| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| <html lang="en"> |
| <head> |
| <title>Source code</title> |
| <link rel="stylesheet" type="text/css" href="../../../../../../../stylesheet.css" title="Style"> |
| </head> |
| <body> |
| <div class="sourceContainer"> |
| <pre><span class="sourceLineNo">001</span>/*<a name="line.1"></a> |
| <span class="sourceLineNo">002</span> * Licensed to the Apache Software Foundation (ASF) under one<a name="line.2"></a> |
| <span class="sourceLineNo">003</span> * or more contributor license agreements. See the NOTICE file<a name="line.3"></a> |
| <span class="sourceLineNo">004</span> * distributed with this work for additional information<a name="line.4"></a> |
| <span class="sourceLineNo">005</span> * regarding copyright ownership. The ASF licenses this file<a name="line.5"></a> |
| <span class="sourceLineNo">006</span> * to you under the Apache License, Version 2.0 (the<a name="line.6"></a> |
| <span class="sourceLineNo">007</span> * "License"); you may not use this file except in compliance<a name="line.7"></a> |
| <span class="sourceLineNo">008</span> * with the License. You may obtain a copy of the License at<a name="line.8"></a> |
| <span class="sourceLineNo">009</span> *<a name="line.9"></a> |
| <span class="sourceLineNo">010</span> * http://www.apache.org/licenses/LICENSE-2.0<a name="line.10"></a> |
| <span class="sourceLineNo">011</span> *<a name="line.11"></a> |
| <span class="sourceLineNo">012</span> * Unless required by applicable law or agreed to in writing, software<a name="line.12"></a> |
| <span class="sourceLineNo">013</span> * distributed under the License is distributed on an "AS IS" BASIS,<a name="line.13"></a> |
| <span class="sourceLineNo">014</span> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.<a name="line.14"></a> |
| <span class="sourceLineNo">015</span> * See the License for the specific language governing permissions and<a name="line.15"></a> |
| <span class="sourceLineNo">016</span> * limitations under the License.<a name="line.16"></a> |
| <span class="sourceLineNo">017</span> */<a name="line.17"></a> |
| <span class="sourceLineNo">018</span>package org.apache.hadoop.hbase.security.access;<a name="line.18"></a> |
| <span class="sourceLineNo">019</span><a name="line.19"></a> |
| <span class="sourceLineNo">020</span>import java.io.IOException;<a name="line.20"></a> |
| <span class="sourceLineNo">021</span>import java.security.PrivilegedExceptionAction;<a name="line.21"></a> |
| <span class="sourceLineNo">022</span>import java.util.ArrayList;<a name="line.22"></a> |
| <span class="sourceLineNo">023</span>import java.util.Collection;<a name="line.23"></a> |
| <span class="sourceLineNo">024</span>import java.util.Collections;<a name="line.24"></a> |
| <span class="sourceLineNo">025</span>import java.util.HashMap;<a name="line.25"></a> |
| <span class="sourceLineNo">026</span>import java.util.Iterator;<a name="line.26"></a> |
| <span class="sourceLineNo">027</span>import java.util.List;<a name="line.27"></a> |
| <span class="sourceLineNo">028</span>import java.util.Map;<a name="line.28"></a> |
| <span class="sourceLineNo">029</span>import java.util.Map.Entry;<a name="line.29"></a> |
| <span class="sourceLineNo">030</span>import java.util.Optional;<a name="line.30"></a> |
| <span class="sourceLineNo">031</span>import java.util.Set;<a name="line.31"></a> |
| <span class="sourceLineNo">032</span>import java.util.TreeMap;<a name="line.32"></a> |
| <span class="sourceLineNo">033</span>import java.util.TreeSet;<a name="line.33"></a> |
| <span class="sourceLineNo">034</span>import java.util.stream.Collectors;<a name="line.34"></a> |
| <span class="sourceLineNo">035</span>import org.apache.hadoop.conf.Configuration;<a name="line.35"></a> |
| <span class="sourceLineNo">036</span>import org.apache.hadoop.hbase.ArrayBackedTag;<a name="line.36"></a> |
| <span class="sourceLineNo">037</span>import org.apache.hadoop.hbase.Cell;<a name="line.37"></a> |
| <span class="sourceLineNo">038</span>import org.apache.hadoop.hbase.CellScanner;<a name="line.38"></a> |
| <span class="sourceLineNo">039</span>import org.apache.hadoop.hbase.CellUtil;<a name="line.39"></a> |
| <span class="sourceLineNo">040</span>import org.apache.hadoop.hbase.CompareOperator;<a name="line.40"></a> |
| <span class="sourceLineNo">041</span>import org.apache.hadoop.hbase.CompoundConfiguration;<a name="line.41"></a> |
| <span class="sourceLineNo">042</span>import org.apache.hadoop.hbase.CoprocessorEnvironment;<a name="line.42"></a> |
| <span class="sourceLineNo">043</span>import org.apache.hadoop.hbase.DoNotRetryIOException;<a name="line.43"></a> |
| <span class="sourceLineNo">044</span>import org.apache.hadoop.hbase.HBaseInterfaceAudience;<a name="line.44"></a> |
| <span class="sourceLineNo">045</span>import org.apache.hadoop.hbase.HConstants;<a name="line.45"></a> |
| <span class="sourceLineNo">046</span>import org.apache.hadoop.hbase.KeyValue;<a name="line.46"></a> |
| <span class="sourceLineNo">047</span>import org.apache.hadoop.hbase.KeyValue.Type;<a name="line.47"></a> |
| <span class="sourceLineNo">048</span>import org.apache.hadoop.hbase.NamespaceDescriptor;<a name="line.48"></a> |
| <span class="sourceLineNo">049</span>import org.apache.hadoop.hbase.PrivateCellUtil;<a name="line.49"></a> |
| <span class="sourceLineNo">050</span>import org.apache.hadoop.hbase.ServerName;<a name="line.50"></a> |
| <span class="sourceLineNo">051</span>import org.apache.hadoop.hbase.TableName;<a name="line.51"></a> |
| <span class="sourceLineNo">052</span>import org.apache.hadoop.hbase.Tag;<a name="line.52"></a> |
| <span class="sourceLineNo">053</span>import org.apache.hadoop.hbase.client.Admin;<a name="line.53"></a> |
| <span class="sourceLineNo">054</span>import org.apache.hadoop.hbase.client.Append;<a name="line.54"></a> |
| <span class="sourceLineNo">055</span>import org.apache.hadoop.hbase.client.BalanceRequest;<a name="line.55"></a> |
| <span class="sourceLineNo">056</span>import org.apache.hadoop.hbase.client.ColumnFamilyDescriptor;<a name="line.56"></a> |
| <span class="sourceLineNo">057</span>import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;<a name="line.57"></a> |
| <span class="sourceLineNo">058</span>import org.apache.hadoop.hbase.client.Delete;<a name="line.58"></a> |
| <span class="sourceLineNo">059</span>import org.apache.hadoop.hbase.client.Durability;<a name="line.59"></a> |
| <span class="sourceLineNo">060</span>import org.apache.hadoop.hbase.client.Get;<a name="line.60"></a> |
| <span class="sourceLineNo">061</span>import org.apache.hadoop.hbase.client.Increment;<a name="line.61"></a> |
| <span class="sourceLineNo">062</span>import org.apache.hadoop.hbase.client.MasterSwitchType;<a name="line.62"></a> |
| <span class="sourceLineNo">063</span>import org.apache.hadoop.hbase.client.Mutation;<a name="line.63"></a> |
| <span class="sourceLineNo">064</span>import org.apache.hadoop.hbase.client.Put;<a name="line.64"></a> |
| <span class="sourceLineNo">065</span>import org.apache.hadoop.hbase.client.Query;<a name="line.65"></a> |
| <span class="sourceLineNo">066</span>import org.apache.hadoop.hbase.client.RegionInfo;<a name="line.66"></a> |
| <span class="sourceLineNo">067</span>import org.apache.hadoop.hbase.client.Result;<a name="line.67"></a> |
| <span class="sourceLineNo">068</span>import org.apache.hadoop.hbase.client.Scan;<a name="line.68"></a> |
| <span class="sourceLineNo">069</span>import org.apache.hadoop.hbase.client.SnapshotDescription;<a name="line.69"></a> |
| <span class="sourceLineNo">070</span>import org.apache.hadoop.hbase.client.Table;<a name="line.70"></a> |
| <span class="sourceLineNo">071</span>import org.apache.hadoop.hbase.client.TableDescriptor;<a name="line.71"></a> |
| <span class="sourceLineNo">072</span>import org.apache.hadoop.hbase.client.TableDescriptorBuilder;<a name="line.72"></a> |
| <span class="sourceLineNo">073</span>import org.apache.hadoop.hbase.coprocessor.BulkLoadObserver;<a name="line.73"></a> |
| <span class="sourceLineNo">074</span>import org.apache.hadoop.hbase.coprocessor.CoprocessorException;<a name="line.74"></a> |
| <span class="sourceLineNo">075</span>import org.apache.hadoop.hbase.coprocessor.CoreCoprocessor;<a name="line.75"></a> |
| <span class="sourceLineNo">076</span>import org.apache.hadoop.hbase.coprocessor.EndpointObserver;<a name="line.76"></a> |
| <span class="sourceLineNo">077</span>import org.apache.hadoop.hbase.coprocessor.HasMasterServices;<a name="line.77"></a> |
| <span class="sourceLineNo">078</span>import org.apache.hadoop.hbase.coprocessor.HasRegionServerServices;<a name="line.78"></a> |
| <span class="sourceLineNo">079</span>import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;<a name="line.79"></a> |
| <span class="sourceLineNo">080</span>import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;<a name="line.80"></a> |
| <span class="sourceLineNo">081</span>import org.apache.hadoop.hbase.coprocessor.MasterObserver;<a name="line.81"></a> |
| <span class="sourceLineNo">082</span>import org.apache.hadoop.hbase.coprocessor.ObserverContext;<a name="line.82"></a> |
| <span class="sourceLineNo">083</span>import org.apache.hadoop.hbase.coprocessor.RegionCoprocessor;<a name="line.83"></a> |
| <span class="sourceLineNo">084</span>import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;<a name="line.84"></a> |
| <span class="sourceLineNo">085</span>import org.apache.hadoop.hbase.coprocessor.RegionObserver;<a name="line.85"></a> |
| <span class="sourceLineNo">086</span>import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessor;<a name="line.86"></a> |
| <span class="sourceLineNo">087</span>import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;<a name="line.87"></a> |
| <span class="sourceLineNo">088</span>import org.apache.hadoop.hbase.coprocessor.RegionServerObserver;<a name="line.88"></a> |
| <span class="sourceLineNo">089</span>import org.apache.hadoop.hbase.filter.ByteArrayComparable;<a name="line.89"></a> |
| <span class="sourceLineNo">090</span>import org.apache.hadoop.hbase.filter.Filter;<a name="line.90"></a> |
| <span class="sourceLineNo">091</span>import org.apache.hadoop.hbase.filter.FilterList;<a name="line.91"></a> |
| <span class="sourceLineNo">092</span>import org.apache.hadoop.hbase.io.hfile.HFile;<a name="line.92"></a> |
| <span class="sourceLineNo">093</span>import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;<a name="line.93"></a> |
| <span class="sourceLineNo">094</span>import org.apache.hadoop.hbase.ipc.RpcServer;<a name="line.94"></a> |
| <span class="sourceLineNo">095</span>import org.apache.hadoop.hbase.master.MasterServices;<a name="line.95"></a> |
| <span class="sourceLineNo">096</span>import org.apache.hadoop.hbase.net.Address;<a name="line.96"></a> |
| <span class="sourceLineNo">097</span>import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;<a name="line.97"></a> |
| <span class="sourceLineNo">098</span>import org.apache.hadoop.hbase.regionserver.BloomType;<a name="line.98"></a> |
| <span class="sourceLineNo">099</span>import org.apache.hadoop.hbase.regionserver.FlushLifeCycleTracker;<a name="line.99"></a> |
| <span class="sourceLineNo">100</span>import org.apache.hadoop.hbase.regionserver.InternalScanner;<a name="line.100"></a> |
| <span class="sourceLineNo">101</span>import org.apache.hadoop.hbase.regionserver.MiniBatchOperationInProgress;<a name="line.101"></a> |
| <span class="sourceLineNo">102</span>import org.apache.hadoop.hbase.regionserver.Region;<a name="line.102"></a> |
| <span class="sourceLineNo">103</span>import org.apache.hadoop.hbase.regionserver.RegionScanner;<a name="line.103"></a> |
| <span class="sourceLineNo">104</span>import org.apache.hadoop.hbase.regionserver.RegionServerServices;<a name="line.104"></a> |
| <span class="sourceLineNo">105</span>import org.apache.hadoop.hbase.regionserver.ScanType;<a name="line.105"></a> |
| <span class="sourceLineNo">106</span>import org.apache.hadoop.hbase.regionserver.ScannerContext;<a name="line.106"></a> |
| <span class="sourceLineNo">107</span>import org.apache.hadoop.hbase.regionserver.Store;<a name="line.107"></a> |
| <span class="sourceLineNo">108</span>import org.apache.hadoop.hbase.regionserver.compactions.CompactionLifeCycleTracker;<a name="line.108"></a> |
| <span class="sourceLineNo">109</span>import org.apache.hadoop.hbase.regionserver.compactions.CompactionRequest;<a name="line.109"></a> |
| <span class="sourceLineNo">110</span>import org.apache.hadoop.hbase.replication.ReplicationEndpoint;<a name="line.110"></a> |
| <span class="sourceLineNo">111</span>import org.apache.hadoop.hbase.replication.ReplicationPeerConfig;<a name="line.111"></a> |
| <span class="sourceLineNo">112</span>import org.apache.hadoop.hbase.replication.SyncReplicationState;<a name="line.112"></a> |
| <span class="sourceLineNo">113</span>import org.apache.hadoop.hbase.security.AccessDeniedException;<a name="line.113"></a> |
| <span class="sourceLineNo">114</span>import org.apache.hadoop.hbase.security.Superusers;<a name="line.114"></a> |
| <span class="sourceLineNo">115</span>import org.apache.hadoop.hbase.security.User;<a name="line.115"></a> |
| <span class="sourceLineNo">116</span>import org.apache.hadoop.hbase.security.UserProvider;<a name="line.116"></a> |
| <span class="sourceLineNo">117</span>import org.apache.hadoop.hbase.security.access.Permission.Action;<a name="line.117"></a> |
| <span class="sourceLineNo">118</span>import org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils;<a name="line.118"></a> |
| <span class="sourceLineNo">119</span>import org.apache.hadoop.hbase.util.ByteRange;<a name="line.119"></a> |
| <span class="sourceLineNo">120</span>import org.apache.hadoop.hbase.util.Bytes;<a name="line.120"></a> |
| <span class="sourceLineNo">121</span>import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;<a name="line.121"></a> |
| <span class="sourceLineNo">122</span>import org.apache.hadoop.hbase.util.Pair;<a name="line.122"></a> |
| <span class="sourceLineNo">123</span>import org.apache.hadoop.hbase.util.SimpleMutableByteRange;<a name="line.123"></a> |
| <span class="sourceLineNo">124</span>import org.apache.hadoop.hbase.wal.WALEdit;<a name="line.124"></a> |
| <span class="sourceLineNo">125</span>import org.apache.yetus.audience.InterfaceAudience;<a name="line.125"></a> |
| <span class="sourceLineNo">126</span>import org.slf4j.Logger;<a name="line.126"></a> |
| <span class="sourceLineNo">127</span>import org.slf4j.LoggerFactory;<a name="line.127"></a> |
| <span class="sourceLineNo">128</span><a name="line.128"></a> |
| <span class="sourceLineNo">129</span>import org.apache.hbase.thirdparty.com.google.common.base.Preconditions;<a name="line.129"></a> |
| <span class="sourceLineNo">130</span>import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableSet;<a name="line.130"></a> |
| <span class="sourceLineNo">131</span>import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;<a name="line.131"></a> |
| <span class="sourceLineNo">132</span>import org.apache.hbase.thirdparty.com.google.common.collect.Lists;<a name="line.132"></a> |
| <span class="sourceLineNo">133</span>import org.apache.hbase.thirdparty.com.google.common.collect.MapMaker;<a name="line.133"></a> |
| <span class="sourceLineNo">134</span>import org.apache.hbase.thirdparty.com.google.common.collect.Maps;<a name="line.134"></a> |
| <span class="sourceLineNo">135</span>import org.apache.hbase.thirdparty.com.google.protobuf.Message;<a name="line.135"></a> |
| <span class="sourceLineNo">136</span>import org.apache.hbase.thirdparty.com.google.protobuf.RpcCallback;<a name="line.136"></a> |
| <span class="sourceLineNo">137</span>import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;<a name="line.137"></a> |
| <span class="sourceLineNo">138</span>import org.apache.hbase.thirdparty.com.google.protobuf.Service;<a name="line.138"></a> |
| <span class="sourceLineNo">139</span><a name="line.139"></a> |
| <span class="sourceLineNo">140</span>import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;<a name="line.140"></a> |
| <span class="sourceLineNo">141</span>import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;<a name="line.141"></a> |
| <span class="sourceLineNo">142</span>import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;<a name="line.142"></a> |
| <span class="sourceLineNo">143</span>import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.AccessControlService;<a name="line.143"></a> |
| <span class="sourceLineNo">144</span>import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.HasPermissionRequest;<a name="line.144"></a> |
| <span class="sourceLineNo">145</span>import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.HasPermissionResponse;<a name="line.145"></a> |
| <span class="sourceLineNo">146</span><a name="line.146"></a> |
| <span class="sourceLineNo">147</span>/**<a name="line.147"></a> |
| <span class="sourceLineNo">148</span> * Provides basic authorization checks for data access and administrative operations.<a name="line.148"></a> |
| <span class="sourceLineNo">149</span> * <p><a name="line.149"></a> |
| <span class="sourceLineNo">150</span> * {@code AccessController} performs authorization checks for HBase operations based on:<a name="line.150"></a> |
| <span class="sourceLineNo">151</span> * </p><a name="line.151"></a> |
| <span class="sourceLineNo">152</span> * <ul><a name="line.152"></a> |
| <span class="sourceLineNo">153</span> * <li>the identity of the user performing the operation</li><a name="line.153"></a> |
| <span class="sourceLineNo">154</span> * <li>the scope over which the operation is performed, in increasing specificity: global, table,<a name="line.154"></a> |
| <span class="sourceLineNo">155</span> * column family, or qualifier</li><a name="line.155"></a> |
| <span class="sourceLineNo">156</span> * <li>the type of action being performed (as mapped to {@link Permission.Action} values)</li><a name="line.156"></a> |
| <span class="sourceLineNo">157</span> * </ul><a name="line.157"></a> |
| <span class="sourceLineNo">158</span> * <p><a name="line.158"></a> |
| <span class="sourceLineNo">159</span> * If the authorization check fails, an {@link AccessDeniedException} will be thrown for the<a name="line.159"></a> |
| <span class="sourceLineNo">160</span> * operation.<a name="line.160"></a> |
| <span class="sourceLineNo">161</span> * </p><a name="line.161"></a> |
| <span class="sourceLineNo">162</span> * <p><a name="line.162"></a> |
| <span class="sourceLineNo">163</span> * To perform authorization checks, {@code AccessController} relies on the RpcServerEngine being<a name="line.163"></a> |
| <span class="sourceLineNo">164</span> * loaded to provide the user identities for remote requests.<a name="line.164"></a> |
| <span class="sourceLineNo">165</span> * </p><a name="line.165"></a> |
| <span class="sourceLineNo">166</span> * <p><a name="line.166"></a> |
| <span class="sourceLineNo">167</span> * The access control lists used for authorization can be manipulated via the exposed<a name="line.167"></a> |
| <span class="sourceLineNo">168</span> * {@link AccessControlService} Interface implementation, and the associated {@code grant},<a name="line.168"></a> |
| <span class="sourceLineNo">169</span> * {@code revoke}, and {@code user_permission} HBase shell commands.<a name="line.169"></a> |
| <span class="sourceLineNo">170</span> * </p><a name="line.170"></a> |
| <span class="sourceLineNo">171</span> */<a name="line.171"></a> |
| <span class="sourceLineNo">172</span>@CoreCoprocessor<a name="line.172"></a> |
| <span class="sourceLineNo">173</span>@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)<a name="line.173"></a> |
| <span class="sourceLineNo">174</span>public class AccessController implements MasterCoprocessor, RegionCoprocessor,<a name="line.174"></a> |
| <span class="sourceLineNo">175</span> RegionServerCoprocessor, AccessControlService.Interface, MasterObserver, RegionObserver,<a name="line.175"></a> |
| <span class="sourceLineNo">176</span> RegionServerObserver, EndpointObserver, BulkLoadObserver {<a name="line.176"></a> |
| <span class="sourceLineNo">177</span> // TODO: encapsulate observer functions into separate class/sub-class.<a name="line.177"></a> |
| <span class="sourceLineNo">178</span><a name="line.178"></a> |
| <span class="sourceLineNo">179</span> private static final Logger LOG = LoggerFactory.getLogger(AccessController.class);<a name="line.179"></a> |
| <span class="sourceLineNo">180</span><a name="line.180"></a> |
| <span class="sourceLineNo">181</span> private static final Logger AUDITLOG =<a name="line.181"></a> |
| <span class="sourceLineNo">182</span> LoggerFactory.getLogger("SecurityLogger." + AccessController.class.getName());<a name="line.182"></a> |
| <span class="sourceLineNo">183</span> private static final String CHECK_COVERING_PERM = "check_covering_perm";<a name="line.183"></a> |
| <span class="sourceLineNo">184</span> private static final String TAG_CHECK_PASSED = "tag_check_passed";<a name="line.184"></a> |
| <span class="sourceLineNo">185</span> private static final byte[] TRUE = Bytes.toBytes(true);<a name="line.185"></a> |
| <span class="sourceLineNo">186</span><a name="line.186"></a> |
| <span class="sourceLineNo">187</span> private AccessChecker accessChecker;<a name="line.187"></a> |
| <span class="sourceLineNo">188</span> private ZKPermissionWatcher zkPermissionWatcher;<a name="line.188"></a> |
| <span class="sourceLineNo">189</span><a name="line.189"></a> |
| <span class="sourceLineNo">190</span> /** flags if we are running on a region of the _acl_ table */<a name="line.190"></a> |
| <span class="sourceLineNo">191</span> private boolean aclRegion = false;<a name="line.191"></a> |
| <span class="sourceLineNo">192</span><a name="line.192"></a> |
| <span class="sourceLineNo">193</span> /**<a name="line.193"></a> |
| <span class="sourceLineNo">194</span> * defined only for Endpoint implementation, so it can have way to access region services<a name="line.194"></a> |
| <span class="sourceLineNo">195</span> */<a name="line.195"></a> |
| <span class="sourceLineNo">196</span> private RegionCoprocessorEnvironment regionEnv;<a name="line.196"></a> |
| <span class="sourceLineNo">197</span><a name="line.197"></a> |
| <span class="sourceLineNo">198</span> /** Mapping of scanner instances to the user who created them */<a name="line.198"></a> |
| <span class="sourceLineNo">199</span> private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap();<a name="line.199"></a> |
| <span class="sourceLineNo">200</span><a name="line.200"></a> |
| <span class="sourceLineNo">201</span> private Map<TableName, List<UserPermission>> tableAcls;<a name="line.201"></a> |
| <span class="sourceLineNo">202</span><a name="line.202"></a> |
| <span class="sourceLineNo">203</span> /** Provider for mapping principal names to Users */<a name="line.203"></a> |
| <span class="sourceLineNo">204</span> private UserProvider userProvider;<a name="line.204"></a> |
| <span class="sourceLineNo">205</span><a name="line.205"></a> |
| <span class="sourceLineNo">206</span> /**<a name="line.206"></a> |
| <span class="sourceLineNo">207</span> * if we are active, usually false, only true if "hbase.security.authorization" has been set to<a name="line.207"></a> |
| <span class="sourceLineNo">208</span> * true in site configuration<a name="line.208"></a> |
| <span class="sourceLineNo">209</span> */<a name="line.209"></a> |
| <span class="sourceLineNo">210</span> private boolean authorizationEnabled;<a name="line.210"></a> |
| <span class="sourceLineNo">211</span><a name="line.211"></a> |
| <span class="sourceLineNo">212</span> /** if we are able to support cell ACLs */<a name="line.212"></a> |
| <span class="sourceLineNo">213</span> private boolean cellFeaturesEnabled;<a name="line.213"></a> |
| <span class="sourceLineNo">214</span><a name="line.214"></a> |
| <span class="sourceLineNo">215</span> /** if we should check EXEC permissions */<a name="line.215"></a> |
| <span class="sourceLineNo">216</span> private boolean shouldCheckExecPermission;<a name="line.216"></a> |
| <span class="sourceLineNo">217</span><a name="line.217"></a> |
| <span class="sourceLineNo">218</span> /**<a name="line.218"></a> |
| <span class="sourceLineNo">219</span> * if we should terminate access checks early as soon as table or CF grants allow access; pre-0.98<a name="line.219"></a> |
| <span class="sourceLineNo">220</span> * compatible behavior<a name="line.220"></a> |
| <span class="sourceLineNo">221</span> */<a name="line.221"></a> |
| <span class="sourceLineNo">222</span> private boolean compatibleEarlyTermination;<a name="line.222"></a> |
| <span class="sourceLineNo">223</span><a name="line.223"></a> |
| <span class="sourceLineNo">224</span> /** if we have been successfully initialized */<a name="line.224"></a> |
| <span class="sourceLineNo">225</span> private volatile boolean initialized = false;<a name="line.225"></a> |
| <span class="sourceLineNo">226</span><a name="line.226"></a> |
| <span class="sourceLineNo">227</span> /** if the ACL table is available, only relevant in the master */<a name="line.227"></a> |
| <span class="sourceLineNo">228</span> private volatile boolean aclTabAvailable = false;<a name="line.228"></a> |
| <span class="sourceLineNo">229</span><a name="line.229"></a> |
| <span class="sourceLineNo">230</span> public static boolean isCellAuthorizationSupported(Configuration conf) {<a name="line.230"></a> |
| <span class="sourceLineNo">231</span> return AccessChecker.isAuthorizationSupported(conf)<a name="line.231"></a> |
| <span class="sourceLineNo">232</span> && (HFile.getFormatVersion(conf) >= HFile.MIN_FORMAT_VERSION_WITH_TAGS);<a name="line.232"></a> |
| <span class="sourceLineNo">233</span> }<a name="line.233"></a> |
| <span class="sourceLineNo">234</span><a name="line.234"></a> |
| <span class="sourceLineNo">235</span> public Region getRegion() {<a name="line.235"></a> |
| <span class="sourceLineNo">236</span> return regionEnv != null ? regionEnv.getRegion() : null;<a name="line.236"></a> |
| <span class="sourceLineNo">237</span> }<a name="line.237"></a> |
| <span class="sourceLineNo">238</span><a name="line.238"></a> |
| <span class="sourceLineNo">239</span> public AuthManager getAuthManager() {<a name="line.239"></a> |
| <span class="sourceLineNo">240</span> return accessChecker.getAuthManager();<a name="line.240"></a> |
| <span class="sourceLineNo">241</span> }<a name="line.241"></a> |
| <span class="sourceLineNo">242</span><a name="line.242"></a> |
| <span class="sourceLineNo">243</span> private void initialize(RegionCoprocessorEnvironment e) throws IOException {<a name="line.243"></a> |
| <span class="sourceLineNo">244</span> final Region region = e.getRegion();<a name="line.244"></a> |
| <span class="sourceLineNo">245</span> Configuration conf = e.getConfiguration();<a name="line.245"></a> |
| <span class="sourceLineNo">246</span> Map<byte[], ListMultimap<String, UserPermission>> tables = PermissionStorage.loadAll(region);<a name="line.246"></a> |
| <span class="sourceLineNo">247</span> // For each table, write out the table's permissions to the respective<a name="line.247"></a> |
| <span class="sourceLineNo">248</span> // znode for that table.<a name="line.248"></a> |
| <span class="sourceLineNo">249</span> for (Map.Entry<byte[], ListMultimap<String, UserPermission>> t : tables.entrySet()) {<a name="line.249"></a> |
| <span class="sourceLineNo">250</span> byte[] entry = t.getKey();<a name="line.250"></a> |
| <span class="sourceLineNo">251</span> ListMultimap<String, UserPermission> perms = t.getValue();<a name="line.251"></a> |
| <span class="sourceLineNo">252</span> byte[] serialized = PermissionStorage.writePermissionsAsBytes(perms, conf);<a name="line.252"></a> |
| <span class="sourceLineNo">253</span> zkPermissionWatcher.writeToZookeeper(entry, serialized);<a name="line.253"></a> |
| <span class="sourceLineNo">254</span> }<a name="line.254"></a> |
| <span class="sourceLineNo">255</span> initialized = true;<a name="line.255"></a> |
| <span class="sourceLineNo">256</span> }<a name="line.256"></a> |
| <span class="sourceLineNo">257</span><a name="line.257"></a> |
| <span class="sourceLineNo">258</span> /**<a name="line.258"></a> |
| <span class="sourceLineNo">259</span> * Writes all table ACLs for the tables in the given Map up into ZooKeeper znodes. This is called<a name="line.259"></a> |
| <span class="sourceLineNo">260</span> * to synchronize ACL changes following {@code _acl_} table updates.<a name="line.260"></a> |
| <span class="sourceLineNo">261</span> */<a name="line.261"></a> |
| <span class="sourceLineNo">262</span> private void updateACL(RegionCoprocessorEnvironment e, final Map<byte[], List<Cell>> familyMap) {<a name="line.262"></a> |
| <span class="sourceLineNo">263</span> Set<byte[]> entries = new TreeSet<>(Bytes.BYTES_RAWCOMPARATOR);<a name="line.263"></a> |
| <span class="sourceLineNo">264</span> for (Map.Entry<byte[], List<Cell>> f : familyMap.entrySet()) {<a name="line.264"></a> |
| <span class="sourceLineNo">265</span> List<Cell> cells = f.getValue();<a name="line.265"></a> |
| <span class="sourceLineNo">266</span> for (Cell cell : cells) {<a name="line.266"></a> |
| <span class="sourceLineNo">267</span> if (CellUtil.matchingFamily(cell, PermissionStorage.ACL_LIST_FAMILY)) {<a name="line.267"></a> |
| <span class="sourceLineNo">268</span> entries.add(CellUtil.cloneRow(cell));<a name="line.268"></a> |
| <span class="sourceLineNo">269</span> }<a name="line.269"></a> |
| <span class="sourceLineNo">270</span> }<a name="line.270"></a> |
| <span class="sourceLineNo">271</span> }<a name="line.271"></a> |
| <span class="sourceLineNo">272</span> Configuration conf = regionEnv.getConfiguration();<a name="line.272"></a> |
| <span class="sourceLineNo">273</span> byte[] currentEntry = null;<a name="line.273"></a> |
| <span class="sourceLineNo">274</span> // TODO: Here we are already on the ACL region. (And it is single<a name="line.274"></a> |
| <span class="sourceLineNo">275</span> // region) We can even just get the region from the env and do get<a name="line.275"></a> |
| <span class="sourceLineNo">276</span> // directly. The short circuit connection would avoid the RPC overhead<a name="line.276"></a> |
| <span class="sourceLineNo">277</span> // so no socket communication, req write/read .. But we have the PB<a name="line.277"></a> |
| <span class="sourceLineNo">278</span> // to and fro conversion overhead. get req is converted to PB req<a name="line.278"></a> |
| <span class="sourceLineNo">279</span> // and results are converted to PB results 1st and then to POJOs<a name="line.279"></a> |
| <span class="sourceLineNo">280</span> // again. We could have avoided such at least in ACL table context..<a name="line.280"></a> |
| <span class="sourceLineNo">281</span> try (Table t = e.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {<a name="line.281"></a> |
| <span class="sourceLineNo">282</span> for (byte[] entry : entries) {<a name="line.282"></a> |
| <span class="sourceLineNo">283</span> currentEntry = entry;<a name="line.283"></a> |
| <span class="sourceLineNo">284</span> ListMultimap<String, UserPermission> perms =<a name="line.284"></a> |
| <span class="sourceLineNo">285</span> PermissionStorage.getPermissions(conf, entry, t, null, null, null, false);<a name="line.285"></a> |
| <span class="sourceLineNo">286</span> byte[] serialized = PermissionStorage.writePermissionsAsBytes(perms, conf);<a name="line.286"></a> |
| <span class="sourceLineNo">287</span> zkPermissionWatcher.writeToZookeeper(entry, serialized);<a name="line.287"></a> |
| <span class="sourceLineNo">288</span> }<a name="line.288"></a> |
| <span class="sourceLineNo">289</span> } catch (IOException ex) {<a name="line.289"></a> |
| <span class="sourceLineNo">290</span> LOG.error("Failed updating permissions mirror for '"<a name="line.290"></a> |
| <span class="sourceLineNo">291</span> + (currentEntry == null ? "null" : Bytes.toString(currentEntry)) + "'", ex);<a name="line.291"></a> |
| <span class="sourceLineNo">292</span> }<a name="line.292"></a> |
| <span class="sourceLineNo">293</span> }<a name="line.293"></a> |
| <span class="sourceLineNo">294</span><a name="line.294"></a> |
| <span class="sourceLineNo">295</span> /**<a name="line.295"></a> |
| <span class="sourceLineNo">296</span> * Check the current user for authorization to perform a specific action against the given set of<a name="line.296"></a> |
| <span class="sourceLineNo">297</span> * row data.<a name="line.297"></a> |
| <span class="sourceLineNo">298</span> * @param opType the operation type<a name="line.298"></a> |
| <span class="sourceLineNo">299</span> * @param user the user<a name="line.299"></a> |
