18 package org.apache.hadoop.hbase.security.access;
19
20 import java.io.IOException;
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.regex.Pattern;
24
25 import org.apache.hadoop.conf.Configuration;
26 import org.apache.hadoop.hbase.HConstants;
27 import org.apache.hadoop.hbase.HTableDescriptor;
28 import org.apache.hadoop.hbase.MasterNotRunningException;
29 import org.apache.hadoop.hbase.NamespaceDescriptor;
30 import org.apache.hadoop.hbase.TableName;
31 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
32 import org.apache.hadoop.hbase.classification.InterfaceAudience;
33 import org.apache.hadoop.hbase.classification.InterfaceStability;
34 import org.apache.hadoop.hbase.client.HBaseAdmin;
35 import org.apache.hadoop.hbase.client.HTable;
36 import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
37 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
38 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
39 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingInterface;
40 import org.apache.hadoop.hbase.util.Bytes;
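/**
 * Client-side entry point for granting, revoking and listing HBase access-control permissions.
 *
 * <p>Every operation opens the ACL system table ({@link #ACL_TABLE_NAME}) and issues a
 * blocking coprocessor RPC to the {@code AccessControlService} endpoint reachable through the
 * region that holds {@code HConstants.EMPTY_START_ROW} of that table. The table connection is
 * always closed before the method returns, whether or not the RPC succeeded.
 *
 * <p>This class performs no authorization checks of its own; it only forwards requests.
 * NOTE(review): any enforcement of who may grant or revoke presumably happens in the
 * server-side endpoint — confirm against the AccessController implementation.
 *
 * <p>The mutating methods declare {@code throws Throwable} because the underlying
 * {@link ProtobufUtil} RPC helpers do; callers should expect the RPC layer's own exception
 * types rather than a narrowed contract.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public class AccessControlClient {
  /** Name of the system table ({@code hbase:acl}) that backs the access-control endpoint. */
  public static final TableName ACL_TABLE_NAME =
      TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");

  /**
   * Opens a connection to the ACL table. The caller owns the returned table and must close it.
   *
   * @param conf cluster configuration used to locate the table
   * @return an open {@link HTable} for {@link #ACL_TABLE_NAME}
   * @throws IOException if the table cannot be opened
   */
  private static HTable getAclTable(Configuration conf) throws IOException {
    return new HTable(conf, ACL_TABLE_NAME);
  }

  /**
   * Builds a blocking stub for the access-control coprocessor endpoint.
   *
   * <p>The channel is bound to the region containing the empty start row, i.e. the first region
   * of the ACL table; the stub stays valid only as long as {@code ht} is open.
   *
   * @param ht open ACL table used as the RPC channel
   * @return a blocking {@code AccessControlService} stub
   * @throws IOException if the coprocessor channel cannot be created
   */
  private static BlockingInterface getAccessControlServiceStub(HTable ht)
      throws IOException {
    CoprocessorRpcChannel service = ht.coprocessorService(HConstants.EMPTY_START_ROW);
    return AccessControlProtos.AccessControlService.newBlockingStub(service);
  }

  /**
   * Grants table-scoped permissions to a user.
   *
   * <p>The {@code family} and {@code qual} arguments are forwarded unchanged to
   * {@link ProtobufUtil#grant}; their interpretation (including {@code null}) is defined there.
   *
   * @param conf cluster configuration
   * @param tableName table the permissions apply to
   * @param userName user receiving the permissions
   * @param family column family, forwarded as given
   * @param qual column qualifier, forwarded as given
   * @param actions permission actions to grant
   * @throws Throwable if the RPC fails; propagated from the RPC layer
   */
  public static void grant(Configuration conf, final TableName tableName,
      final String userName, final byte[] family, final byte[] qual,
      final Permission.Action... actions) throws Throwable {
    HTable ht = null;
    try {
      ht = getAclTable(conf);
      ProtobufUtil.grant(getAccessControlServiceStub(ht), userName, tableName, family, qual,
          actions);
    } finally {
      // Release the table connection even when the RPC threw.
      if (ht != null) {
        ht.close();
      }
    }
  }

  /**
   * Grants namespace-scoped permissions to a user.
   *
   * @param conf cluster configuration
   * @param namespace namespace the permissions apply to
   * @param userName user receiving the permissions
   * @param actions permission actions to grant
   * @throws Throwable if the RPC fails; propagated from the RPC layer
   */
  public static void grant(Configuration conf, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    HTable ht = null;
    try {
      ht = getAclTable(conf);
      ProtobufUtil.grant(getAccessControlServiceStub(ht), userName, namespace, actions);
    } finally {
      if (ht != null) {
        ht.close();
      }
    }
  }

  /**
   * Reports whether the access controller appears to be running.
   *
   * <p>The check is indirect: it asks the master whether {@link #ACL_TABLE_NAME} is available.
   * NOTE(review): this does not verify that the AccessController coprocessor is actually loaded
   * on the region servers — only that its backing table exists and is reachable.
   *
   * @param conf cluster configuration
   * @return {@code true} if the ACL table is reported available by the master
   * @throws MasterNotRunningException if the master cannot be contacted
   * @throws ZooKeeperConnectionException if ZooKeeper cannot be contacted
   * @throws IOException on other communication failures
   */
  public static boolean isAccessControllerRunning(Configuration conf)
      throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
    HBaseAdmin ha = null;
    try {
      ha = new HBaseAdmin(conf);
      return ha.isTableAvailable(ACL_TABLE_NAME);
    } finally {
      if (ha != null) {
        ha.close();
      }
    }
  }

  /**
   * Revokes table-scoped permissions from a user.
   *
   * <p>The {@code family} and {@code qualifier} arguments are forwarded unchanged to
   * {@link ProtobufUtil#revoke}; their interpretation (including {@code null}) is defined there.
   *
   * @param conf cluster configuration
   * @param tableName table the permissions apply to
   * @param username user losing the permissions
   * @param family column family, forwarded as given
   * @param qualifier column qualifier, forwarded as given
   * @param actions permission actions to revoke
   * @throws Throwable if the RPC fails; propagated from the RPC layer
   */
  public static void revoke(Configuration conf, final TableName tableName,
      final String username, final byte[] family, final byte[] qualifier,
      final Permission.Action... actions) throws Throwable {
    HTable ht = null;
    try {
      ht = getAclTable(conf);
      ProtobufUtil.revoke(getAccessControlServiceStub(ht), username, tableName, family, qualifier,
          actions);
    } finally {
      if (ht != null) {
        ht.close();
      }
    }
  }

  /**
   * Revokes namespace-scoped permissions from a user.
   *
   * @param conf cluster configuration
   * @param namespace namespace the permissions apply to
   * @param userName user losing the permissions
   * @param actions permission actions to revoke
   * @throws Throwable if the RPC fails; propagated from the RPC layer
   */
  public static void revoke(Configuration conf, final String namespace,
      final String userName, final Permission.Action... actions) throws Throwable {
    HTable ht = null;
    try {
      ht = getAclTable(conf);
      ProtobufUtil.revoke(getAccessControlServiceStub(ht), userName, namespace, actions);
    } finally {
      if (ht != null) {
        ht.close();
      }
    }
  }

  /**
   * Lists user permissions at global, namespace or table scope depending on {@code tableRegex}.
   *
   * <ul>
   *   <li>{@code null} or empty: global permissions.</li>
   *   <li>Leading {@code '@'}: permissions on the namespace named by the remainder of the
   *       string (a bare {@code "@"} therefore queries the empty namespace name).</li>
   *   <li>Anything else: compiled as a {@link Pattern}; permissions of every table whose name
   *       the master matches against it are concatenated, in the order the master lists them.</li>
   * </ul>
   *
   * <p>The regex is compiled exactly as supplied; no escaping or anchoring is applied. An admin
   * connection is opened only for the table-pattern case, since the other two scopes do not
   * need the master.
   *
   * @param conf cluster configuration
   * @param tableRegex scope selector as described above
   * @return the permissions found; never modified after return by this class
   * @throws java.util.regex.PatternSyntaxException if {@code tableRegex} is not a valid regex
   * @throws Throwable if an RPC or admin call fails; propagated from the RPC layer
   */
  public static List<UserPermission> getUserPermissions(Configuration conf, String tableRegex)
      throws Throwable {
    HTable ht = null;
    try {
      ht = getAclTable(conf);
      BlockingInterface protocol = getAccessControlServiceStub(ht);
      if (tableRegex == null || tableRegex.isEmpty()) {
        return ProtobufUtil.getUserPermissions(protocol);
      }
      if (tableRegex.charAt(0) == '@') {
        String namespace = tableRegex.substring(1);
        return ProtobufUtil.getUserPermissions(protocol, Bytes.toBytes(namespace));
      }
      return getTablePermissions(conf, protocol, Pattern.compile(tableRegex));
    } finally {
      if (ht != null) {
        ht.close();
      }
    }
  }

  /**
   * Collects the permissions of every table the master lists for {@code tablePattern}.
   *
   * <p>Kept separate so the admin connection has its own try/finally and is released
   * independently of the ACL table connection held by the caller.
   *
   * @param conf cluster configuration used to open the admin connection
   * @param protocol stub bound to an ACL table that the caller keeps open for the duration
   * @param tablePattern compiled pattern handed to {@link HBaseAdmin#listTables(Pattern)}
   * @return the concatenated permissions of all matching tables
   * @throws Throwable if listing tables or fetching permissions fails
   */
  private static List<UserPermission> getTablePermissions(Configuration conf,
      BlockingInterface protocol, Pattern tablePattern) throws Throwable {
    List<UserPermission> permList = new ArrayList<UserPermission>();
    HBaseAdmin ha = null;
    try {
      ha = new HBaseAdmin(conf);
      HTableDescriptor[] htds = ha.listTables(tablePattern);
      for (HTableDescriptor hd : htds) {
        permList.addAll(ProtobufUtil.getUserPermissions(protocol, hd.getTableName()));
      }
    } finally {
      if (ha != null) {
        ha.close();
      }
    }
    return permList;
  }

}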