<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.security.access;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import java.io.IOException;</span>
<span class="source-line-no">021</span><span id="line-21">import java.util.HashMap;</span>
<span class="source-line-no">022</span><span id="line-22">import java.util.List;</span>
<span class="source-line-no">023</span><span id="line-23">import java.util.Map;</span>
<span class="source-line-no">024</span><span id="line-24">import java.util.Set;</span>
<span class="source-line-no">025</span><span id="line-25">import java.util.concurrent.ConcurrentHashMap;</span>
<span class="source-line-no">026</span><span id="line-26">import java.util.concurrent.atomic.AtomicLong;</span>
<span class="source-line-no">027</span><span id="line-27">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">028</span><span id="line-28">import org.apache.hadoop.hbase.AuthUtil;</span>
<span class="source-line-no">029</span><span id="line-29">import org.apache.hadoop.hbase.Cell;</span>
<span class="source-line-no">030</span><span id="line-30">import org.apache.hadoop.hbase.ExtendedCell;</span>
<span class="source-line-no">031</span><span id="line-31">import org.apache.hadoop.hbase.TableName;</span>
<span class="source-line-no">032</span><span id="line-32">import org.apache.hadoop.hbase.exceptions.DeserializationException;</span>
<span class="source-line-no">033</span><span id="line-33">import org.apache.hadoop.hbase.security.Superusers;</span>
<span class="source-line-no">034</span><span id="line-34">import org.apache.hadoop.hbase.security.User;</span>
<span class="source-line-no">035</span><span id="line-35">import org.apache.hadoop.hbase.util.Bytes;</span>
<span class="source-line-no">036</span><span id="line-36">import org.apache.yetus.audience.InterfaceAudience;</span>
<span class="source-line-no">037</span><span id="line-37">import org.slf4j.Logger;</span>
<span class="source-line-no">038</span><span id="line-38">import org.slf4j.LoggerFactory;</span>
<span class="source-line-no">039</span><span id="line-39"></span>
<span class="source-line-no">040</span><span id="line-40">import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;</span>
<span class="source-line-no">041</span><span id="line-41"></span>
<span class="source-line-no">042</span><span id="line-42">/**</span>
<span class="source-line-no">043</span><span id="line-43"> * Performs authorization checks for a given user's assigned permissions.</span>
<span class="source-line-no">044</span><span id="line-44"> * &lt;p&gt;</span>
<span class="source-line-no">045</span><span id="line-45"> * There are the following scopes: &lt;b&gt;Global&lt;/b&gt;, &lt;b&gt;Namespace&lt;/b&gt;, &lt;b&gt;Table&lt;/b&gt;, &lt;b&gt;Family&lt;/b&gt;,</span>
<span class="source-line-no">046</span><span id="line-46"> * &lt;b&gt;Qualifier&lt;/b&gt;, &lt;b&gt;Cell&lt;/b&gt;. Generally speaking, higher scopes override lower scopes,</span>
<span class="source-line-no">047</span><span id="line-47"> * except that a Cell permission can be granted even when a user has no permission on the specified table,</span>
<span class="source-line-no">048</span><span id="line-48"> * which means the user can get/scan only the granted parts of those cells.</span>
<span class="source-line-no">049</span><span id="line-49"> * &lt;/p&gt;</span>
<span class="source-line-no">050</span><span id="line-50"> * e.g., if user A has the global permission R(ead), he can read table T without a table-scope</span>
<span class="source-line-no">051</span><span id="line-51"> * permission check, so authorization checks always start from the Global scope.</span>
<span class="source-line-no">052</span><span id="line-52"> * &lt;p&gt;</span>
<span class="source-line-no">053</span><span id="line-53"> * For each scope, not only the user but also the groups he belongs to are checked.</span>
<span class="source-line-no">054</span><span id="line-54"> * &lt;/p&gt;</span>
<span class="source-line-no">055</span><span id="line-55"> */</span>
<span class="source-line-no">056</span><span id="line-56">@InterfaceAudience.Private</span>
<span class="source-line-no">057</span><span id="line-57">public final class AuthManager {</span>
<span class="source-line-no">058</span><span id="line-58"></span>
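/**
 * Thread-safe cache of permissions keyed by user short name or group entry.
 * <p>
 * Every map mutation happens under {@code mutex}. The value sets are
 * {@link ConcurrentHashMap#newKeySet()} sets, so a caller holding the set returned by
 * {@link #get(String)} may iterate it outside the lock without a
 * {@code ConcurrentModificationException}. A concurrent {@link #clear()} empties that live set in
 * place, so such a reader can only observe fewer permissions than were granted, never ones the
 * refresh has dropped.
 * @param <T> the permission type held (table or namespace permission)
 */
private static class PermissionCache<T extends Permission> {
  private final Object mutex = new Object();
  private final Map<String, Set<T>> cache = new HashMap<>();

  /**
   * Adds {@code perm} to the permission set for {@code name}, creating the set on first use.
   * @param name user short name or group entry
   * @param perm permission to add
   */
  void put(String name, T perm) {
    synchronized (mutex) {
      // computeIfAbsent allocates a set only when the entry is missing; getOrDefault built
      // (and discarded) a fresh key set on every call, including the common hit case.
      cache.computeIfAbsent(name, k -> ConcurrentHashMap.newKeySet()).add(perm);
    }
  }

  /**
   * Returns the live permission set for {@code name}, or {@code null} when nothing was granted.
   * The set is not a copy; see the class comment for what a concurrent {@link #clear()} means.
   * @param name user short name or group entry
   * @return the backing set, or null
   */
  Set<T> get(String name) {
    synchronized (mutex) {
      return cache.get(name);
    }
  }

  /** Empties every permission set in place and then drops all entries. */
  void clear() {
    synchronized (mutex) {
      for (Set<T> perms : cache.values()) {
        perms.clear();
      }
      cache.clear();
    }
  }
}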
<span class="source-line-no">090</span><span id="line-90"></span>
/**
 * Shared empty sentinels handed back by {@code getOrDefault} when a namespace or table has no
 * cached entry, so the authorize methods never have to null-check the cache itself. Nothing in
 * the visible code writes to them (the update methods fetch or build their own instance), but
 * they are mutable package-private instance fields, not constants, despite the naming.
 */
PermissionCache<NamespacePermission> NS_NO_PERMISSION = new PermissionCache<>();
PermissionCache<TablePermission> TBL_NO_PERMISSION = new PermissionCache<>();

/**
 * Cache for global permission excluding superuser and supergroup. Since every user/group can only
 * have one global permission, no need to use PermissionCache.
 * Keyed by user short name or group entry; cleared and refilled wholesale by updateGlobalCache.
 */
private Map<String, GlobalPermission> globalCache = new ConcurrentHashMap<>();
/** Cache for namespace permission, keyed by namespace name. */
private ConcurrentHashMap<String, PermissionCache<NamespacePermission>> namespaceCache =
  new ConcurrentHashMap<>();
/** Cache for table permission, keyed by table name. */
private ConcurrentHashMap<TableName, PermissionCache<TablePermission>> tableCache =
  new ConcurrentHashMap<>();

private static final Logger LOG = LoggerFactory.getLogger(AuthManager.class);

/** Configuration passed through to PermissionStorage when ACL data is deserialized. */
private Configuration conf;
/**
 * Monotonic counter bumped after every cache update (global, namespace or table).
 * NOTE(review): presumably exposed by a getter outside this view so callers can detect that a
 * refresh happened; confirm against the rest of the file.
 */
private final AtomicLong mtime = new AtomicLong(0L);
<span class="source-line-no">110</span><span id="line-110"></span>
/**
 * Creates a manager with empty caches; they are filled later by the refresh*FromWritable methods.
 * @param conf configuration handed to PermissionStorage when ACL data is deserialized
 */
AuthManager(Configuration conf) {
  this.conf = conf;
}
<span class="source-line-no">114</span><span id="line-114"></span>
/**
 * Update acl info for table.
 * <p>
 * Deserializes {@code data} and replaces the cached permissions for {@code table}; data stored
 * under the global ACL name refreshes the global cache instead. Empty data is skipped, and a
 * deserialization failure is surfaced as an {@link IOException} before any cache is touched, so
 * the previously cached permissions stay in effect.
 * @param table name of table
 * @param data updated acl data
 * @throws IOException exception when deserialize data
 */
public void refreshTableCacheFromWritable(TableName table, byte[] data) throws IOException {
  if (data == null || data.length == 0) {
    // NOTE(review): the namespace variant logs the same skip at debug level.
    LOG.info("Skipping permission cache refresh because writable data is empty");
    return;
  }
  ListMultimap<String, Permission> perms;
  try {
    perms = PermissionStorage.readPermissions(data, conf);
  } catch (DeserializationException e) {
    throw new IOException(e);
  }
  if (perms == null) {
    return;
  }
  boolean isGlobalEntry = Bytes.equals(table.getName(), PermissionStorage.ACL_GLOBAL_NAME);
  if (isGlobalEntry) {
    updateGlobalCache(perms);
  } else {
    updateTableCache(table, perms);
  }
}
<span class="source-line-no">139</span><span id="line-139"></span>
/**
 * Update acl info for namespace.
 * <p>
 * Deserializes {@code data} and replaces the cached permissions for {@code namespace}. Empty data
 * is skipped, and a deserialization failure is surfaced as an {@link IOException} before the
 * cache is touched, so the previously cached permissions stay in effect.
 * @param namespace namespace
 * @param data updated acl data
 * @throws IOException exception when deserialize data
 */
public void refreshNamespaceCacheFromWritable(String namespace, byte[] data) throws IOException {
  if (data == null || data.length == 0) {
    LOG.debug("Skipping permission cache refresh because writable data is empty");
    return;
  }
  ListMultimap<String, Permission> perms;
  try {
    perms = PermissionStorage.readPermissions(data, conf);
  } catch (DeserializationException e) {
    throw new IOException(e);
  }
  if (perms != null) {
    updateNamespaceCache(namespace, perms);
  }
}
<span class="source-line-no">160</span><span id="line-160"></span>
/**
 * Updates the internal global permissions cache.
 * <p>
 * The map is emptied first and then refilled, so an authorization check racing with the refill
 * may find no entry for a moment and be denied (fail closed); once the clear has run it can no
 * longer see a grant that the new data dropped. When a name carries several permissions the last
 * one wins, as before.
 * @param globalPerms new global permissions
 */
private void updateGlobalCache(ListMultimap<String, Permission> globalPerms) {
  globalCache.clear();
  for (Map.Entry<String, Permission> entry : globalPerms.entries()) {
    String name = entry.getKey();
    Permission permission = entry.getValue();
    // Before 2.2, the global permission which storage in zk is not right. It was saved as a
    // table permission. So here need to handle this for compatibility. See HBASE-22503.
    // Any other subtype is cast directly; something that is not a GlobalPermission fails here
    // with a ClassCastException instead of being cached.
    GlobalPermission global = permission instanceof TablePermission
      ? new GlobalPermission(permission.getActions())
      : (GlobalPermission) permission;
    globalCache.put(name, global);
  }
  mtime.incrementAndGet();
}
<span class="source-line-no">180</span><span id="line-180"></span>
/**
 * Updates the internal table permissions cache for specified table.
 * <p>
 * The table's existing cache (or a fresh one) is cleared in place, refilled and re-registered.
 * A reader racing with the refill sees a subset of the new permissions, never extra ones.
 * NOTE(review): two refreshes for the same table running concurrently would interleave the
 * clear/put steps and could leave a union of both snapshots; this assumes the caller serialises
 * refreshes per table — confirm at the call site.
 * @param table updated table name
 * @param tablePerms new table permissions
 */
private void updateTableCache(TableName table, ListMultimap<String, Permission> tablePerms) {
  PermissionCache<TablePermission> existing = tableCache.get(table);
  PermissionCache<TablePermission> target = existing != null ? existing : new PermissionCache<>();
  clearCache(target);
  updateCache(tablePerms, target);
  tableCache.put(table, target);
  mtime.incrementAndGet();
}
<span class="source-line-no">194</span><span id="line-194"></span>
/**
 * Updates the internal namespace permissions cache for specified namespace.
 * <p>
 * The namespace's existing cache (or a fresh one) is cleared in place, refilled and
 * re-registered. A reader racing with the refill sees a subset of the new permissions, never
 * extra ones. NOTE(review): concurrent refreshes for the same namespace could interleave the
 * clear/put steps and leave a union of both snapshots; this assumes the caller serialises them.
 * @param namespace updated namespace
 * @param nsPerms new namespace permissions
 */
private void updateNamespaceCache(String namespace, ListMultimap<String, Permission> nsPerms) {
  PermissionCache<NamespacePermission> existing = namespaceCache.get(namespace);
  PermissionCache<NamespacePermission> target =
    existing != null ? existing : new PermissionCache<>();
  clearCache(target);
  updateCache(nsPerms, target);
  namespaceCache.put(namespace, target);
  mtime.incrementAndGet();
}
<span class="source-line-no">208</span><span id="line-208"></span>
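/**
 * Empties {@code cacheToUpdate} in place: the name map and every permission set it holds.
 * Typed with a wildcard instead of the raw type so no unchecked conversion is needed.
 * @param cacheToUpdate cache to empty; must not be null
 */
private void clearCache(PermissionCache<?> cacheToUpdate) {
  cacheToUpdate.clear();
}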
<span class="source-line-no">212</span><span id="line-212"></span>
/**
 * Copies every (name, permission) pair of {@code newPermissions} into {@code cacheToUpdate}.
 * <p>
 * The cache parameter is deliberately raw: callers feed a {@code ListMultimap<String, Permission>}
 * into a {@code PermissionCache<TablePermission>} or {@code PermissionCache<NamespacePermission>},
 * which the generics would reject. The unchecked put therefore trusts that the storage layer only
 * returns permissions of the matching subtype; a mismatched entry is not detected here and would
 * surface later, e.g. as a ClassCastException when the set is iterated with its declared type.
 * @param newPermissions permissions to add, keyed by user short name or group entry
 * @param cacheToUpdate cache receiving the permissions; it is not cleared first
 */
@SuppressWarnings("unchecked")
private void updateCache(ListMultimap<String, ? extends Permission> newPermissions,
  PermissionCache cacheToUpdate) {
  for (Map.Entry<String, ? extends Permission> entry : newPermissions.entries()) {
    cacheToUpdate.put(entry.getKey(), entry.getValue());
  }
}
<span class="source-line-no">222</span><span id="line-222"></span>
/**
 * Check if user has given action privilege in global scope.
 * <p>
 * Evaluation order: a null user is denied; a configured superuser is allowed without consulting
 * the cache; otherwise the user's own global grant is checked, then each of the user's groups.
 * @param user user name
 * @param action one of action in [Read, Write, Create, Exec, Admin]
 * @return true if user has, false otherwise
 */
public boolean authorizeUserGlobal(User user, Permission.Action action) {
  if (user == null) {
    return false;
  }
  // Superuser status short-circuits before any cache lookup.
  if (Superusers.isSuperUser(user) || authorizeGlobal(globalCache.get(user.getShortName()), action)) {
    return true;
  }
  for (String group : user.getGroupNames()) {
    GlobalPermission groupPerm = globalCache.get(AuthUtil.toGroupEntry(group));
    if (authorizeGlobal(groupPerm, action)) {
      return true;
    }
  }
  return false;
}
<span class="source-line-no">246</span><span id="line-246"></span>
/**
 * Returns whether a cached global permission grants {@code action}.
 * @param permissions the cached grant, or null when the user/group has none
 * @param action action to check
 * @return true only if a grant exists and implies the action
 */
private boolean authorizeGlobal(GlobalPermission permissions, Permission.Action action) {
  if (permissions == null) {
    return false;
  }
  return permissions.implies(action);
}
<span class="source-line-no">250</span><span id="line-250"></span>
/**
 * Check if user has given action privilege in namespace scope.
 * <p>
 * Global grants (including superuser) are consulted first and override namespace scope; then the
 * user's own namespace grants, then those of each group. {@code namespace} must be non-null
 * since it is looked up in a ConcurrentHashMap.
 * @param user user name
 * @param namespace namespace
 * @param action one of action in [Read, Write, Create, Exec, Admin]
 * @return true if user has, false otherwise
 */
public boolean authorizeUserNamespace(User user, String namespace, Permission.Action action) {
  if (user == null) {
    return false;
  }
  if (authorizeUserGlobal(user, action)) {
    return true;
  }
  PermissionCache<NamespacePermission> nsPermissions =
    namespaceCache.getOrDefault(namespace, NS_NO_PERMISSION);
  Set<NamespacePermission> ownPerms = nsPermissions.get(user.getShortName());
  if (authorizeNamespace(ownPerms, namespace, action)) {
    return true;
  }
  for (String group : user.getGroupNames()) {
    Set<NamespacePermission> groupPerms = nsPermissions.get(AuthUtil.toGroupEntry(group));
    if (authorizeNamespace(groupPerms, namespace, action)) {
      return true;
    }
  }
  return false;
}
<span class="source-line-no">277</span><span id="line-277"></span>
/**
 * Returns whether any of the given namespace permissions grants {@code action} on
 * {@code namespace}.
 * @param permissions cached grants for one user or group, or null when there are none
 * @param namespace namespace being accessed
 * @param action action to check
 * @return true if at least one permission implies the action, false otherwise
 */
private boolean authorizeNamespace(Set<NamespacePermission> permissions, String namespace,
  Permission.Action action) {
  if (permissions == null) {
    return false;
  }
  // anyMatch short-circuits on the first grant, like the original early return.
  return permissions.stream().anyMatch(permission -> permission.implies(namespace, action));
}
<span class="source-line-no">290</span><span id="line-290"></span>
/**
 * Checks if the user has access to the full table or at least a family/qualifier for the
 * specified action.
 * <p>
 * A null table is treated as the ACL table itself. Namespace scope (which in turn covers global
 * scope and superusers) is consulted first; then the table cache for the user and each group.
 * Only the action of a cached table permission is compared, not its family or qualifier, so any
 * grant on the table that carries the action counts.
 * @param user user name
 * @param table table name
 * @param action action in one of [Read, Write, Create, Exec, Admin]
 * @return true if the user has access to the table, false otherwise
 */
public boolean accessUserTable(User user, TableName table, Permission.Action action) {
  if (user == null) {
    return false;
  }
  TableName target = table == null ? PermissionStorage.ACL_TABLE_NAME : table;
  if (authorizeUserNamespace(user, target.getNamespaceAsString(), action)) {
    return true;
  }
  PermissionCache<TablePermission> tblPermissions =
    tableCache.getOrDefault(target, TBL_NO_PERMISSION);
  if (hasAccessTable(tblPermissions.get(user.getShortName()), action)) {
    return true;
  }
  for (String group : user.getGroupNames()) {
    String groupEntry = AuthUtil.toGroupEntry(group);
    if (hasAccessTable(tblPermissions.get(groupEntry), action)) {
      return true;
    }
  }
  return false;
}
<span class="source-line-no">321</span><span id="line-321"></span>
/**
 * Whether any permission in the set implies the given action at table scope.
 * @param permissions permissions already resolved for one table and one principal, may be
 *          {@code null} (no entry in the cache), which is treated as no grant
 * @param action the action being checked
 * @return true if some permission implies {@code action}, false otherwise
 */
private boolean hasAccessTable(Set<TablePermission> permissions, Permission.Action action) {
  // A missing entry is a deny, not an error.
  if (permissions == null) {
    return false;
  }
  return permissions.stream().anyMatch(p -> p.implies(action));
}
<span class="source-line-no">333</span><span id="line-333"></span>
/**
 * Check if user has given action privilege in table scope.
 * <p>
 * Delegates to the table:family:qualifier overload with no family and no qualifier, so the check
 * matches grants at table scope.
 * @param user user name
 * @param table table name
 * @param action one of action in [Read, Write, Create, Exec, Admin]
 * @return true if user has, false otherwise
 */
public boolean authorizeUserTable(User user, TableName table, Permission.Action action) {
  final byte[] anyFamily = null;
  final byte[] anyQualifier = null;
  return authorizeUserTable(user, table, anyFamily, anyQualifier, action);
}
<span class="source-line-no">344</span><span id="line-344"></span>
/**
 * Check if user has given action privilege in table:family scope.
 * <p>
 * Delegates to the table:family:qualifier overload with no qualifier.
 * @param user user name
 * @param table table name
 * @param family family name
 * @param action one of action in [Read, Write, Create, Exec, Admin]
 * @return true if user has, false otherwise
 */
public boolean authorizeUserTable(User user, TableName table, byte[] family,
  Permission.Action action) {
  final byte[] anyQualifier = null;
  return authorizeUserTable(user, table, family, anyQualifier, action);
}
<span class="source-line-no">357</span><span id="line-357"></span>
/**
 * Check if user has given action privilege in table:family:qualifier scope.
 * <p>
 * Resolution order: a namespace-scoped grant wins first, then table-scoped grants held by the
 * user directly, then grants held by any of the user's groups. Any matching scope grants access;
 * no match at all denies it.
 * @param user user name; a {@code null} user is denied
 * @param table table name; {@code null} refers to the ACL table itself
 * @param family family name, may be {@code null}
 * @param qualifier qualifier name, may be {@code null}
 * @param action one of action in [Read, Write, Create, Exec, Admin]
 * @return true if user has, false otherwise
 */
public boolean authorizeUserTable(User user, TableName table, byte[] family, byte[] qualifier,
  Permission.Action action) {
  if (user == null) {
    return false;
  }
  TableName target = (table == null) ? PermissionStorage.ACL_TABLE_NAME : table;
  if (authorizeUserNamespace(user, target.getNamespaceAsString(), action)) {
    return true;
  }
  // Absent cache entry means "no permissions" (TBL_NO_PERMISSION), i.e. deny by default.
  PermissionCache<TablePermission> cached = tableCache.getOrDefault(target, TBL_NO_PERMISSION);
  boolean granted =
    authorizeTable(cached.get(user.getShortName()), target, family, qualifier, action);
  if (!granted) {
    for (String group : user.getGroupNames()) {
      Set<TablePermission> groupPerms = cached.get(AuthUtil.toGroupEntry(group));
      if (authorizeTable(groupPerms, target, family, qualifier, action)) {
        granted = true;
        break;
      }
    }
  }
  return granted;
}
<span class="source-line-no">393</span><span id="line-393"></span>
/**
 * Whether any permission in the set implies the action on the given table, family and
 * qualifier.
 * @param permissions permissions already resolved for one principal, may be {@code null} (no
 *          entry in the cache), which is treated as no grant
 * @param table table name
 * @param family family name, may be {@code null}
 * @param qualifier qualifier name, may be {@code null}
 * @param action the action being checked
 * @return true if some permission implies the action at this scope, false otherwise
 */
private boolean authorizeTable(Set<TablePermission> permissions, TableName table, byte[] family,
  byte[] qualifier, Permission.Action action) {
  // A missing entry is a deny, not an error.
  if (permissions == null) {
    return false;
  }
  return permissions.stream().anyMatch(p -> p.implies(table, family, qualifier, action));
}
<span class="source-line-no">406</span><span id="line-406"></span>
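/**
 * Check if user has given action privilege in table:family scope. This method is for backward
 * compatibility.
 * <p>
 * Unlike {@link #authorizeUserTable(User, TableName, byte[], byte[], Permission.Action)}, this
 * check does not consult namespace-scoped grants: only table-cache entries for the user and for
 * the user's groups are examined.
 * @param user user name; a {@code null} user is denied
 * @param table table name; {@code null} refers to the ACL table itself, as in the other
 *          table-scoped checks
 * @param family family name
 * @param action one of action in [Read, Write, Create, Exec, Admin]
 * @return true if user has, false otherwise
 */
public boolean authorizeUserFamily(User user, TableName table, byte[] family,
  Permission.Action action) {
  // Fail closed on a missing principal instead of throwing from user.getShortName(); this
  // mirrors the guard in the other public checks.
  if (user == null) {
    return false;
  }
  if (table == null) {
    table = PermissionStorage.ACL_TABLE_NAME;
  }
  // Absent cache entry means "no permissions" (TBL_NO_PERMISSION), i.e. deny by default.
  PermissionCache<TablePermission> tblPermissions =
    tableCache.getOrDefault(table, TBL_NO_PERMISSION);
  if (authorizeFamily(tblPermissions.get(user.getShortName()), table, family, action)) {
    return true;
  }
  for (String group : user.getGroupNames()) {
    if (
      authorizeFamily(tblPermissions.get(AuthUtil.toGroupEntry(group)), table, family, action)
    ) {
      return true;
    }
  }
  return false;
}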
<span class="source-line-no">432</span><span id="line-432"></span>
/**
 * Whether any permission in the set implies the action on the given table and family.
 * @param permissions permissions already resolved for one principal, may be {@code null} (no
 *          entry in the cache), which is treated as no grant
 * @param table table name
 * @param family family name
 * @param action the action being checked
 * @return true if some permission implies the action at this scope, false otherwise
 */
private boolean authorizeFamily(Set<TablePermission> permissions, TableName table, byte[] family,
  Permission.Action action) {
  // A missing entry is a deny, not an error.
  if (permissions == null) {
    return false;
  }
  boolean implied = false;
  for (TablePermission candidate : permissions) {
    if (candidate.implies(table, family, action)) {
      implied = true;
      break;
    }
  }
  return implied;
}
<span class="source-line-no">445</span><span id="line-445"></span>
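/**
 * Check if user has given action privilege in cell scope, i.e. from the ACL tag carried by the
 * cell itself.
 * <p>
 * A cell whose ACL tag cannot be parsed grants nothing: the failure is logged, with the
 * exception attached, and {@code false} is returned. This method does not fall back to table or
 * family permissions; those scopes are checked by the other methods of this class.
 * @param user user name; a {@code null} user is denied
 * @param table table name, used for logging only
 * @param cell cell to be checked; expected to be an {@link ExtendedCell}
 * @param action one of action in [Read, Write, Create, Exec, Admin]
 * @return true if user has, false otherwise
 */
public boolean authorizeCell(User user, TableName table, Cell cell, Permission.Action action) {
  // Fail closed on a missing principal, consistent with the table-scoped checks.
  if (user == null) {
    return false;
  }
  try {
    // Cell-level ACLs are carried in tags, which are only reachable through ExtendedCell.
    assert cell instanceof ExtendedCell;
    List<Permission> perms =
      PermissionStorage.getCellPermissionsForUser(user, (ExtendedCell) cell);
    if (LOG.isTraceEnabled()) {
      LOG.trace("Perms for user {} in table {} in cell {}: {}", user.getShortName(), table, cell,
        (perms != null ? perms : ""));
    }
    if (perms != null) {
      for (Permission p : perms) {
        if (p.implies(action)) {
          return true;
        }
      }
    }
  } catch (IOException e) {
    // We failed to parse the KV tag. Keep the exception on the log record so a malformed or
    // truncated tag is diagnosable, then deny at this scope.
    LOG.error("Failed parse of ACL tag in cell {}", cell, e);
  }
  return false;
}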
<span class="source-line-no">478</span><span id="line-478"></span>
/**
 * Remove given namespace from AuthManager's namespace cache.
 * <p>
 * Evicting the entry withdraws every cached grant for this namespace.
 * @param ns namespace, as raw bytes
 */
public void removeNamespace(byte[] ns) {
  String key = Bytes.toString(ns);
  namespaceCache.remove(key);
}
<span class="source-line-no">486</span><span id="line-486"></span>
/**
 * Remove given table from AuthManager's table cache.
 * <p>
 * Evicting the entry is fail-closed: table-scoped checks read the cache with
 * {@code TBL_NO_PERMISSION} as the default, so a table with no entry grants nothing.
 * @param table table name
 */
public void removeTable(TableName table) {
  tableCache.remove(table);
}
<span class="source-line-no">494</span><span id="line-494"></span>
/**
 * Last modification logical time.
 * @return the current logical modification time
 */
public long getMTime() {
  long current = mtime.get();
  return current;
}
<span class="source-line-no">501</span><span id="line-501">}</span>