org.apache.hadoop.hbase.security.access

Class TableAuthManager

java.lang.Object

org.apache.hadoop.hbase.security.access.TableAuthManager

@InterfaceAudience.Private
public class TableAuthManager
extends Object

Performs authorization checks for a given user's assigned permissions

Method Summary

Methods

Modifier and Type	Method and Description
boolean	authorize(User user, Permission.Action action) Authorize a global permission based on ACLs for the given user and the user's groups.
boolean	authorize(User user, String namespace, Permission.Action action)
boolean	authorize(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
boolean	authorize(User user, TableName table, byte[] family, Permission.Action action)
boolean	authorize(User user, TableName table, Cell cell, Permission.Action action) Authorize a user for a given KV.
boolean	authorizeGroup(String groupName, Permission.Action action) Checks global authorization for a given action for a group, based on the stored permissions.
boolean	authorizeGroup(String groupName, TableName table, byte[] family, Permission.Action action) Checks authorization to a given table and column family for a group, based on the stored permissions.
boolean	authorizeUser(User user, Permission.Action action) Checks global authorization for a specific action for a user, based on the stored user permissions.
boolean	authorizeUser(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
boolean	authorizeUser(User user, TableName table, byte[] family, Permission.Action action) Checks authorization to a given table and column family for a user, based on the stored user permissions.
static TableAuthManager	get(ZooKeeperWatcher watcher, org.apache.hadoop.conf.Configuration conf)
long	getMTime()
ZKPermissionWatcher	getZKPermissionWatcher()
boolean	matchPermission(User user, TableName table, byte[] family, byte[] qualifier, Permission.Action action)
boolean	matchPermission(User user, TableName table, byte[] family, Permission.Action action) Returns true if the given user has a TablePermission matching up to the column family portion of a permission.
void	refreshNamespaceCacheFromWritable(String namespace, byte[] data)
void	refreshTableCacheFromWritable(TableName table, byte[] data)
void	removeNamespace(byte[] ns)
void	removeTable(TableName table)
void	setNamespaceGroupPermissions(String group, String namespace, List<TablePermission> perms) Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
void	setNamespaceUserPermissions(String username, String namespace, List<TablePermission> perms) Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.
void	setTableGroupPermissions(String group, TableName table, List<TablePermission> perms) Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
void	setTableUserPermissions(String username, TableName table, List<TablePermission> perms) Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.
void	writeNamespaceToZooKeeper(String namespace, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)
void	writeTableToZooKeeper(TableName table, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getZKPermissionWatcher

public ZKPermissionWatcher getZKPermissionWatcher()

refreshTableCacheFromWritable

public void refreshTableCacheFromWritable(TableName table,
                                 byte[] data)
                                   throws IOException

Throws:

IOException

refreshNamespaceCacheFromWritable

public void refreshNamespaceCacheFromWritable(String namespace,
                                     byte[] data)
                                       throws IOException

Throws:

IOException

authorize

public boolean authorize(User user,
                Permission.Action action)

Authorize a global permission based on ACLs for the given user and the user's groups.

Parameters:

user -

action -

Returns:

true if known and authorized, false otherwise

authorize

public boolean authorize(User user,
                TableName table,
                Cell cell,
                Permission.Action action)

Authorize a user for a given KV. This is called from AccessControlFilter.

authorize

public boolean authorize(User user,
                String namespace,
                Permission.Action action)

authorizeUser

public boolean authorizeUser(User user,
                    Permission.Action action)

Checks global authorization for a specific action for a user, based on the stored user permissions.

authorizeUser

public boolean authorizeUser(User user,
                    TableName table,
                    byte[] family,
                    Permission.Action action)

Checks authorization to a given table and column family for a user, based on the stored user permissions.

Parameters:

user -

table -

family -

action -

Returns:

true if known and authorized, false otherwise

authorizeUser

public boolean authorizeUser(User user,
                    TableName table,
                    byte[] family,
                    byte[] qualifier,
                    Permission.Action action)

authorizeGroup

public boolean authorizeGroup(String groupName,
                     Permission.Action action)

Checks global authorization for a given action for a group, based on the stored permissions.

authorizeGroup

public boolean authorizeGroup(String groupName,
                     TableName table,
                     byte[] family,
                     Permission.Action action)

Checks authorization to a given table and column family for a group, based on the stored permissions.

Parameters:

groupName -

table -

family -

action -

Returns:

true if known and authorized, false otherwise

authorize

public boolean authorize(User user,
                TableName table,
                byte[] family,
                byte[] qualifier,
                Permission.Action action)

authorize

public boolean authorize(User user,
                TableName table,
                byte[] family,
                Permission.Action action)

matchPermission

public boolean matchPermission(User user,
                      TableName table,
                      byte[] family,
                      Permission.Action action)

Returns true if the given user has a TablePermission matching up to the column family portion of a permission. Note that this permission may be scoped to a given column qualifier and does not guarantee that authorize() on the same column family would return true.

matchPermission

public boolean matchPermission(User user,
                      TableName table,
                      byte[] family,
                      byte[] qualifier,
                      Permission.Action action)

removeNamespace

public void removeNamespace(byte[] ns)

removeTable

public void removeTable(TableName table)

setTableUserPermissions

public void setTableUserPermissions(String username,
                           TableName table,
                           List<TablePermission> perms)

Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.

Parameters:

username -

table -

perms -

setTableGroupPermissions

public void setTableGroupPermissions(String group,
                            TableName table,
                            List<TablePermission> perms)

Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:

group -

table -

perms -

setNamespaceUserPermissions

public void setNamespaceUserPermissions(String username,
                               String namespace,
                               List<TablePermission> perms)

Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.

Parameters:

username -

namespace -

perms -

setNamespaceGroupPermissions

public void setNamespaceGroupPermissions(String group,
                                String namespace,
                                List<TablePermission> perms)

Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:

group -

namespace -

perms -

writeTableToZooKeeper

public void writeTableToZooKeeper(TableName table,
                         org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)

writeNamespaceToZooKeeper

public void writeNamespaceToZooKeeper(String namespace,
                             org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<TablePermission> tablePerms)

getMTime

public long getMTime()

get

public static TableAuthManager get(ZooKeeperWatcher watcher,
                   org.apache.hadoop.conf.Configuration conf)
                            throws IOException

Throws:

IOException