1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.hadoop.hbase.security.access;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.DataInput;
23 import java.io.DataInputStream;
24 import java.io.IOException;
25 import java.util.ArrayList;
26 import java.util.Arrays;
27 import java.util.Iterator;
28 import java.util.List;
29 import java.util.Map;
30 import java.util.Set;
31 import java.util.TreeMap;
32 import java.util.TreeSet;
33
34 import org.apache.commons.logging.Log;
35 import org.apache.commons.logging.LogFactory;
36 import org.apache.hadoop.hbase.classification.InterfaceAudience;
37 import org.apache.hadoop.conf.Configuration;
38 import org.apache.hadoop.hbase.Cell;
39 import org.apache.hadoop.hbase.CellUtil;
40 import org.apache.hadoop.hbase.HColumnDescriptor;
41 import org.apache.hadoop.hbase.HConstants;
42 import org.apache.hadoop.hbase.HTableDescriptor;
43 import org.apache.hadoop.hbase.NamespaceDescriptor;
44 import org.apache.hadoop.hbase.TableName;
45 import org.apache.hadoop.hbase.Tag;
46 import org.apache.hadoop.hbase.TagType;
47 import org.apache.hadoop.hbase.client.Delete;
48 import org.apache.hadoop.hbase.client.Get;
49 import org.apache.hadoop.hbase.client.HTable;
50 import org.apache.hadoop.hbase.client.Put;
51 import org.apache.hadoop.hbase.client.Result;
52 import org.apache.hadoop.hbase.client.ResultScanner;
53 import org.apache.hadoop.hbase.client.Scan;
54 import org.apache.hadoop.hbase.exceptions.DeserializationException;
55 import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
56 import org.apache.hadoop.hbase.filter.QualifierFilter;
57 import org.apache.hadoop.hbase.filter.RegexStringComparator;
58 import org.apache.hadoop.hbase.io.compress.Compression;
59 import org.apache.hadoop.hbase.master.MasterServices;
60 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
61 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
62 import org.apache.hadoop.hbase.regionserver.BloomType;
63 import org.apache.hadoop.hbase.regionserver.HRegion;
64 import org.apache.hadoop.hbase.regionserver.InternalScanner;
65 import org.apache.hadoop.hbase.security.User;
66 import org.apache.hadoop.hbase.util.Bytes;
67 import org.apache.hadoop.hbase.util.Pair;
68 import org.apache.hadoop.io.Text;
69
70 import com.google.common.collect.ArrayListMultimap;
71 import com.google.common.collect.ListMultimap;
72 import com.google.common.collect.Lists;
73 import com.google.protobuf.InvalidProtocolBufferException;
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98 @InterfaceAudience.Private
99 public class AccessControlLists {
100
101 public static final TableName ACL_TABLE_NAME =
102 TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
103 public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
104
105 public static final String ACL_LIST_FAMILY_STR = "l";
106 public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
107
108 public static final byte ACL_TAG_TYPE = TagType.ACL_TAG_TYPE;
109
110 public static final char NAMESPACE_PREFIX = '@';
111
112
113 public static final HTableDescriptor ACL_TABLEDESC = new HTableDescriptor(ACL_TABLE_NAME);
114 static {
115 ACL_TABLEDESC.addFamily(
116 new HColumnDescriptor(ACL_LIST_FAMILY,
117 10,
118 Compression.Algorithm.NONE.getName(), true, true, 8 * 1024,
119 HConstants.FOREVER, BloomType.NONE.toString(),
120 HConstants.REPLICATION_SCOPE_LOCAL));
121 }
122
123
124
125
126 public static final char ACL_KEY_DELIMITER = ',';
127
128 public static final String GROUP_PREFIX = "@";
129
130 public static final String SUPERUSER_CONF_KEY = "hbase.superuser";
131
132 private static Log LOG = LogFactory.getLog(AccessControlLists.class);
133
134
135
136
137
138 static void init(MasterServices master) throws IOException {
139 master.createTable(ACL_TABLEDESC, null);
