联系人列表为空,请先登录

  1. 查询
  2. 包列表
  3. 类列表
  4. 类:org.apache.hadoop.hbase.security.access.Permission.Action

类org.apache.hadoop.hbase.security.access.Permission.Action源码实例Demo

下面列出了怎么用org.apache.hadoop.hbase.security.access.Permission.Action的API类实例代码及写法,或者点击链接到github查看源代码。

源代码1 项目: ranger   文件: HbaseAuthUtilsImpl.java 
@Override
public String getAccess(Action action) {
	switch(action) {
		case READ:
			return ACCESS_TYPE_READ;
		case WRITE:
			return ACCESS_TYPE_WRITE;
		case CREATE:
			return ACCESS_TYPE_CREATE;
		case ADMIN:
			return ACCESS_TYPE_ADMIN;
		case EXEC:
			return ACCESS_TYPE_EXECUTE;
		default:
			return action.name().toLowerCase();
	}
}
源代码2 项目: phoenix   文件: PhoenixAccessController.java 
@Override
public void preAlterTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType) throws IOException {
    if (!accessCheckEnabled) { return; }
    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
        observer.preModifyTable(getMasterObsevrverContext(), physicalTableName,
                TableDescriptorBuilder.newBuilder(physicalTableName).build());
        }
    }
    if (tableType == PTableType.VIEW) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
源代码3 项目: ranger   文件: RangerAuthorizationCoprocessor.java 
boolean canSkipAccessCheck(User user, final String operation, String access, final RegionCoprocessorEnvironment regionServerEnv) throws AccessDeniedException {

		// read access to metadata tables is always allowed and isn't audited.
		if (isAccessForMetaTables(regionServerEnv) && _authUtils.isReadAccess(access)) {
			LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
			return true;
		}
		// if write access is desired to metatables then global create access is sufficient
		if (_authUtils.isWriteAccess(access) && isAccessForMetaTables(regionServerEnv)) {
			String createAccess = _authUtils.getAccess(Action.CREATE);
			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
				.operation(operation)
				.remoteAddress(getRemoteAddress())
				.user(user)
				.access(createAccess)
				.buildRequest()
				.authorize();
			if (session.isAuthorized()) {
				// NOTE: this access isn't logged
				LOG.debug("isKnownAccessPattern: exiting: User has global create access, allowed!");
				return true;
			}
		}
		return false;
	}
源代码4 项目: hbase   文件: AccessController.java 
@Override
public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
    List<TableName> tableNamesList, List<TableDescriptor> descriptors,
    String regex) throws IOException {
  // Skipping as checks in this case are already done by preGetTableDescriptors.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    return;
  }

  // Retains only those which passes authorization checks, as the checks weren't done as part
  // of preGetTableDescriptors.
  Iterator<TableDescriptor> itr = descriptors.iterator();
  while (itr.hasNext()) {
    TableDescriptor htd = itr.next();
    try {
      requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null,
          Action.ADMIN, Action.CREATE);
    } catch (AccessDeniedException e) {
      itr.remove();
    }
  }
}
源代码5 项目: phoenix   文件: PhoenixAccessController.java 
@Override
public void preDropTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
        String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType,
        List<PTable> indexes) throws IOException {
    if (!accessCheckEnabled) { return; }

    for (MasterObserver observer : getAccessControllers()) {
        if (tableType != PTableType.VIEW) {
            observer.preDeleteTable(getMasterObsevrverContext(), physicalTableName);
        }
        if (indexes != null) {
            for (PTable index : indexes) {
                observer.preDeleteTable(getMasterObsevrverContext(),
                        TableName.valueOf(index.getPhysicalName().getBytes()));
            }
        }
    }
    //checking similar permission checked during the create of the view.
    if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
        if(execPermissionsCheckEnabled) {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
        } else {
            requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ);
        }
    }
}
源代码6 项目: hbase   文件: TestAccessController.java 
@Test
public void testNamespaceUserGrant() throws Exception {
  AccessTestAction getAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try(Connection conn = ConnectionFactory.createConnection(conf);
          Table t = conn.getTable(TEST_TABLE)) {
        return t.get(new Get(TEST_ROW));
      }
    }
  };

  String namespace = TEST_TABLE.getNamespaceAsString();

  // Grant namespace READ to USER_NONE, this should supersede any table permissions
  grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  // Now USER_NONE should be able to read
  verifyAllowed(getAction, USER_NONE);

