View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.DataInput;
23  import java.io.DataInputStream;
24  import java.io.IOException;
25  import java.util.ArrayList;
26  import java.util.Arrays;
27  import java.util.Iterator;
28  import java.util.List;
29  import java.util.Map;
30  import java.util.Set;
31  import java.util.TreeMap;
32  import java.util.TreeSet;
33  
34  import org.apache.commons.logging.Log;
35  import org.apache.commons.logging.LogFactory;
36  import org.apache.hadoop.hbase.classification.InterfaceAudience;
37  import org.apache.hadoop.conf.Configuration;
38  import org.apache.hadoop.hbase.Cell;
39  import org.apache.hadoop.hbase.CellUtil;
40  import org.apache.hadoop.hbase.HColumnDescriptor;
41  import org.apache.hadoop.hbase.HConstants;
42  import org.apache.hadoop.hbase.HTableDescriptor;
43  import org.apache.hadoop.hbase.NamespaceDescriptor;
44  import org.apache.hadoop.hbase.TableName;
45  import org.apache.hadoop.hbase.Tag;
46  import org.apache.hadoop.hbase.TagType;
47  import org.apache.hadoop.hbase.client.Delete;
48  import org.apache.hadoop.hbase.client.Get;
49  import org.apache.hadoop.hbase.client.HTable;
50  import org.apache.hadoop.hbase.client.Put;
51  import org.apache.hadoop.hbase.client.Result;
52  import org.apache.hadoop.hbase.client.ResultScanner;
53  import org.apache.hadoop.hbase.client.Scan;
54  import org.apache.hadoop.hbase.exceptions.DeserializationException;
55  import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
56  import org.apache.hadoop.hbase.filter.QualifierFilter;
57  import org.apache.hadoop.hbase.filter.RegexStringComparator;
58  import org.apache.hadoop.hbase.io.compress.Compression;
59  import org.apache.hadoop.hbase.master.MasterServices;
60  import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
61  import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
62  import org.apache.hadoop.hbase.regionserver.BloomType;
63  import org.apache.hadoop.hbase.regionserver.HRegion;
64  import org.apache.hadoop.hbase.regionserver.InternalScanner;
65  import org.apache.hadoop.hbase.security.User;
66  import org.apache.hadoop.hbase.util.Bytes;
67  import org.apache.hadoop.hbase.util.Pair;
68  import org.apache.hadoop.io.Text;
69  
70  import com.google.common.collect.ArrayListMultimap;
71  import com.google.common.collect.ListMultimap;
72  import com.google.common.collect.Lists;
73  import com.google.protobuf.InvalidProtocolBufferException;
74  
75  /**
76   * Maintains lists of permission grants to users and groups to allow for
77   * authorization checks by {@link AccessController}.
78   *
79   * <p>
80   * Access control lists are stored in an "internal" metadata table named
81   * {@code _acl_}. Each table's permission grants are stored as a separate row,
82   * keyed by the table name. KeyValues for permissions assignments are stored
83   * in one of the formats:
84   * <pre>
85   * Key                      Desc
86   * --------                 --------
87   * user                     table level permissions for a user [R=read, W=write]
88   * group                    table level permissions for a group
89   * user,family              column family level permissions for a user
90   * group,family             column family level permissions for a group
91   * user,family,qualifier    column qualifier level permissions for a user
92   * group,family,qualifier   column qualifier level permissions for a group
93   * </pre>
94   * All values are encoded as byte arrays containing the codes from the
95   * org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
96   * </p>
97   */
98  @InterfaceAudience.Private
99  public class AccessControlLists {
100   /** Internal storage table for access control lists */
101   public static final TableName ACL_TABLE_NAME =
102       TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
103   public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
104   /** Column family used to store ACL grants */
105   public static final String ACL_LIST_FAMILY_STR = "l";
106   public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
107   /** KV tag to store per cell access control lists */
108   public static final byte ACL_TAG_TYPE = TagType.ACL_TAG_TYPE;
109 
110   public static final char NAMESPACE_PREFIX = '@';
111 
112   /** Table descriptor for ACL internal table */
113   public static final HTableDescriptor ACL_TABLEDESC = new HTableDescriptor(ACL_TABLE_NAME);
114   static {
115     ACL_TABLEDESC.addFamily(
116         new HColumnDescriptor(ACL_LIST_FAMILY,
117             10, // Ten is arbitrary number.  Keep versions to help debugging.
