View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.access;
19  
20  import java.io.IOException;
21  import java.util.ArrayList;
22  import java.util.List;
23  import java.util.regex.Pattern;
24  
25  import org.apache.hadoop.conf.Configuration;
26  import org.apache.hadoop.hbase.HConstants;
27  import org.apache.hadoop.hbase.HTableDescriptor;
28  import org.apache.hadoop.hbase.MasterNotRunningException;
29  import org.apache.hadoop.hbase.NamespaceDescriptor;
30  import org.apache.hadoop.hbase.TableName;
31  import org.apache.hadoop.hbase.ZooKeeperConnectionException;
32  import org.apache.hadoop.hbase.classification.InterfaceAudience;
33  import org.apache.hadoop.hbase.classification.InterfaceStability;
34  import org.apache.hadoop.hbase.client.Admin;
35  import org.apache.hadoop.hbase.client.ClusterConnection;
36  import org.apache.hadoop.hbase.client.Connection;
37  import org.apache.hadoop.hbase.client.ConnectionFactory;
38  import org.apache.hadoop.hbase.client.Table;
39  import org.apache.hadoop.hbase.client.security.SecurityCapability;
40  import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
41  import org.apache.hadoop.hbase.ipc.PayloadCarryingRpcController;
42  import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
43  import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
44  import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingInterface;
45  import org.apache.hadoop.hbase.util.Bytes;
46  
47  /**
48   * Utility client for doing access control admin operations.
49   */
50  @InterfaceAudience.Public
51  @InterfaceStability.Evolving
52  public class AccessControlClient {
53    public static final TableName ACL_TABLE_NAME =
54        TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
55  
56    /**
57     * Return true if authorization is supported and enabled
58     * @param connection The connection to use
59     * @return true if authorization is supported and enabled, false otherwise
60     * @throws IOException
61     */
62    public static boolean isAuthorizationEnabled(Connection connection) throws IOException {
63      return connection.getAdmin().getSecurityCapabilities()
64          .contains(SecurityCapability.AUTHORIZATION);
65    }
66  
67    /**
68     * Return true if cell authorization is supported and enabled
69     * @param connection The connection to use
70     * @return true if cell authorization is supported and enabled, false otherwise
71     * @throws IOException
72     */
73    public static boolean isCellAuthorizationEnabled(Connection connection) throws IOException {
74      return connection.getAdmin().getSecurityCapabilities()
75          .contains(SecurityCapability.CELL_AUTHORIZATION);
76    }
77  
78    private static BlockingInterface getAccessControlServiceStub(Table ht)
79        throws IOException {
80      CoprocessorRpcChannel service = ht.coprocessorService(HConstants.EMPTY_START_ROW);
81      BlockingInterface protocol =
82          AccessControlProtos.AccessControlService.newBlockingStub(service);
83      return protocol;
84    }
85  
86    /**
87     * Grants permission on the specified table for the specified user
88     * @param connection The Connection instance to use
89     * @param tableName
90     * @param userName
91     * @param family
92     * @param qual
93     * @param actions
94     * @throws Throwable
95     */
96    public static void grant(final Connection connection, final TableName tableName,
97        final String userName, final byte[] family, final byte[] qual,
98        final Permission.Action... actions) throws Throwable {
99      PayloadCarryingRpcController controller
100       = ((ClusterConnection) connection).getRpcControllerFactory().newController();
101     controller.setPriority(tableName);
102     try (Table table = connection.getTable(ACL_TABLE_NAME)) {
103       ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, tableName,
104         family, qual, actions);
105     }
106   }
107 
108   /**
109    * Grants permission on the specified namespace for the specified user.
110    * @param connection The Connection instance to use
111    * @param namespace
112    * @param userName
113    * @param actions
114    * @throws Throwable
115    */
116   public static void grant(final Connection connection, final String namespace,
117       final String userName, final Permission.Action... actions) throws Throwable {
118     PayloadCarryingRpcController controller
119       = ((ClusterConnection) connection).getRpcControllerFactory().newController();
120 
121     try (Table table = connection.getTable(ACL_TABLE_NAME)) {
122       ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, namespace,
123         actions);
124     }
125   }
126 
127   /**
128    * @param connection The Connection instance to use
129    * Grant global permissions for the specified user.
