org.apache.hadoop.hbase.security.access
Class AccessControlLists

java.lang.Object
  extended by org.apache.hadoop.hbase.security.access.AccessControlLists

public class AccessControlLists
extends Object

Maintains lists of permission grants to users and groups to allow for authorization checks by AccessController.

Access control lists are stored in an "internal" metadata table named _acl_. Each table's permission grants are stored as a separate row, keyed by the table name. KeyValues for permission assignments are stored in one of the following formats:

 Key                      Desc
 --------                 --------
 user                     table level permissions for a user [R=read, W=write]
 group                    table level permissions for a group
 user,family              column family level permissions for a user
 group,family             column family level permissions for a group
 user,family,qualifier    column qualifier level permissions for a user
 group,family,qualifier   column qualifier level permissions for a group
 
All values are encoded as byte arrays containing the codes from the org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
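
The key and value layout described above, as an added example that is not HBase's own code: a standalone decoder that turns one _acl_ cell into a readable grant, for use when reviewing an export of the table. It assumes the delimiter is the comma shown in the key table and the group prefix is "@" as documented for isGroupPrincipal; the class and method names are hypothetical, and the X, C and A codes come from HBase's Permission.Action enum rather than from this page.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Added example: decodes one _acl_ cell (column key + value) without HBase on the classpath. */
public class AclCellDecoder {
    // Assumptions: ',' separates key parts (as in the key table), "@" marks a group principal.
    static final char DELIM = ',';
    static final String GROUP_PREFIX = "@";

    /** Maps an action code to its name. R and W are listed on this page;
     *  X, C and A are the remaining codes of HBase's Permission.Action enum. */
    static String actionName(byte code) {
        switch ((char) (code & 0xff)) {
            case 'R': return "READ";
            case 'W': return "WRITE";
            case 'X': return "EXEC";
            case 'C': return "CREATE";
            case 'A': return "ADMIN";
            default:  return "UNKNOWN(0x" + Integer.toHexString(code & 0xff) + ")";
        }
    }

    /** Describes the grant stored under columnKey/value in the row for the given table. */
    static String describe(String table, String columnKey, byte[] value) {
        // Limit 3: anything after the second delimiter is kept as part of the qualifier.
        String[] parts = columnKey.split(String.valueOf(DELIM), 3);
        String principal = parts[0];
        boolean group = principal.startsWith(GROUP_PREFIX);
        String name = group ? principal.substring(GROUP_PREFIX.length()) : principal;
        String scope = "table " + table;
        if (parts.length > 1) scope += ", family " + parts[1];
        if (parts.length > 2) scope += ", qualifier " + parts[2];
        List<String> actions = new ArrayList<>();
        for (byte b : value) actions.add(actionName(b));  // unknown codes are surfaced, not dropped
        return (group ? "group " : "user ") + name + " -> " + actions + " on " + scope;
    }

    public static void main(String[] args) {
        // Constructed sample cells, not taken from a real cluster.
        String[][] cells = { {"alice", "RW"}, {"@ops", "R"}, {"bob,cf1", "W"}, {"@audit,cf1,q,1", "R?"} };
        for (String[] c : cells) {
            System.out.println(describe("orders", c[0], c[1].getBytes(StandardCharsets.UTF_8)));
        }
    }
}
```

Because the group check is a plain prefix test, any principal string beginning with "@" is reported as a group, which is worth keeping in mind when reviewing grants.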


Field Summary
static byte[] ACL_GLOBAL_NAME
           
static char ACL_KEY_DELIMITER
          Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys
static byte[] ACL_LIST_FAMILY
           
static String ACL_LIST_FAMILY_STR
          Column family used to store ACL grants
static TableName ACL_TABLE_NAME
          Internal storage table for access control lists
static HTableDescriptor ACL_TABLEDESC
          Table descriptor for ACL internal table
static String GROUP_PREFIX
          Prefix character to denote group names
static char NAMESPACE_PREFIX
           
static String SUPERUSER_CONF_KEY
          Configuration key for superusers
 
Constructor Summary
AccessControlLists()
           
 
Method Summary
static byte[] fromNamespaceEntry(byte[] namespace)
           
static String fromNamespaceEntry(String namespace)
           
static String getGroupName(String aclKey)
          Returns the actual name for a group principal (stripped of the group prefix).
static boolean isGroupPrincipal(String name)
          Returns whether or not the given name should be interpreted as a group principal.
static boolean isNamespaceEntry(byte[] entryName)
           
static boolean isNamespaceEntry(String entryName)
           
static com.google.common.collect.ListMultimap<String,TablePermission> readPermissions(byte[] data, org.apache.hadoop.conf.Configuration conf)
          Reads a set of permissions as Writable instances from the input stream.
static byte[] toNamespaceEntry(byte[] namespace)
           
static String toNamespaceEntry(String namespace)
           
static byte[] writePermissionsAsBytes(com.google.common.collect.ListMultimap<String,TablePermission> perms, org.apache.hadoop.conf.Configuration conf)
          Writes a set of permissions as Writable instances and returns the resulting byte array.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ACL_TABLE_NAME

public static final TableName ACL_TABLE_NAME
Internal storage table for access control lists


ACL_GLOBAL_NAME

public static final byte[] ACL_GLOBAL_NAME

ACL_LIST_FAMILY_STR

public static final String ACL_LIST_FAMILY_STR
Column family used to store ACL grants

See Also:
Constant Field Values

ACL_LIST_FAMILY

public static final byte[] ACL_LIST_FAMILY

NAMESPACE_PREFIX

public static final char NAMESPACE_PREFIX
See Also:
Constant Field Values

ACL_TABLEDESC

public static final HTableDescriptor ACL_TABLEDESC
Table descriptor for ACL internal table


ACL_KEY_DELIMITER

public static final char ACL_KEY_DELIMITER
Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys

See Also:
Constant Field Values

GROUP_PREFIX

public static final String GROUP_PREFIX
Prefix character to denote group names

See Also:
Constant Field Values

SUPERUSER_CONF_KEY

public static final String SUPERUSER_CONF_KEY
Configuration key for superusers

See Also:
Constant Field Values

Constructor Detail

AccessControlLists

public AccessControlLists()

Method Detail

writePermissionsAsBytes

public static byte[] writePermissionsAsBytes(com.google.common.collect.ListMultimap<String,TablePermission> perms,
                                             org.apache.hadoop.conf.Configuration conf)
Writes a set of permissions ([user: table permission] pairs) as Writable instances and returns the resulting byte array.


readPermissions

public static com.google.common.collect.ListMultimap<String,TablePermission> readPermissions(byte[] data,
                                                                                             org.apache.hadoop.conf.Configuration conf)
                                                                                      throws DeserializationException
Reads a set of permissions as Writable instances from the input stream.

Throws:
DeserializationException

isGroupPrincipal

public static boolean isGroupPrincipal(String name)
Returns whether or not the given name should be interpreted as a group principal. Currently this simply checks if the name starts with the special group prefix character ("@").


getGroupName

public static String getGroupName(String aclKey)
Returns the actual name for a group principal (stripped of the group prefix).


isNamespaceEntry

public static boolean isNamespaceEntry(String entryName)

isNamespaceEntry

public static boolean isNamespaceEntry(byte[] entryName)

toNamespaceEntry

public static String toNamespaceEntry(String namespace)

fromNamespaceEntry

public static String fromNamespaceEntry(String namespace)

toNamespaceEntry

public static byte[] toNamespaceEntry(byte[] namespace)

fromNamespaceEntry

public static byte[] fromNamespaceEntry(byte[] namespace)


Copyright © 2013 The Apache Software Foundation. All Rights Reserved.