org.apache.accumulo.server.security

Class SecurityOperation

java.lang.Object

org.apache.accumulo.server.security.SecurityOperation

Direct Known Subclasses:

AuditedSecurityOperation

public class SecurityOperation
extends Object

Utility class for performing various security operations with the appropriate checks

Field Summary

Fields

Modifier and Type	Field and Description
protected Authenticator	authenticator
protected Authorizor	authorizor
protected AccumuloServerContext	context
protected boolean	isKerberos
protected PermissionHandler	permHandle

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	SecurityOperation(AccumuloServerContext context)
	SecurityOperation(AccumuloServerContext context, Authorizor author, Authenticator authent, PermissionHandler pm)

Method Summary

Modifier and Type	Method and Description
protected void	_createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations)
protected boolean	_hasNamespacePermission(String user, String namespace, NamespacePermission permission, boolean useCached) Checks if a user has a namespace permission This cannot check if a system user has permission.
protected boolean	_hasTablePermission(String user, String table, TablePermission permission, boolean useCached) Checks if a user has a table permission This cannot check if a system user has permission.
protected void	authenticate(TCredentials credentials)
boolean	authenticatedUserHasAuthorizations(TCredentials credentials, List<ByteBuffer> list) Check if an already authenticated user has specified authorizations.
boolean	authenticateUser(TCredentials credentials, TCredentials toAuth)
boolean	canAlterNamespace(TCredentials credentials, String namespaceId)
boolean	canAlterTable(TCredentials c, String tableId, String namespaceId)
boolean	canAskAboutUser(TCredentials credentials, String user)
boolean	canBulkImport(TCredentials c, String tableId, String namespaceId)
boolean	canBulkImport(TCredentials c, String tableId, String tableName, String dir, String failDir, String namespaceId)
boolean	canChangeAuthorizations(TCredentials c, String user)
boolean	canChangePassword(TCredentials c, String user)
boolean	canCloneTable(TCredentials c, String tableId, String tableName, String destinationNamespaceId, String srcNamespaceId)
boolean	canCompact(TCredentials c, String tableId, String namespaceId)
boolean	canConditionallyUpdate(TCredentials credentials, String tableID, String namespaceId, List<ByteBuffer> authorizations)
boolean	canCreateNamespace(TCredentials credentials, String namespace)
boolean	canCreateTable(TCredentials c, String table, String namespaceId)
boolean	canCreateUser(TCredentials c, String user)
boolean	canDeleteNamespace(TCredentials credentials, String namespaceId)
boolean	canDeleteRange(TCredentials c, String tableId, String tableName, org.apache.hadoop.io.Text startRow, org.apache.hadoop.io.Text endRow, String namespaceId)
boolean	canDeleteTable(TCredentials c, String tableId, String namespaceId)
boolean	canDropUser(TCredentials c, String user)
boolean	canExport(TCredentials credentials, String tableId, String tableName, String exportDir, String namespaceId)
boolean	canFlush(TCredentials c, String tableId, String namespaceId)
boolean	canGrantNamespace(TCredentials c, String user, String namespace)
boolean	canGrantSystem(TCredentials c, String user, SystemPermission sysPerm)
boolean	canGrantTable(TCredentials c, String user, String tableId, String namespaceId)
boolean	canImport(TCredentials credentials, String tableName, String importDir, String namespaceId)
boolean	canMerge(TCredentials c, String tableId, String namespaceId)
boolean	canObtainDelegationToken(TCredentials credentials)
boolean	canOnlineOfflineTable(TCredentials c, String tableId, FateOperation op, String namespaceId)
boolean	canPerformSystemActions(TCredentials credentials) This is the check to perform any system action.
boolean	canRenameNamespace(TCredentials credentials, String namespaceId, String oldName, String newName)
boolean	canRenameTable(TCredentials c, String tableId, String oldTableName, String newTableName, String namespaceId)
boolean	canRevokeNamespace(TCredentials c, String user, String namespace)
boolean	canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm)
boolean	canRevokeTable(TCredentials c, String user, String tableId, String namespaceId)
boolean	canScan(TCredentials credentials, String tableId, String namespaceId)
boolean	canScan(TCredentials credentials, String table, String namespaceId, Map<TKeyExtent,List<TRange>> tbatch, List<TColumn> tcolumns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations)
boolean	canScan(TCredentials credentials, String tableId, String namespaceId, TRange range, List<TColumn> columns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations)
boolean	canSplitTablet(TCredentials credentials, String tableId, String namespaceId)
boolean	canWrite(TCredentials credentials, String tableId, String namespaceId)
void	changeAuthorizations(TCredentials credentials, String user, Authorizations authorizations)
void	changePassword(TCredentials credentials, Credentials toChange)
void	createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations)
void	deleteNamespace(TCredentials credentials, String namespace)
void	deleteTable(TCredentials credentials, String tableId, String namespaceId)
void	dropUser(TCredentials credentials, String user)
protected static Authenticator	getAuthenticator(String instanceId, boolean initialize)
protected static Authorizor	getAuthorizor(String instanceId, boolean initialize)
static SecurityOperation	getInstance(AccumuloServerContext context, boolean initialize)
protected static PermissionHandler	getPermHandler(String instanceId, boolean initialize)
String	getRootUsername()
Authorizations	getUserAuthorizations(TCredentials credentials)
Authorizations	getUserAuthorizations(TCredentials credentials, String user)
void	grantNamespacePermission(TCredentials c, String user, String namespace, NamespacePermission permission)
void	grantSystemPermission(TCredentials credentials, String user, SystemPermission permissionById)
void	grantTablePermission(TCredentials c, String user, String tableId, TablePermission permission, String namespaceId)
boolean	hasNamespacePermission(TCredentials credentials, String user, String namespace, NamespacePermission permissionById)
boolean	hasSystemPermission(TCredentials credentials, String user, SystemPermission permissionById)
boolean	hasTablePermission(TCredentials credentials, String user, String tableId, TablePermission permissionById)
protected boolean	hasTablePermission(TCredentials credentials, String tableId, String namespaceId, TablePermission permission, boolean useCached) Checks if a user has a table permission
void	initializeSecurity(TCredentials credentials, String rootPrincipal, byte[] token)
boolean	isSystemUser(TCredentials credentials)
Set<String>	listUsers(TCredentials credentials)
void	revokeNamespacePermission(TCredentials c, String user, String namespace, NamespacePermission permission)
void	revokeSystemPermission(TCredentials credentials, String user, SystemPermission permission)
void	revokeTablePermission(TCredentials c, String user, String tableId, TablePermission permission, String namespaceId)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

