org.apache.hadoop.hbase.security.access

Class PermissionStorage

java.lang.Object

org.apache.hadoop.hbase.security.access.PermissionStorage

@InterfaceAudience.Private
public final class PermissionStorage
extends Object

Maintains lists of permission grants to users and groups to allow for authorization checks by AccessController.

Access control lists are stored in an "internal" metadata table named _acl_. Each table's permission grants are stored as a separate row, keyed by the table name. KeyValues for permissions assignments are stored in one of the formats:

 Key                      Desc
 --------                 --------
 user                     table level permissions for a user [R=read, W=write]
 group                    table level permissions for a group
 user,family              column family level permissions for a user
 group,family             column family level permissions for a group
 user,family,qualifier    column qualifier level permissions for a user
 group,family,qualifier   column qualifier level permissions for a group
 

All values are encoded as byte arrays containing the codes from the org.apache.hadoop.hbase.security.access.TablePermission.Action enum.

Field Summary

Fields

Modifier and Type	Field and Description
static byte[]	ACL_GLOBAL_NAME
static char	ACL_KEY_DELIMITER Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys
static byte[]	ACL_LIST_FAMILY
static String	ACL_LIST_FAMILY_STR Column family used to store ACL grants
static TableName	ACL_TABLE_NAME Internal storage table for access control lists
static byte	ACL_TAG_TYPE KV tag to store per cell access control lists
static char	NAMESPACE_PREFIX

Method Summary

Modifier and Type	Method and Description
static void	addUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t, boolean mergeExistingPermissions) Stores a new user permission grant in the access control lists table.
static byte[]	fromNamespaceEntry(byte[] namespace)
static String	fromNamespaceEntry(String namespace)
static List<Permission>	getCellPermissionsForUser(User user, Cell cell)
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	getGlobalPermissions(org.apache.hadoop.conf.Configuration conf)
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	getNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace)
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	getTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName)
static List<UserPermission>	getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf, String namespace, String user, boolean hasFilterUser) Returns the currently granted permissions for a given namespace as the specified user plus associated permissions.
static List<UserPermission>	getUserPermissions(org.apache.hadoop.conf.Configuration conf, byte[] entryName, byte[] cf, byte[] cq, String user, boolean hasFilterUser) Returns the currently granted permissions for a given table/namespace with associated permissions based on the specified column family, column qualifier and user name.
static List<UserPermission>	getUserTablePermissions(org.apache.hadoop.conf.Configuration conf, TableName tableName, byte[] cf, byte[] cq, String userName, boolean hasFilterUser) Returns the currently granted permissions for a given table as the specified user plus associated permissions.
static boolean	isGlobalEntry(byte[] entryName)
static boolean	isNamespaceEntry(byte[] entryName)
static boolean	isNamespaceEntry(String entryName)
static boolean	isTableEntry(byte[] entryName)
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission>	readPermissions(byte[] data, org.apache.hadoop.conf.Configuration conf)
static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission>	readUserPermission(byte[] data, org.apache.hadoop.conf.Configuration conf)
static void	removeUserPermission(org.apache.hadoop.conf.Configuration conf, UserPermission userPerm, Table t) Removes a previously granted permission from the stored access control lists.
static byte[]	toNamespaceEntry(byte[] namespace)
static String	toNamespaceEntry(String namespace)
static byte[]	writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> perms, org.apache.hadoop.conf.Configuration conf) Writes a set of permissions as Writable instances and returns the resulting byte array.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ACL_TABLE_NAME

public static final TableName ACL_TABLE_NAME

Internal storage table for access control lists

ACL_GLOBAL_NAME

public static final byte[] ACL_GLOBAL_NAME

ACL_LIST_FAMILY_STR

public static final String ACL_LIST_FAMILY_STR

Column family used to store ACL grants

See Also:

Constant Field Values

ACL_LIST_FAMILY

public static final byte[] ACL_LIST_FAMILY

ACL_TAG_TYPE

public static final byte ACL_TAG_TYPE

KV tag to store per cell access control lists

See Also:

Constant Field Values

NAMESPACE_PREFIX

public static final char NAMESPACE_PREFIX

See Also:

Constant Field Values

ACL_KEY_DELIMITER

public static final char ACL_KEY_DELIMITER

Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys

See Also:

Constant Field Values

Method Detail

addUserPermission

public static void addUserPermission(org.apache.hadoop.conf.Configuration conf,
                                     UserPermission userPerm,
                                     Table t,
                                     boolean mergeExistingPermissions)
                              throws IOException

Stores a new user permission grant in the access control lists table.

