/**
 * Adds the given user permission to the ACL table.
 *
 * <p>Only valid while this coprocessor is running on the ACL table's region. Before the write,
 * {@code requirePermission} is asked for {@code Action.ADMIN} on the table, family and qualifier
 * that {@code perm} targets.
 *
 * @param perm the permission to grant
 * @throws IOException a {@code CoprocessorException} when invoked away from the ACL region, or
 *     whatever {@code requirePermission} / {@code addUserPermission} propagate
 */
@Override
public void grant(UserPermission perm) throws IOException {
  // Guard first: refuse to run anywhere but the ACL table region.
  if (!aclRegion) {
    throw new CoprocessorException(AccessController.class,
        "This method can only execute at "
            + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("Received request to grant access permission " + perm.toString());
  }

  // The authorization check precedes the ACL mutation.
  requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(),
      Action.ADMIN);
  AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);

  // The audit log stores permission changes in addition to auth results.
  // NOTE(review): this record is written only when AUDITLOG has TRACE enabled; deployments
  // that rely on it as a change trail need that level switched on.
  if (AUDITLOG.isTraceEnabled()) {
    AUDITLOG.trace("Granted permission " + perm.toString());
  }
}
/**
 * Removes the given user permission from the ACL table.
 *
 * <p>Only valid while this coprocessor is running on the ACL table's region. Before the write,
 * {@code requirePermission} is asked for {@code Action.ADMIN} on the table, family and qualifier
 * that {@code perm} targets.
 *
 * @param perm the permission to revoke
 * @throws IOException a {@code CoprocessorException} when invoked away from the ACL region, or
 *     whatever {@code requirePermission} / {@code removeUserPermission} propagate
 */
@Override
public void revoke(UserPermission perm) throws IOException {
  // Only allowed to be called on the _acl_ region.
  if (!aclRegion) {
    throw new CoprocessorException(AccessController.class,
        "This method can only execute at "
            + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("Received request to revoke access permission " + perm.toString());
  }

  // The authorization check precedes the ACL mutation.
  requirePermission("revoke", perm.getTable(), perm.getFamily(), perm.getQualifier(),
      Action.ADMIN);
  AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);

  // The audit log should record all permission changes.
  // NOTE(review): this record is written only when AUDITLOG has TRACE enabled; deployments
  // that rely on it as a change trail need that level switched on.
  if (AUDITLOG.isTraceEnabled()) {
    AUDITLOG.trace("Revoked permission " + perm.toString());
  }
}
/**
 * Stores the region environment this coprocessor was loaded into.
 *
 * @param env the environment supplied by the coprocessor host
 * @throws IOException a {@code CoprocessorException} when {@code env} is not a
 *     {@code RegionCoprocessorEnvironment}
 */
@Override
public void start(CoprocessorEnvironment env) throws IOException {
  // Reject any host other than a table region before touching state.
  if (!(env instanceof RegionCoprocessorEnvironment)) {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
  this.env = (RegionCoprocessorEnvironment) env;
}
/**
 * Endpoint that lists user permissions for a table, a namespace, or everything, depending on
 * the type carried by {@code request}.
 *
 * <p>Runs only on the ACL table region and only after the controller is initialized. An
 * {@code IOException} raised along the way is attached to {@code controller}, and {@code done}
 * is then invoked with a {@code null} response.
 *
 * @param controller receives any {@code IOException} raised while serving the request
 * @param request selects the scope (table / namespace / other) to list
 * @param done callback that receives the response, or {@code null} on failure
 */
@Override
public void getUserPermissions(RpcController controller,
    AccessControlProtos.GetUserPermissionsRequest request,
    RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
  AccessControlProtos.GetUserPermissionsResponse response = null;
  try {
    // Only allowed to be called on the _acl_ region.
    if (!aclRegion) {
      throw new CoprocessorException(AccessController.class,
          "This method can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    if (!initialized) {
      throw new CoprocessorException("AccessController not yet initialized");
    }

    // NOTE(review): only the Table branch calls requirePermission. The Namespace and
    // catch-all branches return their listings without an authorization check in this
    // method; confirm the caller is authorized elsewhere, or require ADMIN for those
    // scopes here as well.
    final List<UserPermission> perms;
    if (request.getType() == AccessControlProtos.Permission.Type.Table) {
      // The table name is optional in the request; null is passed through when absent.
      final TableName table =
          request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;
      requirePermission("userPermissions", table, null, null, Action.ADMIN);
      perms = AccessControlLists.getUserTablePermissions(regionEnv.getConfiguration(), table);
    } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
      perms = AccessControlLists.getUserNamespacePermissions(regionEnv.getConfiguration(),
          request.getNamespaceName().toStringUtf8());
    } else {
      perms = AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null);
    }
    response = ResponseConverter.buildGetUserPermissionsResponse(perms);
  } catch (IOException ioe) {
    // Pass the exception back up through the RPC controller.
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}
/**
 * Stores the region environment and loads the configured stop rows.
 *
 * <p>The rows come from the {@code com.larsgeorge.copro.stoprows} configuration key
 * (default {@code "5"}), a comma-separated list of integers; each one is set in
 * {@code stopRows}.
 *
 * @param env the environment supplied by the coprocessor host
 * @throws IOException a {@code CoprocessorException} when {@code env} is not a
 *     {@code RegionCoprocessorEnvironment}
 */
@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (!(env instanceof RegionCoprocessorEnvironment)) {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
  this.env = (RegionCoprocessorEnvironment) env;

  final Configuration conf = env.getConfiguration();
  final String[] rowTokens = conf.get("com.larsgeorge.copro.stoprows", "5").split(",");
  // NOTE(review): tokens are parsed as-is, so a padded or non-numeric entry ("5, 6")
  // makes Integer.parseInt throw NumberFormatException while the coprocessor is loading.
  for (int i = 0; i < rowTokens.length; i++) {
    stopRows.set(Integer.parseInt(rowTokens[i]));
  }
}
/**
 * Lists the user permissions recorded for a table.
 *
 * <p>Only valid on the ACL table's region. {@code requirePermission} is asked for
 * {@code Action.ADMIN} on {@code tableName} before the ACL table is read.
 *
 * @param tableName the table whose permissions are requested
 * @return the permissions returned by {@code AccessControlLists.getUserPermissions}
 * @throws IOException a {@code CoprocessorException} when invoked away from the ACL region, or
 *     whatever the permission check / ACL read propagate
 */
@Override
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
  // Only allowed to be called on the _acl_ region.
  if (!aclRegion) {
    throw new CoprocessorException(AccessController.class,
        "This method can only execute at "
            + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
  // The authorization check comes before any ACL data is read.
  requirePermission("userPermissions", tableName, null, null, Action.ADMIN);
  return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), tableName);
}
/**
 * Builds the scanner used to compact the pipeline.
 *
 * <p>When the store has a coprocessor host, the host supplies the {@code ScanInfo} and may
 * replace the freshly built {@code StoreScanner}; a {@code null} replacement is rejected. If
 * this method exits without producing a scanner, the store scanner (if one was built) and every
 * entry of {@code scanners} are closed before the failure propagates.
 *
 * @param store the store being compacted
 * @param scanners the underlying scanners to read from
 * @return the scanner to compact with
 * @throws IOException if scanner construction or a coprocessor hook fails
 */
private InternalScanner createScanner(HStore store, List<KeyValueScanner> scanners)
    throws IOException {
  InternalScanner storeScanner = null;
  // Flipped to true only on the paths that hand a scanner back to the caller.
  boolean handedOff = false;
  try {
    final RegionCoprocessorHost host = store.getCoprocessorHost();
    final ScanInfo info = (host != null)
        ? host.preMemStoreCompactionCompactScannerOpen(store)
        : store.getScanInfo();

    storeScanner = new StoreScanner(store, info, scanners, ScanType.COMPACT_RETAIN_DELETES,
        store.getSmallestReadPoint(), HConstants.OLDEST_TIMESTAMP);

    InternalScanner result = storeScanner;
    if (host != null) {
      // Give the coprocessor the chance to wrap or replace the scanner.
      result = host.preMemStoreCompactionCompact(store, storeScanner);
      if (result == null) {
        throw new CoprocessorException("Got a null InternalScanner when calling"
            + " preMemStoreCompactionCompact which is not acceptable");
      }
    }
    handedOff = true;
    return result;
  } finally {
    if (!handedOff) {
      // Failure path: release what was opened so no scanner is left dangling.
      Closeables.close(storeScanner, true);
      scanners.forEach(KeyValueScanner::close);
    }
  }
}
/**
 * Stores the region environment this coprocessor was loaded into.
 *
 * @param env the environment supplied by the coprocessor host
 * @throws IOException a {@code CoprocessorException} when {@code env} is not a
 *     {@code RegionCoprocessorEnvironment}
 */
@Override
public void start(final CoprocessorEnvironment env) throws IOException {
  final boolean onRegion = env instanceof RegionCoprocessorEnvironment;
  if (!onRegion) {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
  this.env = (RegionCoprocessorEnvironment) env;
}
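/**
 * Endpoint that grants the permission carried by {@code request}.
 *
 * <p>Runs only on the ACL table region and only after the controller is initialized. For
 * Global and Table permissions {@code requirePermission} is asked for {@code Action.ADMIN} on
 * the target table/family/qualifier; for Namespace permissions
 * {@code requireNamespacePermission} is asked for {@code Action.ADMIN} on the namespace. Any
 * other permission type is rejected before the ACL table is written. The write itself runs
 * through {@code User.runAsLoginUser}.
 *
 * <p>An {@code IOException} raised along the way is attached to {@code controller}, and
 * {@code done} is then invoked with a {@code null} response.
 *
 * @param controller receives any {@code IOException} raised while serving the request
 * @param request carries the permission to grant
 * @param done callback that receives the response, or {@code null} on failure
 */
@Override
public void grant(RpcController controller, AccessControlProtos.GrantRequest request,
    RpcCallback<AccessControlProtos.GrantResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.GrantResponse response = null;
  try {
    // verify it's only running at .acl.
    if (!aclRegion) {
      throw new CoprocessorException(AccessController.class,
          "This method can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    if (!initialized) {
      throw new CoprocessorException("AccessController not yet initialized");
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    switch (request.getUserPermission().getPermission().getType()) {
      case Global:
      case Table:
        requirePermission("grant", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
        break;
      case Namespace:
        requireNamespacePermission("grant", perm.getNamespace(), Action.ADMIN);
        break;
      default:
        // Fail closed: a type with no authorization rule above must never reach the
        // privileged ACL write below.
        throw new CoprocessorException("Unsupported permission type: "
            + request.getUserPermission().getPermission().getType());
    }

    // The ACL table write is performed as the login user, not as the RPC caller.
    User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
        return null;
      }
    });

    // The audit log stores permission changes in addition to auth results.
    // NOTE(review): this record is written only when AUDITLOG has TRACE enabled.
    if (AUDITLOG.isTraceEnabled()) {
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
    response = AccessControlProtos.GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}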
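/**
 * Endpoint that revokes the permission carried by {@code request}.
 *
 * <p>Runs only on the ACL table region and only after the controller is initialized. For
 * Global and Table permissions {@code requirePermission} is asked for {@code Action.ADMIN} on
 * the target table/family/qualifier; for Namespace permissions
 * {@code requireNamespacePermission} is asked for {@code Action.ADMIN} on the namespace. Any
 * other permission type is rejected before the ACL table is written. The write itself runs
 * through {@code User.runAsLoginUser}.
 *
 * <p>An {@code IOException} raised along the way is attached to {@code controller}, and
 * {@code done} is then invoked with a {@code null} response.
 *
 * @param controller receives any {@code IOException} raised while serving the request
 * @param request carries the permission to revoke
 * @param done callback that receives the response, or {@code null} on failure
 */
@Override
public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request,
    RpcCallback<AccessControlProtos.RevokeResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.RevokeResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (!aclRegion) {
      throw new CoprocessorException(AccessController.class,
          "This method can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    if (!initialized) {
      throw new CoprocessorException("AccessController not yet initialized");
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    switch (request.getUserPermission().getPermission().getType()) {
      case Global:
      case Table:
        requirePermission("revoke", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
        break;
      case Namespace:
        requireNamespacePermission("revoke", perm.getNamespace(), Action.ADMIN);
        break;
      default:
        // Fail closed: a type with no authorization rule above must never reach the
        // privileged ACL write below.
        throw new CoprocessorException("Unsupported permission type: "
            + request.getUserPermission().getPermission().getType());
    }

    // The ACL table write is performed as the login user, not as the RPC caller.
    User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
        return null;
      }
    });

    // The audit log should record all permission changes.
    // NOTE(review): this record is written only when AUDITLOG has TRACE enabled.
    if (AUDITLOG.isTraceEnabled()) {
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
    response = AccessControlProtos.RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}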
/**
 * Verifies that this coprocessor was loaded on a table region; no state is stored.
 *
 * @param env the environment supplied by the coprocessor host
 * @throws IOException a {@code CoprocessorException} when {@code env} is not a
 *     {@code RegionCoprocessorEnvironment}
 */
@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (!(env instanceof RegionCoprocessorEnvironment)) {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}
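/**
 * Endpoint that grants the permission carried by {@code request}.
 *
 * <p>Runs only on the ACL table region and only after the controller is initialized. For
 * Global and Table permissions {@code requirePermission} is asked for {@code Action.ADMIN} on
 * the target table/family/qualifier; for Namespace permissions
 * {@code requireGlobalPermission} is asked for {@code Action.ADMIN} with the namespace. Any
 * other permission type is rejected before the ACL table is written. The write itself runs
 * through {@code User.runAsLoginUser}.
 *
 * <p>An {@code IOException} raised along the way is attached to {@code controller}, and
 * {@code done} is then invoked with a {@code null} response.
 *
 * @param controller receives any {@code IOException} raised while serving the request
 * @param request carries the permission to grant
 * @param done callback that receives the response, or {@code null} on failure
 */
@Override
public void grant(RpcController controller, AccessControlProtos.GrantRequest request,
    RpcCallback<AccessControlProtos.GrantResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.GrantResponse response = null;
  try {
    // verify it's only running at .acl.
    if (!aclRegion) {
      throw new CoprocessorException(AccessController.class,
          "This method can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    if (!initialized) {
      throw new CoprocessorException("AccessController not yet initialized");
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    switch (request.getUserPermission().getPermission().getType()) {
      case Global:
      case Table:
        requirePermission("grant", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
        break;
      case Namespace:
        requireGlobalPermission("grant", Action.ADMIN, perm.getNamespace());
        break;
      default:
        // Fail closed: a type with no authorization rule above must never reach the
        // privileged ACL write below.
        throw new CoprocessorException("Unsupported permission type: "
            + request.getUserPermission().getPermission().getType());
    }

    // The ACL table write is performed as the login user, not as the RPC caller.
    User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
        return null;
      }
    });

    // The audit log stores permission changes in addition to auth results.
    // NOTE(review): this record is written only when AUDITLOG has TRACE enabled.
    if (AUDITLOG.isTraceEnabled()) {
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
    response = AccessControlProtos.GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}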
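/**
 * Endpoint that revokes the permission carried by {@code request}.
 *
 * <p>Runs only on the ACL table region and only after the controller is initialized. For
 * Global and Table permissions {@code requirePermission} is asked for {@code Action.ADMIN} on
 * the target table/family/qualifier; for Namespace permissions
 * {@code requireGlobalPermission} is asked for {@code Action.ADMIN} with the namespace. Any
 * other permission type is rejected before the ACL table is written. The write itself runs
 * through {@code User.runAsLoginUser}.
 *
 * <p>An {@code IOException} raised along the way is attached to {@code controller}, and
 * {@code done} is then invoked with a {@code null} response.
 *
 * @param controller receives any {@code IOException} raised while serving the request
 * @param request carries the permission to revoke
 * @param done callback that receives the response, or {@code null} on failure
 */
@Override
public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request,
    RpcCallback<AccessControlProtos.RevokeResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.RevokeResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (!aclRegion) {
      throw new CoprocessorException(AccessController.class,
          "This method can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    if (!initialized) {
      throw new CoprocessorException("AccessController not yet initialized");
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    switch (request.getUserPermission().getPermission().getType()) {
      case Global:
      case Table:
        requirePermission("revoke", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
        break;
      case Namespace:
        requireGlobalPermission("revoke", Action.ADMIN, perm.getNamespace());
        break;
      default:
        // Fail closed: a type with no authorization rule above must never reach the
        // privileged ACL write below.
        throw new CoprocessorException("Unsupported permission type: "
            + request.getUserPermission().getPermission().getType());
    }

    // The ACL table write is performed as the login user, not as the RPC caller.
    User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
        return null;
      }
    });

    // The audit log should record all permission changes.
    // NOTE(review): this record is written only when AUDITLOG has TRACE enabled.
    if (AUDITLOG.isTraceEnabled()) {
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
    response = AccessControlProtos.RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}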
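/**
 * Endpoint that grants the permission carried by {@code request}.
 *
 * <p>Runs only on the ACL table region and only after the controller is initialized. For
 * Global and Table permissions {@code requirePermission} is asked for {@code Action.ADMIN} on
 * the target table/family/qualifier; for Namespace permissions
 * {@code requireGlobalPermission} is asked for {@code Action.ADMIN} with the namespace. Any
 * other permission type is rejected before the ACL table is written.
 *
 * <p>An {@code IOException} raised along the way is attached to {@code controller}, and
 * {@code done} is then invoked with a {@code null} response.
 *
 * @param controller receives any {@code IOException} raised while serving the request
 * @param request carries the permission to grant
 * @param done callback that receives the response, or {@code null} on failure
 */
@Override
public void grant(RpcController controller, AccessControlProtos.GrantRequest request,
    RpcCallback<AccessControlProtos.GrantResponse> done) {
  UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.GrantResponse response = null;
  try {
    // verify it's only running at .acl.
    if (!aclRegion) {
      throw new CoprocessorException(AccessController.class,
          "This method can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    if (!initialized) {
      throw new CoprocessorException("AccessController not yet initialized");
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    switch (request.getUserPermission().getPermission().getType()) {
      case Global:
      case Table:
        requirePermission("grant", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
        break;
      case Namespace:
        requireGlobalPermission("grant", Action.ADMIN, perm.getNamespace());
        break;
      default:
        // Fail closed: a type with no authorization rule above must never reach the
        // ACL write below.
        throw new CoprocessorException("Unsupported permission type: "
            + request.getUserPermission().getPermission().getType());
    }

    AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);

    // The audit log stores permission changes in addition to auth results.
    // NOTE(review): this record is written only when AUDITLOG has TRACE enabled.
    if (AUDITLOG.isTraceEnabled()) {
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
    response = AccessControlProtos.GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}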
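/**
 * Endpoint that revokes the permission carried by {@code request}.
 *
 * <p>Runs only on the ACL table region and only after the controller is initialized. For
 * Global and Table permissions {@code requirePermission} is asked for {@code Action.ADMIN} on
 * the target table/family/qualifier; for Namespace permissions
 * {@code requireGlobalPermission} is asked for {@code Action.ADMIN} with the namespace. Any
 * other permission type is rejected before the ACL table is written.
 *
 * <p>An {@code IOException} raised along the way is attached to {@code controller}, and
 * {@code done} is then invoked with a {@code null} response.
 *
 * @param controller receives any {@code IOException} raised while serving the request
 * @param request carries the permission to revoke
 * @param done callback that receives the response, or {@code null} on failure
 */
@Override
public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request,
    RpcCallback<AccessControlProtos.RevokeResponse> done) {
  UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.RevokeResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (!aclRegion) {
      throw new CoprocessorException(AccessController.class,
          "This method can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    if (!initialized) {
      throw new CoprocessorException("AccessController not yet initialized");
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    switch (request.getUserPermission().getPermission().getType()) {
      case Global:
      case Table:
        requirePermission("revoke", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
        break;
      case Namespace:
        requireGlobalPermission("revoke", Action.ADMIN, perm.getNamespace());
        break;
      default:
        // Fail closed: a type with no authorization rule above must never reach the
        // ACL write below.
        throw new CoprocessorException("Unsupported permission type: "
            + request.getUserPermission().getPermission().getType());
    }

    AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);

    // The audit log should record all permission changes.
    // NOTE(review): this record is written only when AUDITLOG has TRACE enabled.
    if (AUDITLOG.isTraceEnabled()) {
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
    response = AccessControlProtos.RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}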