| <span class="sourceLineNo">300</span> * @param e the coprocessor environment<a name="line.300"></a> |
| <span class="sourceLineNo">301</span> * @param families the map of column families to qualifiers present in the request<a name="line.301"></a> |
| <span class="sourceLineNo">302</span> * @param actions the desired actions<a name="line.302"></a> |
| <span class="sourceLineNo">303</span> * @return an authorization result<a name="line.303"></a> |
| <span class="sourceLineNo">304</span> */<a name="line.304"></a> |
| <span class="sourceLineNo">305</span> private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,<a name="line.305"></a> |
| <span class="sourceLineNo">306</span> Map<byte[], ? extends Collection<?>> families, Action... actions) {<a name="line.306"></a> |
| <span class="sourceLineNo">307</span> AuthResult result = null;<a name="line.307"></a> |
| <span class="sourceLineNo">308</span> for (Action action : actions) {<a name="line.308"></a> |
| <span class="sourceLineNo">309</span> result = accessChecker.permissionGranted(opType.toString(), user, action,<a name="line.309"></a> |
| <span class="sourceLineNo">310</span> e.getRegion().getRegionInfo().getTable(), families);<a name="line.310"></a> |
| <span class="sourceLineNo">311</span> if (!result.isAllowed()) {<a name="line.311"></a> |
| <span class="sourceLineNo">312</span> return result;<a name="line.312"></a> |
| <span class="sourceLineNo">313</span> }<a name="line.313"></a> |
| <span class="sourceLineNo">314</span> }<a name="line.314"></a> |
| <span class="sourceLineNo">315</span> return result;<a name="line.315"></a> |
| <span class="sourceLineNo">316</span> }<a name="line.316"></a> |
| <span class="sourceLineNo">317</span><a name="line.317"></a> |
| <span class="sourceLineNo">318</span> public void requireAccess(ObserverContext<?> ctx, String request, TableName tableName,<a name="line.318"></a> |
| <span class="sourceLineNo">319</span> Action... permissions) throws IOException {<a name="line.319"></a> |
| <span class="sourceLineNo">320</span> accessChecker.requireAccess(getActiveUser(ctx), request, tableName, permissions);<a name="line.320"></a> |
| <span class="sourceLineNo">321</span> }<a name="line.321"></a> |
| <span class="sourceLineNo">322</span><a name="line.322"></a> |
| <span class="sourceLineNo">323</span> public void requirePermission(ObserverContext<?> ctx, String request, Action perm)<a name="line.323"></a> |
| <span class="sourceLineNo">324</span> throws IOException {<a name="line.324"></a> |
| <span class="sourceLineNo">325</span> accessChecker.requirePermission(getActiveUser(ctx), request, null, perm);<a name="line.325"></a> |
| <span class="sourceLineNo">326</span> }<a name="line.326"></a> |
| <span class="sourceLineNo">327</span><a name="line.327"></a> |
| <span class="sourceLineNo">328</span> public void requireGlobalPermission(ObserverContext<?> ctx, String request, Action perm,<a name="line.328"></a> |
| <span class="sourceLineNo">329</span> TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {<a name="line.329"></a> |
| <span class="sourceLineNo">330</span> accessChecker.requireGlobalPermission(getActiveUser(ctx), request, perm, tableName, familyMap,<a name="line.330"></a> |
| <span class="sourceLineNo">331</span> null);<a name="line.331"></a> |
| <span class="sourceLineNo">332</span> }<a name="line.332"></a> |
| <span class="sourceLineNo">333</span><a name="line.333"></a> |
| <span class="sourceLineNo">334</span> public void requireGlobalPermission(ObserverContext<?> ctx, String request, Action perm,<a name="line.334"></a> |
| <span class="sourceLineNo">335</span> String namespace) throws IOException {<a name="line.335"></a> |
| <span class="sourceLineNo">336</span> accessChecker.requireGlobalPermission(getActiveUser(ctx), request, perm, namespace);<a name="line.336"></a> |
| <span class="sourceLineNo">337</span> }<a name="line.337"></a> |
| <span class="sourceLineNo">338</span><a name="line.338"></a> |
| <span class="sourceLineNo">339</span> public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,<a name="line.339"></a> |
| <span class="sourceLineNo">340</span> Action... permissions) throws IOException {<a name="line.340"></a> |
| <span class="sourceLineNo">341</span> accessChecker.requireNamespacePermission(getActiveUser(ctx), request, namespace, null,<a name="line.341"></a> |
| <span class="sourceLineNo">342</span> permissions);<a name="line.342"></a> |
| <span class="sourceLineNo">343</span> }<a name="line.343"></a> |
| <span class="sourceLineNo">344</span><a name="line.344"></a> |
| <span class="sourceLineNo">345</span> public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,<a name="line.345"></a> |
| <span class="sourceLineNo">346</span> TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, Action... permissions)<a name="line.346"></a> |
| <span class="sourceLineNo">347</span> throws IOException {<a name="line.347"></a> |
| <span class="sourceLineNo">348</span> accessChecker.requireNamespacePermission(getActiveUser(ctx), request, namespace, tableName,<a name="line.348"></a> |
| <span class="sourceLineNo">349</span> familyMap, permissions);<a name="line.349"></a> |
| <span class="sourceLineNo">350</span> }<a name="line.350"></a> |
| <span class="sourceLineNo">351</span><a name="line.351"></a> |
| <span class="sourceLineNo">352</span> public void requirePermission(ObserverContext<?> ctx, String request, TableName tableName,<a name="line.352"></a> |
| <span class="sourceLineNo">353</span> byte[] family, byte[] qualifier, Action... permissions) throws IOException {<a name="line.353"></a> |
| <span class="sourceLineNo">354</span> accessChecker.requirePermission(getActiveUser(ctx), request, tableName, family, qualifier, null,<a name="line.354"></a> |
| <span class="sourceLineNo">355</span> permissions);<a name="line.355"></a> |
| <span class="sourceLineNo">356</span> }<a name="line.356"></a> |
| <span class="sourceLineNo">357</span><a name="line.357"></a> |
| <span class="sourceLineNo">358</span> public void requireTablePermission(ObserverContext<?> ctx, String request, TableName tableName,<a name="line.358"></a> |
| <span class="sourceLineNo">359</span> byte[] family, byte[] qualifier, Action... permissions) throws IOException {<a name="line.359"></a> |
| <span class="sourceLineNo">360</span> accessChecker.requireTablePermission(getActiveUser(ctx), request, tableName, family, qualifier,<a name="line.360"></a> |
| <span class="sourceLineNo">361</span> permissions);<a name="line.361"></a> |
| <span class="sourceLineNo">362</span> }<a name="line.362"></a> |
| <span class="sourceLineNo">363</span><a name="line.363"></a> |
| <span class="sourceLineNo">364</span> public void checkLockPermissions(ObserverContext<?> ctx, String namespace, TableName tableName,<a name="line.364"></a> |
| <span class="sourceLineNo">365</span> RegionInfo[] regionInfos, String reason) throws IOException {<a name="line.365"></a> |
| <span class="sourceLineNo">366</span> accessChecker.checkLockPermissions(getActiveUser(ctx), namespace, tableName, regionInfos,<a name="line.366"></a> |
| <span class="sourceLineNo">367</span> reason);<a name="line.367"></a> |
| <span class="sourceLineNo">368</span> }<a name="line.368"></a> |
| <span class="sourceLineNo">369</span><a name="line.369"></a> |
| <span class="sourceLineNo">370</span> /**<a name="line.370"></a> |
| <span class="sourceLineNo">371</span> * Returns <code>true</code> if the current user is allowed the given action over at least one of<a name="line.371"></a> |
| <span class="sourceLineNo">372</span> * the column qualifiers in the given column families.<a name="line.372"></a> |
| <span class="sourceLineNo">373</span> */<a name="line.373"></a> |
| <span class="sourceLineNo">374</span> private boolean hasFamilyQualifierPermission(User user, Action perm,<a name="line.374"></a> |
| <span class="sourceLineNo">375</span> RegionCoprocessorEnvironment env, Map<byte[], ? extends Collection<byte[]>> familyMap)<a name="line.375"></a> |
| <span class="sourceLineNo">376</span> throws IOException {<a name="line.376"></a> |
| <span class="sourceLineNo">377</span> RegionInfo hri = env.getRegion().getRegionInfo();<a name="line.377"></a> |
| <span class="sourceLineNo">378</span> TableName tableName = hri.getTable();<a name="line.378"></a> |
| <span class="sourceLineNo">379</span><a name="line.379"></a> |
| <span class="sourceLineNo">380</span> if (user == null) {<a name="line.380"></a> |
| <span class="sourceLineNo">381</span> return false;<a name="line.381"></a> |
| <span class="sourceLineNo">382</span> }<a name="line.382"></a> |
| <span class="sourceLineNo">383</span><a name="line.383"></a> |
| <span class="sourceLineNo">384</span> if (familyMap != null && familyMap.size() > 0) {<a name="line.384"></a> |
| <span class="sourceLineNo">385</span> // at least one family must be allowed<a name="line.385"></a> |
| <span class="sourceLineNo">386</span> for (Map.Entry<byte[], ? extends Collection<byte[]>> family : familyMap.entrySet()) {<a name="line.386"></a> |
| <span class="sourceLineNo">387</span> if (family.getValue() != null && !family.getValue().isEmpty()) {<a name="line.387"></a> |
| <span class="sourceLineNo">388</span> for (byte[] qualifier : family.getValue()) {<a name="line.388"></a> |
| <span class="sourceLineNo">389</span> if (<a name="line.389"></a> |
| <span class="sourceLineNo">390</span> getAuthManager().authorizeUserTable(user, tableName, family.getKey(), qualifier, perm)<a name="line.390"></a> |
| <span class="sourceLineNo">391</span> ) {<a name="line.391"></a> |
| <span class="sourceLineNo">392</span> return true;<a name="line.392"></a> |
| <span class="sourceLineNo">393</span> }<a name="line.393"></a> |
| <span class="sourceLineNo">394</span> }<a name="line.394"></a> |
| <span class="sourceLineNo">395</span> } else {<a name="line.395"></a> |
| <span class="sourceLineNo">396</span> if (getAuthManager().authorizeUserFamily(user, tableName, family.getKey(), perm)) {<a name="line.396"></a> |
| <span class="sourceLineNo">397</span> return true;<a name="line.397"></a> |
| <span class="sourceLineNo">398</span> }<a name="line.398"></a> |
| <span class="sourceLineNo">399</span> }<a name="line.399"></a> |
| <span class="sourceLineNo">400</span> }<a name="line.400"></a> |
| <span class="sourceLineNo">401</span> } else if (LOG.isDebugEnabled()) {<a name="line.401"></a> |
| <span class="sourceLineNo">402</span> LOG.debug("Empty family map passed for permission check");<a name="line.402"></a> |
| <span class="sourceLineNo">403</span> }<a name="line.403"></a> |
| <span class="sourceLineNo">404</span><a name="line.404"></a> |
| <span class="sourceLineNo">405</span> return false;<a name="line.405"></a> |
| <span class="sourceLineNo">406</span> }<a name="line.406"></a> |
| <span class="sourceLineNo">407</span><a name="line.407"></a> |
| <span class="sourceLineNo">408</span> private enum OpType {<a name="line.408"></a> |
| <span class="sourceLineNo">409</span> GET("get"),<a name="line.409"></a> |
| <span class="sourceLineNo">410</span> EXISTS("exists"),<a name="line.410"></a> |
| <span class="sourceLineNo">411</span> SCAN("scan"),<a name="line.411"></a> |
| <span class="sourceLineNo">412</span> PUT("put"),<a name="line.412"></a> |
| <span class="sourceLineNo">413</span> DELETE("delete"),<a name="line.413"></a> |
| <span class="sourceLineNo">414</span> CHECK_AND_PUT("checkAndPut"),<a name="line.414"></a> |
| <span class="sourceLineNo">415</span> CHECK_AND_DELETE("checkAndDelete"),<a name="line.415"></a> |
| <span class="sourceLineNo">416</span> APPEND("append"),<a name="line.416"></a> |
| <span class="sourceLineNo">417</span> INCREMENT("increment");<a name="line.417"></a> |
| <span class="sourceLineNo">418</span><a name="line.418"></a> |
| <span class="sourceLineNo">419</span> private String type;<a name="line.419"></a> |
| <span class="sourceLineNo">420</span><a name="line.420"></a> |
| <span class="sourceLineNo">421</span> private OpType(String type) {<a name="line.421"></a> |
| <span class="sourceLineNo">422</span> this.type = type;<a name="line.422"></a> |
| <span class="sourceLineNo">423</span> }<a name="line.423"></a> |
| <span class="sourceLineNo">424</span><a name="line.424"></a> |
| <span class="sourceLineNo">425</span> @Override<a name="line.425"></a> |
| <span class="sourceLineNo">426</span> public String toString() {<a name="line.426"></a> |
| <span class="sourceLineNo">427</span> return type;<a name="line.427"></a> |
| <span class="sourceLineNo">428</span> }<a name="line.428"></a> |
| <span class="sourceLineNo">429</span> }<a name="line.429"></a> |
| <span class="sourceLineNo">430</span><a name="line.430"></a> |
| <span class="sourceLineNo">431</span> /**<a name="line.431"></a> |
| <span class="sourceLineNo">432</span> * Determine if cell ACLs covered by the operation grant access. This is expensive.<a name="line.432"></a> |
| <span class="sourceLineNo">433</span> * @return false if cell ACLs failed to grant access, true otherwise<a name="line.433"></a> |
| <span class="sourceLineNo">434</span> */<a name="line.434"></a> |
| <span class="sourceLineNo">435</span> private boolean checkCoveringPermission(User user, OpType request, RegionCoprocessorEnvironment e,<a name="line.435"></a> |
| <span class="sourceLineNo">436</span> byte[] row, Map<byte[], ? extends Collection<?>> familyMap, long opTs, Action... actions)<a name="line.436"></a> |
| <span class="sourceLineNo">437</span> throws IOException {<a name="line.437"></a> |
| <span class="sourceLineNo">438</span> if (!cellFeaturesEnabled) {<a name="line.438"></a> |
| <span class="sourceLineNo">439</span> return false;<a name="line.439"></a> |
| <span class="sourceLineNo">440</span> }<a name="line.440"></a> |
| <span class="sourceLineNo">441</span> long cellGrants = 0;<a name="line.441"></a> |
| <span class="sourceLineNo">442</span> long latestCellTs = 0;<a name="line.442"></a> |
| <span class="sourceLineNo">443</span> Get get = new Get(row);<a name="line.443"></a> |
| <span class="sourceLineNo">444</span> // Only in case of Put/Delete op, consider TS within cell (if set for individual cells).<a name="line.444"></a> |
| <span class="sourceLineNo">445</span> // When every cell, within a Mutation, can be linked with diff TS we can not rely on only one<a name="line.445"></a> |
| <span class="sourceLineNo">446</span> // version. We have to get every cell version and check its TS against the TS asked for in<a name="line.446"></a> |
| <span class="sourceLineNo">447</span> // Mutation and skip those Cells which is outside this Mutation TS.In case of Put, we have to<a name="line.447"></a> |
| <span class="sourceLineNo">448</span> // consider only one such passing cell. In case of Delete we have to consider all the cell<a name="line.448"></a> |
| <span class="sourceLineNo">449</span> // versions under this passing version. When Delete Mutation contains columns which are a<a name="line.449"></a> |
| <span class="sourceLineNo">450</span> // version delete just consider only one version for those column cells.<a name="line.450"></a> |
| <span class="sourceLineNo">451</span> boolean considerCellTs = (request == OpType.PUT || request == OpType.DELETE);<a name="line.451"></a> |
| <span class="sourceLineNo">452</span> if (considerCellTs) {<a name="line.452"></a> |
| <span class="sourceLineNo">453</span> get.readAllVersions();<a name="line.453"></a> |
| <span class="sourceLineNo">454</span> } else {<a name="line.454"></a> |
| <span class="sourceLineNo">455</span> get.readVersions(1);<a name="line.455"></a> |
| <span class="sourceLineNo">456</span> }<a name="line.456"></a> |
| <span class="sourceLineNo">457</span> boolean diffCellTsFromOpTs = false;<a name="line.457"></a> |
| <span class="sourceLineNo">458</span> for (Map.Entry<byte[], ? extends Collection<?>> entry : familyMap.entrySet()) {<a name="line.458"></a> |
| <span class="sourceLineNo">459</span> byte[] col = entry.getKey();<a name="line.459"></a> |
| <span class="sourceLineNo">460</span> // TODO: HBASE-7114 could possibly unify the collection type in family<a name="line.460"></a> |
| <span class="sourceLineNo">461</span> // maps so we would not need to do this<a name="line.461"></a> |
| <span class="sourceLineNo">462</span> if (entry.getValue() instanceof Set) {<a name="line.462"></a> |
| <span class="sourceLineNo">463</span> Set<byte[]> set = (Set<byte[]>) entry.getValue();<a name="line.463"></a> |
| <span class="sourceLineNo">464</span> if (set == null || set.isEmpty()) {<a name="line.464"></a> |
| <span class="sourceLineNo">465</span> get.addFamily(col);<a name="line.465"></a> |
| <span class="sourceLineNo">466</span> } else {<a name="line.466"></a> |
| <span class="sourceLineNo">467</span> for (byte[] qual : set) {<a name="line.467"></a> |
| <span class="sourceLineNo">468</span> get.addColumn(col, qual);<a name="line.468"></a> |
| <span class="sourceLineNo">469</span> }<a name="line.469"></a> |
| <span class="sourceLineNo">470</span> }<a name="line.470"></a> |
| <span class="sourceLineNo">471</span> } else if (entry.getValue() instanceof List) {<a name="line.471"></a> |
| <span class="sourceLineNo">472</span> List<Cell> list = (List<Cell>) entry.getValue();<a name="line.472"></a> |
| <span class="sourceLineNo">473</span> if (list == null || list.isEmpty()) {<a name="line.473"></a> |
| <span class="sourceLineNo">474</span> get.addFamily(col);<a name="line.474"></a> |
| <span class="sourceLineNo">475</span> } else {<a name="line.475"></a> |
| <span class="sourceLineNo">476</span> // In case of family delete, a Cell will be added into the list with Qualifier as null.<a name="line.476"></a> |
| <span class="sourceLineNo">477</span> for (Cell cell : list) {<a name="line.477"></a> |
| <span class="sourceLineNo">478</span> if (<a name="line.478"></a> |
| <span class="sourceLineNo">479</span> cell.getQualifierLength() == 0 && (cell.getTypeByte() == Type.DeleteFamily.getCode()<a name="line.479"></a> |
| <span class="sourceLineNo">480</span> || cell.getTypeByte() == Type.DeleteFamilyVersion.getCode())<a name="line.480"></a> |
| <span class="sourceLineNo">481</span> ) {<a name="line.481"></a> |
| <span class="sourceLineNo">482</span> get.addFamily(col);<a name="line.482"></a> |
| <span class="sourceLineNo">483</span> } else {<a name="line.483"></a> |
| <span class="sourceLineNo">484</span> get.addColumn(col, CellUtil.cloneQualifier(cell));<a name="line.484"></a> |
| <span class="sourceLineNo">485</span> }<a name="line.485"></a> |
| <span class="sourceLineNo">486</span> if (considerCellTs) {<a name="line.486"></a> |
| <span class="sourceLineNo">487</span> long cellTs = cell.getTimestamp();<a name="line.487"></a> |
| <span class="sourceLineNo">488</span> latestCellTs = Math.max(latestCellTs, cellTs);<a name="line.488"></a> |
| <span class="sourceLineNo">489</span> diffCellTsFromOpTs = diffCellTsFromOpTs || (opTs != cellTs);<a name="line.489"></a> |
| <span class="sourceLineNo">490</span> }<a name="line.490"></a> |
| <span class="sourceLineNo">491</span> }<a name="line.491"></a> |
| <span class="sourceLineNo">492</span> }<a name="line.492"></a> |
| <span class="sourceLineNo">493</span> } else if (entry.getValue() == null) {<a name="line.493"></a> |
| <span class="sourceLineNo">494</span> get.addFamily(col);<a name="line.494"></a> |
| <span class="sourceLineNo">495</span> } else {<a name="line.495"></a> |
| <span class="sourceLineNo">496</span> throw new RuntimeException(<a name="line.496"></a> |
| <span class="sourceLineNo">497</span> "Unhandled collection type " + entry.getValue().getClass().getName());<a name="line.497"></a> |
| <span class="sourceLineNo">498</span> }<a name="line.498"></a> |
| <span class="sourceLineNo">499</span> }<a name="line.499"></a> |
| <span class="sourceLineNo">500</span> // We want to avoid looking into the future. So, if the cells of the<a name="line.500"></a> |
| <span class="sourceLineNo">501</span> // operation specify a timestamp, or the operation itself specifies a<a name="line.501"></a> |
| <span class="sourceLineNo">502</span> // timestamp, then we use the maximum ts found. Otherwise, we bound<a name="line.502"></a> |
| <span class="sourceLineNo">503</span> // the Get to the current server time. We add 1 to the timerange since<a name="line.503"></a> |
| <span class="sourceLineNo">504</span> // the upper bound of a timerange is exclusive yet we need to examine<a name="line.504"></a> |
| <span class="sourceLineNo">505</span> // any cells found there inclusively.<a name="line.505"></a> |
| <span class="sourceLineNo">506</span> long latestTs = Math.max(opTs, latestCellTs);<a name="line.506"></a> |
| <span class="sourceLineNo">507</span> if (latestTs == 0 || latestTs == HConstants.LATEST_TIMESTAMP) {<a name="line.507"></a> |
| <span class="sourceLineNo">508</span> latestTs = EnvironmentEdgeManager.currentTime();<a name="line.508"></a> |
| <span class="sourceLineNo">509</span> }<a name="line.509"></a> |
| <span class="sourceLineNo">510</span> get.setTimeRange(0, latestTs + 1);<a name="line.510"></a> |
| <span class="sourceLineNo">511</span> // In case of Put operation we set to read all versions. This was done to consider the case<a name="line.511"></a> |
| <span class="sourceLineNo">512</span> // where columns are added with TS other than the Mutation TS. But normally this wont be the<a name="line.512"></a> |
| <span class="sourceLineNo">513</span> // case with Put. There no need to get all versions but get latest version only.<a name="line.513"></a> |
| <span class="sourceLineNo">514</span> if (!diffCellTsFromOpTs && request == OpType.PUT) {<a name="line.514"></a> |
| <span class="sourceLineNo">515</span> get.readVersions(1);<a name="line.515"></a> |
| <span class="sourceLineNo">516</span> }<a name="line.516"></a> |
| <span class="sourceLineNo">517</span> if (LOG.isTraceEnabled()) {<a name="line.517"></a> |
| <span class="sourceLineNo">518</span> LOG.trace("Scanning for cells with " + get);<a name="line.518"></a> |
| <span class="sourceLineNo">519</span> }<a name="line.519"></a> |
| <span class="sourceLineNo">520</span> // This Map is identical to familyMap. The key is a BR rather than byte[].<a name="line.520"></a> |
| <span class="sourceLineNo">521</span> // It will be easy to do gets over this new Map as we can create get keys over the Cell cf by<a name="line.521"></a> |
| <span class="sourceLineNo">522</span> // new SimpleByteRange(cell.familyArray, cell.familyOffset, cell.familyLen)<a name="line.522"></a> |
| <span class="sourceLineNo">523</span> Map<ByteRange, List<Cell>> familyMap1 = new HashMap<>();<a name="line.523"></a> |
| <span class="sourceLineNo">524</span> for (Entry<byte[], ? extends Collection<?>> entry : familyMap.entrySet()) {<a name="line.524"></a> |
| <span class="sourceLineNo">525</span> if (entry.getValue() instanceof List) {<a name="line.525"></a> |
| <span class="sourceLineNo">526</span> familyMap1.put(new SimpleMutableByteRange(entry.getKey()), (List<Cell>) entry.getValue());<a name="line.526"></a> |
| <span class="sourceLineNo">527</span> }<a name="line.527"></a> |
| <span class="sourceLineNo">528</span> }<a name="line.528"></a> |
| <span class="sourceLineNo">529</span> RegionScanner scanner = getRegion(e).getScanner(new Scan(get));<a name="line.529"></a> |
| <span class="sourceLineNo">530</span> List<Cell> cells = Lists.newArrayList();<a name="line.530"></a> |
| <span class="sourceLineNo">531</span> Cell prevCell = null;<a name="line.531"></a> |
| <span class="sourceLineNo">532</span> ByteRange curFam = new SimpleMutableByteRange();<a name="line.532"></a> |
| <span class="sourceLineNo">533</span> boolean curColAllVersions = (request == OpType.DELETE);<a name="line.533"></a> |
| <span class="sourceLineNo">534</span> long curColCheckTs = opTs;<a name="line.534"></a> |
| <span class="sourceLineNo">535</span> boolean foundColumn = false;<a name="line.535"></a> |
| <span class="sourceLineNo">536</span> try {<a name="line.536"></a> |
| <span class="sourceLineNo">537</span> boolean more = false;<a name="line.537"></a> |
| <span class="sourceLineNo">538</span> ScannerContext scannerContext = ScannerContext.newBuilder().setBatchLimit(1).build();<a name="line.538"></a> |
| <span class="sourceLineNo">539</span><a name="line.539"></a> |
| <span class="sourceLineNo">540</span> do {<a name="line.540"></a> |
| <span class="sourceLineNo">541</span> cells.clear();<a name="line.541"></a> |
| <span class="sourceLineNo">542</span> // scan with limit as 1 to hold down memory use on wide rows<a name="line.542"></a> |
| <span class="sourceLineNo">543</span> more = scanner.next(cells, scannerContext);<a name="line.543"></a> |
| <span class="sourceLineNo">544</span> for (Cell cell : cells) {<a name="line.544"></a> |
| <span class="sourceLineNo">545</span> if (LOG.isTraceEnabled()) {<a name="line.545"></a> |
| <span class="sourceLineNo">546</span> LOG.trace("Found cell " + cell);<a name="line.546"></a> |
| <span class="sourceLineNo">547</span> }<a name="line.547"></a> |
| <span class="sourceLineNo">548</span> boolean colChange = prevCell == null || !CellUtil.matchingColumn(prevCell, cell);<a name="line.548"></a> |
| <span class="sourceLineNo">549</span> if (colChange) foundColumn = false;<a name="line.549"></a> |
| <span class="sourceLineNo">550</span> prevCell = cell;<a name="line.550"></a> |
| <span class="sourceLineNo">551</span> if (!curColAllVersions && foundColumn) {<a name="line.551"></a> |
| <span class="sourceLineNo">552</span> continue;<a name="line.552"></a> |
| <span class="sourceLineNo">553</span> }<a name="line.553"></a> |
| <span class="sourceLineNo">554</span> if (colChange && considerCellTs) {<a name="line.554"></a> |
| <span class="sourceLineNo">555</span> curFam.set(cell.getFamilyArray(), cell.getFamilyOffset(), cell.getFamilyLength());<a name="line.555"></a> |
| <span class="sourceLineNo">556</span> List<Cell> cols = familyMap1.get(curFam);<a name="line.556"></a> |
| <span class="sourceLineNo">557</span> for (Cell col : cols) {<a name="line.557"></a> |
| <span class="sourceLineNo">558</span> // null/empty qualifier is used to denote a Family delete. The TS and delete type<a name="line.558"></a> |
| <span class="sourceLineNo">559</span> // associated with this is applicable for all columns within the family. That is<a name="line.559"></a> |
| <span class="sourceLineNo">560</span> // why the below (col.getQualifierLength() == 0) check.<a name="line.560"></a> |
| <span class="sourceLineNo">561</span> if (<a name="line.561"></a> |
| <span class="sourceLineNo">562</span> (col.getQualifierLength() == 0 && request == OpType.DELETE)<a name="line.562"></a> |
| <span class="sourceLineNo">563</span> || CellUtil.matchingQualifier(cell, col)<a name="line.563"></a> |
| <span class="sourceLineNo">564</span> ) {<a name="line.564"></a> |
| <span class="sourceLineNo">565</span> byte type = col.getTypeByte();<a name="line.565"></a> |
| <span class="sourceLineNo">566</span> if (considerCellTs) {<a name="line.566"></a> |
| <span class="sourceLineNo">567</span> curColCheckTs = col.getTimestamp();<a name="line.567"></a> |
| <span class="sourceLineNo">568</span> }<a name="line.568"></a> |
| <span class="sourceLineNo">569</span> // For a Delete op we pass allVersions as true. When a Delete Mutation contains<a name="line.569"></a> |
| <span class="sourceLineNo">570</span> // a version delete for a column no need to check all the covering cells within<a name="line.570"></a> |
| <span class="sourceLineNo">571</span> // that column. Check all versions when Type is DeleteColumn or DeleteFamily<a name="line.571"></a> |
| <span class="sourceLineNo">572</span> // One version delete types are Delete/DeleteFamilyVersion<a name="line.572"></a> |
| <span class="sourceLineNo">573</span> curColAllVersions = (KeyValue.Type.DeleteColumn.getCode() == type)<a name="line.573"></a> |
| <span class="sourceLineNo">574</span> || (KeyValue.Type.DeleteFamily.getCode() == type);<a name="line.574"></a> |
| <span class="sourceLineNo">575</span> break;<a name="line.575"></a> |
| <span class="sourceLineNo">576</span> }<a name="line.576"></a> |
| <span class="sourceLineNo">577</span> }<a name="line.577"></a> |
| <span class="sourceLineNo">578</span> }<a name="line.578"></a> |
| <span class="sourceLineNo">579</span> if (cell.getTimestamp() > curColCheckTs) {<a name="line.579"></a> |
| <span class="sourceLineNo">580</span> // Just ignore this cell. This is not a covering cell.<a name="line.580"></a> |
| <span class="sourceLineNo">581</span> continue;<a name="line.581"></a> |
| <span class="sourceLineNo">582</span> }<a name="line.582"></a> |
| <span class="sourceLineNo">583</span> foundColumn = true;<a name="line.583"></a> |
| <span class="sourceLineNo">584</span> for (Action action : actions) {<a name="line.584"></a> |
| <span class="sourceLineNo">585</span> // Are there permissions for this user for the cell?<a name="line.585"></a> |
| <span class="sourceLineNo">586</span> if (!getAuthManager().authorizeCell(user, getTableName(e), cell, action)) {<a name="line.586"></a> |
| <span class="sourceLineNo">587</span> // We can stop if the cell ACL denies access<a name="line.587"></a> |
| <span class="sourceLineNo">588</span> return false;<a name="line.588"></a> |
| <span class="sourceLineNo">589</span> }<a name="line.589"></a> |
| <span class="sourceLineNo">590</span> }<a name="line.590"></a> |
| <span class="sourceLineNo">591</span> cellGrants++;<a name="line.591"></a> |
| <span class="sourceLineNo">592</span> }<a name="line.592"></a> |
| <span class="sourceLineNo">593</span> } while (more);<a name="line.593"></a> |
| <span class="sourceLineNo">594</span> } catch (AccessDeniedException ex) {<a name="line.594"></a> |
| <span class="sourceLineNo">595</span> throw ex;<a name="line.595"></a> |
| <span class="sourceLineNo">596</span> } catch (IOException ex) {<a name="line.596"></a> |
| <span class="sourceLineNo">597</span> LOG.error("Exception while getting cells to calculate covering permission", ex);<a name="line.597"></a> |
| <span class="sourceLineNo">598</span> } finally {<a name="line.598"></a> |
| <span class="sourceLineNo">599</span> scanner.close();<a name="line.599"></a> |
| <span class="sourceLineNo">600</span> }<a name="line.600"></a> |
| <span class="sourceLineNo">601</span> // We should not authorize unless we have found one or more cell ACLs that<a name="line.601"></a> |
| <span class="sourceLineNo">602</span> // grant access. This code is used to check for additional permissions<a name="line.602"></a> |
| <span class="sourceLineNo">603</span> // after no table or CF grants are found.<a name="line.603"></a> |
| <span class="sourceLineNo">604</span> return cellGrants > 0;<a name="line.604"></a> |
| <span class="sourceLineNo">605</span> }<a name="line.605"></a> |
| <span class="sourceLineNo">606</span><a name="line.606"></a> |
| <span class="sourceLineNo">607</span> private static void addCellPermissions(final byte[] perms, Map<byte[], List<Cell>> familyMap) {<a name="line.607"></a> |
| <span class="sourceLineNo">608</span> // Iterate over the entries in the familyMap, replacing the cells therein<a name="line.608"></a> |
| <span class="sourceLineNo">609</span> // with new cells including the ACL data<a name="line.609"></a> |
| <span class="sourceLineNo">610</span> for (Map.Entry<byte[], List<Cell>> e : familyMap.entrySet()) {<a name="line.610"></a> |
| <span class="sourceLineNo">611</span> List<Cell> newCells = Lists.newArrayList();<a name="line.611"></a> |
| <span class="sourceLineNo">612</span> for (Cell cell : e.getValue()) {<a name="line.612"></a> |
| <span class="sourceLineNo">613</span> // Prepend the supplied perms in a new ACL tag to an update list of tags for the cell<a name="line.613"></a> |
| <span class="sourceLineNo">614</span> List<Tag> tags = new ArrayList<>();<a name="line.614"></a> |
| <span class="sourceLineNo">615</span> tags.add(new ArrayBackedTag(PermissionStorage.ACL_TAG_TYPE, perms));<a name="line.615"></a> |
| <span class="sourceLineNo">616</span> Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(cell);<a name="line.616"></a> |
| <span class="sourceLineNo">617</span> while (tagIterator.hasNext()) {<a name="line.617"></a> |
| <span class="sourceLineNo">618</span> tags.add(tagIterator.next());<a name="line.618"></a> |
| <span class="sourceLineNo">619</span> }<a name="line.619"></a> |
| <span class="sourceLineNo">620</span> newCells.add(PrivateCellUtil.createCell(cell, tags));<a name="line.620"></a> |
| <span class="sourceLineNo">621</span> }<a name="line.621"></a> |
| <span class="sourceLineNo">622</span> // This is supposed to be safe, won't CME<a name="line.622"></a> |
| <span class="sourceLineNo">623</span> e.setValue(newCells);<a name="line.623"></a> |
| <span class="sourceLineNo">624</span> }<a name="line.624"></a> |
| <span class="sourceLineNo">625</span> }<a name="line.625"></a> |
