@InterfaceAudience.Private public class AccessControlLists extends Object
AccessController.
Access control lists are stored in an "internal" metadata table named
_acl_
. Each table's permission grants are stored as a separate row,
keyed by the table name. KeyValues for permissions assignments are stored
in one of the formats:
| Key | Desc |
|---|---|
| user | table level permissions for a user [R=read, W=write] |
| group | table level permissions for a group |
| user,family | column family level permissions for a user |
| group,family | column family level permissions for a group |
| user,family,qualifier | column qualifier level permissions for a user |
| group,family,qualifier | column qualifier level permissions for a group |
All values are encoded as byte arrays containing the codes from the org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
Modifier and Type | Field and Description |
---|---|
static byte[] |
ACL_GLOBAL_NAME |
static char |
ACL_KEY_DELIMITER
Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys
|
static byte[] |
ACL_LIST_FAMILY |
static String |
ACL_LIST_FAMILY_STR
Column family used to store ACL grants
|
static TableName |
ACL_TABLE_NAME
Internal storage table for access control lists
|
static byte |
ACL_TAG_TYPE
KV tag to store per cell access control lists
|
private static int |
LIST_CODE |
private static org.slf4j.Logger |
LOG |
static char |
NAMESPACE_PREFIX |
private static int |
WRITABLE_CODE |
private static int |
WRITABLE_NOT_ENCODED |
Constructor and Description |
---|
AccessControlLists() |
Modifier and Type | Method and Description |
---|---|
(package private) static void |
addUserPermission(org.apache.hadoop.conf.Configuration conf,
UserPermission userPerm,
Table t) |
(package private) static void |
addUserPermission(org.apache.hadoop.conf.Configuration conf,
UserPermission userPerm,
Table t,
boolean mergeExistingPermissions)
Stores a new user permission grant in the access control lists table.
|
static byte[] |
fromNamespaceEntry(byte[] namespace) |
static String |
fromNamespaceEntry(String namespace) |
static List<Permission> |
getCellPermissionsForUser(User user,
Cell cell) |
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> |
getNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
String namespace) |
(package private) static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> |
getPermissions(org.apache.hadoop.conf.Configuration conf,
byte[] entryName,
Table t)
Reads user permission assignments stored in the `l:` column family of the first table row in _acl_. |
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> |
getTablePermissions(org.apache.hadoop.conf.Configuration conf,
TableName tableName) |
(package private) static List<UserPermission> |
getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
String namespace) |
(package private) static List<UserPermission> |
getUserPermissions(org.apache.hadoop.conf.Configuration conf,
byte[] entryName) |
(package private) static List<UserPermission> |
getUserTablePermissions(org.apache.hadoop.conf.Configuration conf,
TableName tableName)
Returns the currently granted permissions for a given table as a list of user plus associated permissions.
|
(package private) static boolean |
isAclRegion(Region region)
Returns true if the given region is part of the _acl_ metadata table. |
(package private) static boolean |
isAclTable(TableDescriptor desc)
Returns true if the given table is the _acl_ metadata table. |
static boolean |
isNamespaceEntry(byte[] entryName) |
static boolean |
isNamespaceEntry(String entryName) |
(package private) static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission>> |
loadAll(org.apache.hadoop.conf.Configuration conf)
Load all permissions from the region server holding _acl_, primarily intended for testing purposes. |
(package private) static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission>> |
loadAll(Region aclRegion)
Loads all of the permission grants stored in a region of the _acl_ table. |
private static Pair<String,TablePermission> |
parsePermissionRecord(byte[] entryName,
Cell kv) |
private static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> |
parsePermissions(byte[] entryName,
Result result) |
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> |
readPermissions(byte[] data,
org.apache.hadoop.conf.Configuration conf)
Reads a set of permissions as Writable instances from the input stream. |
private static List<TablePermission> |
readWritablePermissions(DataInput in,
org.apache.hadoop.conf.Configuration conf) |
(package private) static void |
removeNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
String namespace,
Table t)
Remove specified namespace from the acl table.
|
private static void |
removePermissionRecord(org.apache.hadoop.conf.Configuration conf,
UserPermission userPerm,
Table t) |
(package private) static void |
removeTablePermissions(org.apache.hadoop.conf.Configuration conf,
TableName tableName,
byte[] column,
Table t)
Remove specified table column from the acl table.
|
(package private) static void |
removeTablePermissions(org.apache.hadoop.conf.Configuration conf,
TableName tableName,
Table t)
Remove specified table from the _acl_ table.
|
private static void |
removeTablePermissions(TableName tableName,
byte[] column,
Table table,
boolean closeTable) |
(package private) static void |
removeUserPermission(org.apache.hadoop.conf.Configuration conf,
UserPermission userPerm,
Table t)
Removes a previously granted permission from the stored access control lists.