authorizor

protected Authorizor authorizor

authenticator

protected Authenticator authenticator

permHandle

protected PermissionHandler permHandle

isKerberos

protected boolean isKerberos

context

protected final AccumuloServerContext context

Constructor Detail

SecurityOperation

protected SecurityOperation(AccumuloServerContext context)

SecurityOperation

public SecurityOperation(AccumuloServerContext context,
                         Authorizor author,
                         Authenticator authent,
                         PermissionHandler pm)

Method Detail

getInstance

public static SecurityOperation getInstance(AccumuloServerContext context,
                                            boolean initialize)

getAuthorizor

protected static Authorizor getAuthorizor(String instanceId,
                                          boolean initialize)

getAuthenticator

protected static Authenticator getAuthenticator(String instanceId,
                                                boolean initialize)

getPermHandler

protected static PermissionHandler getPermHandler(String instanceId,
                                                  boolean initialize)

initializeSecurity

public void initializeSecurity(TCredentials credentials,
                               String rootPrincipal,
                               byte[] token)
                        throws AccumuloSecurityException,
                               ThriftSecurityException

Throws:

AccumuloSecurityException

ThriftSecurityException

getRootUsername

public String getRootUsername()

isSystemUser

public boolean isSystemUser(TCredentials credentials)

authenticate

protected void authenticate(TCredentials credentials)
                     throws ThriftSecurityException

Throws:

ThriftSecurityException

canAskAboutUser

public boolean canAskAboutUser(TCredentials credentials,
                               String user)
                        throws ThriftSecurityException

Throws:

ThriftSecurityException

authenticateUser

public boolean authenticateUser(TCredentials credentials,
                                TCredentials toAuth)
                         throws ThriftSecurityException

Throws:

ThriftSecurityException

getUserAuthorizations

public Authorizations getUserAuthorizations(TCredentials credentials,
                                            String user)
                                     throws ThriftSecurityException

Throws:

ThriftSecurityException

getUserAuthorizations

public Authorizations getUserAuthorizations(TCredentials credentials)
                                     throws ThriftSecurityException

Throws:

ThriftSecurityException

authenticatedUserHasAuthorizations

public boolean authenticatedUserHasAuthorizations(TCredentials credentials,
                                                  List<ByteBuffer> list)
                                           throws ThriftSecurityException

Check if an already authenticated user has specified authorizations.