| <span class="sourceLineNo">626</span><a name="line.626"></a> |
| <span class="sourceLineNo">627</span> // Checks whether incoming cells contain any tag with type as ACL_TAG_TYPE. This tag<a name="line.627"></a> |
| <span class="sourceLineNo">628</span> // type is reserved and should not be explicitly set by user.<a name="line.628"></a> |
| <span class="sourceLineNo">629</span> private void checkForReservedTagPresence(User user, Mutation m) throws IOException {<a name="line.629"></a> |
| <span class="sourceLineNo">630</span> // No need to check if we're not going to throw<a name="line.630"></a> |
| <span class="sourceLineNo">631</span> if (!authorizationEnabled) {<a name="line.631"></a> |
| <span class="sourceLineNo">632</span> m.setAttribute(TAG_CHECK_PASSED, TRUE);<a name="line.632"></a> |
| <span class="sourceLineNo">633</span> return;<a name="line.633"></a> |
| <span class="sourceLineNo">634</span> }<a name="line.634"></a> |
| <span class="sourceLineNo">635</span> // Superusers are allowed to store cells unconditionally.<a name="line.635"></a> |
| <span class="sourceLineNo">636</span> if (Superusers.isSuperUser(user)) {<a name="line.636"></a> |
| <span class="sourceLineNo">637</span> m.setAttribute(TAG_CHECK_PASSED, TRUE);<a name="line.637"></a> |
| <span class="sourceLineNo">638</span> return;<a name="line.638"></a> |
| <span class="sourceLineNo">639</span> }<a name="line.639"></a> |
| <span class="sourceLineNo">640</span> // We already checked (prePut vs preBatchMutation)<a name="line.640"></a> |
| <span class="sourceLineNo">641</span> if (m.getAttribute(TAG_CHECK_PASSED) != null) {<a name="line.641"></a> |
| <span class="sourceLineNo">642</span> return;<a name="line.642"></a> |
| <span class="sourceLineNo">643</span> }<a name="line.643"></a> |
| <span class="sourceLineNo">644</span> for (CellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {<a name="line.644"></a> |
| <span class="sourceLineNo">645</span> Iterator<Tag> tagsItr = PrivateCellUtil.tagsIterator(cellScanner.current());<a name="line.645"></a> |
| <span class="sourceLineNo">646</span> while (tagsItr.hasNext()) {<a name="line.646"></a> |
| <span class="sourceLineNo">647</span> if (tagsItr.next().getType() == PermissionStorage.ACL_TAG_TYPE) {<a name="line.647"></a> |
| <span class="sourceLineNo">648</span> throw new AccessDeniedException("Mutation contains cell with reserved type tag");<a name="line.648"></a> |
| <span class="sourceLineNo">649</span> }<a name="line.649"></a> |
| <span class="sourceLineNo">650</span> }<a name="line.650"></a> |
| <span class="sourceLineNo">651</span> }<a name="line.651"></a> |
| <span class="sourceLineNo">652</span> m.setAttribute(TAG_CHECK_PASSED, TRUE);<a name="line.652"></a> |
| <span class="sourceLineNo">653</span> }<a name="line.653"></a> |
| <span class="sourceLineNo">654</span><a name="line.654"></a> |
| <span class="sourceLineNo">655</span> /* ---- MasterObserver implementation ---- */<a name="line.655"></a> |
| <span class="sourceLineNo">656</span> @Override<a name="line.656"></a> |
| <span class="sourceLineNo">657</span> public void start(CoprocessorEnvironment env) throws IOException {<a name="line.657"></a> |
| <span class="sourceLineNo">658</span> CompoundConfiguration conf = new CompoundConfiguration();<a name="line.658"></a> |
| <span class="sourceLineNo">659</span> conf.add(env.getConfiguration());<a name="line.659"></a> |
| <span class="sourceLineNo">660</span><a name="line.660"></a> |
| <span class="sourceLineNo">661</span> authorizationEnabled = AccessChecker.isAuthorizationSupported(conf);<a name="line.661"></a> |
| <span class="sourceLineNo">662</span> if (!authorizationEnabled) {<a name="line.662"></a> |
| <span class="sourceLineNo">663</span> LOG.warn("AccessController has been loaded with authorization checks DISABLED!");<a name="line.663"></a> |
| <span class="sourceLineNo">664</span> }<a name="line.664"></a> |
| <span class="sourceLineNo">665</span><a name="line.665"></a> |
| <span class="sourceLineNo">666</span> shouldCheckExecPermission = conf.getBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY,<a name="line.666"></a> |
| <span class="sourceLineNo">667</span> AccessControlConstants.DEFAULT_EXEC_PERMISSION_CHECKS);<a name="line.667"></a> |
| <span class="sourceLineNo">668</span><a name="line.668"></a> |
| <span class="sourceLineNo">669</span> cellFeaturesEnabled = (HFile.getFormatVersion(conf) >= HFile.MIN_FORMAT_VERSION_WITH_TAGS);<a name="line.669"></a> |
| <span class="sourceLineNo">670</span> if (!cellFeaturesEnabled) {<a name="line.670"></a> |
| <span class="sourceLineNo">671</span> LOG.info("A minimum HFile version of " + HFile.MIN_FORMAT_VERSION_WITH_TAGS<a name="line.671"></a> |
| <span class="sourceLineNo">672</span> + " is required to persist cell ACLs. Consider setting " + HFile.FORMAT_VERSION_KEY<a name="line.672"></a> |
| <span class="sourceLineNo">673</span> + " accordingly.");<a name="line.673"></a> |
| <span class="sourceLineNo">674</span> }<a name="line.674"></a> |
| <span class="sourceLineNo">675</span><a name="line.675"></a> |
| <span class="sourceLineNo">676</span> if (env instanceof MasterCoprocessorEnvironment) {<a name="line.676"></a> |
| <span class="sourceLineNo">677</span> // if running on HMaster<a name="line.677"></a> |
| <span class="sourceLineNo">678</span> MasterCoprocessorEnvironment mEnv = (MasterCoprocessorEnvironment) env;<a name="line.678"></a> |
| <span class="sourceLineNo">679</span> if (mEnv instanceof HasMasterServices) {<a name="line.679"></a> |
| <span class="sourceLineNo">680</span> MasterServices masterServices = ((HasMasterServices) mEnv).getMasterServices();<a name="line.680"></a> |
| <span class="sourceLineNo">681</span> zkPermissionWatcher = masterServices.getZKPermissionWatcher();<a name="line.681"></a> |
| <span class="sourceLineNo">682</span> accessChecker = masterServices.getAccessChecker();<a name="line.682"></a> |
| <span class="sourceLineNo">683</span> }<a name="line.683"></a> |
| <span class="sourceLineNo">684</span> } else if (env instanceof RegionServerCoprocessorEnvironment) {<a name="line.684"></a> |
| <span class="sourceLineNo">685</span> RegionServerCoprocessorEnvironment rsEnv = (RegionServerCoprocessorEnvironment) env;<a name="line.685"></a> |
| <span class="sourceLineNo">686</span> if (rsEnv instanceof HasRegionServerServices) {<a name="line.686"></a> |
| <span class="sourceLineNo">687</span> RegionServerServices rsServices =<a name="line.687"></a> |
| <span class="sourceLineNo">688</span> ((HasRegionServerServices) rsEnv).getRegionServerServices();<a name="line.688"></a> |
| <span class="sourceLineNo">689</span> zkPermissionWatcher = rsServices.getZKPermissionWatcher();<a name="line.689"></a> |
| <span class="sourceLineNo">690</span> accessChecker = rsServices.getAccessChecker();<a name="line.690"></a> |
| <span class="sourceLineNo">691</span> }<a name="line.691"></a> |
| <span class="sourceLineNo">692</span> } else if (env instanceof RegionCoprocessorEnvironment) {<a name="line.692"></a> |
| <span class="sourceLineNo">693</span> // if running at region<a name="line.693"></a> |
| <span class="sourceLineNo">694</span> regionEnv = (RegionCoprocessorEnvironment) env;<a name="line.694"></a> |
| <span class="sourceLineNo">695</span> conf.addBytesMap(regionEnv.getRegion().getTableDescriptor().getValues());<a name="line.695"></a> |
| <span class="sourceLineNo">696</span> compatibleEarlyTermination = conf.getBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT,<a name="line.696"></a> |
| <span class="sourceLineNo">697</span> AccessControlConstants.DEFAULT_ATTRIBUTE_EARLY_OUT);<a name="line.697"></a> |
| <span class="sourceLineNo">698</span> if (regionEnv instanceof HasRegionServerServices) {<a name="line.698"></a> |
| <span class="sourceLineNo">699</span> RegionServerServices rsServices =<a name="line.699"></a> |
| <span class="sourceLineNo">700</span> ((HasRegionServerServices) regionEnv).getRegionServerServices();<a name="line.700"></a> |
| <span class="sourceLineNo">701</span> zkPermissionWatcher = rsServices.getZKPermissionWatcher();<a name="line.701"></a> |
| <span class="sourceLineNo">702</span> accessChecker = rsServices.getAccessChecker();<a name="line.702"></a> |
| <span class="sourceLineNo">703</span> }<a name="line.703"></a> |
| <span class="sourceLineNo">704</span> }<a name="line.704"></a> |
| <span class="sourceLineNo">705</span><a name="line.705"></a> |
| <span class="sourceLineNo">706</span> Preconditions.checkState(zkPermissionWatcher != null, "ZKPermissionWatcher is null");<a name="line.706"></a> |
| <span class="sourceLineNo">707</span> Preconditions.checkState(accessChecker != null, "AccessChecker is null");<a name="line.707"></a> |
| <span class="sourceLineNo">708</span><a name="line.708"></a> |
| <span class="sourceLineNo">709</span> // set the user-provider.<a name="line.709"></a> |
| <span class="sourceLineNo">710</span> this.userProvider = UserProvider.instantiate(env.getConfiguration());<a name="line.710"></a> |
| <span class="sourceLineNo">711</span> tableAcls = new MapMaker().weakValues().makeMap();<a name="line.711"></a> |
| <span class="sourceLineNo">712</span> }<a name="line.712"></a> |
| <span class="sourceLineNo">713</span><a name="line.713"></a> |
| <span class="sourceLineNo">714</span> @Override<a name="line.714"></a> |
| <span class="sourceLineNo">715</span> public void stop(CoprocessorEnvironment env) {<a name="line.715"></a> |
| <span class="sourceLineNo">716</span> }<a name="line.716"></a> |
| <span class="sourceLineNo">717</span><a name="line.717"></a> |
| <span class="sourceLineNo">718</span> /*********************************** Observer/Service Getters ***********************************/<a name="line.718"></a> |
| <span class="sourceLineNo">719</span> @Override<a name="line.719"></a> |
| <span class="sourceLineNo">720</span> public Optional<RegionObserver> getRegionObserver() {<a name="line.720"></a> |
| <span class="sourceLineNo">721</span> return Optional.of(this);<a name="line.721"></a> |
| <span class="sourceLineNo">722</span> }<a name="line.722"></a> |
| <span class="sourceLineNo">723</span><a name="line.723"></a> |
| <span class="sourceLineNo">724</span> @Override<a name="line.724"></a> |
| <span class="sourceLineNo">725</span> public Optional<MasterObserver> getMasterObserver() {<a name="line.725"></a> |
| <span class="sourceLineNo">726</span> return Optional.of(this);<a name="line.726"></a> |
| <span class="sourceLineNo">727</span> }<a name="line.727"></a> |
| <span class="sourceLineNo">728</span><a name="line.728"></a> |
| <span class="sourceLineNo">729</span> @Override<a name="line.729"></a> |
| <span class="sourceLineNo">730</span> public Optional<EndpointObserver> getEndpointObserver() {<a name="line.730"></a> |
| <span class="sourceLineNo">731</span> return Optional.of(this);<a name="line.731"></a> |
| <span class="sourceLineNo">732</span> }<a name="line.732"></a> |
| <span class="sourceLineNo">733</span><a name="line.733"></a> |
| <span class="sourceLineNo">734</span> @Override<a name="line.734"></a> |
| <span class="sourceLineNo">735</span> public Optional<BulkLoadObserver> getBulkLoadObserver() {<a name="line.735"></a> |
| <span class="sourceLineNo">736</span> return Optional.of(this);<a name="line.736"></a> |
| <span class="sourceLineNo">737</span> }<a name="line.737"></a> |
| <span class="sourceLineNo">738</span><a name="line.738"></a> |
| <span class="sourceLineNo">739</span> @Override<a name="line.739"></a> |
| <span class="sourceLineNo">740</span> public Optional<RegionServerObserver> getRegionServerObserver() {<a name="line.740"></a> |
| <span class="sourceLineNo">741</span> return Optional.of(this);<a name="line.741"></a> |
| <span class="sourceLineNo">742</span> }<a name="line.742"></a> |
| <span class="sourceLineNo">743</span><a name="line.743"></a> |
| <span class="sourceLineNo">744</span> @Override<a name="line.744"></a> |
| <span class="sourceLineNo">745</span> public Iterable<Service> getServices() {<a name="line.745"></a> |
| <span class="sourceLineNo">746</span> return Collections<a name="line.746"></a> |
| <span class="sourceLineNo">747</span> .singleton(AccessControlProtos.AccessControlService.newReflectiveService(this));<a name="line.747"></a> |
| <span class="sourceLineNo">748</span> }<a name="line.748"></a> |
| <span class="sourceLineNo">749</span><a name="line.749"></a> |
| <span class="sourceLineNo">750</span> /*********************************** Observer implementations ***********************************/<a name="line.750"></a> |
| <span class="sourceLineNo">751</span><a name="line.751"></a> |
| <span class="sourceLineNo">752</span> @Override<a name="line.752"></a> |
| <span class="sourceLineNo">753</span> public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> c, TableDescriptor desc,<a name="line.753"></a> |
| <span class="sourceLineNo">754</span> RegionInfo[] regions) throws IOException {<a name="line.754"></a> |
| <span class="sourceLineNo">755</span> Set<byte[]> families = desc.getColumnFamilyNames();<a name="line.755"></a> |
| <span class="sourceLineNo">756</span> Map<byte[], Set<byte[]>> familyMap = new TreeMap<>(Bytes.BYTES_COMPARATOR);<a name="line.756"></a> |
| <span class="sourceLineNo">757</span> for (byte[] family : families) {<a name="line.757"></a> |
| <span class="sourceLineNo">758</span> familyMap.put(family, null);<a name="line.758"></a> |
| <span class="sourceLineNo">759</span> }<a name="line.759"></a> |
| <span class="sourceLineNo">760</span> requireNamespacePermission(c, "createTable", desc.getTableName().getNamespaceAsString(),<a name="line.760"></a> |
| <span class="sourceLineNo">761</span> desc.getTableName(), familyMap, Action.ADMIN, Action.CREATE);<a name="line.761"></a> |
| <span class="sourceLineNo">762</span> }<a name="line.762"></a> |
| <span class="sourceLineNo">763</span><a name="line.763"></a> |
| <span class="sourceLineNo">764</span> @Override<a name="line.764"></a> |
| <span class="sourceLineNo">765</span> public void postCompletedCreateTableAction(final ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.765"></a> |
| <span class="sourceLineNo">766</span> final TableDescriptor desc, final RegionInfo[] regions) throws IOException {<a name="line.766"></a> |
| <span class="sourceLineNo">767</span> // When AC is used, it should be configured as the 1st CP.<a name="line.767"></a> |
| <span class="sourceLineNo">768</span> // In Master, the table operations like create, are handled by a Thread pool but the max size<a name="line.768"></a> |
| <span class="sourceLineNo">769</span> // for this pool is 1. So if multiple CPs create tables on startup, these creations will happen<a name="line.769"></a> |
| <span class="sourceLineNo">770</span> // sequentially only.<a name="line.770"></a> |
| <span class="sourceLineNo">771</span> // Related code in HMaster#startServiceThreads<a name="line.771"></a> |
| <span class="sourceLineNo">772</span> // {code}<a name="line.772"></a> |
| <span class="sourceLineNo">773</span> // // We depend on there being only one instance of this executor running<a name="line.773"></a> |
| <span class="sourceLineNo">774</span> // // at a time. To do concurrency, would need fencing of enable/disable of<a name="line.774"></a> |
| <span class="sourceLineNo">775</span> // // tables.<a name="line.775"></a> |
| <span class="sourceLineNo">776</span> // this.service.startExecutorService(ExecutorType.MASTER_TABLE_OPERATIONS, 1);<a name="line.776"></a> |
| <span class="sourceLineNo">777</span> // {code}<a name="line.777"></a> |
| <span class="sourceLineNo">778</span> // In future if we change this pool to have more threads, then there is a chance for thread,<a name="line.778"></a> |
| <span class="sourceLineNo">779</span> // creating acl table, getting delayed and by that time another table creation got over and<a name="line.779"></a> |
| <span class="sourceLineNo">780</span> // this hook is getting called. In such a case, we will need a wait logic here which will<a name="line.780"></a> |
| <span class="sourceLineNo">781</span> // wait till the acl table is created.<a name="line.781"></a> |
| <span class="sourceLineNo">782</span> if (PermissionStorage.isAclTable(desc)) {<a name="line.782"></a> |
| <span class="sourceLineNo">783</span> this.aclTabAvailable = true;<a name="line.783"></a> |
| <span class="sourceLineNo">784</span> } else {<a name="line.784"></a> |
| <span class="sourceLineNo">785</span> if (!aclTabAvailable) {<a name="line.785"></a> |
| <span class="sourceLineNo">786</span> LOG.warn("Not adding owner permission for table " + desc.getTableName() + ". "<a name="line.786"></a> |
| <span class="sourceLineNo">787</span> + PermissionStorage.ACL_TABLE_NAME + " is not yet created. " + getClass().getSimpleName()<a name="line.787"></a> |
| <span class="sourceLineNo">788</span> + " should be configured as the first Coprocessor");<a name="line.788"></a> |
| <span class="sourceLineNo">789</span> } else {<a name="line.789"></a> |
| <span class="sourceLineNo">790</span> String owner = getActiveUser(c).getShortName();<a name="line.790"></a> |
| <span class="sourceLineNo">791</span> final UserPermission userPermission = new UserPermission(owner,<a name="line.791"></a> |
| <span class="sourceLineNo">792</span> Permission.newBuilder(desc.getTableName()).withActions(Action.values()).build());<a name="line.792"></a> |
| <span class="sourceLineNo">793</span> // switch to the real hbase master user for doing the RPC on the ACL table<a name="line.793"></a> |
| <span class="sourceLineNo">794</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.794"></a> |
| <span class="sourceLineNo">795</span> @Override<a name="line.795"></a> |
| <span class="sourceLineNo">796</span> public Void run() throws Exception {<a name="line.796"></a> |
| <span class="sourceLineNo">797</span> try (Table table =<a name="line.797"></a> |
| <span class="sourceLineNo">798</span> c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {<a name="line.798"></a> |
| <span class="sourceLineNo">799</span> PermissionStorage.addUserPermission(c.getEnvironment().getConfiguration(),<a name="line.799"></a> |
| <span class="sourceLineNo">800</span> userPermission, table);<a name="line.800"></a> |
| <span class="sourceLineNo">801</span> }<a name="line.801"></a> |
| <span class="sourceLineNo">802</span> return null;<a name="line.802"></a> |
| <span class="sourceLineNo">803</span> }<a name="line.803"></a> |
| <span class="sourceLineNo">804</span> });<a name="line.804"></a> |
| <span class="sourceLineNo">805</span> }<a name="line.805"></a> |
| <span class="sourceLineNo">806</span> }<a name="line.806"></a> |
| <span class="sourceLineNo">807</span> }<a name="line.807"></a> |
| <span class="sourceLineNo">808</span><a name="line.808"></a> |
| <span class="sourceLineNo">809</span> @Override<a name="line.809"></a> |
| <span class="sourceLineNo">810</span> public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.810"></a> |
| <span class="sourceLineNo">811</span> throws IOException {<a name="line.811"></a> |
| <span class="sourceLineNo">812</span> requirePermission(c, "deleteTable", tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.812"></a> |
| <span class="sourceLineNo">813</span> }<a name="line.813"></a> |
| <span class="sourceLineNo">814</span><a name="line.814"></a> |
| <span class="sourceLineNo">815</span> @Override<a name="line.815"></a> |
| <span class="sourceLineNo">816</span> public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.816"></a> |
| <span class="sourceLineNo">817</span> final TableName tableName) throws IOException {<a name="line.817"></a> |
| <span class="sourceLineNo">818</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.818"></a> |
| <span class="sourceLineNo">819</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.819"></a> |
| <span class="sourceLineNo">820</span> @Override<a name="line.820"></a> |
| <span class="sourceLineNo">821</span> public Void run() throws Exception {<a name="line.821"></a> |
| <span class="sourceLineNo">822</span> try (Table table =<a name="line.822"></a> |
| <span class="sourceLineNo">823</span> c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {<a name="line.823"></a> |
| <span class="sourceLineNo">824</span> PermissionStorage.removeTablePermissions(conf, tableName, table);<a name="line.824"></a> |
| <span class="sourceLineNo">825</span> }<a name="line.825"></a> |
| <span class="sourceLineNo">826</span> return null;<a name="line.826"></a> |
| <span class="sourceLineNo">827</span> }<a name="line.827"></a> |
| <span class="sourceLineNo">828</span> });<a name="line.828"></a> |
| <span class="sourceLineNo">829</span> zkPermissionWatcher.deleteTableACLNode(tableName);<a name="line.829"></a> |
| <span class="sourceLineNo">830</span> }<a name="line.830"></a> |
| <span class="sourceLineNo">831</span><a name="line.831"></a> |
| <span class="sourceLineNo">832</span> @Override<a name="line.832"></a> |
| <span class="sourceLineNo">833</span> public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.833"></a> |
| <span class="sourceLineNo">834</span> final TableName tableName) throws IOException {<a name="line.834"></a> |
| <span class="sourceLineNo">835</span> requirePermission(c, "truncateTable", tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.835"></a> |
| <span class="sourceLineNo">836</span><a name="line.836"></a> |
| <span class="sourceLineNo">837</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.837"></a> |
| <span class="sourceLineNo">838</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.838"></a> |
| <span class="sourceLineNo">839</span> @Override<a name="line.839"></a> |
| <span class="sourceLineNo">840</span> public Void run() throws Exception {<a name="line.840"></a> |
| <span class="sourceLineNo">841</span> List<UserPermission> acls =<a name="line.841"></a> |
| <span class="sourceLineNo">842</span> PermissionStorage.getUserTablePermissions(conf, tableName, null, null, null, false);<a name="line.842"></a> |
| <span class="sourceLineNo">843</span> if (acls != null) {<a name="line.843"></a> |
| <span class="sourceLineNo">844</span> tableAcls.put(tableName, acls);<a name="line.844"></a> |
| <span class="sourceLineNo">845</span> }<a name="line.845"></a> |
| <span class="sourceLineNo">846</span> return null;<a name="line.846"></a> |
| <span class="sourceLineNo">847</span> }<a name="line.847"></a> |
| <span class="sourceLineNo">848</span> });<a name="line.848"></a> |
| <span class="sourceLineNo">849</span> }<a name="line.849"></a> |
| <span class="sourceLineNo">850</span><a name="line.850"></a> |
| <span class="sourceLineNo">851</span> @Override<a name="line.851"></a> |
| <span class="sourceLineNo">852</span> public void postTruncateTable(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.852"></a> |
| <span class="sourceLineNo">853</span> final TableName tableName) throws IOException {<a name="line.853"></a> |
| <span class="sourceLineNo">854</span> final Configuration conf = ctx.getEnvironment().getConfiguration();<a name="line.854"></a> |
| <span class="sourceLineNo">855</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.855"></a> |
| <span class="sourceLineNo">856</span> @Override<a name="line.856"></a> |
| <span class="sourceLineNo">857</span> public Void run() throws Exception {<a name="line.857"></a> |
| <span class="sourceLineNo">858</span> List<UserPermission> perms = tableAcls.get(tableName);<a name="line.858"></a> |
| <span class="sourceLineNo">859</span> if (perms != null) {<a name="line.859"></a> |
| <span class="sourceLineNo">860</span> for (UserPermission perm : perms) {<a name="line.860"></a> |
| <span class="sourceLineNo">861</span> try (Table table =<a name="line.861"></a> |
| <span class="sourceLineNo">862</span> ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {<a name="line.862"></a> |
| <span class="sourceLineNo">863</span> PermissionStorage.addUserPermission(conf, perm, table);<a name="line.863"></a> |
| <span class="sourceLineNo">864</span> }<a name="line.864"></a> |
| <span class="sourceLineNo">865</span> }<a name="line.865"></a> |
| <span class="sourceLineNo">866</span> }<a name="line.866"></a> |
| <span class="sourceLineNo">867</span> tableAcls.remove(tableName);<a name="line.867"></a> |
| <span class="sourceLineNo">868</span> return null;<a name="line.868"></a> |
| <span class="sourceLineNo">869</span> }<a name="line.869"></a> |
| <span class="sourceLineNo">870</span> });<a name="line.870"></a> |
| <span class="sourceLineNo">871</span> }<a name="line.871"></a> |
| <span class="sourceLineNo">872</span><a name="line.872"></a> |
| <span class="sourceLineNo">873</span> @Override<a name="line.873"></a> |
| <span class="sourceLineNo">874</span> public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.874"></a> |
| <span class="sourceLineNo">875</span> TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc) throws IOException {<a name="line.875"></a> |
| <span class="sourceLineNo">876</span> // TODO: potentially check if this is a add/modify/delete column operation<a name="line.876"></a> |
| <span class="sourceLineNo">877</span> requirePermission(c, "modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.877"></a> |
| <span class="sourceLineNo">878</span> return newDesc;<a name="line.878"></a> |
| <span class="sourceLineNo">879</span> }<a name="line.879"></a> |
| <span class="sourceLineNo">880</span><a name="line.880"></a> |
| <span class="sourceLineNo">881</span> @Override<a name="line.881"></a> |
| <span class="sourceLineNo">882</span> public String preModifyTableStoreFileTracker(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.882"></a> |
| <span class="sourceLineNo">883</span> TableName tableName, String dstSFT) throws IOException {<a name="line.883"></a> |
| <span class="sourceLineNo">884</span> requirePermission(c, "modifyTableStoreFileTracker", tableName, null, null, Action.ADMIN,<a name="line.884"></a> |
| <span class="sourceLineNo">885</span> Action.CREATE);<a name="line.885"></a> |
| <span class="sourceLineNo">886</span> return dstSFT;<a name="line.886"></a> |
| <span class="sourceLineNo">887</span> }<a name="line.887"></a> |
| <span class="sourceLineNo">888</span><a name="line.888"></a> |
| <span class="sourceLineNo">889</span> @Override<a name="line.889"></a> |
| <span class="sourceLineNo">890</span> public String preModifyColumnFamilyStoreFileTracker(<a name="line.890"></a> |
| <span class="sourceLineNo">891</span> ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, byte[] family,<a name="line.891"></a> |
| <span class="sourceLineNo">892</span> String dstSFT) throws IOException {<a name="line.892"></a> |
| <span class="sourceLineNo">893</span> requirePermission(c, "modifyColumnFamilyStoreFileTracker", tableName, family, null,<a name="line.893"></a> |
| <span class="sourceLineNo">894</span> Action.ADMIN, Action.CREATE);<a name="line.894"></a> |
| <span class="sourceLineNo">895</span> return dstSFT;<a name="line.895"></a> |
| <span class="sourceLineNo">896</span> }<a name="line.896"></a> |
| <span class="sourceLineNo">897</span><a name="line.897"></a> |
| <span class="sourceLineNo">898</span> @Override<a name="line.898"></a> |
| <span class="sourceLineNo">899</span> public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,<a name="line.899"></a> |
| <span class="sourceLineNo">900</span> TableDescriptor oldDesc, TableDescriptor currentDesc) throws IOException {<a name="line.900"></a> |
| <span class="sourceLineNo">901</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.901"></a> |
| <span class="sourceLineNo">902</span> // default the table owner to current user, if not specified.<a name="line.902"></a> |
| <span class="sourceLineNo">903</span> final String owner = getActiveUser(c).getShortName();<a name="line.903"></a> |
| <span class="sourceLineNo">904</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.904"></a> |
| <span class="sourceLineNo">905</span> @Override<a name="line.905"></a> |
| <span class="sourceLineNo">906</span> public Void run() throws Exception {<a name="line.906"></a> |
| <span class="sourceLineNo">907</span> UserPermission userperm = new UserPermission(owner,<a name="line.907"></a> |
| <span class="sourceLineNo">908</span> Permission.newBuilder(currentDesc.getTableName()).withActions(Action.values()).build());<a name="line.908"></a> |
| <span class="sourceLineNo">909</span> try (Table table =<a name="line.909"></a> |
| <span class="sourceLineNo">910</span> c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {<a name="line.910"></a> |
| <span class="sourceLineNo">911</span> PermissionStorage.addUserPermission(conf, userperm, table);<a name="line.911"></a> |
| <span class="sourceLineNo">912</span> }<a name="line.912"></a> |
| <span class="sourceLineNo">913</span> return null;<a name="line.913"></a> |
| <span class="sourceLineNo">914</span> }<a name="line.914"></a> |
| <span class="sourceLineNo">915</span> });<a name="line.915"></a> |
| <span class="sourceLineNo">916</span> }<a name="line.916"></a> |
| <span class="sourceLineNo">917</span><a name="line.917"></a> |
| <span class="sourceLineNo">918</span> @Override<a name="line.918"></a> |
| <span class="sourceLineNo">919</span> public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.919"></a> |
| <span class="sourceLineNo">920</span> throws IOException {<a name="line.920"></a> |
| <span class="sourceLineNo">921</span> requirePermission(c, "enableTable", tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.921"></a> |
| <span class="sourceLineNo">922</span> }<a name="line.922"></a> |
| <span class="sourceLineNo">923</span><a name="line.923"></a> |
| <span class="sourceLineNo">924</span> @Override<a name="line.924"></a> |
| <span class="sourceLineNo">925</span> public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.925"></a> |
| <span class="sourceLineNo">926</span> throws IOException {<a name="line.926"></a> |
| <span class="sourceLineNo">927</span> if (Bytes.equals(tableName.getName(), PermissionStorage.ACL_GLOBAL_NAME)) {<a name="line.927"></a> |
| <span class="sourceLineNo">928</span> // We have to unconditionally disallow disable of the ACL table when we are installed,<a name="line.928"></a> |
| <span class="sourceLineNo">929</span> // even if not enforcing authorizations. We are still allowing grants and revocations,<a name="line.929"></a> |
| <span class="sourceLineNo">930</span> // checking permissions and logging audit messages, etc. If the ACL table is not<a name="line.930"></a> |
| <span class="sourceLineNo">931</span> // available we will fail random actions all over the place.<a name="line.931"></a> |
| <span class="sourceLineNo">932</span> throw new AccessDeniedException("Not allowed to disable " + PermissionStorage.ACL_TABLE_NAME<a name="line.932"></a> |
| <span class="sourceLineNo">933</span> + " table with AccessController installed");<a name="line.933"></a> |
| <span class="sourceLineNo">934</span> }<a name="line.934"></a> |
| <span class="sourceLineNo">935</span> requirePermission(c, "disableTable", tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.935"></a> |
| <span class="sourceLineNo">936</span> }<a name="line.936"></a> |
| <span class="sourceLineNo">937</span><a name="line.937"></a> |
| <span class="sourceLineNo">938</span> @Override<a name="line.938"></a> |
| <span class="sourceLineNo">939</span> public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.939"></a> |
| <span class="sourceLineNo">940</span> final long procId) throws IOException {<a name="line.940"></a> |
| <span class="sourceLineNo">941</span> requirePermission(ctx, "abortProcedure", Action.ADMIN);<a name="line.941"></a> |
| <span class="sourceLineNo">942</span> }<a name="line.942"></a> |
| <span class="sourceLineNo">943</span><a name="line.943"></a> |
| <span class="sourceLineNo">944</span> @Override<a name="line.944"></a> |
| <span class="sourceLineNo">945</span> public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.945"></a> |
| <span class="sourceLineNo">946</span> throws IOException {<a name="line.946"></a> |
| <span class="sourceLineNo">947</span> // There is nothing to do at this time after the procedure abort request was sent.<a name="line.947"></a> |
| <span class="sourceLineNo">948</span> }<a name="line.948"></a> |
| <span class="sourceLineNo">949</span><a name="line.949"></a> |
| <span class="sourceLineNo">950</span> @Override<a name="line.950"></a> |
| <span class="sourceLineNo">951</span> public void preGetProcedures(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.951"></a> |
| <span class="sourceLineNo">952</span> throws IOException {<a name="line.952"></a> |
| <span class="sourceLineNo">953</span> requirePermission(ctx, "getProcedure", Action.ADMIN);<a name="line.953"></a> |
| <span class="sourceLineNo">954</span> }<a name="line.954"></a> |
