Class AccessChecker

java.lang.Object
org.apache.hadoop.hbase.security.access.AccessChecker
Direct Known Subclasses:
NoopAccessChecker

@LimitedPrivate("Coprocesssor") @Evolving public class AccessChecker extends Object
  • Field Details

    • LOG

      private static final org.slf4j.Logger LOG
    • AUDITLOG

      private static final org.slf4j.Logger AUDITLOG
    • authManager

      private final AuthManager authManager
    • groupService

      private static org.apache.hadoop.security.Groups groupService
      Group service to retrieve the user group information
  • Constructor Details

    • AccessChecker

      public AccessChecker(org.apache.hadoop.conf.Configuration conf)
      Constructor with existing configuration
      Parameters:
      conf - Existing configuration to use
  • Method Details

    • isAuthorizationSupported

      public static boolean isAuthorizationSupported(org.apache.hadoop.conf.Configuration conf)
    • getAuthManager

    • requireAccess

      public void requireAccess(User user, String request, TableName tableName, Permission.Action... permissions) throws IOException
      Authorizes that the current user has any of the given permissions to access the table.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type.
      tableName - Table requested
      permissions - Actions being requested
      Throws:
      IOException - if obtaining the current user fails
      AccessDeniedException - if user has no authorization
    • requirePermission

      public void requirePermission(User user, String request, String filterUser, Permission.Action perm) throws IOException
      Authorizes that the current user has global privileges for the given action.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      filterUser - User name to be filtered from permission as requested
      perm - The action being requested
      Throws:
      IOException - if obtaining the current user fails
      AccessDeniedException - if authorization is denied
    • requireGlobalPermission

      public void requireGlobalPermission(User user, String request, Permission.Action perm, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, String filterUser) throws IOException
      Checks that the user has the given global permission. The generated audit log message will contain context information for the operation being authorized, based on the given parameters.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      perm - Action being requested
      tableName - Affected table name.
      familyMap - Affected column families.
      filterUser - User name to be filtered from permission as requested
      Throws:
      IOException
    • requireGlobalPermission

      public void requireGlobalPermission(User user, String request, Permission.Action perm, String namespace) throws IOException
      Checks that the user has the given global permission. The generated audit log message will contain context information for the operation being authorized, based on the given parameters.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      perm - Action being requested
      namespace - The given namespace
      Throws:
      IOException
    • requireNamespacePermission

      public void requireNamespacePermission(User user, String request, String namespace, String filterUser, Permission.Action... permissions) throws IOException
      Checks that the user has the given global or namespace permission.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      namespace - Name space as requested
      filterUser - User name to be filtered from permission as requested
      permissions - Actions being requested
      Throws:
      IOException
    • requireNamespacePermission

      public void requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[],? extends Collection<byte[]>> familyMap, Permission.Action... permissions) throws IOException
      Checks that the user has the given global or namespace permission.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      namespace - The given namespace
      tableName - Table requested
      familyMap - Column family map requested
      permissions - Actions being requested
      Throws:
      IOException
    • requirePermission

      public void requirePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, String filterUser, Permission.Action... permissions) throws IOException
      Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      tableName - Table requested
      family - Column family requested
      qualifier - Column qualifier requested
      filterUser - User name to be filtered from permission as requested
      permissions - Actions being requested
      Throws:
      IOException - if obtaining the current user fails
      AccessDeniedException - if user has no authorization
    • requireTablePermission

      public void requireTablePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Permission.Action... permissions) throws IOException
      Authorizes that the current user has any of the given permissions for the given table, column family and column qualifier.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      tableName - Table requested
      family - Column family requested
      qualifier - Column qualifier requested
      Throws:
      IOException - if obtaining the current user fails
      AccessDeniedException - if user has no authorization
    • performOnSuperuser

      public void performOnSuperuser(String request, User caller, String userToBeChecked) throws IOException
      Check whether the caller is granting or revoking a superuser's or supergroup's permissions.
      Parameters:
      request - request name
      caller - caller
      userToBeChecked - target user or group
      Throws:
      IOException - AccessDeniedException if the target user or group is a superuser or supergroup
    • checkLockPermissions

      public void checkLockPermissions(User user, String namespace, TableName tableName, RegionInfo[] regionInfos, String reason) throws IOException
      Throws:
      IOException
    • logResult

      public static void logResult(AuthResult result)
    • validateCallerWithFilterUser

      public User validateCallerWithFilterUser(User caller, TablePermission tPerm, String inputUserName) throws IOException
      Throws:
      IOException
    • initGroupService

      private void initGroupService(org.apache.hadoop.conf.Configuration conf)
    • getUserGroups

      public static List<String> getUserGroups(String user)
      Retrieve the groups of the given user.
      Parameters:
      user - User name
    • hasUserPermission

      public boolean hasUserPermission(User user, String request, Permission permission)
      Checks whether the given user has the requested permission.
      Parameters:
      user - Active user to which authorization checks should be applied
      request - Request type
      permission - Permission being requested
      Returns:
      True if the user has the specific permission
    • permissionGranted

      private AuthResult permissionGranted(String request, User user, Permission.Action permRequest, TableName tableName, byte[] family, byte[] qualifier)
    • permissionGranted

      public AuthResult permissionGranted(String request, User user, Permission.Action permRequest, TableName tableName, Map<byte[],? extends Collection<?>> families)
      Check the current user for authorization to perform a specific action against the given set of row data.

      Note: Ordering of the authorization checks has been carefully optimized to short-circuit the most common requests and minimize the amount of processing required.

      Parameters:
      request - User request
      user - Active user to which authorization checks should be applied
      permRequest - the action being requested
      tableName - Table name
      families - the map of column families to qualifiers present in the request
      Returns:
      an authorization result
    • makeFamilyMap

      private Map<byte[],? extends Collection<byte[]>> makeFamilyMap(byte[] family, byte[] qualifier)
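The following is an added illustration, not HBase's own code, of how a caller would use `isAuthorizationSupported`, `permissionGranted`, `logResult` and `requirePermission` from this class to perform a fail-closed, audit-logged read check. Beyond what this page lists, it assumes `AuthResult.isAllowed()` and `getReason()`, `User.getShortName()`, `TableName.valueOf`, `Bytes.toBytes`/`Bytes.BYTES_COMPARATOR`, `AccessDeniedException(String)` and the `hbase.security.authorization` configuration key; the class and method names are hypothetical.

```java
// Added example (not HBase's own code): fail-closed READ check built on AccessChecker.
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessChecker;
import org.apache.hadoop.hbase.security.access.AuthResult;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.util.Bytes;

public final class ReadCheckExample {              // hypothetical class name

  private final AccessChecker checker;

  public ReadCheckExample(Configuration conf) {
    // Fail closed: refuse to start if authorization is disabled instead of
    // silently running with a checker that allows everything.
    if (!AccessChecker.isAuthorizationSupported(conf)) {
      throw new IllegalStateException("hbase.security.authorization is not enabled");
    }
    this.checker = new AccessChecker(conf);
  }

  /** Denies unless user may READ table:family:qualifier; every decision is audit-logged. */
  public void checkRead(User user, String table, String family, String qualifier)
      throws IOException {
    TableName tableName = TableName.valueOf(table);
    Map<byte[], Collection<byte[]>> families = new TreeMap<>(Bytes.BYTES_COMPARATOR);
    families.put(Bytes.toBytes(family), Collections.singleton(Bytes.toBytes(qualifier)));

    AuthResult result = checker.permissionGranted("get", user, Permission.Action.READ,
        tableName, families);
    AccessChecker.logResult(result);   // audit log records both allow and deny decisions
    if (!result.isAllowed()) {
      throw new AccessDeniedException("Insufficient permissions for " + user.getShortName()
          + " on " + tableName + ": " + result.getReason());
    }
  }

  /** Same check, letting AccessChecker throw AccessDeniedException itself (no filter user). */
  public void requireRead(User user, String table, String family, String qualifier)
      throws IOException {
    checker.requirePermission(user, "get", TableName.valueOf(table),
        Bytes.toBytes(family), Bytes.toBytes(qualifier), null, Permission.Action.READ);
  }
}
```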