/**
 * Fetches the user permissions the server reports for the table-permission scope.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param controller the RpcController handed to the protocol call
 * @param protocol the AccessControlService protocol proxy
 * @param t optional table name; omitted from the request when {@code null}
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(RpcController controller,
    AccessControlService.BlockingInterface protocol, TableName t) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest.Builder requestBuilder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder()
          .setType(AccessControlProtos.Permission.Type.Table);
  if (t != null) {
    requestBuilder.setTableName(ProtobufUtil.toProtoTableName(t));
  }
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(controller, requestBuilder.build());
  List<AccessControlProtos.UserPermission> protoPerms = response.getUserPermissionList();
  // Presized: the response already tells us how many entries to expect.
  List<UserPermission> result = new ArrayList<UserPermission>(protoPerms.size());
  for (AccessControlProtos.UserPermission protoPerm : protoPerms) {
    result.add(ProtobufUtil.toUserPermission(protoPerm));
  }
  return result;
}
/**
 * Fetches the user permissions the server reports for the namespace-permission scope.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param controller the RpcController handed to the protocol call
 * @param protocol the AccessControlService protocol proxy
 * @param namespace name of the namespace; omitted from the request when {@code null}
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(RpcController controller,
    AccessControlService.BlockingInterface protocol, byte[] namespace) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest.Builder requestBuilder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder()
          .setType(AccessControlProtos.Permission.Type.Namespace);
  if (namespace != null) {
    requestBuilder.setNamespaceName(ByteStringer.wrap(namespace));
  }
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(controller, requestBuilder.build());
  List<AccessControlProtos.UserPermission> protoPerms = response.getUserPermissionList();
  // Presized: the response already tells us how many entries to expect.
  List<UserPermission> result = new ArrayList<UserPermission>(protoPerms.size());
  for (AccessControlProtos.UserPermission protoPerm : protoPerms) {
    result.add(ProtobufUtil.toUserPermission(protoPerm));
  }
  return result;
}
/**
 * Fetches the user permissions the server reports for the table-permission scope,
 * issuing the RPC without an RpcController.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param protocol the AccessControlService protocol proxy
 * @param t optional table name; omitted from the request when {@code null}
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(
    AccessControlService.BlockingInterface protocol, TableName t) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest.Builder requestBuilder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder()
          .setType(AccessControlProtos.Permission.Type.Table);
  if (t != null) {
    requestBuilder.setTableName(ProtobufUtil.toProtoTableName(t));
  }
  // No controller is supplied for this overload.
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(null, requestBuilder.build());
  List<AccessControlProtos.UserPermission> protoPerms = response.getUserPermissionList();
  List<UserPermission> result = new ArrayList<UserPermission>(protoPerms.size());
  for (AccessControlProtos.UserPermission protoPerm : protoPerms) {
    result.add(ProtobufUtil.toUserPermission(protoPerm));
  }
  return result;
}
/**
 * Fetches the user permissions the server reports for the namespace-permission scope,
 * issuing the RPC without an RpcController.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param protocol the AccessControlService protocol proxy
 * @param namespace name of the namespace; omitted from the request when {@code null}
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(
    AccessControlService.BlockingInterface protocol, byte[] namespace) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest.Builder requestBuilder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder()
          .setType(AccessControlProtos.Permission.Type.Namespace);
  if (namespace != null) {
    requestBuilder.setNamespaceName(ByteStringer.wrap(namespace));
  }
  // No controller is supplied for this overload.
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(null, requestBuilder.build());
  List<AccessControlProtos.UserPermission> protoPerms = response.getUserPermissionList();
  List<UserPermission> result = new ArrayList<UserPermission>(protoPerms.size());
  for (AccessControlProtos.UserPermission protoPerm : protoPerms) {
    result.add(ProtobufUtil.toUserPermission(protoPerm));
  }
  return result;
}
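/**
 * Fetches the user permissions the server reports for the table-permission scope,
 * issuing the RPC without an RpcController.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param protocol the AccessControlService protocol proxy
 * @param t optional table name; omitted from the request when {@code null}
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(
    AccessControlService.BlockingInterface protocol, TableName t) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest.Builder builder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder();
  if (t != null) {
    builder.setTableName(ProtobufUtil.toProtoTableName(t));
  }
  builder.setType(AccessControlProtos.Permission.Type.Table);
  AccessControlProtos.GetUserPermissionsRequest request = builder.build();
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(null, request);
  // Presize from the response count, as the other getUserPermissions overloads do,
  // to avoid regrowing the list while copying.
  List<UserPermission> perms =
      new ArrayList<UserPermission>(response.getUserPermissionCount());
  for (AccessControlProtos.UserPermission perm : response.getUserPermissionList()) {
    perms.add(ProtobufUtil.toUserPermission(perm));
  }
  return perms;
}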
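/**
 * Fetches the user permissions the server reports for the namespace-permission scope,
 * issuing the RPC without an RpcController.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param protocol the AccessControlService protocol proxy
 * @param namespace name of the namespace; omitted from the request when {@code null}
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(
    AccessControlService.BlockingInterface protocol, byte[] namespace) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest.Builder builder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder();
  if (namespace != null) {
    builder.setNamespaceName(HBaseZeroCopyByteString.wrap(namespace));
  }
  builder.setType(AccessControlProtos.Permission.Type.Namespace);
  AccessControlProtos.GetUserPermissionsRequest request = builder.build();
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(null, request);
  // Presize from the response count, as the other getUserPermissions overloads do,
  // to avoid regrowing the list while copying.
  List<UserPermission> perms =
      new ArrayList<UserPermission>(response.getUserPermissionCount());
  for (AccessControlProtos.UserPermission perm : response.getUserPermissionList()) {
    perms.add(ProtobufUtil.toUserPermission(perm));
  }
  return perms;
}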
/**
 * Builds the protobuf form of a client {@link UserPermission}.
 *
 * @param perm the client UserPermission
 * @return the protobuf UserPermission
 */
public static AccessControlProtos.UserPermission toUserPermission(UserPermission perm) {
  AccessControlProtos.Permission.Builder permission =
      AccessControlProtos.Permission.newBuilder();
  for (Permission.Action action : perm.getActions()) {
    permission.addAction(toPermissionAction(action));
  }
  // Table, family and qualifier are optional scope fields; copy only those present.
  if (perm.hasTable()) {
    permission.setTable(ByteString.copyFrom(perm.getTable()));
  }
  if (perm.hasFamily()) {
    permission.setFamily(ByteString.copyFrom(perm.getFamily()));
  }
  if (perm.hasQualifier()) {
    permission.setQualifier(ByteString.copyFrom(perm.getQualifier()));
  }
  AccessControlProtos.UserPermission.Builder userPermission =
      AccessControlProtos.UserPermission.newBuilder();
  userPermission.setUser(ByteString.copyFrom(perm.getUser()));
  userPermission.setPermission(permission);
  return userPermission.build();
}
/**
 * Converts a protobuf UserPermission back into the client object.
 *
 * @param proto the protobuf UserPermission
 * @return the converted UserPermission
 */
public static UserPermission toUserPermission(AccessControlProtos.UserPermission proto) {
  AccessControlProtos.Permission permission = proto.getPermission();
  List<Permission.Action> actions = toPermissionActions(permission.getActionList());
  // Optional scope fields map to null on the client side when absent from the proto.
  byte[] table = permission.hasTable() ? permission.getTable().toByteArray() : null;
  byte[] family = permission.hasFamily() ? permission.getFamily().toByteArray() : null;
  byte[] qualifier = permission.hasQualifier() ? permission.getQualifier().toByteArray() : null;
  Permission.Action[] actionArray = actions.toArray(new Permission.Action[actions.size()]);
  return new UserPermission(proto.getUser().toByteArray(), table, family, qualifier, actionArray);
}
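/**
 * Fetches the user permissions the server reports, optionally filtered by table,
 * issuing the RPC without an RpcController.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param protocol the AccessControlService protocol proxy
 * @param t optional table name; omitted from the request when {@code null}
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(
    AccessControlService.BlockingInterface protocol, byte[] t) throws ServiceException {
  AccessControlProtos.UserPermissionsRequest.Builder builder =
      AccessControlProtos.UserPermissionsRequest.newBuilder();
  if (t != null) {
    builder.setTable(ByteString.copyFrom(t));
  }
  AccessControlProtos.UserPermissionsRequest request = builder.build();
  AccessControlProtos.UserPermissionsResponse response =
      protocol.getUserPermissions(null, request);
  List<AccessControlProtos.UserPermission> protoPerms = response.getPermissionList();
  // Presize from the response, as the other getUserPermissions overloads do,
  // to avoid regrowing the list while copying.
  List<UserPermission> perms = new ArrayList<UserPermission>(protoPerms.size());
  for (AccessControlProtos.UserPermission perm : protoPerms) {
    perms.add(ProtobufUtil.toUserPermission(perm));
  }
  return perms;
}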
/**
 * Wraps a list of client permissions in a protobuf GetUserPermissionsResponse.
 *
 * @param permissions the client permissions to include, in order
 * @return the response carrying the protobuf form of each permission
 */
public static GetUserPermissionsResponse buildGetUserPermissionsResponse(
    final List<UserPermission> permissions) {
  GetUserPermissionsResponse.Builder responseBuilder = GetUserPermissionsResponse.newBuilder();
  for (UserPermission clientPerm : permissions) {
    AccessControlProtos.UserPermission protoPerm = ProtobufUtil.toUserPermission(clientPerm);
    responseBuilder.addUserPermission(protoPerm);
  }
  return responseBuilder.build();
}
/**
 * Builds the protobuf form of a client {@link UserPermission}, delegating the
 * permission body to {@code toPermission}.
 *
 * @param perm the client UserPermission
 * @return the protobuf UserPermission
 */
public static AccessControlProtos.UserPermission toUserPermission(UserPermission perm) {
  AccessControlProtos.UserPermission.Builder userPermission =
      AccessControlProtos.UserPermission.newBuilder();
  // Wrapped rather than copied: the user bytes are not duplicated.
  userPermission.setUser(ByteStringer.wrap(perm.getUser()));
  userPermission.setPermission(toPermission(perm));
  return userPermission.build();
}
/**
 * Fetches the user permissions the server reports for the global-permission scope.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param controller the RpcController handed to the protocol call
 * @param protocol the AccessControlService protocol proxy
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(RpcController controller,
    AccessControlService.BlockingInterface protocol) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest request =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder()
          .setType(AccessControlProtos.Permission.Type.Global)
          .build();
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(controller, request);
  List<AccessControlProtos.UserPermission> protoPerms = response.getUserPermissionList();
  List<UserPermission> result = new ArrayList<UserPermission>(protoPerms.size());
  for (AccessControlProtos.UserPermission protoPerm : protoPerms) {
    result.add(ProtobufUtil.toUserPermission(protoPerm));
  }
  return result;
}
/**
 * Fetches the user permissions the server reports for the global-permission scope,
 * issuing the RPC without an RpcController.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param protocol the AccessControlService protocol proxy
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(
    AccessControlService.BlockingInterface protocol) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest request =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder()
          .setType(AccessControlProtos.Permission.Type.Global)
          .build();
  // No controller is supplied for this overload.
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(null, request);
  List<AccessControlProtos.UserPermission> protoPerms = response.getUserPermissionList();
  List<UserPermission> result = new ArrayList<UserPermission>(protoPerms.size());
  for (AccessControlProtos.UserPermission protoPerm : protoPerms) {
    result.add(ProtobufUtil.toUserPermission(protoPerm));
  }
  return result;
}
/**
 * Builds the protobuf form of a client {@link UserPermission}, delegating the
 * permission body to {@code toPermission}.
 *
 * @param perm the client UserPermission
 * @return the protobuf UserPermission
 */
public static AccessControlProtos.UserPermission toUserPermission(UserPermission perm) {
  AccessControlProtos.UserPermission.Builder userPermission =
      AccessControlProtos.UserPermission.newBuilder();
  // Wrapped rather than copied: the user bytes are not duplicated.
  userPermission.setUser(HBaseZeroCopyByteString.wrap(perm.getUser()));
  userPermission.setPermission(toPermission(perm));
  return userPermission.build();
}
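/**
 * Fetches the user permissions the server reports for the global-permission scope,
 * issuing the RPC without an RpcController.
 * <p>
 * Also used by the shell; search there when looking for callers.
 *
 * @param protocol the AccessControlService protocol proxy
 * @return the reported permissions, converted to client {@link UserPermission} objects
 * @throws ServiceException if the underlying protocol call fails
 */
public static List<UserPermission> getUserPermissions(
    AccessControlService.BlockingInterface protocol) throws ServiceException {
  AccessControlProtos.GetUserPermissionsRequest.Builder builder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder();
  builder.setType(AccessControlProtos.Permission.Type.Global);
  AccessControlProtos.GetUserPermissionsRequest request = builder.build();
  AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(null, request);
  // Presize from the response count, as the other getUserPermissions overloads do,
  // to avoid regrowing the list while copying.
  List<UserPermission> perms =
      new ArrayList<UserPermission>(response.getUserPermissionCount());
  for (AccessControlProtos.UserPermission perm : response.getUserPermissionList()) {
    perms.add(ProtobufUtil.toUserPermission(perm));
  }
  return perms;
}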
/**
 * Builds the protobuf form of a client {@link UserPermission}, delegating the
 * permission body to {@code toPermission}.
 *
 * @param perm the client UserPermission
 * @return the protobuf UserPermission
 */
public static AccessControlProtos.UserPermission toUserPermission(UserPermission perm) {
  AccessControlProtos.UserPermission.Builder userPermission =
      AccessControlProtos.UserPermission.newBuilder();
  // Wrapped rather than copied: the user bytes are not duplicated.
  userPermission.setUser(ZeroCopyLiteralByteString.wrap(perm.getUser()));
  userPermission.setPermission(toPermission(perm));
  return userPermission.build();
}
/**
 * Wraps a list of client permissions in a protobuf UserPermissionsResponse.
 *
 * @param permissions the client permissions to include, in order
 * @return the response carrying the protobuf form of each permission
 */
public static UserPermissionsResponse buildUserPermissionsResponse(
    final List<UserPermission> permissions) {
  UserPermissionsResponse.Builder responseBuilder = UserPermissionsResponse.newBuilder();
  for (UserPermission clientPerm : permissions) {
    AccessControlProtos.UserPermission protoPerm = ProtobufUtil.toUserPermission(clientPerm);
    responseBuilder.addPermission(protoPerm);
  }
  return responseBuilder.build();
}
/**
 * Brings up a secured mini cluster with the AccessController loaded on the master,
 * a region server and the test table's region, creates the test users and seeds
 * the ACL table with their grants.
 *
 * @throws Exception if cluster start-up, table creation or the initial grants fail
 */
@BeforeClass
public static void setupBeforeClass() throws Exception {
  // Configuration: snapshot-aware cleaners plus security, applied before the cluster starts.
  conf = TEST_UTIL.getConfiguration();
  conf.set("hbase.master.hfilecleaner.plugins",
      "org.apache.hadoop.hbase.master.cleaner.HFileLinkCleaner,"
          + "org.apache.hadoop.hbase.master.snapshot.SnapshotHFileCleaner");
  conf.set("hbase.master.logcleaner.plugins",
      "org.apache.hadoop.hbase.master.snapshot.SnapshotLogCleaner");
  SecureTestUtil.enableSecurity(conf);
  TEST_UTIL.startMiniCluster();

  // Load the AccessController on the master and keep a handle to it and its environment.
  MasterCoprocessorHost masterCpHost =
      TEST_UTIL.getMiniHBaseCluster().getMaster().getCoprocessorHost();
  masterCpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
  ACCESS_CONTROLLER =
      (AccessController) masterCpHost.findCoprocessor(AccessController.class.getName());
  CP_ENV = masterCpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER,
      Coprocessor.PRIORITY_HIGHEST, 1, conf);

  // Matching environment on the first region server.
  RegionServerCoprocessorHost regionServerCpHost =
      TEST_UTIL.getMiniHBaseCluster().getRegionServer(0).getCoprocessorHost();
  RSCP_ENV = regionServerCpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER,
      Coprocessor.PRIORITY_HIGHEST, 1, conf);

  // Grants below are written to the ACL table, so it must be serving first.
  TEST_UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME, 5000);

  // Test principals; only SUPERUSER is placed in a group.
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]);
  USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
  USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
  USER_RW_ON_TABLE = User.createUserForTesting(conf, "rwuser_1", new String[0]);
  USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
  USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
  USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);

  // Test table with a single family, owned by USER_OWNER.
  HBaseAdmin hbaseAdmin = TEST_UTIL.getHBaseAdmin();
  HTableDescriptor tableDesc = new HTableDescriptor(TEST_TABLE);
  tableDesc.addFamily(new HColumnDescriptor(TEST_FAMILY));
  tableDesc.setOwner(USER_OWNER);
  hbaseAdmin.createTable(tableDesc);
  TEST_UTIL.waitTableEnabled(TEST_TABLE, 5000);

  // Environment for the test table's (only) region.
  HRegion testRegion = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0);
  RegionCoprocessorHost regionCpHost = testRegion.getCoprocessorHost();
  RCP_ENV = regionCpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER,
      Coprocessor.PRIORITY_HIGHEST, 1, conf);

  // Seed the ACL table: one global grant (USER_ADMIN) and per-table grants for the rest.
  HTable aclTable = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
  try {
    AccessControllerProtocol aclProtocol =
        aclTable.coprocessorProxy(AccessControllerProtocol.class, TEST_TABLE);
    aclProtocol.grant(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
        Permission.Action.ADMIN, Permission.Action.CREATE,
        Permission.Action.READ, Permission.Action.WRITE));
    aclProtocol.grant(new UserPermission(Bytes.toBytes(USER_RW.getShortName()),
        TEST_TABLE, TEST_FAMILY, Permission.Action.READ, Permission.Action.WRITE));
    aclProtocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()),
        TEST_TABLE, TEST_FAMILY, Permission.Action.READ));
    aclProtocol.grant(new UserPermission(Bytes.toBytes(USER_CREATE.getShortName()),
        TEST_TABLE, null, Permission.Action.CREATE));
    aclProtocol.grant(new UserPermission(Bytes.toBytes(USER_RW_ON_TABLE.getShortName()),
        TEST_TABLE, null, Permission.Action.READ, Permission.Action.WRITE));
  } finally {
    aclTable.close();
  }
}
/**
 * Reports whether {@code perms} holds an entry equal to {@code userPermission}.
 *
 * @param userPermission the permission to look for
 * @param perms the permissions returned by the server
 * @return {@code true} if an equal entry is present
 */
private boolean hasFoundUserPermission(UserPermission userPermission,
    List<UserPermission> perms) {
  // indexOf uses the same equals-based matching as contains.
  return perms.indexOf(userPermission) >= 0;
}
/**
 * Grants {@code actions} to {@code user} on the given table/family/qualifier scope
 * through the supplied protocol.
 *
 * @param protocol the AccessControllerProtocol proxy to issue the grant on
 * @param user the user whose short name is granted the permission
 * @param t table scope, may be {@code null}
 * @param f column family scope, may be {@code null}
 * @param q qualifier scope, may be {@code null}
 * @param actions the actions to grant
 * @throws IOException if the grant fails
 */
public void grant(AccessControllerProtocol protocol, User user, byte[] t, byte[] f, byte[] q,
    Permission.Action... actions) throws IOException {
  byte[] userName = Bytes.toBytes(user.getShortName());
  UserPermission permission = new UserPermission(userName, t, f, q, actions);
  protocol.grant(permission);
}
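/**
 * Verifies that a region server started after the cluster is up honours global grants:
 * the new server's own user is granted globally, a region is moved onto it, and a write
 * by USER_ADMIN (who holds global permissions) is then expected to succeed.
 *
 * @throws Exception if cluster operations fail
 */
@Test
public void testGlobalAuthorizationForNewRegisteredRS() throws Exception {
  LOG.debug("Test for global authorization for a new registered RegionServer.");
  MiniHBaseCluster hbaseCluster = TEST_UTIL.getHBaseCluster();
  final HRegionServer oldRs = hbaseCluster.getRegionServer(0);

  // Each region server runs as its own user, so the user the new server will run as
  // needs global permissions before it is started.
  HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
  try {
    AccessControllerProtocol protocol =
        acl.coprocessorProxy(AccessControllerProtocol.class, TEST_TABLE);
    String currentUser = User.getCurrent().getShortName();
    // User name for the new RegionServer we plan to add.
    String activeUserForNewRs =
        currentUser + ".hfs." + hbaseCluster.getLiveRegionServerThreads().size();
    protocol.grant(new UserPermission(Bytes.toBytes(activeUserForNewRs),
        Permission.Action.ADMIN, Permission.Action.CREATE,
        Permission.Action.READ, Permission.Action.WRITE));
  } finally {
    acl.close();
  }

  final HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
  HTableDescriptor htd = new HTableDescriptor(TEST_TABLE2);
  htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
  htd.setOwner(USER_OWNER);
  admin.createTable(htd);

  // Starting a new RegionServer.
  JVMClusterUtil.RegionServerThread newRsThread = hbaseCluster.startRegionServer();
  final HRegionServer newRs = newRsThread.getRegionServer();

  // Move a region of the new table to the new RegionServer, running as SUPERUSER.
  final HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE2);
  try {
    NavigableMap<HRegionInfo, ServerName> regions = table.getRegionLocations();
    final Map.Entry<HRegionInfo, ServerName> firstRegion =
        regions.entrySet().iterator().next();
    PrivilegedExceptionAction<Void> moveAction = new PrivilegedExceptionAction<Void>() {
      public Void run() throws Exception {
        admin.move(firstRegion.getKey().getEncodedNameAsBytes(),
            Bytes.toBytes(newRs.getServerName().getServerName()));
        return null;
      }
    };
    SUPERUSER.runAs(moveAction);

    // Poll until the region is online on the new server or the retry budget is spent.
    // The exhaustion check sits after the loop so the final poll still counts; an
    // interrupt re-sets the flag and fails the test instead of being swallowed.
    final int maxRetries = 10;
    int retries = 0;
    while (newRs.getOnlineRegions().size() < 1 && retries < maxRetries) {
      LOG.debug("Waiting for region to be opened. Already retried " + retries + " times.");
      try {
        Thread.sleep(200);
      } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        fail("Interrupted while waiting for region to be opened.");
      }
      retries++;
    }
    if (newRs.getOnlineRegions().size() < 1) {
      fail("Retry exhaust for waiting region to be opened.");
    }

    // Verify write permission for user "admin2" who has the global permissions.
    PrivilegedExceptionAction<Void> putAction = new PrivilegedExceptionAction<Void>() {
      public Void run() throws Exception {
        Put put = new Put(Bytes.toBytes("test"));
        put.add(TEST_FAMILY, Bytes.toBytes("qual"), Bytes.toBytes("value"));
        table.put(put);
        return null;
      }
    };
    USER_ADMIN.runAs(putAction);
  } finally {
    table.close();
  }
}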