Class PermissionStorage
java.lang.Object
org.apache.hadoop.hbase.security.access.PermissionStorage
Maintains lists of permission grants to users and groups to allow for authorization checks by AccessController.

Access control lists are stored in an "internal" metadata table named _acl_. Each table's permission grants are stored as a separate row, keyed by the table name. KeyValues for permissions assignments are stored in one of the formats:

  Key                      Desc
  --------                 --------
  user                     table level permissions for a user [R=read, W=write]
  group                    table level permissions for a group
  user,family              column family level permissions for a user
  group,family             column family level permissions for a group
  user,family,qualifier    column qualifier level permissions for a user
  group,family,qualifier   column qualifier level permissions for a group
All values are encoded as byte arrays containing the codes from the org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
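The row and key layout just described, as an added example that is not part of HBase or of this Javadoc: a decoder for one _acl_ KeyValue (qualifier "principal[,family[,qualifier]]", value = action codes) and a scope-aware authorization check run over constructed sample cells. The '@' group prefix and the action codes other than R and W are assumptions not stated on this page; the sample cells are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# On the page: grants sit in the "l" family of the _acl_ row keyed by table name,
# key parts are joined by ',' and values hold action codes (R=read, W=write).
# Assumed, not on the page: groups carry a leading '@'; X, C, A are the other codes.
KEY_DELIMITER, GROUP_PREFIX = ",", "@"
ACTION_CODES = {"R": "READ", "W": "WRITE", "X": "EXEC", "C": "CREATE", "A": "ADMIN"}

@dataclass(frozen=True)
class Grant:
    principal: str            # user or group name (group prefix stripped)
    is_group: bool
    family: Optional[str]     # None: table-level grant
    qualifier: Optional[str]  # None: table- or family-level grant
    actions: frozenset

def parse_acl_cell(qualifier: bytes, value: bytes) -> Grant:
    """Decode one _acl_ KeyValue from the "l" family: 'principal[,family[,qualifier]]' -> codes."""
    parts = qualifier.decode("utf-8").split(KEY_DELIMITER, 2)
    if not parts[0]:
        raise ValueError("empty principal in ACL key")
    is_group = parts[0].startswith(GROUP_PREFIX)
    principal = parts[0][len(GROUP_PREFIX):] if is_group else parts[0]
    actions = set()
    for code in value.decode("ascii"):
        if code not in ACTION_CODES:  # fail closed on a code we cannot interpret
            raise ValueError(f"unknown action code {code!r}")
        actions.add(ACTION_CODES[code])
    return Grant(principal, is_group, parts[1] if len(parts) > 1 else None,
                 parts[2] if len(parts) > 2 else None, frozenset(actions))

def is_authorized(grants: list[Grant], user: str, groups: set[str],
                  family: str, qualifier: str, action: str) -> bool:
    """True if a grant names the user (or one of their groups) and its scope covers the cell."""
    for g in grants:
        principal_ok = g.principal in groups if g.is_group else g.principal == user
        scope_ok = g.family is None or (
            g.family == family and (g.qualifier is None or g.qualifier == qualifier))
        if principal_ok and scope_ok and action in g.actions:
            return True
    return False

# Constructed sample cells (qualifier, value) from the _acl_ row of table "data".
SAMPLE_CELLS = [
    (b"alice", b"RW"),          # table level: alice reads and writes all of "data"
    (b"@analysts,info", b"R"),  # family level: group analysts reads family "info"
    (b"bob,info,colA", b"R"),   # qualifier level: bob reads only info:colA
]
```

A grant is an exact scope, not a pattern: bob's info:colA grant says nothing about info:colB, which is also why removeUserPermission below requires an exact match to revoke.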
Field Summary
  static final byte[] ACL_GLOBAL_NAME
  static final char ACL_KEY_DELIMITER
      Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys
  static final byte[] ACL_LIST_FAMILY
  static final String ACL_LIST_FAMILY_STR
      Column family used to store ACL grants
  static final TableName ACL_TABLE_NAME
      Internal storage table for access control lists
  static final byte ACL_TAG_TYPE
      KV tag to store per cell access control lists
  private static final int LIST_CODE
  private static final org.slf4j.Logger LOG
  static final char NAMESPACE_PREFIX
  private static final int WRITABLE_CODE
  private static final int WRITABLE_NOT_ENCODED
Constructor Summary
  private PermissionStorage()
Method Summary
  (package private) static void addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t)
  static void addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t, boolean mergeExistingPermissions)
      Stores a new user permission grant in the access control lists table.
  static byte[] fromNamespaceEntry(byte[] namespace)
  static String fromNamespaceEntry(String namespace)
  static List<Permission> getCellPermissionsForUser(User user, Cell cell)
  static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getGlobalPermissions(org.apache.hadoop.conf.Configuration conf)
  static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace)
  (package private) static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser)
      Reads user permission assignments stored in the l: column family of the first table row in _acl_.
  static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName)
  static List<UserPermission> getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, String user, boolean hasFilterUser)
      Returns the currently granted permissions for a given namespace as the specified user plus associated permissions.
  static List<UserPermission> getUserPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, byte[] cf, byte[] cq, String user, boolean hasFilterUser)
      Returns the currently granted permissions for a given table/namespace with associated permissions based on the specified column family, column qualifier and user name.
  static List<UserPermission> getUserTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] cf, byte[] cq, String userName, boolean hasFilterUser)
      Returns the currently granted permissions for a given table as the specified user plus associated permissions.
  (package private) static boolean isAclRegion(Region region)
      Returns true if the given region is part of the _acl_ metadata table.
  (package private) static boolean isAclTable(TableDescriptor desc)
      Returns true if the given table is the _acl_ metadata table.
  static boolean isGlobalEntry(byte[] entryName)
  static boolean isNamespaceEntry(byte[] entryName)
  static boolean isNamespaceEntry(String entryName)
  static boolean isTableEntry(byte[] entryName)
  (package private) static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>> loadAll(org.apache.hadoop.conf.Configuration conf)
      Load all permissions from the region server holding _acl_, primarily intended for testing purposes.
  (package private) static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>> loadAll(Region aclRegion)
      Loads all of the permission grants stored in a region of the _acl_ table.
  private static Pair<String,Permission> parsePermissionRecord(byte[] entryName, Cell kv, byte[] cf, byte[] cq, boolean filterPerms, String filterUser)
  private static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> parsePermissions(byte[] entryName, Result result, byte[] cf, byte[] cq, String user, boolean hasFilterUser)
      Parse and filter permission based on the specified column family, column qualifier and user name.
  static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> readPermissions(byte[] data, org.apache.hadoop.conf.Configuration conf)
  static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> readUserPermission(byte[] data, org.apache.hadoop.conf.Configuration conf)
  private static List<Permission> readWritableUserPermission(DataInput in, org.apache.hadoop.conf.Configuration conf)
  (package private) static void removeNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, Table t)
      Remove specified namespace from the acl table.
  private static void removePermissionRecord(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t)
  (package private) static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] column, Table t)
      Remove specified table column from the acl table.
  (package private) static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, Table t)
      Remove specified table from the _acl_ table.
  private static void removeTablePermissions(TableName tableName, byte[] column, Table table, boolean closeTable)
  static void removeUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t)
      Removes a previously granted permission from the stored access control lists.
  static byte[] toNamespaceEntry(byte[] namespace)
  static String toNamespaceEntry(String namespace)
  (package private) static byte[] userPermissionKey(UserPermission permission)
      Build qualifier key from user permission: username | username,family | username,family,qualifier
  (package private) static byte[] userPermissionRowKey(Permission permission)
  private static boolean validateCFAndCQ(byte[] permFamily, byte[] cf, byte[] permQualifier, byte[] cq)
  private static boolean validateFilterUser(String username, String filterUser, List<String> filterUserGroups)
  static byte[] writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> perms, org.apache.hadoop.conf.Configuration conf)
      Writes a set of permissions as Writable instances and returns the resulting byte array.
Field Details
  ACL_TABLE_NAME
    static final TableName ACL_TABLE_NAME
    Internal storage table for access control lists
  ACL_GLOBAL_NAME
    static final byte[] ACL_GLOBAL_NAME
  ACL_LIST_FAMILY_STR
    static final String ACL_LIST_FAMILY_STR
    Column family used to store ACL grants
  ACL_LIST_FAMILY
    static final byte[] ACL_LIST_FAMILY
  ACL_TAG_TYPE
    static final byte ACL_TAG_TYPE
    KV tag to store per cell access control lists
  NAMESPACE_PREFIX
    static final char NAMESPACE_PREFIX
  ACL_KEY_DELIMITER
    static final char ACL_KEY_DELIMITER
    Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys
  LOG
    private static final org.slf4j.Logger LOG
  LIST_CODE
    private static final int LIST_CODE
  WRITABLE_CODE
    private static final int WRITABLE_CODE
  WRITABLE_NOT_ENCODED
    private static final int WRITABLE_NOT_ENCODED
Constructor Details
  PermissionStorage
    private PermissionStorage()
Method Details
  addUserPermission
    public static void addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t, boolean mergeExistingPermissions) throws IOException
    Stores a new user permission grant in the access control lists table.
    Parameters:
      conf - the configuration
      userPerm - the details of the permission to be granted
      t - acl table instance. It is closed upon method return.
    Throws:
      IOException - in the case of an error accessing the metadata table

  addUserPermission
    static void addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) throws IOException
    Throws:
      IOException
  removeUserPermission
    public static void removeUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) throws IOException
    Removes a previously granted permission from the stored access control lists. The TablePermission being removed must exactly match what is stored -- no wildcard matching is attempted. I.e., if user "bob" has been granted "READ" access to the "data" table, but only to column family plus qualifier "info:colA", then trying to call this method with only user "bob" and the table name "data" (but without specifying the column qualifier "info:colA") will have no effect.
    Parameters:
      conf - the configuration
      userPerm - the details of the permission to be revoked
      t - acl table
    Throws:
      IOException - if there is an error accessing the metadata table

  removePermissionRecord
    private static void removePermissionRecord(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) throws IOException
    Throws:
      IOException

  removeTablePermissions
    static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, Table t) throws IOException
    Remove specified table from the _acl_ table.
    Throws:
      IOException

  removeNamespacePermissions
    static void removeNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, Table t) throws IOException
    Remove specified namespace from the acl table.
    Throws:
      IOException

  removeTablePermissions
    private static void removeTablePermissions(TableName tableName, byte[] column, Table table, boolean closeTable) throws IOException
    Throws:
      IOException

  removeTablePermissions
    static void removeTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] column, Table t) throws IOException
    Remove specified table column from the acl table.
    Throws:
      IOException
  userPermissionRowKey
    static byte[] userPermissionRowKey(Permission permission)

  userPermissionKey
    static byte[] userPermissionKey(UserPermission permission)
    Build qualifier key from user permission: username | username,family | username,family,qualifier

  isAclRegion
    static boolean isAclRegion(Region region)
    Returns true if the given region is part of the _acl_ metadata table.

  isAclTable
    static boolean isAclTable(TableDescriptor desc)
    Returns true if the given table is the _acl_ metadata table.

  loadAll
    static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>> loadAll(Region aclRegion) throws IOException
    Loads all of the permission grants stored in a region of the _acl_ table.
    Parameters:
      aclRegion - the acl region
    Returns:
      a map of the permissions for this table.
    Throws:
      IOException - if an error occurs

  loadAll
    static Map<byte[],org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>> loadAll(org.apache.hadoop.conf.Configuration conf) throws IOException
    Load all permissions from the region server holding _acl_, primarily intended for testing purposes.
    Throws:
      IOException
  getTablePermissions
    public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName) throws IOException
    Throws:
      IOException

  getNamespacePermissions
    public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace) throws IOException
    Throws:
      IOException

  getGlobalPermissions
    public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getGlobalPermissions(org.apache.hadoop.conf.Configuration conf) throws IOException
    Throws:
      IOException

  getPermissions
    static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException
    Reads user permission assignments stored in the l: column family of the first table row in _acl_. See the class documentation for the key structure used for storage.
    Throws:
      IOException

  getUserTablePermissions
    public static List<UserPermission> getUserTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] cf, byte[] cq, String userName, boolean hasFilterUser) throws IOException
    Returns the currently granted permissions for a given table as the specified user plus associated permissions.
    Throws:
      IOException

  getUserNamespacePermissions
    public static List<UserPermission> getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, String user, boolean hasFilterUser) throws IOException
    Returns the currently granted permissions for a given namespace as the specified user plus associated permissions.
    Throws:
      IOException

  getUserPermissions
    public static List<UserPermission> getUserPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException
    Returns the currently granted permissions for a given table/namespace with associated permissions based on the specified column family, column qualifier and user name.
    Parameters:
      conf - the configuration
      entryName - Table name or the namespace
      cf - Column family
      cq - Column qualifier
      user - User name to be filtered from permission as requested
      hasFilterUser - true if filter user is provided, otherwise false.
    Returns:
      List of UserPermissions
    Throws:
      IOException - on failure
  parsePermissions
    private static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> parsePermissions(byte[] entryName, Result result, byte[] cf, byte[] cq, String user, boolean hasFilterUser)
    Parse and filter permission based on the specified column family, column qualifier and user name.

  parsePermissionRecord
    private static Pair<String,Permission> parsePermissionRecord(byte[] entryName, Cell kv, byte[] cf, byte[] cq, boolean filterPerms, String filterUser)

  validateFilterUser
    private static boolean validateFilterUser(String username, String filterUser, List<String> filterUserGroups)

  validateCFAndCQ
    private static boolean validateCFAndCQ(byte[] permFamily, byte[] cf, byte[] permQualifier, byte[] cq)

  writePermissionsAsBytes
    public static byte[] writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> perms, org.apache.hadoop.conf.Configuration conf)
    Writes a set of permissions as Writable instances and returns the resulting byte array. Writes a set of permission [user: table permission].

  readWritableUserPermission
    private static List<Permission> readWritableUserPermission(DataInput in, org.apache.hadoop.conf.Configuration conf) throws IOException, ClassNotFoundException
    Throws:
      IOException
      ClassNotFoundException

  readUserPermission
    public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> readUserPermission(byte[] data, org.apache.hadoop.conf.Configuration conf) throws DeserializationException
    Throws:
      DeserializationException

  readPermissions
    public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> readPermissions(byte[] data, org.apache.hadoop.conf.Configuration conf) throws DeserializationException
    Throws:
      DeserializationException
  isGlobalEntry
    public static boolean isGlobalEntry(byte[] entryName)

  isNamespaceEntry
    public static boolean isNamespaceEntry(byte[] entryName)

  isNamespaceEntry
    public static boolean isNamespaceEntry(String entryName)

  isTableEntry
    public static boolean isTableEntry(byte[] entryName)

  toNamespaceEntry
    public static byte[] toNamespaceEntry(byte[] namespace)

  fromNamespaceEntry
    public static byte[] fromNamespaceEntry(byte[] namespace)

  toNamespaceEntry
    public static String toNamespaceEntry(String namespace)

  fromNamespaceEntry
    public static String fromNamespaceEntry(String namespace)

  getCellPermissionsForUser
    public static List<Permission> getCellPermissionsForUser(User user, Cell cell) throws IOException
    Throws:
      IOException