org.apache.hadoop.hbase.security.access.AccessControlClient源码实例Demo

类org.apache.hadoop.hbase.security.access.AccessControlClient源码实例Demo

下面列出了org.apache.hadoop.hbase.security.access.AccessControlClient 类实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。

private void createTable(Admin admin, TableName tableName, boolean setVersion,
    boolean acl) throws IOException {
  if (!admin.tableExists(tableName)) {
    TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
      new TableDescriptorBuilder.ModifyableTableDescriptor(tableName);
    ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor familyDescriptor =
      new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(FAMILY_NAME);
    if (setVersion) {
      familyDescriptor.setMaxVersions(DEFAULT_TABLES_COUNT);
    }
    tableDescriptor.setColumnFamily(familyDescriptor);
    admin.createTable(tableDescriptor);
    if (acl) {
      LOG.info("Granting permissions for user " + USER.getShortName());
      Permission.Action[] actions = { Permission.Action.READ };
      try {
        AccessControlClient.grant(ConnectionFactory.createConnection(getConf()), tableName,
            USER.getShortName(), null, null, actions);
      } catch (Throwable e) {
        LOG.error(HBaseMarkers.FATAL, "Error in granting permission for the user " +
            USER.getShortName(), e);
        throw new IOException(e);
      }
    }
  }
}
 
源代码2 项目: spliceengine   文件: HBasePartitionAdmin.java
private void grantPrivilegesIfNeeded(String userName, String spliceNamespace) throws Throwable {
    if (hasPrivileges(userName, spliceNamespace)) {
        LOG.info("User " + userName + " already has privileges on namespace " + spliceNamespace);
        return;
    }
    
    LOG.info("User " + userName + " lacks some privileges on namespace " + spliceNamespace + ", granting them");

    for (String user : Arrays.asList(userName, userName.toUpperCase(), userName.toLowerCase())) {
        AccessControlClient.grant(admin.getConnection(), spliceNamespace, user,
                Permission.Action.WRITE
                , Permission.Action.READ
                , Permission.Action.EXEC
        );
    }
}
 
源代码3 项目: phoenix   文件: PhoenixAccessController.java
private void grantPermissions(final String toUser, final byte[] table, final Action... actions) throws IOException {
    User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(env.getConfiguration())) {
                AccessControlClient.grant(conn, TableName.valueOf(table), toUser , null, null,
                        actions);
            } catch (Throwable e) {
                new DoNotRetryIOException(e);
            }
            return null;
        }
    });
}
 
源代码4 项目: phoenix   文件: PermissionNSEnabledIT.java
@Test
public void testSchemaPermissions() throws Throwable{
    try {
        grantSystemTableAccess();
        final String schemaName = "S_" + generateUniqueName();
        superUser1.runAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                try {
                    AccessControlClient.grant(getUtility().getConnection(), regularUser1.getShortName(),
                            Permission.Action.ADMIN);
                } catch (Throwable e) {
                    if (e instanceof Exception) {
                        throw (Exception)e;
                    } else {
                        throw new Exception(e);
                    }
                }
                return null;
            }
        });
        verifyAllowed(createSchema(schemaName), regularUser1);
        // Unprivileged user cannot drop a schema
        verifyDenied(dropSchema(schemaName), AccessDeniedException.class, unprivilegedUser);
        verifyDenied(createSchema(schemaName), AccessDeniedException.class, unprivilegedUser);

        verifyAllowed(dropSchema(schemaName), regularUser1);
    } finally {
        revokeAll();
    }
}
 
