Google Git
Sign in
apache / hbase / 1726160839368df14602da1618e3538955b25f74 / . / hbase-server / src / main / java / org / apache / hadoop / hbase / security / access / PermissionStorage.java
blob: 268bc36fc45bb86701b16cc8a4bc15b38386ec93 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hbase.security.access;
import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.Cell.Type;
import org.apache.hadoop.hbase.CellBuilderFactory;
import org.apache.hadoop.hbase.CellBuilderType;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.CompareOperator;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.PrivateCellUtil;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.TagType;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.exceptions.DeserializationException;
import org.apache.hadoop.hbase.filter.QualifierFilter;
import org.apache.hadoop.hbase.filter.RegexStringComparator;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.io.Writable;
import org.apache.hadoop.io.WritableFactories;
import org.apache.hadoop.io.WritableUtils;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;
/**
* Maintains lists of permission grants to users and groups to allow for
* authorization checks by {@link AccessController}.
*
* <p>
* Access control lists are stored in an "internal" metadata table named
* {@code _acl_}. Each table's permission grants are stored as a separate row,
* keyed by the table name. KeyValues for permissions assignments are stored
* in one of the formats:
* <pre>
* Key Desc
* -------- --------
* user table level permissions for a user [R=read, W=write]
* group table level permissions for a group
* user,family column family level permissions for a user
* group,family column family level permissions for a group
* user,family,qualifier column qualifier level permissions for a user
* group,family,qualifier column qualifier level permissions for a group
* </pre>
* <p>
* All values are encoded as byte arrays containing the codes from the
* org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
* </p>
*/
@InterfaceAudience.Private
public final class PermissionStorage {
/** Internal storage table for access control lists */
public static final TableName ACL_TABLE_NAME =
TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
/** Column family used to store ACL grants */
public static final String ACL_LIST_FAMILY_STR = "l";
public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
/** KV tag to store per cell access control lists */
public static final byte ACL_TAG_TYPE = TagType.ACL_TAG_TYPE;
public static final char NAMESPACE_PREFIX = '@';
/**
* Delimiter to separate user, column family, and qualifier in
* _acl_ table info: column keys */
public static final char ACL_KEY_DELIMITER = ',';
private static final Logger LOG = LoggerFactory.getLogger(PermissionStorage.class);
private PermissionStorage() {
}
/**
* Stores a new user permission grant in the access control lists table.
* @param conf the configuration
* @param userPerm the details of the permission to be granted
* @param t acl table instance. It is closed upon method return.
* @throws IOException in the case of an error accessing the metadata table
*/
public static void addUserPermission(Configuration conf, UserPermission userPerm, Table t,
boolean mergeExistingPermissions) throws IOException {
Permission permission = userPerm.getPermission();
Permission.Action[] actions = permission.getActions();
byte[] rowKey = userPermissionRowKey(permission);
Put p = new Put(rowKey);
byte[] key = userPermissionKey(userPerm);
if ((actions == null) || (actions.length == 0)) {
String msg = "No actions associated with user '" + userPerm.getUser() + "'";
LOG.warn(msg);
throw new IOException(msg);
}
Set<Permission.Action> actionSet = new TreeSet<Permission.Action>();
if(mergeExistingPermissions){
List<UserPermission> perms = getUserPermissions(conf, rowKey, null, null, null, false);
UserPermission currentPerm = null;
for (UserPermission perm : perms) {
if (userPerm.equalsExceptActions(perm)) {
currentPerm = perm;
break;
}
}
if (currentPerm != null && currentPerm.getPermission().getActions() != null){
actionSet.addAll(Arrays.asList(currentPerm.getPermission().getActions()));
}
}
// merge current action with new action.
actionSet.addAll(Arrays.asList(actions));
// serialize to byte array.
