1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.hadoop.hbase.security.access;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.DataInput;
23 import java.io.DataInputStream;
24 import java.io.IOException;
25 import java.util.ArrayList;
26 import java.util.Arrays;
27 import java.util.List;
28 import java.util.Map;
29 import java.util.Set;
30 import java.util.TreeMap;
31 import java.util.TreeSet;
32
33 import org.apache.commons.logging.Log;
34 import org.apache.commons.logging.LogFactory;
35 import org.apache.hadoop.conf.Configuration;
36 import org.apache.hadoop.hbase.Cell;
37 import org.apache.hadoop.hbase.CellUtil;
38 import org.apache.hadoop.hbase.HColumnDescriptor;
39 import org.apache.hadoop.hbase.HConstants;
40 import org.apache.hadoop.hbase.HTableDescriptor;
41 import org.apache.hadoop.hbase.KeyValue;
42 import org.apache.hadoop.hbase.NamespaceDescriptor;
43 import org.apache.hadoop.hbase.TableName;
44 import org.apache.hadoop.hbase.catalog.MetaReader;
45 import org.apache.hadoop.hbase.client.Delete;
46 import org.apache.hadoop.hbase.client.Get;
47 import org.apache.hadoop.hbase.client.HTable;
48 import org.apache.hadoop.hbase.client.Put;
49 import org.apache.hadoop.hbase.client.Result;
50 import org.apache.hadoop.hbase.client.ResultScanner;
51 import org.apache.hadoop.hbase.client.Scan;
52 import org.apache.hadoop.hbase.exceptions.DeserializationException;
53 import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
54 import org.apache.hadoop.hbase.filter.QualifierFilter;
55 import org.apache.hadoop.hbase.filter.RegexStringComparator;
56 import org.apache.hadoop.hbase.io.compress.Compression;
57 import org.apache.hadoop.hbase.master.MasterServices;
58 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
59 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
60 import org.apache.hadoop.hbase.regionserver.BloomType;
61 import org.apache.hadoop.hbase.regionserver.HRegion;
62 import org.apache.hadoop.hbase.regionserver.InternalScanner;
63 import org.apache.hadoop.hbase.util.Bytes;
64 import org.apache.hadoop.hbase.util.Pair;
65 import org.apache.hadoop.io.Text;
66
67 import com.google.common.collect.ArrayListMultimap;
68 import com.google.common.collect.ListMultimap;
69 import com.google.protobuf.InvalidProtocolBufferException;
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94 public class AccessControlLists {
95
96 public static final TableName ACL_TABLE_NAME =
97 TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
98 public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
99
100 public static final String ACL_LIST_FAMILY_STR = "l";
101 public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
102
103 public static final char NAMESPACE_PREFIX = '@';
104
105
106 public static final HTableDescriptor ACL_TABLEDESC = new HTableDescriptor(ACL_TABLE_NAME);
107 static {
108 ACL_TABLEDESC.addFamily(
109 new HColumnDescriptor(ACL_LIST_FAMILY,
110 10,
111 Compression.Algorithm.NONE.getName(), true, true, 8 * 1024,
112 HConstants.FOREVER, BloomType.NONE.toString(),
113 HConstants.REPLICATION_SCOPE_LOCAL));
114 }
115
116
117
118
119 public static final char ACL_KEY_DELIMITER = ',';
120
121 public static final String GROUP_PREFIX = "@";
122
123 public static final String SUPERUSER_CONF_KEY = "hbase.superuser";
124
125 private static Log LOG = LogFactory.getLog(AccessControlLists.class);
126
127
128
129
130
131 static void init(MasterServices master) throws IOException {
132 if (!MetaReader.tableExists(master.getCatalogTracker(), ACL_TABLE_NAME)) {
133 master.createTable(ACL_TABLEDESC, null);
134 }
135 }
136
137
138
139
140
141
142
143 static void addUserPermission(Configuration conf, UserPermission userPerm)
144 throws IOException {
145 Permission.Action[] actions = userPerm.getActions();
146 byte[] rowKey = userPermissionRowKey(userPerm);
147 Put p = new Put(rowKey);
148 byte[] key = userPermissionKey(userPerm);
149
150 if ((actions == null) || (actions.length == 0)) {
151 String msg = "No actions associated with user '" + Bytes.toString(userPerm.getUser()) + "'";
152 LOG.warn(msg);
153 throw new IOException(msg);
154 }
155
156 byte[] value = new byte[actions.length];
157 for (int i = 0; i < actions.length; i++) {
158 value[i] = actions[i].code();
159 }
160 p.addImmutable(ACL_LIST_FAMILY, key, value);
161 if (LOG.isDebugEnabled()) {
162 LOG.debug("Writing permission with rowKey "+
163 Bytes.toString(rowKey)+" "+