  // Revoke namespace READ to USER_NONE
  revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
  verifyDenied(getAction, USER_NONE);
}
源代码7 项目: hbase   文件: TestAccessController2.java 
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
  grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  try {
    AccessTestAction createAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
          new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
        tableDescriptor.setColumnFamily(
          new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
        try (Connection connection =
            ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
          try (Admin admin = connection.getAdmin()) {
            admin.createTable(tableDescriptor);
          }
        }
        return null;
      }
    };
    verifyAllowed(createAction, TESTGROUP1_USER1);
    verifyDenied(createAction, TESTGROUP2_USER1);
  } finally {
    revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
  }
}
源代码8 项目: hbase   文件: AccessController.java 
@Override
public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Append append) throws IOException {
  if (append.getAttribute(CHECK_COVERING_PERM) != null) {
    // We had failure with table, cf and q perm checks and now giving a chance for cell
    // perm check
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    AuthResult authResult = null;
    User user = getActiveUser(c);
    if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),
        append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {
      authResult = AuthResult.allow(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    } else {
      authResult = AuthResult.deny(OpType.APPEND.toString(),
          "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
    }
    AccessChecker.logResult(authResult);
    if (authorizationEnabled && !authResult.isAllowed()) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }
  return null;
}
源代码9 项目: ranger   文件: RangerAuthorizationCoprocessor.java 
@Override
public void postGetProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
	/*if(!procInfoList.isEmpty()) {
		Iterator<Procedure<?>> itr = procInfoList.iterator();
		User user = this.getActiveUser();

		while(itr.hasNext()) {
			Procedure procInfo = itr.next();
			try {
				String owner = procInfo.getOwner();
				if (owner == null || !owner.equals(user.getShortName())) {
					requirePermission("getProcedures", Action.ADMIN);
				}
			} catch (AccessDeniedException var7) {
				itr.remove();
			}
		}

	}*/
	requirePermission(observerContext, "getProcedures", Action.ADMIN);
}
源代码10 项目: hbase   文件: AccessController.java 
@Override
public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
     List<TableName> tableNamesList, List<TableDescriptor> descriptors,
     String regex) throws IOException {
  // We are delegating the authorization check to postGetTableDescriptors as we don't have
  // any concrete set of table names when a regex is present or the full list is requested.
  if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
    // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the
    // request can be granted.
    try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
      for (TableName tableName : tableNamesList) {
        // Skip checks for a table that does not exist
        if (!admin.tableExists(tableName)) {
          continue;
        }
        requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN,
          Action.CREATE);
      }
    }
  }
}
源代码11 项目: hbase   文件: TestAccessController.java 
@Test
public void testGlobalPermissionList() throws Exception {
  List<UserPermission> perms = systemUserConnection.getAdmin()
      .getUserPermissions(GetUserPermissionsRequest.newBuilder().build());

  Collection<String> superUsers = Superusers.getSuperUsers();
  List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1);
  adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Permission.newBuilder()
      .withActions(Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE).build()));
  for (String user : superUsers) {
    // Global permission
    adminPerms.add(
      new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build()));
  }
  assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
      "per setup", perms.size() == 5 + superUsers.size() &&
      hasFoundUserPermission(adminPerms, perms));
}
源代码12 项目: hbase   文件: AccessChecker.java 
/**
 * Checks that the user has the given global or namespace permission.
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param namespace Name space as requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 */
public void requireNamespacePermission(User user, String request, String namespace,
    String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserNamespace(user, namespace, permission)) {
      result =
          AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
源代码13 项目: hbase   文件: ShadedAccessControlUtil.java 
/**
 * Convert a client user permission to a user permission shaded proto.
 */
public static AccessControlProtos.Permission.Action toPermissionAction(Permission.Action action) {
  switch (action) {
    case READ:
      return AccessControlProtos.Permission.Action.READ;
    case WRITE:
      return AccessControlProtos.Permission.Action.WRITE;
    case EXEC:
      return AccessControlProtos.Permission.Action.EXEC;
    case CREATE:
      return AccessControlProtos.Permission.Action.CREATE;
    case ADMIN:
      return AccessControlProtos.Permission.Action.ADMIN;
  }
  throw new IllegalArgumentException("Unknown action value " + action.name());
}
源代码14 项目: hbase   文件: AccessChecker.java 
/**
 * Authorizes that the current user has any of the given permissions for the
 * given table, column family and column qualifier.
 *
 * @param user Active user to which authorization checks should be applied
 * @param request Request type
 * @param tableName Table requested
 * @param family    Column family requested
 * @param qualifier Column qualifier requested
 * @param filterUser User name to be filtered from permission as requested
 * @param permissions Actions being requested
 * @throws IOException if obtaining the current user fails
 * @throws AccessDeniedException if user has no authorization
 */
public void requirePermission(User user, String request, TableName tableName, byte[] family,
    byte[] qualifier, String filterUser, Action... permissions) throws IOException {
  AuthResult result = null;

