org.apache.hadoop.hbase.security.access

Class AccessControlLists

java.lang.Object

org.apache.hadoop.hbase.security.access.AccessControlLists

@InterfaceAudience.Private
public class AccessControlLists
extends Object

Maintains lists of permission grants to users and groups to allow for authorization checks by AccessController.

Access control lists are stored in an "internal" metadata table named _acl_. Each table's permission grants are stored as a separate row, keyed by the table name. KeyValues for permissions assignments are stored in one of the formats:

 Key                      Desc
 --------                 --------
 user                     table level permissions for a user [R=read, W=write]
 group                    table level permissions for a group
 user,family              column family level permissions for a user
 group,family             column family level permissions for a group
 user,family,qualifier    column qualifier level permissions for a user
 group,family,qualifier   column qualifier level permissions for a group
 

All values are encoded as byte arrays containing the codes from the org.apache.hadoop.hbase.security.access.TablePermission.Action enum.

Field Summary

Fields

Modifier and Type	Field and Description
static byte[]	ACL_GLOBAL_NAME
static char	ACL_KEY_DELIMITER Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys
static byte[]	ACL_LIST_FAMILY
static String	ACL_LIST_FAMILY_STR Column family used to store ACL grants
static TableName	ACL_TABLE_NAME Internal storage table for access control lists
static byte	ACL_TAG_TYPE KV tag to store per cell access control lists
private static int	LIST_CODE
private static org.slf4j.Logger	LOG
static char	NAMESPACE_PREFIX
private static int	WRITABLE_CODE
private static int	WRITABLE_NOT_ENCODED

Constructor Summary

Constructors

Constructor and Description
AccessControlLists()

Method Summary

Modifier and Type	Method and Description
(package private) static void	addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t)
static void	addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t, boolean mergeExistingPermissions) Stores a new user permission grant in the access control lists table.
static byte[]	fromNamespaceEntry(byte[] namespace)
static String	fromNamespaceEntry(String namespace)
static List<Permission>	getCellPermissionsForUser(User user, Cell cell)
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	getNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace)
(package private) static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	getPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser) Reads user permission assignments stored in the l: column family of the first table row in _acl_.
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	getTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName)
static List<UserPermission>	getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, String user, boolean hasFilterUser) Returns the currently granted permissions for a given namespace as the specified user plus associated permissions.
static List<UserPermission>	getUserPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, byte[] cf, byte[] cq, String user, boolean hasFilterUser) Returns the currently granted permissions for a given table/namespace with associated permissions based on the specified column family, column qualifier and user name.
static List<UserPermission>	getUserTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] cf, byte[] cq, String userName, boolean hasFilterUser) Returns the currently granted permissions for a given table as the specified user plus associated permissions.
(package private) static boolean	isAclRegion(Region region) Returns true if the given region is part of the _acl_ metadata table.
(package private) static boolean	isAclTable(TableDescriptor desc) Returns true if the given table is _acl_ metadata table.
static boolean	isGlobalEntry(byte[] entryName)
static boolean	isNamespaceEntry(byte[] entryName)
static boolean	isNamespaceEntry(String entryName)
(package private) static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>>	loadAll(org.apache.hadoop.conf.Configuration conf) Load all permissions from the region server holding _acl_, primarily intended for testing purposes.
(package private) static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>>	loadAll(Region aclRegion) Loads all of the permission grants stored in a region of the _acl_ table.
private static Pair<String,Permission>	parsePermissionRecord(byte[] entryName, Cell kv, byte[] cf, byte[] cq, boolean filterPerms, String filterUser)
private static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	parsePermissions(byte[] entryName, Result result, byte[] cf, byte[] cq, String user, boolean hasFilterUser) Parse and filter permission based on the specified column family, column qualifier and user name.
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission>	readPermissions(byte[] data, org.apache.hadoop.conf.Configuration conf)
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	readUserPermission(byte[] data, org.apache.hadoop.conf.Configuration conf)
private static List<Permission>	readWritableUserPermission(DataInput in, org.apache.hadoop.conf.Configuration conf)
(package private) static void	removeNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, Table t) Remove specified namespace from the acl table.
private static void	removePermissionRecord(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t)
(package private) static void	removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] column, Table t) Remove specified table column from the acl table.
(package private) static void	removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, Table t) Remove specified table from the _acl_ table.
private static void	removeTablePermissions(TableName tableName, byte[] column, Table table, boolean closeTable)
static void	removeUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) Removes a previously granted permission from the stored access control lists.
static byte[]	toNamespaceEntry(byte[] namespace)
static String	toNamespaceEntry(String namespace)
(package private) static byte[]	userPermissionKey(UserPermission permission) Build qualifier key from user permission: username username,family username,family,qualifier
(package private) static byte[]	userPermissionRowKey(Permission permission)
private static boolean	validateCFAndCQ(byte[] permFamily, byte[] cf, byte[] permQualifier, byte[] cq)
private static boolean	validateFilterUser(String username, String filterUser, List<String> filterUserGroups)
static byte[]	writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> perms, org.apache.hadoop.conf.Configuration conf) Writes a set of permissions as Writable instances and returns the resulting byte array.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ACL_TABLE_NAME

