AuthManager (Apache HBase - Server 2.2.2 API)

java.lang.Object
- org.apache.hadoop.hbase.security.access.AuthManager

All Implemented Interfaces:

Closeable, AutoCloseable
```
@InterfaceAudience.Private
public final class AuthManager
extends Object
implements Closeable
```
Performs authorization checks for a given user's assigned permissions.
There're following scopes: Global, Namespace, Table, Family, Qualifier, Cell. Generally speaking, higher scopes can overrides lower scopes, except for Cell permission can be granted even a user has not permission on specified table, which means the user can get/scan only those granted cells parts.
e.g, if user A has global permission R(ead), he can read table T without checking table scope permission, so authorization checks alway starts from Global scope.
For each scope, not only user but also groups he belongs to will be checked.

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`boolean`	`accessUserTable(User user, TableName table, Permission.Action action)` Checks if the user has access to the full table or at least a family/qualifier for the specified action.
`boolean`	`authorizeCell(User user, TableName table, Cell cell, Permission.Action action)` Check if user has given action privilige in cell scope.
`boolean`	`authorizeUserFamily(User user, TableName table, byte[] family, Permission.Action action)` Check if user has given action privilige in table:family scope.
`boolean`	`authorizeUserGlobal(User user, Permission.Action action)` Check if user has given action privilige in global scope.
`boolean`	`authorizeUserNamespace(User user, String namespace, Permission.Action action)` Check if user has given action privilige in namespace scope.
`boolean`	`authorizeUserTable(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)` Check if user has given action privilige in table:family:qualifier scope.
`boolean`	`authorizeUserTable(User user, TableName table, byte[] family, Permission.Action action)` Check if user has given action privilige in table:family scope.
`boolean`	`authorizeUserTable(User user, TableName table, Permission.Action action)` Check if user has given action privilige in table scope.
`void`	`close()`
`long`	`getMTime()` Last modification logical time
`static AuthManager`	`getOrCreate(ZKWatcher watcher, org.apache.hadoop.conf.Configuration conf)` Returns a AuthManager from the cache.
`static int`	`getTotalRefCount()`
`ZKPermissionWatcher`	`getZKPermissionWatcher()`
`void`	`refreshNamespaceCacheFromWritable(String namespace, byte[] data)` Update acl info for namespace.
`void`	`refreshTableCacheFromWritable(TableName table, byte[] data)` Update acl info for table.
`static void`	`release(AuthManager instance)` Releases the resources for the given AuthManager if the reference count is down to 0.
`void`	`removeNamespace(byte[] ns)` Remove given namespace from AuthManager's namespace cache.
`void`	`removeTable(TableName table)` Remove given table from AuthManager's table cache.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Method Detail
  - close
```
public void close()
```
    Specified by:
    
    close in interface Closeable
    
    Specified by:
    
    close in interface AutoCloseable
  - getZKPermissionWatcher
```
public ZKPermissionWatcher getZKPermissionWatcher()
```
  - refreshTableCacheFromWritable
```
public void refreshTableCacheFromWritable(TableName table,
                                          byte[] data)
                                   throws IOException
```
    Update acl info for table.
    
    Parameters:
    
    table - name of table
    
    data - updated acl data
    
    Throws:
    
    IOException - exception when deserialize data
  - refreshNamespaceCacheFromWritable
```
public void refreshNamespaceCacheFromWritable(String namespace,
                                              byte[] data)
                                       throws IOException
```
    Update acl info for namespace.
    
    Parameters:
    
    namespace - namespace
    
    data - updated acl data
    
    Throws:
    
    IOException - exception when deserialize data
  - authorizeUserGlobal
```
public boolean authorizeUserGlobal(User user,
                                   Permission.Action action)
```
    Check if user has given action privilige in global scope.
    
    Parameters:
    
    user - user name
    
    action - one of action in [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if user has, false otherwise
  - authorizeUserNamespace
```
public boolean authorizeUserNamespace(User user,
                                      String namespace,
                                      Permission.Action action)
```
    Check if user has given action privilige in namespace scope.
    
