@InterfaceAudience.Private public class TableAuthManager extends Object implements Closeable
Modifier and Type | Class and Description |
---|---|
private static class |
TableAuthManager.PermissionCache<T extends Permission> |
Modifier and Type | Field and Description |
---|---|
private org.apache.hadoop.conf.Configuration |
conf |
private TableAuthManager.PermissionCache<Permission> |
globalCache
Cache of global permissions
|
private static org.slf4j.Logger |
LOG |
private static Map<ZKWatcher,TableAuthManager> |
managerMap |
private AtomicLong |
mtime |
private ConcurrentSkipListMap<String,TableAuthManager.PermissionCache<TablePermission>> |
nsCache |
private static Map<TableAuthManager,Integer> |
refCount |
private ConcurrentSkipListMap<TableName,TableAuthManager.PermissionCache<TablePermission>> |
tableCache |
private ZKPermissionWatcher |
zkperms |
Modifier | Constructor and Description |
---|---|
private |
TableAuthManager(ZKWatcher watcher,
org.apache.hadoop.conf.Configuration conf) |
Modifier and Type | Method and Description |
---|---|
private boolean |
authorize(List<Permission> perms,
Permission.Action action)
Authorizes a global permission
|
private boolean |
authorize(List<TablePermission> perms,
String namespace,
Permission.Action action) |
private boolean |
authorize(List<TablePermission> perms,
TableName table,
byte[] family,
byte[] qualifier,
Permission.Action action) |
boolean |
authorize(User user,
Permission.Action action)
Authorize a global permission based on ACLs for the given user and the
user's groups.
|
boolean |
authorize(User user,
String namespace,
Permission.Action action) |
boolean |
authorize(User user,
TableName table,
byte[] family,
byte[] qualifier,
Permission.Action action) |
boolean |
authorize(User user,
TableName table,
byte[] family,
Permission.Action action) |
boolean |
authorize(User user,
TableName table,
Cell cell,
Permission.Action action)
Authorize a user for a given KV.
|
boolean |
authorizeGroup(String groupName,
Permission.Action action)
Checks global authorization for a given action for a group, based on the stored
permissions.
|
boolean |
authorizeGroup(String groupName,
TableName table,
byte[] family,
byte[] qualifier,
Permission.Action action)
Checks authorization to a given table, column family and column for a group, based
on the stored permissions.
|
boolean |
authorizeUser(User user,
TableName table,
byte[] family,
byte[] qualifier,
Permission.Action action) |
boolean |
authorizeUser(User user,
TableName table,
byte[] family,
Permission.Action action)
Checks authorization to a given table and column family for a user, based on the
stored user permissions.
|
void |
close() |
long |
getMTime() |
private TableAuthManager.PermissionCache<TablePermission> |
getNamespacePermissions(String namespace) |
static TableAuthManager |
getOrCreate(ZKWatcher watcher,
org.apache.hadoop.conf.Configuration conf)
Returns a TableAuthManager from the cache.
|
private TableAuthManager.PermissionCache<TablePermission> |
getTablePermissions(TableName table) |
static int |
getTotalRefCount() |
ZKPermissionWatcher |
getZKPermissionWatcher() |
boolean |
groupHasAccess(String groupName,
TableName table,
Permission.Action action)
Checks if the group has access to the full table or at least a family/qualifier
for the specified action.
|
private boolean |
hasAccess(List<TablePermission> perms,
TableName table,
Permission.Action action) |
boolean |
hasAccess(User user,
TableName table,
Permission.Action action) |
private TableAuthManager.PermissionCache<Permission> |
initGlobal(org.apache.hadoop.conf.Configuration conf)
Returns a new
PermissionCache initialized with permission assignments
from the hbase.superuser configuration key. |
boolean |
matchPermission(User user,
TableName table,
byte[] family,
byte[] qualifier,
Permission.Action action) |
boolean |
matchPermission(User user,
TableName table,
byte[] family,
Permission.Action action)
Returns true if the given user has a
TablePermission matching up
to the column family portion of a permission. |
void |
refreshNamespaceCacheFromWritable(String namespace,
byte[] data) |
void |
refreshTableCacheFromWritable(TableName table,
byte[] data) |
static void |
release(TableAuthManager instance)
Releases the resources for the given TableAuthManager if the reference count is down to 0.
|
void |
removeNamespace(byte[] ns) |
void |
removeTable(TableName table) |
void |
setNamespaceGroupPermissions(String group,
String namespace,
List<TablePermission> perms)
Overwrites the existing permission set for a group and triggers an update
for zookeeper synchronization.
|
void |
setNamespaceUserPermissions(String username,
String namespace,
List<TablePermission> perms)
Overwrites the existing permission set for a given user for a namespace, and
triggers an update for ZooKeeper synchronization.
|
void |
setTableGroupPermissions(String group,
TableName table,
List<TablePermission> perms)
Overwrites the existing permission set for a group and triggers an update
for zookeeper synchronization.
|
void |
setTableUserPermissions(String username,
TableName table,
List<TablePermission> perms)
Overwrites the existing permission set for a given user for a table, and
triggers an update for zookeeper synchronization.
|
private void |
updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> userPerms)
Updates the internal global permissions cache
|
private void |
updateNsCache(String namespace,
org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> tablePerms)
Updates the internal permissions cache for a single namespace, splitting
the permissions listed into separate caches for users and groups to optimize
group lookups.
|
private void |
updateTableCache(TableName table,
org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> tablePerms)
Updates the internal permissions cache for a single table, splitting
the permissions listed into separate caches for users and groups to optimize
group lookups.
|
boolean |
userHasAccess(User user,
TableName table,
Permission.Action action)
Checks if the user has access to the full table or at least a family/qualifier
for the specified action.
|
void |
writeNamespaceToZooKeeper(String namespace,
TableAuthManager.PermissionCache<TablePermission> tablePerms) |
void |
writeTableToZooKeeper(TableName table,
TableAuthManager.PermissionCache<TablePermission> tablePerms) |
private static final org.slf4j.Logger LOG
private volatile TableAuthManager.PermissionCache<Permission> globalCache
private ConcurrentSkipListMap<TableName,TableAuthManager.PermissionCache<TablePermission>> tableCache
private ConcurrentSkipListMap<String,TableAuthManager.PermissionCache<TablePermission>> nsCache
private org.apache.hadoop.conf.Configuration conf
private ZKPermissionWatcher zkperms
private final AtomicLong mtime
private static Map<ZKWatcher,TableAuthManager> managerMap
private static Map<TableAuthManager,Integer> refCount
private TableAuthManager(ZKWatcher watcher, org.apache.hadoop.conf.Configuration conf) throws IOException
Throws: IOException
public void close()
close
in interface Closeable
close
in interface AutoCloseable
private TableAuthManager.PermissionCache<Permission> initGlobal(org.apache.hadoop.conf.Configuration conf) throws IOException
Returns a new PermissionCache initialized with permission assignments
from the hbase.superuser configuration key.
Throws: IOException
public ZKPermissionWatcher getZKPermissionWatcher()
public void refreshTableCacheFromWritable(TableName table, byte[] data) throws IOException
Throws: IOException
public void refreshNamespaceCacheFromWritable(String namespace, byte[] data) throws IOException
Throws: IOException
private void updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> userPerms)
userPerms
- private void updateTableCache(TableName table, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> tablePerms)
table
- tablePerms
- private void updateNsCache(String namespace, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,TablePermission> tablePerms)
namespace
- tablePerms
- private TableAuthManager.PermissionCache<TablePermission> getTablePermissions(TableName table)
private TableAuthManager.PermissionCache<TablePermission> getNamespacePermissions(String namespace)
private boolean authorize(List<Permission> perms, Permission.Action action)
perms
- action
- public boolean authorize(User user, Permission.Action action)
user
- action
- private boolean authorize(List<TablePermission> perms, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
private boolean hasAccess(List<TablePermission> perms, TableName table, Permission.Action action)
public boolean authorize(User user, TableName table, Cell cell, Permission.Action action)
public boolean authorize(User user, String namespace, Permission.Action action)
private boolean authorize(List<TablePermission> perms, String namespace, Permission.Action action)
public boolean authorizeUser(User user, TableName table, byte[] family, Permission.Action action)
user
- table
- family
- action
- public boolean authorizeUser(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
public boolean userHasAccess(User user, TableName table, Permission.Action action)
user
- table
- action
- public boolean authorizeGroup(String groupName, Permission.Action action)
public boolean authorizeGroup(String groupName, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
groupName
- table
- family
- qualifier
- action
- public boolean groupHasAccess(String groupName, TableName table, Permission.Action action)
groupName
- table
- action
- public boolean authorize(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
public boolean hasAccess(User user, TableName table, Permission.Action action)
public boolean authorize(User user, TableName table, byte[] family, Permission.Action action)
public boolean matchPermission(User user, TableName table, byte[] family, Permission.Action action)
Returns true if the given user has a TablePermission matching up
to the column family portion of a permission. Note that this permission
may be scoped to a given column qualifier and does not guarantee that
authorize() on the same column family would return true.
public boolean matchPermission(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
public void removeNamespace(byte[] ns)
public void removeTable(TableName table)
public void setTableUserPermissions(String username, TableName table, List<TablePermission> perms)
username
- table
- perms
- public void setTableGroupPermissions(String group, TableName table, List<TablePermission> perms)
group
- table
- perms
- public void setNamespaceUserPermissions(String username, String namespace, List<TablePermission> perms)
username
- namespace
- perms
- public void setNamespaceGroupPermissions(String group, String namespace, List<TablePermission> perms)
group
- namespace
- perms
- public void writeTableToZooKeeper(TableName table, TableAuthManager.PermissionCache<TablePermission> tablePerms)
public void writeNamespaceToZooKeeper(String namespace, TableAuthManager.PermissionCache<TablePermission> tablePerms)
public long getMTime()
public static TableAuthManager getOrCreate(ZKWatcher watcher, org.apache.hadoop.conf.Configuration conf) throws IOException
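Returns a TableAuthManager from the cache; the returned instance should be released by calling release(TableAuthManager).
Throws: IOException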
public static int getTotalRefCount()
public static void release(TableAuthManager instance)
instance
- TableAuthManager to be released