下面列出了com.google.protobuf.BlockingRpcChannel#org.apache.hadoop.hbase.security.access.Permission.Action 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
@Override
public String getAccess(Action action) {
switch(action) {
case READ:
return ACCESS_TYPE_READ;
case WRITE:
return ACCESS_TYPE_WRITE;
case CREATE:
return ACCESS_TYPE_CREATE;
case ADMIN:
return ACCESS_TYPE_ADMIN;
case EXEC:
return ACCESS_TYPE_EXECUTE;
default:
return action.name().toLowerCase();
}
}
@Override
public void preAlterTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType) throws IOException {
if (!accessCheckEnabled) { return; }
for (MasterObserver observer : getAccessControllers()) {
if (tableType != PTableType.VIEW) {
observer.preModifyTable(getMasterObsevrverContext(), physicalTableName,
TableDescriptorBuilder.newBuilder(physicalTableName).build());
}
}
if (tableType == PTableType.VIEW) {
if(execPermissionsCheckEnabled) {
requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
} else {
requireAccess("Alter "+tableType, parentPhysicalTableName, Action.READ);
}
}
}
boolean canSkipAccessCheck(User user, final String operation, String access, final RegionCoprocessorEnvironment regionServerEnv) throws AccessDeniedException {
// read access to metadata tables is always allowed and isn't audited.
if (isAccessForMetaTables(regionServerEnv) && _authUtils.isReadAccess(access)) {
LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
return true;
}
// if write access is desired to metatables then global create access is sufficient
if (_authUtils.isWriteAccess(access) && isAccessForMetaTables(regionServerEnv)) {
String createAccess = _authUtils.getAccess(Action.CREATE);
AuthorizationSession session = new AuthorizationSession(hbasePlugin)
.operation(operation)
.remoteAddress(getRemoteAddress())
.user(user)
.access(createAccess)
.buildRequest()
.authorize();
if (session.isAuthorized()) {
// NOTE: this access isn't logged
LOG.debug("isKnownAccessPattern: exiting: User has global create access, allowed!");
return true;
}
}
return false;
}
@Override
public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
List<TableName> tableNamesList, List<TableDescriptor> descriptors,
String regex) throws IOException {
// Skipping as checks in this case are already done by preGetTableDescriptors.
if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
return;
}
// Retains only those which passes authorization checks, as the checks weren't done as part
// of preGetTableDescriptors.
Iterator<TableDescriptor> itr = descriptors.iterator();
while (itr.hasNext()) {
TableDescriptor htd = itr.next();
try {
requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null,
Action.ADMIN, Action.CREATE);
} catch (AccessDeniedException e) {
itr.remove();
}
}
}
@Override
public void preDropTable(ObserverContext<PhoenixMetaDataControllerEnvironment> ctx, String tenantId,
String tableName, TableName physicalTableName, TableName parentPhysicalTableName, PTableType tableType,
List<PTable> indexes) throws IOException {
if (!accessCheckEnabled) { return; }
for (MasterObserver observer : getAccessControllers()) {
if (tableType != PTableType.VIEW) {
observer.preDeleteTable(getMasterObsevrverContext(), physicalTableName);
}
if (indexes != null) {
for (PTable index : indexes) {
observer.preDeleteTable(getMasterObsevrverContext(),
TableName.valueOf(index.getPhysicalName().getBytes()));
}
}
}
//checking similar permission checked during the create of the view.