140 }
141
142
143
144
145
146
147
148 static void addUserPermission(Configuration conf, UserPermission userPerm)
149 throws IOException {
150 Permission.Action[] actions = userPerm.getActions();
151 byte[] rowKey = userPermissionRowKey(userPerm);
152 Put p = new Put(rowKey);
153 byte[] key = userPermissionKey(userPerm);
154
155 if ((actions == null) || (actions.length == 0)) {
156 String msg = "No actions associated with user '" + Bytes.toString(userPerm.getUser()) + "'";
157 LOG.warn(msg);
158 throw new IOException(msg);
159 }
160
161 byte[] value = new byte[actions.length];
162 for (int i = 0; i < actions.length; i++) {
163 value[i] = actions[i].code();
164 }
165 p.addImmutable(ACL_LIST_FAMILY, key, value);
166 if (LOG.isDebugEnabled()) {
167 LOG.debug("Writing permission with rowKey "+
168 Bytes.toString(rowKey)+" "+
169 Bytes.toString(key)+": "+Bytes.toStringBinary(value)
170 );
171 }
172 HTable acls = null;
173 try {
174 acls = new HTable(conf, ACL_TABLE_NAME);
175 acls.put(p);
176 } finally {
177 if (acls != null) acls.close();
178 }
179 }
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194 static void removeUserPermission(Configuration conf, UserPermission userPerm)
195 throws IOException {
196 Delete d = new Delete(userPermissionRowKey(userPerm));
197 byte[] key = userPermissionKey(userPerm);
198
199 if (LOG.isDebugEnabled()) {
200 LOG.debug("Removing permission "+ userPerm.toString());
201 }
202 d.deleteColumns(ACL_LIST_FAMILY, key);
203 HTable acls = null;
204 try {
205 acls = new HTable(conf, ACL_TABLE_NAME);
206 acls.delete(d);
207 } finally {
208 if (acls != null) acls.close();
209 }
210 }
211
212
213
214
215 static void removeTablePermissions(Configuration conf, TableName tableName)
216 throws IOException{
217 Delete d = new Delete(tableName.getName());
218
219 if (LOG.isDebugEnabled()) {
220 LOG.debug("Removing permissions of removed table "+ tableName);
221 }
222
223 HTable acls = null;
224 try {
225 acls = new HTable(conf, ACL_TABLE_NAME);
226 acls.delete(d);
227 } finally {
228 if (acls != null) acls.close();
229 }
230 }
231
232
233
234
235 static void removeNamespacePermissions(Configuration conf, String namespace)
236 throws IOException{
237 Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
238
239 if (LOG.isDebugEnabled()) {
240 LOG.debug("Removing permissions of removed namespace "+ namespace);
241 }
242
243 HTable acls = null;
244 try {
245 acls = new HTable(conf, ACL_TABLE_NAME);
246 acls.delete(d);
247 } finally {
248 if (acls != null) acls.close();
249 }
250 }
251
252
253
254
255 static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column)
256 throws IOException{
257
258 if (LOG.isDebugEnabled()) {
259 LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
260 " from table "+ tableName);
261 }
262
263 HTable acls = null;
264 try {
265 acls = new HTable(conf, ACL_TABLE_NAME);
266
267 Scan scan = new Scan();
268 scan.addFamily(ACL_LIST_FAMILY);
269
270 String columnName = Bytes.toString(column);
271 scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator(
272 String.format("(%s%s%s)|(%s%s)$",
273 ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
274 ACL_KEY_DELIMITER, columnName))));
275
276 Set<byte[]> qualifierSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
277 ResultScanner scanner = acls.getScanner(scan);
278 try {
279 for (Result res : scanner) {
280 for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
281 qualifierSet.add(q);
282 }
283 }
284 } finally {
285 scanner.close();
286 }
287
288 if (qualifierSet.size() > 0) {
289 Delete d = new Delete(tableName.getName());
290 for (byte[] qualifier : qualifierSet) {
291 d.deleteColumns(ACL_LIST_FAMILY, qualifier);
292 }
293 acls.delete(d);
294 }
295 } finally {
296 if (acls != null) acls.close();
297 }
298 }