    Parameters:
    
    user - user name
    
    namespace - namespace
    
    action - one of action in [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if user has, false otherwise
  - accessUserTable
```
public boolean accessUserTable(User user,
                               TableName table,
                               Permission.Action action)
```
    Checks if the user has access to the full table or at least a family/qualifier for the specified action.
    
    Parameters:
    
    user - user name
    
    table - table name
    
    action - action in one of [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if the user has access to the table, false otherwise
  - authorizeUserTable
```
public boolean authorizeUserTable(User user,
                                  TableName table,
                                  Permission.Action action)
```
    Check if user has given action privilige in table scope.
    
    Parameters:
    
    user - user name
    
    table - table name
    
    action - one of action in [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if user has, false otherwise
  - authorizeUserTable
```
public boolean authorizeUserTable(User user,
                                  TableName table,
                                  byte[] family,
                                  Permission.Action action)
```
    Check if user has given action privilige in table:family scope.
    
    Parameters:
    
    user - user name
    
    table - table name
    
    family - family name
    
    action - one of action in [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if user has, false otherwise
  - authorizeUserTable
```
public boolean authorizeUserTable(User user,
                                  TableName table,
                                  byte[] family,
                                  byte[] qualifier,
                                  Permission.Action action)
```
    Check if user has given action privilige in table:family:qualifier scope.
    
    Parameters:
    
    user - user name
    
    table - table name
    
    family - family name
    
    qualifier - qualifier name
    
    action - one of action in [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if user has, false otherwise
  - authorizeUserFamily
```
public boolean authorizeUserFamily(User user,
                                   TableName table,
                                   byte[] family,
                                   Permission.Action action)
```
    Check if user has given action privilige in table:family scope. This method is for backward compatibility.
    
    Parameters:
    
    user - user name
    
    table - table name
    
    family - family names
    
    action - one of action in [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if user has, false otherwise
  - authorizeCell
```
public boolean authorizeCell(User user,
                             TableName table,
                             Cell cell,
                             Permission.Action action)
```
    Check if user has given action privilige in cell scope.
    
    Parameters:
    
    user - user name
    
    table - table name
    
    cell - cell to be checked
    
    action - one of action in [Read, Write, Create, Exec, Admin]
    
    Returns:
    
    true if user has, false otherwise
  - removeNamespace
```
public void removeNamespace(byte[] ns)
```
    Remove given namespace from AuthManager's namespace cache.
    
    Parameters:
    
    ns - namespace
  - removeTable
```
public void removeTable(TableName table)
```
    Remove given table from AuthManager's table cache.
    
    Parameters:
    
    table - table name
  - getMTime
```
public long getMTime()
```
    Last modification logical time
    
    Returns:
    
    time
  - getOrCreate
```
public static AuthManager getOrCreate(ZKWatcher watcher,
                                      org.apache.hadoop.conf.Configuration conf)
                               throws IOException
```
    Returns a AuthManager from the cache. If not cached, constructs a new one. Returned instance should be released back by calling release(AuthManager).
    
    Parameters:
    
    watcher - zk watcher
    
    conf - configuration
    
    Returns:
    
    an AuthManager
    
    Throws:
    
    IOException - zookeeper initialization failed
  - getTotalRefCount
```
public static int getTotalRefCount()
```
  - release
```
public static void release(AuthManager instance)
```
    Releases the resources for the given AuthManager if the reference count is down to 0.
    
    Parameters:
    
    instance - AuthManager to be released

Class AuthManager

Method Summary

Methods inherited from class java.lang.Object

Method Detail

close

getZKPermissionWatcher

refreshTableCacheFromWritable

refreshNamespaceCacheFromWritable

authorizeUserGlobal

authorizeUserNamespace

accessUserTable

authorizeUserTable

authorizeUserTable

authorizeUserTable

authorizeUserFamily

authorizeCell

removeNamespace

removeTable

getMTime

getOrCreate

getTotalRefCount

release