18 package org.apache.hadoop.hbase.security.access;
19
20 import java.io.IOException;
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.regex.Pattern;
24
25 import org.apache.hadoop.conf.Configuration;
26 import org.apache.hadoop.hbase.HConstants;
27 import org.apache.hadoop.hbase.HTableDescriptor;
28 import org.apache.hadoop.hbase.MasterNotRunningException;
29 import org.apache.hadoop.hbase.NamespaceDescriptor;
30 import org.apache.hadoop.hbase.TableName;
31 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
32 import org.apache.hadoop.hbase.classification.InterfaceAudience;
33 import org.apache.hadoop.hbase.classification.InterfaceStability;
34 import org.apache.hadoop.hbase.client.Admin;
35 import org.apache.hadoop.hbase.client.ClusterConnection;
36 import org.apache.hadoop.hbase.client.Connection;
37 import org.apache.hadoop.hbase.client.ConnectionFactory;
38 import org.apache.hadoop.hbase.client.Table;
39 import org.apache.hadoop.hbase.client.security.SecurityCapability;
40 import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
41 import org.apache.hadoop.hbase.ipc.PayloadCarryingRpcController;
42 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
43 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
44 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingInterface;
45 import org.apache.hadoop.hbase.util.Bytes;
46
47
48
49
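@InterfaceAudience.Public
@InterfaceStability.Evolving
public class AccessControlClient {
  /** Name of the table holding access-control entries: system namespace, qualifier "acl". */
  public static final TableName ACL_TABLE_NAME =
      TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");

  /**
   * Returns whether the cluster advertises the {@link SecurityCapability#AUTHORIZATION}
   * capability.
   *
   * @param connection an open connection to the cluster
   * @return {@code true} if authorization is reported as enabled
   * @throws IOException if the capabilities cannot be fetched from the master
   */
  public static boolean isAuthorizationEnabled(Connection connection) throws IOException {
    // The Admin is a resource of its own and must be released after the query.
    try (Admin admin = connection.getAdmin()) {
      return admin.getSecurityCapabilities().contains(SecurityCapability.AUTHORIZATION);
    }
  }

  /**
   * Returns whether the cluster advertises the {@link SecurityCapability#CELL_AUTHORIZATION}
   * capability.
   *
   * @param connection an open connection to the cluster
   * @return {@code true} if cell-level authorization is reported as enabled
   * @throws IOException if the capabilities cannot be fetched from the master
   */
  public static boolean isCellAuthorizationEnabled(Connection connection) throws IOException {
    try (Admin admin = connection.getAdmin()) {
      return admin.getSecurityCapabilities().contains(SecurityCapability.CELL_AUTHORIZATION);
    }
  }

  /**
   * Builds a blocking stub for the AccessControlService coprocessor endpoint hosted by the
   * region of {@code ht} that contains the empty start row.
   *
   * @param ht the table (expected to be the ACL table) whose coprocessor endpoint is used
   * @return a blocking RPC stub bound to that endpoint
   * @throws IOException if the coprocessor channel cannot be obtained
   */
  private static BlockingInterface getAccessControlServiceStub(Table ht)
      throws IOException {
    CoprocessorRpcChannel service = ht.coprocessorService(HConstants.EMPTY_START_ROW);
    return AccessControlProtos.AccessControlService.newBlockingStub(service);
  }

  /**
   * Creates a fresh RPC controller from the connection's controller factory.
   * <p>
   * The public entry points below require a {@link ClusterConnection}; any other
   * {@link Connection} implementation fails the cast with a {@link ClassCastException}.
   *
   * @param connection an open cluster connection
   * @return a new controller with default priority
   */
  private static PayloadCarryingRpcController newController(Connection connection) {
    return ((ClusterConnection) connection).getRpcControllerFactory().newController();
  }

  /**
   * Grants table-scoped permissions to a user.
   * <p>
   * Whether the caller is allowed to grant is decided server-side by the access controller
   * coprocessor; this client performs no authorization check of its own.
   *
   * @param connection an open cluster connection
   * @param tableName the table the permission applies to; also used to set the RPC priority
   * @param userName the user (or group) receiving the permission
   * @param family column family, passed through unchanged to {@link ProtobufUtil#grant}
   * @param qual column qualifier, passed through unchanged to {@link ProtobufUtil#grant}
   * @param actions the actions to grant
   * @throws Throwable anything raised by the coprocessor RPC
   */
  public static void grant(final Connection connection, final TableName tableName,
      final String userName, final byte[] family, final byte[] qual,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    controller.setPriority(tableName);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, tableName,
        family, qual, actions);
    }
  }

  /**
   * Grants namespace-scoped permissions to a user.
   *
   * @param connection an open cluster connection
   * @param namespace the namespace the permission applies to
   * @param userName the user (or group) receiving the permission
   * @param actions the actions to grant
   * @throws Throwable anything raised by the coprocessor RPC
   */
  public static void grant(final Connection connection, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, namespace,
        actions);
    }
  }

  /**
   * Grants global permissions to a user.
   *
   * @param connection an open cluster connection
   * @param userName the user (or group) receiving the permission
   * @param actions the actions to grant
   * @throws Throwable anything raised by the coprocessor RPC
   */
  public static void grant(final Connection connection, final String userName,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, actions);
    }
  }

  /**
   * Reports whether the ACL table is available, which this client uses as the signal that
   * the access controller is running.
   *
   * @param connection an open connection to the cluster
   * @return {@code true} if {@link #ACL_TABLE_NAME} is available
   * @throws MasterNotRunningException if the master cannot be reached
   * @throws ZooKeeperConnectionException if ZooKeeper cannot be reached
   * @throws IOException on any other communication failure
   */
  public static boolean isAccessControllerRunning(final Connection connection)
      throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
    try (Admin admin = connection.getAdmin()) {
      return admin.isTableAvailable(ACL_TABLE_NAME);
    }
  }

  /**
   * Revokes table-scoped permissions from a user.
   * <p>
   * As with {@code grant}, authorization of the caller is enforced server-side.
   *
   * @param connection an open cluster connection
   * @param tableName the table the permission applies to; also used to set the RPC priority
   * @param username the user (or group) losing the permission
   * @param family column family, passed through unchanged to {@link ProtobufUtil#revoke}
   * @param qualifier column qualifier, passed through unchanged to {@link ProtobufUtil#revoke}
   * @param actions the actions to revoke
   * @throws Throwable anything raised by the coprocessor RPC
   */
  public static void revoke(final Connection connection, final TableName tableName,
      final String username, final byte[] family, final byte[] qualifier,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    controller.setPriority(tableName);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), username, tableName,
        family, qualifier, actions);
    }
  }

  /**
   * Revokes namespace-scoped permissions from a user.
   *
   * @param connection an open cluster connection
   * @param namespace the namespace the permission applies to
   * @param userName the user (or group) losing the permission
   * @param actions the actions to revoke
   * @throws Throwable anything raised by the coprocessor RPC
   */
  public static void revoke(final Connection connection, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), userName, namespace,
        actions);
    }
  }

  /**
   * Revokes global permissions from a user.
   *
   * @param connection an open cluster connection
   * @param userName the user (or group) losing the permission
   * @param actions the actions to revoke
   * @throws Throwable anything raised by the coprocessor RPC
   */
  public static void revoke(final Connection connection, final String userName,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), userName, actions);
    }
  }

  /**
   * Lists user permissions.
   * <p>
   * The scope is chosen by {@code tableRegex}: {@code null} or empty selects global
   * permissions; a leading {@code '@'} selects the namespace named by the remainder; anything
   * else is compiled as a {@link Pattern} and matched against table names via
   * {@link Admin#listTables(Pattern, boolean)}, with permissions collected for every match.
   *
   * @param connection an open cluster connection
   * @param tableRegex scope selector as described above
   * @return the permissions found; empty list (never {@code null}) if none
   * @throws java.util.regex.PatternSyntaxException if {@code tableRegex} is not a valid regex
   * @throws Throwable anything raised by the coprocessor RPC or table listing
   */
  public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex)
      throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    List<UserPermission> permList = new ArrayList<UserPermission>();
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      BlockingInterface protocol = getAccessControlServiceStub(table);
      if (tableRegex == null || tableRegex.isEmpty()) {
        permList = ProtobufUtil.getUserPermissions(controller, protocol);
      } else if (tableRegex.charAt(0) == '@') {
        String namespace = tableRegex.substring(1);
        permList = ProtobufUtil.getUserPermissions(controller, protocol,
          Bytes.toBytes(namespace));
      } else {
        // Only the table branch needs an Admin, so open (and close) it here rather than
        // for every call.
        try (Admin admin = connection.getAdmin()) {
          HTableDescriptor[] htds = admin.listTables(Pattern.compile(tableRegex), true);
          for (HTableDescriptor hd : htds) {
            permList.addAll(ProtobufUtil.getUserPermissions(controller, protocol,
              hd.getTableName()));
          }
        }
      }
    }
    return permList;
  }

  /**
   * Grants table-scoped permissions using a connection created from {@code conf} for the
   * duration of the call.
   *
   * @deprecated Use {@link #grant(Connection, TableName, String, byte[], byte[], Permission.Action...)}
   *   with a caller-managed connection instead.
   */
  @Deprecated
  public static void grant(Configuration conf, final TableName tableName,
      final String userName, final byte[] family, final byte[] qual,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      grant(connection, tableName, userName, family, qual, actions);
    }
  }

  /**
   * Grants namespace-scoped permissions using a connection created from {@code conf} for the
   * duration of the call.
   *
   * @deprecated Use {@link #grant(Connection, String, String, Permission.Action...)} instead.
   */
  @Deprecated
  public static void grant(Configuration conf, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      grant(connection, namespace, userName, actions);
    }
  }

  /**
   * Grants global permissions using a connection created from {@code conf} for the duration of
   * the call.
   *
   * @deprecated Use {@link #grant(Connection, String, Permission.Action...)} instead.
   */
  @Deprecated
  public static void grant(Configuration conf, final String userName,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      grant(connection, userName, actions);
    }
  }

  /**
   * Checks the access controller using a connection created from {@code conf} for the
   * duration of the call.
   *
   * @deprecated Use {@link #isAccessControllerRunning(Connection)} instead.
   */
  @Deprecated
  public static boolean isAccessControllerRunning(Configuration conf)
      throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      return isAccessControllerRunning(connection);
    }
  }

  /**
   * Revokes table-scoped permissions using a connection created from {@code conf} for the
   * duration of the call.
   *
   * @deprecated Use {@link #revoke(Connection, TableName, String, byte[], byte[], Permission.Action...)}
   *   instead.
   */
  @Deprecated
  public static void revoke(Configuration conf, final TableName tableName,
      final String username, final byte[] family, final byte[] qualifier,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      revoke(connection, tableName, username, family, qualifier, actions);
    }
  }

  /**
   * Revokes namespace-scoped permissions using a connection created from {@code conf} for the
   * duration of the call.
   *
   * @deprecated Use {@link #revoke(Connection, String, String, Permission.Action...)} instead.
   */
  @Deprecated
  public static void revoke(Configuration conf, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      revoke(connection, namespace, userName, actions);
    }
  }

  /**
   * Revokes global permissions using a connection created from {@code conf} for the duration
   * of the call.
   *
   * @deprecated Use {@link #revoke(Connection, String, Permission.Action...)} instead.
   */
  @Deprecated
  public static void revoke(Configuration conf, final String userName,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      revoke(connection, userName, actions);
    }
  }

  /**
   * Lists user permissions using a connection created from {@code conf} for the duration of
   * the call; see {@link #getUserPermissions(Connection, String)} for the scope rules.
   *
   * @deprecated Use {@link #getUserPermissions(Connection, String)} instead.
   */
  @Deprecated
  public static List<UserPermission> getUserPermissions(Configuration conf, String tableRegex)
      throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      return getUserPermissions(connection, tableRegex);
    }
  }
}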