byte[] value = new byte[actionSet.size()];
int index = 0;
for (Permission.Action action : actionSet) {
value[index++] = action.code();
}
p.add(CellBuilderFactory.create(CellBuilderType.SHALLOW_COPY)
.setRow(p.getRow())
.setFamily(ACL_LIST_FAMILY)
.setQualifier(key)
.setTimestamp(p.getTimestamp())
.setType(Type.Put)
.setValue(value)
.build());
if (LOG.isDebugEnabled()) {
LOG.debug("Writing permission with rowKey " + Bytes.toString(rowKey) + " "
+ Bytes.toString(key) + ": " + Bytes.toStringBinary(value));
}
try {
t.put(p);
} finally {
t.close();
}
}
static void addUserPermission(Configuration conf, UserPermission userPerm, Table t)
throws IOException{
addUserPermission(conf, userPerm, t, false);
}
/**
* Removes a previously granted permission from the stored access control
* lists. The {@link TablePermission} being removed must exactly match what
* is stored -- no wildcard matching is attempted. Ie, if user "bob" has
* been granted "READ" access to the "data" table, but only to column family
* plus qualifier "info:colA", then trying to call this method with only
* user "bob" and the table name "data" (but without specifying the
* column qualifier "info:colA") will have no effect.
*
* @param conf the configuration
* @param userPerm the details of the permission to be revoked
* @param t acl table
* @throws IOException if there is an error accessing the metadata table
*/
public static void removeUserPermission(Configuration conf, UserPermission userPerm, Table t)
throws IOException {
if (null == userPerm.getPermission().getActions() ||
userPerm.getPermission().getActions().length == 0) {
removePermissionRecord(conf, userPerm, t);
} else {
// Get all the global user permissions from the acl table
List<UserPermission> permsList =
getUserPermissions(conf, userPermissionRowKey(userPerm.getPermission()),
null, null, null, false);
List<Permission.Action> remainingActions = new ArrayList<>();
List<Permission.Action> dropActions = Arrays.asList(userPerm.getPermission().getActions());
for (UserPermission perm : permsList) {
// Find the user and remove only the requested permissions
if (perm.getUser().equals(userPerm.getUser())) {
for (Permission.Action oldAction : perm.getPermission().getActions()) {
if (!dropActions.contains(oldAction)) {
remainingActions.add(oldAction);
}
}
if (!remainingActions.isEmpty()) {
perm.getPermission().setActions(
remainingActions.toArray(new Permission.Action[remainingActions.size()]));
addUserPermission(conf, perm, t);
} else {
removePermissionRecord(conf, userPerm, t);
}
break;
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("Removed permission "+ userPerm.toString());
}
}
private static void removePermissionRecord(Configuration conf, UserPermission userPerm, Table t)
throws IOException {
Delete d = new Delete(userPermissionRowKey(userPerm.getPermission()));
d.addColumns(ACL_LIST_FAMILY, userPermissionKey(userPerm));
try {
t.delete(d);
} finally {
t.close();
}
}
/**
* Remove specified table from the _acl_ table.
*/
static void removeTablePermissions(Configuration conf, TableName tableName, Table t)
throws IOException{
Delete d = new Delete(tableName.getName());
d.addFamily(ACL_LIST_FAMILY);
if (LOG.isDebugEnabled()) {
LOG.debug("Removing permissions of removed table "+ tableName);
}
try {
t.delete(d);
} finally {
t.close();
}
}
/**
* Remove specified namespace from the acl table.
*/
static void removeNamespacePermissions(Configuration conf, String namespace, Table t)
throws IOException{
Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
d.addFamily(ACL_LIST_FAMILY);
if (LOG.isDebugEnabled()) {
LOG.debug("Removing permissions of removed namespace "+ namespace);
}
try {
t.delete(d);
} finally {
t.close();
}
}
static private void removeTablePermissions(TableName tableName, byte[] column, Table table,
boolean closeTable) throws IOException {
Scan scan = new Scan();
scan.addFamily(ACL_LIST_FAMILY);
String columnName = Bytes.toString(column);
scan.setFilter(new QualifierFilter(CompareOperator.EQUAL, new RegexStringComparator(
String.format("(%s%s%s)|(%s%s)$",
ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
ACL_KEY_DELIMITER, columnName))));
Set<byte[]> qualifierSet = new TreeSet<>(Bytes.BYTES_COMPARATOR);
ResultScanner scanner = null;
try {
scanner = table.getScanner(scan);
for (Result res : scanner) {
for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
qualifierSet.add(q);
}
}
if (qualifierSet.size() > 0) {
Delete d = new Delete(tableName.getName());
for (byte[] qualifier : qualifierSet) {
d.addColumns(ACL_LIST_FAMILY, qualifier);
}
table.delete(d);
}
} finally {
if (scanner != null) {
scanner.close();
}
if (closeTable) {
table.close();
}
}
}
/**
* Remove specified table column from the acl table.
