org.apache.hadoop.hbase.security.access

Class AccessChecker

java.lang.Object

org.apache.hadoop.hbase.security.access.AccessChecker

@InterfaceAudience.LimitedPrivate(value="Coprocesssor")
 @InterfaceStability.Evolving
public class AccessChecker
extends Object

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	AccessChecker.InputUser A temporary user class to instantiate User instance based on the name and groups.

Constructor Summary

Constructors

Constructor and Description
AccessChecker(org.apache.hadoop.conf.Configuration conf, ZKWatcher zkw) Constructor with existing configuration

Method Summary

Modifier and Type	Method and Description
void	checkLockPermissions(User user, String namespace, TableName tableName, RegionInfo[] regionInfos, String reason)
AuthManager	getAuthManager()
static List<String>	getUserGroups(String user) Retrieve the groups of the given user.
boolean	hasUserPermission(User user, String request, Permission permission) Authorizes that if the current user has the given permissions.
static boolean	isAuthorizationSupported(org.apache.hadoop.conf.Configuration conf)
static void	logResult(AuthResult result)
void	performOnSuperuser(String request, User caller, String userToBeChecked) Check if caller is granting or revoking superusers's or supergroups's permissions.
AuthResult	permissionGranted(String request, User user, Permission.Action permRequest, TableName tableName, Map<byte[],? extends Collection<?>> families) Check the current user for authorization to perform a specific action against the given set of row data.
void	requireAccess(User user, String request, TableName tableName, Permission.Action... permissions) Authorizes that the current user has any of the given permissions to access the table.
void	requireGlobalPermission(User user, String request, Permission.Action perm, String namespace) Checks that the user has the given global permission.
void	requireGlobalPermission(User user, String request, Permission.Action perm, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, String filterUser) Checks that the user has the given global permission.
void	requireNamespacePermission(User user, String request, String namespace, String filterUser, Permission.Action... permissions) Checks that the user has the given global or namespace permission.
void	requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, Permission.Action... permissions) Checks that the user has the given global or namespace permission.
void	requirePermission(User user, String request, String filterUser, Permission.Action perm) Authorizes that the current user has global privileges for the given action.
void	requirePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, String filterUser, Permission.Action... permissions) Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier.
void	requireTablePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Permission.Action... permissions) Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier.
void	stop() Releases AuthManager's reference.
User	validateCallerWithFilterUser(User caller, TablePermission tPerm, String inputUserName)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AccessChecker

public AccessChecker(org.apache.hadoop.conf.Configuration conf,
                     ZKWatcher zkw)
              throws RuntimeException

Constructor with existing configuration

Parameters:

conf - Existing configuration to use

zkw - reference to the ZKWatcher

Throws:

RuntimeException

Method Detail

isAuthorizationSupported

public static boolean isAuthorizationSupported(org.apache.hadoop.conf.Configuration conf)

stop

public void stop()

Releases AuthManager's reference.

getAuthManager

public AuthManager getAuthManager()

requireAccess

public void requireAccess(User user,
                          String request,
                          TableName tableName,
                          Permission.Action... permissions)
                   throws IOException

Authorizes that the current user has any of the given permissions to access the table.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type.

tableName - Table requested

permissions - Actions being requested

Throws:

IOException - if obtaining the current user fails

AccessDeniedException - if user has no authorization

requirePermission

public void requirePermission(User user,
                              String request,
                              String filterUser,
                              Permission.Action perm)
                       throws IOException

Authorizes that the current user has global privileges for the given action.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

filterUser - User name to be filtered from permission as requested

perm - The action being requested

Throws:

IOException - if obtaining the current user fails

AccessDeniedException - if authorization is denied

requireGlobalPermission

public void requireGlobalPermission(User user,
                                    String request,
                                    Permission.Action perm,
                                    TableName tableName,
                                    Map<byte[],? extends Collection<byte[]>> familyMap,
                                    String filterUser)
                             throws IOException

