/** * Returns a new {@code PermissionCache} initialized with permission assignments from the {@code * hbase.superuser} configuration key. */ private PermissionCache<Permission> initGlobal(Configuration conf) throws IOException { UserProvider userProvider = UserProvider.instantiate(conf); User user = userProvider.getCurrent(); if (user == null) { throw new IOException( "Unable to obtain the current user, " + "authorization checks for internal operations will not work correctly!"); } PermissionCache<Permission> newCache = new PermissionCache<Permission>(); String currentUser = user.getShortName(); // the system user is always included List<String> superusers = Lists.asList( currentUser, conf.getStrings(AccessControlLists.SUPERUSER_CONF_KEY, new String[0])); if (superusers != null) { for (String name : superusers) { if (AccessControlLists.isGroupPrincipal(name)) { newCache.putGroup( AccessControlLists.getGroupName(name), new Permission(Permission.Action.values())); } else { newCache.putUser(name, new Permission(Permission.Action.values())); } } } return newCache; }
@After public void tearDown() throws Exception { // Clean the _acl_ table TEST_UTIL.deleteTable(tableName); TEST_UTIL.getHBaseAdmin().deleteNamespace(namespace); // Verify all table/namespace permissions are erased assertEquals(0, AccessControlLists.getTablePermissions(conf, tableName).size()); assertEquals(0, AccessControlLists.getNamespacePermissions(conf, namespace).size()); }
/** * Updates the internal permissions cache for a single table, splitting the permissions listed * into separate caches for users and groups to optimize group lookups. * * @param table * @param tablePerms */ private void updateTableCache(byte[] table, ListMultimap<String, TablePermission> tablePerms) { PermissionCache<TablePermission> newTablePerms = new PermissionCache<TablePermission>(); for (Map.Entry<String, TablePermission> entry : tablePerms.entries()) { if (AccessControlLists.isGroupPrincipal(entry.getKey())) { newTablePerms.putGroup(AccessControlLists.getGroupName(entry.getKey()), entry.getValue()); } else { newTablePerms.putUser(entry.getKey(), entry.getValue()); } } tableCache.put(table, newTablePerms); }
public void writeToZooKeeper(byte[] table, PermissionCache<TablePermission> tablePerms) { byte[] serialized = new byte[0]; if (tablePerms != null) { serialized = AccessControlLists.writePermissionsAsBytes(tablePerms.getAllPermissions(), conf); } zkperms.writeToZookeeper(table, serialized); }
@Before public void setUp() throws Exception { TEST_UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(namespace).build()); try (Table table = TEST_UTIL.createTable( tableName, new String[] {Bytes.toString(TEST_FAMILY), Bytes.toString(TEST_FAMILY_2)})) { TEST_UTIL.waitTableEnabled(tableName); List<Put> puts = new ArrayList<Put>(5); Put put_1 = new Put(TEST_ROW); put_1.addColumn(TEST_FAMILY, Q1, value1); Put put_2 = new Put(TEST_ROW_2); put_2.addColumn(TEST_FAMILY, Q2, value2); Put put_3 = new Put(TEST_ROW_3); put_3.addColumn(TEST_FAMILY_2, Q1, value1); puts.add(put_1); puts.add(put_2); puts.add(put_3); table.put(puts); } assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size()); try { assertEquals( 1, AccessControlClient.getUserPermissions(connection, tableName.toString()).size()); } catch (Throwable e) { LOG.error("Error during call of AccessControlClient.getUserPermissions. ", e); } // setupOperations(); }
/** * Updates the internal global permissions cache * * @param userPerms */ private void updateGlobalCache(ListMultimap<String, TablePermission> userPerms) { PermissionCache<Permission> newCache = null; try { newCache = initGlobal(conf); for (Map.Entry<String, TablePermission> entry : userPerms.entries()) { if (AccessControlLists.isGroupPrincipal(entry.getKey())) { newCache.putGroup( AccessControlLists.getGroupName(entry.getKey()), new Permission(entry.getValue().getActions())); } else { newCache.putUser(entry.getKey(), new Permission(entry.getValue().getActions())); } } globalCache = newCache; } catch (IOException e) { // Never happens LOG.error("Error occured while updating the global cache", e); } }
@Test public void testAclTableEntries() throws Exception { String userTestNamespace = "userTestNsp"; Table acl = UTIL.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME); try { ListMultimap<String, TablePermission> perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); for (Map.Entry<String, TablePermission> entry : perms.entries()) { LOG.debug(entry); } assertEquals(6, perms.size()); // Grant and check state in ACL table grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE, Permission.Action.WRITE); Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace))); assertTrue(result != null); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); assertEquals(7, perms.size()); List<TablePermission> namespacePerms = perms.get(userTestNamespace); assertTrue(perms.containsKey(userTestNamespace)); assertEquals(1, namespacePerms.size()); assertEquals(TEST_NAMESPACE, namespacePerms.get(0).getNamespace()); assertEquals(null, namespacePerms.get(0).getFamily()); assertEquals(null, namespacePerms.get(0).getQualifier()); assertEquals(1, namespacePerms.get(0).getActions().length); assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getActions()[0]); // Revoke and check state in ACL table revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE, Permission.Action.WRITE); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); assertEquals(6, perms.size()); } finally { acl.close(); } }
public void refreshCacheFromWritable(byte[] table, byte[] data) throws IOException { if (data != null && data.length > 0) { DataInput in = new DataInputStream(new ByteArrayInputStream(data)); ListMultimap<String, TablePermission> perms = AccessControlLists.readPermissions(in, conf); if (perms != null) { if (Bytes.equals(table, AccessControlLists.ACL_GLOBAL_NAME)) { updateGlobalCache(perms); } else { updateTableCache(table, perms); } } } else { LOG.debug("Skipping permission cache refresh because writable data is empty"); } }
@Test public void testCreateWithCorrectOwner() throws Exception { // Create a test user final User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser", new String[0]); // Grant the test user the ability to create tables SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE); verifyAllowed( new AccessTestAction() { @Override public Object run() throws Exception { HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), testUser)) { try (Admin admin = connection.getAdmin()) { admin.createTable(desc); } } return null; } }, testUser); TEST_UTIL.waitTableEnabled(TEST_TABLE.getTableName()); // Verify that owner permissions have been granted to the test user on the // table just created List<TablePermission> perms = AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()) .get(testUser.getShortName()); assertNotNull(perms); assertFalse(perms.isEmpty()); // Should be RWXCA assertTrue(perms.get(0).implies(Permission.Action.READ)); assertTrue(perms.get(0).implies(Permission.Action.WRITE)); assertTrue(perms.get(0).implies(Permission.Action.EXEC)); assertTrue(perms.get(0).implies(Permission.Action.CREATE)); assertTrue(perms.get(0).implies(Permission.Action.ADMIN)); }