Throws:

ThriftSecurityException

hasTablePermission

protected boolean hasTablePermission(TCredentials credentials,
                                     String tableId,
                                     String namespaceId,
                                     TablePermission permission,
                                     boolean useCached)
                              throws ThriftSecurityException

Checks if a user has a table permission

Returns:

true if a user exists and has permission; false otherwise

Throws:

ThriftSecurityException

_hasTablePermission

protected boolean _hasTablePermission(String user,
                                      String table,
                                      TablePermission permission,
                                      boolean useCached)
                               throws ThriftSecurityException

Checks if a user has a table permission
This cannot check if a system user has permission.

Returns:

true if a user exists and has permission; false otherwise

Throws:

ThriftSecurityException

_hasNamespacePermission

protected boolean _hasNamespacePermission(String user,
                                          String namespace,
                                          NamespacePermission permission,
                                          boolean useCached)
                                   throws ThriftSecurityException

Checks if a user has a namespace permission
This cannot check if a system user has permission.

Returns:

true if a user exists and has permission; false otherwise

Throws:

ThriftSecurityException

canScan

public boolean canScan(TCredentials credentials,
                       String tableId,
                       String namespaceId)
                throws ThriftSecurityException

Throws:

ThriftSecurityException

canScan

public boolean canScan(TCredentials credentials,
                       String tableId,
                       String namespaceId,
                       TRange range,
                       List<TColumn> columns,
                       List<IterInfo> ssiList,
                       Map<String,Map<String,String>> ssio,
                       List<ByteBuffer> authorizations)
                throws ThriftSecurityException

Throws:

ThriftSecurityException

canScan

public boolean canScan(TCredentials credentials,
                       String table,
                       String namespaceId,
                       Map<TKeyExtent,List<TRange>> tbatch,
                       List<TColumn> tcolumns,
                       List<IterInfo> ssiList,
                       Map<String,Map<String,String>> ssio,
                       List<ByteBuffer> authorizations)
                throws ThriftSecurityException

Throws:

ThriftSecurityException

canWrite

public boolean canWrite(TCredentials credentials,
                        String tableId,
                        String namespaceId)
                 throws ThriftSecurityException

Throws:

ThriftSecurityException

canConditionallyUpdate

public boolean canConditionallyUpdate(TCredentials credentials,
                                      String tableID,
                                      String namespaceId,
                                      List<ByteBuffer> authorizations)
                               throws ThriftSecurityException

Throws:

ThriftSecurityException

canSplitTablet

public boolean canSplitTablet(TCredentials credentials,
                              String tableId,
                              String namespaceId)
                       throws ThriftSecurityException

Throws:

ThriftSecurityException

canPerformSystemActions

public boolean canPerformSystemActions(TCredentials credentials)
                                throws ThriftSecurityException

This is the check to perform any system action. This includes tserver's loading of a tablet, shutting the system down, or altering system properties.

Throws:

ThriftSecurityException

canFlush

public boolean canFlush(TCredentials c,
                        String tableId,
                        String namespaceId)
                 throws ThriftSecurityException

Throws:

ThriftSecurityException

canAlterTable

public boolean canAlterTable(TCredentials c,
                             String tableId,
                             String namespaceId)
                      throws ThriftSecurityException

Throws:

ThriftSecurityException

canCreateTable

public boolean canCreateTable(TCredentials c,
                              String table,
                              String namespaceId)
                       throws ThriftSecurityException

Throws:

ThriftSecurityException

canRenameTable

public boolean canRenameTable(TCredentials c,
                              String tableId,
                              String oldTableName,
                              String newTableName,
                              String namespaceId)
                       throws ThriftSecurityException