  for (Action permission : permissions) {
    if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {
      result = AuthResult.allow(request, "Table permission granted",
          user, permission, tableName, family, qualifier);
      break;
    } else {
      // rest of the world
      result = AuthResult.deny(request, "Insufficient permissions",
        user, permission, tableName, family, qualifier);
    }
  }
  result.getParams().addExtraParam("filterUser", filterUser);
  logResult(result);
  if (!result.isAllowed()) {
    throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
  }
}
源代码15 项目: hbase   文件: TestPermissionBuilder.java 
@Test
public void testBuildTablePermission() {
  TableName tableName = TableName.valueOf("ns", "table");
  byte[] family = Bytes.toBytes("f");
  byte[] qualifier = Bytes.toBytes("q");
  // check table permission without family or qualifier
  Permission permission =
      Permission.newBuilder(tableName).withActions(Action.WRITE, Action.READ).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(2, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.WRITE, permission.getActions()[1]);
  TablePermission tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertEquals(null, tPerm.getFamily());
  assertEquals(null, tPerm.getQualifier());

  // check table permission with family
  permission =
      Permission.newBuilder(tableName).withFamily(family).withActions(Action.EXEC).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(1, permission.getActions().length);
  assertEquals(Action.EXEC, permission.getActions()[0]);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(null, tPerm.getQualifier()));

  // check table permission with family and qualifier
  permission =
      Permission.newBuilder(tableName).withFamily(family).withQualifier(qualifier).build();
  assertTrue(permission instanceof TablePermission);
  assertEquals(0, permission.getActions().length);
  tPerm = (TablePermission) permission;
  assertEquals(tableName, tPerm.getTableName());
  assertTrue(Bytes.equals(family, tPerm.getFamily()));
  assertTrue(Bytes.equals(qualifier, tPerm.getQualifier()));
}
源代码16 项目: hbase   文件: TestPermissionBuilder.java 
@Test
public void testBuildGlobalPermission() {
  // check global permission with empty action
  Permission permission = Permission.newBuilder().build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(0, permission.getActions().length);

  // check global permission with ADMIN action
  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("A")).build();
  assertTrue(permission instanceof GlobalPermission);
  assertEquals(1, permission.getActions().length);
  assertTrue(permission.getActions()[0] == Action.ADMIN);

  byte[] qualifier = Bytes.toBytes("q");
  try {
    permission = Permission.newBuilder().withQualifier(qualifier)
        .withActions(Action.CREATE, Action.READ).build();
    fail("Should throw NPE");
  } catch (NullPointerException e) {
    // catch NPE because set qualifier but table name is null
  }

  permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("ACP"))
      .withActions(Action.READ, Action.ADMIN).build();
  assertEquals(3, permission.getActions().length);
  assertEquals(Action.READ, permission.getActions()[0]);
  assertEquals(Action.CREATE, permission.getActions()[1]);
  assertEquals(Action.ADMIN, permission.getActions()[2]);
}
源代码17 项目: hbase   文件: AccessController.java 
/**
 * Returns <code>true</code> if the current user is allowed the given action
 * over at least one of the column qualifiers in the given column families.
 */
private boolean hasFamilyQualifierPermission(User user,
    Action perm,
    RegionCoprocessorEnvironment env,
    Map<byte[], ? extends Collection<byte[]>> familyMap)
  throws IOException {
  RegionInfo hri = env.getRegion().getRegionInfo();
  TableName tableName = hri.getTable();

  if (user == null) {
    return false;
  }

  if (familyMap != null && familyMap.size() > 0) {
    // at least one family must be allowed
    for (Map.Entry<byte[], ? extends Collection<byte[]>> family :
        familyMap.entrySet()) {
      if (family.getValue() != null && !family.getValue().isEmpty()) {
        for (byte[] qualifier : family.getValue()) {
          if (getAuthManager().authorizeUserTable(user, tableName,
                family.getKey(), qualifier, perm)) {
            return true;
          }
        }
      } else {
        if (getAuthManager().authorizeUserFamily(user, tableName, family.getKey(), perm)) {
          return true;
        }
      }
    }
  } else if (LOG.isDebugEnabled()) {
    LOG.debug("Empty family map passed for permission check");
  }

  return false;
}
源代码18 项目: hbase   文件: TestNamespaceCommands.java 
@Test
public void testAclTableEntries() throws Exception {
  String userTestNamespace = "userTestNsp";
  Table acl = UTIL.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
  try {
    ListMultimap<String, UserPermission> perms =
        PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    for (Map.Entry<String, UserPermission> entry : perms.entries()) {
      LOG.debug(Objects.toString(entry));
    }
    assertEquals(6, perms.size());

    // Grant and check state in ACL table
    grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
    assertTrue(result != null);
    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(7, perms.size());
    List<UserPermission> namespacePerms = perms.get(userTestNamespace);
    assertTrue(perms.containsKey(userTestNamespace));
    assertEquals(1, namespacePerms.size());
    assertEquals(TEST_NAMESPACE,
      ((NamespacePermission) namespacePerms.get(0).getPermission()).getNamespace());
    assertEquals(1, namespacePerms.get(0).getPermission().getActions().length);
    assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getPermission().getActions()[0]);