if (tableType == PTableType.VIEW || tableType == PTableType.INDEX) {
if(execPermissionsCheckEnabled) {
requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ, Action.EXEC);
} else {
requireAccess("Drop "+tableType, parentPhysicalTableName, Action.READ);
}
}
}
@Test
public void testNamespaceUserGrant() throws Exception {
AccessTestAction getAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE)) {
return t.get(new Get(TEST_ROW));
}
}
};
String namespace = TEST_TABLE.getNamespaceAsString();
// Grant namespace READ to USER_NONE, this should supersede any table permissions
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
// Now USER_NONE should be able to read
verifyAllowed(getAction, USER_NONE);
// Revoke namespace READ to USER_NONE
revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
verifyDenied(getAction, USER_NONE);
}
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
try {
AccessTestAction createAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
tableDescriptor.setColumnFamily(
new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
try (Connection connection =
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
try (Admin admin = connection.getAdmin()) {
admin.createTable(tableDescriptor);
}
}
return null;
}
};
verifyAllowed(createAction, TESTGROUP1_USER1);
verifyDenied(createAction, TESTGROUP2_USER1);
} finally {
revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
}
}
@Override
public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,
final Append append) throws IOException {
if (append.getAttribute(CHECK_COVERING_PERM) != null) {
// We had failure with table, cf and q perm checks and now giving a chance for cell
// perm check
TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
AuthResult authResult = null;
User user = getActiveUser(c);
if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),
append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {
authResult = AuthResult.allow(OpType.APPEND.toString(),
"Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
} else {
authResult = AuthResult.deny(OpType.APPEND.toString(),
"Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
}
AccessChecker.logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
throw new AccessDeniedException("Insufficient permissions " +
authResult.toContextString());
}
}
return null;
}
@Override
public void postGetProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
/*if(!procInfoList.isEmpty()) {
Iterator<Procedure<?>> itr = procInfoList.iterator();
User user = this.getActiveUser();
while(itr.hasNext()) {
Procedure procInfo = itr.next();
try {
String owner = procInfo.getOwner();
if (owner == null || !owner.equals(user.getShortName())) {
requirePermission("getProcedures", Action.ADMIN);
}
} catch (AccessDeniedException var7) {
itr.remove();
}
}
}*/
requirePermission(observerContext, "getProcedures", Action.ADMIN);
}
@Override
public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
List<TableName> tableNamesList, List<TableDescriptor> descriptors,
String regex) throws IOException {
// We are delegating the authorization check to postGetTableDescriptors as we don't have
// any concrete set of table names when a regex is present or the full list is requested.
if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
// Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the
// request can be granted.
try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
for (TableName tableName : tableNamesList) {
// Skip checks for a table that does not exist
if (!admin.tableExists(tableName)) {
continue;
}
requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN,
Action.CREATE);
}
}
}
}
@Test
public void testGlobalPermissionList() throws Exception {
List<UserPermission> perms = systemUserConnection.getAdmin()
.getUserPermissions(GetUserPermissionsRequest.newBuilder().build());
Collection<String> superUsers = Superusers.getSuperUsers();
List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1);
adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Permission.newBuilder()
.withActions(Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE).build()));
for (String user : superUsers) {
// Global permission
adminPerms.add(
new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build()));
}
assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
"per setup", perms.size() == 5 + superUsers.size() &&
hasFoundUserPermission(adminPerms, perms));
}
/**
* Checks that the user has the given global or namespace permission.
* @param user Active user to which authorization checks should be applied
* @param request Request type
* @param namespace Name space as requested
* @param filterUser User name to be filtered from permission as requested
* @param permissions Actions being requested
*/
public void requireNamespacePermission(User user, String request, String namespace,
String filterUser, Action... permissions) throws IOException {
AuthResult result = null;
for (Action permission : permissions) {
if (authManager.authorizeUserNamespace(user, namespace, permission)) {
result =
AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
break;
} else {
// rest of the world
result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
}
}
result.getParams().addExtraParam("filterUser", filterUser);
logResult(result);
if (!result.isAllowed()) {
throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
}
}
/**
* Convert a client user permission to a user permission shaded proto.
*/
public static AccessControlProtos.Permission.Action toPermissionAction(Permission.Action action) {
switch (action) {
case READ:
return AccessControlProtos.Permission.Action.READ;
case WRITE:
return AccessControlProtos.Permission.Action.WRITE;
case EXEC:
return AccessControlProtos.Permission.Action.EXEC;
case CREATE:
return AccessControlProtos.Permission.Action.CREATE;
case ADMIN:
return AccessControlProtos.Permission.Action.ADMIN;
}
throw new IllegalArgumentException("Unknown action value " + action.name());
}
/**
* Authorizes that the current user has any of the given permissions for the
* given table, column family and column qualifier.