118             Compression.Algorithm.NONE.getName(), true, true, 8 * 1024,
119             HConstants.FOREVER, BloomType.NONE.toString(),
120             HConstants.REPLICATION_SCOPE_LOCAL));
121   }
122 
123   /**
124    * Delimiter to separate user, column family, and qualifier in
125    * _acl_ table info: column keys */
126   public static final char ACL_KEY_DELIMITER = ',';
127   /** Prefix character to denote group names */
128   public static final String GROUP_PREFIX = "@";
129   /** Configuration key for superusers */
130   public static final String SUPERUSER_CONF_KEY = "hbase.superuser";
131 
132   private static Log LOG = LogFactory.getLog(AccessControlLists.class);
133 
134   /**
135    * Check for existence of {@code _acl_} table and create it if it does not exist
136    * @param master reference to HMaster
137    */
138   static void init(MasterServices master) throws IOException {
139     master.createTable(ACL_TABLEDESC, null);
140   }
141 
142   /**
143    * Stores a new user permission grant in the access control lists table.
144    * @param conf the configuration
145    * @param userPerm the details of the permission to be granted
146    * @throws IOException in the case of an error accessing the metadata table
147    */
148   static void addUserPermission(Configuration conf, UserPermission userPerm)
149       throws IOException {
150     Permission.Action[] actions = userPerm.getActions();
151     byte[] rowKey = userPermissionRowKey(userPerm);
152     Put p = new Put(rowKey);
153     byte[] key = userPermissionKey(userPerm);
154 
155     if ((actions == null) || (actions.length == 0)) {
156       String msg = "No actions associated with user '" + Bytes.toString(userPerm.getUser()) + "'";
157       LOG.warn(msg);
158       throw new IOException(msg);
159     }
160 
161     byte[] value = new byte[actions.length];
162     for (int i = 0; i < actions.length; i++) {
163       value[i] = actions[i].code();
164     }
165     p.addImmutable(ACL_LIST_FAMILY, key, value);
166     if (LOG.isDebugEnabled()) {
167       LOG.debug("Writing permission with rowKey "+
168           Bytes.toString(rowKey)+" "+
169           Bytes.toString(key)+": "+Bytes.toStringBinary(value)
170       );
171     }
172     HTable acls = null;
173     try {
174       acls = new HTable(conf, ACL_TABLE_NAME);
175       acls.put(p);
176     } finally {
177       if (acls != null) acls.close();
178     }
179   }
180 
181   /**
182    * Removes a previously granted permission from the stored access control
183    * lists.  The {@link TablePermission} being removed must exactly match what
184    * is stored -- no wildcard matching is attempted.  Ie, if user "bob" has
185    * been granted "READ" access to the "data" table, but only to column family
186    * plus qualifier "info:colA", then trying to call this method with only
187    * user "bob" and the table name "data" (but without specifying the
188    * column qualifier "info:colA") will have no effect.
189    *
190    * @param conf the configuration
191    * @param userPerm the details of the permission to be revoked
192    * @throws IOException if there is an error accessing the metadata table
193    */
194   static void removeUserPermission(Configuration conf, UserPermission userPerm)
195       throws IOException {
196     Delete d = new Delete(userPermissionRowKey(userPerm));
197     byte[] key = userPermissionKey(userPerm);
198 
199     if (LOG.isDebugEnabled()) {
200       LOG.debug("Removing permission "+ userPerm.toString());
201     }
202     d.deleteColumns(ACL_LIST_FAMILY, key);
203     HTable acls = null;
204     try {
205       acls = new HTable(conf, ACL_TABLE_NAME);
206       acls.delete(d);
207     } finally {
208       if (acls != null) acls.close();
209     }
210   }
211 
212   /**
213    * Remove specified table from the _acl_ table.
