1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.hadoop.hbase.security.access;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.DataInput;
23 import java.io.DataInputStream;
24 import java.io.IOException;
25 import java.util.ArrayList;
26 import java.util.Arrays;
27 import java.util.Iterator;
28 import java.util.List;
29 import java.util.Map;
30 import java.util.Set;
31 import java.util.TreeMap;
32 import java.util.TreeSet;
33
34 import org.apache.commons.logging.Log;
35 import org.apache.commons.logging.LogFactory;
36 import org.apache.hadoop.conf.Configuration;
37 import org.apache.hadoop.hbase.Cell;
38 import org.apache.hadoop.hbase.CellUtil;
39 import org.apache.hadoop.hbase.HColumnDescriptor;
40 import org.apache.hadoop.hbase.HConstants;
41 import org.apache.hadoop.hbase.HTableDescriptor;
42 import org.apache.hadoop.hbase.NamespaceDescriptor;
43 import org.apache.hadoop.hbase.TableName;
44 import org.apache.hadoop.hbase.Tag;
45 import org.apache.hadoop.hbase.TagType;
46 import org.apache.hadoop.hbase.classification.InterfaceAudience;
47 import org.apache.hadoop.hbase.client.Connection;
48 import org.apache.hadoop.hbase.client.ConnectionFactory;
49 import org.apache.hadoop.hbase.client.Delete;
50 import org.apache.hadoop.hbase.client.Get;
51 import org.apache.hadoop.hbase.client.Put;
52 import org.apache.hadoop.hbase.client.Result;
53 import org.apache.hadoop.hbase.client.ResultScanner;
54 import org.apache.hadoop.hbase.client.Scan;
55 import org.apache.hadoop.hbase.client.Table;
56 import org.apache.hadoop.hbase.exceptions.DeserializationException;
57 import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
58 import org.apache.hadoop.hbase.filter.QualifierFilter;
59 import org.apache.hadoop.hbase.filter.RegexStringComparator;
60 import org.apache.hadoop.hbase.master.MasterServices;
61 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
62 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
63 import org.apache.hadoop.hbase.regionserver.BloomType;
64 import org.apache.hadoop.hbase.regionserver.HRegion;
65 import org.apache.hadoop.hbase.regionserver.InternalScanner;
66 import org.apache.hadoop.hbase.security.User;
67 import org.apache.hadoop.hbase.util.Bytes;
68 import org.apache.hadoop.hbase.util.Pair;
69 import org.apache.hadoop.io.Text;
70
71 import com.google.common.collect.ArrayListMultimap;
72 import com.google.common.collect.ListMultimap;
73 import com.google.common.collect.Lists;
74 import com.google.protobuf.InvalidProtocolBufferException;
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99 @InterfaceAudience.Private
100 public class AccessControlLists {
101
102 public static final TableName ACL_TABLE_NAME =
103 TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
104 public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
105
106 public static final String ACL_LIST_FAMILY_STR = "l";
107 public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
108
109 public static final byte ACL_TAG_TYPE = TagType.ACL_TAG_TYPE;
110
111 public static final char NAMESPACE_PREFIX = '@';
112
113
114
115
116 public static final char ACL_KEY_DELIMITER = ',';
117
118 public static final String GROUP_PREFIX = "@";
119
120 public static final String SUPERUSER_CONF_KEY = "hbase.superuser";
121
122 private static Log LOG = LogFactory.getLog(AccessControlLists.class);
123
124
125
126
127
128
129 static void createACLTable(MasterServices master) throws IOException {
130 master.createTable(new HTableDescriptor(ACL_TABLE_NAME)
131 .addFamily(new HColumnDescriptor(ACL_LIST_FAMILY)
132 .setMaxVersions(1)
133 .setInMemory(true)
134 .setBlockCacheEnabled(true)
135 .setBlocksize(8 * 1024)
136 .setBloomFilterType(BloomType.NONE)
137 .setScope(HConstants.REPLICATION_SCOPE_LOCAL)
138
139
140 .setCacheDataInL1(true)),
141 null);
142 }
143
144
145
146
147