164 Bytes.toString(key)+": "+Bytes.toStringBinary(value)
165 );
166 }
167 HTable acls = null;
168 try {
169 acls = new HTable(conf, ACL_TABLE_NAME);
170 acls.put(p);
171 } finally {
172 if (acls != null) acls.close();
173 }
174 }
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189 static void removeUserPermission(Configuration conf, UserPermission userPerm)
190 throws IOException {
191 Delete d = new Delete(userPermissionRowKey(userPerm));
192 byte[] key = userPermissionKey(userPerm);
193
194 if (LOG.isDebugEnabled()) {
195 LOG.debug("Removing permission "+ userPerm.toString());
196 }
197 d.deleteColumns(ACL_LIST_FAMILY, key);
198 HTable acls = null;
199 try {
200 acls = new HTable(conf, ACL_TABLE_NAME);
201 acls.delete(d);
202 } finally {
203 if (acls != null) acls.close();
204 }
205 }
206
207
208
209
210 static void removeTablePermissions(Configuration conf, TableName tableName)
211 throws IOException{
212 Delete d = new Delete(tableName.getName());
213
214 if (LOG.isDebugEnabled()) {
215 LOG.debug("Removing permissions of removed table "+ tableName);
216 }
217
218 HTable acls = null;
219 try {
220 acls = new HTable(conf, ACL_TABLE_NAME);
221 acls.delete(d);
222 } finally {
223 if (acls != null) acls.close();
224 }
225 }
226
227
228
229
230 static void removeNamespacePermissions(Configuration conf, String namespace)
231 throws IOException{
232 Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
233
234 if (LOG.isDebugEnabled()) {
235 LOG.debug("Removing permissions of removed namespace "+ namespace);
236 }
237
238 HTable acls = null;
239 try {
240 acls = new HTable(conf, ACL_TABLE_NAME);
241 acls.delete(d);
242 } finally {
243 if (acls != null) acls.close();
244 }
245 }
246
247
248
249
250 static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column)
251 throws IOException{
252
253 if (LOG.isDebugEnabled()) {
254 LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
255 " from table "+ tableName);
256 }
257
258 HTable acls = null;
259 try {
260 acls = new HTable(conf, ACL_TABLE_NAME);
261
262 Scan scan = new Scan();
263 scan.addFamily(ACL_LIST_FAMILY);
264
265 String columnName = Bytes.toString(column);
266 scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator(
267 String.format("(%s%s%s)|(%s%s)$",
268 ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
269 ACL_KEY_DELIMITER, columnName))));
270
271 Set<byte[]> qualifierSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
272 ResultScanner scanner = acls.getScanner(scan);
273 try {
274 for (Result res : scanner) {
275 for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
276 qualifierSet.add(q);
277 }
278 }
279 } finally {
280 scanner.close();
281 }
282
283 if (qualifierSet.size() > 0) {
284 Delete d = new Delete(tableName.getName());
285 for (byte[] qualifier : qualifierSet) {
286 d.deleteColumns(ACL_LIST_FAMILY, qualifier);
287 }
288 acls.delete(d);
289 }
290 } finally {
291 if (acls != null) acls.close();
292 }
293 }
294
295 static byte[] userPermissionRowKey(UserPermission userPerm) {
296 byte[] row;
297 if(userPerm.hasNamespace()) {
298 row = Bytes.toBytes(toNamespaceEntry(userPerm.getNamespace()));
299 } else if(userPerm.isGlobal()) {
300 row = ACL_GLOBAL_NAME;
301 } else {
302 row = userPerm.getTableName().getName();
303 }
304 return row;
305 }
306
307
308
309
310
311
312
313 static byte[] userPermissionKey(UserPermission userPerm) {
314 byte[] qualifier = userPerm.getQualifier();
315 byte[] family = userPerm.getFamily();
316 byte[] key = userPerm.getUser();
317
318 if (family != null && family.length > 0) {
319 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
320 if (qualifier != null && qualifier.length > 0) {
321 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
322 }
323 }
324
325 return key;
326 }
327
328
329
330
331
332 static boolean isAclRegion(HRegion region) {
333 return ACL_TABLE_NAME.equals(region.getTableDesc().getTableName());
334 }
335
336
337
338
339 static boolean isAclTable(HTableDescriptor desc) {
340 return ACL_TABLE_NAME.equals(desc.getTableName());
341 }
342
343
344
345
346
347
348
349
350
351 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
352 HRegion aclRegion)
353 throws IOException {
354
355 if (!isAclRegion(aclRegion)) {
356 throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
357 }
358
359 Map<byte[], ListMultimap<String, TablePermission>> allPerms =