214    */
215   static void removeTablePermissions(Configuration conf, TableName tableName)
216       throws IOException{
217     Delete d = new Delete(tableName.getName());
218 
219     if (LOG.isDebugEnabled()) {
220       LOG.debug("Removing permissions of removed table "+ tableName);
221     }
222 
223     HTable acls = null;
224     try {
225       acls = new HTable(conf, ACL_TABLE_NAME);
226       acls.delete(d);
227     } finally {
228       if (acls != null) acls.close();
229     }
230   }
231 
232   /**
233    * Remove specified namespace from the acl table.
234    */
235   static void removeNamespacePermissions(Configuration conf, String namespace)
236       throws IOException{
237     Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
238 
239     if (LOG.isDebugEnabled()) {
240       LOG.debug("Removing permissions of removed namespace "+ namespace);
241     }
242 
243     HTable acls = null;
244     try {
245       acls = new HTable(conf, ACL_TABLE_NAME);
246       acls.delete(d);
247     } finally {
248       if (acls != null) acls.close();
249     }
250   }
251 
252   /**
253    * Remove specified table column from the acl table.
254    */
255   static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column)
256       throws IOException{
257 
258     if (LOG.isDebugEnabled()) {
259       LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
260                 " from table "+ tableName);
261     }
262 
263     HTable acls = null;
264     try {
265       acls = new HTable(conf, ACL_TABLE_NAME);
266 
267       Scan scan = new Scan();
268       scan.addFamily(ACL_LIST_FAMILY);
269 
270       String columnName = Bytes.toString(column);
271       scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator(
272                      String.format("(%s%s%s)|(%s%s)$",
273                      ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
274                      ACL_KEY_DELIMITER, columnName))));
275 
276       Set<byte[]> qualifierSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
277       ResultScanner scanner = acls.getScanner(scan);
278       try {
279         for (Result res : scanner) {
280           for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
281             qualifierSet.add(q);
282           }
283         }
284       } finally {
285         scanner.close();
286       }
287 
288       if (qualifierSet.size() > 0) {
289         Delete d = new Delete(tableName.getName());
290         for (byte[] qualifier : qualifierSet) {
291           d.deleteColumns(ACL_LIST_FAMILY, qualifier);
292         }
293         acls.delete(d);
294       }
295     } finally {
296       if (acls != null) acls.close();
297     }
298   }
299 
300   static byte[] userPermissionRowKey(UserPermission userPerm) {
301     byte[] row;
302     if(userPerm.hasNamespace()) {
303       row = Bytes.toBytes(toNamespaceEntry(userPerm.getNamespace()));
304     } else if(userPerm.isGlobal()) {
305       row = ACL_GLOBAL_NAME;
306     } else {
307       row = userPerm.getTableName().getName();
308     }
309     return row;
310   }
311 
312   /**
313    * Build qualifier key from user permission:
314    *  username
315    *  username,family
316    *  username,family,qualifier
317    */
318   static byte[] userPermissionKey(UserPermission userPerm) {
319     byte[] qualifier = userPerm.getQualifier();
320     byte[] family = userPerm.getFamily();
321     byte[] key = userPerm.getUser();
322 
323     if (family != null && family.length > 0) {
324       key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
325       if (qualifier != null && qualifier.length > 0) {
326         key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
327       }
328     }
329 
330     return key;
331   }
332 
333   /**
334    * Returns {@code true} if the given region is part of the {@code _acl_}
335    * metadata table.
336    */
337   static boolean isAclRegion(HRegion region) {
338     return ACL_TABLE_NAME.equals(region.getTableDesc().getTableName());
339   }
340 
341   /**
342    * Returns {@code true} if the given table is {@code _acl_} metadata table.
343    */
344   static boolean isAclTable(HTableDescriptor desc) {
345     return ACL_TABLE_NAME.equals(desc.getTableName());
346   }
347 
348   /**
349    * Loads all of the permission grants stored in a region of the {@code _acl_}
350    * table.