299
300 static byte[] userPermissionRowKey(UserPermission userPerm) {
301 byte[] row;
302 if(userPerm.hasNamespace()) {
303 row = Bytes.toBytes(toNamespaceEntry(userPerm.getNamespace()));
304 } else if(userPerm.isGlobal()) {
305 row = ACL_GLOBAL_NAME;
306 } else {
307 row = userPerm.getTableName().getName();
308 }
309 return row;
310 }
311
312
313
314
315
316
317
318 static byte[] userPermissionKey(UserPermission userPerm) {
319 byte[] qualifier = userPerm.getQualifier();
320 byte[] family = userPerm.getFamily();
321 byte[] key = userPerm.getUser();
322
323 if (family != null && family.length > 0) {
324 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
325 if (qualifier != null && qualifier.length > 0) {
326 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
327 }
328 }
329
330 return key;
331 }
332
333
334
335
336
337 static boolean isAclRegion(HRegion region) {
338 return ACL_TABLE_NAME.equals(region.getTableDesc().getTableName());
339 }
340
341
342
343
344 static boolean isAclTable(HTableDescriptor desc) {
345 return ACL_TABLE_NAME.equals(desc.getTableName());
346 }
347
348
349
350
351
352
353
354
355
356 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
357 HRegion aclRegion)
358 throws IOException {
359
360 if (!isAclRegion(aclRegion)) {
361 throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
362 }
363
364 Map<byte[], ListMultimap<String, TablePermission>> allPerms =
365 new TreeMap<byte[], ListMultimap<String, TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
366
367
368
369 Scan scan = new Scan();
370 scan.addFamily(ACL_LIST_FAMILY);
371
372 InternalScanner iScanner = null;
373 try {
374 iScanner = aclRegion.getScanner(scan);
375
376 while (true) {
377 List<Cell> row = new ArrayList<Cell>();
378
379 boolean hasNext = iScanner.next(row);
380 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
381 byte[] entry = null;
382 for (Cell kv : row) {
383 if (entry == null) {
384 entry = CellUtil.cloneRow(kv);
385 }
386 Pair<String,TablePermission> permissionsOfUserOnTable =
387 parsePermissionRecord(entry, kv);
388 if (permissionsOfUserOnTable != null) {
389 String username = permissionsOfUserOnTable.getFirst();
390 TablePermission permissions = permissionsOfUserOnTable.getSecond();
391 perms.put(username, permissions);
392 }
393 }
394 if (entry != null) {
395 allPerms.put(entry, perms);
396 }
397 if (!hasNext) {
398 break;
399 }
400 }
401 } finally {
402 if (iScanner != null) {
403 iScanner.close();
404 }
405 }
406
407 return allPerms;
408 }
409
410
411
412
413
414 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
415 Configuration conf) throws IOException {
416 Map<byte[], ListMultimap<String,TablePermission>> allPerms =
417 new TreeMap<byte[], ListMultimap<String,TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
418
419
420
421 Scan scan = new Scan();
422 scan.addFamily(ACL_LIST_FAMILY);
423
424 HTable acls = null;
425 ResultScanner scanner = null;
426 try {
427 acls = new HTable(conf, ACL_TABLE_NAME);
428 scanner = acls.getScanner(scan);
429 for (Result row : scanner) {
430 ListMultimap<String,TablePermission> resultPerms =
431 parsePermissions(row.getRow(), row);
432 allPerms.put(row.getRow(), resultPerms);
433 }
434 } finally {
435 if (scanner != null) scanner.close();
436 if (acls != null) acls.close();
437 }
438
439 return allPerms;
440 }
441
442 static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
443 TableName tableName) throws IOException {
444 return getPermissions(conf, tableName != null ? tableName.getName() : null);
445 }
446
447 static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
448 String namespace) throws IOException {
449 return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
450 }
451
452
453
454
455
456
457
458
459
460