    // Revoke and check state in ACL table
    revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
      Permission.Action.WRITE);

    perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
    assertEquals(6, perms.size());
  } finally {
    acl.close();
  }
}
源代码19 项目: hbase   文件: TestAccessController.java 
@Test
public void testTableDeletion() throws Exception {
  User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
  final TableName tableName = TableName.valueOf(name.getMethodName());
  createTestTable(tableName);

  // Grant TABLE ADMIN privs
  grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tableName, null, null, Permission.Action.ADMIN);

  AccessTestAction deleteTableAction = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Connection unmanagedConnection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
      Admin admin = unmanagedConnection.getAdmin();
      try {
        deleteTable(TEST_UTIL, admin, tableName);
      } finally {
        admin.close();
        unmanagedConnection.close();
      }
      return null;
    }
  };

  verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
    USER_GROUP_WRITE);
  verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
源代码20 项目: hbase   文件: AccessController.java 
@Override
public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
    TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc)
    throws IOException {
  // TODO: potentially check if this is a add/modify/delete column operation
  requirePermission(c, "modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
  return newDesc;
}
源代码21 项目: hbase   文件: AccessController.java 
@Override
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Increment increment)
    throws IOException {
  User user = getActiveUser(c);
  checkForReservedTagPresence(user, increment);

  // Require WRITE permission to the table, CF, and the KV to be replaced by
  // the incremented value
  RegionCoprocessorEnvironment env = c.getEnvironment();
  Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();
  AuthResult authResult = permissionGranted(OpType.INCREMENT,
      user, env, families, Action.WRITE);
  AccessChecker.logResult(authResult);
  if (!authResult.isAllowed()) {
    if (cellFeaturesEnabled && !compatibleEarlyTermination) {
      increment.setAttribute(CHECK_COVERING_PERM, TRUE);
    } else if (authorizationEnabled) {
      throw new AccessDeniedException("Insufficient permissions " +
        authResult.toContextString());
    }
  }

  byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
  if (bytes != null) {
    if (cellFeaturesEnabled) {
      addCellPermissions(bytes, increment.getFamilyCellMap());
    } else {
      throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
    }
  }

