org.apache.hadoop.hbase.security.access

Class AccessControlClient

java.lang.Object

org.apache.hadoop.hbase.security.access.AccessControlClient

@InterfaceAudience.Public
public class AccessControlClient
extends Object

Utility client for doing access control admin operations.

Field Summary

Fields

Modifier and Type	Field and Description
static TableName	ACL_TABLE_NAME

Constructor Summary

Constructors

Constructor and Description
AccessControlClient()

Method Summary

Modifier and Type	Method and Description
private static org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingInterface	getAccessControlServiceStub(Table ht)
static List<UserPermission>	getUserPermissions(Connection connection, String tableRegex) List all the userPermissions matching the given pattern.
static List<UserPermission>	getUserPermissions(Connection connection, String tableRegex, byte[] columnFamily) List all the userPermissions matching the given table pattern and column family.
static List<UserPermission>	getUserPermissions(Connection connection, String tableRegex, byte[] columnFamily, byte[] columnQualifier) List all the userPermissions matching the given table pattern, column family and column qualifier.
static List<UserPermission>	getUserPermissions(Connection connection, String tableRegex, byte[] columnFamily, byte[] columnQualifier, String userName) List all the userPermissions matching the given table pattern, column family and column qualifier.
static List<UserPermission>	getUserPermissions(Connection connection, String tableRegex, byte[] columnFamily, String userName) List all the userPermissions matching the given table pattern, column family and user name.
static List<UserPermission>	getUserPermissions(Connection connection, String tableRegex, String userName) List all the userPermissions matching the given table pattern and user name.
private static void	grant(Connection connection, String userName, boolean mergeExistingPermissions, Permission.Action... actions) Grant global permissions for the specified user.
static void	grant(Connection connection, String userName, Permission.Action... actions) Grant global permissions for the specified user.
private static void	grant(Connection connection, String namespace, String userName, boolean mergeExistingPermissions, Permission.Action... actions) Grants permission on the specified namespace for the specified user.
static void	grant(Connection connection, String namespace, String userName, Permission.Action... actions) Grants permission on the specified namespace for the specified user.
private static void	grant(Connection connection, TableName tableName, String userName, byte[] family, byte[] qual, boolean mergeExistingPermissions, Permission.Action... actions) Grants permission on the specified table for the specified user
static void	grant(Connection connection, TableName tableName, String userName, byte[] family, byte[] qual, Permission.Action... actions) Grants permission on the specified table for the specified user.
static boolean	hasPermission(Connection connection, String tableName, byte[] columnFamily, byte[] columnQualifier, String userName, Permission.Action... actions) Validates whether specified user has permission to perform actions on the mentioned table, column family or column qualifier.
static boolean	hasPermission(Connection connection, String tableName, String columnFamily, String columnQualifier, String userName, Permission.Action... actions) Validates whether specified user has permission to perform actions on the mentioned table, column family or column qualifier.
static boolean	isAccessControllerRunning(Connection connection)
static boolean	isAuthorizationEnabled(Connection connection) Return true if authorization is supported and enabled
static boolean	isCellAuthorizationEnabled(Connection connection) Return true if cell authorization is supported and enabled
static void	revoke(Connection connection, String userName, Permission.Action... actions) Revoke global permissions for the specified user.
static void	revoke(Connection connection, String namespace, String userName, Permission.Action... actions) Revokes the permission on the namespace for the specified user.
static void	revoke(Connection connection, TableName tableName, String username, byte[] family, byte[] qualifier, Permission.Action... actions) Revokes the permission on the table

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ACL_TABLE_NAME

public static final TableName ACL_TABLE_NAME

Constructor Detail

AccessControlClient

public AccessControlClient()

Method Detail

isAuthorizationEnabled

public static boolean isAuthorizationEnabled(Connection connection)
                                      throws IOException

Return true if authorization is supported and enabled

Parameters:

connection - The connection to use

Returns:

true if authorization is supported and enabled, false otherwise

Throws:

IOException

isCellAuthorizationEnabled

public static boolean isCellAuthorizationEnabled(Connection connection)
                                          throws IOException

Return true if cell authorization is supported and enabled

Parameters:

connection - The connection to use

Returns:

true if cell authorization is supported and enabled, false otherwise

Throws:

