18 package org.apache.hadoop.hbase.security.access;
19
20 import java.io.IOException;
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.regex.Pattern;
24
25 import org.apache.hadoop.conf.Configuration;
26 import org.apache.hadoop.hbase.HConstants;
27 import org.apache.hadoop.hbase.HTableDescriptor;
28 import org.apache.hadoop.hbase.MasterNotRunningException;
29 import org.apache.hadoop.hbase.NamespaceDescriptor;
30 import org.apache.hadoop.hbase.TableName;
31 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
32 import org.apache.hadoop.hbase.classification.InterfaceAudience;
33 import org.apache.hadoop.hbase.classification.InterfaceStability;
34 import org.apache.hadoop.hbase.client.Admin;
35 import org.apache.hadoop.hbase.client.ClusterConnection;
36 import org.apache.hadoop.hbase.client.Connection;
37 import org.apache.hadoop.hbase.client.ConnectionFactory;
38 import org.apache.hadoop.hbase.client.Table;
39 import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
40 import org.apache.hadoop.hbase.ipc.PayloadCarryingRpcController;
41 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
42 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
43 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingInterface;
44 import org.apache.hadoop.hbase.util.Bytes;
45
46
47
48
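@InterfaceAudience.Public
@InterfaceStability.Evolving
public class AccessControlClient {
  /**
   * The {@code acl} table in the system namespace. Every operation in this class opens this
   * table and talks to the AccessControlService coprocessor endpoint hosted on it; nothing here
   * reads or writes the table's cells directly.
   */
  public static final TableName ACL_TABLE_NAME =
      TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");

  /**
   * Builds a blocking stub for the AccessControlService endpoint.
   *
   * @param ht an open handle on {@link #ACL_TABLE_NAME}
   * @return a stub bound to the region that serves the empty start row (the table's first region)
   * @throws IOException if the coprocessor channel cannot be obtained
   */
  private static BlockingInterface getAccessControlServiceStub(Table ht)
      throws IOException {
    CoprocessorRpcChannel service = ht.coprocessorService(HConstants.EMPTY_START_ROW);
    return AccessControlProtos.AccessControlService.newBlockingStub(service);
  }

  /**
   * Creates a fresh RPC controller for one request.
   * <p>
   * The controller factory is only reachable through the internal {@link ClusterConnection}
   * API, so a {@link Connection} implementation that is not a {@link ClusterConnection} fails
   * here with a {@link ClassCastException} (unchanged from the original inline casts).
   *
   * @param connection the connection the request will be sent over
   * @return a new, unconfigured controller
   */
  private static PayloadCarryingRpcController newController(final Connection connection) {
    return ((ClusterConnection) connection).getRpcControllerFactory().newController();
  }

  /**
   * Grants {@code actions} to {@code userName} on {@code tableName}, optionally narrowed to a
   * column family and qualifier.
   * <p>
   * Security note: this method only transmits the request. Whether the caller is allowed to
   * grant, and how the new actions combine with anything the user already holds, is decided by
   * the AccessController coprocessor on the server and is not visible from this client.
   *
   * @param connection an open connection; must be a {@link ClusterConnection}
   * @param tableName the table the permission applies to; also used to pick the RPC priority
   * @param userName the principal receiving the permission
   * @param family column family to narrow the grant to; passed through as-is (may be {@code null})
   * @param qual column qualifier to narrow the grant to; passed through as-is (may be {@code null})
   * @param actions the actions to grant
   * @throws Throwable whatever the RPC layer raises; the broad signature is kept for compatibility
   */
  public static void grant(final Connection connection, final TableName tableName,
      final String userName, final byte[] family, final byte[] qual,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    // Priority is derived from the target table, not from the acl table the RPC is sent to
    // (presumably so that grants on system tables are not starved; verify against the factory).
    controller.setPriority(tableName);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, tableName,
          family, qual, actions);
    }
  }

  /**
   * Grants {@code actions} to {@code userName} on every table in {@code namespace}.
   * <p>
   * As with the table variant, authorization of the caller and merging with existing
   * permissions happen on the server side.
   *
   * @param connection an open connection; must be a {@link ClusterConnection}
   * @param namespace the namespace the permission applies to
   * @param userName the principal receiving the permission
   * @param actions the actions to grant
   * @throws Throwable whatever the RPC layer raises
   */
  public static void grant(final Connection connection, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, namespace,
          actions);
    }
  }

  /**
   * Grants global (cluster-wide) {@code actions} to {@code userName}.
   * <p>
   * Global grants are the broadest scope this client can request; the server decides whether
   * the caller may issue them.
   *
   * @param connection an open connection; must be a {@link ClusterConnection}
   * @param userName the principal receiving the permission
   * @param actions the actions to grant
   * @throws Throwable whatever the RPC layer raises
   */
  public static void grant(final Connection connection, final String userName,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, actions);
    }
  }

  /**
   * Reports whether the {@link #ACL_TABLE_NAME} table is available.
   * <p>
   * Security note: this is a table-availability probe, not a coprocessor health check. It never
   * contacts the AccessController endpoint, so it cannot tell a live, enforcing AccessController
   * from a leftover {@code acl} table on a cluster where the coprocessor has since been removed,
   * and it will report {@code false} while the table is merely unavailable (e.g. during region
   * moves). Do not treat its result as proof that authorization is (or is not) enforced.
   *
   * @param connection an open connection
   * @return {@code true} if the acl table is currently available
   * @throws MasterNotRunningException if the master cannot be reached
   * @throws ZooKeeperConnectionException if ZooKeeper cannot be reached
   * @throws IOException on other communication failures
   */
  public static boolean isAccessControllerRunning(final Connection connection)
      throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
    try (Admin admin = connection.getAdmin()) {
      return admin.isTableAvailable(ACL_TABLE_NAME);
    }
  }

  /**
   * Revokes {@code actions} from {@code username} on {@code tableName}, optionally narrowed to a
   * column family and qualifier.
   * <p>
   * How the server matches this request against existing grants is not visible here; callers
   * should pass the same family/qualifier that was used in the corresponding grant.
   *
   * @param connection an open connection; must be a {@link ClusterConnection}
   * @param tableName the table the permission applies to; also used to pick the RPC priority
   * @param username the principal losing the permission
   * @param family column family the revoke is narrowed to; passed through as-is
   * @param qualifier column qualifier the revoke is narrowed to; passed through as-is
   * @param actions the actions to revoke
   * @throws Throwable whatever the RPC layer raises
   */
  public static void revoke(final Connection connection, final TableName tableName,
      final String username, final byte[] family, final byte[] qualifier,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    controller.setPriority(tableName);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), username, tableName,
          family, qualifier, actions);
    }
  }

  /**
   * Revokes {@code actions} from {@code userName} on {@code namespace}.
   *
   * @param connection an open connection; must be a {@link ClusterConnection}
   * @param namespace the namespace the permission applies to
   * @param userName the principal losing the permission
   * @param actions the actions to revoke
   * @throws Throwable whatever the RPC layer raises
   */
  public static void revoke(final Connection connection, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), userName, namespace,
          actions);
    }
  }

  /**
   * Revokes global (cluster-wide) {@code actions} from {@code userName}.
   *
   * @param connection an open connection; must be a {@link ClusterConnection}
   * @param userName the principal losing the permission
   * @param actions the actions to revoke
   * @throws Throwable whatever the RPC layer raises
   */
  public static void revoke(final Connection connection, final String userName,
      final Permission.Action... actions) throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), userName, actions);
    }
  }

  /**
   * Lists user permissions, selecting the scope by {@code tableRegex}:
   * <ul>
   *   <li>{@code null} or empty: a single request with no table or namespace (the endpoint
   *       decides what that scope means; presumably global permissions).</li>
   *   <li>starting with {@code '@'}: the remainder is a regex matched against every namespace
   *       name returned by the master; one request per matching namespace.</li>
   *   <li>otherwise: a regex handed to {@code Admin.listTables} (system tables included); one
   *       request per matching table.</li>
   * </ul>
   * Matching is anchored (full-match, as {@code String.matches} would do), so {@code "t"} does
   * not select {@code "table"}; use {@code ".*t.*"} for substring semantics. The regex is
   * caller-supplied and evaluated on the client (namespace branch) or the master (table branch);
   * an invalid pattern raises {@link java.util.regex.PatternSyntaxException} before any RPC.
   * <p>
   * Security note: the permission entries are returned exactly as the coprocessor reports them;
   * this method only filters by name and does no authorization of its own.
   *
   * @param connection an open connection; must be a {@link ClusterConnection}
   * @param tableRegex scope selector as described above
   * @return the collected permissions, possibly empty, never {@code null}
   * @throws Throwable whatever the RPC layer raises
   */
  public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex)
      throws Throwable {
    PayloadCarryingRpcController controller = newController(connection);
    List<UserPermission> permList = new ArrayList<UserPermission>();
    try (Table table = connection.getTable(ACL_TABLE_NAME)) {
      try (Admin admin = connection.getAdmin()) {
        BlockingInterface protocol = getAccessControlServiceStub(table);
        if (tableRegex == null || tableRegex.isEmpty()) {
          permList = ProtobufUtil.getUserPermissions(controller, protocol);
        } else if (tableRegex.charAt(0) == '@') {
          // Compile once instead of once per namespace (String.matches recompiled each time);
          // matcher(..).matches() keeps the anchored full-match semantics.
          Pattern namespacePattern = Pattern.compile(tableRegex.substring(1));
          for (NamespaceDescriptor nsds : admin.listNamespaceDescriptors()) {
            String namespace = nsds.getName();
            if (namespacePattern.matcher(namespace).matches()) {
              permList.addAll(ProtobufUtil.getUserPermissions(controller, protocol,
                  Bytes.toBytes(namespace)));
            }
          }
        } else {
          // Name matching is done by the master; 'true' asks for system tables as well.
          HTableDescriptor[] htds = admin.listTables(Pattern.compile(tableRegex), true);
          for (HTableDescriptor hd : htds) {
            permList.addAll(ProtobufUtil.getUserPermissions(controller, protocol,
                hd.getTableName()));
          }
        }
      }
    }
    return permList;
  }

  /**
   * Grants {@code actions} to {@code userName} on a table using a throw-away connection.
   *
   * @deprecated Use {@link #grant(Connection, TableName, String, byte[], byte[],
   *             Permission.Action...)}; this variant builds and tears down a full cluster
   *             connection on every call.
   */
  @Deprecated
  public static void grant(Configuration conf, final TableName tableName,
      final String userName, final byte[] family, final byte[] qual,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      grant(connection, tableName, userName, family, qual, actions);
    }
  }

  /**
   * Grants {@code actions} to {@code userName} on a namespace using a throw-away connection.
   *
   * @deprecated Use {@link #grant(Connection, String, String, Permission.Action...)}; this
   *             variant builds and tears down a full cluster connection on every call.
   */
  @Deprecated
  public static void grant(Configuration conf, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      grant(connection, namespace, userName, actions);
    }
  }

  /**
   * Grants global {@code actions} to {@code userName} using a throw-away connection.
   *
   * @deprecated Use {@link #grant(Connection, String, Permission.Action...)}; this variant
   *             builds and tears down a full cluster connection on every call.
   */
  @Deprecated
  public static void grant(Configuration conf, final String userName,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      grant(connection, userName, actions);
    }
  }

  /**
   * Probes acl-table availability using a throw-away connection. See
   * {@link #isAccessControllerRunning(Connection)} for why this is not proof of enforcement.
   *
   * @deprecated Use {@link #isAccessControllerRunning(Connection)}.
   */
  @Deprecated
  public static boolean isAccessControllerRunning(Configuration conf)
      throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      return isAccessControllerRunning(connection);
    }
  }

  /**
   * Revokes {@code actions} from {@code username} on a table using a throw-away connection.
   *
   * @deprecated Use {@link #revoke(Connection, TableName, String, byte[], byte[],
   *             Permission.Action...)}; this variant builds and tears down a full cluster
   *             connection on every call.
   */
  @Deprecated
  public static void revoke(Configuration conf, final TableName tableName,
      final String username, final byte[] family, final byte[] qualifier,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      revoke(connection, tableName, username, family, qualifier, actions);
    }
  }

  /**
   * Revokes {@code actions} from {@code userName} on a namespace using a throw-away connection.
   *
   * @deprecated Use {@link #revoke(Connection, String, String, Permission.Action...)}; this
   *             variant builds and tears down a full cluster connection on every call.
   */
  @Deprecated
  public static void revoke(Configuration conf, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      revoke(connection, namespace, userName, actions);
    }
  }

  /**
   * Revokes global {@code actions} from {@code userName} using a throw-away connection.
   *
   * @deprecated Use {@link #revoke(Connection, String, Permission.Action...)}; this variant
   *             builds and tears down a full cluster connection on every call.
   */
  @Deprecated
  public static void revoke(Configuration conf, final String userName,
      final Permission.Action... actions) throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      revoke(connection, userName, actions);
    }
  }

  /**
   * Lists user permissions using a throw-away connection; see
   * {@link #getUserPermissions(Connection, String)} for the {@code tableRegex} rules.
   *
   * @deprecated Use {@link #getUserPermissions(Connection, String)}; this variant builds and
   *             tears down a full cluster connection on every call.
   */
  @Deprecated
  public static List<UserPermission> getUserPermissions(Configuration conf, String tableRegex)
      throws Throwable {
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      return getUserPermissions(connection, tableRegex);
    }
  }
}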