| <span class="sourceLineNo">955</span><a name="line.955"></a> |
| <span class="sourceLineNo">956</span> @Override<a name="line.956"></a> |
| <span class="sourceLineNo">957</span> public void preGetLocks(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {<a name="line.957"></a> |
| <span class="sourceLineNo">958</span> User user = getActiveUser(ctx);<a name="line.958"></a> |
| <span class="sourceLineNo">959</span> accessChecker.requirePermission(user, "getLocks", null, Action.ADMIN);<a name="line.959"></a> |
| <span class="sourceLineNo">960</span> }<a name="line.960"></a> |
| <span class="sourceLineNo">961</span><a name="line.961"></a> |
| <span class="sourceLineNo">962</span> @Override<a name="line.962"></a> |
| <span class="sourceLineNo">963</span> public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo region,<a name="line.963"></a> |
| <span class="sourceLineNo">964</span> ServerName srcServer, ServerName destServer) throws IOException {<a name="line.964"></a> |
| <span class="sourceLineNo">965</span> requirePermission(c, "move", region.getTable(), null, null, Action.ADMIN);<a name="line.965"></a> |
| <span class="sourceLineNo">966</span> }<a name="line.966"></a> |
| <span class="sourceLineNo">967</span><a name="line.967"></a> |
| <span class="sourceLineNo">968</span> @Override<a name="line.968"></a> |
| <span class="sourceLineNo">969</span> public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo)<a name="line.969"></a> |
| <span class="sourceLineNo">970</span> throws IOException {<a name="line.970"></a> |
| <span class="sourceLineNo">971</span> requirePermission(c, "assign", regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.971"></a> |
| <span class="sourceLineNo">972</span> }<a name="line.972"></a> |
| <span class="sourceLineNo">973</span><a name="line.973"></a> |
| <span class="sourceLineNo">974</span> @Override<a name="line.974"></a> |
| <span class="sourceLineNo">975</span> public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo)<a name="line.975"></a> |
| <span class="sourceLineNo">976</span> throws IOException {<a name="line.976"></a> |
| <span class="sourceLineNo">977</span> requirePermission(c, "unassign", regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.977"></a> |
| <span class="sourceLineNo">978</span> }<a name="line.978"></a> |
| <span class="sourceLineNo">979</span><a name="line.979"></a> |
| <span class="sourceLineNo">980</span> @Override<a name="line.980"></a> |
| <span class="sourceLineNo">981</span> public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.981"></a> |
| <span class="sourceLineNo">982</span> RegionInfo regionInfo) throws IOException {<a name="line.982"></a> |
| <span class="sourceLineNo">983</span> requirePermission(c, "regionOffline", regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.983"></a> |
| <span class="sourceLineNo">984</span> }<a name="line.984"></a> |
| <span class="sourceLineNo">985</span><a name="line.985"></a> |
| <span class="sourceLineNo">986</span> @Override<a name="line.986"></a> |
| <span class="sourceLineNo">987</span> public void preSetSplitOrMergeEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.987"></a> |
| <span class="sourceLineNo">988</span> final boolean newValue, final MasterSwitchType switchType) throws IOException {<a name="line.988"></a> |
| <span class="sourceLineNo">989</span> requirePermission(ctx, "setSplitOrMergeEnabled", Action.ADMIN);<a name="line.989"></a> |
| <span class="sourceLineNo">990</span> }<a name="line.990"></a> |
| <span class="sourceLineNo">991</span><a name="line.991"></a> |
| <span class="sourceLineNo">992</span> @Override<a name="line.992"></a> |
| <span class="sourceLineNo">993</span> public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c, BalanceRequest request)<a name="line.993"></a> |
| <span class="sourceLineNo">994</span> throws IOException {<a name="line.994"></a> |
| <span class="sourceLineNo">995</span> requirePermission(c, "balance", Action.ADMIN);<a name="line.995"></a> |
| <span class="sourceLineNo">996</span> }<a name="line.996"></a> |
| <span class="sourceLineNo">997</span><a name="line.997"></a> |
| <span class="sourceLineNo">998</span> @Override<a name="line.998"></a> |
| <span class="sourceLineNo">999</span> public void preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, boolean newValue)<a name="line.999"></a> |
| <span class="sourceLineNo">1000</span> throws IOException {<a name="line.1000"></a> |
| <span class="sourceLineNo">1001</span> requirePermission(c, "balanceSwitch", Action.ADMIN);<a name="line.1001"></a> |
| <span class="sourceLineNo">1002</span> }<a name="line.1002"></a> |
| <span class="sourceLineNo">1003</span><a name="line.1003"></a> |
| <span class="sourceLineNo">1004</span> @Override<a name="line.1004"></a> |
| <span class="sourceLineNo">1005</span> public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {<a name="line.1005"></a> |
| <span class="sourceLineNo">1006</span> requirePermission(c, "shutdown", Action.ADMIN);<a name="line.1006"></a> |
| <span class="sourceLineNo">1007</span> }<a name="line.1007"></a> |
| <span class="sourceLineNo">1008</span><a name="line.1008"></a> |
| <span class="sourceLineNo">1009</span> @Override<a name="line.1009"></a> |
| <span class="sourceLineNo">1010</span> public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {<a name="line.1010"></a> |
| <span class="sourceLineNo">1011</span> requirePermission(c, "stopMaster", Action.ADMIN);<a name="line.1011"></a> |
| <span class="sourceLineNo">1012</span> }<a name="line.1012"></a> |
| <span class="sourceLineNo">1013</span><a name="line.1013"></a> |
| <span class="sourceLineNo">1014</span> @Override<a name="line.1014"></a> |
| <span class="sourceLineNo">1015</span> public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1015"></a> |
| <span class="sourceLineNo">1016</span> throws IOException {<a name="line.1016"></a> |
| <span class="sourceLineNo">1017</span> try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {<a name="line.1017"></a> |
| <span class="sourceLineNo">1018</span> if (!admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {<a name="line.1018"></a> |
| <span class="sourceLineNo">1019</span> createACLTable(admin);<a name="line.1019"></a> |
| <span class="sourceLineNo">1020</span> } else {<a name="line.1020"></a> |
| <span class="sourceLineNo">1021</span> this.aclTabAvailable = true;<a name="line.1021"></a> |
| <span class="sourceLineNo">1022</span> }<a name="line.1022"></a> |
| <span class="sourceLineNo">1023</span> }<a name="line.1023"></a> |
| <span class="sourceLineNo">1024</span> }<a name="line.1024"></a> |
| <span class="sourceLineNo">1025</span><a name="line.1025"></a> |
| <span class="sourceLineNo">1026</span> /**<a name="line.1026"></a> |
| <span class="sourceLineNo">1027</span> * Create the ACL table<a name="line.1027"></a> |
| <span class="sourceLineNo">1028</span> */<a name="line.1028"></a> |
| <span class="sourceLineNo">1029</span> private static void createACLTable(Admin admin) throws IOException {<a name="line.1029"></a> |
| <span class="sourceLineNo">1030</span> /** Table descriptor for ACL table */<a name="line.1030"></a> |
| <span class="sourceLineNo">1031</span> ColumnFamilyDescriptor cfd =<a name="line.1031"></a> |
| <span class="sourceLineNo">1032</span> ColumnFamilyDescriptorBuilder.newBuilder(PermissionStorage.ACL_LIST_FAMILY).setMaxVersions(1)<a name="line.1032"></a> |
| <span class="sourceLineNo">1033</span> .setInMemory(true).setBlockCacheEnabled(true).setBlocksize(8 * 1024)<a name="line.1033"></a> |
| <span class="sourceLineNo">1034</span> .setBloomFilterType(BloomType.NONE).setScope(HConstants.REPLICATION_SCOPE_LOCAL).build();<a name="line.1034"></a> |
| <span class="sourceLineNo">1035</span> TableDescriptor td = TableDescriptorBuilder.newBuilder(PermissionStorage.ACL_TABLE_NAME)<a name="line.1035"></a> |
| <span class="sourceLineNo">1036</span> .setColumnFamily(cfd).build();<a name="line.1036"></a> |
| <span class="sourceLineNo">1037</span> admin.createTable(td);<a name="line.1037"></a> |
| <span class="sourceLineNo">1038</span> }<a name="line.1038"></a> |
| <span class="sourceLineNo">1039</span><a name="line.1039"></a> |
| <span class="sourceLineNo">1040</span> @Override<a name="line.1040"></a> |
| <span class="sourceLineNo">1041</span> public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1041"></a> |
| <span class="sourceLineNo">1042</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor) throws IOException {<a name="line.1042"></a> |
| <span class="sourceLineNo">1043</span> // Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.<a name="line.1043"></a> |
| <span class="sourceLineNo">1044</span> requirePermission(ctx, "snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null,<a name="line.1044"></a> |
| <span class="sourceLineNo">1045</span> null, Permission.Action.ADMIN);<a name="line.1045"></a> |
| <span class="sourceLineNo">1046</span> }<a name="line.1046"></a> |
| <span class="sourceLineNo">1047</span><a name="line.1047"></a> |
| <span class="sourceLineNo">1048</span> @Override<a name="line.1048"></a> |
| <span class="sourceLineNo">1049</span> public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1049"></a> |
| <span class="sourceLineNo">1050</span> final SnapshotDescription snapshot) throws IOException {<a name="line.1050"></a> |
| <span class="sourceLineNo">1051</span> User user = getActiveUser(ctx);<a name="line.1051"></a> |
| <span class="sourceLineNo">1052</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1052"></a> |
| <span class="sourceLineNo">1053</span> // list it, if user is the owner of snapshot<a name="line.1053"></a> |
| <span class="sourceLineNo">1054</span> AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),<a name="line.1054"></a> |
| <span class="sourceLineNo">1055</span> "Snapshot owner check allowed", user, null, null, null);<a name="line.1055"></a> |
| <span class="sourceLineNo">1056</span> AccessChecker.logResult(result);<a name="line.1056"></a> |
| <span class="sourceLineNo">1057</span> } else {<a name="line.1057"></a> |
| <span class="sourceLineNo">1058</span> accessChecker.requirePermission(user, "listSnapshot " + snapshot.getName(), null,<a name="line.1058"></a> |
| <span class="sourceLineNo">1059</span> Action.ADMIN);<a name="line.1059"></a> |
| <span class="sourceLineNo">1060</span> }<a name="line.1060"></a> |
| <span class="sourceLineNo">1061</span> }<a name="line.1061"></a> |
| <span class="sourceLineNo">1062</span><a name="line.1062"></a> |
| <span class="sourceLineNo">1063</span> @Override<a name="line.1063"></a> |
| <span class="sourceLineNo">1064</span> public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1064"></a> |
| <span class="sourceLineNo">1065</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor) throws IOException {<a name="line.1065"></a> |
| <span class="sourceLineNo">1066</span> User user = getActiveUser(ctx);<a name="line.1066"></a> |
| <span class="sourceLineNo">1067</span> if (<a name="line.1067"></a> |
| <span class="sourceLineNo">1068</span> SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)<a name="line.1068"></a> |
| <span class="sourceLineNo">1069</span> && hTableDescriptor.getTableName().getNameAsString().equals(snapshot.getTableNameAsString())<a name="line.1069"></a> |
| <span class="sourceLineNo">1070</span> ) {<a name="line.1070"></a> |
| <span class="sourceLineNo">1071</span> // Snapshot owner is allowed to create a table with the same name as the snapshot he took<a name="line.1071"></a> |
| <span class="sourceLineNo">1072</span> AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(),<a name="line.1072"></a> |
| <span class="sourceLineNo">1073</span> "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);<a name="line.1073"></a> |
| <span class="sourceLineNo">1074</span> AccessChecker.logResult(result);<a name="line.1074"></a> |
| <span class="sourceLineNo">1075</span> } else if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1075"></a> |
| <span class="sourceLineNo">1076</span> requireNamespacePermission(ctx, "cloneSnapshot",<a name="line.1076"></a> |
| <span class="sourceLineNo">1077</span> hTableDescriptor.getTableName().getNamespaceAsString(), Action.ADMIN);<a name="line.1077"></a> |
| <span class="sourceLineNo">1078</span> } else {<a name="line.1078"></a> |
| <span class="sourceLineNo">1079</span> accessChecker.requirePermission(user, "cloneSnapshot " + snapshot.getName(), null,<a name="line.1079"></a> |
| <span class="sourceLineNo">1080</span> Action.ADMIN);<a name="line.1080"></a> |
| <span class="sourceLineNo">1081</span> }<a name="line.1081"></a> |
| <span class="sourceLineNo">1082</span> }<a name="line.1082"></a> |
| <span class="sourceLineNo">1083</span><a name="line.1083"></a> |
| <span class="sourceLineNo">1084</span> @Override<a name="line.1084"></a> |
| <span class="sourceLineNo">1085</span> public void preRestoreSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1085"></a> |
| <span class="sourceLineNo">1086</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor) throws IOException {<a name="line.1086"></a> |
| <span class="sourceLineNo">1087</span> User user = getActiveUser(ctx);<a name="line.1087"></a> |
| <span class="sourceLineNo">1088</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1088"></a> |
| <span class="sourceLineNo">1089</span> accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(),<a name="line.1089"></a> |
| <span class="sourceLineNo">1090</span> hTableDescriptor.getTableName(), null, null, null, Permission.Action.ADMIN);<a name="line.1090"></a> |
| <span class="sourceLineNo">1091</span> } else {<a name="line.1091"></a> |
| <span class="sourceLineNo">1092</span> accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), null,<a name="line.1092"></a> |
| <span class="sourceLineNo">1093</span> Action.ADMIN);<a name="line.1093"></a> |
| <span class="sourceLineNo">1094</span> }<a name="line.1094"></a> |
| <span class="sourceLineNo">1095</span> }<a name="line.1095"></a> |
| <span class="sourceLineNo">1096</span><a name="line.1096"></a> |
| <span class="sourceLineNo">1097</span> @Override<a name="line.1097"></a> |
| <span class="sourceLineNo">1098</span> public void preDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1098"></a> |
| <span class="sourceLineNo">1099</span> final SnapshotDescription snapshot) throws IOException {<a name="line.1099"></a> |
| <span class="sourceLineNo">1100</span> User user = getActiveUser(ctx);<a name="line.1100"></a> |
| <span class="sourceLineNo">1101</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1101"></a> |
| <span class="sourceLineNo">1102</span> // Snapshot owner is allowed to delete the snapshot<a name="line.1102"></a> |
| <span class="sourceLineNo">1103</span> AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(),<a name="line.1103"></a> |
| <span class="sourceLineNo">1104</span> "Snapshot owner check allowed", user, null, null, null);<a name="line.1104"></a> |
| <span class="sourceLineNo">1105</span> AccessChecker.logResult(result);<a name="line.1105"></a> |
| <span class="sourceLineNo">1106</span> } else {<a name="line.1106"></a> |
| <span class="sourceLineNo">1107</span> accessChecker.requirePermission(user, "deleteSnapshot " + snapshot.getName(), null,<a name="line.1107"></a> |
| <span class="sourceLineNo">1108</span> Action.ADMIN);<a name="line.1108"></a> |
| <span class="sourceLineNo">1109</span> }<a name="line.1109"></a> |
| <span class="sourceLineNo">1110</span> }<a name="line.1110"></a> |
| <span class="sourceLineNo">1111</span><a name="line.1111"></a> |
| <span class="sourceLineNo">1112</span> @Override<a name="line.1112"></a> |
| <span class="sourceLineNo">1113</span> public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1113"></a> |
| <span class="sourceLineNo">1114</span> NamespaceDescriptor ns) throws IOException {<a name="line.1114"></a> |
| <span class="sourceLineNo">1115</span> requireGlobalPermission(ctx, "createNamespace", Action.ADMIN, ns.getName());<a name="line.1115"></a> |
| <span class="sourceLineNo">1116</span> }<a name="line.1116"></a> |
| <span class="sourceLineNo">1117</span><a name="line.1117"></a> |
| <span class="sourceLineNo">1118</span> @Override<a name="line.1118"></a> |
| <span class="sourceLineNo">1119</span> public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1119"></a> |
| <span class="sourceLineNo">1120</span> String namespace) throws IOException {<a name="line.1120"></a> |
| <span class="sourceLineNo">1121</span> requireGlobalPermission(ctx, "deleteNamespace", Action.ADMIN, namespace);<a name="line.1121"></a> |
| <span class="sourceLineNo">1122</span> }<a name="line.1122"></a> |
| <span class="sourceLineNo">1123</span><a name="line.1123"></a> |
| <span class="sourceLineNo">1124</span> @Override<a name="line.1124"></a> |
| <span class="sourceLineNo">1125</span> public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1125"></a> |
| <span class="sourceLineNo">1126</span> final String namespace) throws IOException {<a name="line.1126"></a> |
| <span class="sourceLineNo">1127</span> final Configuration conf = ctx.getEnvironment().getConfiguration();<a name="line.1127"></a> |
| <span class="sourceLineNo">1128</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.1128"></a> |
| <span class="sourceLineNo">1129</span> @Override<a name="line.1129"></a> |
| <span class="sourceLineNo">1130</span> public Void run() throws Exception {<a name="line.1130"></a> |
| <span class="sourceLineNo">1131</span> try (Table table =<a name="line.1131"></a> |
| <span class="sourceLineNo">1132</span> ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {<a name="line.1132"></a> |
| <span class="sourceLineNo">1133</span> PermissionStorage.removeNamespacePermissions(conf, namespace, table);<a name="line.1133"></a> |
| <span class="sourceLineNo">1134</span> }<a name="line.1134"></a> |
| <span class="sourceLineNo">1135</span> return null;<a name="line.1135"></a> |
| <span class="sourceLineNo">1136</span> }<a name="line.1136"></a> |
| <span class="sourceLineNo">1137</span> });<a name="line.1137"></a> |
| <span class="sourceLineNo">1138</span> zkPermissionWatcher.deleteNamespaceACLNode(namespace);<a name="line.1138"></a> |
| <span class="sourceLineNo">1139</span> LOG.info(namespace + " entry deleted in " + PermissionStorage.ACL_TABLE_NAME + " table.");<a name="line.1139"></a> |
| <span class="sourceLineNo">1140</span> }<a name="line.1140"></a> |
| <span class="sourceLineNo">1141</span><a name="line.1141"></a> |
| <span class="sourceLineNo">1142</span> @Override<a name="line.1142"></a> |
| <span class="sourceLineNo">1143</span> public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1143"></a> |
| <span class="sourceLineNo">1144</span> NamespaceDescriptor currentNsDesc, NamespaceDescriptor newNsDesc) throws IOException {<a name="line.1144"></a> |
| <span class="sourceLineNo">1145</span> // We require only global permission so that<a name="line.1145"></a> |
| <span class="sourceLineNo">1146</span> // a user with NS admin cannot altering namespace configurations. i.e. namespace quota<a name="line.1146"></a> |
| <span class="sourceLineNo">1147</span> requireGlobalPermission(ctx, "modifyNamespace", Action.ADMIN, newNsDesc.getName());<a name="line.1147"></a> |
| <span class="sourceLineNo">1148</span> }<a name="line.1148"></a> |
| <span class="sourceLineNo">1149</span><a name="line.1149"></a> |
| <span class="sourceLineNo">1150</span> @Override<a name="line.1150"></a> |
| <span class="sourceLineNo">1151</span> public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1151"></a> |
| <span class="sourceLineNo">1152</span> String namespace) throws IOException {<a name="line.1152"></a> |
| <span class="sourceLineNo">1153</span> requireNamespacePermission(ctx, "getNamespaceDescriptor", namespace, Action.ADMIN);<a name="line.1153"></a> |
| <span class="sourceLineNo">1154</span> }<a name="line.1154"></a> |
| <span class="sourceLineNo">1155</span><a name="line.1155"></a> |
| <span class="sourceLineNo">1156</span> @Override<a name="line.1156"></a> |
| <span class="sourceLineNo">1157</span> public void postListNamespaces(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1157"></a> |
| <span class="sourceLineNo">1158</span> List<String> namespaces) throws IOException {<a name="line.1158"></a> |
| <span class="sourceLineNo">1159</span> /* always allow namespace listing */<a name="line.1159"></a> |
| <span class="sourceLineNo">1160</span> }<a name="line.1160"></a> |
| <span class="sourceLineNo">1161</span><a name="line.1161"></a> |
| <span class="sourceLineNo">1162</span> @Override<a name="line.1162"></a> |
| <span class="sourceLineNo">1163</span> public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1163"></a> |
| <span class="sourceLineNo">1164</span> List<NamespaceDescriptor> descriptors) throws IOException {<a name="line.1164"></a> |
| <span class="sourceLineNo">1165</span> // Retains only those which passes authorization checks, as the checks weren't done as part<a name="line.1165"></a> |
| <span class="sourceLineNo">1166</span> // of preGetTableDescriptors.<a name="line.1166"></a> |
| <span class="sourceLineNo">1167</span> Iterator<NamespaceDescriptor> itr = descriptors.iterator();<a name="line.1167"></a> |
| <span class="sourceLineNo">1168</span> User user = getActiveUser(ctx);<a name="line.1168"></a> |
| <span class="sourceLineNo">1169</span> while (itr.hasNext()) {<a name="line.1169"></a> |
| <span class="sourceLineNo">1170</span> NamespaceDescriptor desc = itr.next();<a name="line.1170"></a> |
| <span class="sourceLineNo">1171</span> try {<a name="line.1171"></a> |
| <span class="sourceLineNo">1172</span> accessChecker.requireNamespacePermission(user, "listNamespaces", desc.getName(), null,<a name="line.1172"></a> |
| <span class="sourceLineNo">1173</span> Action.ADMIN);<a name="line.1173"></a> |
| <span class="sourceLineNo">1174</span> } catch (AccessDeniedException e) {<a name="line.1174"></a> |
| <span class="sourceLineNo">1175</span> itr.remove();<a name="line.1175"></a> |
| <span class="sourceLineNo">1176</span> }<a name="line.1176"></a> |
| <span class="sourceLineNo">1177</span> }<a name="line.1177"></a> |
| <span class="sourceLineNo">1178</span> }<a name="line.1178"></a> |
| <span class="sourceLineNo">1179</span><a name="line.1179"></a> |
| <span class="sourceLineNo">1180</span> @Override<a name="line.1180"></a> |
| <span class="sourceLineNo">1181</span> public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1181"></a> |
| <span class="sourceLineNo">1182</span> final TableName tableName) throws IOException {<a name="line.1182"></a> |
| <span class="sourceLineNo">1183</span> // Move this ACL check to MasterFlushTableProcedureManager#checkPermissions as part of AC<a name="line.1183"></a> |
| <span class="sourceLineNo">1184</span> // deprecation.<a name="line.1184"></a> |
| <span class="sourceLineNo">1185</span> requirePermission(ctx, "flushTable", tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.1185"></a> |
| <span class="sourceLineNo">1186</span> }<a name="line.1186"></a> |
| <span class="sourceLineNo">1187</span><a name="line.1187"></a> |
| <span class="sourceLineNo">1188</span> @Override<a name="line.1188"></a> |
| <span class="sourceLineNo">1189</span> public void preSplitRegion(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1189"></a> |
| <span class="sourceLineNo">1190</span> final TableName tableName, final byte[] splitRow) throws IOException {<a name="line.1190"></a> |
| <span class="sourceLineNo">1191</span> requirePermission(ctx, "split", tableName, null, null, Action.ADMIN);<a name="line.1191"></a> |
| <span class="sourceLineNo">1192</span> }<a name="line.1192"></a> |
| <span class="sourceLineNo">1193</span><a name="line.1193"></a> |
| <span class="sourceLineNo">1194</span> @Override<a name="line.1194"></a> |
| <span class="sourceLineNo">1195</span> public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1195"></a> |
| <span class="sourceLineNo">1196</span> throws IOException {<a name="line.1196"></a> |
| <span class="sourceLineNo">1197</span> requirePermission(ctx, "clearDeadServers", Action.ADMIN);<a name="line.1197"></a> |
| <span class="sourceLineNo">1198</span> }<a name="line.1198"></a> |
| <span class="sourceLineNo">1199</span><a name="line.1199"></a> |
| <span class="sourceLineNo">1200</span> @Override<a name="line.1200"></a> |
| <span class="sourceLineNo">1201</span> public void preDecommissionRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1201"></a> |
| <span class="sourceLineNo">1202</span> List<ServerName> servers, boolean offload) throws IOException {<a name="line.1202"></a> |
| <span class="sourceLineNo">1203</span> requirePermission(ctx, "decommissionRegionServers", Action.ADMIN);<a name="line.1203"></a> |
| <span class="sourceLineNo">1204</span> }<a name="line.1204"></a> |
| <span class="sourceLineNo">1205</span><a name="line.1205"></a> |
| <span class="sourceLineNo">1206</span> @Override<a name="line.1206"></a> |
| <span class="sourceLineNo">1207</span> public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1207"></a> |
| <span class="sourceLineNo">1208</span> throws IOException {<a name="line.1208"></a> |
| <span class="sourceLineNo">1209</span> requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN);<a name="line.1209"></a> |
| <span class="sourceLineNo">1210</span> }<a name="line.1210"></a> |
| <span class="sourceLineNo">1211</span><a name="line.1211"></a> |
| <span class="sourceLineNo">1212</span> @Override<a name="line.1212"></a> |
| <span class="sourceLineNo">1213</span> public void preRecommissionRegionServer(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1213"></a> |
| <span class="sourceLineNo">1214</span> ServerName server, List<byte[]> encodedRegionNames) throws IOException {<a name="line.1214"></a> |
| <span class="sourceLineNo">1215</span> requirePermission(ctx, "recommissionRegionServers", Action.ADMIN);<a name="line.1215"></a> |
| <span class="sourceLineNo">1216</span> }<a name="line.1216"></a> |
| <span class="sourceLineNo">1217</span><a name="line.1217"></a> |
| <span class="sourceLineNo">1218</span> /* ---- RegionObserver implementation ---- */<a name="line.1218"></a> |
| <span class="sourceLineNo">1219</span><a name="line.1219"></a> |
| <span class="sourceLineNo">1220</span> @Override<a name="line.1220"></a> |
| <span class="sourceLineNo">1221</span> public void preOpen(ObserverContext<RegionCoprocessorEnvironment> c) throws IOException {<a name="line.1221"></a> |
| <span class="sourceLineNo">1222</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1222"></a> |
| <span class="sourceLineNo">1223</span> final Region region = env.getRegion();<a name="line.1223"></a> |
| <span class="sourceLineNo">1224</span> if (region == null) {<a name="line.1224"></a> |
| <span class="sourceLineNo">1225</span> LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");<a name="line.1225"></a> |
| <span class="sourceLineNo">1226</span> } else {<a name="line.1226"></a> |
| <span class="sourceLineNo">1227</span> RegionInfo regionInfo = region.getRegionInfo();<a name="line.1227"></a> |
| <span class="sourceLineNo">1228</span> if (regionInfo.getTable().isSystemTable()) {<a name="line.1228"></a> |
| <span class="sourceLineNo">1229</span> checkSystemOrSuperUser(getActiveUser(c));<a name="line.1229"></a> |
| <span class="sourceLineNo">1230</span> } else {<a name="line.1230"></a> |
| <span class="sourceLineNo">1231</span> requirePermission(c, "preOpen", Action.ADMIN);<a name="line.1231"></a> |
| <span class="sourceLineNo">1232</span> }<a name="line.1232"></a> |
| <span class="sourceLineNo">1233</span> }<a name="line.1233"></a> |
| <span class="sourceLineNo">1234</span> }<a name="line.1234"></a> |
| <span class="sourceLineNo">1235</span><a name="line.1235"></a> |
| <span class="sourceLineNo">1236</span> @Override<a name="line.1236"></a> |
| <span class="sourceLineNo">1237</span> public void postOpen(ObserverContext<RegionCoprocessorEnvironment> c) {<a name="line.1237"></a> |
| <span class="sourceLineNo">1238</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1238"></a> |
| <span class="sourceLineNo">1239</span> final Region region = env.getRegion();<a name="line.1239"></a> |
| <span class="sourceLineNo">1240</span> if (region == null) {<a name="line.1240"></a> |
| <span class="sourceLineNo">1241</span> LOG.error("NULL region from RegionCoprocessorEnvironment in postOpen()");<a name="line.1241"></a> |
| <span class="sourceLineNo">1242</span> return;<a name="line.1242"></a> |
| <span class="sourceLineNo">1243</span> }<a name="line.1243"></a> |
| <span class="sourceLineNo">1244</span> if (PermissionStorage.isAclRegion(region)) {<a name="line.1244"></a> |
| <span class="sourceLineNo">1245</span> aclRegion = true;<a name="line.1245"></a> |
| <span class="sourceLineNo">1246</span> try {<a name="line.1246"></a> |
| <span class="sourceLineNo">1247</span> initialize(env);<a name="line.1247"></a> |
| <span class="sourceLineNo">1248</span> } catch (IOException ex) {<a name="line.1248"></a> |
| <span class="sourceLineNo">1249</span> // if we can't obtain permissions, it's better to fail<a name="line.1249"></a> |
| <span class="sourceLineNo">1250</span> // than perform checks incorrectly<a name="line.1250"></a> |
| <span class="sourceLineNo">1251</span> throw new RuntimeException("Failed to initialize permissions cache", ex);<a name="line.1251"></a> |
| <span class="sourceLineNo">1252</span> }<a name="line.1252"></a> |
| <span class="sourceLineNo">1253</span> } else {<a name="line.1253"></a> |
| <span class="sourceLineNo">1254</span> initialized = true;<a name="line.1254"></a> |
| <span class="sourceLineNo">1255</span> }<a name="line.1255"></a> |
| <span class="sourceLineNo">1256</span> }<a name="line.1256"></a> |
| <span class="sourceLineNo">1257</span><a name="line.1257"></a> |
| <span class="sourceLineNo">1258</span> @Override<a name="line.1258"></a> |
| <span class="sourceLineNo">1259</span> public void preFlush(ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1259"></a> |
| <span class="sourceLineNo">1260</span> FlushLifeCycleTracker tracker) throws IOException {<a name="line.1260"></a> |
| <span class="sourceLineNo">1261</span> requirePermission(c, "flush", getTableName(c.getEnvironment()), null, null, Action.ADMIN,<a name="line.1261"></a> |
| <span class="sourceLineNo">1262</span> Action.CREATE);<a name="line.1262"></a> |
| <span class="sourceLineNo">1263</span> }<a name="line.1263"></a> |
| <span class="sourceLineNo">1264</span><a name="line.1264"></a> |
| <span class="sourceLineNo">1265</span> @Override<a name="line.1265"></a> |
| <span class="sourceLineNo">1266</span> public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> c, Store store,<a name="line.1266"></a> |
| <span class="sourceLineNo">1267</span> InternalScanner scanner, ScanType scanType, CompactionLifeCycleTracker tracker,<a name="line.1267"></a> |
| <span class="sourceLineNo">1268</span> CompactionRequest request) throws IOException {<a name="line.1268"></a> |
| <span class="sourceLineNo">1269</span> requirePermission(c, "compact", getTableName(c.getEnvironment()), null, null, Action.ADMIN,<a name="line.1269"></a> |
| <span class="sourceLineNo">1270</span> Action.CREATE);<a name="line.1270"></a> |
| <span class="sourceLineNo">1271</span> return scanner;<a name="line.1271"></a> |
| <span class="sourceLineNo">1272</span> }<a name="line.1272"></a> |
| <span class="sourceLineNo">1273</span><a name="line.1273"></a> |
| <span class="sourceLineNo">1274</span> private void internalPreRead(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1274"></a> |
| <span class="sourceLineNo">1275</span> final Query query, OpType opType) throws IOException {<a name="line.1275"></a> |
| <span class="sourceLineNo">1276</span> Filter filter = query.getFilter();<a name="line.1276"></a> |
| <span class="sourceLineNo">1277</span> // Don't wrap an AccessControlFilter<a name="line.1277"></a> |
| <span class="sourceLineNo">1278</span> if (filter != null && filter instanceof AccessControlFilter) {<a name="line.1278"></a> |
| <span class="sourceLineNo">1279</span> return;<a name="line.1279"></a> |
| <span class="sourceLineNo">1280</span> }<a name="line.1280"></a> |
| <span class="sourceLineNo">1281</span> User user = getActiveUser(c);<a name="line.1281"></a> |
| <span class="sourceLineNo">1282</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1282"></a> |
| <span class="sourceLineNo">1283</span> Map<byte[], ? extends Collection<byte[]>> families = null;<a name="line.1283"></a> |
| <span class="sourceLineNo">1284</span> switch (opType) {<a name="line.1284"></a> |
| <span class="sourceLineNo">1285</span> case GET:<a name="line.1285"></a> |
| <span class="sourceLineNo">1286</span> case EXISTS:<a name="line.1286"></a> |