360 new TreeMap<byte[], ListMultimap<String, TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
361
362
363
364 Scan scan = new Scan();
365 scan.addFamily(ACL_LIST_FAMILY);
366
367 InternalScanner iScanner = null;
368 try {
369 iScanner = aclRegion.getScanner(scan);
370
371 while (true) {
372 List<Cell> row = new ArrayList<Cell>();
373
374 boolean hasNext = iScanner.next(row);
375 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
376 byte[] entry = null;
377 for (Cell kv : row) {
378 if (entry == null) {
379 entry = CellUtil.cloneRow(kv);
380 }
381 Pair<String,TablePermission> permissionsOfUserOnTable =
382 parsePermissionRecord(entry, kv);
383 if (permissionsOfUserOnTable != null) {
384 String username = permissionsOfUserOnTable.getFirst();
385 TablePermission permissions = permissionsOfUserOnTable.getSecond();
386 perms.put(username, permissions);
387 }
388 }
389 if (entry != null) {
390 allPerms.put(entry, perms);
391 }
392 if (!hasNext) {
393 break;
394 }
395 }
396 } finally {
397 if (iScanner != null) {
398 iScanner.close();
399 }
400 }
401
402 return allPerms;
403 }
404
405
406
407
408
409 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
410 Configuration conf) throws IOException {
411 Map<byte[], ListMultimap<String,TablePermission>> allPerms =
412 new TreeMap<byte[], ListMultimap<String,TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
413
414
415
416 Scan scan = new Scan();
417 scan.addFamily(ACL_LIST_FAMILY);
418
419 HTable acls = null;
420 ResultScanner scanner = null;
421 try {
422 acls = new HTable(conf, ACL_TABLE_NAME);
423 scanner = acls.getScanner(scan);
424 for (Result row : scanner) {
425 ListMultimap<String,TablePermission> resultPerms =
426 parsePermissions(row.getRow(), row);
427 allPerms.put(row.getRow(), resultPerms);
428 }
429 } finally {
430 if (scanner != null) scanner.close();
431 if (acls != null) acls.close();
432 }
433
434 return allPerms;
435 }
436
437 static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
438 TableName tableName) throws IOException {
439 return getPermissions(conf, tableName != null ? tableName.getName() : null);
440 }
441
442 static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
443 String namespace) throws IOException {
444 return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
445 }
446
447
448
449
450
451
452
453
454
455
456 static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
457 byte[] entryName) throws IOException {
458 if (entryName == null) entryName = ACL_TABLE_NAME.getName();
459
460
461 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
462 HTable acls = null;
463 try {
464 acls = new HTable(conf, ACL_TABLE_NAME);
465 Get get = new Get(entryName);
466 get.addFamily(ACL_LIST_FAMILY);
467 Result row = acls.get(get);
468 if (!row.isEmpty()) {
469 perms = parsePermissions(entryName, row);
470 } else {
471 LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
472 + Bytes.toString(entryName));
473 }
474 } finally {
475 if (acls != null) acls.close();
476 }
477
478 return perms;
479 }
480
481
482
483
484
485 static List<UserPermission> getUserTablePermissions(
486 Configuration conf, TableName tableName) throws IOException {
487 return getUserPermissions(conf, tableName == null ? null : tableName.getName());
488 }
489
490 static List<UserPermission> getUserNamespacePermissions(
491 Configuration conf, String namespace) throws IOException {
492 return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
493 }
494
495 static List<UserPermission> getUserPermissions(
496 Configuration conf, byte[] entryName)
497 throws IOException {
498 ListMultimap<String,TablePermission> allPerms = getPermissions(
499 conf, entryName);
500
501 List<UserPermission> perms = new ArrayList<UserPermission>();
502
503 for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
504 UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
505 entry.getValue().getTableName(), entry.getValue().getFamily(),
506 entry.getValue().getQualifier(), entry.getValue().getActions());
507 perms.add(up);
508 }
509 return perms;
510 }
511
512 private static ListMultimap<String, TablePermission> parsePermissions(
513 byte[] entryName, Result result) {
514 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
515 if (result != null && result.size() > 0) {
516 for (Cell kv : result.rawCells()) {
517
518 Pair<String,TablePermission> permissionsOfUserOnTable =
519 parsePermissionRecord(entryName, kv);
520
