org.apache.hadoop.hbase.security.access
Class TableAuthManager

java.lang.Object
  extended by org.apache.hadoop.hbase.security.access.TableAuthManager
All Implemented Interfaces:
Closeable

@InterfaceAudience.Private
public class TableAuthManager
extends Object
implements Closeable

Performs authorization checks for a given user's assigned permissions


Method Summary
 boolean authorize(User user, Permission.Action action)
          Authorize a global permission based on ACLs for the given user and the user's groups.
 boolean authorize(User user, String namespace, Permission.Action action)
 boolean authorize(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
 boolean authorize(User user, TableName table, byte[] family, Permission.Action action)
 boolean authorize(User user, TableName table, Cell cell, Permission.Action action)
          Authorize a user for a given KV.
 boolean authorizeGroup(String groupName, Permission.Action action)
          Checks global authorization for a given action for a group, based on the stored permissions.
 boolean authorizeGroup(String groupName, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
          Checks authorization to a given table, column family and column for a group, based on the stored permissions.
 boolean authorizeUser(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
 boolean authorizeUser(User user, TableName table, byte[] family, Permission.Action action)
          Checks authorization to a given table and column family for a user, based on the stored user permissions.
 void close()
 long getMTime()
static TableAuthManager getOrCreate(ZooKeeperWatcher watcher, org.apache.hadoop.conf.Configuration conf)
          Returns a TableAuthManager from the cache.
 ZKPermissionWatcher getZKPermissionWatcher()
 boolean groupHasAccess(String groupName, TableName table, Permission.Action action)
          Checks if the group has access to the full table or at least a family/qualifier for the specified action.
 boolean hasAccess(User user, TableName table, Permission.Action action)
 boolean matchPermission(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
 boolean matchPermission(User user, TableName table, byte[] family, Permission.Action action)
          Returns true if the given user has a TablePermission matching up to the column family portion of a permission.
 void refreshNamespaceCacheFromWritable(String namespace, byte[] data)
 void refreshTableCacheFromWritable(TableName table, byte[] data)
static void release(TableAuthManager instance)
          Releases the resources for the given TableAuthManager if the reference count is down to 0.
 void removeNamespace(byte[] ns)
 void removeTable(TableName table)
 void setNamespaceGroupPermissions(String group, String namespace, List<TablePermission> perms)
          Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
 void setNamespaceUserPermissions(String username, String namespace, List<TablePermission> perms)
          Overwrites the existing permission set for a given user for a namespace, and triggers an update for zookeeper synchronization.
 void setTableGroupPermissions(String group, TableName table, List<TablePermission> perms)
          Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
 void setTableUserPermissions(String username, TableName table, List<TablePermission> perms)
          Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.
 boolean userHasAccess(User user, TableName table, Permission.Action action)
          Checks if the user has access to the full table or at least a family/qualifier for the specified action.
 void writeNamespaceToZooKeeper(String namespace, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)
 void writeTableToZooKeeper(TableName table, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Method Detail

close

public void close()
Specified by:
close in interface Closeable

getZKPermissionWatcher

public ZKPermissionWatcher getZKPermissionWatcher()

refreshTableCacheFromWritable

public void refreshTableCacheFromWritable(TableName table,
                                          byte[] data)
                                   throws IOException
Throws:
IOException

refreshNamespaceCacheFromWritable

public void refreshNamespaceCacheFromWritable(String namespace,
                                              byte[] data)
                                       throws IOException
Throws:
IOException

authorize

public boolean authorize(User user,
                         Permission.Action action)
Authorize a global permission based on ACLs for the given user and the user's groups.

Parameters:
user -
action -
Returns:
true if known and authorized, false otherwise

authorize

public boolean authorize(User user,
                         TableName table,
                         Cell cell,
                         Permission.Action action)
Authorize a user for a given KV. This is called from AccessControlFilter.


authorize

public boolean authorize(User user,
                         String namespace,
                         Permission.Action action)

authorizeUser

public boolean authorizeUser(User user,
                             TableName table,
                             byte[] family,
                             Permission.Action action)
Checks authorization to a given table and column family for a user, based on the stored user permissions.

Parameters:
user -
table -
family -
action -
Returns:
true if known and authorized, false otherwise

authorizeUser

public boolean authorizeUser(User user,
                             TableName table,
                             byte[] family,
                             byte[] qualifier,
                             Permission.Action action)

userHasAccess

public boolean userHasAccess(User user,
                             TableName table,
                             Permission.Action action)
Checks if the user has access to the full table or at least a family/qualifier for the specified action.

Parameters:
user -
table -
action -
Returns:
true if the user has access to the table, false otherwise

authorizeGroup

public boolean authorizeGroup(String groupName,
                              Permission.Action action)
Checks global authorization for a given action for a group, based on the stored permissions.


authorizeGroup

public boolean authorizeGroup(String groupName,
                              TableName table,
                              byte[] family,
                              byte[] qualifier,
                              Permission.Action action)
Checks authorization to a given table, column family and column for a group, based on the stored permissions.

Parameters:
groupName -
table -
family -
qualifier -
action -
Returns:
true if known and authorized, false otherwise

groupHasAccess

public boolean groupHasAccess(String groupName,
                              TableName table,
                              Permission.Action action)
Checks if the group has access to the full table or at least a family/qualifier for the specified action.

Parameters:
groupName -
table -
action -
Returns:
true if the group has access to the table, false otherwise

authorize

public boolean authorize(User user,
                         TableName table,
                         byte[] family,
                         byte[] qualifier,
                         Permission.Action action)

hasAccess

public boolean hasAccess(User user,
                         TableName table,
                         Permission.Action action)

authorize

public boolean authorize(User user,
                         TableName table,
                         byte[] family,
                         Permission.Action action)

matchPermission

public boolean matchPermission(User user,
                               TableName table,
                               byte[] family,
                               Permission.Action action)
Returns true if the given user has a TablePermission matching up to the column family portion of a permission. Note that this permission may be scoped to a given column qualifier and does not guarantee that authorize() on the same column family would return true.


matchPermission

public boolean matchPermission(User user,
                               TableName table,
                               byte[] family,
                               byte[] qualifier,
                               Permission.Action action)

removeNamespace

public void removeNamespace(byte[] ns)

removeTable

public void removeTable(TableName table)

setTableUserPermissions

public void setTableUserPermissions(String username,
                                    TableName table,
                                    List<TablePermission> perms)
Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.

Parameters:
username -
table -
perms -

setTableGroupPermissions

public void setTableGroupPermissions(String group,
                                     TableName table,
                                     List<TablePermission> perms)
Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:
group -
table -
perms -

setNamespaceUserPermissions

public void setNamespaceUserPermissions(String username,
                                        String namespace,
                                        List<TablePermission> perms)
Overwrites the existing permission set for a given user for a namespace, and triggers an update for zookeeper synchronization.

Parameters:
username -
namespace -
perms -

setNamespaceGroupPermissions

public void setNamespaceGroupPermissions(String group,
                                         String namespace,
                                         List<TablePermission> perms)
Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:
group -
namespace -
perms -

writeTableToZooKeeper

public void writeTableToZooKeeper(TableName table,
                                  org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)

writeNamespaceToZooKeeper

public void writeNamespaceToZooKeeper(String namespace,
                                      org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)

getMTime

public long getMTime()

getOrCreate

public static TableAuthManager getOrCreate(ZooKeeperWatcher watcher,
                                           org.apache.hadoop.conf.Configuration conf)
                                    throws IOException
Returns a TableAuthManager from the cache. If not cached, constructs a new one. Returned instance should be released back by calling release(TableAuthManager).

Throws:
IOException

release

public static void release(TableAuthManager instance)
Releases the resources for the given TableAuthManager if the reference count is down to 0.

Parameters:
instance - TableAuthManager to be released
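The following is an added example, not code from the HBase project, that ties together two points made on this page: the getOrCreate()/release() reference-counting discipline, and the matchPermission() caveat that a permission scoped to a single column qualifier matches at the family level without authorizing the whole family. TableAuthManager is @InterfaceAudience.Private, so in a real deployment it is driven by the AccessController coprocessor rather than called directly; the example assumes a test or embedded setting where an open ZooKeeperWatcher and its Configuration are available, since setTableUserPermissions() writes to ZooKeeper. The table name "demo_orders", the family "cf", the qualifier "amount", the user "alice" and the group "analysts" are all constructed values for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.TableAuthManager;
import org.apache.hadoop.hbase.security.access.TablePermission;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;

public class QualifierScopedPermissionDemo {

  // Constructed names for the example; they do not refer to any real table or user.
  static final TableName TABLE = TableName.valueOf("demo_orders");
  static final byte[] FAMILY = Bytes.toBytes("cf");
  static final byte[] QUALIFIER = Bytes.toBytes("amount");

  /**
   * Grants READ on a single qualifier and then asks the manager three questions:
   *   [0] authorize(user, table, family, READ)            - may the user read the whole family?
   *   [1] matchPermission(user, table, family, READ)      - does any READ grant touch this family?
   *   [2] authorize(user, table, family, qualifier, READ) - may the user read the granted cell?
   *
   * The caller supplies an already-open ZooKeeperWatcher and the Configuration it was built with.
   */
  public static boolean[] checkFamilyVsQualifierScope(ZooKeeperWatcher watcher,
      Configuration conf) throws IOException {
    // getOrCreate hands out a cached, reference-counted instance; every call must be
    // paired with release(), otherwise the count never reaches 0 and resources leak.
    TableAuthManager authManager = TableAuthManager.getOrCreate(watcher, conf);
    try {
      // Test-only user factory; "alice" and "analysts" are constructed values.
      User alice = User.createUserForTesting(conf, "alice", new String[] { "analysts" });

      // Least-privilege grant: READ on one qualifier, nothing on the family as a whole.
      List<TablePermission> perms = Arrays.asList(
          new TablePermission(TABLE, FAMILY, QUALIFIER, Permission.Action.READ));

      // Replaces alice's permission set for TABLE and pushes it to ZooKeeper
      // (keyed by short name, which is what authorizeUser() looks up).
      authManager.setTableUserPermissions(alice.getShortName(), TABLE, perms);

      boolean canReadWholeFamily = authManager.authorize(
          alice, TABLE, FAMILY, Permission.Action.READ);
      boolean hasSomeGrantInFamily = authManager.matchPermission(
          alice, TABLE, FAMILY, Permission.Action.READ);
      boolean canReadGrantedCell = authManager.authorize(
          alice, TABLE, FAMILY, QUALIFIER, Permission.Action.READ);

      return new boolean[] { canReadWholeFamily, hasSomeGrantInFamily, canReadGrantedCell };
    } finally {
      // Runs on both the normal and the exceptional path, so the reference count
      // is decremented exactly once per getOrCreate().
      TableAuthManager.release(authManager);
    }
  }
}
```

Under the semantics this page documents, elements [1] and [2] should be true while [0] is false: matchPermission() reports that some grant reaches the family, but authorize() on the bare family does not succeed because the only grant is narrower than the family. The practical consequence is that matchPermission() is a pre-filter ("is there anything here worth evaluating?") and never a substitute for the authorize() call that makes the actual access decision.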


Copyright © 2007–2015 The Apache Software Foundation. All rights reserved.