源代码5 项目: phoenix   文件: PermissionNSEnabledIT.java
@Test
public void testConnectionCreationFailsWhenNoExecPermsOnSystemCatalog() throws Throwable {
    try {
        grantSystemTableAccess();
        superUser1.runAs((PrivilegedExceptionAction<Object>) () -> {
            TableName systemCatalogTableName =
                    TableName.valueOf(SchemaUtil.getPhysicalHBaseTableName(
                            SYSTEM_SCHEMA_NAME, SYSTEM_CATALOG_TABLE, true).getString());
            try {
                // Revoke Exec permissions for SYSTEM CATALOG for the unprivileged user
                AccessControlClient.revoke(getUtility().getConnection(), systemCatalogTableName,
                        unprivilegedUser.getShortName(), null, null, Permission.Action.EXEC);
            } catch (Throwable t) {
                if (t instanceof Exception) {
                    throw (Exception)t;
                } else {
                    throw new Exception(t);
                }
            }
            return null;
        });
        unprivilegedUser.runAs((PrivilegedExceptionAction<Void>) () -> {
            try (Connection ignored = getConnection()) {
                // We expect this to throw a wrapped AccessDeniedException.
                fail("Should have failed with a wrapped AccessDeniedException");
            } catch (Throwable ex) {
                assertTrue("Should not get an incompatible jars exception",
                        ex instanceof SQLException && ((SQLException)ex).getErrorCode() !=
                                SQLExceptionCode.INCOMPATIBLE_CLIENT_SERVER_JAR.getErrorCode());
                assertTrue("Expected a wrapped AccessDeniedException",
                        ex.getCause() instanceof AccessDeniedException);
            }
            return null;
        });
    } finally {
        revokeAll();
    }
}
 
源代码6 项目: phoenix   文件: BasePermissionsIT.java
@Override
public void start(CoprocessorEnvironment env) throws IOException {
    super.start(env);
    configuration = env.getConfiguration();
    if(env instanceof RegionCoprocessorEnvironment) {
        aclRegion = AccessControlClient.ACL_TABLE_NAME.
                equals(((RegionCoprocessorEnvironment) env).getRegion().
                        getTableDescriptor().getTableName());
    }
}
 
源代码7 项目: spliceengine   文件: HBasePartitionAdmin.java
private boolean grantCreatePrivilege(String tableName, String userName) throws Throwable{

        if (hasCreatePrivilege(tableName, userName)){
            SpliceLogUtils.info(LOG, "User %s already has create privilege for table %s. Ignore grant request.",
                    userName, tableName);
            return false;
        }

        SpliceLogUtils.info(LOG, "granting create privilege to user %s on table %s", userName, tableName);
        for (String user : Arrays.asList(userName, userName.toUpperCase(), userName.toLowerCase())) {
            AccessControlClient.grant(admin.getConnection(), TableName.valueOf(tableName), user,null, null,
                    Permission.Action.CREATE);
        }
        return true;
    }
 
源代码8 项目: spliceengine   文件: HBasePartitionAdmin.java
private boolean hasCreatePrivilege(String tableName, String userName) throws Throwable{
    List<UserPermission> permissions = AccessControlClient.getUserPermissions(admin.getConnection(), tableName);
    for (String user : Arrays.asList(userName, userName.toUpperCase(), userName.toLowerCase())) {
        UserPermission up = getPermission(permissions, user);
        if (up == null || !up.implies(TableName.valueOf(tableName), null, null, Permission.Action.CREATE))
            return false;
    }
    return true;
}
 
源代码9 项目: spliceengine   文件: HBasePartitionAdmin.java
private boolean revokeCreatePrivilege(String tableName, String userName) throws Throwable{

        if (!hasCreatePrivilege(tableName, userName)){
            SpliceLogUtils.info(LOG, "User %s does not have create privilege for table %s. Ignore revoke request.",
                    userName, tableName);
            return false;
        }

        SpliceLogUtils.info(LOG, "revoking create privilege on table %s from user %s", tableName, userName);
        for (String user : Arrays.asList(userName, userName.toUpperCase(), userName.toLowerCase())) {
            AccessControlClient.revoke(admin.getConnection(), TableName.valueOf(tableName), user,null, null,
                    Permission.Action.CREATE);
        }
        return true;
    }
 