*
* @param user Active user to which authorization checks should be applied
* @param request Request type
* @param tableName Table requested
* @param family Column family requested
* @param qualifier Column qualifier requested
* @param filterUser User name to be filtered from permission as requested
* @param permissions Actions being requested
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if user has no authorization
*/
public void requirePermission(User user, String request, TableName tableName, byte[] family,
byte[] qualifier, String filterUser, Action... permissions) throws IOException {
AuthResult result = null;
for (Action permission : permissions) {
if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {
result = AuthResult.allow(request, "Table permission granted",
user, permission, tableName, family, qualifier);
break;
} else {
// rest of the world
result = AuthResult.deny(request, "Insufficient permissions",
user, permission, tableName, family, qualifier);
}
}
result.getParams().addExtraParam("filterUser", filterUser);
logResult(result);
if (!result.isAllowed()) {
throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
}
}
@Test
public void testBuildTablePermission() {
TableName tableName = TableName.valueOf("ns", "table");
byte[] family = Bytes.toBytes("f");
byte[] qualifier = Bytes.toBytes("q");
// check table permission without family or qualifier
Permission permission =
Permission.newBuilder(tableName).withActions(Action.WRITE, Action.READ).build();
assertTrue(permission instanceof TablePermission);
assertEquals(2, permission.getActions().length);
assertEquals(Action.READ, permission.getActions()[0]);
assertEquals(Action.WRITE, permission.getActions()[1]);
TablePermission tPerm = (TablePermission) permission;
assertEquals(tableName, tPerm.getTableName());
assertEquals(null, tPerm.getFamily());
assertEquals(null, tPerm.getQualifier());
// check table permission with family
permission =
Permission.newBuilder(tableName).withFamily(family).withActions(Action.EXEC).build();
assertTrue(permission instanceof TablePermission);
assertEquals(1, permission.getActions().length);
assertEquals(Action.EXEC, permission.getActions()[0]);
tPerm = (TablePermission) permission;
assertEquals(tableName, tPerm.getTableName());
assertTrue(Bytes.equals(family, tPerm.getFamily()));
assertTrue(Bytes.equals(null, tPerm.getQualifier()));
// check table permission with family and qualifier
permission =
Permission.newBuilder(tableName).withFamily(family).withQualifier(qualifier).build();
assertTrue(permission instanceof TablePermission);
assertEquals(0, permission.getActions().length);
tPerm = (TablePermission) permission;
assertEquals(tableName, tPerm.getTableName());
assertTrue(Bytes.equals(family, tPerm.getFamily()));
assertTrue(Bytes.equals(qualifier, tPerm.getQualifier()));
}
@Test
public void testBuildGlobalPermission() {
// check global permission with empty action
Permission permission = Permission.newBuilder().build();
assertTrue(permission instanceof GlobalPermission);
assertEquals(0, permission.getActions().length);
// check global permission with ADMIN action
permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("A")).build();
assertTrue(permission instanceof GlobalPermission);
assertEquals(1, permission.getActions().length);
assertTrue(permission.getActions()[0] == Action.ADMIN);
byte[] qualifier = Bytes.toBytes("q");
try {
permission = Permission.newBuilder().withQualifier(qualifier)
.withActions(Action.CREATE, Action.READ).build();
fail("Should throw NPE");
} catch (NullPointerException e) {
// catch NPE because set qualifier but table name is null
}
permission = Permission.newBuilder().withActionCodes(Bytes.toBytes("ACP"))
.withActions(Action.READ, Action.ADMIN).build();
assertEquals(3, permission.getActions().length);
assertEquals(Action.READ, permission.getActions()[0]);
assertEquals(Action.CREATE, permission.getActions()[1]);
assertEquals(Action.ADMIN, permission.getActions()[2]);
}
/**
* Returns <code>true</code> if the current user is allowed the given action
* over at least one of the column qualifiers in the given column families.
