AuthManager (Apache HBase 2.4.0 API)

java.lang.Object
- org.apache.hadoop.hbase.security.access.AuthManager

```
@InterfaceAudience.Private
public final class AuthManager
extends Object
```
Performs authorization checks for a given user's assigned permissions.
There're following scopes: Global, Namespace, Table, Family, Qualifier, Cell. Generally speaking, higher scopes can overrides lower scopes, except for Cell permission can be granted even a user has not permission on specified table, which means the user can get/scan only those granted cells parts.
e.g, if user A has global permission R(ead), he can read table T without checking table scope permission, so authorization checks alway starts from Global scope.
For each scope, not only user but also groups he belongs to will be checked.

Nested Class Summary

Nested Classes
Modifier and Type Class and Description

private static class AuthManager.PermissionCache<T extends Permission>
Cache of permissions, it is thread safe.

Nested Classes
Modifier and Type	Class and Description
`private static class`	`AuthManager.PermissionCache<T extends Permission>` Cache of permissions, it is thread safe.

Field Summary

Fields
Modifier and Type	Field and Description
`private org.apache.hadoop.conf.Configuration`	`conf`
`private Map<String,GlobalPermission>`	`globalCache` Cache for global permission excluding superuser and supergroup.
`private static org.slf4j.Logger`	`LOG`
`private AtomicLong`	`mtime`
`private ConcurrentHashMap<String,AuthManager.PermissionCache<NamespacePermission>>`	`namespaceCache` Cache for namespace permission.
`(package private) AuthManager.PermissionCache<NamespacePermission>`	`NS_NO_PERMISSION`
`private ConcurrentHashMap<TableName,AuthManager.PermissionCache<TablePermission>>`	`tableCache` Cache for table permission.
`(package private) AuthManager.PermissionCache<TablePermission>`	`TBL_NO_PERMISSION`

Constructor Summary

Constructors
Constructor and Description

AuthManager(org.apache.hadoop.conf.Configuration conf)

Constructors
Constructor and Description
`AuthManager(org.apache.hadoop.conf.Configuration conf)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`boolean`	`accessUserTable(User user, TableName table, Permission.Action action)` Checks if the user has access to the full table or at least a family/qualifier for the specified action.
`boolean`	`authorizeCell(User user, TableName table, Cell cell, Permission.Action action)` Check if user has given action privilige in cell scope.
`private boolean`	`authorizeFamily(Set<TablePermission> permissions, TableName table, byte[] family, Permission.Action action)`
`private boolean`	`authorizeGlobal(GlobalPermission permissions, Permission.Action action)`
`private boolean`	`authorizeNamespace(Set<NamespacePermission> permissions, String namespace, Permission.Action action)`
`private boolean`	`authorizeTable(Set<TablePermission> permissions, TableName table, byte[] family, byte[] qualifier, Permission.Action action)`
`boolean`	`authorizeUserFamily(User user, TableName table, byte[] family, Permission.Action action)` Check if user has given action privilige in table:family scope.
`boolean`	`authorizeUserGlobal(User user, Permission.Action action)` Check if user has given action privilige in global scope.
`boolean`	`authorizeUserNamespace(User user, String namespace, Permission.Action action)` Check if user has given action privilige in namespace scope.
`boolean`	`authorizeUserTable(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)` Check if user has given action privilige in table:family:qualifier scope.
`boolean`	`authorizeUserTable(User user, TableName table, byte[] family, Permission.Action action)` Check if user has given action privilige in table:family scope.
`boolean`	`authorizeUserTable(User user, TableName table, Permission.Action action)` Check if user has given action privilige in table scope.
`private void`	`clearCache(AuthManager.PermissionCache cacheToUpdate)`
`long`	`getMTime()` Last modification logical time
`private boolean`	`hasAccessTable(Set<TablePermission> permissions, Permission.Action action)`
`void`	`refreshNamespaceCacheFromWritable(String namespace, byte[] data)` Update acl info for namespace.
`void`	`refreshTableCacheFromWritable(TableName table, byte[] data)` Update acl info for table.
`void`	`removeNamespace(byte[] ns)` Remove given namespace from AuthManager's namespace cache.
`void`	`removeTable(TableName table)` Remove given table from AuthManager's table cache.
`private void`	`updateCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,? extends Permission> newPermissions, AuthManager.PermissionCache cacheToUpdate)`
`private void`	`updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> globalPerms)` Updates the internal global permissions cache.
`private void`	`updateNamespaceCache(String namespace, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> nsPerms)` Updates the internal namespace permissions cache for specified namespace.
`private void`	`updateTableCache(TableName table, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> tablePerms)` Updates the internal table permissions cache for specified table.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NS_NO_PERMISSION

AuthManager.PermissionCache<NamespacePermission> NS_NO_PERMISSION

TBL_NO_PERMISSION

AuthManager.PermissionCache<TablePermission> TBL_NO_PERMISSION

globalCache
```
private Map<String,GlobalPermission> globalCache
```
Cache for global permission excluding superuser and supergroup. Since every user/group can only have one global permission, no need to use PermissionCache.

namespaceCache

private ConcurrentHashMap<String,AuthManager.PermissionCache<NamespacePermission>> namespaceCache

Cache for namespace permission.

tableCache

private ConcurrentHashMap<TableName,AuthManager.PermissionCache<TablePermission>> tableCache

Cache for table permission.

LOG

private static final org.slf4j.Logger LOG

conf

private org.apache.hadoop.conf.Configuration conf

mtime
```
private final AtomicLong mtime
```

Constructor Detail

AuthManager

AuthManager(org.apache.hadoop.conf.Configuration conf)

Method Detail

refreshTableCacheFromWritable

public void refreshTableCacheFromWritable(TableName table,
                                          byte[] data)
                                   throws IOException

Update acl info for table.