148
149
150 static void addUserPermission(Configuration conf, UserPermission userPerm)
151 throws IOException {
152 Permission.Action[] actions = userPerm.getActions();
153 byte[] rowKey = userPermissionRowKey(userPerm);
154 Put p = new Put(rowKey);
155 byte[] key = userPermissionKey(userPerm);
156
157 if ((actions == null) || (actions.length == 0)) {
158 String msg = "No actions associated with user '" + Bytes.toString(userPerm.getUser()) + "'";
159 LOG.warn(msg);
160 throw new IOException(msg);
161 }
162
163 byte[] value = new byte[actions.length];
164 for (int i = 0; i < actions.length; i++) {
165 value[i] = actions[i].code();
166 }
167 p.addImmutable(ACL_LIST_FAMILY, key, value);
168 if (LOG.isDebugEnabled()) {
169 LOG.debug("Writing permission with rowKey "+
170 Bytes.toString(rowKey)+" "+
171 Bytes.toString(key)+": "+Bytes.toStringBinary(value)
172 );
173 }
174
175 try (Connection connection = ConnectionFactory.createConnection(conf)) {
176 try (Table table = connection.getTable(ACL_TABLE_NAME)) {
177 table.put(p);
178 }
179 }
180 }
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195 static void removeUserPermission(Configuration conf, UserPermission userPerm)
196 throws IOException {
197 Delete d = new Delete(userPermissionRowKey(userPerm));
198 byte[] key = userPermissionKey(userPerm);
199
200 if (LOG.isDebugEnabled()) {
201 LOG.debug("Removing permission "+ userPerm.toString());
202 }
203 d.addColumns(ACL_LIST_FAMILY, key);
204
205 try (Connection connection = ConnectionFactory.createConnection(conf)) {
206 try (Table table = connection.getTable(ACL_TABLE_NAME)) {
207 table.delete(d);
208 }
209 }
210 }
211
212
213
214
215 static void removeTablePermissions(Configuration conf, TableName tableName)
216 throws IOException{
217 Delete d = new Delete(tableName.getName());
218
219 if (LOG.isDebugEnabled()) {
220 LOG.debug("Removing permissions of removed table "+ tableName);
221 }
222
223 try (Connection connection = ConnectionFactory.createConnection(conf)) {
224 try (Table table = connection.getTable(ACL_TABLE_NAME)) {
225 table.delete(d);
226 }
227 }
228 }
229
230
231
232
233 static void removeNamespacePermissions(Configuration conf, String namespace)
234 throws IOException{
235 Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
236
237 if (LOG.isDebugEnabled()) {
238 LOG.debug("Removing permissions of removed namespace "+ namespace);
239 }
240
241 try (Connection connection = ConnectionFactory.createConnection(conf)) {
242 try (Table table = connection.getTable(ACL_TABLE_NAME)) {
243 table.delete(d);
244 }
245 }
246 }
247
248
249
250
251 static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column)
252 throws IOException{
253
254 if (LOG.isDebugEnabled()) {
255 LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
256 " from table "+ tableName);
257 }
258
259 try (Connection connection = ConnectionFactory.createConnection(conf)) {
260 try (Table table = connection.getTable(ACL_TABLE_NAME)) {
261 Scan scan = new Scan();
262 scan.addFamily(ACL_LIST_FAMILY);
263
264 String columnName = Bytes.toString(column);
265 scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator(
266 String.format("(%s%s%s)|(%s%s)$",
267 ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
268 ACL_KEY_DELIMITER, columnName))));
269
270 Set<byte[]> qualifierSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
271 ResultScanner scanner = table.getScanner(scan);
272 try {
273 for (Result res : scanner) {
274 for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
275 qualifierSet.add(q);
276 }
277 }
278 } finally {
279 scanner.close();
280 }
281
282 if (qualifierSet.size() > 0) {
283 Delete d = new Delete(tableName.getName());
284 for (byte[] qualifier : qualifierSet) {
285 d.addColumns(ACL_LIST_FAMILY, qualifier);
286 }
287 table.delete(d);
288 }
289 }
290 }
291 }