351    *
352    * @param aclRegion
353    * @return a map of the permissions for this table.
354    * @throws IOException
355    */
356   static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
357       HRegion aclRegion)
358     throws IOException {
359 
360     if (!isAclRegion(aclRegion)) {
361       throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
362     }
363 
364     Map<byte[], ListMultimap<String, TablePermission>> allPerms =
365         new TreeMap<byte[], ListMultimap<String, TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
366 
367     // do a full scan of _acl_ table
368 
369     Scan scan = new Scan();
370     scan.addFamily(ACL_LIST_FAMILY);
371 
372     InternalScanner iScanner = null;
373     try {
374       iScanner = aclRegion.getScanner(scan);
375 
376       while (true) {
377         List<Cell> row = new ArrayList<Cell>();
378 
379         boolean hasNext = iScanner.next(row);
380         ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
381         byte[] entry = null;
382         for (Cell kv : row) {
383           if (entry == null) {
384             entry = CellUtil.cloneRow(kv);
385           }
386           Pair<String,TablePermission> permissionsOfUserOnTable =
387               parsePermissionRecord(entry, kv);
388           if (permissionsOfUserOnTable != null) {
389             String username = permissionsOfUserOnTable.getFirst();
390             TablePermission permissions = permissionsOfUserOnTable.getSecond();
391             perms.put(username, permissions);
392           }
393         }
394         if (entry != null) {
395           allPerms.put(entry, perms);
396         }
397         if (!hasNext) {
398           break;
399         }
400       }
401     } finally {
402       if (iScanner != null) {
403         iScanner.close();
404       }
405     }
406 
407     return allPerms;
408   }
409 
410   /**
411    * Load all permissions from the region server holding {@code _acl_},
412    * primarily intended for testing purposes.
413    */
414   static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
415       Configuration conf) throws IOException {
416     Map<byte[], ListMultimap<String,TablePermission>> allPerms =
417         new TreeMap<byte[], ListMultimap<String,TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
418 
419     // do a full scan of _acl_, filtering on only first table region rows
420 
421     Scan scan = new Scan();
422     scan.addFamily(ACL_LIST_FAMILY);
423 
424     HTable acls = null;
425     ResultScanner scanner = null;
426     try {
427       acls = new HTable(conf, ACL_TABLE_NAME);
428       scanner = acls.getScanner(scan);
429       for (Result row : scanner) {
430         ListMultimap<String,TablePermission> resultPerms =
431             parsePermissions(row.getRow(), row);
432         allPerms.put(row.getRow(), resultPerms);
433       }
434     } finally {
435       if (scanner != null) scanner.close();
436       if (acls != null) acls.close();
437     }
438 
439     return allPerms;
440   }
441 
442   static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
443         TableName tableName) throws IOException {
444     return getPermissions(conf, tableName != null ? tableName.getName() : null);
445   }
446 
447   static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
448         String namespace) throws IOException {
449     return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
450   }
451 
452   /**
453    * Reads user permission assignments stored in the <code>l:</code> column
454    * family of the first table row in <code>_acl_</code>.
455    *
456    * <p>
457    * See {@link AccessControlLists class documentation} for the key structure
458    * used for storage.
459    * </p>
460    */
461   static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
462       byte[] entryName) throws IOException {
463     if (entryName == null) entryName = ACL_TABLE_NAME.getName();
464 
465     // for normal user tables, we just read the table row from _acl_
466     ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
467     HTable acls = null;
468     try {
469       acls = new HTable(conf, ACL_TABLE_NAME);
470       Get get = new Get(entryName);
471       get.addFamily(ACL_LIST_FAMILY);
472       Result row = acls.get(get);
473       if (!row.isEmpty()) {
474         perms = parsePermissions(entryName, row);
475       } else {
476         LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
477             + Bytes.toString(entryName));
478       }
479     } finally {
480       if (acls != null) acls.close();
481     }
482 
483     return perms;
484   }
485 
486   /**
487    * Returns the currently granted permissions for a given table as a list of
488    * user plus associated permissions.