Checks that the user has the given global permission. The generated audit log message will contain context information for the operation being authorized, based on the given parameters.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

perm - Action being requested

tableName - Affected table name.

familyMap - Affected column families.

filterUser - User name to be filtered from permission as requested

Throws:

IOException

requireGlobalPermission

public void requireGlobalPermission(User user,
                                    String request,
                                    Permission.Action perm,
                                    String namespace)
                             throws IOException

Checks that the user has the given global permission. The generated audit log message will contain context information for the operation being authorized, based on the given parameters.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

perm - Action being requested

namespace - The given namespace

Throws:

IOException

requireNamespacePermission

public void requireNamespacePermission(User user,
                                       String request,
                                       String namespace,
                                       String filterUser,
                                       Permission.Action... permissions)
                                throws IOException

Checks that the user has the given global or namespace permission.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

namespace - Name space as requested

filterUser - User name to be filtered from permission as requested

permissions - Actions being requested

Throws:

IOException

requireNamespacePermission

public void requireNamespacePermission(User user,
                                       String request,
                                       String namespace,
                                       TableName tableName,
                                       Map<byte[],? extends Collection<byte[]>> familyMap,
                                       Permission.Action... permissions)
                                throws IOException

Checks that the user has the given global or namespace permission.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

namespace - The given namespace

tableName - Table requested

familyMap - Column family map requested

permissions - Actions being requested

Throws:

IOException

requirePermission

public void requirePermission(User user,
                              String request,
                              TableName tableName,
                              byte[] family,
                              byte[] qualifier,
                              String filterUser,
                              Permission.Action... permissions)
                       throws IOException

Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

tableName - Table requested

family - Column family requested

qualifier - Column qualifier requested

filterUser - User name to be filtered from permission as requested

permissions - Actions being requested

Throws:

IOException - if obtaining the current user fails

AccessDeniedException - if user has no authorization

requireTablePermission

public void requireTablePermission(User user,
                                   String request,
                                   TableName tableName,
                                   byte[] family,
                                   byte[] qualifier,
                                   Permission.Action... permissions)
                            throws IOException

Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

tableName - Table requested

family - Column family param

qualifier - Column qualifier param

Throws:

IOException - if obtaining the current user fails

AccessDeniedException - if user has no authorization

performOnSuperuser

public void performOnSuperuser(String request,
                               User caller,
                               String userToBeChecked)
                        throws IOException

Check if caller is granting or revoking superusers's or supergroups's permissions.

Parameters:

request - request name

caller - caller

userToBeChecked - target user or group

Throws:

IOException - AccessDeniedException if target user is superuser

checkLockPermissions

public void checkLockPermissions(User user,
                                 String namespace,
                                 TableName tableName,
                                 RegionInfo[] regionInfos,
                                 String reason)
                          throws IOException

Throws:

IOException

logResult

public static void logResult(AuthResult result)

validateCallerWithFilterUser

public User validateCallerWithFilterUser(User caller,
                                         TablePermission tPerm,
                                         String inputUserName)
                                  throws IOException

Throws:

IOException

getUserGroups

public static List<String> getUserGroups(String user)

Retrieve the groups of the given user.

Parameters:

user - User name

Returns:

Groups

hasUserPermission

public boolean hasUserPermission(User user,
                                 String request,
                                 Permission permission)

Authorizes that if the current user has the given permissions.

Parameters:

user - Active user to which authorization checks should be applied

request - Request type

permission - Actions being requested

Returns:

True if the user has the specific permission

permissionGranted

public AuthResult permissionGranted(String request,
                                    User user,
                                    Permission.Action permRequest,
                                    TableName tableName,
                                    Map<byte[],? extends Collection<?>> families)

Check the current user for authorization to perform a specific action against the given set of row data.

Note: Ordering of the authorization checks has been carefully optimized to short-circuit the most common requests and minimize the amount of processing required.

Parameters:

request - User request

user - User name

permRequest - the action being requested

tableName - Table name

families - the map of column families to qualifiers present in the request

Returns:

an authorization result