Class AuthManager
java.lang.Object
org.apache.hadoop.hbase.security.access.AuthManager
Performs authorization checks for a given user's assigned permissions.
Permissions exist at the following scopes: Global, Namespace, Table, Family, Qualifier and Cell. Generally speaking, a permission at a higher scope overrides the lower scopes. The exception is Cell scope: a Cell permission can be granted even when the user has no permission on the containing table, in which case the user can get/scan only the granted cells.
For example, if user A has the global permission R(ead), A can read table T without the table-scope permission being checked, so authorization checks always start from the Global scope. At each scope, not only the user but also the groups the user belongs to are checked.
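As an added illustration of the scope order described above (this is not HBase code; the principals, grants and namespace/table names are constructed for the example), a minimal model of how a table-scope check walks Global, then Namespace, then Table scope for the user and for each of the user's groups:

```java
import java.util.*;

/** Added example, not HBase code: models the scope precedence AuthManager describes. */
public class ScopeCheckDemo {
    enum Action { READ, WRITE, CREATE, EXEC, ADMIN }

    /** Grants held by one principal (a user or a group), keyed per scope. */
    static final class Grants {
        final Set<Action> global = EnumSet.noneOf(Action.class);
        final Map<String, Set<Action>> namespace = new HashMap<>();   // ns -> actions
        final Map<String, Set<Action>> table = new HashMap<>();       // "ns:table" -> actions
    }

    final Map<String, Grants> grantsByPrincipal = new HashMap<>();   // constructed ACL state
    final Map<String, List<String>> groupsOfUser = new HashMap<>();  // constructed group membership

    Grants grants(String principal) {
        return grantsByPrincipal.computeIfAbsent(principal, p -> new Grants());
    }

    /** Table-scope check: Global first, then Namespace, then Table; user first, then groups. */
    boolean authorizeUserTable(String user, String ns, String table, Action action) {
        List<String> principals = new ArrayList<>();
        principals.add(user);
        principals.addAll(groupsOfUser.getOrDefault(user, List.of()));
        for (String p : principals) {                 // Global scope overrides everything below it
            if (grants(p).global.contains(action)) return true;
        }
        for (String p : principals) {                 // Namespace scope overrides Table scope
            if (grants(p).namespace.getOrDefault(ns, Set.of()).contains(action)) return true;
        }
        for (String p : principals) {                 // finally the table itself
            if (grants(p).table.getOrDefault(ns + ":" + table, Set.of()).contains(action)) return true;
        }
        return false;                                 // no grant at any scope (Cell scope not modelled)
    }

    public static void main(String[] args) {
        ScopeCheckDemo d = new ScopeCheckDemo();
        d.grants("alice").global.add(Action.READ);                            // global R, like "user A"
        d.grants("analysts").namespace.put("sales", EnumSet.of(Action.READ)); // group-level namespace grant
        d.groupsOfUser.put("bob", List.of("analysts"));
        d.grants("carol").table.put("sales:orders", EnumSet.of(Action.WRITE)); // table-level W only
        System.out.println(d.authorizeUserTable("alice", "hr", "salaries", Action.READ)); // resolved at Global scope
        System.out.println(d.authorizeUserTable("bob", "sales", "orders", Action.READ));  // resolved via group at Namespace scope
        System.out.println(d.authorizeUserTable("bob", "hr", "salaries", Action.READ));   // no grant at any scope
        System.out.println(d.authorizeUserTable("carol", "sales", "orders", Action.READ)); // W grant does not imply R
    }
}
```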
Nested Class Summary
private static class AuthManager.PermissionCache<T extends Permission>
    Cache of permissions, it is thread safe.
Field Summary
private org.apache.hadoop.conf.Configuration conf
private Map<String, GlobalPermission> globalCache
    Cache for global permission excluding superuser and supergroup.
private static final org.slf4j.Logger LOG
private final AtomicLong mtime
(package private) AuthManager.PermissionCache<NamespacePermission> namespaceCache
    Cache for namespace permission.
(package private) AuthManager.PermissionCache<TablePermission> tableCache
    Cache for table permission.
Constructor Summary
AuthManager(org.apache.hadoop.conf.Configuration conf)
Method Summary
boolean accessUserTable(User user, TableName table, Permission.Action action)
    Checks if the user has access to the full table or at least a family/qualifier for the specified action.
boolean authorizeCell(User user, TableName table, Cell cell, Permission.Action action)
    Check if the user has the given action privilege in cell scope.
private boolean authorizeFamily(Set<TablePermission> permissions, TableName table, byte[] family, Permission.Action action)
private boolean authorizeGlobal(GlobalPermission permissions, Permission.Action action)
private boolean authorizeNamespace(Set<NamespacePermission> permissions, String namespace, Permission.Action action)
private boolean authorizeTable(Set<TablePermission> permissions, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
boolean authorizeUserFamily(User user, TableName table, byte[] family, Permission.Action action)
    Check if the user has the given action privilege in table:family scope.
boolean authorizeUserGlobal(User user, Permission.Action action)
    Check if the user has the given action privilege in global scope.
boolean authorizeUserNamespace(User user, String namespace, Permission.Action action)
    Check if the user has the given action privilege in namespace scope.
boolean authorizeUserTable(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
    Check if the user has the given action privilege in table:family:qualifier scope.
boolean authorizeUserTable(User user, TableName table, byte[] family, Permission.Action action)
    Check if the user has the given action privilege in table:family scope.
boolean authorizeUserTable(User user, TableName table, Permission.Action action)
    Check if the user has the given action privilege in table scope.
private void clearCache(AuthManager.PermissionCache cacheToUpdate)
long getMTime()
    Last modification logical time
private boolean hasAccessTable(Set<TablePermission> permissions, Permission.Action action)
void refreshNamespaceCacheFromWritable(String namespace, byte[] data)
    Update acl info for namespace.
void refreshTableCacheFromWritable(TableName table, byte[] data)
    Update acl info for table.
void removeNamespace(byte[] ns)
    Remove given namespace from AuthManager's namespace cache.
void removeTable(TableName table)
    Remove given table from AuthManager's table cache.
private void updateCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, ? extends Permission> newPermissions, AuthManager.PermissionCache cacheToUpdate)
private void updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, Permission> globalPerms)
    Updates the internal global permissions cache.
private void updateNamespaceCache(String namespace, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, Permission> nsPerms)
    Updates the internal namespace permissions cache for the specified namespace.
private void updateTableCache(TableName table, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, Permission> tablePerms)
    Updates the internal table permissions cache for the specified table.
Field Details
NS_NO_PERMISSION
TBL_NO_PERMISSION
globalCache
    Cache for global permission excluding superuser and supergroup. Since every user/group can only have one global permission, there is no need to use PermissionCache.
namespaceCache
    Cache for namespace permission.
tableCache
    Cache for table permission.
LOG
conf
mtime
Constructor Details
AuthManager
AuthManager(org.apache.hadoop.conf.Configuration conf)
Method Details
refreshTableCacheFromWritable
Update acl info for table.
Parameters:
    table - name of table
    data - updated acl data
Throws:
    IOException - exception when deserializing data

refreshNamespaceCacheFromWritable
Update acl info for namespace.
Parameters:
    namespace - namespace
    data - updated acl data
Throws:
    IOException - exception when deserializing data
updateGlobalCache
private void updateGlobalCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, Permission> globalPerms)
Updates the internal global permissions cache.
Parameters:
    globalPerms - new global permissions

updateTableCache
private void updateTableCache(TableName table, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, Permission> tablePerms)
Updates the internal table permissions cache for the specified table.
Parameters:
    table - updated table name
    tablePerms - new table permissions

updateNamespaceCache
private void updateNamespaceCache(String namespace, org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, Permission> nsPerms)
Updates the internal namespace permissions cache for the specified namespace.
Parameters:
    namespace - updated namespace
    nsPerms - new namespace permissions

clearCache

updateCache
private void updateCache(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String, ? extends Permission> newPermissions, AuthManager.PermissionCache cacheToUpdate)
authorizeUserGlobal
Check if the user has the given action privilege in global scope.
Parameters:
    user - user name
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has the privilege, false otherwise

authorizeGlobal

authorizeUserNamespace
Check if the user has the given action privilege in namespace scope.
Parameters:
    user - user name
    namespace - namespace
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has the privilege, false otherwise

authorizeNamespace
private boolean authorizeNamespace(Set<NamespacePermission> permissions, String namespace, Permission.Action action)
accessUserTable
Checks if the user has access to the full table or at least a family/qualifier for the specified action.
Parameters:
    user - user name
    table - table name
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has access to the table, false otherwise

hasAccessTable
authorizeUserTable
Check if the user has the given action privilege in table scope.
Parameters:
    user - user name
    table - table name
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has the privilege, false otherwise

authorizeUserTable
public boolean authorizeUserTable(User user, TableName table, byte[] family, Permission.Action action)
Check if the user has the given action privilege in table:family scope.
Parameters:
    user - user name
    table - table name
    family - family name
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has the privilege, false otherwise

authorizeUserTable
public boolean authorizeUserTable(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
Check if the user has the given action privilege in table:family:qualifier scope.
Parameters:
    user - user name
    table - table name
    family - family name
    qualifier - qualifier name
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has the privilege, false otherwise

authorizeTable
private boolean authorizeTable(Set<TablePermission> permissions, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
authorizeUserFamily
public boolean authorizeUserFamily(User user, TableName table, byte[] family, Permission.Action action)
Check if the user has the given action privilege in table:family scope. This method is for backward compatibility.
Parameters:
    user - user name
    table - table name
    family - family name
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has the privilege, false otherwise

authorizeFamily
private boolean authorizeFamily(Set<TablePermission> permissions, TableName table, byte[] family, Permission.Action action)
authorizeCell
Check if the user has the given action privilege in cell scope.
Parameters:
    user - user name
    table - table name
    cell - cell to be checked
    action - one of the actions in [Read, Write, Create, Exec, Admin]
Returns:
    true if the user has the privilege, false otherwise
removeNamespace
Remove given namespace from AuthManager's namespace cache.
Parameters:
    ns - namespace

removeTable
Remove given table from AuthManager's table cache.
Parameters:
    table - table name

getMTime
Last modification logical time