| <span class="sourceLineNo">1287</span> families = ((Get) query).getFamilyMap();<a name="line.1287"></a> |
| <span class="sourceLineNo">1288</span> break;<a name="line.1288"></a> |
| <span class="sourceLineNo">1289</span> case SCAN:<a name="line.1289"></a> |
| <span class="sourceLineNo">1290</span> families = ((Scan) query).getFamilyMap();<a name="line.1290"></a> |
| <span class="sourceLineNo">1291</span> break;<a name="line.1291"></a> |
| <span class="sourceLineNo">1292</span> default:<a name="line.1292"></a> |
| <span class="sourceLineNo">1293</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1293"></a> |
| <span class="sourceLineNo">1294</span> }<a name="line.1294"></a> |
| <span class="sourceLineNo">1295</span> AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ);<a name="line.1295"></a> |
| <span class="sourceLineNo">1296</span> Region region = getRegion(env);<a name="line.1296"></a> |
| <span class="sourceLineNo">1297</span> TableName table = getTableName(region);<a name="line.1297"></a> |
| <span class="sourceLineNo">1298</span> Map<ByteRange, Integer> cfVsMaxVersions = Maps.newHashMap();<a name="line.1298"></a> |
| <span class="sourceLineNo">1299</span> for (ColumnFamilyDescriptor hcd : region.getTableDescriptor().getColumnFamilies()) {<a name="line.1299"></a> |
| <span class="sourceLineNo">1300</span> cfVsMaxVersions.put(new SimpleMutableByteRange(hcd.getName()), hcd.getMaxVersions());<a name="line.1300"></a> |
| <span class="sourceLineNo">1301</span> }<a name="line.1301"></a> |
| <span class="sourceLineNo">1302</span> if (!authResult.isAllowed()) {<a name="line.1302"></a> |
| <span class="sourceLineNo">1303</span> if (!cellFeaturesEnabled || compatibleEarlyTermination) {<a name="line.1303"></a> |
| <span class="sourceLineNo">1304</span> // Old behavior: Scan with only qualifier checks if we have partial<a name="line.1304"></a> |
| <span class="sourceLineNo">1305</span> // permission. Backwards compatible behavior is to throw an<a name="line.1305"></a> |
| <span class="sourceLineNo">1306</span> // AccessDeniedException immediately if there are no grants for table<a name="line.1306"></a> |
| <span class="sourceLineNo">1307</span> // or CF or CF+qual. Only proceed with an injected filter if there are<a name="line.1307"></a> |
| <span class="sourceLineNo">1308</span> // grants for qualifiers. Otherwise we will fall through below and log<a name="line.1308"></a> |
| <span class="sourceLineNo">1309</span> // the result and throw an ADE. We may end up checking qualifier<a name="line.1309"></a> |
| <span class="sourceLineNo">1310</span> // grants three times (permissionGranted above, here, and in the<a name="line.1310"></a> |
| <span class="sourceLineNo">1311</span> // filter) but that's the price of backwards compatibility.<a name="line.1311"></a> |
| <span class="sourceLineNo">1312</span> if (hasFamilyQualifierPermission(user, Action.READ, env, families)) {<a name="line.1312"></a> |
| <span class="sourceLineNo">1313</span> authResult.setAllowed(true);<a name="line.1313"></a> |
| <span class="sourceLineNo">1314</span> authResult.setReason("Access allowed with filter");<a name="line.1314"></a> |
| <span class="sourceLineNo">1315</span> // Only wrap the filter if we are enforcing authorizations<a name="line.1315"></a> |
| <span class="sourceLineNo">1316</span> if (authorizationEnabled) {<a name="line.1316"></a> |
| <span class="sourceLineNo">1317</span> Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,<a name="line.1317"></a> |
| <span class="sourceLineNo">1318</span> AccessControlFilter.Strategy.CHECK_TABLE_AND_CF_ONLY, cfVsMaxVersions);<a name="line.1318"></a> |
| <span class="sourceLineNo">1319</span> // wrap any existing filter<a name="line.1319"></a> |
| <span class="sourceLineNo">1320</span> if (filter != null) {<a name="line.1320"></a> |
| <span class="sourceLineNo">1321</span> ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL,<a name="line.1321"></a> |
| <span class="sourceLineNo">1322</span> Lists.newArrayList(ourFilter, filter));<a name="line.1322"></a> |
| <span class="sourceLineNo">1323</span> }<a name="line.1323"></a> |
| <span class="sourceLineNo">1324</span> switch (opType) {<a name="line.1324"></a> |
| <span class="sourceLineNo">1325</span> case GET:<a name="line.1325"></a> |
| <span class="sourceLineNo">1326</span> case EXISTS:<a name="line.1326"></a> |
| <span class="sourceLineNo">1327</span> ((Get) query).setFilter(ourFilter);<a name="line.1327"></a> |
| <span class="sourceLineNo">1328</span> break;<a name="line.1328"></a> |
| <span class="sourceLineNo">1329</span> case SCAN:<a name="line.1329"></a> |
| <span class="sourceLineNo">1330</span> ((Scan) query).setFilter(ourFilter);<a name="line.1330"></a> |
| <span class="sourceLineNo">1331</span> break;<a name="line.1331"></a> |
| <span class="sourceLineNo">1332</span> default:<a name="line.1332"></a> |
| <span class="sourceLineNo">1333</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1333"></a> |
| <span class="sourceLineNo">1334</span> }<a name="line.1334"></a> |
| <span class="sourceLineNo">1335</span> }<a name="line.1335"></a> |
| <span class="sourceLineNo">1336</span> }<a name="line.1336"></a> |
| <span class="sourceLineNo">1337</span> } else {<a name="line.1337"></a> |
| <span class="sourceLineNo">1338</span> // New behavior: Any access we might be granted is more fine-grained<a name="line.1338"></a> |
| <span class="sourceLineNo">1339</span> // than whole table or CF. Simply inject a filter and return what is<a name="line.1339"></a> |
| <span class="sourceLineNo">1340</span> // allowed. We will not throw an AccessDeniedException. This is a<a name="line.1340"></a> |
| <span class="sourceLineNo">1341</span> // behavioral change since 0.96.<a name="line.1341"></a> |
| <span class="sourceLineNo">1342</span> authResult.setAllowed(true);<a name="line.1342"></a> |
| <span class="sourceLineNo">1343</span> authResult.setReason("Access allowed with filter");<a name="line.1343"></a> |
| <span class="sourceLineNo">1344</span> // Only wrap the filter if we are enforcing authorizations<a name="line.1344"></a> |
| <span class="sourceLineNo">1345</span> if (authorizationEnabled) {<a name="line.1345"></a> |
| <span class="sourceLineNo">1346</span> Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,<a name="line.1346"></a> |
| <span class="sourceLineNo">1347</span> AccessControlFilter.Strategy.CHECK_CELL_DEFAULT, cfVsMaxVersions);<a name="line.1347"></a> |
| <span class="sourceLineNo">1348</span> // wrap any existing filter<a name="line.1348"></a> |
| <span class="sourceLineNo">1349</span> if (filter != null) {<a name="line.1349"></a> |
| <span class="sourceLineNo">1350</span> ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL,<a name="line.1350"></a> |
| <span class="sourceLineNo">1351</span> Lists.newArrayList(ourFilter, filter));<a name="line.1351"></a> |
| <span class="sourceLineNo">1352</span> }<a name="line.1352"></a> |
| <span class="sourceLineNo">1353</span> switch (opType) {<a name="line.1353"></a> |
| <span class="sourceLineNo">1354</span> case GET:<a name="line.1354"></a> |
| <span class="sourceLineNo">1355</span> case EXISTS:<a name="line.1355"></a> |
| <span class="sourceLineNo">1356</span> ((Get) query).setFilter(ourFilter);<a name="line.1356"></a> |
| <span class="sourceLineNo">1357</span> break;<a name="line.1357"></a> |
| <span class="sourceLineNo">1358</span> case SCAN:<a name="line.1358"></a> |
| <span class="sourceLineNo">1359</span> ((Scan) query).setFilter(ourFilter);<a name="line.1359"></a> |
| <span class="sourceLineNo">1360</span> break;<a name="line.1360"></a> |
| <span class="sourceLineNo">1361</span> default:<a name="line.1361"></a> |
| <span class="sourceLineNo">1362</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1362"></a> |
| <span class="sourceLineNo">1363</span> }<a name="line.1363"></a> |
| <span class="sourceLineNo">1364</span> }<a name="line.1364"></a> |
| <span class="sourceLineNo">1365</span> }<a name="line.1365"></a> |
| <span class="sourceLineNo">1366</span> }<a name="line.1366"></a> |
| <span class="sourceLineNo">1367</span><a name="line.1367"></a> |
| <span class="sourceLineNo">1368</span> AccessChecker.logResult(authResult);<a name="line.1368"></a> |
| <span class="sourceLineNo">1369</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1369"></a> |
| <span class="sourceLineNo">1370</span> throw new AccessDeniedException("Insufficient permissions for user '"<a name="line.1370"></a> |
| <span class="sourceLineNo">1371</span> + (user != null ? user.getShortName() : "null") + "' (table=" + table + ", action=READ)");<a name="line.1371"></a> |
| <span class="sourceLineNo">1372</span> }<a name="line.1372"></a> |
| <span class="sourceLineNo">1373</span> }<a name="line.1373"></a> |
| <span class="sourceLineNo">1374</span><a name="line.1374"></a> |
| <span class="sourceLineNo">1375</span> @Override<a name="line.1375"></a> |
| <span class="sourceLineNo">1376</span> public void preGetOp(final ObserverContext<RegionCoprocessorEnvironment> c, final Get get,<a name="line.1376"></a> |
| <span class="sourceLineNo">1377</span> final List<Cell> result) throws IOException {<a name="line.1377"></a> |
| <span class="sourceLineNo">1378</span> internalPreRead(c, get, OpType.GET);<a name="line.1378"></a> |
| <span class="sourceLineNo">1379</span> }<a name="line.1379"></a> |
| <span class="sourceLineNo">1380</span><a name="line.1380"></a> |
| <span class="sourceLineNo">1381</span> @Override<a name="line.1381"></a> |
| <span class="sourceLineNo">1382</span> public boolean preExists(final ObserverContext<RegionCoprocessorEnvironment> c, final Get get,<a name="line.1382"></a> |
| <span class="sourceLineNo">1383</span> final boolean exists) throws IOException {<a name="line.1383"></a> |
| <span class="sourceLineNo">1384</span> internalPreRead(c, get, OpType.EXISTS);<a name="line.1384"></a> |
| <span class="sourceLineNo">1385</span> return exists;<a name="line.1385"></a> |
| <span class="sourceLineNo">1386</span> }<a name="line.1386"></a> |
| <span class="sourceLineNo">1387</span><a name="line.1387"></a> |
| <span class="sourceLineNo">1388</span> @Override<a name="line.1388"></a> |
| <span class="sourceLineNo">1389</span> public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c, final Put put,<a name="line.1389"></a> |
| <span class="sourceLineNo">1390</span> final WALEdit edit, final Durability durability) throws IOException {<a name="line.1390"></a> |
| <span class="sourceLineNo">1391</span> User user = getActiveUser(c);<a name="line.1391"></a> |
| <span class="sourceLineNo">1392</span> checkForReservedTagPresence(user, put);<a name="line.1392"></a> |
| <span class="sourceLineNo">1393</span><a name="line.1393"></a> |
| <span class="sourceLineNo">1394</span> // Require WRITE permission to the table, CF, or top visible value, if any.<a name="line.1394"></a> |
| <span class="sourceLineNo">1395</span> // NOTE: We don't need to check the permissions for any earlier Puts<a name="line.1395"></a> |
| <span class="sourceLineNo">1396</span> // because we treat the ACLs in each Put as timestamped like any other<a name="line.1396"></a> |
| <span class="sourceLineNo">1397</span> // HBase value. A new ACL in a new Put applies to that Put. It doesn't<a name="line.1397"></a> |
| <span class="sourceLineNo">1398</span> // change the ACL of any previous Put. This allows simple evolution of<a name="line.1398"></a> |
| <span class="sourceLineNo">1399</span> // security policy over time without requiring expensive updates.<a name="line.1399"></a> |
| <span class="sourceLineNo">1400</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1400"></a> |
| <span class="sourceLineNo">1401</span> Map<byte[], ? extends Collection<Cell>> families = put.getFamilyCellMap();<a name="line.1401"></a> |
| <span class="sourceLineNo">1402</span> AuthResult authResult = permissionGranted(OpType.PUT, user, env, families, Action.WRITE);<a name="line.1402"></a> |
| <span class="sourceLineNo">1403</span> AccessChecker.logResult(authResult);<a name="line.1403"></a> |
| <span class="sourceLineNo">1404</span> if (!authResult.isAllowed()) {<a name="line.1404"></a> |
| <span class="sourceLineNo">1405</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1405"></a> |
| <span class="sourceLineNo">1406</span> put.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1406"></a> |
| <span class="sourceLineNo">1407</span> } else if (authorizationEnabled) {<a name="line.1407"></a> |
| <span class="sourceLineNo">1408</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1408"></a> |
| <span class="sourceLineNo">1409</span> }<a name="line.1409"></a> |
| <span class="sourceLineNo">1410</span> }<a name="line.1410"></a> |
| <span class="sourceLineNo">1411</span><a name="line.1411"></a> |
| <span class="sourceLineNo">1412</span> // Add cell ACLs from the operation to the cells themselves<a name="line.1412"></a> |
| <span class="sourceLineNo">1413</span> byte[] bytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1413"></a> |
| <span class="sourceLineNo">1414</span> if (bytes != null) {<a name="line.1414"></a> |
| <span class="sourceLineNo">1415</span> if (cellFeaturesEnabled) {<a name="line.1415"></a> |
| <span class="sourceLineNo">1416</span> addCellPermissions(bytes, put.getFamilyCellMap());<a name="line.1416"></a> |
| <span class="sourceLineNo">1417</span> } else {<a name="line.1417"></a> |
| <span class="sourceLineNo">1418</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1418"></a> |
| <span class="sourceLineNo">1419</span> }<a name="line.1419"></a> |
| <span class="sourceLineNo">1420</span> }<a name="line.1420"></a> |
| <span class="sourceLineNo">1421</span> }<a name="line.1421"></a> |
| <span class="sourceLineNo">1422</span><a name="line.1422"></a> |
| <span class="sourceLineNo">1423</span> @Override<a name="line.1423"></a> |
| <span class="sourceLineNo">1424</span> public void postPut(final ObserverContext<RegionCoprocessorEnvironment> c, final Put put,<a name="line.1424"></a> |
| <span class="sourceLineNo">1425</span> final WALEdit edit, final Durability durability) {<a name="line.1425"></a> |
| <span class="sourceLineNo">1426</span> if (aclRegion) {<a name="line.1426"></a> |
| <span class="sourceLineNo">1427</span> updateACL(c.getEnvironment(), put.getFamilyCellMap());<a name="line.1427"></a> |
| <span class="sourceLineNo">1428</span> }<a name="line.1428"></a> |
| <span class="sourceLineNo">1429</span> }<a name="line.1429"></a> |
| <span class="sourceLineNo">1430</span><a name="line.1430"></a> |
| <span class="sourceLineNo">1431</span> @Override<a name="line.1431"></a> |
| <span class="sourceLineNo">1432</span> public void preDelete(final ObserverContext<RegionCoprocessorEnvironment> c, final Delete delete,<a name="line.1432"></a> |
| <span class="sourceLineNo">1433</span> final WALEdit edit, final Durability durability) throws IOException {<a name="line.1433"></a> |
| <span class="sourceLineNo">1434</span> // An ACL on a delete is useless, we shouldn't allow it<a name="line.1434"></a> |
| <span class="sourceLineNo">1435</span> if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {<a name="line.1435"></a> |
| <span class="sourceLineNo">1436</span> throw new DoNotRetryIOException("ACL on delete has no effect: " + delete.toString());<a name="line.1436"></a> |
| <span class="sourceLineNo">1437</span> }<a name="line.1437"></a> |
| <span class="sourceLineNo">1438</span> // Require WRITE permissions on all cells covered by the delete. Unlike<a name="line.1438"></a> |
| <span class="sourceLineNo">1439</span> // for Puts we need to check all visible prior versions, because a major<a name="line.1439"></a> |
| <span class="sourceLineNo">1440</span> // compaction could remove them. If the user doesn't have permission to<a name="line.1440"></a> |
| <span class="sourceLineNo">1441</span> // overwrite any of the visible versions ('visible' defined as not covered<a name="line.1441"></a> |
| <span class="sourceLineNo">1442</span> // by a tombstone already) then we have to disallow this operation.<a name="line.1442"></a> |
| <span class="sourceLineNo">1443</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1443"></a> |
| <span class="sourceLineNo">1444</span> Map<byte[], ? extends Collection<Cell>> families = delete.getFamilyCellMap();<a name="line.1444"></a> |
| <span class="sourceLineNo">1445</span> User user = getActiveUser(c);<a name="line.1445"></a> |
| <span class="sourceLineNo">1446</span> AuthResult authResult = permissionGranted(OpType.DELETE, user, env, families, Action.WRITE);<a name="line.1446"></a> |
| <span class="sourceLineNo">1447</span> AccessChecker.logResult(authResult);<a name="line.1447"></a> |
| <span class="sourceLineNo">1448</span> if (!authResult.isAllowed()) {<a name="line.1448"></a> |
| <span class="sourceLineNo">1449</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1449"></a> |
| <span class="sourceLineNo">1450</span> delete.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1450"></a> |
| <span class="sourceLineNo">1451</span> } else if (authorizationEnabled) {<a name="line.1451"></a> |
| <span class="sourceLineNo">1452</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1452"></a> |
| <span class="sourceLineNo">1453</span> }<a name="line.1453"></a> |
| <span class="sourceLineNo">1454</span> }<a name="line.1454"></a> |
| <span class="sourceLineNo">1455</span> }<a name="line.1455"></a> |
| <span class="sourceLineNo">1456</span><a name="line.1456"></a> |
| <span class="sourceLineNo">1457</span> @Override<a name="line.1457"></a> |
| <span class="sourceLineNo">1458</span> public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1458"></a> |
| <span class="sourceLineNo">1459</span> MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {<a name="line.1459"></a> |
| <span class="sourceLineNo">1460</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1460"></a> |
| <span class="sourceLineNo">1461</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1461"></a> |
| <span class="sourceLineNo">1462</span> User user = getActiveUser(c);<a name="line.1462"></a> |
| <span class="sourceLineNo">1463</span> for (int i = 0; i < miniBatchOp.size(); i++) {<a name="line.1463"></a> |
| <span class="sourceLineNo">1464</span> Mutation m = miniBatchOp.getOperation(i);<a name="line.1464"></a> |
| <span class="sourceLineNo">1465</span> if (m.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1465"></a> |
| <span class="sourceLineNo">1466</span> // We have a failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1466"></a> |
| <span class="sourceLineNo">1467</span> // perm check<a name="line.1467"></a> |
| <span class="sourceLineNo">1468</span> OpType opType;<a name="line.1468"></a> |
| <span class="sourceLineNo">1469</span> long timestamp;<a name="line.1469"></a> |
| <span class="sourceLineNo">1470</span> if (m instanceof Put) {<a name="line.1470"></a> |
| <span class="sourceLineNo">1471</span> checkForReservedTagPresence(user, m);<a name="line.1471"></a> |
| <span class="sourceLineNo">1472</span> opType = OpType.PUT;<a name="line.1472"></a> |
| <span class="sourceLineNo">1473</span> timestamp = m.getTimestamp();<a name="line.1473"></a> |
| <span class="sourceLineNo">1474</span> } else if (m instanceof Delete) {<a name="line.1474"></a> |
| <span class="sourceLineNo">1475</span> opType = OpType.DELETE;<a name="line.1475"></a> |
| <span class="sourceLineNo">1476</span> timestamp = m.getTimestamp();<a name="line.1476"></a> |
| <span class="sourceLineNo">1477</span> } else if (m instanceof Increment) {<a name="line.1477"></a> |
| <span class="sourceLineNo">1478</span> opType = OpType.INCREMENT;<a name="line.1478"></a> |
| <span class="sourceLineNo">1479</span> timestamp = ((Increment) m).getTimeRange().getMax();<a name="line.1479"></a> |
| <span class="sourceLineNo">1480</span> } else if (m instanceof Append) {<a name="line.1480"></a> |
| <span class="sourceLineNo">1481</span> opType = OpType.APPEND;<a name="line.1481"></a> |
| <span class="sourceLineNo">1482</span> timestamp = ((Append) m).getTimeRange().getMax();<a name="line.1482"></a> |
| <span class="sourceLineNo">1483</span> } else {<a name="line.1483"></a> |
| <span class="sourceLineNo">1484</span> // If the operation type is not Put/Delete/Increment/Append, do nothing<a name="line.1484"></a> |
| <span class="sourceLineNo">1485</span> continue;<a name="line.1485"></a> |
| <span class="sourceLineNo">1486</span> }<a name="line.1486"></a> |
| <span class="sourceLineNo">1487</span> AuthResult authResult = null;<a name="line.1487"></a> |
| <span class="sourceLineNo">1488</span> if (<a name="line.1488"></a> |
| <span class="sourceLineNo">1489</span> checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),<a name="line.1489"></a> |
| <span class="sourceLineNo">1490</span> m.getFamilyCellMap(), timestamp, Action.WRITE)<a name="line.1490"></a> |
| <span class="sourceLineNo">1491</span> ) {<a name="line.1491"></a> |
| <span class="sourceLineNo">1492</span> authResult = AuthResult.allow(opType.toString(), "Covering cell set", user,<a name="line.1492"></a> |
| <span class="sourceLineNo">1493</span> Action.WRITE, table, m.getFamilyCellMap());<a name="line.1493"></a> |
| <span class="sourceLineNo">1494</span> } else {<a name="line.1494"></a> |
| <span class="sourceLineNo">1495</span> authResult = AuthResult.deny(opType.toString(), "Covering cell set", user, Action.WRITE,<a name="line.1495"></a> |
| <span class="sourceLineNo">1496</span> table, m.getFamilyCellMap());<a name="line.1496"></a> |
| <span class="sourceLineNo">1497</span> }<a name="line.1497"></a> |
| <span class="sourceLineNo">1498</span> AccessChecker.logResult(authResult);<a name="line.1498"></a> |
| <span class="sourceLineNo">1499</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1499"></a> |
| <span class="sourceLineNo">1500</span> throw new AccessDeniedException(<a name="line.1500"></a> |
| <span class="sourceLineNo">1501</span> "Insufficient permissions " + authResult.toContextString());<a name="line.1501"></a> |
| <span class="sourceLineNo">1502</span> }<a name="line.1502"></a> |
| <span class="sourceLineNo">1503</span> }<a name="line.1503"></a> |
| <span class="sourceLineNo">1504</span> }<a name="line.1504"></a> |
| <span class="sourceLineNo">1505</span> }<a name="line.1505"></a> |
| <span class="sourceLineNo">1506</span> }<a name="line.1506"></a> |
| <span class="sourceLineNo">1507</span><a name="line.1507"></a> |
| <span class="sourceLineNo">1508</span> @Override<a name="line.1508"></a> |
| <span class="sourceLineNo">1509</span> public void postDelete(final ObserverContext<RegionCoprocessorEnvironment> c, final Delete delete,<a name="line.1509"></a> |
| <span class="sourceLineNo">1510</span> final WALEdit edit, final Durability durability) throws IOException {<a name="line.1510"></a> |
| <span class="sourceLineNo">1511</span> if (aclRegion) {<a name="line.1511"></a> |
| <span class="sourceLineNo">1512</span> updateACL(c.getEnvironment(), delete.getFamilyCellMap());<a name="line.1512"></a> |
| <span class="sourceLineNo">1513</span> }<a name="line.1513"></a> |
| <span class="sourceLineNo">1514</span> }<a name="line.1514"></a> |
| <span class="sourceLineNo">1515</span><a name="line.1515"></a> |
| <span class="sourceLineNo">1516</span> @Override<a name="line.1516"></a> |
| <span class="sourceLineNo">1517</span> public boolean preCheckAndPut(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1517"></a> |
| <span class="sourceLineNo">1518</span> final byte[] row, final byte[] family, final byte[] qualifier, final CompareOperator op,<a name="line.1518"></a> |
| <span class="sourceLineNo">1519</span> final ByteArrayComparable comparator, final Put put, final boolean result) throws IOException {<a name="line.1519"></a> |
| <span class="sourceLineNo">1520</span> User user = getActiveUser(c);<a name="line.1520"></a> |
| <span class="sourceLineNo">1521</span> checkForReservedTagPresence(user, put);<a name="line.1521"></a> |
| <span class="sourceLineNo">1522</span><a name="line.1522"></a> |
| <span class="sourceLineNo">1523</span> // Require READ and WRITE permissions on the table, CF, and KV to update<a name="line.1523"></a> |
| <span class="sourceLineNo">1524</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1524"></a> |
| <span class="sourceLineNo">1525</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1525"></a> |
| <span class="sourceLineNo">1526</span> AuthResult authResult =<a name="line.1526"></a> |
| <span class="sourceLineNo">1527</span> permissionGranted(OpType.CHECK_AND_PUT, user, env, families, Action.READ, Action.WRITE);<a name="line.1527"></a> |
| <span class="sourceLineNo">1528</span> AccessChecker.logResult(authResult);<a name="line.1528"></a> |
| <span class="sourceLineNo">1529</span> if (!authResult.isAllowed()) {<a name="line.1529"></a> |
| <span class="sourceLineNo">1530</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1530"></a> |
| <span class="sourceLineNo">1531</span> put.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1531"></a> |
| <span class="sourceLineNo">1532</span> } else if (authorizationEnabled) {<a name="line.1532"></a> |
| <span class="sourceLineNo">1533</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1533"></a> |
| <span class="sourceLineNo">1534</span> }<a name="line.1534"></a> |
| <span class="sourceLineNo">1535</span> }<a name="line.1535"></a> |
| <span class="sourceLineNo">1536</span><a name="line.1536"></a> |
| <span class="sourceLineNo">1537</span> byte[] bytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1537"></a> |
| <span class="sourceLineNo">1538</span> if (bytes != null) {<a name="line.1538"></a> |
| <span class="sourceLineNo">1539</span> if (cellFeaturesEnabled) {<a name="line.1539"></a> |
| <span class="sourceLineNo">1540</span> addCellPermissions(bytes, put.getFamilyCellMap());<a name="line.1540"></a> |
| <span class="sourceLineNo">1541</span> } else {<a name="line.1541"></a> |
| <span class="sourceLineNo">1542</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1542"></a> |
| <span class="sourceLineNo">1543</span> }<a name="line.1543"></a> |
| <span class="sourceLineNo">1544</span> }<a name="line.1544"></a> |
| <span class="sourceLineNo">1545</span> return result;<a name="line.1545"></a> |
| <span class="sourceLineNo">1546</span> }<a name="line.1546"></a> |
| <span class="sourceLineNo">1547</span><a name="line.1547"></a> |
| <span class="sourceLineNo">1548</span> @Override<a name="line.1548"></a> |
| <span class="sourceLineNo">1549</span> public boolean preCheckAndPutAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1549"></a> |
| <span class="sourceLineNo">1550</span> final byte[] row, final byte[] family, final byte[] qualifier, final CompareOperator opp,<a name="line.1550"></a> |
| <span class="sourceLineNo">1551</span> final ByteArrayComparable comparator, final Put put, final boolean result) throws IOException {<a name="line.1551"></a> |
| <span class="sourceLineNo">1552</span> if (put.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1552"></a> |
| <span class="sourceLineNo">1553</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1553"></a> |
| <span class="sourceLineNo">1554</span> // perm check<a name="line.1554"></a> |
| <span class="sourceLineNo">1555</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1555"></a> |
| <span class="sourceLineNo">1556</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1556"></a> |
| <span class="sourceLineNo">1557</span> AuthResult authResult = null;<a name="line.1557"></a> |
| <span class="sourceLineNo">1558</span> User user = getActiveUser(c);<a name="line.1558"></a> |
| <span class="sourceLineNo">1559</span> if (<a name="line.1559"></a> |
| <span class="sourceLineNo">1560</span> checkCoveringPermission(user, OpType.CHECK_AND_PUT, c.getEnvironment(), row, families,<a name="line.1560"></a> |
| <span class="sourceLineNo">1561</span> HConstants.LATEST_TIMESTAMP, Action.READ)<a name="line.1561"></a> |
| <span class="sourceLineNo">1562</span> ) {<a name="line.1562"></a> |
| <span class="sourceLineNo">1563</span> authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(), "Covering cell set", user,<a name="line.1563"></a> |
| <span class="sourceLineNo">1564</span> Action.READ, table, families);<a name="line.1564"></a> |
| <span class="sourceLineNo">1565</span> } else {<a name="line.1565"></a> |
| <span class="sourceLineNo">1566</span> authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(), "Covering cell set", user,<a name="line.1566"></a> |
| <span class="sourceLineNo">1567</span> Action.READ, table, families);<a name="line.1567"></a> |
| <span class="sourceLineNo">1568</span> }<a name="line.1568"></a> |
| <span class="sourceLineNo">1569</span> AccessChecker.logResult(authResult);<a name="line.1569"></a> |
| <span class="sourceLineNo">1570</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1570"></a> |
| <span class="sourceLineNo">1571</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1571"></a> |
| <span class="sourceLineNo">1572</span> }<a name="line.1572"></a> |
| <span class="sourceLineNo">1573</span> }<a name="line.1573"></a> |
| <span class="sourceLineNo">1574</span> return result;<a name="line.1574"></a> |
| <span class="sourceLineNo">1575</span> }<a name="line.1575"></a> |
| <span class="sourceLineNo">1576</span><a name="line.1576"></a> |
| <span class="sourceLineNo">1577</span> @Override<a name="line.1577"></a> |
| <span class="sourceLineNo">1578</span> public boolean preCheckAndDelete(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1578"></a> |
| <span class="sourceLineNo">1579</span> final byte[] row, final byte[] family, final byte[] qualifier, final CompareOperator op,<a name="line.1579"></a> |
| <span class="sourceLineNo">1580</span> final ByteArrayComparable comparator, final Delete delete, final boolean result)<a name="line.1580"></a> |
| <span class="sourceLineNo">1581</span> throws IOException {<a name="line.1581"></a> |
| <span class="sourceLineNo">1582</span> // An ACL on a delete is useless, we shouldn't allow it<a name="line.1582"></a> |
| <span class="sourceLineNo">1583</span> if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {<a name="line.1583"></a> |
| <span class="sourceLineNo">1584</span> throw new DoNotRetryIOException("ACL on checkAndDelete has no effect: " + delete.toString());<a name="line.1584"></a> |
| <span class="sourceLineNo">1585</span> }<a name="line.1585"></a> |
| <span class="sourceLineNo">1586</span> // Require READ and WRITE permissions on the table, CF, and the KV covered<a name="line.1586"></a> |
| <span class="sourceLineNo">1587</span> // by the delete<a name="line.1587"></a> |
| <span class="sourceLineNo">1588</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1588"></a> |
| <span class="sourceLineNo">1589</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1589"></a> |
| <span class="sourceLineNo">1590</span> User user = getActiveUser(c);<a name="line.1590"></a> |
| <span class="sourceLineNo">1591</span> AuthResult authResult =<a name="line.1591"></a> |
| <span class="sourceLineNo">1592</span> permissionGranted(OpType.CHECK_AND_DELETE, user, env, families, Action.READ, Action.WRITE);<a name="line.1592"></a> |
| <span class="sourceLineNo">1593</span> AccessChecker.logResult(authResult);<a name="line.1593"></a> |
| <span class="sourceLineNo">1594</span> if (!authResult.isAllowed()) {<a name="line.1594"></a> |
| <span class="sourceLineNo">1595</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1595"></a> |
| <span class="sourceLineNo">1596</span> delete.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1596"></a> |
| <span class="sourceLineNo">1597</span> } else if (authorizationEnabled) {<a name="line.1597"></a> |
| <span class="sourceLineNo">1598</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1598"></a> |
| <span class="sourceLineNo">1599</span> }<a name="line.1599"></a> |
| <span class="sourceLineNo">1600</span> }<a name="line.1600"></a> |
| <span class="sourceLineNo">1601</span> return result;<a name="line.1601"></a> |
| <span class="sourceLineNo">1602</span> }<a name="line.1602"></a> |
| <span class="sourceLineNo">1603</span><a name="line.1603"></a> |
| <span class="sourceLineNo">1604</span> @Override<a name="line.1604"></a> |
| <span class="sourceLineNo">1605</span> public boolean preCheckAndDeleteAfterRowLock(<a name="line.1605"></a> |
| <span class="sourceLineNo">1606</span> final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family,<a name="line.1606"></a> |
| <span class="sourceLineNo">1607</span> final byte[] qualifier, final CompareOperator op, final ByteArrayComparable comparator,<a name="line.1607"></a> |
| <span class="sourceLineNo">1608</span> final Delete delete, final boolean result) throws IOException {<a name="line.1608"></a> |
| <span class="sourceLineNo">1609</span> if (delete.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1609"></a> |
