下面列出了org.apache.hadoop.hbase.security.User#getGroupNames ( ) 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
/**
 * Decides whether {@code user} holds {@code action} at global scope.
 *
 * <p>Access is granted when the user is a superuser, when the global cache holds a matching
 * grant under the user's short name, or when it holds one under the group entry of any group
 * the user belongs to. Every other outcome, including a {@code null} user, is a denial.
 *
 * @param user the user to check; {@code null} is denied
 * @param action one of [Read, Write, Create, Exec, Admin]
 * @return {@code true} if the action is permitted, {@code false} otherwise
 */
public boolean authorizeUserGlobal(User user, Permission.Action action) {
  // Fail closed: an absent identity never authorizes anything.
  if (user == null) {
    return false;
  }
  // The superuser test runs first, so a superuser is allowed without any cache lookup.
  boolean permitted = Superusers.isSuperUser(user)
    || authorizeGlobal(globalCache.get(user.getShortName()), action);
  if (!permitted) {
    // Group grants are looked up under AuthUtil.toGroupEntry(group), not the bare group name.
    // NOTE(review): the group array is used without a null check - confirm getGroupNames()
    // never returns null.
    String[] groups = user.getGroupNames();
    for (int i = 0; i < groups.length && !permitted; i++) {
      permitted = authorizeGlobal(globalCache.get(AuthUtil.toGroupEntry(groups[i])), action);
    }
  }
  return permitted;
}
/**
 * Decides whether {@code user} holds {@code action} within {@code namespace}.
 *
 * <p>{@link #authorizeUserGlobal} is consulted first, so anything it allows is allowed here as
 * well. Otherwise the namespace's permission cache is checked for the user's short name and
 * then for the group entry of each of the user's groups. A namespace with no cache entry falls
 * back to {@code NS_NO_PERMISSION}.
 *
 * @param user the user to check; {@code null} is denied
 * @param namespace the namespace being accessed
 * @param action one of [Read, Write, Create, Exec, Admin]
 * @return {@code true} if the action is permitted, {@code false} otherwise
 */
public boolean authorizeUserNamespace(User user, String namespace, Permission.Action action) {
  // Fail closed on a missing identity.
  if (user == null) {
    return false;
  }
  if (authorizeUserGlobal(user, action)) {
    return true;
  }
  PermissionCache<NamespacePermission> grants =
    namespaceCache.getOrDefault(namespace, NS_NO_PERMISSION);
  if (authorizeNamespace(grants.get(user.getShortName()), namespace, action)) {
    return true;
  }
  // Group grants live under the key produced by AuthUtil.toGroupEntry.
  String[] groups = user.getGroupNames();
  int idx = 0;
  while (idx < groups.length) {
    if (authorizeNamespace(grants.get(AuthUtil.toGroupEntry(groups[idx])), namespace, action)) {
      return true;
    }
    idx++;
  }
  return false;
}
/**
 * Checks whether the user has access to the full table, or to at least one family/qualifier
 * of it, for the given action.
 *
 * <p>{@link #authorizeUserNamespace} is consulted first for the table's namespace. A
 * {@code null} table is evaluated as {@code PermissionStorage.ACL_TABLE_NAME}.
 *
 * @param user the user to check; {@code null} is denied
 * @param table the table being accessed, or {@code null} for the ACL table
 * @param action one of [Read, Write, Create, Exec, Admin]
 * @return {@code true} if the user has access to the table, {@code false} otherwise
 */
public boolean accessUserTable(User user, TableName table, Permission.Action action) {
  // Fail closed on a missing identity.
  if (user == null) {
    return false;
  }
  TableName target = (table != null) ? table : PermissionStorage.ACL_TABLE_NAME;
  if (authorizeUserNamespace(user, target.getNamespaceAsString(), action)) {
    return true;
  }
  PermissionCache<TablePermission> grants = tableCache.getOrDefault(target, TBL_NO_PERMISSION);
  boolean granted = hasAccessTable(grants.get(user.getShortName()), action);
  if (!granted) {
    // Fall back to grants recorded under each group's entry key.
    for (String memberOf : user.getGroupNames()) {
      if (hasAccessTable(grants.get(AuthUtil.toGroupEntry(memberOf)), action)) {
        granted = true;
        break;
      }
    }
  }
  return granted;
}
/**
 * Decides whether {@code user} holds {@code action} at table:family:qualifier scope.
 *
 * <p>{@link #authorizeUserNamespace} is consulted first for the table's namespace. A
 * {@code null} table is evaluated as {@code PermissionStorage.ACL_TABLE_NAME}. Table grants
 * are then checked for the user's short name and for the group entry of each of the user's
 * groups.
 *
 * @param user the user to check; {@code null} is denied
 * @param table the table being accessed, or {@code null} for the ACL table
 * @param family the column family
 * @param qualifier the column qualifier
 * @param action one of [Read, Write, Create, Exec, Admin]
 * @return {@code true} if the action is permitted, {@code false} otherwise
 */
public boolean authorizeUserTable(User user, TableName table, byte[] family,
    byte[] qualifier, Permission.Action action) {
  // Fail closed on a missing identity.
  if (user == null) {
    return false;
  }
  TableName target = (table == null) ? PermissionStorage.ACL_TABLE_NAME : table;
  if (authorizeUserNamespace(user, target.getNamespaceAsString(), action)) {
    return true;
  }
  PermissionCache<TablePermission> grants = tableCache.getOrDefault(target, TBL_NO_PERMISSION);
  if (authorizeTable(grants.get(user.getShortName()), target, family, qualifier, action)) {
    return true;
  }
  // Group grants are keyed by AuthUtil.toGroupEntry(group).
  String[] groups = user.getGroupNames();
  for (int i = 0; i < groups.length; i++) {
    String groupKey = AuthUtil.toGroupEntry(groups[i]);
    if (authorizeTable(grants.get(groupKey), target, family, qualifier, action)) {
      return true;
    }
  }
  return false;
}
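/**
 * Decides whether {@code user} holds {@code action} at table:family scope.
 * This method is for backward compatibility.
 *
 * <p>Only the table-level permission cache is consulted, first under the user's short name
 * and then under the group entry of each of the user's groups.
 *
 * @param user the user to check; {@code null} is denied
 * @param table the table being accessed
 * @param family the column family
 * @param action one of [Read, Write, Create, Exec, Admin]
 * @return {@code true} if the action is permitted, {@code false} otherwise
 */
public boolean authorizeUserFamily(User user, TableName table,
    byte[] family, Permission.Action action) {
  // Deny a missing identity instead of failing with a NullPointerException on getShortName(),
  // matching the other authorizeUser* checks.
  if (user == null) {
    return false;
  }
  // NOTE(review): unlike authorizeUserTable, this does not map a null table to the ACL table
  // and does not consult namespace or global grants - confirm callers rely on that.
  PermissionCache<TablePermission> tblPermissions = tableCache.getOrDefault(table,
    TBL_NO_PERMISSION);
  if (authorizeFamily(tblPermissions.get(user.getShortName()), table, family, action)) {
    return true;
  }
  // Group grants are keyed by AuthUtil.toGroupEntry(group), not the bare group name.
  for (String group : user.getGroupNames()) {
    if (authorizeFamily(tblPermissions.get(AuthUtil.toGroupEntry(group)),
        table, family, action)) {
      return true;
    }
  }
  return false;
}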
/**
 * Reports whether {@code user} is a superuser: either the short name is in the superuser list
 * or one of the user's groups is in the supergroup list.
 *
 * @param user the user to check
 * @return {@code true} if the user is a superuser (whether as user running process, declared
 *         as individual superuser or member of supergroup), {@code false} otherwise
 * @throws IllegalStateException if lists of superusers/super groups haven't been initialized
 *         properly
 */
public static boolean isSuperUser(User user) {
  // Refuse to answer from uninitialized state rather than silently returning false.
  // NOTE(review): only superUsers is tested here; superGroups is presumably initialized
  // together with it - confirm.
  if (superUsers == null) {
    throw new IllegalStateException("Super users/super groups lists"
      + " haven't been initialized properly.");
  }
  boolean isSuper = superUsers.contains(user.getShortName());
  if (!isSuper) {
    // Supergroup membership is matched on the bare group name.
    String[] groups = user.getGroupNames();
    for (int i = 0; i < groups.length; i++) {
      if (superGroups.contains(groups[i])) {
        isSuper = true;
        break;
      }
    }
  }
  return isSuper;
}
/**
 * Returns the groups of {@code user} as a new set, dropping any duplicate names.
 *
 * @param user the user whose groups are wanted
 * @return a new {@link HashSet} holding the names from {@code user.getGroupNames()}
 * @throws IllegalArgumentException if {@code user} is {@code null}
 */
@Override
public Set<String> getUserGroups(User user) {
  // Reject a missing identity up front; there is no meaningful "groups of nobody".
  if (user == null) {
    throw new IllegalArgumentException("User is null!");
  }
  // NOTE(review): a null array from getGroupNames() would fail inside Arrays.asList -
  // confirm it always returns an array.
  String[] memberOf = user.getGroupNames();
  return new HashSet<String>(Arrays.asList(memberOf));
}
/**
 * Decides whether {@code user} may perform {@code action} on {@code table}, either directly
 * or through one of the user's groups.
 *
 * <p>The auth manager obtained from {@code accessChecker} is asked about the user first and
 * then about each group name. Group names are passed as returned by
 * {@code user.getGroupNames()}.
 *
 * @param accessChecker source of the auth manager that answers the checks
 * @param user the user to check
 * @param table the table being accessed
 * @param action the requested action
 * @return {@code true} if the user or any of the user's groups has access, {@code false}
 *         otherwise
 */
public static boolean authorizeUserTable(AccessChecker accessChecker, User user,
    TableName table, Permission.Action action) {
  if (accessChecker.getAuthManager().userHasAccess(user, table, action)) {
    return true;
  }
  // NOTE(review): user is dereferenced here without a null check - confirm callers never
  // pass null.
  String[] memberOf = user.getGroupNames();
  if (memberOf == null) {
    // No group information: nothing further can grant access.
    return false;
  }
  for (int i = 0; i < memberOf.length; i++) {
    if (accessChecker.getAuthManager().groupHasAccess(memberOf[i], table, action)) {
      return true;
    }
  }
  return false;
}
/**
 * Decides whether {@code user} may perform {@code action} on {@code table}, either directly
 * or through one of the user's groups.
 *
 * <p>The auth manager obtained from {@code accessChecker} is asked about the user first and
 * then about each group name. Group names are passed as returned by
 * {@code user.getGroupNames()}.
 *
 * @param accessChecker source of the auth manager that answers the checks
 * @param user the user to check
 * @param table the table being accessed
 * @param action the requested action
 * @return {@code true} if the user or any of the user's groups has access, {@code false}
 *         otherwise
 */
public static boolean authorizeUserTable(AccessChecker accessChecker, User user,
    TableName table, Permission.Action action) {
  if (accessChecker.getAuthManager().userHasAccess(user, table, action)) {
    return true;
  }
  // NOTE(review): user is dereferenced here without a null check - confirm callers never
  // pass null.
  String[] memberOf = user.getGroupNames();
  boolean viaGroup = false;
  if (memberOf != null) {
    // The first group with access settles the answer; the remaining groups are not checked.
    for (String groupName : memberOf) {
      if (accessChecker.getAuthManager().groupHasAccess(groupName, table, action)) {
        viaGroup = true;
        break;
      }
    }
  }
  return viaGroup;
}
/**
 * Translates a protobuf revoke request into a {@code GrantRevokeRequest}.
 *
 * <p>The resource is expressed as table / column family / column. Any of the three that the
 * request leaves unset becomes {@code RangerHBaseResource.WILDCARD}, and a namespace is folded
 * into the table name as namespace + {@code NAMESPACE_SEPARATOR} + table. The grantor and the
 * grantor's groups come from {@code getActiveUser(null)}; the grantee comes from the request.
 * The returned request lists all five access types and has delegate-admin,
 * replace-existing-permissions and audit switched on.
 *
 * @param request the incoming revoke request
 * @return the populated request
 * @throws Exception if the permission is null, the grantee name is empty, or no
 *         namespace/table/family/qualifier could be derived from the request
 */
private GrantRevokeRequest createRevokeData(AccessControlProtos.RevokeRequest request) throws Exception {
  AccessControlProtos.UserPermission up = request.getUserPermission();
  AccessControlProtos.Permission perm = up == null ? null : up.getPermission();
  UserPermission userPerm = up == null ? null : AccessControlUtil.toUserPermission(up);
  String userName = userPerm == null ? null : Bytes.toString(userPerm.getUser());
  String nameSpace = null;
  String tableName = null;
  String colFamily = null;
  String qualifier = null;
  // Validate before building anything: a request without a permission or a grantee is rejected.
  if(perm == null) {
    throw new Exception("revoke(): invalid data - permission is null");
  }
  if(StringUtil.isEmpty(userName)) {
    throw new Exception("revoke(): invalid data - username empty");
  }
  // There is no default branch: a type other than Global/Table/Namespace leaves all four
  // fields null and is rejected by the emptiness check below (assuming StringUtil.isEmpty
  // treats null as empty).
  switch(perm.getType()) {
    case Global :
      tableName = colFamily = qualifier = RangerHBaseResource.WILDCARD;
    break;
    case Table :
      tableName = Bytes.toString(userPerm.getTableName().getName());
      colFamily = Bytes.toString(userPerm.getFamily());
      qualifier = Bytes.toString(userPerm.getQualifier());
    break;
    case Namespace:
      nameSpace = userPerm.getNamespace();
    break;
  }
  if(StringUtil.isEmpty(nameSpace) && StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
    throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
  }
  // Anything still unset widens to the wildcard, so a namespace-only request ends up as
  // namespace + separator + wildcard with wildcard family and qualifier.
  tableName = StringUtil.isEmpty(tableName) ? RangerHBaseResource.WILDCARD : tableName;
  colFamily = StringUtil.isEmpty(colFamily) ? RangerHBaseResource.WILDCARD : colFamily;
  qualifier = StringUtil.isEmpty(qualifier) ? RangerHBaseResource.WILDCARD : qualifier;
  if(! StringUtil.isEmpty(nameSpace)) {
    tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName;
  }
  // NOTE(review): when getActiveUser(null) returns null the request is built with a null
  // grantor and no grantor groups - confirm the consumer of this request rejects that case.
  User activeUser = getActiveUser(null);
  String grantor = activeUser != null ? activeUser.getShortName() : null;
  String[] groups = activeUser != null ? activeUser.getGroupNames() : null;
  Set<String> grantorGroups = null;
  // An empty group array is passed on as null, not as an empty set.
  if (groups != null && groups.length > 0) {
    grantorGroups = new HashSet<>(Arrays.asList(groups));
  }
  Map<String, String> mapResource = new HashMap<String, String>();
  mapResource.put(RangerHBaseResource.KEY_TABLE, tableName);
  mapResource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily);
  mapResource.put(RangerHBaseResource.KEY_COLUMN, qualifier);
  GrantRevokeRequest ret = new GrantRevokeRequest();
  ret.setGrantor(grantor);
  ret.setGrantorGroups(grantorGroups);
  ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
  ret.setEnableAudit(Boolean.TRUE);
  ret.setReplaceExistingPermissions(Boolean.TRUE);
  ret.setResource(mapResource);
  // Client and remote address are both taken from getRemoteAddress(); forwarded addresses are
  // not recorded, so behind a proxy the recorded address is presumably the proxy's.
  ret.setClientIPAddress(getRemoteAddress());
  ret.setForwardedAddresses(null);//TODO: Need to check with Knox proxy how they handle forwarded add.
  ret.setRemoteIPAddress(getRemoteAddress());
  ret.setRequestData(up.toString());
  // A grantee name that starts with GROUP_PREFIX denotes a group; the prefix is stripped.
  // NOTE(review): a grantee equal to the bare prefix yields an empty group name - confirm
  // downstream handling.
  if(userName.startsWith(GROUP_PREFIX)) {
    ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
  } else {
    ret.getUsers().add(userName);
  }
  // revoke removes all permissions
  ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_READ);
  ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
  ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
  ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
  ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
  return ret;
}
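/**
 * Collects the cell-level permissions that apply to {@code user} from the ACL tags carried by
 * {@code cell}.
 *
 * <p>Every tag of type {@code ACL_TAG_TYPE} is deserialized into a user-to-permissions map.
 * The entries stored under the user's short name and under the group entry of each of the
 * user's groups are appended to the result.
 *
 * @param user the user whose permissions are wanted
 * @param cell the cell whose tags are inspected
 * @return the matching permissions, possibly empty, or {@code null} when the cell carries no
 *         tags at all; callers must handle both
 * @throws IOException declared by this method; presumably raised while deserializing a tag
 */
public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
    throws IOException {
  // Save an object allocation where we can
  if (cell.getTagsLength() == 0) {
    return null;
  }
  List<Permission> results = Lists.newArrayList();
  Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell);
  while (tagsIterator.hasNext()) {
    Tag tag = tagsIterator.next();
    if (tag.getType() != ACL_TAG_TYPE) {
      continue;
    }
    // Deserialize the table permissions from the KV
    // TODO: This can be improved. Don't build UsersAndPermissions just to unpack it again,
    // use the builder
    AccessControlProtos.UsersAndPermissions.Builder builder =
      AccessControlProtos.UsersAndPermissions.newBuilder();
    if (tag.hasArray()) {
      ProtobufUtil.mergeFrom(builder, tag.getValueArray(), tag.getValueOffset(),
        tag.getValueLength());
    } else {
      ProtobufUtil.mergeFrom(builder, Tag.cloneValue(tag));
    }
    ListMultimap<String, Permission> kvPerms =
      AccessControlUtil.toUsersAndPermissions(builder.build());
    // Are there permissions for this user?
    List<Permission> userPerms = kvPerms.get(user.getShortName());
    if (userPerms != null) {
      results.addAll(userPerms);
    }
    // Are there permissions for any of the groups this user belongs to?
    String[] groupNames = user.getGroupNames();
    if (groupNames != null) {
      for (String group : groupNames) {
        List<Permission> groupPerms = kvPerms.get(AuthUtil.toGroupEntry(group));
        // Guard the list that is about to be added. The original tested `results`, which is
        // never null here, so the check protected nothing.
        if (groupPerms != null) {
          results.addAll(groupPerms);
        }
      }
    }
  }
  return results;
}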