*/
static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column,
Table t) throws IOException {
if (LOG.isDebugEnabled()) {
LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
" from table "+ tableName);
}
removeTablePermissions(tableName, column, t, true);
}
static byte[] userPermissionRowKey(Permission permission) {
byte[] row;
if (permission instanceof TablePermission) {
TablePermission tablePerm = (TablePermission) permission;
row = tablePerm.getTableName().getName();
} else if (permission instanceof NamespacePermission) {
NamespacePermission nsPerm = (NamespacePermission) permission;
row = Bytes.toBytes(toNamespaceEntry(nsPerm.getNamespace()));
} else {
// permission instanceof TablePermission
row = ACL_GLOBAL_NAME;
}
return row;
}
/**
* Build qualifier key from user permission:
* username
* username,family
* username,family,qualifier
*/
static byte[] userPermissionKey(UserPermission permission) {
byte[] key = Bytes.toBytes(permission.getUser());
byte[] qualifier = null;
byte[] family = null;
if (permission.getPermission().getAccessScope() == Permission.Scope.TABLE) {
TablePermission tablePermission = (TablePermission) permission.getPermission();
family = tablePermission.getFamily();
qualifier = tablePermission.getQualifier();
}
if (family != null && family.length > 0) {
key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
if (qualifier != null && qualifier.length > 0) {
key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
}
}
return key;
}
/**
* Returns {@code true} if the given region is part of the {@code _acl_}
* metadata table.
*/
static boolean isAclRegion(Region region) {
return ACL_TABLE_NAME.equals(region.getTableDescriptor().getTableName());
}
/**
* Returns {@code true} if the given table is {@code _acl_} metadata table.
*/
static boolean isAclTable(TableDescriptor desc) {
return ACL_TABLE_NAME.equals(desc.getTableName());
}
/**
* Loads all of the permission grants stored in a region of the {@code _acl_}
* table.
*
* @param aclRegion the acl region
* @return a map of the permissions for this table.
* @throws IOException if an error occurs
*/
static Map<byte[], ListMultimap<String, UserPermission>> loadAll(Region aclRegion)
throws IOException {
if (!isAclRegion(aclRegion)) {
throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
}
Map<byte[], ListMultimap<String, UserPermission>> allPerms =
new TreeMap<>(Bytes.BYTES_RAWCOMPARATOR);
// do a full scan of _acl_ table
Scan scan = new Scan();
scan.addFamily(ACL_LIST_FAMILY);
InternalScanner iScanner = null;
try {
iScanner = aclRegion.getScanner(scan);
while (true) {
List<Cell> row = new ArrayList<>();
boolean hasNext = iScanner.next(row);
ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
byte[] entry = null;
for (Cell kv : row) {
if (entry == null) {
entry = CellUtil.cloneRow(kv);
}
Pair<String, Permission> permissionsOfUserOnTable =
parsePermissionRecord(entry, kv, null, null, false, null);
if (permissionsOfUserOnTable != null) {
String username = permissionsOfUserOnTable.getFirst();
Permission permission = permissionsOfUserOnTable.getSecond();
perms.put(username, new UserPermission(username, permission));
}
}
if (entry != null) {
allPerms.put(entry, perms);
}
if (!hasNext) {
break;
}
}
} finally {
if (iScanner != null) {
iScanner.close();
}
}
return allPerms;
}
/**
* Load all permissions from the region server holding {@code _acl_},
* primarily intended for testing purposes.