489    */
490   static List<UserPermission> getUserTablePermissions(
491       Configuration conf, TableName tableName) throws IOException {
492     return getUserPermissions(conf, tableName == null ? null : tableName.getName());
493   }
494 
495   static List<UserPermission> getUserNamespacePermissions(
496       Configuration conf, String namespace) throws IOException {
497     return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
498   }
499 
500   static List<UserPermission> getUserPermissions(
501       Configuration conf, byte[] entryName)
502   throws IOException {
503     ListMultimap<String,TablePermission> allPerms = getPermissions(
504       conf, entryName);
505 
506     List<UserPermission> perms = new ArrayList<UserPermission>();
507 
508     for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
509       UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
510           entry.getValue().getTableName(), entry.getValue().getFamily(),
511           entry.getValue().getQualifier(), entry.getValue().getActions());
512       perms.add(up);
513     }
514     return perms;
515   }
516 
517   private static ListMultimap<String, TablePermission> parsePermissions(
518       byte[] entryName, Result result) {
519     ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
520     if (result != null && result.size() > 0) {
521       for (Cell kv : result.rawCells()) {
522 
523         Pair<String,TablePermission> permissionsOfUserOnTable =
524             parsePermissionRecord(entryName, kv);
525 
526         if (permissionsOfUserOnTable != null) {
527           String username = permissionsOfUserOnTable.getFirst();
528           TablePermission permissions = permissionsOfUserOnTable.getSecond();
529           perms.put(username, permissions);
530         }
531       }
532     }
533     return perms;
534   }
535 
536   private static Pair<String, TablePermission> parsePermissionRecord(
537       byte[] entryName, Cell kv) {
538     // return X given a set of permissions encoded in the permissionRecord kv.
539     byte[] family = CellUtil.cloneFamily(kv);
540 
541     if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
542       return null;
543     }
544 
545     byte[] key = CellUtil.cloneQualifier(kv);
546     byte[] value = CellUtil.cloneValue(kv);
547     if (LOG.isDebugEnabled()) {
548       LOG.debug("Read acl: kv ["+
549                 Bytes.toStringBinary(key)+": "+
550                 Bytes.toStringBinary(value)+"]");
551     }
552 
553     // check for a column family appended to the key
554     // TODO: avoid the string conversion to make this more efficient
555     String username = Bytes.toString(key);
556 
557     //Handle namespace entry
558     if(isNamespaceEntry(entryName)) {
559       return new Pair<String, TablePermission>(username,
560           new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
561     }
562 
563     //Handle table and global entry
564     //TODO global entry should be handled differently
565     int idx = username.indexOf(ACL_KEY_DELIMITER);
566     byte[] permFamily = null;
567     byte[] permQualifier = null;
568     if (idx > 0 && idx < username.length()-1) {
569       String remainder = username.substring(idx+1);
570       username = username.substring(0, idx);
571       idx = remainder.indexOf(ACL_KEY_DELIMITER);
572       if (idx > 0 && idx < remainder.length()-1) {
573         permFamily = Bytes.toBytes(remainder.substring(0, idx));
574         permQualifier = Bytes.toBytes(remainder.substring(idx+1));
575       } else {
576         permFamily = Bytes.toBytes(remainder);
577       }
578     }
579 
580     return new Pair<String,TablePermission>(username,
581         new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
582   }
583 
584   /**
585    * Writes a set of permissions as {@link org.apache.hadoop.io.Writable} instances
586    * and returns the resulting byte array.
587    *
588    * Writes a set of permission [user: table permission]
589    */
590   public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
591       Configuration conf) {
592     return ProtobufUtil.prependPBMagic(ProtobufUtil.toUserTablePermissions(perms).toByteArray());
593   }
594 
595   /**
596    * Reads a set of permissions as {@link org.apache.hadoop.io.Writable} instances
597    * from the input stream.
