@InterfaceAudience.LimitedPrivate(value="Coprocesssor") @InterfaceStability.Evolving public class AccessChecker extends Object
Modifier and Type | Class and Description |
---|---|
static class | AccessChecker.InputUser: A temporary user class used to instantiate a User instance based on the name and groups. |

Modifier and Type | Field and Description |
---|---|
private static org.slf4j.Logger | AUDITLOG |
private AuthManager | authManager |
private boolean | authorizationEnabled: Whether authorization is active. Usually false; true only if "hbase.security.authorization" has been set to true in the site configuration. See HBASE-19483. |
private static org.apache.hadoop.security.Groups | groupService: Group service to retrieve the user group information |
private static org.slf4j.Logger | LOG |

Constructor and Description |
---|
AccessChecker(org.apache.hadoop.conf.Configuration conf, ZKWatcher zkw): Constructor with existing configuration |

Modifier and Type | Method and Description |
---|---|
void | checkLockPermissions(User user, String namespace, TableName tableName, RegionInfo[] regionInfos, String reason) |
AuthManager | getAuthManager() |
static List<String> | getUserGroups(String user): Retrieve the groups of the given user. |
boolean | hasUserPermission(User user, String request, Permission permission): Checks whether the current user has the given permissions. |
private void | initGroupService(org.apache.hadoop.conf.Configuration conf) |
static boolean | isAuthorizationSupported(org.apache.hadoop.conf.Configuration conf) |
static void | logResult(AuthResult result) |
private Map<byte[],? extends Collection<byte[]>> | makeFamilyMap(byte[] family, byte[] qualifier) |
void | performOnSuperuser(String request, User caller, String userToBeChecked): Check if caller is granting or revoking superusers' or supergroups' permissions. |
private AuthResult | permissionGranted(String request, User user, Permission.Action permRequest, TableName tableName, byte[] family, byte[] qualifier) |
AuthResult | permissionGranted(String request, User user, Permission.Action permRequest, TableName tableName, Map<byte[],? extends Collection<?>> families): Check the current user for authorization to perform a specific action against the given set of row data. |
void | requireAccess(User user, String request, TableName tableName, Permission.Action... permissions): Authorizes that the current user has any of the given permissions to access the table. |
void | requireGlobalPermission(User user, String request, Permission.Action perm, String namespace): Checks that the user has the given global permission. |
void | requireGlobalPermission(User user, String request, Permission.Action perm, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, String filterUser): Checks that the user has the given global permission. |
void | requireNamespacePermission(User user, String request, String namespace, String filterUser, Permission.Action... permissions): Checks that the user has the given global or namespace permission. |
void | requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, Permission.Action... permissions): Checks that the user has the given global or namespace permission. |
void | requirePermission(User user, String request, String filterUser, Permission.Action perm): Authorizes that the current user has global privileges for the given action. |
void | requirePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, String filterUser, Permission.Action... permissions): Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier. |
void | requireTablePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Permission.Action... permissions): Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier. |
void | stop(): Releases AuthManager's reference. |
User | validateCallerWithFilterUser(User caller, TablePermission tPerm, String inputUserName) |

private static final org.slf4j.Logger LOG
private static final org.slf4j.Logger AUDITLOG
private AuthManager authManager
private static org.apache.hadoop.security.Groups groupService
private boolean authorizationEnabled
public AccessChecker(org.apache.hadoop.conf.Configuration conf, ZKWatcher zkw) throws RuntimeException
Parameters:
conf - Existing configuration to use
zkw - reference to the ZKWatcher
Throws:
RuntimeException
public static boolean isAuthorizationSupported(org.apache.hadoop.conf.Configuration conf)
public void stop()
Releases AuthManager's reference.

public AuthManager getAuthManager()
public void requireAccess(User user, String request, TableName tableName, Permission.Action... permissions) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type.
tableName - Table requested
permissions - Actions being requested
Throws:
IOException - if obtaining the current user fails
AccessDeniedException - if user has no authorization

public void requirePermission(User user, String request, String filterUser, Permission.Action perm) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
filterUser - User name to be filtered from permission as requested
perm - The action being requested
Throws:
IOException - if obtaining the current user fails
AccessDeniedException - if authorization is denied

public void requireGlobalPermission(User user, String request, Permission.Action perm, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, String filterUser) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
perm - Action being requested
tableName - Affected table name.
familyMap - Affected column families.
filterUser - User name to be filtered from permission as requested
Throws:
IOException
public void requireGlobalPermission(User user, String request, Permission.Action perm, String namespace) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
perm - Action being requested
namespace - The given namespace
Throws:
IOException
public void requireNamespacePermission(User user, String request, String namespace, String filterUser, Permission.Action... permissions) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
namespace - Name space as requested
filterUser - User name to be filtered from permission as requested
permissions - Actions being requested
Throws:
IOException
public void requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, Permission.Action... permissions) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
namespace - The given namespace
tableName - Table requested
familyMap - Column family map requested
permissions - Actions being requested
Throws:
IOException
public void requirePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, String filterUser, Permission.Action... permissions) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
tableName - Table requested
family - Column family requested
qualifier - Column qualifier requested
filterUser - User name to be filtered from permission as requested
permissions - Actions being requested
Throws:
IOException - if obtaining the current user fails
AccessDeniedException - if user has no authorization

public void requireTablePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Permission.Action... permissions) throws IOException
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
tableName - Table requested
family - Column family param
qualifier - Column qualifier param
Throws:
IOException - if obtaining the current user fails
AccessDeniedException - if user has no authorization

public void performOnSuperuser(String request, User caller, String userToBeChecked) throws IOException
Parameters:
request - request name
caller - caller
userToBeChecked - target user or group
Throws:
IOException - AccessDeniedException if target user is superuser

public void checkLockPermissions(User user, String namespace, TableName tableName, RegionInfo[] regionInfos, String reason) throws IOException
Throws:
IOException
public static void logResult(AuthResult result)
public User validateCallerWithFilterUser(User caller, TablePermission tPerm, String inputUserName) throws IOException
Throws:
IOException
private void initGroupService(org.apache.hadoop.conf.Configuration conf)
public static List<String> getUserGroups(String user)
Parameters:
user - User name

public boolean hasUserPermission(User user, String request, Permission permission)
Parameters:
user - Active user to which authorization checks should be applied
request - Request type
permission - Actions being requested

private AuthResult permissionGranted(String request, User user, Permission.Action permRequest, TableName tableName, byte[] family, byte[] qualifier)

public AuthResult permissionGranted(String request, User user, Permission.Action permRequest, TableName tableName, Map<byte[],? extends Collection<?>> families)
Note: Ordering of the authorization checks has been carefully optimized to short-circuit the most common requests and minimize the amount of processing required.
Parameters:
request - User request
user - User name
permRequest - the action being requested
tableName - Table name
families - the map of column families to qualifiers present in the request

private Map<byte[],? extends Collection<byte[]>> makeFamilyMap(byte[] family, byte[] qualifier)
Copyright © 2007–2020 The Apache Software Foundation. All rights reserved.