*/
static Map<byte[], ListMultimap<String, UserPermission>> loadAll(
Configuration conf) throws IOException {
Map<byte[], ListMultimap<String, UserPermission>> allPerms =
new TreeMap<>(Bytes.BYTES_RAWCOMPARATOR);
// do a full scan of _acl_, filtering on only first table region rows
Scan scan = new Scan();
scan.addFamily(ACL_LIST_FAMILY);
ResultScanner scanner = null;
// TODO: Pass in a Connection rather than create one each time.
try (Connection connection = ConnectionFactory.createConnection(conf)) {
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
scanner = table.getScanner(scan);
try {
for (Result row : scanner) {
ListMultimap<String, UserPermission> resultPerms =
parsePermissions(row.getRow(), row, null, null, null, false);
allPerms.put(row.getRow(), resultPerms);
}
} finally {
if (scanner != null) {
scanner.close();
}
}
}
}
return allPerms;
}
public static ListMultimap<String, UserPermission> getTablePermissions(Configuration conf,
TableName tableName) throws IOException {
return getPermissions(conf, tableName != null ? tableName.getName() : null, null, null, null,
null, false);
}
public static ListMultimap<String, UserPermission> getNamespacePermissions(Configuration conf,
String namespace) throws IOException {
return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null, null, null, null,
false);
}
public static ListMultimap<String, UserPermission> getGlobalPermissions(Configuration conf)
throws IOException {
return getPermissions(conf, null, null, null, null, null, false);
}
/**
* Reads user permission assignments stored in the <code>l:</code> column family of the first
* table row in <code>_acl_</code>.
* <p>
* See {@link PermissionStorage class documentation} for the key structure used for storage.
* </p>
*/
static ListMultimap<String, UserPermission> getPermissions(Configuration conf, byte[] entryName,
Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException {
if (entryName == null) {
entryName = ACL_GLOBAL_NAME;
}
// for normal user tables, we just read the table row from _acl_
ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
Get get = new Get(entryName);
get.addFamily(ACL_LIST_FAMILY);
Result row = null;
if (t == null) {
try (Connection connection = ConnectionFactory.createConnection(conf)) {
try (Table table = connection.getTable(ACL_TABLE_NAME)) {
row = table.get(get);
}
}
} else {
row = t.get(get);
}
if (!row.isEmpty()) {
perms = parsePermissions(entryName, row, cf, cq, user, hasFilterUser);
} else {
LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
+ Bytes.toString(entryName));
}
return perms;
}
/**
* Returns the currently granted permissions for a given table as the specified user plus
* associated permissions.
*/
public static List<UserPermission> getUserTablePermissions(Configuration conf,
TableName tableName, byte[] cf, byte[] cq, String userName, boolean hasFilterUser)
throws IOException {
return getUserPermissions(conf, tableName == null ? null : tableName.getName(), cf, cq,
userName, hasFilterUser);
}
/**
* Returns the currently granted permissions for a given namespace as the specified user plus
* associated permissions.
*/
public static List<UserPermission> getUserNamespacePermissions(Configuration conf,
String namespace, String user, boolean hasFilterUser) throws IOException {
return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null, null, user,
hasFilterUser);
}
/**
* Returns the currently granted permissions for a given table/namespace with associated
* permissions based on the specified column family, column qualifier and user name.
* @param conf the configuration
* @param entryName Table name or the namespace
* @param cf Column family
* @param cq Column qualifier
* @param user User name to be filtered from permission as requested
* @param hasFilterUser true if filter user is provided, otherwise false.
* @return List of UserPermissions
* @throws IOException on failure
*/
public static List<UserPermission> getUserPermissions(Configuration conf, byte[] entryName,
byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException {
ListMultimap<String, UserPermission> allPerms =
getPermissions(conf, entryName, null, cf, cq, user, hasFilterUser);
List<UserPermission> perms = new ArrayList<>();
for (Map.Entry<String, UserPermission> entry : allPerms.entries()) {
perms.add(entry.getValue());
}
return perms;
}
/**
* Parse and filter permission based on the specified column family, column qualifier and user
* name.