  return null;
}
源代码22 项目: hbase   文件: AccessController.java 
/**
 * Check the current user for authorization to perform a specific action
 * against the given set of row data.
 * @param opType the operation type
 * @param user the user
 * @param e the coprocessor environment
 * @param families the map of column families to qualifiers present in
 * the request
 * @param actions the desired actions
 * @return an authorization result
 */
private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
    Map<byte [], ? extends Collection<?>> families, Action... actions) {
  AuthResult result = null;
  for (Action action: actions) {
    result = accessChecker.permissionGranted(opType.toString(), user, action,
      e.getRegion().getRegionInfo().getTable(), families);
    if (!result.isAllowed()) {
      return result;
    }
  }
  return result;
}
源代码23 项目: hbase   文件: AccessController.java 
@Override
public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,
    MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {
  if (cellFeaturesEnabled && !compatibleEarlyTermination) {
    TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
    User user = getActiveUser(c);
    for (int i = 0; i < miniBatchOp.size(); i++) {
      Mutation m = miniBatchOp.getOperation(i);
      if (m.getAttribute(CHECK_COVERING_PERM) != null) {
        // We have a failure with table, cf and q perm checks and now giving a chance for cell
        // perm check
        OpType opType;
        if (m instanceof Put) {
          checkForReservedTagPresence(user, m);
          opType = OpType.PUT;
        } else {
          opType = OpType.DELETE;
        }
        AuthResult authResult = null;
        if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),
          m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) {
          authResult = AuthResult.allow(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        } else {
          authResult = AuthResult.deny(opType.toString(), "Covering cell set",
            user, Action.WRITE, table, m.getFamilyCellMap());
        }
        AccessChecker.logResult(authResult);
        if (authorizationEnabled && !authResult.isAllowed()) {
          throw new AccessDeniedException("Insufficient permissions "
            + authResult.toContextString());
        }
      }
    }
  }
}
源代码24 项目: ranger   文件: RangerAuthorizationCoprocessor.java 
@Override
public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
	RegionCoprocessorEnvironment env = e.getEnvironment();
	final Region region = env.getRegion();
	if (region == null) {
		LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
	} else {
		RegionInfo regionInfo = region.getRegionInfo();
		if (isSpecialTable(regionInfo)) {
			requireSystemOrSuperUser(regionEnv.getConfiguration(),e);
		} else {
			requirePermission(e, "open", getTableName(e.getEnvironment()), Action.ADMIN);
		}
	}
}
源代码25 项目: hbase   文件: TestAccessController2.java 
@Test
public void testCreateWithCorrectOwner() throws Exception {
  // Create a test user
  final User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser",
    new String[0]);
  // Grant the test user the ability to create tables
  SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE);
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
        new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
      tableDescriptor.setColumnFamily(
        new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
      try (Connection connection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), testUser)) {
        try (Admin admin = connection.getAdmin()) {
          createTable(TEST_UTIL, admin, tableDescriptor);
        }
      }
      return null;
    }
  }, testUser);
  TEST_UTIL.waitTableAvailable(testTable.getTableName());
  // Verify that owner permissions have been granted to the test user on the
  // table just created
  List<UserPermission> perms = PermissionStorage
      .getTablePermissions(conf, testTable.getTableName()).get(testUser.getShortName());
  assertNotNull(perms);
  assertFalse(perms.isEmpty());
  // Should be RWXCA
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.READ));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.WRITE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.EXEC));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.CREATE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.ADMIN));
}
源代码26 项目: hbase   文件: AccessController.java 
/**
 * Authorization check for
 * SecureBulkLoadProtocol.prepareBulkLoad()
 * @param ctx the context
 * @throws IOException
 */
@Override
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
  requireAccess(ctx, "prePrepareBulkLoad",
      ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
      Action.CREATE);
}
源代码27 项目: hbase   文件: AccessController.java 
private void preGetUserPermissions(User caller, String userName, String namespace,