598    */
599   public static ListMultimap<String, TablePermission> readPermissions(byte[] data,
600       Configuration conf)
601   throws DeserializationException {
602     if (ProtobufUtil.isPBMagicPrefix(data)) {
603       int pblen = ProtobufUtil.lengthOfPBMagic();
604       try {
605         AccessControlProtos.UsersAndPermissions perms =
606           AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
607             data, pblen, data.length - pblen).build();
608         return ProtobufUtil.toUserTablePermissions(perms);
609       } catch (InvalidProtocolBufferException e) {
610         throw new DeserializationException(e);
611       }
612     } else {
613       ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
614       try {
615         DataInput in = new DataInputStream(new ByteArrayInputStream(data));
616         int length = in.readInt();
617         for (int i=0; i<length; i++) {
618           String user = Text.readString(in);
619           List<TablePermission> userPerms =
620             (List)HbaseObjectWritableFor96Migration.readObject(in, conf);
621           perms.putAll(user, userPerms);
622         }
623       } catch (IOException e) {
624         throw new DeserializationException(e);
625       }
626       return perms;
627     }
628   }
629 
630   /**
631    * Returns whether or not the given name should be interpreted as a group
632    * principal.  Currently this simply checks if the name starts with the
633    * special group prefix character ("@").
634    */
635   public static boolean isGroupPrincipal(String name) {
636     return name != null && name.startsWith(GROUP_PREFIX);
637   }
638 
639   /**
640    * Returns the actual name for a group principal (stripped of the
641    * group prefix).
642    */
643   public static String getGroupName(String aclKey) {
644     if (!isGroupPrincipal(aclKey)) {
645       return aclKey;
646     }
647 
648     return aclKey.substring(GROUP_PREFIX.length());
649   }
650 
651   public static boolean isNamespaceEntry(String entryName) {
652     return entryName.charAt(0) == NAMESPACE_PREFIX;
653   }
654 
655   public static boolean isNamespaceEntry(byte[] entryName) {
656     return entryName[0] == NAMESPACE_PREFIX;
657   }
658   
659   public static String toNamespaceEntry(String namespace) {
660      return NAMESPACE_PREFIX + namespace;
661    }
662 
663    public static String fromNamespaceEntry(String namespace) {
664      if(namespace.charAt(0) != NAMESPACE_PREFIX)
665        throw new IllegalArgumentException("Argument is not a valid namespace entry");
666      return namespace.substring(1);
667    }
668 
669    public static byte[] toNamespaceEntry(byte[] namespace) {
670      byte[] ret = new byte[namespace.length+1];
671      ret[0] = NAMESPACE_PREFIX;
672      System.arraycopy(namespace, 0, ret, 1, namespace.length);
673      return ret;
674    }
675 
676    public static byte[] fromNamespaceEntry(byte[] namespace) {
677      if(namespace[0] != NAMESPACE_PREFIX) {
678        throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
679            Bytes.toString(namespace));
680      }
681      return Arrays.copyOfRange(namespace, 1, namespace.length);
682    }
683 
684    public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
685        throws IOException {
686      // Save an object allocation where we can
687      if (cell.getTagsLengthUnsigned() == 0) {
688        return null;
689      }
690      List<Permission> results = Lists.newArrayList();
691      Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),
692         cell.getTagsLengthUnsigned());
693      while (tagsIterator.hasNext()) {
694        Tag tag = tagsIterator.next();
695        if (tag.getType() == ACL_TAG_TYPE) {
696          // Deserialize the table permissions from the KV
697          ListMultimap<String,Permission> kvPerms = ProtobufUtil.toUsersAndPermissions(
698            AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
699              tag.getBuffer(), tag.getTagOffset(), tag.getTagLength()).build());
700          // Are there permissions for this user?
701          List<Permission> userPerms = kvPerms.get(user.getShortName());
702          if (userPerms != null) {
703            results.addAll(userPerms);
704          }
705          // Are there permissions for any of the groups this user belongs to?
706          String groupNames[] = user.getGroupNames();
707          if (groupNames != null) {
708            for (String group : groupNames) {
709              List<Permission> groupPerms = kvPerms.get(GROUP_PREFIX + group);
710              if (results != null) {
711                results.addAll(groupPerms);
712              }
713            }
714          }
715        }
716      }
717      return results;
718    }
719 }