*/
private boolean hasFamilyQualifierPermission(User user,
Action perm,
RegionCoprocessorEnvironment env,
Map<byte[], ? extends Collection<byte[]>> familyMap)
throws IOException {
RegionInfo hri = env.getRegion().getRegionInfo();
TableName tableName = hri.getTable();
if (user == null) {
return false;
}
if (familyMap != null && familyMap.size() > 0) {
// at least one family must be allowed
for (Map.Entry<byte[], ? extends Collection<byte[]>> family :
familyMap.entrySet()) {
if (family.getValue() != null && !family.getValue().isEmpty()) {
for (byte[] qualifier : family.getValue()) {
if (getAuthManager().authorizeUserTable(user, tableName,
family.getKey(), qualifier, perm)) {
return true;
}
}
} else {
if (getAuthManager().authorizeUserFamily(user, tableName, family.getKey(), perm)) {
return true;
}
}
}
} else if (LOG.isDebugEnabled()) {
LOG.debug("Empty family map passed for permission check");
}
return false;
}
@Test
public void testAclTableEntries() throws Exception {
String userTestNamespace = "userTestNsp";
Table acl = UTIL.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
try {
ListMultimap<String, UserPermission> perms =
PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
for (Map.Entry<String, UserPermission> entry : perms.entries()) {
LOG.debug(Objects.toString(entry));
}
assertEquals(6, perms.size());
// Grant and check state in ACL table
grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
Permission.Action.WRITE);
Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
assertTrue(result != null);
perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(7, perms.size());
List<UserPermission> namespacePerms = perms.get(userTestNamespace);
assertTrue(perms.containsKey(userTestNamespace));
assertEquals(1, namespacePerms.size());
assertEquals(TEST_NAMESPACE,
((NamespacePermission) namespacePerms.get(0).getPermission()).getNamespace());
assertEquals(1, namespacePerms.get(0).getPermission().getActions().length);
assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getPermission().getActions()[0]);
// Revoke and check state in ACL table
revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
Permission.Action.WRITE);
perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(6, perms.size());
} finally {
acl.close();
}
}
@Test
public void testTableDeletion() throws Exception {
User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
final TableName tableName = TableName.valueOf(name.getMethodName());
createTestTable(tableName);
// Grant TABLE ADMIN privs
grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tableName, null, null, Permission.Action.ADMIN);
AccessTestAction deleteTableAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Connection unmanagedConnection =
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Admin admin = unmanagedConnection.getAdmin();
try {
deleteTable(TEST_UTIL, admin, tableName);
} finally {
admin.close();
unmanagedConnection.close();
}
return null;
}
};
verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE);
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
@Override
public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc)
throws IOException {
// TODO: potentially check if this is a add/modify/delete column operation
requirePermission(c, "modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
return newDesc;
}
@Override
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,
final Increment increment)
throws IOException {
User user = getActiveUser(c);
checkForReservedTagPresence(user, increment);
// Require WRITE permission to the table, CF, and the KV to be replaced by
// the incremented value
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();
AuthResult authResult = permissionGranted(OpType.INCREMENT,
user, env, families, Action.WRITE);
AccessChecker.logResult(authResult);
if (!authResult.isAllowed()) {
if (cellFeaturesEnabled && !compatibleEarlyTermination) {
increment.setAttribute(CHECK_COVERING_PERM, TRUE);
} else if (authorizationEnabled) {
throw new AccessDeniedException("Insufficient permissions " +
authResult.toContextString());
}
}
byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
if (bytes != null) {
if (cellFeaturesEnabled) {
addCellPermissions(bytes, increment.getFamilyCellMap());
} else {
throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
}
}
return null;
}
/**
* Check the current user for authorization to perform a specific action
* against the given set of row data.