public static final TableName ACL_TABLE_NAME

Internal storage table for access control lists

ACL_GLOBAL_NAME

public static final byte[] ACL_GLOBAL_NAME

ACL_LIST_FAMILY_STR

public static final String ACL_LIST_FAMILY_STR

Column family used to store ACL grants

See Also:

Constant Field Values

ACL_LIST_FAMILY

public static final byte[] ACL_LIST_FAMILY

ACL_TAG_TYPE

public static final byte ACL_TAG_TYPE

KV tag to store per cell access control lists

See Also:

Constant Field Values

NAMESPACE_PREFIX

public static final char NAMESPACE_PREFIX

See Also:

Constant Field Values

ACL_KEY_DELIMITER

public static final char ACL_KEY_DELIMITER

Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys

See Also:

Constant Field Values

LOG

private static final org.slf4j.Logger LOG

LIST_CODE

private static final int LIST_CODE

See Also:

Constant Field Values

WRITABLE_CODE

private static final int WRITABLE_CODE

See Also:

Constant Field Values

WRITABLE_NOT_ENCODED

private static final int WRITABLE_NOT_ENCODED

See Also:

Constant Field Values

Constructor Detail

AccessControlLists

public AccessControlLists()

Method Detail

addUserPermission

public static void addUserPermission(org.apache.hadoop.conf.Configuration conf,
                                     UserPermission userPerm,
                                     Table t,
                                     boolean mergeExistingPermissions)
                              throws IOException

Stores a new user permission grant in the access control lists table.

Parameters:

conf - the configuration

userPerm - the details of the permission to be granted

t - acl table instance. It is closed upon method return.

Throws:

IOException - in the case of an error accessing the metadata table

addUserPermission

static void addUserPermission(org.apache.hadoop.conf.Configuration conf,
                              UserPermission userPerm,
                              Table t)
                       throws IOException

Throws:

IOException

removeUserPermission

public static void removeUserPermission(org.apache.hadoop.conf.Configuration conf,
                                        UserPermission userPerm,
                                        Table t)
                                 throws IOException

Removes a previously granted permission from the stored access control lists. The TablePermission being removed must exactly match what is stored -- no wildcard matching is attempted. Ie, if user "bob" has been granted "READ" access to the "data" table, but only to column family plus qualifier "info:colA", then trying to call this method with only user "bob" and the table name "data" (but without specifying the column qualifier "info:colA") will have no effect.

Parameters:

conf - the configuration

userPerm - the details of the permission to be revoked

t - acl table

Throws:

IOException - if there is an error accessing the metadata table

removePermissionRecord

private static void removePermissionRecord(org.apache.hadoop.conf.Configuration conf,
                                           UserPermission userPerm,
                                           Table t)
                                    throws IOException

Throws:

IOException

removeTablePermissions

static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf,
                                   TableName tableName,
                                   Table t)
                            throws IOException

Remove specified table from the _acl_ table.

Throws:

IOException

removeNamespacePermissions

static void removeNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
                                       String namespace,
                                       Table t)
                                throws IOException

Remove specified namespace from the acl table.

Throws:

IOException

removeTablePermissions

private static void removeTablePermissions(TableName tableName,
                                           byte[] column,
                                           Table table,
                                           boolean closeTable)
                                    throws IOException

Throws:

IOException

removeTablePermissions

static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf,
                                   TableName tableName,
                                   byte[] column,
                                   Table t)
                            throws IOException

Remove specified table column from the acl table.

Throws:

IOException

userPermissionRowKey

static byte[] userPermissionRowKey(Permission permission)

userPermissionKey

static byte[] userPermissionKey(UserPermission permission)

Build qualifier key from user permission: username username,family username,family,qualifier

isAclRegion

static boolean isAclRegion(Region region)

Returns true if the given region is part of the _acl_ metadata table.

isAclTable

static boolean isAclTable(TableDescriptor desc)

Returns true if the given table is _acl_ metadata table.

loadAll

static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>> loadAll(Region aclRegion)
                                                                                                              throws IOException

Loads all of the permission grants stored in a region of the _acl_ table.

Parameters:

aclRegion -

Returns:

a map of the permissions for this table.

Throws:

IOException

loadAll

static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>> loadAll(org.apache.hadoop.conf.Configuration conf)
                                                                                                              throws IOException

Load all permissions from the region server holding _acl_, primarily intended for testing purposes.