    TableName tableName, byte[] family, byte[] qualifier) throws IOException {
  if (tableName != null) {
    accessChecker.requirePermission(caller, "getUserPermissions", tableName, family, qualifier,
      userName, Action.ADMIN);
  } else if (namespace != null) {
    accessChecker.requireNamespacePermission(caller, "getUserPermissions", namespace, userName,
      Action.ADMIN);
  } else {
    accessChecker.requirePermission(caller, "getUserPermissions", userName, Action.ADMIN);
  }
}
源代码28 项目: hbase   文件: AccessController.java 
public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
    TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
    Action... permissions) throws IOException {
  accessChecker.requireNamespacePermission(getActiveUser(ctx),
      request, namespace, tableName, familyMap,
      permissions);
}
源代码29 项目: hbase   文件: ShadedAccessControlUtil.java 
/**
 * Converts a list of Permission.Action shaded proto to an array of client Permission.Action
 * objects.
 * @param protoActions the list of shaded protobuf Actions
 * @return the converted array of Actions
 */
public static Permission.Action[]
    toPermissionActions(List<AccessControlProtos.Permission.Action> protoActions) {
  Permission.Action[] actions = new Permission.Action[protoActions.size()];
  for (int i = 0; i < protoActions.size(); i++) {
    actions[i] = toPermissionAction(protoActions.get(i));
  }
  return actions;
}
源代码30 项目: hbase   文件: AccessController.java 
@Override
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
    throws IOException {
  // Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.
  requirePermission(ctx, "snapshot " + snapshot.getName(),
      hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
}
 类所在包
org.apache.hadoop.hbase
 类方法
 同包方法
org.apache.hadoop.hbase.util.Bytes
org.apache.hadoop.hbase.HBaseConfiguration
org.apache.hadoop.hbase.TableName
org.apache.hadoop.hbase.HTableDescriptor
org.apache.hadoop.hbase.HColumnDescriptor
org.apache.hadoop.hbase.Cell
org.apache.hadoop.hbase.HConstants
org.apache.hadoop.hbase.filter.Filter
org.apache.hadoop.hbase.KeyValue
org.apache.hadoop.hbase.HBaseTestingUtility
org.apache.hadoop.hbase.CellUtil
org.apache.hadoop.hbase.filter.FilterList
org.apache.hadoop.hbase.io.ImmutableBytesWritable
org.apache.hadoop.hbase.filter.SingleColumnValueFilter
org.apache.hadoop.hbase.filter.CompareFilter
org.apache.hadoop.hbase.util.Pair
org.apache.hadoop.hbase.ZooKeeperConnectionException
org.apache.hadoop.hbase.mapreduce.TableMapReduceUtil
org.apache.hadoop.hbase.ServerName
org.apache.hadoop.hbase.HRegionInfo
org.apache.hadoop.hbase.TableNotFoundException
org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment
org.apache.hadoop.hbase.security.User
org.apache.hadoop.hbase.HRegionLocation
org.apache.hadoop.hbase.filter.CompareFilter.CompareOp
org.apache.hadoop.hbase.MasterNotRunningException
org.apache.hadoop.hbase.mapreduce.TableMapper
org.apache.hadoop.hbase.MiniHBaseCluster
org.apache.hadoop.hbase.CoprocessorEnvironment
org.apache.hadoop.hbase.io.compress.Compression
org.apache.hadoop.hbase.Coprocessor
org.apache.hadoop.hbase.coprocessor.ObserverContext
org.apache.hadoop.hbase.filter.BinaryComparator
org.apache.hadoop.hbase.filter.PageFilter
org.apache.hadoop.hbase.filter.RowFilter
org.apache.hadoop.hbase.regionserver.HRegion
org.apache.hadoop.hbase.mapreduce.LoadIncrementalHFiles
org.apache.hadoop.hbase.regionserver.BloomType
org.apache.hadoop.hbase.ClusterStatus
org.apache.hadoop.hbase.TableExistsException
org.apache.hadoop.hbase.io.hfile.CacheConfig
org.apache.hadoop.hbase.NamespaceDescriptor
org.apache.hadoop.hbase.filter.FilterBase
org.apache.hadoop.hbase.mapreduce.TableOutputFormat
org.apache.hadoop.hbase.io.encoding.DataBlockEncoding
org.apache.hadoop.hbase.regionserver.InternalScanner
org.apache.hadoop.hbase.coprocessor.CoprocessorException
org.apache.hadoop.hbase.regionserver.RegionScanner
org.apache.hadoop.hbase.protobuf.ProtobufUtil
org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel
org.apache.hadoop.hbase.filter.PrefixFilter
org.apache.hadoop.hbase.coprocessor.BaseRegionObserver
org.apache.hadoop.hbase.util.FSUtils
org.apache.hadoop.hbase.filter.FirstKeyOnlyFilter
org.apache.hadoop.hbase.exceptions.DeserializationException
org.apache.hadoop.hbase.regionserver.StoreFile
org.apache.hadoop.hbase.mapreduce.TableInputFormat
org.apache.hadoop.hbase.DoNotRetryIOException
org.apache.hadoop.hbase.protobuf.generated.ClientProtos
org.apache.hadoop.hbase.filter.KeyOnlyFilter
org.apache.hadoop.hbase.ipc.BlockingRpcCallback
org.apache.hadoop.hbase.io.hfile.HFile
org.apache.hadoop.hbase.zookeeper.MiniZooKeeperCluster
org.apache.hadoop.hbase.coprocessor.CoprocessorService
org.apache.hadoop.hbase.filter.SubstringComparator
org.apache.hadoop.hbase.util.VersionInfo
org.apache.hadoop.hbase.filter.QualifierFilter
