Package org.apache.hadoop.hbase.security

Examples of org.apache.hadoop.hbase.security.User$SecureHadoopUser

718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
    final byte[] TEST_ROW1 = Bytes.toBytes("r1");
    final byte[] TEST_Q1 = Bytes.toBytes("q1");
    final byte[] TEST_Q2 = Bytes.toBytes("q2");
    final byte[] ZERO = Bytes.toBytes(0L);

    final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
    final User user2 = User.createUserForTesting(conf, "user2", new String[0]);

    verifyAllowed(new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        HTable t = new HTable(conf, TEST_TABLE.getTableName());
        try {
          Map<String, Permission> permsU1andOwner = new HashMap<String, Permission>();
          permsU1andOwner.put(user1.getShortName(), new Permission(Permission.Action.READ,
              Permission.Action.WRITE));
          permsU1andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
              Permission.Action.WRITE));
          Map<String, Permission> permsU2andOwner = new HashMap<String, Permission>();
          permsU2andOwner.put(user2.getShortName(), new Permission(Permission.Action.READ,
              Permission.Action.WRITE));
          permsU2andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
              Permission.Action.WRITE));
          Put p = new Put(TEST_ROW1);
          p.add(TEST_FAMILY1, TEST_Q1, 123, ZERO);
          p.setACL(permsU1andOwner);
          t.put(p);
          p = new Put(TEST_ROW1);
          p.add(TEST_FAMILY1, TEST_Q2, 123, ZERO);
          p.setACL(permsU2andOwner);
          t.put(p);

          p = new Put(TEST_ROW1);
          p.add(TEST_FAMILY1, TEST_Q1, 127, ZERO);
          p.setACL(permsU2andOwner);
          t.put(p);
          p = new Put(TEST_ROW1);
          p.add(TEST_FAMILY1, TEST_Q2, 127, ZERO);
          p.setACL(permsU1andOwner);
          t.put(p);
        } finally {
          t.close();
        }
        return null;
      }
    }, USER_OWNER);

    // new Put with TEST_Q1 column having TS=125. This covers old cell with TS 123 and user1 is
    // having RW permission. While TEST_Q2 is with latest TS and so it covers old cell with TS 127.
    // User1 is having RW permission on that too.
    user1.runAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        HTable t = new HTable(conf, TEST_TABLE.getTableName());
        try {
          Put p = new Put(TEST_ROW1);
          p.add(TEST_FAMILY1, TEST_Q1, 125, ZERO);
          p.add(TEST_FAMILY1, TEST_Q2, ZERO);
          p.setACL(user2.getShortName(), new Permission(Permission.Action.READ,
              Permission.Action.WRITE));
          t.put(p);
        } finally {
          t.close();
        }
        return null;
      }
    });

    // Should be denied.
    user2.runAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        HTable t = new HTable(conf, TEST_TABLE.getTableName());
        try {
          Put p = new Put(TEST_ROW1);
View Full Code Here
385
386
387
388
389
390
391
392
393
394
395
   * Returns the active user to which authorization checks should be applied.
   * If we are in the context of an RPC call, the remote user is used,
   * otherwise the currently logged in user is used.
   */
  private User getActiveUser() throws IOException {
    User user = RequestContext.getRequestUser();
    if (!RequestContext.isInRequestContext()) {
      // for non-rpc handling, fallback to system user
      user = userProvider.getCurrent();
    }
    return user;
View Full Code Here
404
405
406
407
408
409
410
411
412
413
414
   * @throws IOException if obtaining the current user fails
   * @throws AccessDeniedException if user has no authorization
   */
  private void requirePermission(String request, TableName tableName, byte[] family, byte[] qualifier,
      Action... permissions) throws IOException {
    User user = getActiveUser();
    AuthResult result = null;

    for (Action permission : permissions) {
      if (authManager.authorize(user, tableName, family, qualifier, permission)) {
        result = AuthResult.allow(request, "Table permission granted", user,
View Full Code Here
446
447
448
449
450
451
452
453
454
455
456
   */
  private void requirePermission(String request, Action perm,
        RegionCoprocessorEnvironment env,
        Map<byte[], ? extends Collection<?>> families)
      throws IOException {
    User user = getActiveUser();
    AuthResult result = permissionGranted(request, user, perm, env, families);
    logResult(result);