461 static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
462 byte[] entryName) throws IOException {
463 if (entryName == null) entryName = ACL_TABLE_NAME.getName();
464
465
466 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
467 HTable acls = null;
468 try {
469 acls = new HTable(conf, ACL_TABLE_NAME);
470 Get get = new Get(entryName);
471 get.addFamily(ACL_LIST_FAMILY);
472 Result row = acls.get(get);
473 if (!row.isEmpty()) {
474 perms = parsePermissions(entryName, row);
475 } else {
476 LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
477 + Bytes.toString(entryName));
478 }
479 } finally {
480 if (acls != null) acls.close();
481 }
482
483 return perms;
484 }
485
486
487
488
489
490 static List<UserPermission> getUserTablePermissions(
491 Configuration conf, TableName tableName) throws IOException {
492 return getUserPermissions(conf, tableName == null ? null : tableName.getName());
493 }
494
495 static List<UserPermission> getUserNamespacePermissions(
496 Configuration conf, String namespace) throws IOException {
497 return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
498 }
499
500 static List<UserPermission> getUserPermissions(
501 Configuration conf, byte[] entryName)
502 throws IOException {
503 ListMultimap<String,TablePermission> allPerms = getPermissions(
504 conf, entryName);
505
506 List<UserPermission> perms = new ArrayList<UserPermission>();
507
508 for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
509 UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
510 entry.getValue().getTableName(), entry.getValue().getFamily(),
511 entry.getValue().getQualifier(), entry.getValue().getActions());
512 perms.add(up);
513 }
514 return perms;
515 }
516
517 private static ListMultimap<String, TablePermission> parsePermissions(
518 byte[] entryName, Result result) {
519 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
520 if (result != null && result.size() > 0) {
521 for (Cell kv : result.rawCells()) {
522
523 Pair<String,TablePermission> permissionsOfUserOnTable =
524 parsePermissionRecord(entryName, kv);
525
526 if (permissionsOfUserOnTable != null) {
527 String username = permissionsOfUserOnTable.getFirst();
528 TablePermission permissions = permissionsOfUserOnTable.getSecond();
529 perms.put(username, permissions);
530 }
531 }
532 }
533 return perms;
534 }
535
536 private static Pair<String, TablePermission> parsePermissionRecord(
537 byte[] entryName, Cell kv) {
538
539 byte[] family = CellUtil.cloneFamily(kv);
540
541 if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
542 return null;
543 }
544
545 byte[] key = CellUtil.cloneQualifier(kv);
546 byte[] value = CellUtil.cloneValue(kv);
547 if (LOG.isDebugEnabled()) {
548 LOG.debug("Read acl: kv ["+
549 Bytes.toStringBinary(key)+": "+
550 Bytes.toStringBinary(value)+"]");
551 }
552
553
554
555 String username = Bytes.toString(key);
556
557
558 if(isNamespaceEntry(entryName)) {
559 return new Pair<String, TablePermission>(username,
560 new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
561 }
562
563
564
565 int idx = username.indexOf(ACL_KEY_DELIMITER);
566 byte[] permFamily = null;
567 byte[] permQualifier = null;
568 if (idx > 0 && idx < username.length()-1) {
569 String remainder = username.substring(idx+1);
570 username = username.substring(0, idx);
571 idx = remainder.indexOf(ACL_KEY_DELIMITER);
572 if (idx > 0 && idx < remainder.length()-1) {
573 permFamily = Bytes.toBytes(remainder.substring(0, idx));
574 permQualifier = Bytes.toBytes(remainder.substring(idx+1));
575 } else {
576 permFamily = Bytes.toBytes(remainder);
577 }
578 }
579
580 return new Pair<String,TablePermission>(username,
581 new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
582 }
583
584
585
586
587
588
589
590 public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