IOException

getAccessControlServiceStub

private static org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingInterface getAccessControlServiceStub(Table ht)
                                                                                                                                          throws IOException

Throws:

IOException

grant

private static void grant(Connection connection,
                          TableName tableName,
                          String userName,
                          byte[] family,
                          byte[] qual,
                          boolean mergeExistingPermissions,
                          Permission.Action... actions)
                   throws Throwable

Grants permission on the specified table for the specified user

Parameters:

connection - The Connection instance to use

tableName -

userName -

family -

qual -

mergeExistingPermissions - If set to false, later granted permissions will override previous granted permissions. otherwise, it'll merge with previous granted permissions.

actions -

Throws:

Throwable

grant

public static void grant(Connection connection,
                         TableName tableName,
                         String userName,
                         byte[] family,
                         byte[] qual,
                         Permission.Action... actions)
                  throws Throwable

Grants permission on the specified table for the specified user. If permissions for a specified user exists, later granted permissions will override previous granted permissions.

Parameters:

connection - The Connection instance to use

tableName -

userName -

family -

qual -

actions -

Throws:

Throwable

grant

private static void grant(Connection connection,
                          String namespace,
                          String userName,
                          boolean mergeExistingPermissions,
                          Permission.Action... actions)
                   throws Throwable

Grants permission on the specified namespace for the specified user.

Parameters:

connection -

namespace -

userName -

mergeExistingPermissions - If set to false, later granted permissions will override previous granted permissions. otherwise, it'll merge with previous granted permissions.

actions -

Throws:

Throwable

grant

public static void grant(Connection connection,
                         String namespace,
                         String userName,
                         Permission.Action... actions)
                  throws Throwable

Grants permission on the specified namespace for the specified user. If permissions on the specified namespace exists, later granted permissions will override previous granted permissions.

Parameters:

connection - The Connection instance to use

namespace -

userName -

actions -

Throws:

Throwable

grant

private static void grant(Connection connection,
                          String userName,
                          boolean mergeExistingPermissions,
                          Permission.Action... actions)
                   throws Throwable

Grant global permissions for the specified user.

Parameters:

connection -

userName -

mergeExistingPermissions - If set to false, later granted permissions will override previous granted permissions. otherwise, it'll merge with previous granted permissions.

actions -

Throws:

Throwable

grant

public static void grant(Connection connection,
                         String userName,
                         Permission.Action... actions)
                  throws Throwable

Grant global permissions for the specified user. If permissions for the specified user exists, later granted permissions will override previous granted permissions.

Parameters:

connection -

userName -

actions -

Throws:

Throwable

isAccessControllerRunning

public static boolean isAccessControllerRunning(Connection connection)
                                         throws MasterNotRunningException,
                                                ZooKeeperConnectionException,
                                                IOException

Throws:

MasterNotRunningException

ZooKeeperConnectionException

IOException

revoke

public static void revoke(Connection connection,
                          TableName tableName,
                          String username,
                          byte[] family,
                          byte[] qualifier,
                          Permission.Action... actions)
                   throws Throwable

Revokes the permission on the table

Parameters:

connection - The Connection instance to use

tableName -

username -

family -

qualifier -

actions -

Throws:

Throwable

revoke

public static void revoke(Connection connection,
                          String namespace,
                          String userName,
                          Permission.Action... actions)
                   throws Throwable

Revokes the permission on the namespace for the specified user.

Parameters:

connection - The Connection instance to use

namespace -

userName -

actions -

Throws:

Throwable

revoke

public static void revoke(Connection connection,
                          String userName,
                          Permission.Action... actions)
                   throws Throwable

Revoke global permissions for the specified user.

Parameters:

connection - The Connection instance to use

Throws:

Throwable

getUserPermissions

public static List<UserPermission> getUserPermissions(Connection connection,
                                                      String tableRegex)
                                               throws Throwable

List all the userPermissions matching the given pattern. If pattern is null, the behavior is dependent on whether user has global admin privileges or not. If yes, the global permissions along with the list of superusers would be returned. Else, no rows get returned.