Parameters:: table - name of table; data - updated acl data
Throws:: IOException - exception when deserialize data

refreshNamespaceCacheFromWritable

public void refreshNamespaceCacheFromWritable(String namespace,
                                              byte[] data)
                                       throws IOException

Update acl info for namespace.

Parameters:: namespace - namespace; data - updated acl data
Throws:: IOException - exception when deserialize data

updateGlobalCache

private void updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> globalPerms)

Updates the internal global permissions cache.

Parameters:: globalPerms - new global permissions

updateTableCache

private void updateTableCache(TableName table,
                              org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> tablePerms)

Updates the internal table permissions cache for specified table.

Parameters:: table - updated table name; tablePerms - new table permissions

updateNamespaceCache

private void updateNamespaceCache(String namespace,
                                  org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> nsPerms)

Updates the internal namespace permissions cache for specified namespace.

Parameters:: namespace - updated namespace; nsPerms - new namespace permissions

clearCache

private void clearCache(AuthManager.PermissionCache cacheToUpdate)

updateCache

private void updateCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,? extends Permission> newPermissions,
                         AuthManager.PermissionCache cacheToUpdate)

authorizeUserGlobal
```
public boolean authorizeUserGlobal(User user,
                                   Permission.Action action)
```
Check if user has given action privilige in global scope.

Parameters:

user - user name

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

authorizeGlobal

private boolean authorizeGlobal(GlobalPermission permissions,
                                Permission.Action action)

authorizeUserNamespace

public boolean authorizeUserNamespace(User user,
                                      String namespace,
                                      Permission.Action action)

Check if user has given action privilige in namespace scope.

Parameters:: user - user name; namespace - namespace; action - one of action in [Read, Write, Create, Exec, Admin]
Returns:: true if user has, false otherwise

authorizeNamespace

private boolean authorizeNamespace(Set<NamespacePermission> permissions,
                                   String namespace,
                                   Permission.Action action)

accessUserTable
```
public boolean accessUserTable(User user,
                               TableName table,
                               Permission.Action action)
```
Checks if the user has access to the full table or at least a family/qualifier for the specified action.

Parameters:

user - user name

table - table name

action - action in one of [Read, Write, Create, Exec, Admin]

Returns:

true if the user has access to the table, false otherwise

hasAccessTable

private boolean hasAccessTable(Set<TablePermission> permissions,
                               Permission.Action action)

authorizeUserTable

public boolean authorizeUserTable(User user,
                                  TableName table,
                                  Permission.Action action)

Check if user has given action privilige in table scope.

Parameters:: user - user name; table - table name; action - one of action in [Read, Write, Create, Exec, Admin]
Returns:: true if user has, false otherwise

authorizeUserTable

public boolean authorizeUserTable(User user,
                                  TableName table,
                                  byte[] family,
                                  Permission.Action action)

Check if user has given action privilige in table:family scope.

Parameters:: user - user name; table - table name; family - family name; action - one of action in [Read, Write, Create, Exec, Admin]
Returns:: true if user has, false otherwise

authorizeUserTable

public boolean authorizeUserTable(User user,
                                  TableName table,
                                  byte[] family,
                                  byte[] qualifier,
                                  Permission.Action action)

Check if user has given action privilige in table:family:qualifier scope.

Parameters:: user - user name; table - table name; family - family name; qualifier - qualifier name; action - one of action in [Read, Write, Create, Exec, Admin]
Returns:: true if user has, false otherwise

authorizeTable

private boolean authorizeTable(Set<TablePermission> permissions,
                               TableName table,
                               byte[] family,
                               byte[] qualifier,
                               Permission.Action action)

authorizeUserFamily

public boolean authorizeUserFamily(User user,
                                   TableName table,
                                   byte[] family,
                                   Permission.Action action)

Check if user has given action privilige in table:family scope. This method is for backward compatibility.

Parameters:: user - user name; table - table name; family - family names; action - one of action in [Read, Write, Create, Exec, Admin]
Returns:: true if user has, false otherwise

authorizeFamily

private boolean authorizeFamily(Set<TablePermission> permissions,
                                TableName table,
                                byte[] family,
                                Permission.Action action)

authorizeCell

public boolean authorizeCell(User user,
                             TableName table,
                             Cell cell,
                             Permission.Action action)

Check if user has given action privilige in cell scope.

Parameters:: user - user name; table - table name; cell - cell to be checked; action - one of action in [Read, Write, Create, Exec, Admin]
Returns:: true if user has, false otherwise

removeNamespace
```
public void removeNamespace(byte[] ns)
```
Remove given namespace from AuthManager's namespace cache.

Parameters:

ns - namespace

removeTable
```
public void removeTable(TableName table)
```
Remove given table from AuthManager's table cache.

Parameters:

table - table name

getMTime
```
public long getMTime()
```
Last modification logical time

Returns:

time

Class AuthManager

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

NS_NO_PERMISSION

TBL_NO_PERMISSION

globalCache

namespaceCache

tableCache

LOG

conf

mtime

Constructor Detail

AuthManager

Method Detail

refreshTableCacheFromWritable

refreshNamespaceCacheFromWritable

updateGlobalCache

updateTableCache

updateNamespaceCache

clearCache

updateCache

authorizeUserGlobal

authorizeGlobal

authorizeUserNamespace

authorizeNamespace

accessUserTable

hasAccessTable

authorizeUserTable

authorizeUserTable

authorizeUserTable

authorizeTable

authorizeUserFamily

authorizeFamily

authorizeCell

removeNamespace

removeTable

getMTime