    if (!result.isAllowed()) {
      throw new AccessDeniedException("Insufficient permissions (table=" +
View Full Code Here
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
   * @param tableName Affected table name.
   * @param familyMap Affected column families.
   */
  private void requireGlobalPermission(String request, Action perm, TableName tableName,
      Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
    User user = getActiveUser();
    if (authManager.authorize(user, perm)) {
      logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
    } else {
      logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap));
      throw new AccessDeniedException("Insufficient permissions for user '" +
          (user != null ? user.getShortName() : "null") +"' (global, action=" +
          perm.toString() + ")");
    }
  }
View Full Code Here
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
   * @param perm Action being requested
   * @param namespace
   */
  private void requireGlobalPermission(String request, Action perm,
                                       String namespace) throws IOException {
    User user = getActiveUser();
    if (authManager.authorize(user, perm)) {
      logResult(AuthResult.allow(request, "Global check allowed", user, perm, namespace));
    } else {
      logResult(AuthResult.deny(request, "Global check failed", user, perm, namespace));
      throw new AccessDeniedException("Insufficient permissions for user '" +
          (user != null ? user.getShortName() : "null") +"' (global, action=" +
          perm.toString() + ")");
    }
  }
View Full Code Here
578
579
580
581
582
583
584
585
586
587
588
      throws IOException {
    if (!cellFeaturesEnabled) {
      return false;
    }
    long cellGrants = 0;
    User user = getActiveUser();
    long latestCellTs = 0;
    Get get = new Get(row);
    // Only in case of Put/Delete op, consider TS within cell (if set for individual cells).
    // When every cell, within a Mutation, can be linked with diff TS we can not rely on only one
    // version. We have to get every cell version and check its TS against the TS asked for in
View Full Code Here
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
      final byte [] row, final byte [] family, final Result result)
      throws IOException {
    assert family != null;
    RegionCoprocessorEnvironment env = c.getEnvironment();
    Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, null);
    User user = getActiveUser();
    AuthResult authResult = permissionGranted(OpType.GET_CLOSEST_ROW_BEFORE, user, env, families,
      Action.READ);
    if (!authResult.isAllowed() && cellFeaturesEnabled && !compatibleEarlyTermination) {
      authResult.setAllowed(checkCoveringPermission(OpType.GET_CLOSEST_ROW_BEFORE, env, row,
        families, HConstants.LATEST_TIMESTAMP, Action.READ));
View Full Code Here
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
    Filter filter = query.getFilter();
    // Don't wrap an AccessControlFilter
    if (filter != null && filter instanceof AccessControlFilter) {
      return;
    }
    User user = getActiveUser();
    RegionCoprocessorEnvironment env = c.getEnvironment();
    Map<byte[],? extends Collection<byte[]>> families = null;
    switch (opType) {
    case GET:
    case EXISTS:
View Full Code Here
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
    // HBase value. A new ACL in a new Put applies to that Put. It doesn't
    // change the ACL of any previous Put. This allows simple evolution of
    // security policy over time without requiring expensive updates.
    RegionCoprocessorEnvironment env = c.getEnvironment();
    Map<byte[],? extends Collection<Cell>> families = put.getFamilyCellMap();
    User user = getActiveUser();
    AuthResult authResult = permissionGranted(OpType.PUT, user, env, families, Action.WRITE);
    if (!authResult.isAllowed() && cellFeaturesEnabled && !compatibleEarlyTermination) {
      authResult.setAllowed(checkCoveringPermission(OpType.PUT, env, put.getRow(), families,
        put.getTimeStamp(), Action.WRITE));
      authResult.setReason("Covering cell set");
View Full Code Here
TOP

Related Classes of org.apache.hadoop.hbase.security.User$SecureHadoopUser

  • org.apache.flume.sink.hbase.HBaseSinkSecurityManager
  • org.apache.hadoop.conf.Configuration
  • org.apache.hadoop.hbase.client.HConnectionKey
  • org.apache.hadoop.hbase.client.HConnectionManager$HConnectionKey
  • org.apache.hadoop.hbase.client.UserProvider
  • org.apache.hadoop.hbase.coprocessor.TestWALObserver
  • org.apache.hadoop.hbase.HBaseTestingUtility
  • org.apache.hadoop.hbase.ipc.HBaseClient$Connection
  • org.apache.hadoop.hbase.ipc.HBaseServer$Handler
  • org.apache.hadoop.hbase.ipc.RequestContext
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.