521 if (permissionsOfUserOnTable != null) {
522 String username = permissionsOfUserOnTable.getFirst();
523 TablePermission permissions = permissionsOfUserOnTable.getSecond();
524 perms.put(username, permissions);
525 }
526 }
527 }
528 return perms;
529 }
530
531 private static Pair<String, TablePermission> parsePermissionRecord(
532 byte[] entryName, Cell kv) {
533
534 byte[] family = CellUtil.cloneFamily(kv);
535
536 if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
537 return null;
538 }
539
540 byte[] key = CellUtil.cloneQualifier(kv);
541 byte[] value = CellUtil.cloneValue(kv);
542 if (LOG.isDebugEnabled()) {
543 LOG.debug("Read acl: kv ["+
544 Bytes.toStringBinary(key)+": "+
545 Bytes.toStringBinary(value)+"]");
546 }
547
548
549
550 String username = Bytes.toString(key);
551
552
553 if(isNamespaceEntry(entryName)) {
554 return new Pair<String, TablePermission>(username,
555 new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
556 }
557
558
559
560 int idx = username.indexOf(ACL_KEY_DELIMITER);
561 byte[] permFamily = null;
562 byte[] permQualifier = null;
563 if (idx > 0 && idx < username.length()-1) {
564 String remainder = username.substring(idx+1);
565 username = username.substring(0, idx);
566 idx = remainder.indexOf(ACL_KEY_DELIMITER);
567 if (idx > 0 && idx < remainder.length()-1) {
568 permFamily = Bytes.toBytes(remainder.substring(0, idx));
569 permQualifier = Bytes.toBytes(remainder.substring(idx+1));
570 } else {
571 permFamily = Bytes.toBytes(remainder);
572 }
573 }
574
575 return new Pair<String,TablePermission>(username,
576 new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
577 }
578
579
580
581
582
583
584
585 public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
586 Configuration conf) {
587 return ProtobufUtil.prependPBMagic(ProtobufUtil.toUserTablePermissions(perms).toByteArray());
588 }
589
590
591
592
593
594 public static ListMultimap<String, TablePermission> readPermissions(byte[] data,
595 Configuration conf)
596 throws DeserializationException {
597 if (ProtobufUtil.isPBMagicPrefix(data)) {
598 int pblen = ProtobufUtil.lengthOfPBMagic();
599 try {
600 AccessControlProtos.UsersAndPermissions perms =
601 AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
602 data, pblen, data.length - pblen).build();
603 return ProtobufUtil.toUserTablePermissions(perms);
604 } catch (InvalidProtocolBufferException e) {
605 throw new DeserializationException(e);
606 }
607 } else {
608 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
609 try {
610 DataInput in = new DataInputStream(new ByteArrayInputStream(data));
611 int length = in.readInt();
612 for (int i=0; i<length; i++) {
613 String user = Text.readString(in);
614 List<TablePermission> userPerms =
615 (List)HbaseObjectWritableFor96Migration.readObject(in, conf);
616 perms.putAll(user, userPerms);
617 }
618 } catch (IOException e) {
619 throw new DeserializationException(e);
620 }
621 return perms;
622 }
623 }
624
625
626
627
628
629
630 public static boolean isGroupPrincipal(String name) {
631 return name != null && name.startsWith(GROUP_PREFIX);
632 }
633
634
635
636
637
638 public static String getGroupName(String aclKey) {
639 if (!isGroupPrincipal(aclKey)) {
640 return aclKey;
641 }
642
643 return aclKey.substring(GROUP_PREFIX.length());
644 }
645
646 public static boolean isNamespaceEntry(String entryName) {
647 return entryName.charAt(0) == NAMESPACE_PREFIX;
648 }
649
650 public static boolean isNamespaceEntry(byte[] entryName) {
651 return entryName[0] == NAMESPACE_PREFIX;
652 }
653
654 public static String toNamespaceEntry(String namespace) {
655 return NAMESPACE_PREFIX + namespace;
656 }
657
658 public static String fromNamespaceEntry(String namespace) {
659 if(namespace.charAt(0) != NAMESPACE_PREFIX)
660 throw new IllegalArgumentException("Argument is not a valid namespace entry");
661 return namespace.substring(1);
662 }
663
664 public static byte[] toNamespaceEntry(byte[] namespace) {
665 byte[] ret = new byte[namespace.length+1];
666 ret[0] = NAMESPACE_PREFIX;
667 System.arraycopy(namespace, 0, ret, 1, namespace.length);
668 return ret;
669 }
670
671 public static byte[] fromNamespaceEntry(byte[] namespace) {
672 if(namespace[0] != NAMESPACE_PREFIX) {
673 throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
674 Bytes.toString(namespace));
675 }
676 return Arrays.copyOfRange(namespace, 1, namespace.length);
677 }
678 }