|
static byte[] |
toNamespaceEntry(byte[] namespace) |
static String |
toNamespaceEntry(String namespace) |
(package private) static byte[] |
userPermissionKey(UserPermission userPerm)
Builds the qualifier key from a user permission, in one of the forms `username`, `username,family` or `username,family,qualifier`.
|
(package private) static byte[] |
userPermissionRowKey(UserPermission userPerm) |
static byte[] |
writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> perms,
org.apache.hadoop.conf.Configuration conf)
Writes a set of permissions as Writable instances and returns the resulting byte array. |
public static final TableName ACL_TABLE_NAME
public static final byte[] ACL_GLOBAL_NAME
public static final String ACL_LIST_FAMILY_STR
public static final byte[] ACL_LIST_FAMILY
public static final byte ACL_TAG_TYPE
public static final char NAMESPACE_PREFIX
public static final char ACL_KEY_DELIMITER
private static final org.slf4j.Logger LOG
private static final int LIST_CODE
private static final int WRITABLE_CODE
private static final int WRITABLE_NOT_ENCODED
public AccessControlLists()
static void addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t, boolean mergeExistingPermissions) throws IOException
Stores a new user permission grant in the access control lists table.
Parameters:
conf - the configuration
userPerm - the details of the permission to be granted
t - acl table instance. It is closed upon method return.
Throws:
IOException - in the case of an error accessing the metadata table
static void addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) throws IOException
IOException
static void removeUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) throws IOException
Removes a previously granted permission from the stored access control lists. The TablePermission being removed must exactly match what is stored -- no wildcard matching is attempted. I.e., if user "bob" has been granted "READ" access to the "data" table, but only to column family plus qualifier "info:colA", then trying to call this method with only user "bob" and the table name "data" (but without specifying the column qualifier "info:colA") will have no effect.
Parameters:
conf - the configuration
userPerm - the details of the permission to be revoked
t - acl table
Throws:
IOException - if there is an error accessing the metadata table
private static void removePermissionRecord(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) throws IOException
IOException
static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, Table t) throws IOException
IOException
static void removeNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, Table t) throws IOException
IOException
private static void removeTablePermissions(TableName tableName, byte[] column, Table table, boolean closeTable) throws IOException
IOException
static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] column, Table t) throws IOException
IOException
static byte[] userPermissionRowKey(UserPermission userPerm)
static byte[] userPermissionKey(UserPermission userPerm)
static boolean isAclRegion(Region region)
Returns true if the given region is part of the _acl_ metadata table.
static boolean isAclTable(TableDescriptor desc)
Returns true if the given table is the _acl_ metadata table.
static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission>> loadAll(Region aclRegion) throws IOException
Loads all of the permission grants stored in a region of the _acl_ table.
Parameters:
aclRegion -
Throws:
IOException
static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission>> loadAll(org.apache.hadoop.conf.Configuration conf) throws IOException
Load all permissions from the region server holding _acl_, primarily intended for testing purposes.
Throws:
IOException
public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> getTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName) throws IOException
IOException
public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> getNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace) throws IOException
IOException
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> getPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, Table t) throws IOException
Reads user permission assignments stored in the `l:` column family of the first table row in _acl_. See class documentation for the key structure used for storage.
Throws:
IOException
static List<UserPermission> getUserTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName) throws IOException
IOException
static List<UserPermission> getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace) throws IOException
IOException
static List<UserPermission> getUserPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName) throws IOException
IOException
private static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> parsePermissions(byte[] entryName, Result result)
private static Pair<String,TablePermission> parsePermissionRecord(byte[] entryName, Cell kv)
public static byte[] writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> perms, org.apache.hadoop.conf.Configuration conf)
Writes a set of permissions as Writable instances and returns the resulting byte array.
Writes a set of permission [user: table permission]
private static List<TablePermission> readWritablePermissions(DataInput in, org.apache.hadoop.conf.Configuration conf) throws IOException, ClassNotFoundException
Throws:
IOException
ClassNotFoundException
public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> readPermissions(byte[] data, org.apache.hadoop.conf.Configuration conf) throws DeserializationException
Reads a set of permissions as Writable instances from the input stream.
Throws:
DeserializationException
public static boolean isNamespaceEntry(String entryName)
public static boolean isNamespaceEntry(byte[] entryName)
public static String toNamespaceEntry(String namespace)
public static String fromNamespaceEntry(String namespace)
public static byte[] toNamespaceEntry(byte[] namespace)
public static byte[] fromNamespaceEntry(byte[] namespace)
public static List<Permission> getCellPermissionsForUser(User user, Cell cell) throws IOException
IOException