org.apache.hadoop.hbase.ipc.ServerRpcController
org.apache.hadoop.hbase.regionserver.compactions.CompactionRequest
org.apache.hadoop.hbase.filter.FilterList.Operator
org.apache.hadoop.hbase.KeyValue.Type
org.apache.hadoop.hbase.filter.RegexStringComparator
org.apache.hadoop.hbase.KeyValueUtil
org.apache.hadoop.hbase.CellScanner
org.apache.hadoop.hbase.regionserver.wal.WALEdit
org.apache.hadoop.hbase.filter.Filter.ReturnCode
org.apache.hadoop.hbase.regionserver.Store
org.apache.hadoop.hbase.mapreduce.HFileOutputFormat
org.apache.hadoop.hbase.filter.FamilyFilter
org.apache.hadoop.hbase.filter.ByteArrayComparable
org.apache.hadoop.hbase.ipc.RpcServer
org.apache.hadoop.hbase.io.compress.Compression.Algorithm
org.apache.hadoop.hbase.filter.MultiRowRangeFilter
org.apache.hadoop.hbase.coprocessor.CoprocessorHost
org.apache.hadoop.hbase.regionserver.ScanType
org.apache.hadoop.hbase.ServerLoad
org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher
org.apache.hadoop.hbase.RegionLoad
org.apache.hadoop.hbase.util.Threads
org.apache.hadoop.hbase.TableNotEnabledException
org.apache.hadoop.hbase.regionserver.ConstantSizeRegionSplitPolicy
org.apache.hadoop.hbase.regionserver.HRegionServer
org.apache.hadoop.hbase.CompareOperator
org.apache.hadoop.hbase.filter.ValueFilter
org.apache.hadoop.hbase.io.hfile.HFileContextBuilder
org.apache.hadoop.hbase.regionserver.compactions.CompactionLifeCycleTracker
org.apache.hadoop.hbase.filter.MultiRowRangeFilter.RowRange
org.apache.hadoop.hbase.filter.BinaryPrefixComparator
org.apache.hadoop.hbase.regionserver.Region
org.apache.hadoop.hbase.mapreduce.TableSplit
org.apache.hadoop.hbase.protobuf.ResponseConverter
org.apache.hadoop.hbase.mapreduce.HFileOutputFormat2
org.apache.hadoop.hbase.regionserver.KeyValueScanner
org.apache.hadoop.hbase.filter.ColumnPaginationFilter
org.apache.hadoop.hbase.master.HMaster
org.apache.hadoop.hbase.classification.InterfaceAudience
org.apache.hadoop.hbase.io.TimeRange
org.apache.hadoop.hbase.io.hfile.HFileScanner
org.apache.hadoop.hbase.util.EnvironmentEdgeManager
org.apache.hadoop.hbase.util.Base64
org.apache.hadoop.hbase.TableNotDisabledException
org.apache.hadoop.hbase.io.hfile.HFileContext
org.apache.hadoop.hbase.CellComparator
org.apache.hadoop.hbase.zookeeper.ZKUtil
org.apache.hadoop.hbase.security.UserProvider
org.apache.hadoop.hbase.util.Writables
org.apache.hadoop.hbase.wal.WAL
org.apache.hadoop.hbase.regionserver.RegionServerServices
org.apache.hadoop.hbase.mapreduce.ResultSerialization
org.apache.hadoop.hbase.io.hfile.Compression
org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment
org.apache.hadoop.hbase.security.AccessDeniedException
org.apache.hadoop.hbase.wal.WALFactory
org.apache.hadoop.hbase.NotServingRegionException
org.apache.hadoop.hbase.filter.FuzzyRowFilter
org.apache.hadoop.hbase.regionserver.HStore
org.apache.hadoop.hbase.Stoppable
org.apache.hadoop.hbase.protobuf.generated.HBaseProtos
org.apache.hadoop.hbase.replication.ReplicationPeerConfig
org.apache.hadoop.hbase.fs.HFileSystem
org.apache.hadoop.hbase.filter.ColumnRangeFilter
org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment
org.apache.hadoop.hbase.zookeeper.ZKWatcher
org.apache.hadoop.hbase.zookeeper.ZKConfig
org.apache.hadoop.hbase.LocalHBaseCluster
org.apache.hadoop.hbase.classification.InterfaceStability
org.apache.hadoop.hbase.Abortable
org.apache.hadoop.hbase.util.RegionSplitter
org.apache.hadoop.hbase.coprocessor.RegionObserver
org.apache.hadoop.hbase.HBaseIOException
org.apache.hadoop.hbase.wal.WALEdit
org.apache.hadoop.hbase.Server
org.apache.hadoop.hbase.KeepDeletedCells
org.apache.hadoop.hbase.regionserver.ScannerContext
org.apache.hadoop.hbase.regionserver.OperationStatus
org.apache.hadoop.hbase.regionserver.RegionServerAccounting
org.apache.hadoop.hbase.codec.BaseDecoder
org.apache.hadoop.hbase.regionserver.MiniBatchOperationInProgress
org.apache.hadoop.hbase.security.access.Permission.Action
org.apache.hadoop.hbase.util.JVMClusterUtil.RegionServerThread
org.apache.hadoop.hbase.MetaTableAccessor
org.apache.hadoop.hbase.util.Order
org.apache.hadoop.hbase.regionserver.SimpleRpcSchedulerFactory
org.apache.hadoop.hbase.filter.InclusiveStopFilter
org.apache.hadoop.hbase.util.Strings
org.apache.hadoop.hbase.ipc.PriorityFunction
org.apache.hadoop.hbase.regionserver.DisabledRegionSplitPolicy
org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil
org.apache.hadoop.hbase.security.access.UserPermission
org.apache.hadoop.hbase.codec.BaseEncoder
org.apache.hadoop.hbase.util.Addressing
org.apache.hadoop.hbase.regionserver.RpcSchedulerFactory
org.apache.hadoop.hbase.mapreduce.MutationSerialization
org.apache.hadoop.hbase.regionserver.StoreFile.BloomType
org.apache.hadoop.hbase.master.balancer.StochasticLoadBalancer
org.apache.hadoop.hbase.coprocessor.RegionServerObserver
org.apache.hadoop.hbase.master.RegionPlan
org.apache.hadoop.hbase.security.token.TokenUtil