591 Configuration conf) {
592 return ProtobufUtil.prependPBMagic(ProtobufUtil.toUserTablePermissions(perms).toByteArray());
593 }
594
595
596
597
598
599 public static ListMultimap<String, TablePermission> readPermissions(byte[] data,
600 Configuration conf)
601 throws DeserializationException {
602 if (ProtobufUtil.isPBMagicPrefix(data)) {
603 int pblen = ProtobufUtil.lengthOfPBMagic();
604 try {
605 AccessControlProtos.UsersAndPermissions perms =
606 AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
607 data, pblen, data.length - pblen).build();
608 return ProtobufUtil.toUserTablePermissions(perms);
609 } catch (InvalidProtocolBufferException e) {
610 throw new DeserializationException(e);
611 }
612 } else {
613 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
614 try {
615 DataInput in = new DataInputStream(new ByteArrayInputStream(data));
616 int length = in.readInt();
617 for (int i=0; i<length; i++) {
618 String user = Text.readString(in);
619 List<TablePermission> userPerms =
620 (List)HbaseObjectWritableFor96Migration.readObject(in, conf);
621 perms.putAll(user, userPerms);
622 }
623 } catch (IOException e) {
624 throw new DeserializationException(e);
625 }
626 return perms;
627 }
628 }
629
630
631
632
633
634
635 public static boolean isGroupPrincipal(String name) {
636 return name != null && name.startsWith(GROUP_PREFIX);
637 }
638
639
640
641
642
643 public static String getGroupName(String aclKey) {
644 if (!isGroupPrincipal(aclKey)) {
645 return aclKey;
646 }
647
648 return aclKey.substring(GROUP_PREFIX.length());
649 }
650
651 public static boolean isNamespaceEntry(String entryName) {
652 return entryName.charAt(0) == NAMESPACE_PREFIX;
653 }
654
655 public static boolean isNamespaceEntry(byte[] entryName) {
656 return entryName[0] == NAMESPACE_PREFIX;
657 }
658
659 public static String toNamespaceEntry(String namespace) {
660 return NAMESPACE_PREFIX + namespace;
661 }
662
663 public static String fromNamespaceEntry(String namespace) {
664 if(namespace.charAt(0) != NAMESPACE_PREFIX)
665 throw new IllegalArgumentException("Argument is not a valid namespace entry");
666 return namespace.substring(1);
667 }
668
669 public static byte[] toNamespaceEntry(byte[] namespace) {
670 byte[] ret = new byte[namespace.length+1];
671 ret[0] = NAMESPACE_PREFIX;
672 System.arraycopy(namespace, 0, ret, 1, namespace.length);
673 return ret;
674 }
675
676 public static byte[] fromNamespaceEntry(byte[] namespace) {
677 if(namespace[0] != NAMESPACE_PREFIX) {
678 throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
679 Bytes.toString(namespace));
680 }
681 return Arrays.copyOfRange(namespace, 1, namespace.length);
682 }
683
684 public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
685 throws IOException {
686
687 if (cell.getTagsLengthUnsigned() == 0) {
688 return null;
689 }
690 List<Permission> results = Lists.newArrayList();
691 Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),
692 cell.getTagsLengthUnsigned());
693 while (tagsIterator.hasNext()) {
694 Tag tag = tagsIterator.next();
695 if (tag.getType() == ACL_TAG_TYPE) {
696
697 ListMultimap<String,Permission> kvPerms = ProtobufUtil.toUsersAndPermissions(
698 AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
699 tag.getBuffer(), tag.getTagOffset(), tag.getTagLength()).build());
700
701 List<Permission> userPerms = kvPerms.get(user.getShortName());
702 if (userPerms != null) {
703 results.addAll(userPerms);
704 }
705
706 String groupNames[] = user.getGroupNames();
707 if (groupNames != null) {
708 for (String group : groupNames) {
709 List<Permission> groupPerms = kvPerms.get(GROUP_PREFIX + group);
710 if (results != null) {
711 results.addAll(groupPerms);
712 }
713 }
714 }
715 }
716 }
717 return results;
718 }
719 }