org.apache.hadoop.hbase.security.access

Class AuthManager

java.lang.Object

org.apache.hadoop.hbase.security.access.AuthManager

@InterfaceAudience.Private
public final class AuthManager
extends Object

Performs authorization checks for a given user's assigned permissions.

There're following scopes: Global, Namespace, Table, Family, Qualifier, Cell. Generally speaking, higher scopes can overrides lower scopes, except for Cell permission can be granted even a user has not permission on specified table, which means the user can get/scan only those granted cells parts.

e.g, if user A has global permission R(ead), he can read table T without checking table scope permission, so authorization checks alway starts from Global scope.

For each scope, not only user but also groups he belongs to will be checked.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private static class	AuthManager.PermissionCache<T extends Permission> Cache of permissions, it is thread safe.

Field Summary

Fields

Modifier and Type	Field and Description
private org.apache.hadoop.conf.Configuration	conf
private Map<String,GlobalPermission>	globalCache Cache for global permission excluding superuser and supergroup.
private static org.slf4j.Logger	LOG
private AtomicLong	mtime
private ConcurrentHashMap<String,AuthManager.PermissionCache<NamespacePermission>>	namespaceCache Cache for namespace permission.
(package private) AuthManager.PermissionCache<NamespacePermission>	NS_NO_PERMISSION
private ConcurrentHashMap<TableName,AuthManager.PermissionCache<TablePermission>>	tableCache Cache for table permission.
(package private) AuthManager.PermissionCache<TablePermission>	TBL_NO_PERMISSION

Constructor Summary

Constructors

Constructor and Description
AuthManager(org.apache.hadoop.conf.Configuration conf)

Method Summary

Modifier and Type	Method and Description
boolean	accessUserTable(User user, TableName table, Permission.Action action) Checks if the user has access to the full table or at least a family/qualifier for the specified action.
boolean	authorizeCell(User user, TableName table, Cell cell, Permission.Action action) Check if user has given action privilige in cell scope.
private boolean	authorizeFamily(Set<TablePermission> permissions, TableName table, byte[] family, Permission.Action action)
private boolean	authorizeGlobal(GlobalPermission permissions, Permission.Action action)
private boolean	authorizeNamespace(Set<NamespacePermission> permissions, String namespace, Permission.Action action)
private boolean	authorizeTable(Set<TablePermission> permissions, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
boolean	authorizeUserFamily(User user, TableName table, byte[] family, Permission.Action action) Check if user has given action privilige in table:family scope.
boolean	authorizeUserGlobal(User user, Permission.Action action) Check if user has given action privilige in global scope.
boolean	authorizeUserNamespace(User user, String namespace, Permission.Action action) Check if user has given action privilige in namespace scope.
boolean	authorizeUserTable(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action) Check if user has given action privilige in table:family:qualifier scope.
boolean	authorizeUserTable(User user, TableName table, byte[] family, Permission.Action action) Check if user has given action privilige in table:family scope.
boolean	authorizeUserTable(User user, TableName table, Permission.Action action) Check if user has given action privilige in table scope.
private void	clearCache(AuthManager.PermissionCache cacheToUpdate)
long	getMTime() Last modification logical time n
private boolean	hasAccessTable(Set<TablePermission> permissions, Permission.Action action)
void	refreshNamespaceCacheFromWritable(String namespace, byte[] data) Update acl info for namespace.
void	refreshTableCacheFromWritable(TableName table, byte[] data) Update acl info for table.
void	removeNamespace(byte[] ns) Remove given namespace from AuthManager's namespace cache.
void	removeTable(TableName table) Remove given table from AuthManager's table cache.
private void	updateCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,? extends Permission> newPermissions, AuthManager.PermissionCache cacheToUpdate)
private void	updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> globalPerms) Updates the internal global permissions cache.
private void	updateNamespaceCache(String namespace, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> nsPerms) Updates the internal namespace permissions cache for specified namespace.
private void	updateTableCache(TableName table, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> tablePerms) Updates the internal table permissions cache for specified table.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NS_NO_PERMISSION

AuthManager.PermissionCache<NamespacePermission> NS_NO_PERMISSION

TBL_NO_PERMISSION

AuthManager.PermissionCache<TablePermission> TBL_NO_PERMISSION

globalCache

private Map<String,GlobalPermission> globalCache

Cache for global permission excluding superuser and supergroup. Since every user/group can only have one global permission, no need to use PermissionCache.

namespaceCache

private ConcurrentHashMap<String,AuthManager.PermissionCache<NamespacePermission>> namespaceCache

Cache for namespace permission.

tableCache

private ConcurrentHashMap<TableName,AuthManager.PermissionCache<TablePermission>> tableCache

Cache for table permission.