130    */
131   public static void grant(final Connection connection, final String userName,
132        final Permission.Action... actions) throws Throwable {
133     PayloadCarryingRpcController controller
134       = ((ClusterConnection) connection).getRpcControllerFactory().newController();
135     try (Table table = connection.getTable(ACL_TABLE_NAME)) {
136       ProtobufUtil.grant(controller, getAccessControlServiceStub(table), userName, actions);
137     }
138   }
139 
140   public static boolean isAccessControllerRunning(final Connection connection)
141       throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
142     try (Admin admin = connection.getAdmin()) {
143       return admin.isTableAvailable(ACL_TABLE_NAME);
144     }
145   }
146 
147   /**
148    * Revokes the permission on the table
149    * @param connection The Connection instance to use
150    * @param tableName
151    * @param username
152    * @param family
153    * @param qualifier
154    * @param actions
155    * @throws Throwable
156    */
157   public static void revoke(final Connection connection, final TableName tableName,
158       final String username, final byte[] family, final byte[] qualifier,
159       final Permission.Action... actions) throws Throwable {
160     PayloadCarryingRpcController controller
161       = ((ClusterConnection) connection).getRpcControllerFactory().newController();
162     controller.setPriority(tableName);
163     try (Table table = connection.getTable(ACL_TABLE_NAME)) {
164       ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), username, tableName,
165         family, qualifier, actions);
166     }
167   }
168 
169   /**
170    * Revokes the permission on the table for the specified user.
171    * @param connection The Connection instance to use
172    * @param namespace
173    * @param userName
174    * @param actions
175    * @throws Throwable
176    */
177   public static void revoke(final Connection connection, final String namespace,
178       final String userName, final Permission.Action... actions) throws Throwable {
179     PayloadCarryingRpcController controller
180       = ((ClusterConnection) connection).getRpcControllerFactory().newController();
181     try (Table table = connection.getTable(ACL_TABLE_NAME)) {
182       ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), userName, namespace,
183         actions);
184     }
185   }
186 
187   /**
188    * Revoke global permissions for the specified user.
189    * @param connection The Connection instance to use
190    */
191   public static void revoke(final Connection connection, final String userName,
192       final Permission.Action... actions) throws Throwable {
193     PayloadCarryingRpcController controller
194       = ((ClusterConnection) connection).getRpcControllerFactory().newController();
195     try (Table table = connection.getTable(ACL_TABLE_NAME)) {
196       ProtobufUtil.revoke(controller, getAccessControlServiceStub(table), userName, actions);
197     }
198   }
199 
200   /**
201    * List all the userPermissions matching the given pattern.
202    * @param connection The Connection instance to use
203    * @param tableRegex The regular expression string to match against
204    * @return - returns an array of UserPermissions
205    * @throws Throwable
206    */
207   public static List<UserPermission> getUserPermissions(Connection connection, String tableRegex)
208       throws Throwable {
209     PayloadCarryingRpcController controller
210       = ((ClusterConnection) connection).getRpcControllerFactory().newController();
211     List<UserPermission> permList = new ArrayList<UserPermission>();
212     try (Table table = connection.getTable(ACL_TABLE_NAME)) {
213       try (Admin admin = connection.getAdmin()) {
214         CoprocessorRpcChannel service = table.coprocessorService(HConstants.EMPTY_START_ROW);
215         BlockingInterface protocol =
216             AccessControlProtos.AccessControlService.newBlockingStub(service);
217         HTableDescriptor[] htds = null;
218         if (tableRegex == null || tableRegex.isEmpty()) {
219           permList = ProtobufUtil.getUserPermissions(controller, protocol);
220         } else if (tableRegex.charAt(0) == '@') {
221           String namespace = tableRegex.substring(1);
222           permList = ProtobufUtil.getUserPermissions(controller, protocol,
223             Bytes.toBytes(namespace));
224         } else {
225           htds = admin.listTables(Pattern.compile(tableRegex), true);
226           for (HTableDescriptor hd : htds) {
227             permList.addAll(ProtobufUtil.getUserPermissions(controller, protocol,
228               hd.getTableName()));
229           }
230         }
231       }
232     }
233     return permList;
234   }
235 
236   /**
237    * Grants permission on the specified table for the specified user
238    * @param conf
239    * @param tableName
240    * @param userName
241    * @param family
242    * @param qual
243    * @param actions
244    * @throws Throwable
245    * @deprecated Use {@link #grant(Connection, TableName, String, byte[], byte[],
246    * Permission.Action...)} instead.
