Class SecurityOperation
- java.lang.Object
-
- org.apache.accumulo.server.security.SecurityOperation
-
- Direct Known Subclasses:
AuditedSecurityOperation
public class SecurityOperation extends Object
Utility class for performing various security operations with the appropriate checks
-
-
Field Summary
Fields
Modifier and Type Field Description
protected Authenticator
authenticator
protected Authorizor
authorizor
protected AccumuloServerContext
context
protected boolean
isKerberos
protected PermissionHandler
permHandle
-
Constructor Summary
Constructors
Modifier Constructor Description
protected
SecurityOperation(AccumuloServerContext context)
SecurityOperation(AccumuloServerContext context, Authorizor author, Authenticator authent, PermissionHandler pm)
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type Method Description
protected void
_createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations)
protected boolean
_hasNamespacePermission(String user, String namespace, NamespacePermission permission, boolean useCached)
Checks if a user has a namespace permission.
This cannot check if a system user has permission.
protected boolean
_hasTablePermission(String user, String table, TablePermission permission, boolean useCached)
Checks if a user has a table permission.
This cannot check if a system user has permission.
protected void
authenticate(TCredentials credentials)
boolean
authenticatedUserHasAuthorizations(TCredentials credentials, List<ByteBuffer> list)
Check if an already authenticated user has specified authorizations.
boolean
authenticateUser(TCredentials credentials, TCredentials toAuth)
boolean
canAlterNamespace(TCredentials credentials, String namespaceId)
boolean
canAlterTable(TCredentials c, String tableId, String namespaceId)
boolean
canAskAboutUser(TCredentials credentials, String user)
boolean
canBulkImport(TCredentials c, String tableId, String namespaceId)
boolean
canBulkImport(TCredentials c, String tableId, String tableName, String dir, String failDir, String namespaceId)
boolean
canChangeAuthorizations(TCredentials c, String user)
boolean
canChangePassword(TCredentials c, String user)
boolean
canCloneTable(TCredentials c, String tableId, String tableName, String destinationNamespaceId, String srcNamespaceId)
boolean
canCompact(TCredentials c, String tableId, String namespaceId)
boolean
canConditionallyUpdate(TCredentials credentials, String tableID, String namespaceId, List<ByteBuffer> authorizations)
boolean
canCreateNamespace(TCredentials credentials, String namespace)
boolean
canCreateTable(TCredentials c, String table, String namespaceId)
boolean
canCreateUser(TCredentials c, String user)
boolean
canDeleteNamespace(TCredentials credentials, String namespaceId)
boolean
canDeleteRange(TCredentials c, String tableId, String tableName, org.apache.hadoop.io.Text startRow, org.apache.hadoop.io.Text endRow, String namespaceId)
boolean
canDeleteTable(TCredentials c, String tableId, String namespaceId)
boolean
canDropUser(TCredentials c, String user)
boolean
canExport(TCredentials credentials, String tableId, String tableName, String exportDir, String namespaceId)
boolean
canFlush(TCredentials c, String tableId, String namespaceId)
boolean
canGrantNamespace(TCredentials c, String user, String namespace)
boolean
canGrantSystem(TCredentials c, String user, SystemPermission sysPerm)
boolean
canGrantTable(TCredentials c, String user, String tableId, String namespaceId)
boolean
canImport(TCredentials credentials, String tableName, String importDir, String namespaceId)
boolean
canMerge(TCredentials c, String tableId, String namespaceId)
boolean
canObtainDelegationToken(TCredentials credentials)
boolean
canOnlineOfflineTable(TCredentials c, String tableId, FateOperation op, String namespaceId)
boolean
canPerformSystemActions(TCredentials credentials)
This is the check required to perform any system action.