Parameters:

connection - The Connection instance to use

tableRegex - The regular expression string to match against

Returns:

List of UserPermissions

Throws:

Throwable

getUserPermissions

public static List<UserPermission> getUserPermissions(Connection connection,
                                                      String tableRegex,
                                                      String userName)
                                               throws Throwable

List all the userPermissions matching the given table pattern and user name.

Parameters:

connection - Connection

tableRegex - The regular expression string to match against

userName - User name, if empty then all user permissions will be retrieved.

Returns:

List of UserPermissions

Throws:

Throwable - on failure

getUserPermissions

public static List<UserPermission> getUserPermissions(Connection connection,
                                                      String tableRegex,
                                                      byte[] columnFamily)
                                               throws Throwable

List all the userPermissions matching the given table pattern and column family.

Parameters:

connection - Connection

tableRegex - The regular expression string to match against. It shouldn't be null, empty or a namespace regular expression.

columnFamily - Column family

Returns:

List of UserPermissions

Throws:

Throwable - on failure

getUserPermissions

public static List<UserPermission> getUserPermissions(Connection connection,
                                                      String tableRegex,
                                                      byte[] columnFamily,
                                                      String userName)
                                               throws Throwable

List all the userPermissions matching the given table pattern, column family and user name.

Parameters:

connection - Connection

tableRegex - The regular expression string to match against. It shouldn't be null, empty or a namespace regular expression.

columnFamily - Column family

userName - User name, if empty then all user permissions will be retrieved.

Returns:

List of UserPermissions

Throws:

Throwable - on failure

getUserPermissions

public static List<UserPermission> getUserPermissions(Connection connection,
                                                      String tableRegex,
                                                      byte[] columnFamily,
                                                      byte[] columnQualifier)
                                               throws Throwable

List all the userPermissions matching the given table pattern, column family and column qualifier.

Parameters:

connection - Connection

tableRegex - The regular expression string to match against. It shouldn't be null, empty or a namespace regular expression.

columnFamily - Column family

columnQualifier - Column qualifier

Returns:

List of UserPermissions

Throws:

Throwable - on failure

getUserPermissions

public static List<UserPermission> getUserPermissions(Connection connection,
                                                      String tableRegex,
                                                      byte[] columnFamily,
                                                      byte[] columnQualifier,
                                                      String userName)
                                               throws Throwable

List all the userPermissions matching the given table pattern, column family and column qualifier.

Parameters:

connection - Connection

tableRegex - The regular expression string to match against. It shouldn't be null, empty or a namespace regular expression.

columnFamily - Column family

columnQualifier - Column qualifier

userName - User name, if empty then all user permissions will be retrieved.

Returns:

List of UserPermissions

Throws:

Throwable - on failure

hasPermission

public static boolean hasPermission(Connection connection,
                                    String tableName,
                                    String columnFamily,
                                    String columnQualifier,
                                    String userName,
                                    Permission.Action... actions)
                             throws Throwable

Validates whether specified user has permission to perform actions on the mentioned table, column family or column qualifier.

Parameters:

connection - Connection

tableName - Table name, it shouldn't be null or empty.

columnFamily - The column family. Optional argument, can be empty. If empty then validation will happen at table level.

columnQualifier - The column qualifier. Optional argument, can be empty. If empty then validation will happen at table and column family level. columnQualifier will not be considered if columnFamily is passed as null or empty.

userName - User name, it shouldn't be null or empty.

actions - Actions

Returns:

true if access allowed to the specified user, otherwise false.

Throws:

Throwable - on failure

hasPermission

public static boolean hasPermission(Connection connection,
                                    String tableName,
                                    byte[] columnFamily,
                                    byte[] columnQualifier,
                                    String userName,
                                    Permission.Action... actions)
                             throws Throwable

Validates whether specified user has permission to perform actions on the mentioned table, column family or column qualifier.

Parameters:

connection - Connection

tableName - Table name, it shouldn't be null or empty.

columnFamily - The column family. Optional argument, can be empty. If empty then validation will happen at table level.

columnQualifier - The column qualifier. Optional argument, can be empty. If empty then validation will happen at table and column family level. columnQualifier will not be considered if columnFamily is passed as null or empty.

userName - User name, it shouldn't be null or empty.

actions - Actions

Returns:

true if access allowed to the specified user, otherwise false.

Throws:

Throwable - on failure