292
293 static byte[] userPermissionRowKey(UserPermission userPerm) {
294 byte[] row;
295 if(userPerm.hasNamespace()) {
296 row = Bytes.toBytes(toNamespaceEntry(userPerm.getNamespace()));
297 } else if(userPerm.isGlobal()) {
298 row = ACL_GLOBAL_NAME;
299 } else {
300 row = userPerm.getTableName().getName();
301 }
302 return row;
303 }
304
305
306
307
308
309
310
311 static byte[] userPermissionKey(UserPermission userPerm) {
312 byte[] qualifier = userPerm.getQualifier();
313 byte[] family = userPerm.getFamily();
314 byte[] key = userPerm.getUser();
315
316 if (family != null && family.length > 0) {
317 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
318 if (qualifier != null && qualifier.length > 0) {
319 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
320 }
321 }
322
323 return key;
324 }
325
326
327
328
329
330 static boolean isAclRegion(HRegion region) {
331 return ACL_TABLE_NAME.equals(region.getTableDesc().getTableName());
332 }
333
334
335
336
337 static boolean isAclTable(HTableDescriptor desc) {
338 return ACL_TABLE_NAME.equals(desc.getTableName());
339 }
340
341
342
343
344
345
346
347
348
349 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
350 HRegion aclRegion)
351 throws IOException {
352
353 if (!isAclRegion(aclRegion)) {
354 throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
355 }
356
357 Map<byte[], ListMultimap<String, TablePermission>> allPerms =
358 new TreeMap<byte[], ListMultimap<String, TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
359
360
361
362 Scan scan = new Scan();
363 scan.addFamily(ACL_LIST_FAMILY);
364
365 InternalScanner iScanner = null;
366 try {
367 iScanner = aclRegion.getScanner(scan);
368
369 while (true) {
370 List<Cell> row = new ArrayList<Cell>();
371
372 boolean hasNext = iScanner.next(row);
373 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
374 byte[] entry = null;
375 for (Cell kv : row) {
376 if (entry == null) {
377 entry = CellUtil.cloneRow(kv);
378 }
379 Pair<String,TablePermission> permissionsOfUserOnTable =
380 parsePermissionRecord(entry, kv);
381 if (permissionsOfUserOnTable != null) {
382 String username = permissionsOfUserOnTable.getFirst();
383 TablePermission permissions = permissionsOfUserOnTable.getSecond();
384 perms.put(username, permissions);
385 }
386 }
387 if (entry != null) {
388 allPerms.put(entry, perms);
389 }
390 if (!hasNext) {
391 break;
392 }
393 }
394 } finally {
395 if (iScanner != null) {
396 iScanner.close();
397 }
398 }
399
400 return allPerms;
401 }
402
403
404
405
406
407 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
408 Configuration conf) throws IOException {
409 Map<byte[], ListMultimap<String,TablePermission>> allPerms =
410 new TreeMap<byte[], ListMultimap<String,TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
411
412
413
414 Scan scan = new Scan();
415 scan.addFamily(ACL_LIST_FAMILY);
416
417 ResultScanner scanner = null;
418
419 try (Connection connection = ConnectionFactory.createConnection(conf)) {
420 try (Table table = connection.getTable(ACL_TABLE_NAME)) {
421 scanner = table.getScanner(scan);
422 try {
423 for (Result row : scanner) {
424 ListMultimap<String,TablePermission> resultPerms = parsePermissions(row.getRow(), row);
425 allPerms.put(row.getRow(), resultPerms);
426 }
427 } finally {
428 if (scanner != null) scanner.close();
429 }
430 }
431 }
432
433 return allPerms;
434 }
435
436 static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
437 TableName tableName) throws IOException {
438 return getPermissions(conf, tableName != null ? tableName.getName() : null);
439 }
440
441 static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
442 String namespace) throws IOException {
443 return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
444 }
445
446
447
448
449
450
451
452
453
454