org.apache.hadoop.hbase.io.Reference
org.apache.hadoop.hbase.ipc.HBaseRpcController
org.apache.hadoop.hbase.IntegrationTestingUtility
org.apache.hadoop.hbase.ipc.RpcControllerFactory
org.apache.hadoop.hbase.coprocessor.RegionCoprocessor
org.apache.hadoop.hbase.filter.WhileMatchFilter
org.apache.hadoop.hbase.security.access.AccessControlClient
org.apache.hadoop.hbase.coprocessor.MasterObserver
org.apache.hadoop.hbase.ipc.PayloadCarryingRpcController
org.apache.hadoop.hbase.security.access.Permission
org.apache.hadoop.hbase.CellScannable
org.apache.hadoop.hbase.util.PositionedByteRange
org.apache.hadoop.hbase.regionserver.HRegionFileSystem
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost
org.apache.hadoop.hbase.util.Bytes.ByteArrayComparator
org.apache.hadoop.hbase.filter.ColumnPrefixFilter
org.apache.hadoop.hbase.CellComparatorImpl
org.apache.hadoop.hbase.replication.ReplicationException
org.apache.hadoop.hbase.io.FSDataInputStreamWrapper
org.apache.hadoop.hbase.regionserver.ScanOptions
org.apache.hadoop.hbase.zookeeper.MetaTableLocator
org.apache.hadoop.hbase.regionserver.IndexKeyValueSkipListSet
org.apache.hadoop.hbase.master.RegionState
org.apache.hadoop.hbase.snapshot.SnapshotManifest
org.apache.hadoop.hbase.Waiter
org.apache.hadoop.hbase.protobuf.generated.AdminProtos
org.apache.hadoop.hbase.util.PairOfSameType
org.apache.hadoop.hbase.mapreduce.PutSortReducer
org.apache.hadoop.hbase.regionserver.wal.WALActionsListener
org.apache.hadoop.hbase.util.AbstractHBaseTool
org.apache.hadoop.hbase.mapreduce.TableReducer
org.apache.hadoop.hbase.CellBuilderType
org.apache.hadoop.hbase.ipc.CoprocessorProtocol
org.apache.hadoop.hbase.codec.Codec
org.apache.hadoop.hbase.protobuf.generated.ClientProtos.MutationProto.MutationType
org.apache.hadoop.hbase.exceptions.TimeoutIOException
org.apache.hadoop.hbase.util.CancelableProgressable
org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper
org.apache.hadoop.hbase.HConstants.OperationStatusCode
org.apache.hadoop.hbase.regionserver.wal.HLog
org.apache.hadoop.hbase.regionserver.wal.WALCellCodec
org.apache.hadoop.hbase.regionserver.wal.IndexedHLogReader
org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter
org.apache.hadoop.hbase.ipc.FifoRpcScheduler
org.apache.hadoop.hbase.ipc.DelegatingHBaseRpcController
org.apache.hadoop.hbase.Size
org.apache.hadoop.hbase.RegionException
org.apache.hadoop.hbase.coprocessor.MultiRowMutationEndpoint
org.apache.hadoop.hbase.filter.ParseFilter
org.apache.hadoop.hbase.ChoreService
org.apache.hadoop.hbase.ExtendedCell
org.apache.hadoop.hbase.mapreduce.KeyValueSerialization
org.apache.hadoop.hbase.filter.SingleColumnValueExcludeFilter
org.apache.hadoop.hbase.NamespaceNotFoundException
org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos
org.apache.hadoop.hbase.regionserver.NoSuchColumnFamilyException
org.apache.hadoop.hbase.ClusterMetrics
org.apache.hadoop.hbase.io.util.LRUDictionary
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos
org.apache.hadoop.hbase.coprocessor.ObserverContextImpl
org.apache.hadoop.hbase.metrics.MetricRegistry
org.apache.hadoop.hbase.master.ServerManager
org.apache.hadoop.hbase.regionserver.Region.Operation
org.apache.hadoop.hbase.ipc.RpcScheduler
org.apache.hadoop.hbase.catalog.CatalogTracker
org.apache.hadoop.hbase.wal.WALSplitter
org.apache.hadoop.hbase.CellBuilderFactory
org.apache.hadoop.hbase.security.access.AccessController
org.apache.hadoop.hbase.mapreduce.TableRecordReader
org.apache.hadoop.hbase.regionserver.wal.HLogKey
org.apache.hadoop.hbase.replication.ReplicationEndpoint
org.apache.hadoop.hbase.protobuf.generated.ClientProtos.MutationProto
org.apache.hadoop.hbase.RegionMetrics
org.apache.hadoop.hbase.NamespaceExistException
org.apache.hadoop.hbase.filter.TimestampsFilter
org.apache.hadoop.hbase.regionserver.wal.IndexedWALEditCodec
org.apache.hadoop.hbase.regionserver.MemStore
org.apache.hadoop.hbase.ipc.RpcCall
org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils.BlockingRpcCallback
org.apache.hadoop.hbase.mapred.TableOutputFormat
org.apache.hadoop.hbase.CellBuilder
org.apache.hadoop.hbase.regionserver.querymatcher.DeleteTracker
org.apache.hadoop.hbase.security.access.AccessControlLists
org.apache.hadoop.hbase.Tag
org.apache.hadoop.hbase.regionserver.FlushRequester
org.apache.hadoop.hbase.io.hfile.Compression.Algorithm
org.apache.hadoop.hbase.filter.MultipleColumnPrefixFilter
org.apache.hadoop.hbase.wal.WALKey
org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils
org.apache.hadoop.hbase.master.MasterServices
org.apache.hadoop.hbase.zookeeper.MasterAddressTracker
org.apache.hadoop.hbase.mapreduce.KeyValueSortReducer
org.apache.hadoop.hbase.security.visibility.CellVisibility
org.apache.hadoop.hbase.security.visibility.Authorizations
org.apache.hadoop.hbase.util.DynamicClassLoader
org.apache.hadoop.hbase.coprocessor.MasterCoprocessor