Throws:

ThriftSecurityException

canCloneTable

public boolean canCloneTable(TCredentials c,
                             String tableId,
                             String tableName,
                             String destinationNamespaceId,
                             String srcNamespaceId)
                      throws ThriftSecurityException

Throws:

ThriftSecurityException

canDeleteTable

public boolean canDeleteTable(TCredentials c,
                              String tableId,
                              String namespaceId)
                       throws ThriftSecurityException

Throws:

ThriftSecurityException

canOnlineOfflineTable

public boolean canOnlineOfflineTable(TCredentials c,
                                     String tableId,
                                     FateOperation op,
                                     String namespaceId)
                              throws ThriftSecurityException

Throws:

ThriftSecurityException

canMerge

public boolean canMerge(TCredentials c,
                        String tableId,
                        String namespaceId)
                 throws ThriftSecurityException

Throws:

ThriftSecurityException

canDeleteRange

public boolean canDeleteRange(TCredentials c,
                              String tableId,
                              String tableName,
                              org.apache.hadoop.io.Text startRow,
                              org.apache.hadoop.io.Text endRow,
                              String namespaceId)
                       throws ThriftSecurityException

Throws:

ThriftSecurityException

canBulkImport

public boolean canBulkImport(TCredentials c,
                             String tableId,
                             String tableName,
                             String dir,
                             String failDir,
                             String namespaceId)
                      throws ThriftSecurityException

Throws:

ThriftSecurityException

canBulkImport

public boolean canBulkImport(TCredentials c,
                             String tableId,
                             String namespaceId)
                      throws ThriftSecurityException

Throws:

ThriftSecurityException

canCompact

public boolean canCompact(TCredentials c,
                          String tableId,
                          String namespaceId)
                   throws ThriftSecurityException

Throws:

ThriftSecurityException

canChangeAuthorizations

public boolean canChangeAuthorizations(TCredentials c,
                                       String user)
                                throws ThriftSecurityException

Throws:

ThriftSecurityException

canChangePassword

public boolean canChangePassword(TCredentials c,
                                 String user)
                          throws ThriftSecurityException

Throws:

ThriftSecurityException

canCreateUser

public boolean canCreateUser(TCredentials c,
                             String user)
                      throws ThriftSecurityException

Throws:

ThriftSecurityException

canDropUser

public boolean canDropUser(TCredentials c,
                           String user)
                    throws ThriftSecurityException

Throws:

ThriftSecurityException

canGrantSystem

public boolean canGrantSystem(TCredentials c,
                              String user,
                              SystemPermission sysPerm)
                       throws ThriftSecurityException

Throws:

ThriftSecurityException

canGrantTable

public boolean canGrantTable(TCredentials c,
                             String user,
                             String tableId,
                             String namespaceId)
                      throws ThriftSecurityException

Throws:

ThriftSecurityException

canGrantNamespace

public boolean canGrantNamespace(TCredentials c,
                                 String user,
                                 String namespace)
                          throws ThriftSecurityException

Throws:

ThriftSecurityException

canRevokeSystem

public boolean canRevokeSystem(TCredentials c,
                               String user,
                               SystemPermission sysPerm)
                        throws ThriftSecurityException

Throws:

ThriftSecurityException

canRevokeTable

public boolean canRevokeTable(TCredentials c,
                              String user,
                              String tableId,
                              String namespaceId)
                       throws ThriftSecurityException

Throws:

ThriftSecurityException

canRevokeNamespace

public boolean canRevokeNamespace(TCredentials c,
                                  String user,
                                  String namespace)
                           throws ThriftSecurityException

Throws:

ThriftSecurityException

changeAuthorizations

public void changeAuthorizations(TCredentials credentials,
                                 String user,
                                 Authorizations authorizations)
                          throws ThriftSecurityException

Throws:

ThriftSecurityException

changePassword

public void changePassword(TCredentials credentials,
                           Credentials toChange)
                    throws ThriftSecurityException

Throws:

ThriftSecurityException

createUser

public void createUser(TCredentials credentials,
                       Credentials newUser,
                       Authorizations authorizations)
                throws ThriftSecurityException