源代码10 项目: spliceengine   文件: HBasePartitionAdmin.java
private boolean hasPrivileges(String userName, String spliceNamespace) throws Throwable {
    List<UserPermission> permissions = AccessControlClient.getUserPermissions(admin.getConnection(), "@"+spliceNamespace);
    for (String user : Arrays.asList(userName, userName.toUpperCase(), userName.toLowerCase())) {
        UserPermission up = getPermission(permissions, user);
        if (up == null)
            return false;
        
        for (Permission.Action action : Arrays.asList(Permission.Action.WRITE, Permission.Action.READ, Permission.Action.EXEC)) {
            if (!up.implies(spliceNamespace, action))
                return false;
        }
    }
    return true;
}
 
源代码11 项目: hbase   文件: TestSecureRESTServer.java
@Test
public void testPositiveAuthorization() throws Exception {
  // Create a table, write a row to it, grant read perms to the client
  UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
  final TableName table = TableName.valueOf("publicTable");
  superuser.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
        TableDescriptor desc = TableDescriptorBuilder.newBuilder(table)
            .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
            .build();
        conn.getAdmin().createTable(desc);
        try (Table t = conn.getTable(table)) {
          Put p = new Put(Bytes.toBytes("a"));
          p.addColumn(Bytes.toBytes("f1"), new byte[0], Bytes.toBytes("1"));
          t.put(p);
        }
        AccessControlClient.grant(conn, CLIENT_PRINCIPAL, Action.READ);
      } catch (Throwable e) {
        if (e instanceof Exception) {
          throw (Exception) e;
        } else {
          throw new Exception(e);
        }
      }
      return null;
    }
  });

  // Read that row as the client
  Pair<CloseableHttpClient,HttpClientContext> pair = getClient();
  CloseableHttpClient client = pair.getFirst();
  HttpClientContext context = pair.getSecond();

  HttpGet get = new HttpGet(new URL("http://localhost:"+ REST_TEST.getServletPort()).toURI()
      + "/" + table + "/a");
  get.addHeader("Accept", "application/json");
  UserGroupInformation user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath());
  String jsonResponse = user.doAs(new PrivilegedExceptionAction<String>() {
    @Override
    public String run() throws Exception {
      try (CloseableHttpResponse response = client.execute(get, context)) {
        final int statusCode = response.getStatusLine().getStatusCode();
        assertEquals(response.getStatusLine().toString(), HttpURLConnection.HTTP_OK, statusCode);
        HttpEntity entity = response.getEntity();
        return EntityUtils.toString(entity);
      }
    }
  });
  ObjectMapper mapper = new JacksonJaxbJsonProvider()
      .locateMapper(CellSetModel.class, MediaType.APPLICATION_JSON_TYPE);
  CellSetModel model = mapper.readValue(jsonResponse, CellSetModel.class);
  assertEquals(1, model.getRows().size());
  RowModel row = model.getRows().get(0);
  assertEquals("a", Bytes.toString(row.getKey()));
  assertEquals(1, row.getCells().size());
  CellModel cell = row.getCells().get(0);
  assertEquals("1", Bytes.toString(cell.getValue()));
}
 
源代码12 项目: phoenix   文件: BasePermissionsIT.java
void grantPermissions(String toUser, Set<String> tablesToGrant, Permission.Action... actions) throws Throwable {
    for (String table : tablesToGrant) {
        AccessControlClient.grant(getUtility().getConnection(), TableName.valueOf(table), toUser, null, null,
                actions);
    }
}
 
源代码13 项目: phoenix   文件: BasePermissionsIT.java
void grantPermissions(String toUser, String namespace, Permission.Action... actions) throws Throwable {
    AccessControlClient.grant(getUtility().getConnection(), namespace, toUser, actions);
}
 
源代码14 项目: phoenix   文件: BasePermissionsIT.java
void grantPermissions(String groupEntry, Permission.Action... actions) throws IOException, Throwable {
    AccessControlClient.grant(getUtility().getConnection(), groupEntry, actions);
}
 