Throws:

IOException

getTablePermissions

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getTablePermissions(org.apache.hadoop.conf.Configuration conf,
                                                                                                                            TableName tableName)
                                                                                                                     throws IOException

Throws:

IOException

getNamespacePermissions

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
                                                                                                                                String namespace)
                                                                                                                         throws IOException

Throws:

IOException

getPermissions

static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getPermissions(org.apache.hadoop.conf.Configuration conf,
                                                                                                                byte[] entryName,
                                                                                                                Table t,
                                                                                                                byte[] cf,
                                                                                                                byte[] cq,
                                                                                                                String user,
                                                                                                                boolean hasFilterUser)
                                                                                                         throws IOException

Reads user permission assignments stored in the l: column family of the first table row in _acl_.

See class documentation for the key structure used for storage.

Throws:

IOException

getUserTablePermissions

public static List<UserPermission> getUserTablePermissions(org.apache.hadoop.conf.Configuration conf,
                                                           TableName tableName,
                                                           byte[] cf,
                                                           byte[] cq,
                                                           String userName,
                                                           boolean hasFilterUser)
                                                    throws IOException

Returns the currently granted permissions for a given table as the specified user plus associated permissions.

Throws:

IOException

getUserNamespacePermissions

public static List<UserPermission> getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
                                                               String namespace,
                                                               String user,
                                                               boolean hasFilterUser)
                                                        throws IOException

Returns the currently granted permissions for a given namespace as the specified user plus associated permissions.

Throws:

IOException

getUserPermissions

public static List<UserPermission> getUserPermissions(org.apache.hadoop.conf.Configuration conf,
                                                      byte[] entryName,
                                                      byte[] cf,
                                                      byte[] cq,
                                                      String user,
                                                      boolean hasFilterUser)
                                               throws IOException

Returns the currently granted permissions for a given table/namespace with associated permissions based on the specified column family, column qualifier and user name.

Parameters:

conf - the configuration

entryName - Table name or the namespace

cf - Column family

cq - Column qualifier

user - User name to be filtered from permission as requested

hasFilterUser - true if filter user is provided, otherwise false.

Returns:

List of UserPermissions

Throws:

IOException - on failure

parsePermissions

private static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> parsePermissions(byte[] entryName,
                                                                                                                          Result result,
                                                                                                                          byte[] cf,
                                                                                                                          byte[] cq,
                                                                                                                          String user,
                                                                                                                          boolean hasFilterUser)

Parse and filter permission based on the specified column family, column qualifier and user name.

parsePermissionRecord

private static Pair<String,Permission> parsePermissionRecord(byte[] entryName,
                                                             Cell kv,
                                                             byte[] cf,
                                                             byte[] cq,
                                                             boolean filterPerms,
                                                             String filterUser)

validateFilterUser

private static boolean validateFilterUser(String username,
                                          String filterUser,
                                          List<String> filterUserGroups)

validateCFAndCQ

private static boolean validateCFAndCQ(byte[] permFamily,
                                       byte[] cf,
                                       byte[] permQualifier,
                                       byte[] cq)

writePermissionsAsBytes

public static byte[] writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> perms,
                                             org.apache.hadoop.conf.Configuration conf)

Writes a set of permissions as Writable instances and returns the resulting byte array. Writes a set of permission [user: table permission]

readWritableUserPermission

private static List<Permission> readWritableUserPermission(DataInput in,
                                                           org.apache.hadoop.conf.Configuration conf)
                                                    throws IOException,
                                                           ClassNotFoundException

Throws:

IOException

ClassNotFoundException

readUserPermission

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> readUserPermission(byte[] data,
                                                                                                                           org.apache.hadoop.conf.Configuration conf)
                                                                                                                    throws DeserializationException

Throws:

DeserializationException

readPermissions

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> readPermissions(byte[] data,
                                                                                                                    org.apache.hadoop.conf.Configuration conf)
                                                                                                             throws DeserializationException

Throws:

DeserializationException

isGlobalEntry

public static boolean isGlobalEntry(byte[] entryName)

isNamespaceEntry

public static boolean isNamespaceEntry(String entryName)

isNamespaceEntry

public static boolean isNamespaceEntry(byte[] entryName)

toNamespaceEntry

public static String toNamespaceEntry(String namespace)

fromNamespaceEntry

public static String fromNamespaceEntry(String namespace)

toNamespaceEntry

public static byte[] toNamespaceEntry(byte[] namespace)

fromNamespaceEntry

public static byte[] fromNamespaceEntry(byte[] namespace)

getCellPermissionsForUser

public static List<Permission> getCellPermissionsForUser(User user,
                                                         Cell cell)
                                                  throws IOException

Throws:

IOException