Throws:

ThriftSecurityException

_createUser

protected void _createUser(TCredentials credentials,
                           Credentials newUser,
                           Authorizations authorizations)
                    throws ThriftSecurityException

Throws:

ThriftSecurityException

dropUser

public void dropUser(TCredentials credentials,
                     String user)
              throws ThriftSecurityException

Throws:

ThriftSecurityException

grantSystemPermission

public void grantSystemPermission(TCredentials credentials,
                                  String user,
                                  SystemPermission permissionById)
                           throws ThriftSecurityException

Throws:

ThriftSecurityException

grantTablePermission

public void grantTablePermission(TCredentials c,
                                 String user,
                                 String tableId,
                                 TablePermission permission,
                                 String namespaceId)
                          throws ThriftSecurityException

Throws:

ThriftSecurityException

grantNamespacePermission

public void grantNamespacePermission(TCredentials c,
                                     String user,
                                     String namespace,
                                     NamespacePermission permission)
                              throws ThriftSecurityException

Throws:

ThriftSecurityException

revokeSystemPermission

public void revokeSystemPermission(TCredentials credentials,
                                   String user,
                                   SystemPermission permission)
                            throws ThriftSecurityException

Throws:

ThriftSecurityException

revokeTablePermission

public void revokeTablePermission(TCredentials c,
                                  String user,
                                  String tableId,
                                  TablePermission permission,
                                  String namespaceId)
                           throws ThriftSecurityException

Throws:

ThriftSecurityException

revokeNamespacePermission

public void revokeNamespacePermission(TCredentials c,
                                      String user,
                                      String namespace,
                                      NamespacePermission permission)
                               throws ThriftSecurityException

Throws:

ThriftSecurityException

hasSystemPermission

public boolean hasSystemPermission(TCredentials credentials,
                                   String user,
                                   SystemPermission permissionById)
                            throws ThriftSecurityException

Throws:

ThriftSecurityException

hasTablePermission

public boolean hasTablePermission(TCredentials credentials,
                                  String user,
                                  String tableId,
                                  TablePermission permissionById)
                           throws ThriftSecurityException

Throws:

ThriftSecurityException

hasNamespacePermission

public boolean hasNamespacePermission(TCredentials credentials,
                                      String user,
                                      String namespace,
                                      NamespacePermission permissionById)
                               throws ThriftSecurityException

Throws:

ThriftSecurityException

listUsers

public Set<String> listUsers(TCredentials credentials)
                      throws ThriftSecurityException

Throws:

ThriftSecurityException

deleteTable

public void deleteTable(TCredentials credentials,
                        String tableId,
                        String namespaceId)
                 throws ThriftSecurityException

Throws:

ThriftSecurityException

deleteNamespace

public void deleteNamespace(TCredentials credentials,
                            String namespace)
                     throws ThriftSecurityException

Throws:

ThriftSecurityException

canExport

public boolean canExport(TCredentials credentials,
                         String tableId,
                         String tableName,
                         String exportDir,
                         String namespaceId)
                  throws ThriftSecurityException

Throws:

ThriftSecurityException

canImport

public boolean canImport(TCredentials credentials,
                         String tableName,
                         String importDir,
                         String namespaceId)
                  throws ThriftSecurityException

Throws:

ThriftSecurityException

canAlterNamespace

public boolean canAlterNamespace(TCredentials credentials,
                                 String namespaceId)
                          throws ThriftSecurityException

Throws:

ThriftSecurityException

canCreateNamespace

public boolean canCreateNamespace(TCredentials credentials,
                                  String namespace)
                           throws ThriftSecurityException

Throws:

ThriftSecurityException

canDeleteNamespace

public boolean canDeleteNamespace(TCredentials credentials,
                                  String namespaceId)
                           throws ThriftSecurityException

Throws:

ThriftSecurityException

canRenameNamespace

public boolean canRenameNamespace(TCredentials credentials,
                                  String namespaceId,
                                  String oldName,
                                  String newName)
                           throws ThriftSecurityException

Throws:

ThriftSecurityException

canObtainDelegationToken

public boolean canObtainDelegationToken(TCredentials credentials)
                                 throws ThriftSecurityException

Throws:

ThriftSecurityException