*/
private static ListMultimap<String, UserPermission> parsePermissions(byte[] entryName,
Result result, byte[] cf, byte[] cq, String user, boolean hasFilterUser) {
ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
if (result != null && result.size() > 0) {
for (Cell kv : result.rawCells()) {
Pair<String, Permission> permissionsOfUserOnTable =
parsePermissionRecord(entryName, kv, cf, cq, hasFilterUser, user);
if (permissionsOfUserOnTable != null) {
String username = permissionsOfUserOnTable.getFirst();
Permission permission = permissionsOfUserOnTable.getSecond();
perms.put(username, new UserPermission(username, permission));
}
}
}
return perms;
}
private static Pair<String, Permission> parsePermissionRecord(byte[] entryName, Cell kv,
byte[] cf, byte[] cq, boolean filterPerms, String filterUser) {
// return X given a set of permissions encoded in the permissionRecord kv.
byte[] family = CellUtil.cloneFamily(kv);
if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
return null;
}
byte[] key = CellUtil.cloneQualifier(kv);
byte[] value = CellUtil.cloneValue(kv);
if (LOG.isDebugEnabled()) {
LOG.debug("Read acl: entry[" +
Bytes.toStringBinary(entryName) + "], kv [" +
Bytes.toStringBinary(key) + ": " +
Bytes.toStringBinary(value)+"]");
}
// check for a column family appended to the key
// TODO: avoid the string conversion to make this more efficient
String username = Bytes.toString(key);
// Retrieve group list for the filterUser if cell key is a group.
// Group list is not required when filterUser itself a group
List<String> filterUserGroups = null;
if (filterPerms) {
if (username.charAt(0) == '@' && !StringUtils.isEmpty(filterUser)
&& filterUser.charAt(0) != '@') {
filterUserGroups = AccessChecker.getUserGroups(filterUser);
}
}
// Handle namespace entry
if (isNamespaceEntry(entryName)) {
// Filter the permissions cell record if client query
if (filterPerms && !validateFilterUser(username, filterUser, filterUserGroups)) {
return null;
}
return new Pair<>(username,
Permission.newBuilder(Bytes.toString(fromNamespaceEntry(entryName)))
.withActionCodes(value).build());
}
// Handle global entry
if (isGlobalEntry(entryName)) {
// Filter the permissions cell record if client query
if (filterPerms && !validateFilterUser(username, filterUser, filterUserGroups)) {
return null;
}
return new Pair<>(username, Permission.newBuilder().withActionCodes(value).build());
}
// Handle table entry
int idx = username.indexOf(ACL_KEY_DELIMITER);
byte[] permFamily = null;
byte[] permQualifier = null;
if (idx > 0 && idx < username.length()-1) {
String remainder = username.substring(idx+1);
username = username.substring(0, idx);
idx = remainder.indexOf(ACL_KEY_DELIMITER);
if (idx > 0 && idx < remainder.length()-1) {
permFamily = Bytes.toBytes(remainder.substring(0, idx));
permQualifier = Bytes.toBytes(remainder.substring(idx+1));
} else {
permFamily = Bytes.toBytes(remainder);
}
}
// Filter the permissions cell record if client query
if (filterPerms) {
// ACL table contain 3 types of cell key entries; hbase:Acl, namespace and table. So to filter
// the permission cell records additional validations are required at CF, CQ and username.
// Here we can proceed based on client input whether it contain filterUser.
// Validate the filterUser when specified
if (filterUser != null && !validateFilterUser(username, filterUser, filterUserGroups)) {
return null;
}
if (!validateCFAndCQ(permFamily, cf, permQualifier, cq)) {
return null;
}
}
return new Pair<>(username, Permission.newBuilder(TableName.valueOf(entryName))
.withFamily(permFamily).withQualifier(permQualifier).withActionCodes(value).build());
}
/*
* Validate the cell key with the client filterUser if specified in the query input. 1. If cell
* key (username) is not a group then check whether client filterUser is equal to username 2. If
* cell key (username) is a group then check whether client filterUser belongs to the cell key
* group (username) 3. In case when both filterUser and username are group names then cell will be
* filtered if not equal.