Parameters:

conf - the configuration

userPerm - the details of the permission to be granted

t - acl table instance. It is closed upon method return.

Throws:

IOException - in the case of an error accessing the metadata table

removeUserPermission

public static void removeUserPermission(org.apache.hadoop.conf.Configuration conf,
                                        UserPermission userPerm,
                                        Table t)
                                 throws IOException

Removes a previously granted permission from the stored access control lists. The TablePermission being removed must exactly match what is stored -- no wildcard matching is attempted. Ie, if user "bob" has been granted "READ" access to the "data" table, but only to column family plus qualifier "info:colA", then trying to call this method with only user "bob" and the table name "data" (but without specifying the column qualifier "info:colA") will have no effect.

Parameters:

conf - the configuration

userPerm - the details of the permission to be revoked

t - acl table

Throws:

IOException - if there is an error accessing the metadata table

getTablePermissions

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getTablePermissions(org.apache.hadoop.conf.Configuration conf,
                                                                                                                            TableName tableName)
                                                                                                                     throws IOException

Throws:

IOException

getNamespacePermissions

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
                                                                                                                                String namespace)
                                                                                                                         throws IOException

Throws:

IOException

getGlobalPermissions

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> getGlobalPermissions(org.apache.hadoop.conf.Configuration conf)
                                                                                                                      throws IOException

Throws:

IOException

getUserTablePermissions

public static List<UserPermission> getUserTablePermissions(org.apache.hadoop.conf.Configuration conf,
                                                           TableName tableName,
                                                           byte[] cf,
                                                           byte[] cq,
                                                           String userName,
                                                           boolean hasFilterUser)
                                                    throws IOException

Returns the currently granted permissions for a given table as the specified user plus associated permissions.

Throws:

IOException

getUserNamespacePermissions

public static List<UserPermission> getUserNamespacePermissions(org.apache.hadoop.conf.Configuration conf,
                                                               String namespace,
                                                               String user,
                                                               boolean hasFilterUser)
                                                        throws IOException

Returns the currently granted permissions for a given namespace as the specified user plus associated permissions.

Throws:

IOException

getUserPermissions

public static List<UserPermission> getUserPermissions(org.apache.hadoop.conf.Configuration conf,
                                                      byte[] entryName,
                                                      byte[] cf,
                                                      byte[] cq,
                                                      String user,
                                                      boolean hasFilterUser)
                                               throws IOException

Returns the currently granted permissions for a given table/namespace with associated permissions based on the specified column family, column qualifier and user name.

Parameters:

conf - the configuration

entryName - Table name or the namespace

cf - Column family

cq - Column qualifier

user - User name to be filtered from permission as requested

hasFilterUser - true if filter user is provided, otherwise false.

Returns:

List of UserPermissions

Throws:

IOException - on failure

writePermissionsAsBytes

public static byte[] writePermissionsAsBytes(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> perms,
                                             org.apache.hadoop.conf.Configuration conf)

Writes a set of permissions as Writable instances and returns the resulting byte array. Writes a set of permission [user: table permission]

readUserPermission

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> readUserPermission(byte[] data,
                                                                                                                           org.apache.hadoop.conf.Configuration conf)
                                                                                                                    throws DeserializationException

Throws:

DeserializationException

readPermissions

public static org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,Permission> readPermissions(byte[] data,
                                                                                                                    org.apache.hadoop.conf.Configuration conf)
                                                                                                             throws DeserializationException

Throws:

DeserializationException

isGlobalEntry

public static boolean isGlobalEntry(byte[] entryName)

isNamespaceEntry

public static boolean isNamespaceEntry(String entryName)

isNamespaceEntry

public static boolean isNamespaceEntry(byte[] entryName)

isTableEntry

public static boolean isTableEntry(byte[] entryName)

toNamespaceEntry

public static String toNamespaceEntry(String namespace)

fromNamespaceEntry

public static String fromNamespaceEntry(String namespace)

toNamespaceEntry

public static byte[] toNamespaceEntry(byte[] namespace)

fromNamespaceEntry

public static byte[] fromNamespaceEntry(byte[] namespace)

getCellPermissionsForUser

public static List<Permission> getCellPermissionsForUser(User user,
                                                         Cell cell)
                                                  throws IOException

Throws:

IOException