* @param opType the operation type
* @param user the user
* @param e the coprocessor environment
* @param families the map of column families to qualifiers present in
* the request
* @param actions the desired actions
* @return an authorization result
*/
private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
Map<byte [], ? extends Collection<?>> families, Action... actions) {
AuthResult result = null;
for (Action action: actions) {
result = accessChecker.permissionGranted(opType.toString(), user, action,
e.getRegion().getRegionInfo().getTable(), families);
if (!result.isAllowed()) {
return result;
}
}
return result;
}
@Override
public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,
MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {
if (cellFeaturesEnabled && !compatibleEarlyTermination) {
TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();
User user = getActiveUser(c);
for (int i = 0; i < miniBatchOp.size(); i++) {
Mutation m = miniBatchOp.getOperation(i);
if (m.getAttribute(CHECK_COVERING_PERM) != null) {
// We have a failure with table, cf and q perm checks and now giving a chance for cell
// perm check
OpType opType;
if (m instanceof Put) {
checkForReservedTagPresence(user, m);
opType = OpType.PUT;
} else {
opType = OpType.DELETE;
}
AuthResult authResult = null;
if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),
m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) {
authResult = AuthResult.allow(opType.toString(), "Covering cell set",
user, Action.WRITE, table, m.getFamilyCellMap());
} else {
authResult = AuthResult.deny(opType.toString(), "Covering cell set",
user, Action.WRITE, table, m.getFamilyCellMap());
}
AccessChecker.logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
throw new AccessDeniedException("Insufficient permissions "
+ authResult.toContextString());
}
}
}
}
}
@Override
public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
RegionCoprocessorEnvironment env = e.getEnvironment();
final Region region = env.getRegion();
if (region == null) {
LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
} else {
RegionInfo regionInfo = region.getRegionInfo();
if (isSpecialTable(regionInfo)) {
requireSystemOrSuperUser(regionEnv.getConfiguration(),e);
} else {
requirePermission(e, "open", getTableName(e.getEnvironment()), Action.ADMIN);
}
}
}
@Test
public void testCreateWithCorrectOwner() throws Exception {
// Create a test user
final User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser",
new String[0]);
// Grant the test user the ability to create tables
SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE);
verifyAllowed(new AccessTestAction() {
@Override
public Object run() throws Exception {
TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
tableDescriptor.setColumnFamily(
new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
try (Connection connection =
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), testUser)) {
try (Admin admin = connection.getAdmin()) {
createTable(TEST_UTIL, admin, tableDescriptor);
}
}
return null;
}
}, testUser);
TEST_UTIL.waitTableAvailable(testTable.getTableName());
// Verify that owner permissions have been granted to the test user on the
// table just created
List<UserPermission> perms = PermissionStorage
.getTablePermissions(conf, testTable.getTableName()).get(testUser.getShortName());
assertNotNull(perms);
assertFalse(perms.isEmpty());
// Should be RWXCA
assertTrue(perms.get(0).getPermission().implies(Permission.Action.READ));
assertTrue(perms.get(0).getPermission().implies(Permission.Action.WRITE));
assertTrue(perms.get(0).getPermission().implies(Permission.Action.EXEC));
assertTrue(perms.get(0).getPermission().implies(Permission.Action.CREATE));
assertTrue(perms.get(0).getPermission().implies(Permission.Action.ADMIN));
}
/**
* Authorization check for
* SecureBulkLoadProtocol.prepareBulkLoad()
* @param ctx the context
* @throws IOException
*/
@Override
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
requireAccess(ctx, "prePrepareBulkLoad",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
Action.CREATE);
}
private void preGetUserPermissions(User caller, String userName, String namespace,
TableName tableName, byte[] family, byte[] qualifier) throws IOException {
if (tableName != null) {
accessChecker.requirePermission(caller, "getUserPermissions", tableName, family, qualifier,
userName, Action.ADMIN);
} else if (namespace != null) {
accessChecker.requireNamespacePermission(caller, "getUserPermissions", namespace, userName,
Action.ADMIN);
} else {
accessChecker.requirePermission(caller, "getUserPermissions", userName, Action.ADMIN);
}
}
public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
Action... permissions) throws IOException {
accessChecker.requireNamespacePermission(getActiveUser(ctx),
request, namespace, tableName, familyMap,
permissions);
}
/**
* Converts a list of Permission.Action shaded proto to an array of client Permission.Action
* objects.
* @param protoActions the list of shaded protobuf Actions
* @return the converted array of Actions
*/
public static Permission.Action[]
toPermissionActions(List<AccessControlProtos.Permission.Action> protoActions) {
Permission.Action[] actions = new Permission.Action[protoActions.size()];
for (int i = 0; i < protoActions.size(); i++) {
actions[i] = toPermissionAction(protoActions.get(i));
}
return actions;
}
@Override
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
throws IOException {
// Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.
requirePermission(ctx, "snapshot " + snapshot.getName(),
hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
}