| <span class="sourceLineNo">1610</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1610"></a> |
| <span class="sourceLineNo">1611</span> // perm check<a name="line.1611"></a> |
| <span class="sourceLineNo">1612</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1612"></a> |
| <span class="sourceLineNo">1613</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1613"></a> |
| <span class="sourceLineNo">1614</span> AuthResult authResult = null;<a name="line.1614"></a> |
| <span class="sourceLineNo">1615</span> User user = getActiveUser(c);<a name="line.1615"></a> |
| <span class="sourceLineNo">1616</span> if (<a name="line.1616"></a> |
| <span class="sourceLineNo">1617</span> checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(), row, families,<a name="line.1617"></a> |
| <span class="sourceLineNo">1618</span> HConstants.LATEST_TIMESTAMP, Action.READ)<a name="line.1618"></a> |
| <span class="sourceLineNo">1619</span> ) {<a name="line.1619"></a> |
| <span class="sourceLineNo">1620</span> authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", user,<a name="line.1620"></a> |
| <span class="sourceLineNo">1621</span> Action.READ, table, families);<a name="line.1621"></a> |
| <span class="sourceLineNo">1622</span> } else {<a name="line.1622"></a> |
| <span class="sourceLineNo">1623</span> authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", user,<a name="line.1623"></a> |
| <span class="sourceLineNo">1624</span> Action.READ, table, families);<a name="line.1624"></a> |
| <span class="sourceLineNo">1625</span> }<a name="line.1625"></a> |
| <span class="sourceLineNo">1626</span> AccessChecker.logResult(authResult);<a name="line.1626"></a> |
| <span class="sourceLineNo">1627</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1627"></a> |
| <span class="sourceLineNo">1628</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1628"></a> |
| <span class="sourceLineNo">1629</span> }<a name="line.1629"></a> |
| <span class="sourceLineNo">1630</span> }<a name="line.1630"></a> |
| <span class="sourceLineNo">1631</span> return result;<a name="line.1631"></a> |
| <span class="sourceLineNo">1632</span> }<a name="line.1632"></a> |
| <span class="sourceLineNo">1633</span><a name="line.1633"></a> |
| <span class="sourceLineNo">1634</span> @Override<a name="line.1634"></a> |
| <span class="sourceLineNo">1635</span> public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append)<a name="line.1635"></a> |
| <span class="sourceLineNo">1636</span> throws IOException {<a name="line.1636"></a> |
| <span class="sourceLineNo">1637</span> User user = getActiveUser(c);<a name="line.1637"></a> |
| <span class="sourceLineNo">1638</span> checkForReservedTagPresence(user, append);<a name="line.1638"></a> |
| <span class="sourceLineNo">1639</span><a name="line.1639"></a> |
| <span class="sourceLineNo">1640</span> // Require WRITE permission to the table, CF, and the KV to be appended<a name="line.1640"></a> |
| <span class="sourceLineNo">1641</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1641"></a> |
| <span class="sourceLineNo">1642</span> Map<byte[], ? extends Collection<Cell>> families = append.getFamilyCellMap();<a name="line.1642"></a> |
| <span class="sourceLineNo">1643</span> AuthResult authResult = permissionGranted(OpType.APPEND, user, env, families, Action.WRITE);<a name="line.1643"></a> |
| <span class="sourceLineNo">1644</span> AccessChecker.logResult(authResult);<a name="line.1644"></a> |
| <span class="sourceLineNo">1645</span> if (!authResult.isAllowed()) {<a name="line.1645"></a> |
| <span class="sourceLineNo">1646</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1646"></a> |
| <span class="sourceLineNo">1647</span> append.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1647"></a> |
| <span class="sourceLineNo">1648</span> } else if (authorizationEnabled) {<a name="line.1648"></a> |
| <span class="sourceLineNo">1649</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1649"></a> |
| <span class="sourceLineNo">1650</span> }<a name="line.1650"></a> |
| <span class="sourceLineNo">1651</span> }<a name="line.1651"></a> |
| <span class="sourceLineNo">1652</span><a name="line.1652"></a> |
| <span class="sourceLineNo">1653</span> byte[] bytes = append.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1653"></a> |
| <span class="sourceLineNo">1654</span> if (bytes != null) {<a name="line.1654"></a> |
| <span class="sourceLineNo">1655</span> if (cellFeaturesEnabled) {<a name="line.1655"></a> |
| <span class="sourceLineNo">1656</span> addCellPermissions(bytes, append.getFamilyCellMap());<a name="line.1656"></a> |
| <span class="sourceLineNo">1657</span> } else {<a name="line.1657"></a> |
| <span class="sourceLineNo">1658</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1658"></a> |
| <span class="sourceLineNo">1659</span> }<a name="line.1659"></a> |
| <span class="sourceLineNo">1660</span> }<a name="line.1660"></a> |
| <span class="sourceLineNo">1661</span><a name="line.1661"></a> |
| <span class="sourceLineNo">1662</span> return null;<a name="line.1662"></a> |
| <span class="sourceLineNo">1663</span> }<a name="line.1663"></a> |
| <span class="sourceLineNo">1664</span><a name="line.1664"></a> |
| <span class="sourceLineNo">1665</span> @Override<a name="line.1665"></a> |
| <span class="sourceLineNo">1666</span> public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1666"></a> |
| <span class="sourceLineNo">1667</span> final Increment increment) throws IOException {<a name="line.1667"></a> |
| <span class="sourceLineNo">1668</span> User user = getActiveUser(c);<a name="line.1668"></a> |
| <span class="sourceLineNo">1669</span> checkForReservedTagPresence(user, increment);<a name="line.1669"></a> |
| <span class="sourceLineNo">1670</span><a name="line.1670"></a> |
| <span class="sourceLineNo">1671</span> // Require WRITE permission to the table, CF, and the KV to be replaced by<a name="line.1671"></a> |
| <span class="sourceLineNo">1672</span> // the incremented value<a name="line.1672"></a> |
| <span class="sourceLineNo">1673</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1673"></a> |
| <span class="sourceLineNo">1674</span> Map<byte[], ? extends Collection<Cell>> families = increment.getFamilyCellMap();<a name="line.1674"></a> |
| <span class="sourceLineNo">1675</span> AuthResult authResult = permissionGranted(OpType.INCREMENT, user, env, families, Action.WRITE);<a name="line.1675"></a> |
| <span class="sourceLineNo">1676</span> AccessChecker.logResult(authResult);<a name="line.1676"></a> |
| <span class="sourceLineNo">1677</span> if (!authResult.isAllowed()) {<a name="line.1677"></a> |
| <span class="sourceLineNo">1678</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1678"></a> |
| <span class="sourceLineNo">1679</span> increment.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1679"></a> |
| <span class="sourceLineNo">1680</span> } else if (authorizationEnabled) {<a name="line.1680"></a> |
| <span class="sourceLineNo">1681</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1681"></a> |
| <span class="sourceLineNo">1682</span> }<a name="line.1682"></a> |
| <span class="sourceLineNo">1683</span> }<a name="line.1683"></a> |
| <span class="sourceLineNo">1684</span><a name="line.1684"></a> |
| <span class="sourceLineNo">1685</span> byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1685"></a> |
| <span class="sourceLineNo">1686</span> if (bytes != null) {<a name="line.1686"></a> |
| <span class="sourceLineNo">1687</span> if (cellFeaturesEnabled) {<a name="line.1687"></a> |
| <span class="sourceLineNo">1688</span> addCellPermissions(bytes, increment.getFamilyCellMap());<a name="line.1688"></a> |
| <span class="sourceLineNo">1689</span> } else {<a name="line.1689"></a> |
| <span class="sourceLineNo">1690</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1690"></a> |
| <span class="sourceLineNo">1691</span> }<a name="line.1691"></a> |
| <span class="sourceLineNo">1692</span> }<a name="line.1692"></a> |
| <span class="sourceLineNo">1693</span><a name="line.1693"></a> |
| <span class="sourceLineNo">1694</span> return null;<a name="line.1694"></a> |
| <span class="sourceLineNo">1695</span> }<a name="line.1695"></a> |
| <span class="sourceLineNo">1696</span><a name="line.1696"></a> |
| <span class="sourceLineNo">1697</span> @Override<a name="line.1697"></a> |
| <span class="sourceLineNo">1698</span> public List<Pair<Cell, Cell>> postIncrementBeforeWAL(<a name="line.1698"></a> |
| <span class="sourceLineNo">1699</span> ObserverContext<RegionCoprocessorEnvironment> ctx, Mutation mutation,<a name="line.1699"></a> |
| <span class="sourceLineNo">1700</span> List<Pair<Cell, Cell>> cellPairs) throws IOException {<a name="line.1700"></a> |
| <span class="sourceLineNo">1701</span> // If the HFile version is insufficient to persist tags, we won't have any<a name="line.1701"></a> |
| <span class="sourceLineNo">1702</span> // work to do here<a name="line.1702"></a> |
| <span class="sourceLineNo">1703</span> if (!cellFeaturesEnabled || mutation.getACL() == null) {<a name="line.1703"></a> |
| <span class="sourceLineNo">1704</span> return cellPairs;<a name="line.1704"></a> |
| <span class="sourceLineNo">1705</span> }<a name="line.1705"></a> |
| <span class="sourceLineNo">1706</span> return cellPairs.stream()<a name="line.1706"></a> |
| <span class="sourceLineNo">1707</span> .map(pair -> new Pair<>(pair.getFirst(),<a name="line.1707"></a> |
| <span class="sourceLineNo">1708</span> createNewCellWithTags(mutation, pair.getFirst(), pair.getSecond())))<a name="line.1708"></a> |
| <span class="sourceLineNo">1709</span> .collect(Collectors.toList());<a name="line.1709"></a> |
| <span class="sourceLineNo">1710</span> }<a name="line.1710"></a> |
| <span class="sourceLineNo">1711</span><a name="line.1711"></a> |
| <span class="sourceLineNo">1712</span> @Override<a name="line.1712"></a> |
| <span class="sourceLineNo">1713</span> public List<Pair<Cell, Cell>> postAppendBeforeWAL(<a name="line.1713"></a> |
| <span class="sourceLineNo">1714</span> ObserverContext<RegionCoprocessorEnvironment> ctx, Mutation mutation,<a name="line.1714"></a> |
| <span class="sourceLineNo">1715</span> List<Pair<Cell, Cell>> cellPairs) throws IOException {<a name="line.1715"></a> |
| <span class="sourceLineNo">1716</span> // If the HFile version is insufficient to persist tags, we won't have any<a name="line.1716"></a> |
| <span class="sourceLineNo">1717</span> // work to do here<a name="line.1717"></a> |
| <span class="sourceLineNo">1718</span> if (!cellFeaturesEnabled || mutation.getACL() == null) {<a name="line.1718"></a> |
| <span class="sourceLineNo">1719</span> return cellPairs;<a name="line.1719"></a> |
| <span class="sourceLineNo">1720</span> }<a name="line.1720"></a> |
| <span class="sourceLineNo">1721</span> return cellPairs.stream()<a name="line.1721"></a> |
| <span class="sourceLineNo">1722</span> .map(pair -> new Pair<>(pair.getFirst(),<a name="line.1722"></a> |
| <span class="sourceLineNo">1723</span> createNewCellWithTags(mutation, pair.getFirst(), pair.getSecond())))<a name="line.1723"></a> |
| <span class="sourceLineNo">1724</span> .collect(Collectors.toList());<a name="line.1724"></a> |
| <span class="sourceLineNo">1725</span> }<a name="line.1725"></a> |
| <span class="sourceLineNo">1726</span><a name="line.1726"></a> |
| <span class="sourceLineNo">1727</span> private Cell createNewCellWithTags(Mutation mutation, Cell oldCell, Cell newCell) {<a name="line.1727"></a> |
| <span class="sourceLineNo">1728</span> // As Increment and Append operations have already copied the tags of oldCell to the newCell,<a name="line.1728"></a> |
| <span class="sourceLineNo">1729</span> // there is no need to rewrite them again. Just extract non-acl tags of newCell if we need to<a name="line.1729"></a> |
| <span class="sourceLineNo">1730</span> // add a new acl tag for the cell. Actually, oldCell is useless here.<a name="line.1730"></a> |
| <span class="sourceLineNo">1731</span> List<Tag> tags = Lists.newArrayList();<a name="line.1731"></a> |
| <span class="sourceLineNo">1732</span> if (newCell != null) {<a name="line.1732"></a> |
| <span class="sourceLineNo">1733</span> Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(newCell);<a name="line.1733"></a> |
| <span class="sourceLineNo">1734</span> while (tagIterator.hasNext()) {<a name="line.1734"></a> |
| <span class="sourceLineNo">1735</span> Tag tag = tagIterator.next();<a name="line.1735"></a> |
| <span class="sourceLineNo">1736</span> if (tag.getType() != PermissionStorage.ACL_TAG_TYPE) {<a name="line.1736"></a> |
| <span class="sourceLineNo">1737</span> // Not an ACL tag, just carry it through<a name="line.1737"></a> |
| <span class="sourceLineNo">1738</span> if (LOG.isTraceEnabled()) {<a name="line.1738"></a> |
| <span class="sourceLineNo">1739</span> LOG.trace("Carrying forward tag from " + newCell + ": type " + tag.getType()<a name="line.1739"></a> |
| <span class="sourceLineNo">1740</span> + " length " + tag.getValueLength());<a name="line.1740"></a> |
| <span class="sourceLineNo">1741</span> }<a name="line.1741"></a> |
| <span class="sourceLineNo">1742</span> tags.add(tag);<a name="line.1742"></a> |
| <span class="sourceLineNo">1743</span> }<a name="line.1743"></a> |
| <span class="sourceLineNo">1744</span> }<a name="line.1744"></a> |
| <span class="sourceLineNo">1745</span> }<a name="line.1745"></a> |
| <span class="sourceLineNo">1746</span><a name="line.1746"></a> |
| <span class="sourceLineNo">1747</span> // We have checked the ACL tag of mutation is not null.<a name="line.1747"></a> |
| <span class="sourceLineNo">1748</span> // So that the tags could not be empty.<a name="line.1748"></a> |
| <span class="sourceLineNo">1749</span> tags.add(new ArrayBackedTag(PermissionStorage.ACL_TAG_TYPE, mutation.getACL()));<a name="line.1749"></a> |
| <span class="sourceLineNo">1750</span> return PrivateCellUtil.createCell(newCell, tags);<a name="line.1750"></a> |
| <span class="sourceLineNo">1751</span> }<a name="line.1751"></a> |
| <span class="sourceLineNo">1752</span><a name="line.1752"></a> |
| <span class="sourceLineNo">1753</span> @Override<a name="line.1753"></a> |
| <span class="sourceLineNo">1754</span> public void preScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c, final Scan scan)<a name="line.1754"></a> |
| <span class="sourceLineNo">1755</span> throws IOException {<a name="line.1755"></a> |
| <span class="sourceLineNo">1756</span> internalPreRead(c, scan, OpType.SCAN);<a name="line.1756"></a> |
| <span class="sourceLineNo">1757</span> }<a name="line.1757"></a> |
| <span class="sourceLineNo">1758</span><a name="line.1758"></a> |
| <span class="sourceLineNo">1759</span> @Override<a name="line.1759"></a> |
| <span class="sourceLineNo">1760</span> public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1760"></a> |
| <span class="sourceLineNo">1761</span> final Scan scan, final RegionScanner s) throws IOException {<a name="line.1761"></a> |
| <span class="sourceLineNo">1762</span> User user = getActiveUser(c);<a name="line.1762"></a> |
| <span class="sourceLineNo">1763</span> if (user != null && user.getShortName() != null) {<a name="line.1763"></a> |
| <span class="sourceLineNo">1764</span> // store reference to scanner owner for later checks<a name="line.1764"></a> |
| <span class="sourceLineNo">1765</span> scannerOwners.put(s, user.getShortName());<a name="line.1765"></a> |
| <span class="sourceLineNo">1766</span> }<a name="line.1766"></a> |
| <span class="sourceLineNo">1767</span> return s;<a name="line.1767"></a> |
| <span class="sourceLineNo">1768</span> }<a name="line.1768"></a> |
| <span class="sourceLineNo">1769</span><a name="line.1769"></a> |
| <span class="sourceLineNo">1770</span> @Override<a name="line.1770"></a> |
| <span class="sourceLineNo">1771</span> public boolean preScannerNext(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1771"></a> |
| <span class="sourceLineNo">1772</span> final InternalScanner s, final List<Result> result, final int limit, final boolean hasNext)<a name="line.1772"></a> |
| <span class="sourceLineNo">1773</span> throws IOException {<a name="line.1773"></a> |
| <span class="sourceLineNo">1774</span> requireScannerOwner(s);<a name="line.1774"></a> |
| <span class="sourceLineNo">1775</span> return hasNext;<a name="line.1775"></a> |
| <span class="sourceLineNo">1776</span> }<a name="line.1776"></a> |
| <span class="sourceLineNo">1777</span><a name="line.1777"></a> |
| <span class="sourceLineNo">1778</span> @Override<a name="line.1778"></a> |
| <span class="sourceLineNo">1779</span> public void preScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1779"></a> |
| <span class="sourceLineNo">1780</span> final InternalScanner s) throws IOException {<a name="line.1780"></a> |
| <span class="sourceLineNo">1781</span> requireScannerOwner(s);<a name="line.1781"></a> |
| <span class="sourceLineNo">1782</span> }<a name="line.1782"></a> |
| <span class="sourceLineNo">1783</span><a name="line.1783"></a> |
| <span class="sourceLineNo">1784</span> @Override<a name="line.1784"></a> |
| <span class="sourceLineNo">1785</span> public void postScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1785"></a> |
| <span class="sourceLineNo">1786</span> final InternalScanner s) throws IOException {<a name="line.1786"></a> |
| <span class="sourceLineNo">1787</span> // clean up any associated owner mapping<a name="line.1787"></a> |
| <span class="sourceLineNo">1788</span> scannerOwners.remove(s);<a name="line.1788"></a> |
| <span class="sourceLineNo">1789</span> }<a name="line.1789"></a> |
| <span class="sourceLineNo">1790</span><a name="line.1790"></a> |
| <span class="sourceLineNo">1791</span> /**<a name="line.1791"></a> |
| <span class="sourceLineNo">1792</span> * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that<a name="line.1792"></a> |
| <span class="sourceLineNo">1793</span> * access control is correctly enforced based on the checks performed in preScannerOpen()<a name="line.1793"></a> |
| <span class="sourceLineNo">1794</span> */<a name="line.1794"></a> |
| <span class="sourceLineNo">1795</span> private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {<a name="line.1795"></a> |
| <span class="sourceLineNo">1796</span> if (!RpcServer.isInRpcCallContext()) {<a name="line.1796"></a> |
| <span class="sourceLineNo">1797</span> return;<a name="line.1797"></a> |
| <span class="sourceLineNo">1798</span> }<a name="line.1798"></a> |
| <span class="sourceLineNo">1799</span> String requestUserName = RpcServer.getRequestUserName().orElse(null);<a name="line.1799"></a> |
| <span class="sourceLineNo">1800</span> String owner = scannerOwners.get(s);<a name="line.1800"></a> |
| <span class="sourceLineNo">1801</span> if (authorizationEnabled && owner != null && !owner.equals(requestUserName)) {<a name="line.1801"></a> |
| <span class="sourceLineNo">1802</span> throw new AccessDeniedException("User '" + requestUserName + "' is not the scanner owner!");<a name="line.1802"></a> |
| <span class="sourceLineNo">1803</span> }<a name="line.1803"></a> |
| <span class="sourceLineNo">1804</span> }<a name="line.1804"></a> |
| <span class="sourceLineNo">1805</span><a name="line.1805"></a> |
| <span class="sourceLineNo">1806</span> /**<a name="line.1806"></a> |
| <span class="sourceLineNo">1807</span> * Verifies user has CREATE or ADMIN privileges on the Column Families involved in the<a name="line.1807"></a> |
| <span class="sourceLineNo">1808</span> * bulkLoadHFile request. Specific Column Write privileges are presently ignored.<a name="line.1808"></a> |
| <span class="sourceLineNo">1809</span> */<a name="line.1809"></a> |
| <span class="sourceLineNo">1810</span> @Override<a name="line.1810"></a> |
| <span class="sourceLineNo">1811</span> public void preBulkLoadHFile(ObserverContext<RegionCoprocessorEnvironment> ctx,<a name="line.1811"></a> |
| <span class="sourceLineNo">1812</span> List<Pair<byte[], String>> familyPaths) throws IOException {<a name="line.1812"></a> |
| <span class="sourceLineNo">1813</span> User user = getActiveUser(ctx);<a name="line.1813"></a> |
| <span class="sourceLineNo">1814</span> for (Pair<byte[], String> el : familyPaths) {<a name="line.1814"></a> |
| <span class="sourceLineNo">1815</span> accessChecker.requirePermission(user, "preBulkLoadHFile",<a name="line.1815"></a> |
| <span class="sourceLineNo">1816</span> ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,<a name="line.1816"></a> |
| <span class="sourceLineNo">1817</span> null, Action.ADMIN, Action.CREATE);<a name="line.1817"></a> |
| <span class="sourceLineNo">1818</span> }<a name="line.1818"></a> |
| <span class="sourceLineNo">1819</span> }<a name="line.1819"></a> |
| <span class="sourceLineNo">1820</span><a name="line.1820"></a> |
| <span class="sourceLineNo">1821</span> /**<a name="line.1821"></a> |
| <span class="sourceLineNo">1822</span> * Authorization check for SecureBulkLoadProtocol.prepareBulkLoad()<a name="line.1822"></a> |
| <span class="sourceLineNo">1823</span> * @param ctx the context<a name="line.1823"></a> |
| <span class="sourceLineNo">1824</span> */<a name="line.1824"></a> |
| <span class="sourceLineNo">1825</span> @Override<a name="line.1825"></a> |
| <span class="sourceLineNo">1826</span> public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)<a name="line.1826"></a> |
| <span class="sourceLineNo">1827</span> throws IOException {<a name="line.1827"></a> |
| <span class="sourceLineNo">1828</span> requireAccess(ctx, "prePrepareBulkLoad",<a name="line.1828"></a> |
| <span class="sourceLineNo">1829</span> ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,<a name="line.1829"></a> |
| <span class="sourceLineNo">1830</span> Action.CREATE);<a name="line.1830"></a> |
| <span class="sourceLineNo">1831</span> }<a name="line.1831"></a> |
| <span class="sourceLineNo">1832</span><a name="line.1832"></a> |
| <span class="sourceLineNo">1833</span> /**<a name="line.1833"></a> |
| <span class="sourceLineNo">1834</span> * Authorization security check for SecureBulkLoadProtocol.cleanupBulkLoad()<a name="line.1834"></a> |
| <span class="sourceLineNo">1835</span> * @param ctx the context<a name="line.1835"></a> |
| <span class="sourceLineNo">1836</span> */<a name="line.1836"></a> |
| <span class="sourceLineNo">1837</span> @Override<a name="line.1837"></a> |
| <span class="sourceLineNo">1838</span> public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)<a name="line.1838"></a> |
| <span class="sourceLineNo">1839</span> throws IOException {<a name="line.1839"></a> |
| <span class="sourceLineNo">1840</span> requireAccess(ctx, "preCleanupBulkLoad",<a name="line.1840"></a> |
| <span class="sourceLineNo">1841</span> ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,<a name="line.1841"></a> |
| <span class="sourceLineNo">1842</span> Action.CREATE);<a name="line.1842"></a> |
| <span class="sourceLineNo">1843</span> }<a name="line.1843"></a> |
| <span class="sourceLineNo">1844</span><a name="line.1844"></a> |
| <span class="sourceLineNo">1845</span> /* ---- EndpointObserver implementation ---- */<a name="line.1845"></a> |
| <span class="sourceLineNo">1846</span><a name="line.1846"></a> |
| <span class="sourceLineNo">1847</span> @Override<a name="line.1847"></a> |
| <span class="sourceLineNo">1848</span> public Message preEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,<a name="line.1848"></a> |
| <span class="sourceLineNo">1849</span> Service service, String methodName, Message request) throws IOException {<a name="line.1849"></a> |
| <span class="sourceLineNo">1850</span> // Don't intercept calls to our own AccessControlService, we check for<a name="line.1850"></a> |
| <span class="sourceLineNo">1851</span> // appropriate permissions in the service handlers<a name="line.1851"></a> |
| <span class="sourceLineNo">1852</span> if (shouldCheckExecPermission && !(service instanceof AccessControlService)) {<a name="line.1852"></a> |
| <span class="sourceLineNo">1853</span> requirePermission(ctx,<a name="line.1853"></a> |
| <span class="sourceLineNo">1854</span> "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")",<a name="line.1854"></a> |
| <span class="sourceLineNo">1855</span> getTableName(ctx.getEnvironment()), null, null, Action.EXEC);<a name="line.1855"></a> |
| <span class="sourceLineNo">1856</span> }<a name="line.1856"></a> |
| <span class="sourceLineNo">1857</span> return request;<a name="line.1857"></a> |
| <span class="sourceLineNo">1858</span> }<a name="line.1858"></a> |
| <span class="sourceLineNo">1859</span><a name="line.1859"></a> |
| <span class="sourceLineNo">1860</span> @Override<a name="line.1860"></a> |
| <span class="sourceLineNo">1861</span> public void postEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,<a name="line.1861"></a> |
| <span class="sourceLineNo">1862</span> Service service, String methodName, Message request, Message.Builder responseBuilder)<a name="line.1862"></a> |
| <span class="sourceLineNo">1863</span> throws IOException {<a name="line.1863"></a> |
| <span class="sourceLineNo">1864</span> }<a name="line.1864"></a> |
| <span class="sourceLineNo">1865</span><a name="line.1865"></a> |
| <span class="sourceLineNo">1866</span> /* ---- Protobuf AccessControlService implementation ---- */<a name="line.1866"></a> |
| <span class="sourceLineNo">1867</span><a name="line.1867"></a> |
| <span class="sourceLineNo">1868</span> /**<a name="line.1868"></a> |
| <span class="sourceLineNo">1869</span> * @deprecated since 2.2.0 and will be removed in 4.0.0. Use<a name="line.1869"></a> |
| <span class="sourceLineNo">1870</span> * {@link Admin#grant(UserPermission, boolean)} instead.<a name="line.1870"></a> |
| <span class="sourceLineNo">1871</span> * @see Admin#grant(UserPermission, boolean)<a name="line.1871"></a> |
| <span class="sourceLineNo">1872</span> * @see <a href="https://issues.apache.org/jira/browse/HBASE-21739">HBASE-21739</a><a name="line.1872"></a> |
| <span class="sourceLineNo">1873</span> */<a name="line.1873"></a> |
| <span class="sourceLineNo">1874</span> @Deprecated<a name="line.1874"></a> |
| <span class="sourceLineNo">1875</span> @Override<a name="line.1875"></a> |
| <span class="sourceLineNo">1876</span> public void grant(RpcController controller, AccessControlProtos.GrantRequest request,<a name="line.1876"></a> |
| <span class="sourceLineNo">1877</span> RpcCallback<AccessControlProtos.GrantResponse> done) {<a name="line.1877"></a> |
| <span class="sourceLineNo">1878</span> final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());<a name="line.1878"></a> |
| <span class="sourceLineNo">1879</span> AccessControlProtos.GrantResponse response = null;<a name="line.1879"></a> |
| <span class="sourceLineNo">1880</span> try {<a name="line.1880"></a> |
| <span class="sourceLineNo">1881</span> // verify it's only running at .acl.<a name="line.1881"></a> |
| <span class="sourceLineNo">1882</span> if (aclRegion) {<a name="line.1882"></a> |
| <span class="sourceLineNo">1883</span> if (!initialized) {<a name="line.1883"></a> |
| <span class="sourceLineNo">1884</span> throw new CoprocessorException("AccessController not yet initialized");<a name="line.1884"></a> |
| <span class="sourceLineNo">1885</span> }<a name="line.1885"></a> |
| <span class="sourceLineNo">1886</span> User caller = RpcServer.getRequestUser().orElse(null);<a name="line.1886"></a> |
| <span class="sourceLineNo">1887</span> if (LOG.isDebugEnabled()) {<a name="line.1887"></a> |
| <span class="sourceLineNo">1888</span> LOG.debug("Received request from {} to grant access permission {}", caller.getName(),<a name="line.1888"></a> |
| <span class="sourceLineNo">1889</span> perm.toString());<a name="line.1889"></a> |
| <span class="sourceLineNo">1890</span> }<a name="line.1890"></a> |
| <span class="sourceLineNo">1891</span> preGrantOrRevoke(caller, "grant", perm);<a name="line.1891"></a> |
| <span class="sourceLineNo">1892</span><a name="line.1892"></a> |
| <span class="sourceLineNo">1893</span> // regionEnv is set at #start. Hopefully not null at this point.<a name="line.1893"></a> |
| <span class="sourceLineNo">1894</span> regionEnv.getConnection().getAdmin().grant(<a name="line.1894"></a> |
| <span class="sourceLineNo">1895</span> new UserPermission(perm.getUser(), perm.getPermission()),<a name="line.1895"></a> |
| <span class="sourceLineNo">1896</span> request.getMergeExistingPermissions());<a name="line.1896"></a> |
| <span class="sourceLineNo">1897</span> if (AUDITLOG.isTraceEnabled()) {<a name="line.1897"></a> |
| <span class="sourceLineNo">1898</span> // audit log should store permission changes in addition to auth results<a name="line.1898"></a> |
| <span class="sourceLineNo">1899</span> AUDITLOG.trace("Granted permission " + perm.toString());<a name="line.1899"></a> |
| <span class="sourceLineNo">1900</span> }<a name="line.1900"></a> |
| <span class="sourceLineNo">1901</span> } else {<a name="line.1901"></a> |
| <span class="sourceLineNo">1902</span> throw new CoprocessorException(AccessController.class,<a name="line.1902"></a> |
| <span class="sourceLineNo">1903</span> "This method " + "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");<a name="line.1903"></a> |
| <span class="sourceLineNo">1904</span> }<a name="line.1904"></a> |
| <span class="sourceLineNo">1905</span> response = AccessControlProtos.GrantResponse.getDefaultInstance();<a name="line.1905"></a> |
| <span class="sourceLineNo">1906</span> } catch (IOException ioe) {<a name="line.1906"></a> |
| <span class="sourceLineNo">1907</span> // pass exception back up<a name="line.1907"></a> |
| <span class="sourceLineNo">1908</span> CoprocessorRpcUtils.setControllerException(controller, ioe);<a name="line.1908"></a> |
| <span class="sourceLineNo">1909</span> }<a name="line.1909"></a> |
| <span class="sourceLineNo">1910</span> done.run(response);<a name="line.1910"></a> |
| <span class="sourceLineNo">1911</span> }<a name="line.1911"></a> |
| <span class="sourceLineNo">1912</span><a name="line.1912"></a> |
| <span class="sourceLineNo">1913</span> /**<a name="line.1913"></a> |
| <span class="sourceLineNo">1914</span> * @deprecated since 2.2.0 and will be removed in 4.0.0. Use {@link Admin#revoke(UserPermission)}<a name="line.1914"></a> |
| <span class="sourceLineNo">1915</span> * instead.<a name="line.1915"></a> |
| <span class="sourceLineNo">1916</span> * @see Admin#revoke(UserPermission)<a name="line.1916"></a> |
| <span class="sourceLineNo">1917</span> * @see <a href="https://issues.apache.org/jira/browse/HBASE-21739">HBASE-21739</a><a name="line.1917"></a> |
| <span class="sourceLineNo">1918</span> */<a name="line.1918"></a> |
| <span class="sourceLineNo">1919</span> @Deprecated<a name="line.1919"></a> |
| <span class="sourceLineNo">1920</span> @Override<a name="line.1920"></a> |
| <span class="sourceLineNo">1921</span> public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request,<a name="line.1921"></a> |
| <span class="sourceLineNo">1922</span> RpcCallback<AccessControlProtos.RevokeResponse> done) {<a name="line.1922"></a> |
| <span class="sourceLineNo">1923</span> final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());<a name="line.1923"></a> |
| <span class="sourceLineNo">1924</span> AccessControlProtos.RevokeResponse response = null;<a name="line.1924"></a> |
| <span class="sourceLineNo">1925</span> try {<a name="line.1925"></a> |
| <span class="sourceLineNo">1926</span> // only allowed to be called on _acl_ region<a name="line.1926"></a> |
| <span class="sourceLineNo">1927</span> if (aclRegion) {<a name="line.1927"></a> |
| <span class="sourceLineNo">1928</span> if (!initialized) {<a name="line.1928"></a> |
| <span class="sourceLineNo">1929</span> throw new CoprocessorException("AccessController not yet initialized");<a name="line.1929"></a> |
| <span class="sourceLineNo">1930</span> }<a name="line.1930"></a> |
| <span class="sourceLineNo">1931</span> User caller = RpcServer.getRequestUser().orElse(null);<a name="line.1931"></a> |
| <span class="sourceLineNo">1932</span> if (LOG.isDebugEnabled()) {<a name="line.1932"></a> |
| <span class="sourceLineNo">1933</span> LOG.debug("Received request from {} to revoke access permission {}",<a name="line.1933"></a> |
| <span class="sourceLineNo">1934</span> caller.getShortName(), perm.toString());<a name="line.1934"></a> |
| <span class="sourceLineNo">1935</span> }<a name="line.1935"></a> |
| <span class="sourceLineNo">1936</span> preGrantOrRevoke(caller, "revoke", perm);<a name="line.1936"></a> |
| <span class="sourceLineNo">1937</span> // regionEnv is set at #start. Hopefully not null here.<a name="line.1937"></a> |
| <span class="sourceLineNo">1938</span> regionEnv.getConnection().getAdmin()<a name="line.1938"></a> |