455 static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
456 byte[] entryName) throws IOException {
457 if (entryName == null) entryName = ACL_GLOBAL_NAME;
458
459
460 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
461
462 try (Connection connection = ConnectionFactory.createConnection(conf)) {
463 try (Table table = connection.getTable(ACL_TABLE_NAME)) {
464 Get get = new Get(entryName);
465 get.addFamily(ACL_LIST_FAMILY);
466 Result row = table.get(get);
467 if (!row.isEmpty()) {
468 perms = parsePermissions(entryName, row);
469 } else {
470 LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
471 + Bytes.toString(entryName));
472 }
473 }
474 }
475
476 return perms;
477 }
478
479
480
481
482
483 static List<UserPermission> getUserTablePermissions(
484 Configuration conf, TableName tableName) throws IOException {
485 return getUserPermissions(conf, tableName == null ? null : tableName.getName());
486 }
487
488 static List<UserPermission> getUserNamespacePermissions(
489 Configuration conf, String namespace) throws IOException {
490 return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
491 }
492
493 static List<UserPermission> getUserPermissions(
494 Configuration conf, byte[] entryName)
495 throws IOException {
496 ListMultimap<String,TablePermission> allPerms = getPermissions(
497 conf, entryName);
498
499 List<UserPermission> perms = new ArrayList<UserPermission>();
500
501 for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
502 UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
503 entry.getValue().getTableName(), entry.getValue().getFamily(),
504 entry.getValue().getQualifier(), entry.getValue().getActions());
505 perms.add(up);
506 }
507 return perms;
508 }
509
510 private static ListMultimap<String, TablePermission> parsePermissions(
511 byte[] entryName, Result result) {
512 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
513 if (result != null && result.size() > 0) {
514 for (Cell kv : result.rawCells()) {
515
516 Pair<String,TablePermission> permissionsOfUserOnTable =
517 parsePermissionRecord(entryName, kv);
518
519 if (permissionsOfUserOnTable != null) {
520 String username = permissionsOfUserOnTable.getFirst();
521 TablePermission permissions = permissionsOfUserOnTable.getSecond();
522 perms.put(username, permissions);
523 }
524 }
525 }
526 return perms;
527 }
528
529 private static Pair<String, TablePermission> parsePermissionRecord(
530 byte[] entryName, Cell kv) {
531
532 byte[] family = CellUtil.cloneFamily(kv);
533
534 if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
535 return null;
536 }
537
538 byte[] key = CellUtil.cloneQualifier(kv);
539 byte[] value = CellUtil.cloneValue(kv);
540 if (LOG.isDebugEnabled()) {
541 LOG.debug("Read acl: kv ["+
542 Bytes.toStringBinary(key)+": "+
543 Bytes.toStringBinary(value)+"]");
544 }
545
546
547
548 String username = Bytes.toString(key);
549
550
551 if(isNamespaceEntry(entryName)) {
552 return new Pair<String, TablePermission>(username,
553 new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
554 }
555
556
557
558 int idx = username.indexOf(ACL_KEY_DELIMITER);
559 byte[] permFamily = null;
560 byte[] permQualifier = null;
561 if (idx > 0 && idx < username.length()-1) {
562 String remainder = username.substring(idx+1);
563 username = username.substring(0, idx);
564 idx = remainder.indexOf(ACL_KEY_DELIMITER);
565 if (idx > 0 && idx < remainder.length()-1) {
566 permFamily = Bytes.toBytes(remainder.substring(0, idx));
567 permQualifier = Bytes.toBytes(remainder.substring(idx+1));
568 } else {
569 permFamily = Bytes.toBytes(remainder);
570 }
571 }
572
573 return new Pair<String,TablePermission>(username,
574 new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
575 }
576
577
578
579
580
581
582
583 public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
584 Configuration conf) {