LOG

private static final org.slf4j.Logger LOG

conf

private org.apache.hadoop.conf.Configuration conf

mtime

private final AtomicLong mtime

Constructor Detail

AuthManager

AuthManager(org.apache.hadoop.conf.Configuration conf)

Method Detail

refreshTableCacheFromWritable

public void refreshTableCacheFromWritable(TableName table,
                                          byte[] data)
                                   throws IOException

Update acl info for table.

Parameters:

table - name of table

data - updated acl data

Throws:

IOException - exception when deserialize data

refreshNamespaceCacheFromWritable

public void refreshNamespaceCacheFromWritable(String namespace,
                                              byte[] data)
                                       throws IOException

Update acl info for namespace.

Parameters:

namespace - namespace

data - updated acl data

Throws:

IOException - exception when deserialize data

updateGlobalCache

private void updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> globalPerms)

Updates the internal global permissions cache.

Parameters:

globalPerms - new global permissions

updateTableCache

private void updateTableCache(TableName table,
                              org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> tablePerms)

Updates the internal table permissions cache for specified table.

Parameters:

table - updated table name

tablePerms - new table permissions

updateNamespaceCache

private void updateNamespaceCache(String namespace,
                                  org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> nsPerms)

Updates the internal namespace permissions cache for specified namespace.

Parameters:

namespace - updated namespace

nsPerms - new namespace permissions

clearCache

private void clearCache(AuthManager.PermissionCache cacheToUpdate)

updateCache

private void updateCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,? extends Permission> newPermissions,
                         AuthManager.PermissionCache cacheToUpdate)

authorizeUserGlobal

public boolean authorizeUserGlobal(User user,
                                   Permission.Action action)

Check if user has given action privilige in global scope.

Parameters:

user - user name

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

authorizeGlobal

private boolean authorizeGlobal(GlobalPermission permissions,
                                Permission.Action action)

authorizeUserNamespace

public boolean authorizeUserNamespace(User user,
                                      String namespace,
                                      Permission.Action action)

Check if user has given action privilige in namespace scope.

Parameters:

user - user name

namespace - namespace

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

authorizeNamespace

private boolean authorizeNamespace(Set<NamespacePermission> permissions,
                                   String namespace,
                                   Permission.Action action)

accessUserTable

public boolean accessUserTable(User user,
                               TableName table,
                               Permission.Action action)

Checks if the user has access to the full table or at least a family/qualifier for the specified action.

Parameters:

user - user name

table - table name

action - action in one of [Read, Write, Create, Exec, Admin]

Returns:

true if the user has access to the table, false otherwise

hasAccessTable

private boolean hasAccessTable(Set<TablePermission> permissions,
                               Permission.Action action)

authorizeUserTable

public boolean authorizeUserTable(User user,
                                  TableName table,
                                  Permission.Action action)

Check if user has given action privilige in table scope.

Parameters:

user - user name

table - table name

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

authorizeUserTable

public boolean authorizeUserTable(User user,
                                  TableName table,
                                  byte[] family,
                                  Permission.Action action)

Check if user has given action privilige in table:family scope.

Parameters:

user - user name

table - table name

family - family name

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

authorizeUserTable

public boolean authorizeUserTable(User user,
                                  TableName table,
                                  byte[] family,
                                  byte[] qualifier,
                                  Permission.Action action)

Check if user has given action privilige in table:family:qualifier scope.

Parameters:

user - user name

table - table name

family - family name

qualifier - qualifier name

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

authorizeTable

private boolean authorizeTable(Set<TablePermission> permissions,
                               TableName table,
                               byte[] family,
                               byte[] qualifier,
                               Permission.Action action)

authorizeUserFamily

public boolean authorizeUserFamily(User user,
                                   TableName table,
                                   byte[] family,
                                   Permission.Action action)

Check if user has given action privilige in table:family scope. This method is for backward compatibility.

Parameters:

user - user name

table - table name

family - family names

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

authorizeFamily

private boolean authorizeFamily(Set<TablePermission> permissions,
                                TableName table,
                                byte[] family,
                                Permission.Action action)

authorizeCell

public boolean authorizeCell(User user,
                             TableName table,
                             Cell cell,
                             Permission.Action action)

Check if user has given action privilige in cell scope.

Parameters:

user - user name

table - table name

cell - cell to be checked

action - one of action in [Read, Write, Create, Exec, Admin]

Returns:

true if user has, false otherwise

removeNamespace

public void removeNamespace(byte[] ns)

Remove given namespace from AuthManager's namespace cache.

Parameters:

ns - namespace

removeTable

public void removeTable(TableName table)

Remove given table from AuthManager's table cache.

Parameters:

table - table name

getMTime

public long getMTime()

Last modification logical time n