源代码15 项目: phoenix   文件: BasePermissionsIT.java
void revokeAll() throws Throwable {
    AccessControlClient.revoke(getUtility().getConnection(), AuthUtil.toGroupEntry(GROUP_SYSTEM_ACCESS), Permission.Action.values() );
    AccessControlClient.revoke(getUtility().getConnection(), regularUser1.getShortName(), Permission.Action.values() );
    AccessControlClient.revoke(getUtility().getConnection(), unprivilegedUser.getShortName(), Permission.Action.values() );
}
 
源代码16 项目: phoenix   文件: BasePermissionsIT.java
@Test
public void testDeletingStatsShouldNotFailWithADEWhenTableDropped() throws Throwable {
    final String schema = "STATS_ENABLED";
    final String tableName = "DELETE_TABLE_IT";
    final String phoenixTableName = schema + "." + tableName;
    final String indexName1 = tableName + "_IDX1";
    final String lIndexName1 = tableName + "_LIDX1";
    final String viewName1 = schema+"."+tableName + "_V1";
    final String viewIndexName1 = tableName + "_VIDX1";
    grantSystemTableAccess();
    try {
        superUser1.runAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                try {
                    verifyAllowed(createSchema(schema), superUser1);
                    //Neded Global ADMIN for flush operation during drop table
                    AccessControlClient.grant(getUtility().getConnection(),regularUser1.getName(), Permission.Action.ADMIN);
                    if (isNamespaceMapped) {
                        grantPermissions(regularUser1.getName(), schema, Permission.Action.CREATE);
                        grantPermissions(AuthUtil.toGroupEntry(GROUP_SYSTEM_ACCESS), schema, Permission.Action.CREATE);
                    } else {
                        grantPermissions(regularUser1.getName(),
                                NamespaceDescriptor.DEFAULT_NAMESPACE.getName(), Permission.Action.CREATE);
                        grantPermissions(AuthUtil.toGroupEntry(GROUP_SYSTEM_ACCESS),
                                NamespaceDescriptor.DEFAULT_NAMESPACE.getName(), Permission.Action.CREATE);
                    }
                } catch (Throwable e) {
                    if (e instanceof Exception) {
                        throw (Exception)e;
                    } else {
                        throw new Exception(e);
                    }
                }
                return null;
            }
        });

        verifyAllowed(createTable(phoenixTableName, 100), regularUser1);
        verifyAllowed(createIndex(indexName1,phoenixTableName),regularUser1);
        verifyAllowed(createLocalIndex(lIndexName1, phoenixTableName), regularUser1);
        verifyAllowed(createView(viewName1,phoenixTableName),regularUser1);
        verifyAllowed(createIndex(viewIndexName1, viewName1), regularUser1);
        verifyAllowed(updateStatsOnTable(phoenixTableName), regularUser1);
        Thread.sleep(10000);
        // Normal deletes should  fail when no write permissions given on stats table.
        verifyDenied(deleteDataFromStatsTable(), AccessDeniedException.class, regularUser1);
        verifyAllowed(dropIndex(viewIndexName1, viewName1), regularUser1);
        verifyAllowed(dropView(viewName1),regularUser1);
        verifyAllowed(dropIndex(indexName1, phoenixTableName), regularUser1);
        Thread.sleep(3000);
        verifyAllowed(readStatsAfterTableDelete(SchemaUtil.getPhysicalHBaseTableName(
                schema, indexName1, isNamespaceMapped).getString()), regularUser1);
        verifyAllowed(dropIndex(lIndexName1,  phoenixTableName), regularUser1);
        verifyAllowed(dropTable(phoenixTableName), regularUser1);
        Thread.sleep(3000);
        verifyAllowed(readStatsAfterTableDelete(SchemaUtil.getPhysicalHBaseTableName(
                schema, tableName, isNamespaceMapped).getString()), regularUser1);
    } finally {
        revokeAll();
    }
}
 
如果文章对您有帮助,请点击页面广告。以鼓励作者做出的努力。
 类所在包
 类方法
 同包方法