*/
private static boolean validateFilterUser(String username, String filterUser,
List<String> filterUserGroups) {
if (filterUserGroups == null) {
// Validate user name or group names whether equal
if (filterUser.equals(username)) {
return true;
}
} else {
// Check whether filter user belongs to the cell key group.
return filterUserGroups.contains(username.substring(1));
}
return false;
}
/*
* Validate the cell with client CF and CQ if specified in the query input. 1. If CF is NULL, then
* no need of further validation, result should include all CF and CQ. 2. IF CF specified and
* equal then validation required at CQ level if CF specified in client input, otherwise return
* all CQ records.
*/
private static boolean validateCFAndCQ(byte[] permFamily, byte[] cf, byte[] permQualifier,
byte[] cq) {
boolean include = true;
if (cf != null) {
if (Bytes.equals(cf, permFamily)) {
if (cq != null && !Bytes.equals(cq, permQualifier)) {
// if CQ specified and didn't match then ignore this cell
include = false;
}
} else {
// if CF specified and didn't match then ignore this cell
include = false;
}
}
return include;
}
/**
* Writes a set of permissions as {@link org.apache.hadoop.io.Writable} instances and returns the
* resulting byte array. Writes a set of permission [user: table permission]
*/
public static byte[] writePermissionsAsBytes(ListMultimap<String, UserPermission> perms,
Configuration conf) {
return ProtobufUtil
.prependPBMagic(AccessControlUtil.toUserTablePermissions(perms).toByteArray());
}
// This is part of the old HbaseObjectWritableFor96Migration.
private static final int LIST_CODE = 61;
private static final int WRITABLE_CODE = 14;
private static final int WRITABLE_NOT_ENCODED = 0;
private static List<Permission> readWritableUserPermission(DataInput in,
Configuration conf) throws IOException, ClassNotFoundException {
assert WritableUtils.readVInt(in) == LIST_CODE;
int length = in.readInt();
List<Permission> list = new ArrayList<>(length);
for (int i = 0; i < length; i++) {
assert WritableUtils.readVInt(in) == WRITABLE_CODE;
assert WritableUtils.readVInt(in) == WRITABLE_NOT_ENCODED;
String className = Text.readString(in);
Class<? extends Writable> clazz = conf.getClassByName(className).asSubclass(Writable.class);
Writable instance = WritableFactories.newInstance(clazz, conf);
instance.readFields(in);
list.add((Permission) instance);
}
return list;
}
public static ListMultimap<String, UserPermission> readUserPermission(byte[] data,
Configuration conf) throws DeserializationException {
if (ProtobufUtil.isPBMagicPrefix(data)) {
int pblen = ProtobufUtil.lengthOfPBMagic();
try {
AccessControlProtos.UsersAndPermissions.Builder builder =
AccessControlProtos.UsersAndPermissions.newBuilder();
ProtobufUtil.mergeFrom(builder, data, pblen, data.length - pblen);
return AccessControlUtil.toUserPermission(builder.build());
} catch (IOException e) {
throw new DeserializationException(e);
}
} else {
// TODO: We have to re-write non-PB data as PB encoded. Otherwise we will carry old Writables
// forever (here and a couple of other places).