585 return ProtobufUtil.prependPBMagic(ProtobufUtil.toUserTablePermissions(perms).toByteArray());
586 }
587
588
589
590
591
592 public static ListMultimap<String, TablePermission> readPermissions(byte[] data,
593 Configuration conf)
594 throws DeserializationException {
595 if (ProtobufUtil.isPBMagicPrefix(data)) {
596 int pblen = ProtobufUtil.lengthOfPBMagic();
597 try {
598 AccessControlProtos.UsersAndPermissions perms =
599 AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
600 data, pblen, data.length - pblen).build();
601 return ProtobufUtil.toUserTablePermissions(perms);
602 } catch (InvalidProtocolBufferException e) {
603 throw new DeserializationException(e);
604 }
605 } else {
606 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
607 try {
608 DataInput in = new DataInputStream(new ByteArrayInputStream(data));
609 int length = in.readInt();
610 for (int i=0; i<length; i++) {
611 String user = Text.readString(in);
612 List<TablePermission> userPerms =
613 (List)HbaseObjectWritableFor96Migration.readObject(in, conf);
614 perms.putAll(user, userPerms);
615 }
616 } catch (IOException e) {
617 throw new DeserializationException(e);
618 }
619 return perms;
620 }
621 }
622
623
624
625
626
627
628 public static boolean isGroupPrincipal(String name) {
629 return name != null && name.startsWith(GROUP_PREFIX);
630 }
631
632
633
634
635
636 public static String getGroupName(String aclKey) {
637 if (!isGroupPrincipal(aclKey)) {
638 return aclKey;
639 }
640
641 return aclKey.substring(GROUP_PREFIX.length());
642 }
643
644
645
646
647 public static String toGroupEntry(String name) {
648 return GROUP_PREFIX + name;
649 }
650
651 public static boolean isNamespaceEntry(String entryName) {
652 return entryName.charAt(0) == NAMESPACE_PREFIX;
653 }
654
655 public static boolean isNamespaceEntry(byte[] entryName) {
656 return entryName[0] == NAMESPACE_PREFIX;
657 }
658
659 public static String toNamespaceEntry(String namespace) {
660 return NAMESPACE_PREFIX + namespace;
661 }
662
663 public static String fromNamespaceEntry(String namespace) {
664 if(namespace.charAt(0) != NAMESPACE_PREFIX)
665 throw new IllegalArgumentException("Argument is not a valid namespace entry");
666 return namespace.substring(1);
667 }
668
669 public static byte[] toNamespaceEntry(byte[] namespace) {
670 byte[] ret = new byte[namespace.length+1];
671 ret[0] = NAMESPACE_PREFIX;
672 System.arraycopy(namespace, 0, ret, 1, namespace.length);
673 return ret;
674 }
675
676 public static byte[] fromNamespaceEntry(byte[] namespace) {
677 if(namespace[0] != NAMESPACE_PREFIX) {
678 throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
679 Bytes.toString(namespace));
680 }
681 return Arrays.copyOfRange(namespace, 1, namespace.length);
682 }
683
684 public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
685 throws IOException {
686
687 if (cell.getTagsLength() == 0) {
688 return null;
689 }
690 List<Permission> results = Lists.newArrayList();
691 Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),
692 cell.getTagsLength());
693 while (tagsIterator.hasNext()) {
694 Tag tag = tagsIterator.next();
695 if (tag.getType() == ACL_TAG_TYPE) {
696
697 ListMultimap<String,Permission> kvPerms = ProtobufUtil.toUsersAndPermissions(
698 AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
699 tag.getBuffer(), tag.getTagOffset(), tag.getTagLength()).build());
700
701 List<Permission> userPerms = kvPerms.get(user.getShortName());
702 if (userPerms != null) {
703 results.addAll(userPerms);
704 }
705
706 String groupNames[] = user.getGroupNames();
707 if (groupNames != null) {
708 for (String group : groupNames) {
709 List<Permission> groupPerms = kvPerms.get(GROUP_PREFIX + group);
710 if (results != null) {
711 results.addAll(groupPerms);
712 }
713 }
714 }
715 }
716 }
717 return results;
718 }
719 }