| <span class="sourceLineNo">1939</span> .revoke(new UserPermission(perm.getUser(), perm.getPermission()));<a name="line.1939"></a> |
| <span class="sourceLineNo">1940</span> if (AUDITLOG.isTraceEnabled()) {<a name="line.1940"></a> |
| <span class="sourceLineNo">1941</span> // audit log should record all permission changes<a name="line.1941"></a> |
| <span class="sourceLineNo">1942</span> AUDITLOG.trace("Revoked permission " + perm.toString());<a name="line.1942"></a> |
| <span class="sourceLineNo">1943</span> }<a name="line.1943"></a> |
| <span class="sourceLineNo">1944</span> } else {<a name="line.1944"></a> |
| <span class="sourceLineNo">1945</span> throw new CoprocessorException(AccessController.class,<a name="line.1945"></a> |
| <span class="sourceLineNo">1946</span> "This method " + "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");<a name="line.1946"></a> |
| <span class="sourceLineNo">1947</span> }<a name="line.1947"></a> |
| <span class="sourceLineNo">1948</span> response = AccessControlProtos.RevokeResponse.getDefaultInstance();<a name="line.1948"></a> |
| <span class="sourceLineNo">1949</span> } catch (IOException ioe) {<a name="line.1949"></a> |
| <span class="sourceLineNo">1950</span> // pass exception back up<a name="line.1950"></a> |
| <span class="sourceLineNo">1951</span> CoprocessorRpcUtils.setControllerException(controller, ioe);<a name="line.1951"></a> |
| <span class="sourceLineNo">1952</span> }<a name="line.1952"></a> |
| <span class="sourceLineNo">1953</span> done.run(response);<a name="line.1953"></a> |
| <span class="sourceLineNo">1954</span> }<a name="line.1954"></a> |
| <span class="sourceLineNo">1955</span><a name="line.1955"></a> |
| <span class="sourceLineNo">1956</span> /**<a name="line.1956"></a> |
| <span class="sourceLineNo">1957</span> * @deprecated since 2.2.0 and will be removed in 4.0.0. Use<a name="line.1957"></a> |
| <span class="sourceLineNo">1958</span> * {@link Admin#getUserPermissions(GetUserPermissionsRequest)} instead.<a name="line.1958"></a> |
| <span class="sourceLineNo">1959</span> * @see Admin#getUserPermissions(GetUserPermissionsRequest)<a name="line.1959"></a> |
| <span class="sourceLineNo">1960</span> * @see <a href="https://issues.apache.org/jira/browse/HBASE-21911">HBASE-21911</a><a name="line.1960"></a> |
| <span class="sourceLineNo">1961</span> */<a name="line.1961"></a> |
| <span class="sourceLineNo">1962</span> @Deprecated<a name="line.1962"></a> |
| <span class="sourceLineNo">1963</span> @Override<a name="line.1963"></a> |
| <span class="sourceLineNo">1964</span> public void getUserPermissions(RpcController controller,<a name="line.1964"></a> |
| <span class="sourceLineNo">1965</span> AccessControlProtos.GetUserPermissionsRequest request,<a name="line.1965"></a> |
| <span class="sourceLineNo">1966</span> RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {<a name="line.1966"></a> |
| <span class="sourceLineNo">1967</span> AccessControlProtos.GetUserPermissionsResponse response = null;<a name="line.1967"></a> |
| <span class="sourceLineNo">1968</span> try {<a name="line.1968"></a> |
| <span class="sourceLineNo">1969</span> // only allowed to be called on _acl_ region<a name="line.1969"></a> |
| <span class="sourceLineNo">1970</span> if (aclRegion) {<a name="line.1970"></a> |
| <span class="sourceLineNo">1971</span> if (!initialized) {<a name="line.1971"></a> |
| <span class="sourceLineNo">1972</span> throw new CoprocessorException("AccessController not yet initialized");<a name="line.1972"></a> |
| <span class="sourceLineNo">1973</span> }<a name="line.1973"></a> |
| <span class="sourceLineNo">1974</span> User caller = RpcServer.getRequestUser().orElse(null);<a name="line.1974"></a> |
| <span class="sourceLineNo">1975</span> final String userName = request.hasUserName() ? request.getUserName().toStringUtf8() : null;<a name="line.1975"></a> |
| <span class="sourceLineNo">1976</span> final String namespace =<a name="line.1976"></a> |
| <span class="sourceLineNo">1977</span> request.hasNamespaceName() ? request.getNamespaceName().toStringUtf8() : null;<a name="line.1977"></a> |
| <span class="sourceLineNo">1978</span> final TableName table =<a name="line.1978"></a> |
| <span class="sourceLineNo">1979</span> request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;<a name="line.1979"></a> |
| <span class="sourceLineNo">1980</span> final byte[] cf =<a name="line.1980"></a> |
| <span class="sourceLineNo">1981</span> request.hasColumnFamily() ? request.getColumnFamily().toByteArray() : null;<a name="line.1981"></a> |
| <span class="sourceLineNo">1982</span> final byte[] cq =<a name="line.1982"></a> |
| <span class="sourceLineNo">1983</span> request.hasColumnQualifier() ? request.getColumnQualifier().toByteArray() : null;<a name="line.1983"></a> |
| <span class="sourceLineNo">1984</span> preGetUserPermissions(caller, userName, namespace, table, cf, cq);<a name="line.1984"></a> |
| <span class="sourceLineNo">1985</span> GetUserPermissionsRequest getUserPermissionsRequest = null;<a name="line.1985"></a> |
| <span class="sourceLineNo">1986</span> if (request.getType() == AccessControlProtos.Permission.Type.Table) {<a name="line.1986"></a> |
| <span class="sourceLineNo">1987</span> getUserPermissionsRequest = GetUserPermissionsRequest.newBuilder(table).withFamily(cf)<a name="line.1987"></a> |
| <span class="sourceLineNo">1988</span> .withQualifier(cq).withUserName(userName).build();<a name="line.1988"></a> |
| <span class="sourceLineNo">1989</span> } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {<a name="line.1989"></a> |
| <span class="sourceLineNo">1990</span> getUserPermissionsRequest =<a name="line.1990"></a> |
| <span class="sourceLineNo">1991</span> GetUserPermissionsRequest.newBuilder(namespace).withUserName(userName).build();<a name="line.1991"></a> |
| <span class="sourceLineNo">1992</span> } else {<a name="line.1992"></a> |
| <span class="sourceLineNo">1993</span> getUserPermissionsRequest =<a name="line.1993"></a> |
| <span class="sourceLineNo">1994</span> GetUserPermissionsRequest.newBuilder().withUserName(userName).build();<a name="line.1994"></a> |
| <span class="sourceLineNo">1995</span> }<a name="line.1995"></a> |
| <span class="sourceLineNo">1996</span> List<UserPermission> perms =<a name="line.1996"></a> |
| <span class="sourceLineNo">1997</span> regionEnv.getConnection().getAdmin().getUserPermissions(getUserPermissionsRequest);<a name="line.1997"></a> |
| <span class="sourceLineNo">1998</span> response = AccessControlUtil.buildGetUserPermissionsResponse(perms);<a name="line.1998"></a> |
| <span class="sourceLineNo">1999</span> } else {<a name="line.1999"></a> |
| <span class="sourceLineNo">2000</span> throw new CoprocessorException(AccessController.class,<a name="line.2000"></a> |
| <span class="sourceLineNo">2001</span> "This method " + "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");<a name="line.2001"></a> |
| <span class="sourceLineNo">2002</span> }<a name="line.2002"></a> |
| <span class="sourceLineNo">2003</span> } catch (IOException ioe) {<a name="line.2003"></a> |
| <span class="sourceLineNo">2004</span> // pass exception back up<a name="line.2004"></a> |
| <span class="sourceLineNo">2005</span> CoprocessorRpcUtils.setControllerException(controller, ioe);<a name="line.2005"></a> |
| <span class="sourceLineNo">2006</span> }<a name="line.2006"></a> |
| <span class="sourceLineNo">2007</span> done.run(response);<a name="line.2007"></a> |
| <span class="sourceLineNo">2008</span> }<a name="line.2008"></a> |
| <span class="sourceLineNo">2009</span><a name="line.2009"></a> |
| <span class="sourceLineNo">2010</span> /**<a name="line.2010"></a> |
| <span class="sourceLineNo">2011</span> * @deprecated since 2.2.0 and will be removed 4.0.0. Use {@link Admin#hasUserPermissions(List)}<a name="line.2011"></a> |
| <span class="sourceLineNo">2012</span> * instead.<a name="line.2012"></a> |
| <span class="sourceLineNo">2013</span> * @see Admin#hasUserPermissions(List)<a name="line.2013"></a> |
| <span class="sourceLineNo">2014</span> * @see <a href="https://issues.apache.org/jira/browse/HBASE-22117">HBASE-22117</a><a name="line.2014"></a> |
| <span class="sourceLineNo">2015</span> */<a name="line.2015"></a> |
| <span class="sourceLineNo">2016</span> @Deprecated<a name="line.2016"></a> |
| <span class="sourceLineNo">2017</span> @Override<a name="line.2017"></a> |
| <span class="sourceLineNo">2018</span> public void checkPermissions(RpcController controller,<a name="line.2018"></a> |
| <span class="sourceLineNo">2019</span> AccessControlProtos.CheckPermissionsRequest request,<a name="line.2019"></a> |
| <span class="sourceLineNo">2020</span> RpcCallback<AccessControlProtos.CheckPermissionsResponse> done) {<a name="line.2020"></a> |
| <span class="sourceLineNo">2021</span> AccessControlProtos.CheckPermissionsResponse response = null;<a name="line.2021"></a> |
| <span class="sourceLineNo">2022</span> try {<a name="line.2022"></a> |
| <span class="sourceLineNo">2023</span> User user = RpcServer.getRequestUser().orElse(null);<a name="line.2023"></a> |
| <span class="sourceLineNo">2024</span> TableName tableName = regionEnv.getRegion().getTableDescriptor().getTableName();<a name="line.2024"></a> |
| <span class="sourceLineNo">2025</span> List<Permission> permissions = new ArrayList<>();<a name="line.2025"></a> |
| <span class="sourceLineNo">2026</span> for (int i = 0; i < request.getPermissionCount(); i++) {<a name="line.2026"></a> |
| <span class="sourceLineNo">2027</span> Permission permission = AccessControlUtil.toPermission(request.getPermission(i));<a name="line.2027"></a> |
| <span class="sourceLineNo">2028</span> permissions.add(permission);<a name="line.2028"></a> |
| <span class="sourceLineNo">2029</span> if (permission instanceof TablePermission) {<a name="line.2029"></a> |
| <span class="sourceLineNo">2030</span> TablePermission tperm = (TablePermission) permission;<a name="line.2030"></a> |
| <span class="sourceLineNo">2031</span> if (!tperm.getTableName().equals(tableName)) {<a name="line.2031"></a> |
| <span class="sourceLineNo">2032</span> throw new CoprocessorException(AccessController.class,<a name="line.2032"></a> |
| <span class="sourceLineNo">2033</span> String.format(<a name="line.2033"></a> |
| <span class="sourceLineNo">2034</span> "This method can only execute at the table specified in "<a name="line.2034"></a> |
| <span class="sourceLineNo">2035</span> + "TablePermission. Table of the region:%s , requested table:%s",<a name="line.2035"></a> |
| <span class="sourceLineNo">2036</span> tableName, tperm.getTableName()));<a name="line.2036"></a> |
| <span class="sourceLineNo">2037</span> }<a name="line.2037"></a> |
| <span class="sourceLineNo">2038</span> }<a name="line.2038"></a> |
| <span class="sourceLineNo">2039</span> }<a name="line.2039"></a> |
| <span class="sourceLineNo">2040</span> for (Permission permission : permissions) {<a name="line.2040"></a> |
| <span class="sourceLineNo">2041</span> boolean hasPermission =<a name="line.2041"></a> |
| <span class="sourceLineNo">2042</span> accessChecker.hasUserPermission(user, "checkPermissions", permission);<a name="line.2042"></a> |
| <span class="sourceLineNo">2043</span> if (!hasPermission) {<a name="line.2043"></a> |
| <span class="sourceLineNo">2044</span> throw new AccessDeniedException("Insufficient permissions " + permission.toString());<a name="line.2044"></a> |
| <span class="sourceLineNo">2045</span> }<a name="line.2045"></a> |
| <span class="sourceLineNo">2046</span> }<a name="line.2046"></a> |
| <span class="sourceLineNo">2047</span> response = AccessControlProtos.CheckPermissionsResponse.getDefaultInstance();<a name="line.2047"></a> |
| <span class="sourceLineNo">2048</span> } catch (IOException ioe) {<a name="line.2048"></a> |
| <span class="sourceLineNo">2049</span> CoprocessorRpcUtils.setControllerException(controller, ioe);<a name="line.2049"></a> |
| <span class="sourceLineNo">2050</span> }<a name="line.2050"></a> |
| <span class="sourceLineNo">2051</span> done.run(response);<a name="line.2051"></a> |
| <span class="sourceLineNo">2052</span> }<a name="line.2052"></a> |
| <span class="sourceLineNo">2053</span><a name="line.2053"></a> |
| <span class="sourceLineNo">2054</span> private Region getRegion(RegionCoprocessorEnvironment e) {<a name="line.2054"></a> |
| <span class="sourceLineNo">2055</span> return e.getRegion();<a name="line.2055"></a> |
| <span class="sourceLineNo">2056</span> }<a name="line.2056"></a> |
| <span class="sourceLineNo">2057</span><a name="line.2057"></a> |
| <span class="sourceLineNo">2058</span> private TableName getTableName(RegionCoprocessorEnvironment e) {<a name="line.2058"></a> |
| <span class="sourceLineNo">2059</span> Region region = e.getRegion();<a name="line.2059"></a> |
| <span class="sourceLineNo">2060</span> if (region != null) {<a name="line.2060"></a> |
| <span class="sourceLineNo">2061</span> return getTableName(region);<a name="line.2061"></a> |
| <span class="sourceLineNo">2062</span> }<a name="line.2062"></a> |
| <span class="sourceLineNo">2063</span> return null;<a name="line.2063"></a> |
| <span class="sourceLineNo">2064</span> }<a name="line.2064"></a> |
| <span class="sourceLineNo">2065</span><a name="line.2065"></a> |
| <span class="sourceLineNo">2066</span> private TableName getTableName(Region region) {<a name="line.2066"></a> |
| <span class="sourceLineNo">2067</span> RegionInfo regionInfo = region.getRegionInfo();<a name="line.2067"></a> |
| <span class="sourceLineNo">2068</span> if (regionInfo != null) {<a name="line.2068"></a> |
| <span class="sourceLineNo">2069</span> return regionInfo.getTable();<a name="line.2069"></a> |
| <span class="sourceLineNo">2070</span> }<a name="line.2070"></a> |
| <span class="sourceLineNo">2071</span> return null;<a name="line.2071"></a> |
| <span class="sourceLineNo">2072</span> }<a name="line.2072"></a> |
| <span class="sourceLineNo">2073</span><a name="line.2073"></a> |
| <span class="sourceLineNo">2074</span> @Override<a name="line.2074"></a> |
| <span class="sourceLineNo">2075</span> public void preClose(ObserverContext<RegionCoprocessorEnvironment> c, boolean abortRequested)<a name="line.2075"></a> |
| <span class="sourceLineNo">2076</span> throws IOException {<a name="line.2076"></a> |
| <span class="sourceLineNo">2077</span> requirePermission(c, "preClose", Action.ADMIN);<a name="line.2077"></a> |
| <span class="sourceLineNo">2078</span> }<a name="line.2078"></a> |
| <span class="sourceLineNo">2079</span><a name="line.2079"></a> |
| <span class="sourceLineNo">2080</span> private void checkSystemOrSuperUser(User activeUser) throws IOException {<a name="line.2080"></a> |
| <span class="sourceLineNo">2081</span> // No need to check if we're not going to throw<a name="line.2081"></a> |
| <span class="sourceLineNo">2082</span> if (!authorizationEnabled) {<a name="line.2082"></a> |
| <span class="sourceLineNo">2083</span> return;<a name="line.2083"></a> |
| <span class="sourceLineNo">2084</span> }<a name="line.2084"></a> |
| <span class="sourceLineNo">2085</span> if (!Superusers.isSuperUser(activeUser)) {<a name="line.2085"></a> |
| <span class="sourceLineNo">2086</span> throw new AccessDeniedException(<a name="line.2086"></a> |
| <span class="sourceLineNo">2087</span> "User '" + (activeUser != null ? activeUser.getShortName() : "null")<a name="line.2087"></a> |
| <span class="sourceLineNo">2088</span> + "' is not system or super user.");<a name="line.2088"></a> |
| <span class="sourceLineNo">2089</span> }<a name="line.2089"></a> |
| <span class="sourceLineNo">2090</span> }<a name="line.2090"></a> |
| <span class="sourceLineNo">2091</span><a name="line.2091"></a> |
| <span class="sourceLineNo">2092</span> @Override<a name="line.2092"></a> |
| <span class="sourceLineNo">2093</span> public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> ctx)<a name="line.2093"></a> |
| <span class="sourceLineNo">2094</span> throws IOException {<a name="line.2094"></a> |
| <span class="sourceLineNo">2095</span> requirePermission(ctx, "preStopRegionServer", Action.ADMIN);<a name="line.2095"></a> |
| <span class="sourceLineNo">2096</span> }<a name="line.2096"></a> |
| <span class="sourceLineNo">2097</span><a name="line.2097"></a> |
| <span class="sourceLineNo">2098</span> private Map<byte[], ? extends Collection<byte[]>> makeFamilyMap(byte[] family, byte[] qualifier) {<a name="line.2098"></a> |
| <span class="sourceLineNo">2099</span> if (family == null) {<a name="line.2099"></a> |
| <span class="sourceLineNo">2100</span> return null;<a name="line.2100"></a> |
| <span class="sourceLineNo">2101</span> }<a name="line.2101"></a> |
| <span class="sourceLineNo">2102</span><a name="line.2102"></a> |
| <span class="sourceLineNo">2103</span> Map<byte[], Collection<byte[]>> familyMap = new TreeMap<>(Bytes.BYTES_COMPARATOR);<a name="line.2103"></a> |
| <span class="sourceLineNo">2104</span> familyMap.put(family, qualifier != null ? ImmutableSet.of(qualifier) : null);<a name="line.2104"></a> |
| <span class="sourceLineNo">2105</span> return familyMap;<a name="line.2105"></a> |
| <span class="sourceLineNo">2106</span> }<a name="line.2106"></a> |
| <span class="sourceLineNo">2107</span><a name="line.2107"></a> |
| <span class="sourceLineNo">2108</span> @Override<a name="line.2108"></a> |
| <span class="sourceLineNo">2109</span> public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2109"></a> |
| <span class="sourceLineNo">2110</span> List<TableName> tableNamesList, List<TableDescriptor> descriptors, String regex)<a name="line.2110"></a> |
| <span class="sourceLineNo">2111</span> throws IOException {<a name="line.2111"></a> |
| <span class="sourceLineNo">2112</span> // We are delegating the authorization check to postGetTableDescriptors as we don't have<a name="line.2112"></a> |
| <span class="sourceLineNo">2113</span> // any concrete set of table names when a regex is present or the full list is requested.<a name="line.2113"></a> |
| <span class="sourceLineNo">2114</span> if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {<a name="line.2114"></a> |
| <span class="sourceLineNo">2115</span> // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the<a name="line.2115"></a> |
| <span class="sourceLineNo">2116</span> // request can be granted.<a name="line.2116"></a> |
| <span class="sourceLineNo">2117</span> try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {<a name="line.2117"></a> |
| <span class="sourceLineNo">2118</span> for (TableName tableName : tableNamesList) {<a name="line.2118"></a> |
| <span class="sourceLineNo">2119</span> // Skip checks for a table that does not exist<a name="line.2119"></a> |
| <span class="sourceLineNo">2120</span> if (!admin.tableExists(tableName)) {<a name="line.2120"></a> |
| <span class="sourceLineNo">2121</span> continue;<a name="line.2121"></a> |
| <span class="sourceLineNo">2122</span> }<a name="line.2122"></a> |
| <span class="sourceLineNo">2123</span> requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN,<a name="line.2123"></a> |
| <span class="sourceLineNo">2124</span> Action.CREATE);<a name="line.2124"></a> |
| <span class="sourceLineNo">2125</span> }<a name="line.2125"></a> |
| <span class="sourceLineNo">2126</span> }<a name="line.2126"></a> |
| <span class="sourceLineNo">2127</span> }<a name="line.2127"></a> |
| <span class="sourceLineNo">2128</span> }<a name="line.2128"></a> |
| <span class="sourceLineNo">2129</span><a name="line.2129"></a> |
| <span class="sourceLineNo">2130</span> @Override<a name="line.2130"></a> |
| <span class="sourceLineNo">2131</span> public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2131"></a> |
| <span class="sourceLineNo">2132</span> List<TableName> tableNamesList, List<TableDescriptor> descriptors, String regex)<a name="line.2132"></a> |
| <span class="sourceLineNo">2133</span> throws IOException {<a name="line.2133"></a> |
| <span class="sourceLineNo">2134</span> // Skipping as checks in this case are already done by preGetTableDescriptors.<a name="line.2134"></a> |
| <span class="sourceLineNo">2135</span> if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {<a name="line.2135"></a> |
| <span class="sourceLineNo">2136</span> return;<a name="line.2136"></a> |
| <span class="sourceLineNo">2137</span> }<a name="line.2137"></a> |
| <span class="sourceLineNo">2138</span><a name="line.2138"></a> |
| <span class="sourceLineNo">2139</span> // Retains only those which passes authorization checks, as the checks weren't done as part<a name="line.2139"></a> |
| <span class="sourceLineNo">2140</span> // of preGetTableDescriptors.<a name="line.2140"></a> |
| <span class="sourceLineNo">2141</span> Iterator<TableDescriptor> itr = descriptors.iterator();<a name="line.2141"></a> |
| <span class="sourceLineNo">2142</span> while (itr.hasNext()) {<a name="line.2142"></a> |
| <span class="sourceLineNo">2143</span> TableDescriptor htd = itr.next();<a name="line.2143"></a> |
| <span class="sourceLineNo">2144</span> try {<a name="line.2144"></a> |
| <span class="sourceLineNo">2145</span> requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null, Action.ADMIN,<a name="line.2145"></a> |
| <span class="sourceLineNo">2146</span> Action.CREATE);<a name="line.2146"></a> |
| <span class="sourceLineNo">2147</span> } catch (AccessDeniedException e) {<a name="line.2147"></a> |
| <span class="sourceLineNo">2148</span> itr.remove();<a name="line.2148"></a> |
| <span class="sourceLineNo">2149</span> }<a name="line.2149"></a> |
| <span class="sourceLineNo">2150</span> }<a name="line.2150"></a> |
| <span class="sourceLineNo">2151</span> }<a name="line.2151"></a> |
| <span class="sourceLineNo">2152</span><a name="line.2152"></a> |
| <span class="sourceLineNo">2153</span> @Override<a name="line.2153"></a> |
| <span class="sourceLineNo">2154</span> public void postGetTableNames(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2154"></a> |
| <span class="sourceLineNo">2155</span> List<TableDescriptor> descriptors, String regex) throws IOException {<a name="line.2155"></a> |
| <span class="sourceLineNo">2156</span> // Retains only those which passes authorization checks.<a name="line.2156"></a> |
| <span class="sourceLineNo">2157</span> Iterator<TableDescriptor> itr = descriptors.iterator();<a name="line.2157"></a> |
| <span class="sourceLineNo">2158</span> while (itr.hasNext()) {<a name="line.2158"></a> |
| <span class="sourceLineNo">2159</span> TableDescriptor htd = itr.next();<a name="line.2159"></a> |
| <span class="sourceLineNo">2160</span> try {<a name="line.2160"></a> |
| <span class="sourceLineNo">2161</span> requireAccess(ctx, "getTableNames", htd.getTableName(), Action.values());<a name="line.2161"></a> |
| <span class="sourceLineNo">2162</span> } catch (AccessDeniedException e) {<a name="line.2162"></a> |
| <span class="sourceLineNo">2163</span> itr.remove();<a name="line.2163"></a> |
| <span class="sourceLineNo">2164</span> }<a name="line.2164"></a> |
| <span class="sourceLineNo">2165</span> }<a name="line.2165"></a> |
| <span class="sourceLineNo">2166</span> }<a name="line.2166"></a> |
| <span class="sourceLineNo">2167</span><a name="line.2167"></a> |
| <span class="sourceLineNo">2168</span> @Override<a name="line.2168"></a> |
| <span class="sourceLineNo">2169</span> public void preMergeRegions(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2169"></a> |
| <span class="sourceLineNo">2170</span> final RegionInfo[] regionsToMerge) throws IOException {<a name="line.2170"></a> |
| <span class="sourceLineNo">2171</span> requirePermission(ctx, "mergeRegions", regionsToMerge[0].getTable(), null, null, Action.ADMIN);<a name="line.2171"></a> |
| <span class="sourceLineNo">2172</span> }<a name="line.2172"></a> |
| <span class="sourceLineNo">2173</span><a name="line.2173"></a> |
| <span class="sourceLineNo">2174</span> @Override<a name="line.2174"></a> |
| <span class="sourceLineNo">2175</span> public void preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)<a name="line.2175"></a> |
| <span class="sourceLineNo">2176</span> throws IOException {<a name="line.2176"></a> |
| <span class="sourceLineNo">2177</span> requirePermission(ctx, "preRollLogWriterRequest", Permission.Action.ADMIN);<a name="line.2177"></a> |
| <span class="sourceLineNo">2178</span> }<a name="line.2178"></a> |
| <span class="sourceLineNo">2179</span><a name="line.2179"></a> |
| <span class="sourceLineNo">2180</span> @Override<a name="line.2180"></a> |
| <span class="sourceLineNo">2181</span> public void postRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)<a name="line.2181"></a> |
| <span class="sourceLineNo">2182</span> throws IOException {<a name="line.2182"></a> |
| <span class="sourceLineNo">2183</span> }<a name="line.2183"></a> |
| <span class="sourceLineNo">2184</span><a name="line.2184"></a> |
| <span class="sourceLineNo">2185</span> @Override<a name="line.2185"></a> |
| <span class="sourceLineNo">2186</span> public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2186"></a> |
| <span class="sourceLineNo">2187</span> final String userName, final GlobalQuotaSettings quotas) throws IOException {<a name="line.2187"></a> |
| <span class="sourceLineNo">2188</span> requirePermission(ctx, "setUserQuota", Action.ADMIN);<a name="line.2188"></a> |
| <span class="sourceLineNo">2189</span> }<a name="line.2189"></a> |
| <span class="sourceLineNo">2190</span><a name="line.2190"></a> |
| <span class="sourceLineNo">2191</span> @Override<a name="line.2191"></a> |
| <span class="sourceLineNo">2192</span> public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2192"></a> |
| <span class="sourceLineNo">2193</span> final String userName, final TableName tableName, final GlobalQuotaSettings quotas)<a name="line.2193"></a> |
| <span class="sourceLineNo">2194</span> throws IOException {<a name="line.2194"></a> |
| <span class="sourceLineNo">2195</span> requirePermission(ctx, "setUserTableQuota", tableName, null, null, Action.ADMIN);<a name="line.2195"></a> |
| <span class="sourceLineNo">2196</span> }<a name="line.2196"></a> |
| <span class="sourceLineNo">2197</span><a name="line.2197"></a> |
| <span class="sourceLineNo">2198</span> @Override<a name="line.2198"></a> |
| <span class="sourceLineNo">2199</span> public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2199"></a> |
| <span class="sourceLineNo">2200</span> final String userName, final String namespace, final GlobalQuotaSettings quotas)<a name="line.2200"></a> |
| <span class="sourceLineNo">2201</span> throws IOException {<a name="line.2201"></a> |
| <span class="sourceLineNo">2202</span> requirePermission(ctx, "setUserNamespaceQuota", Action.ADMIN);<a name="line.2202"></a> |
| <span class="sourceLineNo">2203</span> }<a name="line.2203"></a> |
| <span class="sourceLineNo">2204</span><a name="line.2204"></a> |
| <span class="sourceLineNo">2205</span> @Override<a name="line.2205"></a> |
| <span class="sourceLineNo">2206</span> public void preSetTableQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2206"></a> |
| <span class="sourceLineNo">2207</span> final TableName tableName, final GlobalQuotaSettings quotas) throws IOException {<a name="line.2207"></a> |
| <span class="sourceLineNo">2208</span> requirePermission(ctx, "setTableQuota", tableName, null, null, Action.ADMIN);<a name="line.2208"></a> |
| <span class="sourceLineNo">2209</span> }<a name="line.2209"></a> |
| <span class="sourceLineNo">2210</span><a name="line.2210"></a> |
| <span class="sourceLineNo">2211</span> @Override<a name="line.2211"></a> |
| <span class="sourceLineNo">2212</span> public void preSetNamespaceQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2212"></a> |
| <span class="sourceLineNo">2213</span> final String namespace, final GlobalQuotaSettings quotas) throws IOException {<a name="line.2213"></a> |
| <span class="sourceLineNo">2214</span> requirePermission(ctx, "setNamespaceQuota", Action.ADMIN);<a name="line.2214"></a> |
| <span class="sourceLineNo">2215</span> }<a name="line.2215"></a> |
| <span class="sourceLineNo">2216</span><a name="line.2216"></a> |
| <span class="sourceLineNo">2217</span> @Override<a name="line.2217"></a> |
| <span class="sourceLineNo">2218</span> public void preSetRegionServerQuota(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2218"></a> |
| <span class="sourceLineNo">2219</span> final String regionServer, GlobalQuotaSettings quotas) throws IOException {<a name="line.2219"></a> |
| <span class="sourceLineNo">2220</span> requirePermission(ctx, "setRegionServerQuota", Action.ADMIN);<a name="line.2220"></a> |
| <span class="sourceLineNo">2221</span> }<a name="line.2221"></a> |
| <span class="sourceLineNo">2222</span><a name="line.2222"></a> |
| <span class="sourceLineNo">2223</span> @Override<a name="line.2223"></a> |
| <span class="sourceLineNo">2224</span> public ReplicationEndpoint postCreateReplicationEndPoint(<a name="line.2224"></a> |
| <span class="sourceLineNo">2225</span> ObserverContext<RegionServerCoprocessorEnvironment> ctx, ReplicationEndpoint endpoint) {<a name="line.2225"></a> |
| <span class="sourceLineNo">2226</span> return endpoint;<a name="line.2226"></a> |
| <span class="sourceLineNo">2227</span> }<a name="line.2227"></a> |
| <span class="sourceLineNo">2228</span><a name="line.2228"></a> |
| <span class="sourceLineNo">2229</span> @Override<a name="line.2229"></a> |
| <span class="sourceLineNo">2230</span> public void preReplicateLogEntries(ObserverContext<RegionServerCoprocessorEnvironment> ctx)<a name="line.2230"></a> |
| <span class="sourceLineNo">2231</span> throws IOException {<a name="line.2231"></a> |
| <span class="sourceLineNo">2232</span> requirePermission(ctx, "replicateLogEntries", Action.WRITE);<a name="line.2232"></a> |
| <span class="sourceLineNo">2233</span> }<a name="line.2233"></a> |
| <span class="sourceLineNo">2234</span><a name="line.2234"></a> |
| <span class="sourceLineNo">2235</span> @Override<a name="line.2235"></a> |
| <span class="sourceLineNo">2236</span> public void preClearCompactionQueues(ObserverContext<RegionServerCoprocessorEnvironment> ctx)<a name="line.2236"></a> |
| <span class="sourceLineNo">2237</span> throws IOException {<a name="line.2237"></a> |
| <span class="sourceLineNo">2238</span> requirePermission(ctx, "preClearCompactionQueues", Permission.Action.ADMIN);<a name="line.2238"></a> |
| <span class="sourceLineNo">2239</span> }<a name="line.2239"></a> |
| <span class="sourceLineNo">2240</span><a name="line.2240"></a> |
| <span class="sourceLineNo">2241</span> @Override<a name="line.2241"></a> |
| <span class="sourceLineNo">2242</span> public void preAddReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2242"></a> |
| <span class="sourceLineNo">2243</span> String peerId, ReplicationPeerConfig peerConfig) throws IOException {<a name="line.2243"></a> |
| <span class="sourceLineNo">2244</span> requirePermission(ctx, "addReplicationPeer", Action.ADMIN);<a name="line.2244"></a> |
| <span class="sourceLineNo">2245</span> }<a name="line.2245"></a> |
| <span class="sourceLineNo">2246</span><a name="line.2246"></a> |
| <span class="sourceLineNo">2247</span> @Override<a name="line.2247"></a> |
| <span class="sourceLineNo">2248</span> public void preRemoveReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2248"></a> |
| <span class="sourceLineNo">2249</span> String peerId) throws IOException {<a name="line.2249"></a> |
| <span class="sourceLineNo">2250</span> requirePermission(ctx, "removeReplicationPeer", Action.ADMIN);<a name="line.2250"></a> |
| <span class="sourceLineNo">2251</span> }<a name="line.2251"></a> |
| <span class="sourceLineNo">2252</span><a name="line.2252"></a> |
| <span class="sourceLineNo">2253</span> @Override<a name="line.2253"></a> |
| <span class="sourceLineNo">2254</span> public void preEnableReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2254"></a> |
| <span class="sourceLineNo">2255</span> String peerId) throws IOException {<a name="line.2255"></a> |
| <span class="sourceLineNo">2256</span> requirePermission(ctx, "enableReplicationPeer", Action.ADMIN);<a name="line.2256"></a> |
| <span class="sourceLineNo">2257</span> }<a name="line.2257"></a> |
| <span class="sourceLineNo">2258</span><a name="line.2258"></a> |
| <span class="sourceLineNo">2259</span> @Override<a name="line.2259"></a> |
| <span class="sourceLineNo">2260</span> public void preDisableReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2260"></a> |
| <span class="sourceLineNo">2261</span> String peerId) throws IOException {<a name="line.2261"></a> |
| <span class="sourceLineNo">2262</span> requirePermission(ctx, "disableReplicationPeer", Action.ADMIN);<a name="line.2262"></a> |
| <span class="sourceLineNo">2263</span> }<a name="line.2263"></a> |
| <span class="sourceLineNo">2264</span><a name="line.2264"></a> |
