org.apache.hadoop.hbase.security.access
Class TableAuthManager

java.lang.Object
  extended by org.apache.hadoop.hbase.security.access.TableAuthManager

@InterfaceAudience.Private
public class TableAuthManager
extends Object

Performs authorization checks against a given user's assigned permissions.


Method Summary
 boolean authorize(User user, Permission.Action action)
          Authorize a global permission based on ACLs for the given user and the user's groups.
 boolean authorize(User user, String namespace, Permission.Action action)
           
 boolean authorize(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
           
 boolean authorize(User user, TableName table, byte[] family, Permission.Action action)
           
 boolean authorize(User user, TableName table, Cell cell, Permission.Action action)
          Authorize a user for a given KV (the cell argument).
 boolean authorizeGroup(String groupName, Permission.Action action)
          Checks global authorization for a given action for a group, based on the stored permissions.
 boolean authorizeGroup(String groupName, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
          Checks authorization to a given table, column family and column for a group, based on the stored permissions.
 boolean authorizeUser(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
           
 boolean authorizeUser(User user, TableName table, byte[] family, Permission.Action action)
          Checks authorization to a given table and column family for a user, based on the stored user permissions.
static TableAuthManager get(ZooKeeperWatcher watcher, org.apache.hadoop.conf.Configuration conf)
           
 long getMTime()
           
 ZKPermissionWatcher getZKPermissionWatcher()
           
 boolean groupHasAccess(String groupName, TableName table, Permission.Action action)
          Checks if the group has access to the full table or at least a family/qualifier for the specified action.
 boolean hasAccess(User user, TableName table, Permission.Action action)
           
 boolean matchPermission(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
           
 boolean matchPermission(User user, TableName table, byte[] family, Permission.Action action)
          Returns true if the given user has a TablePermission matching up to the column family portion of a permission.
 void refreshNamespaceCacheFromWritable(String namespace, byte[] data)
           
 void refreshTableCacheFromWritable(TableName table, byte[] data)
           
 void removeNamespace(byte[] ns)
           
 void removeTable(TableName table)
           
 void setNamespaceGroupPermissions(String group, String namespace, List<TablePermission> perms)
          Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
 void setNamespaceUserPermissions(String username, String namespace, List<TablePermission> perms)
          Overwrites the existing permission set for a given user for a namespace, and triggers an update for zookeeper synchronization.
 void setTableGroupPermissions(String group, TableName table, List<TablePermission> perms)
          Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
 void setTableUserPermissions(String username, TableName table, List<TablePermission> perms)
          Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.
 boolean userHasAccess(User user, TableName table, Permission.Action action)
          Checks if the user has access to the full table or at least a family/qualifier for the specified action.
 void writeNamespaceToZooKeeper(String namespace, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)
           
 void writeTableToZooKeeper(TableName table, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Method Detail

getZKPermissionWatcher

public ZKPermissionWatcher getZKPermissionWatcher()

refreshTableCacheFromWritable

public void refreshTableCacheFromWritable(TableName table,
                                          byte[] data)
                                   throws IOException
Throws:
IOException

refreshNamespaceCacheFromWritable

public void refreshNamespaceCacheFromWritable(String namespace,
                                              byte[] data)
                                       throws IOException
Throws:
IOException

authorize

public boolean authorize(User user,
                         Permission.Action action)
Authorize a global permission based on ACLs for the given user and the user's groups.

Parameters:
user -
action -
Returns:
true if known and authorized, false otherwise

authorize

public boolean authorize(User user,
                         TableName table,
                         Cell cell,
                         Permission.Action action)
Authorize a user for a given KV (the cell argument). This is called from AccessControlFilter.


authorize

public boolean authorize(User user,
                         String namespace,
                         Permission.Action action)

authorizeUser

public boolean authorizeUser(User user,
                             TableName table,
                             byte[] family,
                             Permission.Action action)
Checks authorization to a given table and column family for a user, based on the stored user permissions.

Parameters:
user -
table -
family -
action -
Returns:
true if known and authorized, false otherwise

authorizeUser

public boolean authorizeUser(User user,
                             TableName table,
                             byte[] family,
                             byte[] qualifier,
                             Permission.Action action)

userHasAccess

public boolean userHasAccess(User user,
                             TableName table,
                             Permission.Action action)
Checks if the user has access to the full table or at least a family/qualifier for the specified action.

Parameters:
user -
table -
action -
Returns:
true if the user has access to the table, false otherwise

authorizeGroup

public boolean authorizeGroup(String groupName,
                              Permission.Action action)
Checks global authorization for a given action for a group, based on the stored permissions.


authorizeGroup

public boolean authorizeGroup(String groupName,
                              TableName table,
                              byte[] family,
                              byte[] qualifier,
                              Permission.Action action)
Checks authorization to a given table, column family and column for a group, based on the stored permissions.

Parameters:
groupName -
table -
family -
qualifier -
action -
Returns:
true if known and authorized, false otherwise

groupHasAccess

public boolean groupHasAccess(String groupName,
                              TableName table,
                              Permission.Action action)
Checks if the group has access to the full table or at least a family/qualifier for the specified action.

Parameters:
groupName -
table -
action -
Returns:
true if the group has access to the table, false otherwise

authorize

public boolean authorize(User user,
                         TableName table,
                         byte[] family,
                         byte[] qualifier,
                         Permission.Action action)

hasAccess

public boolean hasAccess(User user,
                         TableName table,
                         Permission.Action action)

authorize

public boolean authorize(User user,
                         TableName table,
                         byte[] family,
                         Permission.Action action)

matchPermission

public boolean matchPermission(User user,
                               TableName table,
                               byte[] family,
                               Permission.Action action)
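Returns true if the given user has a TablePermission matching up to the column family portion of a permission. Note that the matching permission may be scoped to a specific column qualifier, so a true result does not guarantee that authorize() on the same column family would return true. Callers that need an access decision for the whole column family should rely on authorize(), not on this match.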


matchPermission

public boolean matchPermission(User user,
                               TableName table,
                               byte[] family,
                               byte[] qualifier,
                               Permission.Action action)

removeNamespace

public void removeNamespace(byte[] ns)

removeTable

public void removeTable(TableName table)

setTableUserPermissions

public void setTableUserPermissions(String username,
                                    TableName table,
                                    List<TablePermission> perms)
Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.

Parameters:
username -
table -
perms -

setTableGroupPermissions

public void setTableGroupPermissions(String group,
                                     TableName table,
                                     List<TablePermission> perms)
Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:
group -
table -
perms -

setNamespaceUserPermissions

public void setNamespaceUserPermissions(String username,
                                        String namespace,
                                        List<TablePermission> perms)
Overwrites the existing permission set for a given user for a namespace, and triggers an update for zookeeper synchronization.

Parameters:
username -
namespace -
perms -

setNamespaceGroupPermissions

public void setNamespaceGroupPermissions(String group,
                                         String namespace,
                                         List<TablePermission> perms)
Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:
group -
namespace -
perms -

writeTableToZooKeeper

public void writeTableToZooKeeper(TableName table,
                                  org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)

writeNamespaceToZooKeeper

public void writeNamespaceToZooKeeper(String namespace,
                                      org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)

getMTime

public long getMTime()

get

public static TableAuthManager get(ZooKeeperWatcher watcher,
                                   org.apache.hadoop.conf.Configuration conf)
                            throws IOException
Throws:
IOException


Copyright © 2015 The Apache Software Foundation. All rights reserved.