boolean
canRenameNamespace(TCredentials credentials, String namespaceId, String oldName, String newName)
boolean
canRenameTable(TCredentials c, String tableId, String oldTableName, String newTableName, String namespaceId)
boolean
canRevokeNamespace(TCredentials c, String user, String namespace)
boolean
canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm)
boolean
canRevokeTable(TCredentials c, String user, String tableId, String namespaceId)
boolean
canScan(TCredentials credentials, String tableId, String namespaceId)
boolean
canScan(TCredentials credentials, String table, String namespaceId, Map<TKeyExtent,List<TRange>> tbatch, List<TColumn> tcolumns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations)
boolean
canScan(TCredentials credentials, String tableId, String namespaceId, TRange range, List<TColumn> columns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations)
boolean
canSplitTablet(TCredentials credentials, String tableId, String namespaceId)
boolean
canWrite(TCredentials credentials, String tableId, String namespaceId)
void
changeAuthorizations(TCredentials credentials, String user, Authorizations authorizations)
void
changePassword(TCredentials credentials, Credentials toChange)
void
createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations)
void
deleteNamespace(TCredentials credentials, String namespace)
void
deleteTable(TCredentials credentials, String tableId, String namespaceId)
void
dropUser(TCredentials credentials, String user)
protected static Authenticator
getAuthenticator(String instanceId, boolean initialize)
protected static Authorizor
getAuthorizor(String instanceId, boolean initialize)
static SecurityOperation
getInstance(AccumuloServerContext context, boolean initialize)
protected static PermissionHandler
getPermHandler(String instanceId, boolean initialize)
String
getRootUsername()
Authorizations
getUserAuthorizations(TCredentials credentials)
Authorizations
getUserAuthorizations(TCredentials credentials, String user)
void
grantNamespacePermission(TCredentials c, String user, String namespace, NamespacePermission permission)
void
grantSystemPermission(TCredentials credentials, String user, SystemPermission permissionById)
void
grantTablePermission(TCredentials c, String user, String tableId, TablePermission permission, String namespaceId)
boolean
hasNamespacePermission(TCredentials credentials, String user, String namespace, NamespacePermission permissionById)
boolean
hasSystemPermission(TCredentials credentials, String user, SystemPermission permissionById)
boolean
hasTablePermission(TCredentials credentials, String user, String tableId, TablePermission permissionById)
protected boolean
hasTablePermission(TCredentials credentials, String tableId, String namespaceId, TablePermission permission, boolean useCached)
Checks if a user has a table permission.
void
initializeSecurity(TCredentials credentials, String rootPrincipal, byte[] token)
boolean
isSystemUser(TCredentials credentials)
Set<String>
listUsers(TCredentials credentials)
void
revokeNamespacePermission(TCredentials c, String user, String namespace, NamespacePermission permission)
void
revokeSystemPermission(TCredentials credentials, String user, SystemPermission permission)
void
revokeTablePermission(TCredentials c, String user, String tableId, TablePermission permission, String namespaceId)
-
-
-
Field Detail
-
authorizor
protected Authorizor authorizor
-
authenticator
protected Authenticator authenticator
-
permHandle
protected PermissionHandler permHandle
-
isKerberos
protected boolean isKerberos
-
context
protected final AccumuloServerContext context
-
-
Constructor Detail
-
SecurityOperation
protected SecurityOperation(AccumuloServerContext context)
-
SecurityOperation
public SecurityOperation(AccumuloServerContext context, Authorizor author, Authenticator authent, PermissionHandler pm)
-
-
Method Detail
-
getInstance
public static SecurityOperation getInstance(AccumuloServerContext context, boolean initialize)
-
getAuthorizor
protected static Authorizor getAuthorizor(String instanceId, boolean initialize)
-
getAuthenticator
protected static Authenticator getAuthenticator(String instanceId, boolean initialize)
-
getPermHandler
protected static PermissionHandler getPermHandler(String instanceId, boolean initialize)
-
initializeSecurity
public void initializeSecurity(TCredentials credentials, String rootPrincipal, byte[] token) throws AccumuloSecurityException, ThriftSecurityException
-
getRootUsername
public String getRootUsername()
-
isSystemUser
public boolean isSystemUser(TCredentials credentials)
-
authenticate
protected void authenticate(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canAskAboutUser
public boolean canAskAboutUser(TCredentials credentials, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
authenticateUser
public boolean authenticateUser(TCredentials credentials, TCredentials toAuth) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
getUserAuthorizations
public Authorizations getUserAuthorizations(TCredentials credentials, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
getUserAuthorizations
public Authorizations getUserAuthorizations(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
authenticatedUserHasAuthorizations
public boolean authenticatedUserHasAuthorizations(TCredentials credentials, List<ByteBuffer> list) throws ThriftSecurityException
Check if an already authenticated user has specified authorizations.
- Throws:
ThriftSecurityException
-
hasTablePermission
protected boolean hasTablePermission(TCredentials credentials, String tableId, String namespaceId, TablePermission permission, boolean useCached) throws ThriftSecurityException
Checks if a user has a table permission.
- Returns:
- true if a user exists and has permission; false otherwise
- Throws:
ThriftSecurityException
-
_hasTablePermission
protected boolean _hasTablePermission(String user, String table, TablePermission permission, boolean useCached) throws ThriftSecurityException
Checks if a user has a table permission.
This cannot check if a system user has permission.
- Returns:
- true if a user exists and has permission; false otherwise
- Throws:
ThriftSecurityException
-
_hasNamespacePermission
protected boolean _hasNamespacePermission(String user, String namespace, NamespacePermission permission, boolean useCached) throws ThriftSecurityException
Checks if a user has a namespace permission.
This cannot check if a system user has permission.
