columns

    
   
972
    for (Permission permission : permissions) {

    
   
973
      if (permission instanceof TablePermission) {

    
   
974
        TablePermission tperm = (TablePermission) permission;

    
   
975
        for (Permission.Action action : permission.getActions()) {

    
   
976
          byte[] tableName = regionEnv.getRegion().getTableDesc().getName();

    
   
977
          if (!Arrays.equals(tperm.getTable(), tableName)) {

    
   
978
            throw new CoprocessorException(AccessController.class, "This method "

    
   
979
                + "can only execute at the table specified in TablePermission.");

    
   
980
          }

    
   
981

   

    
   
982
          HashMap<byte[], Set<byte[]>> familyMap = Maps.newHashMapWithExpectedSize(1);

    
   
983
          if (tperm.getFamily() != null) {

    
   
984
            if (tperm.getQualifier() != null) {

    
   
985
              familyMap.put(tperm.getFamily(), Sets.newHashSet(tperm.getQualifier()));

    
   
986
            } else {

    
   
987
              familyMap.put(tperm.getFamily(), null);

    
   
988
            }

    
   
989
          }

    
   
990

   

    
   
991
          requirePermission(action, regionEnv, familyMap);

    
   
992
        }

    
   
993

   

    
   
994
      } else {

    
   
995
        for (Permission.Action action : permission.getActions()) {

    
   
996
          requirePermission(action);

    
   
997
        }

    
   
998
      }

    
   
999
    }

    
   
1000
  }

    
   
1001

   

    
   
1002
  @Override
962
  public long getProtocolVersion(String protocol, long clientVersion) throws IOException {
1003
  public long getProtocolVersion(String protocol, long clientVersion) throws IOException {
963
    return PROTOCOL_VERSION;
1004
    return PROTOCOL_VERSION;
964
  }
1005
  }
965

    
   
1006

   
966
  @Override
1007
  @Override
[+20] [20] 22 lines
security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
Revision 5fa2edb New Change
 
security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Revision f864373 New Change
 
  1. security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java: Loading...
  2. security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java: Loading...
  3. security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java: Loading...