247    */
248   @Deprecated
249   public static void grant(Configuration conf, final TableName tableName,
250       final String userName, final byte[] family, final byte[] qual,
251       final Permission.Action... actions) throws Throwable {
252     try (Connection connection = ConnectionFactory.createConnection(conf)) {
253       grant(connection, tableName, userName, family, qual, actions);
254     }
255   }
256 
257   /**
258    * Grants permission on the specified namespace for the specified user.
259    * @param conf
260    * @param namespace
261    * @param userName
262    * @param actions
263    * @throws Throwable
264    * @deprecated Use {@link #grant(Connection, String, String, Permission.Action...)}
265    * instead.
266    */
267   @Deprecated
268   public static void grant(Configuration conf, final String namespace,
269       final String userName, final Permission.Action... actions) throws Throwable {
270     try (Connection connection = ConnectionFactory.createConnection(conf)) {
271       grant(connection, namespace, userName, actions);
272     }
273   }
274 
275   /**
276    * Grant global permissions for the specified user.
277    * @deprecated Use {@link #grant(Connection, String, Permission.Action...)} instead.
278    */
279   @Deprecated
280   public static void grant(Configuration conf, final String userName,
281       final Permission.Action... actions) throws Throwable {
282     try (Connection connection = ConnectionFactory.createConnection(conf)) {
283       grant(connection, userName, actions);
284     }
285   }
286 
287   /**
288    * @deprecated Use {@link #isAccessControllerRunning(Connection)} instead.
289    */
290   @Deprecated
291   public static boolean isAccessControllerRunning(Configuration conf)
292       throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
293     try (Connection connection = ConnectionFactory.createConnection(conf)) {
294       return isAccessControllerRunning(connection);
295     }
296   }
297 
298   /**
299    * Revokes the permission on the table
300    * @param conf
301    * @param tableName
302    * @param username
303    * @param family
304    * @param qualifier
305    * @param actions
306    * @throws Throwable
307    * @deprecated Use {@link #revoke(Connection, TableName, String, byte[], byte[],
308    * Permission.Action...)} instead.
309    */
310   @Deprecated
311   public static void revoke(Configuration conf, final TableName tableName,
312       final String username, final byte[] family, final byte[] qualifier,
313       final Permission.Action... actions) throws Throwable {
314     try (Connection connection = ConnectionFactory.createConnection(conf)) {
315       revoke(connection, tableName, username, family, qualifier, actions);
316     }
317   }
318 
319   /**
320    * Revokes the permission on the table for the specified user.
321    * @param conf
322    * @param namespace
323    * @param userName
324    * @param actions
325    * @throws Throwable
326    * @deprecated Use {@link #revoke(Connection, String, String, Permission.Action...)} instead.
327    */
328   @Deprecated
329   public static void revoke(Configuration conf, final String namespace,
330       final String userName, final Permission.Action... actions) throws Throwable {
331     try (Connection connection = ConnectionFactory.createConnection(conf)) {
332       revoke(connection, namespace, userName, actions);
333     }
334   }
335 
336   /**
337    * Revoke global permissions for the specified user.
338    * @deprecated Use {@link #revoke(Connection, String, Permission.Action...)} instead.
339    */
340   @Deprecated
341   public static void revoke(Configuration conf, final String userName,
342       final Permission.Action... actions) throws Throwable {
343     try (Connection connection = ConnectionFactory.createConnection(conf)) {
344       revoke(connection, userName, actions);
345     }
346   }
347 
348   /**
349    * List all the userPermissions matching the given pattern.
350    * @param conf
351    * @param tableRegex The regular expression string to match against
352    * @return - returns an array of UserPermissions
353    * @throws Throwable
354    * @deprecated Use {@link #getUserPermissions(Connection, String)} instead.
355    */
356   @Deprecated
357   public static List<UserPermission> getUserPermissions(Configuration conf, String tableRegex)
358   throws Throwable {
359     try (Connection connection = ConnectionFactory.createConnection(conf)) {
360       return getUserPermissions(connection, tableRegex);
361     }
362   }
363 }