- Returns:
- true if a user exists and has permission; false otherwise
- Throws:
ThriftSecurityException
-
canScan
public boolean canScan(TCredentials credentials, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canScan
public boolean canScan(TCredentials credentials, String tableId, String namespaceId, TRange range, List<TColumn> columns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canScan
public boolean canScan(TCredentials credentials, String table, String namespaceId, Map<TKeyExtent,List<TRange>> tbatch, List<TColumn> tcolumns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canWrite
public boolean canWrite(TCredentials credentials, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canConditionallyUpdate
public boolean canConditionallyUpdate(TCredentials credentials, String tableID, String namespaceId, List<ByteBuffer> authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canSplitTablet
public boolean canSplitTablet(TCredentials credentials, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canPerformSystemActions
public boolean canPerformSystemActions(TCredentials credentials) throws ThriftSecurityException
This is the check required to perform any system action. This includes a tserver loading a tablet, shutting the system down, or altering system properties.
- Throws:
ThriftSecurityException
-
canFlush
public boolean canFlush(TCredentials c, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canAlterTable
public boolean canAlterTable(TCredentials c, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCreateTable
public boolean canCreateTable(TCredentials c, String table, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRenameTable
public boolean canRenameTable(TCredentials c, String tableId, String oldTableName, String newTableName, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCloneTable
public boolean canCloneTable(TCredentials c, String tableId, String tableName, String destinationNamespaceId, String srcNamespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDeleteTable
public boolean canDeleteTable(TCredentials c, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canOnlineOfflineTable
public boolean canOnlineOfflineTable(TCredentials c, String tableId, FateOperation op, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canMerge
public boolean canMerge(TCredentials c, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDeleteRange
public boolean canDeleteRange(TCredentials c, String tableId, String tableName, org.apache.hadoop.io.Text startRow, org.apache.hadoop.io.Text endRow, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canBulkImport
public boolean canBulkImport(TCredentials c, String tableId, String tableName, String dir, String failDir, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canBulkImport
public boolean canBulkImport(TCredentials c, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCompact
public boolean canCompact(TCredentials c, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canChangeAuthorizations
public boolean canChangeAuthorizations(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canChangePassword
public boolean canChangePassword(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCreateUser
public boolean canCreateUser(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDropUser
public boolean canDropUser(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canGrantSystem
public boolean canGrantSystem(TCredentials c, String user, SystemPermission sysPerm) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canGrantTable
public boolean canGrantTable(TCredentials c, String user, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canGrantNamespace
public boolean canGrantNamespace(TCredentials c, String user, String namespace) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRevokeSystem
public boolean canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRevokeTable
public boolean canRevokeTable(TCredentials c, String user, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRevokeNamespace
public boolean canRevokeNamespace(TCredentials c, String user, String namespace) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
changeAuthorizations
public void changeAuthorizations(TCredentials credentials, String user, Authorizations authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
changePassword
public void changePassword(TCredentials credentials, Credentials toChange) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
createUser
public void createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
_createUser
protected void _createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
dropUser
public void dropUser(TCredentials credentials, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
grantSystemPermission
public void grantSystemPermission(TCredentials credentials, String user, SystemPermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
grantTablePermission
public void grantTablePermission(TCredentials c, String user, String tableId, TablePermission permission, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
grantNamespacePermission
public void grantNamespacePermission(TCredentials c, String user, String namespace, NamespacePermission permission) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
revokeSystemPermission
public void revokeSystemPermission(TCredentials credentials, String user, SystemPermission permission) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
revokeTablePermission
public void revokeTablePermission(TCredentials c, String user, String tableId, TablePermission permission, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
revokeNamespacePermission
public void revokeNamespacePermission(TCredentials c, String user, String namespace, NamespacePermission permission) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
hasSystemPermission
public boolean hasSystemPermission(TCredentials credentials, String user, SystemPermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
hasTablePermission
public boolean hasTablePermission(TCredentials credentials, String user, String tableId, TablePermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
hasNamespacePermission
public boolean hasNamespacePermission(TCredentials credentials, String user, String namespace, NamespacePermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
listUsers
public Set<String> listUsers(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
deleteTable
public void deleteTable(TCredentials credentials, String tableId, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
deleteNamespace
public void deleteNamespace(TCredentials credentials, String namespace) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canExport
public boolean canExport(TCredentials credentials, String tableId, String tableName, String exportDir, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canImport
public boolean canImport(TCredentials credentials, String tableName, String importDir, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canAlterNamespace
public boolean canAlterNamespace(TCredentials credentials, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCreateNamespace
public boolean canCreateNamespace(TCredentials credentials, String namespace) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDeleteNamespace
public boolean canDeleteNamespace(TCredentials credentials, String namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRenameNamespace
public boolean canRenameNamespace(TCredentials credentials, String namespaceId, String oldName, String newName) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canObtainDelegationToken
public boolean canObtainDelegationToken(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
-