ListMultimap<String, UserPermission> userPermission = ArrayListMultimap.create();
try {
DataInput in = new DataInputStream(new ByteArrayInputStream(data));
int length = in.readInt();
for (int i = 0; i < length; i++) {
String user = Text.readString(in);
List<Permission> perms = readWritableUserPermission(in, conf);
for (Permission p : perms) {
userPermission.put(user, new UserPermission(user, p));
}
}
} catch (IOException | ClassNotFoundException e) {
throw new DeserializationException(e);
}
return userPermission;
}
}
public static ListMultimap<String, Permission> readPermissions(byte[] data,
Configuration conf) throws DeserializationException {
if (ProtobufUtil.isPBMagicPrefix(data)) {
int pblen = ProtobufUtil.lengthOfPBMagic();
try {
AccessControlProtos.UsersAndPermissions.Builder builder =
AccessControlProtos.UsersAndPermissions.newBuilder();
ProtobufUtil.mergeFrom(builder, data, pblen, data.length - pblen);
return AccessControlUtil.toPermission(builder.build());
} catch (IOException e) {
throw new DeserializationException(e);
}
} else {
// TODO: We have to re-write non-PB data as PB encoded. Otherwise we will carry old Writables
// forever (here and a couple of other places).
ListMultimap<String, Permission> perms = ArrayListMultimap.create();
try {
DataInput in = new DataInputStream(new ByteArrayInputStream(data));
int length = in.readInt();
for (int i = 0; i < length; i++) {
String user = Text.readString(in);
perms.putAll(user, readWritableUserPermission(in, conf));
}
} catch (IOException | ClassNotFoundException e) {
throw new DeserializationException(e);
}
return perms;
}
}
public static boolean isGlobalEntry(byte[] entryName) {
return Bytes.equals(entryName, ACL_GLOBAL_NAME);
}
public static boolean isNamespaceEntry(String entryName) {
return isNamespaceEntry(Bytes.toBytes(entryName));
}
public static boolean isNamespaceEntry(byte[] entryName) {
return entryName != null && entryName.length !=0 && entryName[0] == NAMESPACE_PREFIX;
}
public static boolean isTableEntry(byte[] entryName) {
return !isNamespaceEntry(entryName) && !isGlobalEntry(entryName) && entryName != null;
}
public static String toNamespaceEntry(String namespace) {
return NAMESPACE_PREFIX + namespace;
}
public static String fromNamespaceEntry(String namespace) {
if (namespace.charAt(0) != NAMESPACE_PREFIX) {
throw new IllegalArgumentException("Argument is not a valid namespace entry");
}
return namespace.substring(1);
}
public static byte[] toNamespaceEntry(byte[] namespace) {
byte[] ret = new byte[namespace.length+1];
ret[0] = NAMESPACE_PREFIX;
System.arraycopy(namespace, 0, ret, 1, namespace.length);
return ret;
}
public static byte[] fromNamespaceEntry(byte[] namespace) {
if(namespace[0] != NAMESPACE_PREFIX) {
throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
Bytes.toString(namespace));
}
return Arrays.copyOfRange(namespace, 1, namespace.length);
}
public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
throws IOException {
// Save an object allocation where we can
if (cell.getTagsLength() == 0) {
return null;
}
List<Permission> results = Lists.newArrayList();
Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell);
while (tagsIterator.hasNext()) {
Tag tag = tagsIterator.next();
if (tag.getType() == ACL_TAG_TYPE) {
// Deserialize the table permissions from the KV
// TODO: This can be improved. Don't build UsersAndPermissions just to unpack it again,
// use the builder
AccessControlProtos.UsersAndPermissions.Builder builder =
AccessControlProtos.UsersAndPermissions.newBuilder();
if (tag.hasArray()) {
ProtobufUtil.mergeFrom(builder, tag.getValueArray(), tag.getValueOffset(),
tag.getValueLength());
} else {
ProtobufUtil.mergeFrom(builder, Tag.cloneValue(tag));
}
ListMultimap<String,Permission> kvPerms =
AccessControlUtil.toUsersAndPermissions(builder.build());
// Are there permissions for this user?
List<Permission> userPerms = kvPerms.get(user.getShortName());
if (userPerms != null) {
results.addAll(userPerms);
}
// Are there permissions for any of the groups this user belongs to?
String[] groupNames = user.getGroupNames();
if (groupNames != null) {
for (String group : groupNames) {
List<Permission> groupPerms = kvPerms.get(AuthUtil.toGroupEntry(group));
if (results != null) {
results.addAll(groupPerms);
}
}
}
}
}
return results;
}
}