| <span class="sourceLineNo">2265</span> @Override<a name="line.2265"></a> |
| <span class="sourceLineNo">2266</span> public void preGetReplicationPeerConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2266"></a> |
| <span class="sourceLineNo">2267</span> String peerId) throws IOException {<a name="line.2267"></a> |
| <span class="sourceLineNo">2268</span> requirePermission(ctx, "getReplicationPeerConfig", Action.ADMIN);<a name="line.2268"></a> |
| <span class="sourceLineNo">2269</span> }<a name="line.2269"></a> |
| <span class="sourceLineNo">2270</span><a name="line.2270"></a> |
| <span class="sourceLineNo">2271</span> @Override<a name="line.2271"></a> |
| <span class="sourceLineNo">2272</span> public void preUpdateReplicationPeerConfig(<a name="line.2272"></a> |
| <span class="sourceLineNo">2273</span> final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId,<a name="line.2273"></a> |
| <span class="sourceLineNo">2274</span> ReplicationPeerConfig peerConfig) throws IOException {<a name="line.2274"></a> |
| <span class="sourceLineNo">2275</span> requirePermission(ctx, "updateReplicationPeerConfig", Action.ADMIN);<a name="line.2275"></a> |
| <span class="sourceLineNo">2276</span> }<a name="line.2276"></a> |
| <span class="sourceLineNo">2277</span><a name="line.2277"></a> |
| <span class="sourceLineNo">2278</span> @Override<a name="line.2278"></a> |
| <span class="sourceLineNo">2279</span> public void preTransitReplicationPeerSyncReplicationState(<a name="line.2279"></a> |
| <span class="sourceLineNo">2280</span> final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId,<a name="line.2280"></a> |
| <span class="sourceLineNo">2281</span> SyncReplicationState clusterState) throws IOException {<a name="line.2281"></a> |
| <span class="sourceLineNo">2282</span> requirePermission(ctx, "transitSyncReplicationPeerState", Action.ADMIN);<a name="line.2282"></a> |
| <span class="sourceLineNo">2283</span> }<a name="line.2283"></a> |
| <span class="sourceLineNo">2284</span><a name="line.2284"></a> |
| <span class="sourceLineNo">2285</span> @Override<a name="line.2285"></a> |
| <span class="sourceLineNo">2286</span> public void preListReplicationPeers(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2286"></a> |
| <span class="sourceLineNo">2287</span> String regex) throws IOException {<a name="line.2287"></a> |
| <span class="sourceLineNo">2288</span> requirePermission(ctx, "listReplicationPeers", Action.ADMIN);<a name="line.2288"></a> |
| <span class="sourceLineNo">2289</span> }<a name="line.2289"></a> |
| <span class="sourceLineNo">2290</span><a name="line.2290"></a> |
| <span class="sourceLineNo">2291</span> @Override<a name="line.2291"></a> |
| <span class="sourceLineNo">2292</span> public void preRequestLock(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace,<a name="line.2292"></a> |
| <span class="sourceLineNo">2293</span> TableName tableName, RegionInfo[] regionInfos, String description) throws IOException {<a name="line.2293"></a> |
| <span class="sourceLineNo">2294</span> // There are operations in the CREATE and ADMIN domain which may require lock, READ<a name="line.2294"></a> |
| <span class="sourceLineNo">2295</span> // or WRITE. So for any lock request, we check for these two perms irrespective of lock type.<a name="line.2295"></a> |
| <span class="sourceLineNo">2296</span> String reason = String.format("Description=%s", description);<a name="line.2296"></a> |
| <span class="sourceLineNo">2297</span> checkLockPermissions(ctx, namespace, tableName, regionInfos, reason);<a name="line.2297"></a> |
| <span class="sourceLineNo">2298</span> }<a name="line.2298"></a> |
| <span class="sourceLineNo">2299</span><a name="line.2299"></a> |
| <span class="sourceLineNo">2300</span> @Override<a name="line.2300"></a> |
| <span class="sourceLineNo">2301</span> public void preLockHeartbeat(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2301"></a> |
| <span class="sourceLineNo">2302</span> TableName tableName, String description) throws IOException {<a name="line.2302"></a> |
| <span class="sourceLineNo">2303</span> checkLockPermissions(ctx, null, tableName, null, description);<a name="line.2303"></a> |
| <span class="sourceLineNo">2304</span> }<a name="line.2304"></a> |
| <span class="sourceLineNo">2305</span><a name="line.2305"></a> |
| <span class="sourceLineNo">2306</span> @Override<a name="line.2306"></a> |
| <span class="sourceLineNo">2307</span> public void preExecuteProcedures(ObserverContext<RegionServerCoprocessorEnvironment> ctx)<a name="line.2307"></a> |
| <span class="sourceLineNo">2308</span> throws IOException {<a name="line.2308"></a> |
| <span class="sourceLineNo">2309</span> checkSystemOrSuperUser(getActiveUser(ctx));<a name="line.2309"></a> |
| <span class="sourceLineNo">2310</span> }<a name="line.2310"></a> |
| <span class="sourceLineNo">2311</span><a name="line.2311"></a> |
| <span class="sourceLineNo">2312</span> @Override<a name="line.2312"></a> |
| <span class="sourceLineNo">2313</span> public void preSwitchRpcThrottle(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2313"></a> |
| <span class="sourceLineNo">2314</span> boolean enable) throws IOException {<a name="line.2314"></a> |
| <span class="sourceLineNo">2315</span> requirePermission(ctx, "switchRpcThrottle", Action.ADMIN);<a name="line.2315"></a> |
| <span class="sourceLineNo">2316</span> }<a name="line.2316"></a> |
| <span class="sourceLineNo">2317</span><a name="line.2317"></a> |
| <span class="sourceLineNo">2318</span> @Override<a name="line.2318"></a> |
| <span class="sourceLineNo">2319</span> public void preIsRpcThrottleEnabled(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.2319"></a> |
| <span class="sourceLineNo">2320</span> throws IOException {<a name="line.2320"></a> |
| <span class="sourceLineNo">2321</span> requirePermission(ctx, "isRpcThrottleEnabled", Action.ADMIN);<a name="line.2321"></a> |
| <span class="sourceLineNo">2322</span> }<a name="line.2322"></a> |
| <span class="sourceLineNo">2323</span><a name="line.2323"></a> |
| <span class="sourceLineNo">2324</span> @Override<a name="line.2324"></a> |
| <span class="sourceLineNo">2325</span> public void preSwitchExceedThrottleQuota(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2325"></a> |
| <span class="sourceLineNo">2326</span> boolean enable) throws IOException {<a name="line.2326"></a> |
| <span class="sourceLineNo">2327</span> requirePermission(ctx, "switchExceedThrottleQuota", Action.ADMIN);<a name="line.2327"></a> |
| <span class="sourceLineNo">2328</span> }<a name="line.2328"></a> |
| <span class="sourceLineNo">2329</span><a name="line.2329"></a> |
| <span class="sourceLineNo">2330</span> /**<a name="line.2330"></a> |
| <span class="sourceLineNo">2331</span> * Returns the active user to which authorization checks should be applied. If we are in the<a name="line.2331"></a> |
| <span class="sourceLineNo">2332</span> * context of an RPC call, the remote user is used, otherwise the currently logged in user is<a name="line.2332"></a> |
| <span class="sourceLineNo">2333</span> * used.<a name="line.2333"></a> |
| <span class="sourceLineNo">2334</span> */<a name="line.2334"></a> |
| <span class="sourceLineNo">2335</span> private User getActiveUser(ObserverContext<?> ctx) throws IOException {<a name="line.2335"></a> |
| <span class="sourceLineNo">2336</span> // for non-rpc handling, fallback to system user<a name="line.2336"></a> |
| <span class="sourceLineNo">2337</span> Optional<User> optionalUser = ctx.getCaller();<a name="line.2337"></a> |
| <span class="sourceLineNo">2338</span> if (optionalUser.isPresent()) {<a name="line.2338"></a> |
| <span class="sourceLineNo">2339</span> return optionalUser.get();<a name="line.2339"></a> |
| <span class="sourceLineNo">2340</span> }<a name="line.2340"></a> |
| <span class="sourceLineNo">2341</span> return userProvider.getCurrent();<a name="line.2341"></a> |
| <span class="sourceLineNo">2342</span> }<a name="line.2342"></a> |
| <span class="sourceLineNo">2343</span><a name="line.2343"></a> |
| <span class="sourceLineNo">2344</span> /**<a name="line.2344"></a> |
| <span class="sourceLineNo">2345</span> * @deprecated since 2.2.0 and will be removed in 4.0.0. Use<a name="line.2345"></a> |
| <span class="sourceLineNo">2346</span> * {@link Admin#hasUserPermissions(String, List)} instead.<a name="line.2346"></a> |
| <span class="sourceLineNo">2347</span> * @see Admin#hasUserPermissions(String, List)<a name="line.2347"></a> |
| <span class="sourceLineNo">2348</span> * @see <a href="https://issues.apache.org/jira/browse/HBASE-22117">HBASE-22117</a><a name="line.2348"></a> |
| <span class="sourceLineNo">2349</span> */<a name="line.2349"></a> |
| <span class="sourceLineNo">2350</span> @Deprecated<a name="line.2350"></a> |
| <span class="sourceLineNo">2351</span> @Override<a name="line.2351"></a> |
| <span class="sourceLineNo">2352</span> public void hasPermission(RpcController controller, HasPermissionRequest request,<a name="line.2352"></a> |
| <span class="sourceLineNo">2353</span> RpcCallback<HasPermissionResponse> done) {<a name="line.2353"></a> |
| <span class="sourceLineNo">2354</span> // Converts proto to a TablePermission object.<a name="line.2354"></a> |
| <span class="sourceLineNo">2355</span> TablePermission tPerm = AccessControlUtil.toTablePermission(request.getTablePermission());<a name="line.2355"></a> |
| <span class="sourceLineNo">2356</span> // Check input user name<a name="line.2356"></a> |
| <span class="sourceLineNo">2357</span> if (!request.hasUserName()) {<a name="line.2357"></a> |
| <span class="sourceLineNo">2358</span> throw new IllegalStateException("Input username cannot be empty");<a name="line.2358"></a> |
| <span class="sourceLineNo">2359</span> }<a name="line.2359"></a> |
| <span class="sourceLineNo">2360</span> final String inputUserName = request.getUserName().toStringUtf8();<a name="line.2360"></a> |
| <span class="sourceLineNo">2361</span> AccessControlProtos.HasPermissionResponse response = null;<a name="line.2361"></a> |
| <span class="sourceLineNo">2362</span> try {<a name="line.2362"></a> |
| <span class="sourceLineNo">2363</span> User caller = RpcServer.getRequestUser().orElse(null);<a name="line.2363"></a> |
| <span class="sourceLineNo">2364</span> List<Permission> permissions = Lists.newArrayList(tPerm);<a name="line.2364"></a> |
| <span class="sourceLineNo">2365</span> preHasUserPermissions(caller, inputUserName, permissions);<a name="line.2365"></a> |
| <span class="sourceLineNo">2366</span> boolean hasPermission =<a name="line.2366"></a> |
| <span class="sourceLineNo">2367</span> regionEnv.getConnection().getAdmin().hasUserPermissions(inputUserName, permissions).get(0);<a name="line.2367"></a> |
| <span class="sourceLineNo">2368</span> response = ResponseConverter.buildHasPermissionResponse(hasPermission);<a name="line.2368"></a> |
| <span class="sourceLineNo">2369</span> } catch (IOException ioe) {<a name="line.2369"></a> |
| <span class="sourceLineNo">2370</span> ResponseConverter.setControllerException(controller, ioe);<a name="line.2370"></a> |
| <span class="sourceLineNo">2371</span> }<a name="line.2371"></a> |
| <span class="sourceLineNo">2372</span> done.run(response);<a name="line.2372"></a> |
| <span class="sourceLineNo">2373</span> }<a name="line.2373"></a> |
| <span class="sourceLineNo">2374</span><a name="line.2374"></a> |
| <span class="sourceLineNo">2375</span> @Override<a name="line.2375"></a> |
| <span class="sourceLineNo">2376</span> public void preGrant(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2376"></a> |
| <span class="sourceLineNo">2377</span> UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {<a name="line.2377"></a> |
| <span class="sourceLineNo">2378</span> preGrantOrRevoke(getActiveUser(ctx), "grant", userPermission);<a name="line.2378"></a> |
| <span class="sourceLineNo">2379</span> }<a name="line.2379"></a> |
| <span class="sourceLineNo">2380</span><a name="line.2380"></a> |
| <span class="sourceLineNo">2381</span> @Override<a name="line.2381"></a> |
| <span class="sourceLineNo">2382</span> public void preRevoke(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2382"></a> |
| <span class="sourceLineNo">2383</span> UserPermission userPermission) throws IOException {<a name="line.2383"></a> |
| <span class="sourceLineNo">2384</span> preGrantOrRevoke(getActiveUser(ctx), "revoke", userPermission);<a name="line.2384"></a> |
| <span class="sourceLineNo">2385</span> }<a name="line.2385"></a> |
| <span class="sourceLineNo">2386</span><a name="line.2386"></a> |
| <span class="sourceLineNo">2387</span> private void preGrantOrRevoke(User caller, String request, UserPermission userPermission)<a name="line.2387"></a> |
| <span class="sourceLineNo">2388</span> throws IOException {<a name="line.2388"></a> |
| <span class="sourceLineNo">2389</span> switch (userPermission.getPermission().scope) {<a name="line.2389"></a> |
| <span class="sourceLineNo">2390</span> case GLOBAL:<a name="line.2390"></a> |
| <span class="sourceLineNo">2391</span> accessChecker.requireGlobalPermission(caller, request, Action.ADMIN, "");<a name="line.2391"></a> |
| <span class="sourceLineNo">2392</span> break;<a name="line.2392"></a> |
| <span class="sourceLineNo">2393</span> case NAMESPACE:<a name="line.2393"></a> |
| <span class="sourceLineNo">2394</span> NamespacePermission namespacePerm = (NamespacePermission) userPermission.getPermission();<a name="line.2394"></a> |
| <span class="sourceLineNo">2395</span> accessChecker.requireNamespacePermission(caller, request, namespacePerm.getNamespace(),<a name="line.2395"></a> |
| <span class="sourceLineNo">2396</span> null, Action.ADMIN);<a name="line.2396"></a> |
| <span class="sourceLineNo">2397</span> break;<a name="line.2397"></a> |
| <span class="sourceLineNo">2398</span> case TABLE:<a name="line.2398"></a> |
| <span class="sourceLineNo">2399</span> TablePermission tablePerm = (TablePermission) userPermission.getPermission();<a name="line.2399"></a> |
| <span class="sourceLineNo">2400</span> accessChecker.requirePermission(caller, request, tablePerm.getTableName(),<a name="line.2400"></a> |
| <span class="sourceLineNo">2401</span> tablePerm.getFamily(), tablePerm.getQualifier(), null, Action.ADMIN);<a name="line.2401"></a> |
| <span class="sourceLineNo">2402</span> break;<a name="line.2402"></a> |
| <span class="sourceLineNo">2403</span> default:<a name="line.2403"></a> |
| <span class="sourceLineNo">2404</span> }<a name="line.2404"></a> |
| <span class="sourceLineNo">2405</span> if (!Superusers.isSuperUser(caller)) {<a name="line.2405"></a> |
| <span class="sourceLineNo">2406</span> accessChecker.performOnSuperuser(request, caller, userPermission.getUser());<a name="line.2406"></a> |
| <span class="sourceLineNo">2407</span> }<a name="line.2407"></a> |
| <span class="sourceLineNo">2408</span> }<a name="line.2408"></a> |
| <span class="sourceLineNo">2409</span><a name="line.2409"></a> |
| <span class="sourceLineNo">2410</span> @Override<a name="line.2410"></a> |
| <span class="sourceLineNo">2411</span> public void preGetUserPermissions(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2411"></a> |
| <span class="sourceLineNo">2412</span> String userName, String namespace, TableName tableName, byte[] family, byte[] qualifier)<a name="line.2412"></a> |
| <span class="sourceLineNo">2413</span> throws IOException {<a name="line.2413"></a> |
| <span class="sourceLineNo">2414</span> preGetUserPermissions(getActiveUser(ctx), userName, namespace, tableName, family, qualifier);<a name="line.2414"></a> |
| <span class="sourceLineNo">2415</span> }<a name="line.2415"></a> |
| <span class="sourceLineNo">2416</span><a name="line.2416"></a> |
| <span class="sourceLineNo">2417</span> private void preGetUserPermissions(User caller, String userName, String namespace,<a name="line.2417"></a> |
| <span class="sourceLineNo">2418</span> TableName tableName, byte[] family, byte[] qualifier) throws IOException {<a name="line.2418"></a> |
| <span class="sourceLineNo">2419</span> if (tableName != null) {<a name="line.2419"></a> |
| <span class="sourceLineNo">2420</span> accessChecker.requirePermission(caller, "getUserPermissions", tableName, family, qualifier,<a name="line.2420"></a> |
| <span class="sourceLineNo">2421</span> userName, Action.ADMIN);<a name="line.2421"></a> |
| <span class="sourceLineNo">2422</span> } else if (namespace != null) {<a name="line.2422"></a> |
| <span class="sourceLineNo">2423</span> accessChecker.requireNamespacePermission(caller, "getUserPermissions", namespace, userName,<a name="line.2423"></a> |
| <span class="sourceLineNo">2424</span> Action.ADMIN);<a name="line.2424"></a> |
| <span class="sourceLineNo">2425</span> } else {<a name="line.2425"></a> |
| <span class="sourceLineNo">2426</span> accessChecker.requirePermission(caller, "getUserPermissions", userName, Action.ADMIN);<a name="line.2426"></a> |
| <span class="sourceLineNo">2427</span> }<a name="line.2427"></a> |
| <span class="sourceLineNo">2428</span> }<a name="line.2428"></a> |
| <span class="sourceLineNo">2429</span><a name="line.2429"></a> |
| <span class="sourceLineNo">2430</span> @Override<a name="line.2430"></a> |
| <span class="sourceLineNo">2431</span> public void preHasUserPermissions(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2431"></a> |
| <span class="sourceLineNo">2432</span> String userName, List<Permission> permissions) throws IOException {<a name="line.2432"></a> |
| <span class="sourceLineNo">2433</span> preHasUserPermissions(getActiveUser(ctx), userName, permissions);<a name="line.2433"></a> |
| <span class="sourceLineNo">2434</span> }<a name="line.2434"></a> |
| <span class="sourceLineNo">2435</span><a name="line.2435"></a> |
| <span class="sourceLineNo">2436</span> private void preHasUserPermissions(User caller, String userName, List<Permission> permissions)<a name="line.2436"></a> |
| <span class="sourceLineNo">2437</span> throws IOException {<a name="line.2437"></a> |
| <span class="sourceLineNo">2438</span> String request = "hasUserPermissions";<a name="line.2438"></a> |
| <span class="sourceLineNo">2439</span> for (Permission permission : permissions) {<a name="line.2439"></a> |
| <span class="sourceLineNo">2440</span> if (!caller.getShortName().equals(userName)) {<a name="line.2440"></a> |
| <span class="sourceLineNo">2441</span> // User should have admin privilege if checking permission for other users<a name="line.2441"></a> |
| <span class="sourceLineNo">2442</span> if (permission instanceof TablePermission) {<a name="line.2442"></a> |
| <span class="sourceLineNo">2443</span> TablePermission tPerm = (TablePermission) permission;<a name="line.2443"></a> |
| <span class="sourceLineNo">2444</span> accessChecker.requirePermission(caller, request, tPerm.getTableName(), tPerm.getFamily(),<a name="line.2444"></a> |
| <span class="sourceLineNo">2445</span> tPerm.getQualifier(), userName, Action.ADMIN);<a name="line.2445"></a> |
| <span class="sourceLineNo">2446</span> } else if (permission instanceof NamespacePermission) {<a name="line.2446"></a> |
| <span class="sourceLineNo">2447</span> NamespacePermission nsPerm = (NamespacePermission) permission;<a name="line.2447"></a> |
| <span class="sourceLineNo">2448</span> accessChecker.requireNamespacePermission(caller, request, nsPerm.getNamespace(), userName,<a name="line.2448"></a> |
| <span class="sourceLineNo">2449</span> Action.ADMIN);<a name="line.2449"></a> |
| <span class="sourceLineNo">2450</span> } else {<a name="line.2450"></a> |
| <span class="sourceLineNo">2451</span> accessChecker.requirePermission(caller, request, userName, Action.ADMIN);<a name="line.2451"></a> |
| <span class="sourceLineNo">2452</span> }<a name="line.2452"></a> |
| <span class="sourceLineNo">2453</span> } else {<a name="line.2453"></a> |
| <span class="sourceLineNo">2454</span> // User don't need ADMIN privilege for self check.<a name="line.2454"></a> |
| <span class="sourceLineNo">2455</span> // Setting action as null in AuthResult to display empty action in audit log<a name="line.2455"></a> |
| <span class="sourceLineNo">2456</span> AuthResult result;<a name="line.2456"></a> |
| <span class="sourceLineNo">2457</span> if (permission instanceof TablePermission) {<a name="line.2457"></a> |
| <span class="sourceLineNo">2458</span> TablePermission tPerm = (TablePermission) permission;<a name="line.2458"></a> |
| <span class="sourceLineNo">2459</span> result = AuthResult.allow(request, "Self user validation allowed", caller, null,<a name="line.2459"></a> |
| <span class="sourceLineNo">2460</span> tPerm.getTableName(), tPerm.getFamily(), tPerm.getQualifier());<a name="line.2460"></a> |
| <span class="sourceLineNo">2461</span> } else if (permission instanceof NamespacePermission) {<a name="line.2461"></a> |
| <span class="sourceLineNo">2462</span> NamespacePermission nsPerm = (NamespacePermission) permission;<a name="line.2462"></a> |
| <span class="sourceLineNo">2463</span> result = AuthResult.allow(request, "Self user validation allowed", caller, null,<a name="line.2463"></a> |
| <span class="sourceLineNo">2464</span> nsPerm.getNamespace());<a name="line.2464"></a> |
| <span class="sourceLineNo">2465</span> } else {<a name="line.2465"></a> |
| <span class="sourceLineNo">2466</span> result = AuthResult.allow(request, "Self user validation allowed", caller, null, null,<a name="line.2466"></a> |
| <span class="sourceLineNo">2467</span> null, null);<a name="line.2467"></a> |
| <span class="sourceLineNo">2468</span> }<a name="line.2468"></a> |
| <span class="sourceLineNo">2469</span> AccessChecker.logResult(result);<a name="line.2469"></a> |
| <span class="sourceLineNo">2470</span> }<a name="line.2470"></a> |
| <span class="sourceLineNo">2471</span> }<a name="line.2471"></a> |
| <span class="sourceLineNo">2472</span> }<a name="line.2472"></a> |
| <span class="sourceLineNo">2473</span><a name="line.2473"></a> |
| <span class="sourceLineNo">2474</span> @Override<a name="line.2474"></a> |
| <span class="sourceLineNo">2475</span> public void preMoveServersAndTables(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2475"></a> |
| <span class="sourceLineNo">2476</span> Set<Address> servers, Set<TableName> tables, String targetGroup) throws IOException {<a name="line.2476"></a> |
| <span class="sourceLineNo">2477</span> accessChecker.requirePermission(getActiveUser(ctx), "moveServersAndTables", null,<a name="line.2477"></a> |
| <span class="sourceLineNo">2478</span> Permission.Action.ADMIN);<a name="line.2478"></a> |
| <span class="sourceLineNo">2479</span> }<a name="line.2479"></a> |
| <span class="sourceLineNo">2480</span><a name="line.2480"></a> |
| <span class="sourceLineNo">2481</span> @Override<a name="line.2481"></a> |
| <span class="sourceLineNo">2482</span> public void preMoveServers(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2482"></a> |
| <span class="sourceLineNo">2483</span> Set<Address> servers, String targetGroup) throws IOException {<a name="line.2483"></a> |
| <span class="sourceLineNo">2484</span> accessChecker.requirePermission(getActiveUser(ctx), "moveServers", null,<a name="line.2484"></a> |
| <span class="sourceLineNo">2485</span> Permission.Action.ADMIN);<a name="line.2485"></a> |
| <span class="sourceLineNo">2486</span> }<a name="line.2486"></a> |
| <span class="sourceLineNo">2487</span><a name="line.2487"></a> |
| <span class="sourceLineNo">2488</span> @Override<a name="line.2488"></a> |
| <span class="sourceLineNo">2489</span> public void preMoveTables(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2489"></a> |
| <span class="sourceLineNo">2490</span> Set<TableName> tables, String targetGroup) throws IOException {<a name="line.2490"></a> |
| <span class="sourceLineNo">2491</span> accessChecker.requirePermission(getActiveUser(ctx), "moveTables", null,<a name="line.2491"></a> |
| <span class="sourceLineNo">2492</span> Permission.Action.ADMIN);<a name="line.2492"></a> |
| <span class="sourceLineNo">2493</span> }<a name="line.2493"></a> |
| <span class="sourceLineNo">2494</span><a name="line.2494"></a> |
| <span class="sourceLineNo">2495</span> @Override<a name="line.2495"></a> |
| <span class="sourceLineNo">2496</span> public void preAddRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String name)<a name="line.2496"></a> |
| <span class="sourceLineNo">2497</span> throws IOException {<a name="line.2497"></a> |
| <span class="sourceLineNo">2498</span> accessChecker.requirePermission(getActiveUser(ctx), "addRSGroup", null,<a name="line.2498"></a> |
| <span class="sourceLineNo">2499</span> Permission.Action.ADMIN);<a name="line.2499"></a> |
| <span class="sourceLineNo">2500</span> }<a name="line.2500"></a> |
| <span class="sourceLineNo">2501</span><a name="line.2501"></a> |
| <span class="sourceLineNo">2502</span> @Override<a name="line.2502"></a> |
| <span class="sourceLineNo">2503</span> public void preRemoveRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String name)<a name="line.2503"></a> |
| <span class="sourceLineNo">2504</span> throws IOException {<a name="line.2504"></a> |
| <span class="sourceLineNo">2505</span> accessChecker.requirePermission(getActiveUser(ctx), "removeRSGroup", null,<a name="line.2505"></a> |
| <span class="sourceLineNo">2506</span> Permission.Action.ADMIN);<a name="line.2506"></a> |
| <span class="sourceLineNo">2507</span> }<a name="line.2507"></a> |
| <span class="sourceLineNo">2508</span><a name="line.2508"></a> |
| <span class="sourceLineNo">2509</span> @Override<a name="line.2509"></a> |
| <span class="sourceLineNo">2510</span> public void preBalanceRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String groupName,<a name="line.2510"></a> |
| <span class="sourceLineNo">2511</span> BalanceRequest request) throws IOException {<a name="line.2511"></a> |
| <span class="sourceLineNo">2512</span> accessChecker.requirePermission(getActiveUser(ctx), "balanceRSGroup", null,<a name="line.2512"></a> |
| <span class="sourceLineNo">2513</span> Permission.Action.ADMIN);<a name="line.2513"></a> |
| <span class="sourceLineNo">2514</span> }<a name="line.2514"></a> |
| <span class="sourceLineNo">2515</span><a name="line.2515"></a> |
| <span class="sourceLineNo">2516</span> @Override<a name="line.2516"></a> |
| <span class="sourceLineNo">2517</span> public void preRemoveServers(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2517"></a> |
| <span class="sourceLineNo">2518</span> Set<Address> servers) throws IOException {<a name="line.2518"></a> |
| <span class="sourceLineNo">2519</span> accessChecker.requirePermission(getActiveUser(ctx), "removeServers", null,<a name="line.2519"></a> |
| <span class="sourceLineNo">2520</span> Permission.Action.ADMIN);<a name="line.2520"></a> |
| <span class="sourceLineNo">2521</span> }<a name="line.2521"></a> |
| <span class="sourceLineNo">2522</span><a name="line.2522"></a> |
| <span class="sourceLineNo">2523</span> @Override<a name="line.2523"></a> |
| <span class="sourceLineNo">2524</span> public void preGetRSGroupInfo(ObserverContext<MasterCoprocessorEnvironment> ctx, String groupName)<a name="line.2524"></a> |
| <span class="sourceLineNo">2525</span> throws IOException {<a name="line.2525"></a> |
| <span class="sourceLineNo">2526</span> accessChecker.requirePermission(getActiveUser(ctx), "getRSGroupInfo", null,<a name="line.2526"></a> |
| <span class="sourceLineNo">2527</span> Permission.Action.ADMIN);<a name="line.2527"></a> |
| <span class="sourceLineNo">2528</span> }<a name="line.2528"></a> |
| <span class="sourceLineNo">2529</span><a name="line.2529"></a> |
| <span class="sourceLineNo">2530</span> @Override<a name="line.2530"></a> |
| <span class="sourceLineNo">2531</span> public void preGetRSGroupInfoOfTable(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2531"></a> |
| <span class="sourceLineNo">2532</span> TableName tableName) throws IOException {<a name="line.2532"></a> |
| <span class="sourceLineNo">2533</span> accessChecker.requirePermission(getActiveUser(ctx), "getRSGroupInfoOfTable", null,<a name="line.2533"></a> |
| <span class="sourceLineNo">2534</span> Permission.Action.ADMIN);<a name="line.2534"></a> |
| <span class="sourceLineNo">2535</span> // todo: should add check for table existence<a name="line.2535"></a> |
| <span class="sourceLineNo">2536</span> }<a name="line.2536"></a> |
| <span class="sourceLineNo">2537</span><a name="line.2537"></a> |
| <span class="sourceLineNo">2538</span> @Override<a name="line.2538"></a> |
| <span class="sourceLineNo">2539</span> public void preListRSGroups(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.2539"></a> |
| <span class="sourceLineNo">2540</span> throws IOException {<a name="line.2540"></a> |
| <span class="sourceLineNo">2541</span> accessChecker.requirePermission(getActiveUser(ctx), "listRSGroups", null,<a name="line.2541"></a> |
| <span class="sourceLineNo">2542</span> Permission.Action.ADMIN);<a name="line.2542"></a> |
| <span class="sourceLineNo">2543</span> }<a name="line.2543"></a> |
| <span class="sourceLineNo">2544</span><a name="line.2544"></a> |
| <span class="sourceLineNo">2545</span> @Override<a name="line.2545"></a> |
| <span class="sourceLineNo">2546</span> public void preListTablesInRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2546"></a> |
| <span class="sourceLineNo">2547</span> String groupName) throws IOException {<a name="line.2547"></a> |
| <span class="sourceLineNo">2548</span> accessChecker.requirePermission(getActiveUser(ctx), "listTablesInRSGroup", null,<a name="line.2548"></a> |
| <span class="sourceLineNo">2549</span> Permission.Action.ADMIN);<a name="line.2549"></a> |
| <span class="sourceLineNo">2550</span> }<a name="line.2550"></a> |
| <span class="sourceLineNo">2551</span><a name="line.2551"></a> |
| <span class="sourceLineNo">2552</span> @Override<a name="line.2552"></a> |
| <span class="sourceLineNo">2553</span> public void preGetConfiguredNamespacesAndTablesInRSGroup(<a name="line.2553"></a> |
| <span class="sourceLineNo">2554</span> ObserverContext<MasterCoprocessorEnvironment> ctx, String groupName) throws IOException {<a name="line.2554"></a> |
| <span class="sourceLineNo">2555</span> accessChecker.requirePermission(getActiveUser(ctx), "getConfiguredNamespacesAndTablesInRSGroup",<a name="line.2555"></a> |
| <span class="sourceLineNo">2556</span> null, Permission.Action.ADMIN);<a name="line.2556"></a> |
| <span class="sourceLineNo">2557</span> }<a name="line.2557"></a> |
| <span class="sourceLineNo">2558</span><a name="line.2558"></a> |
| <span class="sourceLineNo">2559</span> @Override<a name="line.2559"></a> |
| <span class="sourceLineNo">2560</span> public void preGetRSGroupInfoOfServer(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2560"></a> |
| <span class="sourceLineNo">2561</span> Address server) throws IOException {<a name="line.2561"></a> |
| <span class="sourceLineNo">2562</span> accessChecker.requirePermission(getActiveUser(ctx), "getRSGroupInfoOfServer", null,<a name="line.2562"></a> |
| <span class="sourceLineNo">2563</span> Permission.Action.ADMIN);<a name="line.2563"></a> |
| <span class="sourceLineNo">2564</span> }<a name="line.2564"></a> |
| <span class="sourceLineNo">2565</span><a name="line.2565"></a> |
| <span class="sourceLineNo">2566</span> @Override<a name="line.2566"></a> |
| <span class="sourceLineNo">2567</span> public void preRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String oldName,<a name="line.2567"></a> |
| <span class="sourceLineNo">2568</span> String newName) throws IOException {<a name="line.2568"></a> |
| <span class="sourceLineNo">2569</span> accessChecker.requirePermission(getActiveUser(ctx), "renameRSGroup", null,<a name="line.2569"></a> |
| <span class="sourceLineNo">2570</span> Permission.Action.ADMIN);<a name="line.2570"></a> |
| <span class="sourceLineNo">2571</span> }<a name="line.2571"></a> |
| <span class="sourceLineNo">2572</span><a name="line.2572"></a> |
| <span class="sourceLineNo">2573</span> @Override<a name="line.2573"></a> |
| <span class="sourceLineNo">2574</span> public void preUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.2574"></a> |
| <span class="sourceLineNo">2575</span> final String groupName, final Map<String, String> configuration) throws IOException {<a name="line.2575"></a> |
| <span class="sourceLineNo">2576</span> accessChecker.requirePermission(getActiveUser(ctx), "updateRSGroupConfig", null,<a name="line.2576"></a> |
| <span class="sourceLineNo">2577</span> Permission.Action.ADMIN);<a name="line.2577"></a> |
| <span class="sourceLineNo">2578</span> }<a name="line.2578"></a> |
| <span class="sourceLineNo">2579</span>}<a name="line.2579"></a> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| </pre> |
| </div> |
| </body> |
| </html> |
