http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 602af91..5a3c883 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -23,7 +23,6 @@ import com.google.protobuf.RpcCallback;
 import com.google.protobuf.RpcController;
 import com.google.protobuf.Service;
 import java.io.IOException;
- import java.net.InetAddress;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -96,7 +95,6 @@ import org.apache.hadoop.hbase.filter.FilterList;
 import org.apache.hadoop.hbase.io.hfile.HFile;
 import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;
 import org.apache.hadoop.hbase.ipc.RpcServer;
- import org.apache.hadoop.hbase.net.Address;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
@@ -186,10 +184,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 private static final String TAG_CHECK_PASSED = "tag_check_passed";
 private static final byte[] TRUE = Bytes.toBytes(true);
- TableAuthManager authManager = null;
+ private AccessChecker accessChecker;
 /** flags if we are running on a region of the _acl_ table */
- boolean aclRegion = false;
+ private boolean aclRegion = false;
 /** defined only for Endpoint implementation, so it can have way to access region services */
@@ -204,19 +202,19 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 /** Provider for mapping principal names to Users */
 private UserProvider userProvider;
- /** if we are active, usually true, only not true if "hbase.security.authorization"
- has been set to false in site configuration */
- boolean authorizationEnabled;
+ /** if we are active, usually false, only true if "hbase.security.authorization"
+ has been set to true in site configuration */
+ private boolean authorizationEnabled;
 /** if we are able to support cell ACLs */
- boolean cellFeaturesEnabled;
+ private boolean cellFeaturesEnabled;
 /** if we should check EXEC permissions */
- boolean shouldCheckExecPermission;
+ private boolean shouldCheckExecPermission;
 /** if we should terminate access checks early as soon as table or CF grants allow access; pre-0.98 compatible behavior */
- boolean compatibleEarlyTermination;
+ private boolean compatibleEarlyTermination;
 /** if we have been successfully initialized */
 private volatile boolean initialized = false;
@@ -224,12 +222,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 /** if the ACL table is available, only relevant in the master */
 private volatile boolean aclTabAvailable = false;
- public static boolean isAuthorizationSupported(Configuration conf) {
- return conf.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true);
- }
-
 public static boolean isCellAuthorizationSupported(Configuration conf) {
- return isAuthorizationSupported(conf) &&
+ return AccessChecker.isAuthorizationSupported(conf) &&
 (HFile.getFormatVersion(conf) >= HFile.MIN_FORMAT_VERSION_WITH_TAGS);
 }
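Review bot: The rewritten comment on `authorizationEnabled` in the hunk at -204,19 inverts the documented default: it now says the flag is "usually false" and only true when "hbase.security.authorization" is set to true, while the `isAuthorizationSupported` removed in the next hunk (-224,12) read that key with a default of `true`. `AccessChecker.isAuthorizationSupported` is not visible in this diff, so it cannot be told from here whether the default changed. If it still defaults to true, the old wording should stay: `/** if we are active, usually true, only not true if "hbase.security.authorization" has been set to false in site configuration */`. If the default really did flip, clusters that load this coprocessor without setting the key would go from enforcing to audit-only, and that belongs in the commit description rather than in a field comment.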
@@ -238,10 +232,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 }
 public TableAuthManager getAuthManager() {
- return authManager;
+ return accessChecker.getAuthManager();
 }
- void initialize(RegionCoprocessorEnvironment e) throws IOException {
+ private void initialize(RegionCoprocessorEnvironment e) throws IOException {
 final Region region = e.getRegion();
 Configuration conf = e.getConfiguration();
 Map<byte[], ListMultimap<String,TablePermission>> tables =
@@ -253,7 +247,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 byte[] entry = t.getKey();
 ListMultimap<String,TablePermission> perms = t.getValue();
 byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
- this.authManager.getZKPermissionWatcher().writeToZookeeper(entry, serialized);
+ getAuthManager().getZKPermissionWatcher().writeToZookeeper(entry, serialized);
 }
 initialized = true;
 }
@@ -263,7 +257,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 * znodes. This is called to synchronize ACL changes following {@code _acl_}
 * table updates.
 */
- void updateACL(RegionCoprocessorEnvironment e,
+ private void updateACL(RegionCoprocessorEnvironment e,
 final Map<byte[], List<Cell>> familyMap) {
 Set<byte[]> entries = new TreeSet<>(Bytes.BYTES_RAWCOMPARATOR);
 for (Map.Entry<byte[], List<Cell>> f : familyMap.entrySet()) {
@@ -274,7 +268,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 }
 }
 }
- ZKPermissionWatcher zkw = this.authManager.getZKPermissionWatcher();
+ ZKPermissionWatcher zkw = getAuthManager().getZKPermissionWatcher();
 Configuration conf = regionEnv.getConfiguration();
 byte [] currentEntry = null;
 // TODO: Here we are already on the ACL region. (And it is single
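Review bot: `getAuthManager()` in the hunk at -238,10 now dereferences `accessChecker`, which is only assigned in `start()` (hunk at -980,27), so a call made before `start()` has run, or after `start()` has thrown, raises a NullPointerException where the old getter returned null. The same root cause affects `stop()` in the hunk at -980,27, which lost its `if (this.authManager != null)` guard and now calls `TableAuthManager.release(getAuthManager())` unconditionally. Keeping the old behaviour takes `return accessChecker == null ? null : accessChecker.getAuthManager();` in the getter and `if (accessChecker != null) { TableAuthManager.release(getAuthManager()); }` in `stop()`. Whether the coprocessor host calls `stop()` after a failed `start()` is not visible in this diff.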
@@ -312,7 +306,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 * the request
 * @return an authorization result
 */
- AuthResult permissionGranted(String request, User user, Action permRequest,
+ private AuthResult permissionGranted(String request, User user, Action permRequest,
 RegionCoprocessorEnvironment e, Map<byte [], ? extends Collection<?>> families) {
 RegionInfo hri = e.getRegion().getRegionInfo();
@@ -333,7 +327,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 }
 // 2. check for the table-level, if successful we can short-circuit
- if (authManager.authorize(user, tableName, (byte[])null, permRequest)) {
+ if (getAuthManager().authorize(user, tableName, (byte[])null, permRequest)) {
 return AuthResult.allow(request, "Table permission granted", user, permRequest, tableName, families);
 }
@@ -343,7 +337,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 // all families must pass
 for (Map.Entry<byte [], ? extends Collection<?>> family : families.entrySet()) {
 // a) check for family level access
- if (authManager.authorize(user, tableName, family.getKey(),
+ if (getAuthManager().authorize(user, tableName, family.getKey(),
 permRequest)) {
 continue; // family-level permission overrides per-qualifier
 }
@@ -354,7 +348,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 // for each qualifier of the family
 Set<byte[]> familySet = (Set<byte[]>)family.getValue();
 for (byte[] qualifier : familySet) {
- if (!authManager.authorize(user, tableName, family.getKey(),
+ if (!getAuthManager().authorize(user, tableName, family.getKey(),
 qualifier, permRequest)) {
 return AuthResult.deny(request, "Failed qualifier check", user, permRequest, tableName, makeFamilyMap(family.getKey(), qualifier));
@@ -363,7 +357,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 } else if (family.getValue() instanceof List) { // List<Cell>
 List<Cell> cellList = (List<Cell>)family.getValue();
 for (Cell cell : cellList) {
- if (!authManager.authorize(user, tableName, family.getKey(),
+ if (!getAuthManager().authorize(user, tableName, family.getKey(),
 CellUtil.cloneQualifier(cell), permRequest)) {
 return AuthResult.deny(request, "Failed qualifier check", user, permRequest, tableName, makeFamilyMap(family.getKey(), CellUtil.cloneQualifier(cell)));
@@ -398,7 +392,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 * @param actions the desired actions
 * @return an authorization result
 */
- AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
+ private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
 Map<byte [], ? extends Collection<?>> families, Action... actions) {
 AuthResult result = null;
 for (Action action: actions) {
@@ -410,241 +404,61 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, return result; } - private void logResult(AuthResult result) { - if (AUDITLOG.isTraceEnabled()) { - AUDITLOG.trace("Access " + (result.isAllowed() ? "allowed" : "denied") + " for user " + - (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN") + "; reason: " + - result.getReason() + "; remote address: " + - RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("") + "; request: " + - result.getRequest() + "; context: " + result.toContextString()); - } + public void requireAccess(ObserverContext<?> ctx, String request, TableName tableName, + Action... permissions) throws IOException { + accessChecker.requireAccess(getActiveUser(ctx), request, tableName, permissions); } - /** - * Returns the active user to which authorization checks should be applied. - * If we are in the context of an RPC call, the remote user is used, - * otherwise the currently logged in user is used. - */ - private User getActiveUser(ObserverContext<?> ctx) throws IOException { - // for non-rpc handling, fallback to system user - Optional<User> optionalUser = ctx.getCaller(); - User user; - if (optionalUser.isPresent()) { - return optionalUser.get(); - } - return userProvider.getCurrent(); + public void requirePermission(ObserverContext<?> ctx, String request, + Action perm) throws IOException { + accessChecker.requirePermission(getActiveUser(ctx), request, perm); } - /** - * Authorizes that the current user has any of the given permissions for the - * given table, column family and column qualifier. 
- * @param tableName Table requested - * @param family Column family requested - * @param qualifier Column qualifier requested - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if user has no authorization - */ - private void requirePermission(User user, String request, TableName tableName, byte[] family, - byte[] qualifier, Action... permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, tableName, family, qualifier, permission)) { - result = AuthResult.allow(request, "Table permission granted", user, - permission, tableName, family, qualifier); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", user, - permission, tableName, family, qualifier); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } + public void requireGlobalPermission(ObserverContext<?> ctx, String request, + Action perm, TableName tableName, + Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException { + accessChecker.requireGlobalPermission(getActiveUser(ctx), + request, perm,tableName, familyMap); } - /** - * Authorizes that the current user has any of the given permissions for the - * given table, column family and column qualifier. - * @param tableName Table requested - * @param family Column family param - * @param qualifier Column qualifier param - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if user has no authorization - */ - private void requireTablePermission(User user, String request, TableName tableName, byte[] family, - byte[] qualifier, Action... 
permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, tableName, null, null, permission)) { - result = AuthResult.allow(request, "Table permission granted", user, - permission, tableName, null, null); - result.getParams().setFamily(family).setQualifier(qualifier); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", user, - permission, tableName, family, qualifier); - result.getParams().setFamily(family).setQualifier(qualifier); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } + public void requireGlobalPermission(ObserverContext<?> ctx, String request, + Action perm, String namespace) throws IOException { + accessChecker.requireGlobalPermission(getActiveUser(ctx), + request, perm, namespace); } - /** - * Authorizes that the current user has any of the given permissions to access the table. - * - * @param tableName Table requested - * @param permissions Actions being requested - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if user has no authorization - */ - private void requireAccess(User user, String request, TableName tableName, + public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace, Action... 
permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.hasAccess(user, tableName, permission)) { - result = AuthResult.allow(request, "Table permission granted", user, - permission, tableName, null, null); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", user, - permission, tableName, null, null); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } + accessChecker.requireNamespacePermission(getActiveUser(ctx), + request, namespace, permissions); } - /** - * Authorizes that the current user has global privileges for the given action. - * @param perm The action being requested - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if authorization is denied - */ - private void requirePermission(User user, String request, Action perm) throws IOException { - requireGlobalPermission(user, request, perm, null, null); - } - - /** - * Checks that the user has the given global permission. The generated - * audit log message will contain context information for the operation - * being authorized, based on the given parameters. - * @param perm Action being requested - * @param tableName Affected table name. - * @param familyMap Affected column families. - */ - private void requireGlobalPermission(User user, String request, Action perm, TableName tableName, - Map<byte[], ? 
extends Collection<byte[]>> familyMap) throws IOException { - AuthResult result = null; - if (authManager.authorize(user, perm)) { - result = AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap); - result.getParams().setTableName(tableName).setFamilies(familyMap); - logResult(result); - } else { - result = AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap); - result.getParams().setTableName(tableName).setFamilies(familyMap); - logResult(result); - if (authorizationEnabled) { - throw new AccessDeniedException("Insufficient permissions for user '" + - (user != null ? user.getShortName() : "null") +"' (global, action=" + - perm.toString() + ")"); - } - } + public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace, + TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, + Action... permissions) throws IOException { + accessChecker.requireNamespacePermission(getActiveUser(ctx), + request, namespace, tableName, familyMap, + permissions); } - /** - * Checks that the user has the given global permission. The generated - * audit log message will contain context information for the operation - * being authorized, based on the given parameters. - * @param perm Action being requested - * @param namespace - */ - private void requireGlobalPermission(User user, String request, Action perm, - String namespace) throws IOException { - AuthResult authResult = null; - if (authManager.authorize(user, perm)) { - authResult = AuthResult.allow(request, "Global check allowed", user, perm, null); - authResult.getParams().setNamespace(namespace); - logResult(authResult); - } else { - authResult = AuthResult.deny(request, "Global check failed", user, perm, null); - authResult.getParams().setNamespace(namespace); - logResult(authResult); - if (authorizationEnabled) { - throw new AccessDeniedException("Insufficient permissions for user '" + - (user != null ? 
user.getShortName() : "null") +"' (global, action=" + - perm.toString() + ")"); - } - } + public void requirePermission(ObserverContext<?> ctx, String request, TableName tableName, + byte[] family, byte[] qualifier, Action... permissions) throws IOException { + accessChecker.requirePermission(getActiveUser(ctx), request, + tableName, family, qualifier, permissions); } - /** - * Checks that the user has the given global or namespace permission. - * @param namespace - * @param permissions Actions being requested - */ - public void requireNamespacePermission(User user, String request, String namespace, + public void requireTablePermission(ObserverContext<?> ctx, String request, + TableName tableName,byte[] family, byte[] qualifier, Action... permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, namespace, permission)) { - result = AuthResult.allow(request, "Namespace permission granted", - user, permission, namespace); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", user, - permission, namespace); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " - + result.toContextString()); - } + accessChecker.requireTablePermission(getActiveUser(ctx), + request, tableName, family, qualifier, permissions); } - /** - * Checks that the user has the given global or namespace permission. - * @param namespace - * @param permissions Actions being requested - */ - public void requireNamespacePermission(User user, String request, String namespace, - TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, - Action... 
permissions) + public void checkLockPermissions(ObserverContext<?> ctx, String namespace, + TableName tableName, RegionInfo[] regionInfos, String reason) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, namespace, permission)) { - result = AuthResult.allow(request, "Namespace permission granted", - user, permission, namespace); - result.getParams().setTableName(tableName).setFamilies(familyMap); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", user, - permission, namespace); - result.getParams().setTableName(tableName).setFamilies(familyMap); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " - + result.toContextString()); - } + accessChecker.checkLockPermissions(getActiveUser(ctx), + namespace, tableName, regionInfos, reason); } /** @@ -669,13 +483,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, familyMap.entrySet()) { if (family.getValue() != null && !family.getValue().isEmpty()) { for (byte[] qualifier : family.getValue()) { - if (authManager.matchPermission(user, tableName, + if (getAuthManager().matchPermission(user, tableName, family.getKey(), qualifier, perm)) { return true; } } } else { - if (authManager.matchPermission(user, tableName, family.getKey(), + if (getAuthManager().matchPermission(user, tableName, family.getKey(), perm)) { return true; } @@ -865,7 +679,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, foundColumn = true; for (Action action: actions) { // Are there permissions for this user for the cell? - if (!authManager.authorize(user, getTableName(e), cell, action)) { + if (!getAuthManager().authorize(user, getTableName(e), cell, action)) { // We can stop if the cell ACL denies access return false; } 
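Review bot: The eight `require*` wrappers and `checkLockPermissions` added in the hunk at -410,241 are `public` and carry no Javadoc, while the (mostly private) methods they replace documented that any one of the listed actions suffices and that `AccessDeniedException` is thrown on denial. As these are now the class's authorization entry points, each should get a short Javadoc stating that the check is made for the user returned by `getActiveUser(ctx)`, that it passes when any of `permissions` is granted, and that enforcement rather than audit logging alone depends on the authorization flag held inside `AccessChecker`, which this diff does not show. `getActiveUser(ObserverContext<?>)` is deleted in this hunk yet every wrapper calls it, so it is presumably re-added outside the visible hunks; it is worth confirming that it still falls back to `userProvider.getCurrent()` only when `ctx.getCaller()` is empty. Minor style: `perm,tableName` and `tableName,byte[] family` are missing the space after the comma.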
@@ -940,7 +754,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 CompoundConfiguration conf = new CompoundConfiguration();
 conf.add(env.getConfiguration());
- authorizationEnabled = isAuthorizationSupported(conf);
+ authorizationEnabled = AccessChecker.isAuthorizationSupported(conf);
 if (!authorizationEnabled) {
 LOG.warn("The AccessController has been loaded with authorization checks disabled.");
 }
@@ -980,27 +794,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 // set the user-provider.
 this.userProvider = UserProvider.instantiate(env.getConfiguration());
-
- // If zk is null or IOException while obtaining auth manager,
- // throw RuntimeException so that the coprocessor is unloaded.
- if (zk != null) {
- try {
- this.authManager = TableAuthManager.getOrCreate(zk, env.getConfiguration());
- } catch (IOException ioe) {
- throw new RuntimeException("Error obtaining TableAuthManager", ioe);
- }
- } else {
- throw new RuntimeException("Error obtaining TableAuthManager, zk found null.");
- }
-
+ accessChecker = new AccessChecker(env.getConfiguration(), zk);
 tableAcls = new MapMaker().weakValues().makeMap();
 }
 @Override
 public void stop(CoprocessorEnvironment env) {
- if (this.authManager != null) {
- TableAuthManager.release(authManager);
- }
+ TableAuthManager.release(getAuthManager());
 }
 /*********************************** Observer/Service Getters ***********************************/
@@ -1045,7 +845,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 for (byte[] family: families) {
 familyMap.put(family, null);
 }
- requireNamespacePermission(getActiveUser(c), "createTable",
+ requireNamespacePermission(c, "createTable",
 desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);
 }
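Review bot: The block removed from `start()` in the hunk at -980,27 carried the only statement of the fail-closed contract, namely that a null `zk` or an IOException from `TableAuthManager.getOrCreate` raises a RuntimeException so the coprocessor is unloaded; the replacement `accessChecker = new AccessChecker(env.getConfiguration(), zk);` has no comment and the constructor is not visible in this diff. If the constructor keeps that contract, say so at the call site, e.g. `// AccessChecker throws RuntimeException when zk is null or the auth manager cannot be obtained, so the coprocessor fails to load`. If it does not, `zk` should be null-checked here before the call, since a controller that loads without an auth manager would presumably fail on the first permission check instead of at startup. `start()` begins outside this hunk.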
@@ -1102,8 +902,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 @Override
 public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- requirePermission(getActiveUser(c), "deleteTable", tableName, null, null,
- Action.ADMIN, Action.CREATE);
+ requirePermission(c, "deleteTable",
+ tableName, null, null, Action.ADMIN, Action.CREATE);
 }
 @Override
@@ -1120,14 +920,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 return null;
 }
 });
- this.authManager.getZKPermissionWatcher().deleteTableACLNode(tableName);
+ getAuthManager().getZKPermissionWatcher().deleteTableACLNode(tableName);
 }
 @Override
 public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> c, final TableName tableName) throws IOException {
- requirePermission(getActiveUser(c), "truncateTable", tableName, null, null,
- Action.ADMIN, Action.CREATE);
+ requirePermission(c, "truncateTable",
+ tableName, null, null, Action.ADMIN, Action.CREATE);
 final Configuration conf = c.getEnvironment().getConfiguration();
 User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@@ -1168,8 +968,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, TableDescriptor htd) throws IOException {
 // TODO: potentially check if this is a add/modify/delete column operation
- requirePermission(getActiveUser(c), "modifyTable", tableName, null, null,
- Action.ADMIN, Action.CREATE);
+ requirePermission(c, "modifyTable",
+ tableName, null, null, Action.ADMIN, Action.CREATE);
 }
 @Override
@@ -1196,8 +996,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 @Override
 public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- requirePermission(getActiveUser(c), "enableTable", tableName, null, null,
- Action.ADMIN, Action.CREATE);
+ requirePermission(c, "enableTable",
+ tableName, null, null, Action.ADMIN, Action.CREATE);
 }
 @Override
@@ -1211,14 +1011,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 throw new AccessDeniedException("Not allowed to disable " + AccessControlLists.ACL_TABLE_NAME + " table with AccessController installed");
 }
- requirePermission(getActiveUser(c), "disableTable", tableName, null, null,
- Action.ADMIN, Action.CREATE);
+ requirePermission(c, "disableTable",
+ tableName, null, null, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx, final long procId) throws IOException {
- requirePermission(getActiveUser(ctx), "abortProcedure", Action.ADMIN);
+ requirePermission(ctx, "abortProcedure", Action.ADMIN);
 }
 @Override
@@ -1230,74 +1030,73 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 @Override
 public void preGetProcedures(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {
- requirePermission(getActiveUser(ctx), "getProcedure", Action.ADMIN);
+ requirePermission(ctx, "getProcedure", Action.ADMIN);
 }
 @Override
 public void preGetLocks(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {
 User user = getActiveUser(ctx);
- requirePermission(user, "getLocks", Action.ADMIN);
+ accessChecker.requirePermission(user, "getLocks", Action.ADMIN);
 }
 @Override
 public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo region, ServerName srcServer, ServerName destServer) throws IOException {
- requirePermission(getActiveUser(c), "move", region.getTable(), null, null, Action.ADMIN);
+ requirePermission(c, "move",
+ region.getTable(), null, null, Action.ADMIN);
 }
 @Override
 public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo) throws IOException {
- requirePermission(getActiveUser(c), "assign", regionInfo.getTable(), null, null, Action.ADMIN);
+ requirePermission(c, "assign",
+ regionInfo.getTable(), null, null, Action.ADMIN);
 }
 @Override
 public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo, boolean force) throws IOException {
- requirePermission(getActiveUser(c), "unassign", regionInfo.getTable(), null, null, Action.ADMIN);
+ requirePermission(c, "unassign",
+ regionInfo.getTable(), null, null, Action.ADMIN);
 }
 @Override
 public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo) throws IOException {
- requirePermission(getActiveUser(c), "regionOffline", regionInfo.getTable(), null, null,
- Action.ADMIN);
+ requirePermission(c, "regionOffline",
+ regionInfo.getTable(), null, null, Action.ADMIN);
 }
 @Override
 public void preSetSplitOrMergeEnabled(final
ObserverContext<MasterCoprocessorEnvironment> ctx, final boolean newValue, final MasterSwitchType switchType) throws IOException {
- requirePermission(getActiveUser(ctx), "setSplitOrMergeEnabled", Action.ADMIN);
- }
-
- @Override
- public void postSetSplitOrMergeEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,
- final boolean newValue, final MasterSwitchType switchType) throws IOException {
+ requirePermission(ctx, "setSplitOrMergeEnabled",
+ Action.ADMIN);
 }
 @Override
 public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
- requirePermission(getActiveUser(c), "balance", Action.ADMIN);
+ requirePermission(c, "balance", Action.ADMIN);
 }
 @Override
 public void preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, boolean newValue) throws IOException {
- requirePermission(getActiveUser(c), "balanceSwitch", Action.ADMIN);
+ requirePermission(c, "balanceSwitch", Action.ADMIN);
 }
 @Override
 public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
- requirePermission(getActiveUser(c), "shutdown", Action.ADMIN);
+ requirePermission(c, "shutdown", Action.ADMIN);
 }
 @Override
 public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
- requirePermission(getActiveUser(c), "stopMaster", Action.ADMIN);
+ requirePermission(c, "stopMaster", Action.ADMIN);
 }
 @Override
@@ -1335,8 +1134,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx, final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor) throws IOException {
- requirePermission(getActiveUser(ctx), "snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
- Permission.Action.ADMIN);
+ requirePermission(ctx, "snapshot " + snapshot.getName(),
+ hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
 }
 @Override
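Review bot: `preGetLocks` in the hunk at -1230,74 is the one observer in this hunk that still resolves the user itself and calls `accessChecker.requirePermission(user, "getLocks", Action.ADMIN);`, while every neighbour goes through the new context-taking wrappers. Writing it as `requirePermission(ctx, "getLocks", Action.ADMIN);` drops the unused local and keeps a single path from observer to checker, which makes it easier to audit that every hook resolves the caller the same way. In the same hunk the request string passed by `preGetProcedures` is `"getProcedure"`, so audit-log searches for the plural hook name will not match; that string is unchanged by this commit but is worth aligning while the line is being touched.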
@@ -1347,9 +1146,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 // list it, if user is the owner of snapshot
 AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(), "Snapshot owner check allowed", user, null, null, null);
- logResult(result);
+ AccessChecker.logResult(result);
 } else {
- requirePermission(user, "listSnapshot " + snapshot.getName(), Action.ADMIN);
+ accessChecker.requirePermission(user, "listSnapshot " + snapshot.getName(), Action.ADMIN);
 }
 }
@@ -1363,9 +1162,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 // Snapshot owner is allowed to create a table with the same name as the snapshot he took
 AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(), "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);
- logResult(result);
+ AccessChecker.logResult(result);
 } else {
- requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+ accessChecker.requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
 }
 }
@@ -1375,10 +1174,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 throws IOException {
 User user = getActiveUser(ctx);
 if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
- requirePermission(user, "restoreSnapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
- Permission.Action.ADMIN);
+ accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(),
+ hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
 } else {
- requirePermission(user, "restoreSnapshot " + snapshot.getName(), Action.ADMIN);
+ accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), Action.ADMIN);
 }
 }
@@ -1390,22 +1189,24 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 // Snapshot owner is allowed to delete the snapshot
 AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(), "Snapshot owner check allowed", user, null, null, null);
- logResult(result);
+ AccessChecker.logResult(result);
 } else {
- requirePermission(user, "deleteSnapshot " + snapshot.getName(), Action.ADMIN);
+ accessChecker.requirePermission(user, "deleteSnapshot " + snapshot.getName(), Action.ADMIN);
 }
 }
 @Override
 public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, NamespaceDescriptor ns) throws IOException {
- requireGlobalPermission(getActiveUser(ctx), "createNamespace", Action.ADMIN, ns.getName());
+ requireGlobalPermission(ctx, "createNamespace",
+ Action.ADMIN, ns.getName());
 }
 @Override
 public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace) throws IOException {
- requireGlobalPermission(getActiveUser(ctx), "deleteNamespace", Action.ADMIN, namespace);
+ requireGlobalPermission(ctx, "deleteNamespace",
+ Action.ADMIN, namespace);
 }
 @Override
@@ -1422,7 +1223,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 return null;
 }
 });
- this.authManager.getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
+ getAuthManager().getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
 LOG.info(namespace + " entry deleted in " + AccessControlLists.ACL_TABLE_NAME + " table.");
 }
@@ -1431,13 +1232,15 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, NamespaceDescriptor ns) throws IOException { // We require only global permission so that // a user with NS admin cannot altering namespace configurations. i.e. namespace quota - requireGlobalPermission(getActiveUser(ctx), "modifyNamespace", Action.ADMIN, ns.getName()); + requireGlobalPermission(ctx, "modifyNamespace", + Action.ADMIN, ns.getName()); } @Override public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace) throws IOException { - requireNamespacePermission(getActiveUser(ctx), "getNamespaceDescriptor", namespace, Action.ADMIN); + requireNamespacePermission(ctx, "getNamespaceDescriptor", + namespace, Action.ADMIN); } @Override @@ -1450,7 +1253,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, while (itr.hasNext()) { NamespaceDescriptor desc = itr.next(); try { - requireNamespacePermission(user, "listNamespaces", desc.getName(), Action.ADMIN); + accessChecker.requireNamespacePermission(user, "listNamespaces", + desc.getName(), Action.ADMIN); } catch (AccessDeniedException e) { itr.remove(); } @@ -1460,8 +1264,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx, final TableName tableName) throws IOException { - requirePermission(getActiveUser(ctx), "flushTable", tableName, null, null, - Action.ADMIN, Action.CREATE); + requirePermission(ctx, "flushTable", tableName, + null, null, Action.ADMIN, Action.CREATE); } @Override 
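Review bot: In the listNamespaces loop the new `accessChecker.requireNamespacePermission(user, "listNamespaces", desc.getName(), Action.ADMIN)` call is used as a filter, with `AccessDeniedException` caught and the entry removed. If the checker writes an audit record for each denial, as the `AccessChecker.logResult` calls elsewhere in this commit suggest, one listing by a non-admin produces a denial line per namespace and real denials become harder to spot in the audit log. A short comment in the catch, `// expected: hide namespaces the caller cannot administer`, would at least mark the swallow as deliberate. A non-throwing check would be cleaner if AccessChecker offers one. The loop starts outside this hunk.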
@@ -1469,29 +1273,33 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, final ObserverContext<MasterCoprocessorEnvironment> ctx, final TableName tableName, final byte[] splitRow) throws IOException { - requirePermission(getActiveUser(ctx), "split", tableName, null, null, Action.ADMIN); + requirePermission(ctx, "split", tableName, + null, null, Action.ADMIN); } @Override - public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException { - requirePermission(getActiveUser(ctx), "clearDeadServers", Action.ADMIN); + public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx) + throws IOException { + requirePermission(ctx, "clearDeadServers", Action.ADMIN); } @Override public void preDecommissionRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx, List<ServerName> servers, boolean offload) throws IOException { - requirePermission(getActiveUser(ctx), "decommissionRegionServers", Action.ADMIN); + requirePermission(ctx, "decommissionRegionServers", Action.ADMIN); } @Override - public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException { - requirePermission(getActiveUser(ctx), "listDecommissionedRegionServers", Action.ADMIN); + public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx) + throws IOException { + requirePermission(ctx, "listDecommissionedRegionServers", + Action.ADMIN); } @Override public void preRecommissionRegionServer(ObserverContext<MasterCoprocessorEnvironment> ctx, ServerName server, List<byte[]> encodedRegionNames) throws IOException { - requirePermission(getActiveUser(ctx), "recommissionRegionServers", Action.ADMIN); + requirePermission(ctx, "recommissionRegionServers", Action.ADMIN); } /* ---- RegionObserver implementation ---- */ 
@@ -1508,7 +1316,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, if (regionInfo.getTable().isSystemTable()) { checkSystemOrSuperUser(getActiveUser(c)); } else { - requirePermission(getActiveUser(c), "preOpen", Action.ADMIN); + requirePermission(c, "preOpen", Action.ADMIN); } } } @@ -1538,16 +1346,16 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void preFlush(ObserverContext<RegionCoprocessorEnvironment> c, FlushLifeCycleTracker tracker) throws IOException { - requirePermission(getActiveUser(c), "flush", getTableName(c.getEnvironment()), null, null, - Action.ADMIN, Action.CREATE); + requirePermission(c, "flush", getTableName(c.getEnvironment()), + null, null, Action.ADMIN, Action.CREATE); } @Override public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> c, Store store, InternalScanner scanner, ScanType scanType, CompactionLifeCycleTracker tracker, CompactionRequest request) throws IOException { - requirePermission(getActiveUser(c), "compact", getTableName(c.getEnvironment()), null, null, - Action.ADMIN, Action.CREATE); + requirePermission(c, "compact", getTableName(c.getEnvironment()), + null, null, Action.ADMIN, Action.CREATE); return scanner; } @@ -1594,7 +1402,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, authResult.setReason("Access allowed with filter"); // Only wrap the filter if we are enforcing authorizations if (authorizationEnabled) { - Filter ourFilter = new AccessControlFilter(authManager, user, table, + Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table, AccessControlFilter.Strategy.CHECK_TABLE_AND_CF_ONLY, cfVsMaxVersions); // wrap any existing filter 
@@ -1624,7 +1432,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, authResult.setReason("Access allowed with filter"); // Only wrap the filter if we are enforcing authorizations if (authorizationEnabled) { - Filter ourFilter = new AccessControlFilter(authManager, user, table, + Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table, AccessControlFilter.Strategy.CHECK_CELL_DEFAULT, cfVsMaxVersions); // wrap any existing filter if (filter != null) { @@ -1646,7 +1454,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, } } - logResult(authResult); + AccessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { throw new AccessDeniedException("Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") @@ -1682,8 +1490,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, // security policy over time without requiring expensive updates. RegionCoprocessorEnvironment env = c.getEnvironment(); Map<byte[],? extends Collection<Cell>> families = put.getFamilyCellMap(); - AuthResult authResult = permissionGranted(OpType.PUT, user, env, families, Action.WRITE); - logResult(authResult); + AuthResult authResult = permissionGranted(OpType.PUT, + user, env, families, Action.WRITE); + AccessChecker.logResult(authResult); if (!authResult.isAllowed()) { if (cellFeaturesEnabled && !compatibleEarlyTermination) { put.setAttribute(CHECK_COVERING_PERM, TRUE); 
@@ -1727,8 +1536,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, RegionCoprocessorEnvironment env = c.getEnvironment(); Map<byte[],? extends Collection<Cell>> families = delete.getFamilyCellMap(); User user = getActiveUser(c); - AuthResult authResult = permissionGranted(OpType.DELETE, user, env, families, Action.WRITE); - logResult(authResult); + AuthResult authResult = permissionGranted(OpType.DELETE, + user, env, families, Action.WRITE); + AccessChecker.logResult(authResult); if (!authResult.isAllowed()) { if (cellFeaturesEnabled && !compatibleEarlyTermination) { delete.setAttribute(CHECK_COVERING_PERM, TRUE); @@ -1766,7 +1576,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, authResult = AuthResult.deny(opType.toString(), "Covering cell set", user, Action.WRITE, table, m.getFamilyCellMap()); } - logResult(authResult); + AccessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString()); @@ -1797,9 +1607,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, // Require READ and WRITE permissions on the table, CF, and KV to update RegionCoprocessorEnvironment env = c.getEnvironment(); Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier); - AuthResult authResult = permissionGranted(OpType.CHECK_AND_PUT, user, env, families, - Action.READ, Action.WRITE); - logResult(authResult); + AuthResult authResult = permissionGranted(OpType.CHECK_AND_PUT, + user, env, families, Action.READ, Action.WRITE); + AccessChecker.logResult(authResult); if (!authResult.isAllowed()) { if (cellFeaturesEnabled && !compatibleEarlyTermination) { put.setAttribute(CHECK_COVERING_PERM, TRUE); 
@@ -1822,10 +1632,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public boolean preCheckAndPutAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c, - final byte[] row, final byte[] family, final byte[] qualifier, - final CompareOperator opp, final ByteArrayComparable comparator, final Put put, - final boolean result) - throws IOException { + final byte[] row, final byte[] family, final byte[] qualifier, + final CompareOperator opp, final ByteArrayComparable comparator, final Put put, + final boolean result) throws IOException { if (put.getAttribute(CHECK_COVERING_PERM) != null) { // We had failure with table, cf and q perm checks and now giving a chance for cell // perm check @@ -1835,13 +1644,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, User user = getActiveUser(c); if (checkCoveringPermission(user, OpType.CHECK_AND_PUT, c.getEnvironment(), row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) { - authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(), "Covering cell set", - user, Action.READ, table, families); + authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(), + "Covering cell set", user, Action.READ, table, families); } else { - authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(), "Covering cell set", - user, Action.READ, table, families); + authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(), + "Covering cell set", user, Action.READ, table, families); } - logResult(authResult); + AccessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString()); } 
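Review bot: The covering-cell check in preCheckAndPutAfterRowLock asks only for `Action.READ`, while preCheckAndPut required `Action.READ, Action.WRITE` before it set `CHECK_COVERING_PERM`. If the WRITE side is enforced later by the put's own hooks, that deserves a comment at the `checkCoveringPermission` call, e.g. `// READ only: WRITE on the covered cells is checked when the put itself is applied (confirm)`. If it is not enforced later, the fallback path grants more than the table-level path does. preCheckAndDeleteAfterRowLock has the same shape, and both method bodies start outside their hunks.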
@@ -1865,9 +1674,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, RegionCoprocessorEnvironment env = c.getEnvironment(); Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier); User user = getActiveUser(c); - AuthResult authResult = permissionGranted(OpType.CHECK_AND_DELETE, user, env, families, - Action.READ, Action.WRITE); - logResult(authResult); + AuthResult authResult = permissionGranted( + OpType.CHECK_AND_DELETE, user, env, families, Action.READ, Action.WRITE); + AccessChecker.logResult(authResult); if (!authResult.isAllowed()) { if (cellFeaturesEnabled && !compatibleEarlyTermination) { delete.setAttribute(CHECK_COVERING_PERM, TRUE); @@ -1881,8 +1690,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public boolean preCheckAndDeleteAfterRowLock( - final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family, - final byte[] qualifier, final CompareOperator op, + final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, + final byte[] family, final byte[] qualifier, final CompareOperator op, final ByteArrayComparable comparator, final Delete delete, final boolean result) throws IOException { if (delete.getAttribute(CHECK_COVERING_PERM) != null) { 
@@ -1892,15 +1701,15 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier); AuthResult authResult = null; User user = getActiveUser(c); - if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(), row, families, - HConstants.LATEST_TIMESTAMP, Action.READ)) { - authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", - user, Action.READ, table, families); + if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(), + row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) { + authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(), + "Covering cell set", user, Action.READ, table, families); } else { - authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", - user, Action.READ, table, families); + authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(), + "Covering cell set", user, Action.READ, table, families); } - logResult(authResult); + AccessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString()); } @@ -1917,8 +1726,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, // Require WRITE permission to the table, CF, and the KV to be appended RegionCoprocessorEnvironment env = c.getEnvironment(); Map<byte[],? extends Collection<Cell>> families = append.getFamilyCellMap(); - AuthResult authResult = permissionGranted(OpType.APPEND, user, env, families, Action.WRITE); - logResult(authResult); + AuthResult authResult = permissionGranted(OpType.APPEND, user, + env, families, Action.WRITE); + AccessChecker.logResult(authResult); if (!authResult.isAllowed()) { if (cellFeaturesEnabled && !compatibleEarlyTermination) { append.setAttribute(CHECK_COVERING_PERM, TRUE); 
@@ -1951,13 +1761,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, User user = getActiveUser(c); if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(), append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) { - authResult = AuthResult.allow(OpType.APPEND.toString(), "Covering cell set", - user, Action.WRITE, table, append.getFamilyCellMap()); + authResult = AuthResult.allow(OpType.APPEND.toString(), + "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap()); } else { - authResult = AuthResult.deny(OpType.APPEND.toString(), "Covering cell set", - user, Action.WRITE, table, append.getFamilyCellMap()); + authResult = AuthResult.deny(OpType.APPEND.toString(), + "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap()); } - logResult(authResult); + AccessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString()); @@ -1977,9 +1787,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, // the incremented value RegionCoprocessorEnvironment env = c.getEnvironment(); Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap(); - AuthResult authResult = permissionGranted(OpType.INCREMENT, user, env, families, - Action.WRITE); - logResult(authResult); + AuthResult authResult = permissionGranted(OpType.INCREMENT, + user, env, families, Action.WRITE); + AccessChecker.logResult(authResult); if (!authResult.isAllowed()) { if (cellFeaturesEnabled && !compatibleEarlyTermination) { increment.setAttribute(CHECK_COVERING_PERM, TRUE); 
@@ -2018,7 +1828,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, authResult = AuthResult.deny(OpType.INCREMENT.toString(), "Covering cell set", user, Action.WRITE, table, increment.getFamilyCellMap()); } - logResult(authResult); + AccessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString()); @@ -2156,7 +1966,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, List<Pair<byte[], String>> familyPaths) throws IOException { User user = getActiveUser(ctx); for(Pair<byte[],String> el : familyPaths) { - requirePermission(user, "preBulkLoadHFile", + accessChecker.requirePermission(user, "preBulkLoadHFile", ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null, @@ -2173,7 +1983,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx) throws IOException { - requireAccess(getActiveUser(ctx), "prePrepareBulkLoad", + requireAccess(ctx, "prePrepareBulkLoad", ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE); } @@ -2186,7 +1996,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx) throws IOException { - requireAccess(getActiveUser(ctx), "preCleanupBulkLoad", + requireAccess(ctx, "preCleanupBulkLoad", ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE); } 
@@ -2198,7 +2008,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, // Don't intercept calls to our own AccessControlService, we check for // appropriate permissions in the service handlers if (shouldCheckExecPermission && !(service instanceof AccessControlService)) { - requirePermission(getActiveUser(ctx), + requirePermission(ctx, "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")", getTableName(ctx.getEnvironment()), null, null, Action.EXEC); @@ -2215,8 +2025,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void grant(RpcController controller, - AccessControlProtos.GrantRequest request, - RpcCallback<AccessControlProtos.GrantResponse> done) { + AccessControlProtos.GrantRequest request, + RpcCallback<AccessControlProtos.GrantResponse> done) { final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission()); AccessControlProtos.GrantResponse response = null; try { @@ -2233,11 +2043,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, switch(request.getUserPermission().getPermission().getType()) { case Global : case Table : - requirePermission(caller, "grant", perm.getTableName(), + accessChecker.requirePermission(caller, "grant", perm.getTableName(), perm.getFamily(), perm.getQualifier(), Action.ADMIN); break; case Namespace : - requireNamespacePermission(caller, "grant", perm.getNamespace(), Action.ADMIN); + accessChecker.requireNamespacePermission(caller, "grant", perm.getNamespace(), + Action.ADMIN); break; } 
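Review bot: The permission-type `switch` in grant has no `default` branch. `Global`/`Table` and `Namespace` each run a check, but any other type reaches the code after the switch with no check at all. The enum may only have these three values today, but an authorization decision should fail closed, so add `default: throw new AccessDeniedException("grant: unsupported permission type");`. The `switch` in revoke is written the same way and needs the same branch. Both methods continue outside their hunks.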
@@ -2272,8 +2083,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void revoke(RpcController controller, - AccessControlProtos.RevokeRequest request, - RpcCallback<AccessControlProtos.RevokeResponse> done) { + AccessControlProtos.RevokeRequest request, + RpcCallback<AccessControlProtos.RevokeResponse> done) { final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission()); AccessControlProtos.RevokeResponse response = null; try { @@ -2290,11 +2101,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, switch(request.getUserPermission().getPermission().getType()) { case Global : case Table : - requirePermission(caller, "revoke", perm.getTableName(), perm.getFamily(), + accessChecker.requirePermission(caller, "revoke", perm.getTableName(), perm.getFamily(), perm.getQualifier(), Action.ADMIN); break; case Namespace : - requireNamespacePermission(caller, "revoke", perm.getNamespace(), Action.ADMIN); + accessChecker.requireNamespacePermission(caller, "revoke", perm.getNamespace(), + Action.ADMIN); break; } @@ -2328,8 +2140,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void getUserPermissions(RpcController controller, - AccessControlProtos.GetUserPermissionsRequest request, - RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) { + AccessControlProtos.GetUserPermissionsRequest request, + RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) { AccessControlProtos.GetUserPermissionsResponse response = null; try { // only allowed to be called on _acl_ region 
@@ -2343,7 +2155,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, if (request.getType() == AccessControlProtos.Permission.Type.Table) { final TableName table = request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null; - requirePermission(caller, "userPermissions", table, null, null, Action.ADMIN); + accessChecker.requirePermission(caller, "userPermissions", + table, null, null, Action.ADMIN); perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() { @Override public List<UserPermission> run() throws Exception { @@ -2352,7 +2165,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, }); } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) { final String namespace = request.getNamespaceName().toStringUtf8(); - requireNamespacePermission(caller, "userPermissions", namespace, Action.ADMIN); + accessChecker.requireNamespacePermission(caller, "userPermissions", + namespace, Action.ADMIN); perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() { @Override public List<UserPermission> run() throws Exception { @@ -2361,7 +2175,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, } }); } else { - requirePermission(caller, "userPermissions", Action.ADMIN); + accessChecker.requirePermission(caller, "userPermissions", Action.ADMIN); perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() { @Override public List<UserPermission> run() throws Exception { @@ -2426,7 +2240,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, AuthResult result = permissionGranted("checkPermissions", user, action, regionEnv, familyMap); - logResult(result); + AccessChecker.logResult(result); if (!result.isAllowed()) { // Even if passive we need to throw an exception here, we support checking // effective permissions, so throw unconditionally 
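Review bot: In getUserPermissions the Table branch passes `table` to `accessChecker.requirePermission(caller, "userPermissions", table, null, null, Action.ADMIN)` even when `request.hasTableName()` is false and `table` is `null`. Whether a null table is then treated as a global ADMIN check or as something weaker is decided inside AccessChecker, outside this hunk. I would make the case explicit, either by rejecting a Table-type request that carries no table name or by adding a comment such as `// table == null: checked as global ADMIN` once that is confirmed.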
@@ -2441,14 +2255,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, for (Action action : permission.getActions()) { AuthResult result; - if (authManager.authorize(user, action)) { + if (getAuthManager().authorize(user, action)) { result = AuthResult.allow("checkPermissions", "Global action allowed", user, action, null, null); } else { result = AuthResult.deny("checkPermissions", "Global action denied", user, action, null, null); } - logResult(result); + AccessChecker.logResult(result); if (!result.isAllowed()) { // Even if passive we need to throw an exception here, we support checking // effective permissions, so throw unconditionally @@ -2488,7 +2302,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void preClose(ObserverContext<RegionCoprocessorEnvironment> c, boolean abortRequested) throws IOException { - requirePermission(getActiveUser(c), "preClose", Action.ADMIN); + requirePermission(c, "preClose", Action.ADMIN); } private void checkSystemOrSuperUser(User activeUser) throws IOException { @@ -2506,7 +2320,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, public void preStopRegionServer( ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException { - requirePermission(getActiveUser(ctx), "preStopRegionServer", Action.ADMIN); + requirePermission(ctx, "preStopRegionServer", Action.ADMIN); } private Map<byte[], ? extends Collection<byte[]>> makeFamilyMap(byte[] family, @@ -2536,7 +2350,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, for (TableName tableName: tableNamesList) { // Skip checks for a table that does not exist if (!admin.tableExists(tableName)) continue; - requirePermission(getActiveUser(ctx), "getTableDescriptors", tableName, null, null, + requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN, Action.CREATE); } } 
@@ -2558,7 +2372,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, while (itr.hasNext()) { TableDescriptor htd = itr.next(); try { - requirePermission(getActiveUser(ctx), "getTableDescriptors", htd.getTableName(), null, null, + requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null, Action.ADMIN, Action.CREATE); } catch (AccessDeniedException e) { itr.remove(); @@ -2574,7 +2388,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, while (itr.hasNext()) { TableDescriptor htd = itr.next(); try { - requireAccess(getActiveUser(ctx), "getTableNames", htd.getTableName(), Action.values()); + requireAccess(ctx, "getTableNames", htd.getTableName(), Action.values()); } catch (AccessDeniedException e) { itr.remove(); } @@ -2584,14 +2398,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void preMergeRegions(final ObserverContext<MasterCoprocessorEnvironment> ctx, final RegionInfo[] regionsToMerge) throws IOException { - requirePermission(getActiveUser(ctx), "mergeRegions", regionsToMerge[0].getTable(), null, null, + requirePermission(ctx, "mergeRegions", regionsToMerge[0].getTable(), null, null, Action.ADMIN); } @Override public void preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException { - requirePermission(getActiveUser(ctx), "preRollLogWriterRequest", Permission.Action.ADMIN); + requirePermission(ctx, "preRollLogWriterRequest", Permission.Action.ADMIN); } @Override 
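Review bot: preMergeRegions authorizes against `regionsToMerge[0].getTable()` only and indexes the array without a length check. An empty array fails with an ArrayIndexOutOfBoundsException rather than a clean denial. The check also covers the remaining regions only if they are guaranteed to belong to the same table, which this hunk does not show. A guard such as `if (regionsToMerge == null || regionsToMerge.length == 0) throw new IOException("mergeRegions: no regions given");` plus a comment naming where the same-table rule is enforced would close both gaps.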
@@ -2601,33 +2415,33 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx, final String userName, final GlobalQuotaSettings quotas) throws IOException { - requirePermission(getActiveUser(ctx), "setUserQuota", Action.ADMIN); + requirePermission(ctx, "setUserQuota", Action.ADMIN); } @Override public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx, final String userName, final TableName tableName, final GlobalQuotaSettings quotas) throws IOException { - requirePermission(getActiveUser(ctx), "setUserTableQuota", tableName, null, null, Action.ADMIN); + requirePermission(ctx, "setUserTableQuota", tableName, null, null, Action.ADMIN); } @Override public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx, final String userName, final String namespace, final GlobalQuotaSettings quotas) throws IOException { - requirePermission(getActiveUser(ctx), "setUserNamespaceQuota", Action.ADMIN); + requirePermission(ctx, "setUserNamespaceQuota", Action.ADMIN); } @Override public void preSetTableQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx, final TableName tableName, final GlobalQuotaSettings quotas) throws IOException { - requirePermission(getActiveUser(ctx), "setTableQuota", tableName, null, null, Action.ADMIN); + requirePermission(ctx, "setTableQuota", tableName, null, null, Action.ADMIN); } @Override public void preSetNamespaceQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx, final String namespace, final GlobalQuotaSettings quotas) throws IOException { - requirePermission(getActiveUser(ctx), "setNamespaceQuota", Action.ADMIN); + requirePermission(ctx, "setNamespaceQuota", Action.ADMIN); } @Override 
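Review bot: The namespace-scoped quota hooks never use their `namespace` argument. `preSetUserQuota(ctx, userName, namespace, quotas)` and `preSetNamespaceQuota` both call the scope-less `requirePermission(ctx, ..., Action.ADMIN)`, while the table variants pass `tableName`. If global ADMIN is intended here, as the comment in preModifyNamespace says for namespace quota, a line like `// global ADMIN on purpose: namespace admins must not change quotas` would stop someone from later "fixing" it into a namespace-level check. As written, the audit request strings `"setUserNamespaceQuota"` and `"setNamespaceQuota"` also do not say which namespace was touched.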
@@ -2639,98 +2453,56 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, @Override public void preReplicateLogEntries(ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException { - requirePermission(getActiveUser(ctx), "replicateLogEntries", Action.WRITE); + requirePermission(ctx, "replicateLogEntries", Action.WRITE); } @Override public void preClearCompactionQueues(ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException { - requirePermission(getActiveUser(ctx), "preClearCompactionQueues", Permission.Action.ADMIN); - } - - @Override - public void preMoveServersAndTables(ObserverContext<MasterCoprocessorEnvironment> ctx, - Set<Address> servers, Set<TableName> tables, String targetGroup) throws IOException { - requirePermission(getActiveUser(ctx), "moveServersAndTables", Action.ADMIN); - } - - @Override - public void preMoveServers(ObserverContext<MasterCoprocessorEnvironment> ctx, - Set<Address> servers, String targetGroup) throws IOException { - requirePermission(getActiveUser(ctx), "moveServers", Action.ADMIN); - } - - @Override - public void preMoveTables(ObserverContext<MasterCoprocessorEnvironment> ctx, - Set<TableName> tables, String targetGroup) throws IOException { - requirePermission(getActiveUser(ctx), "moveTables", Action.ADMIN); - } - - @Override - public void preAddRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, - String name) throws IOException { - requirePermission(getActiveUser(ctx), "addRSGroup", Action.ADMIN); - } - - @Override - public void preRemoveRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, - String name) throws IOException { - requirePermission(getActiveUser(ctx), "removeRSGroup", Action.ADMIN); - } - - @Override - public void preBalanceRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, - String groupName) throws IOException { - requirePermission(getActiveUser(ctx), "balanceRSGroup", Action.ADMIN); - } - - @Override - public void 
preRemoveServers(ObserverContext<MasterCoprocessorEnvironment> ctx, - Set<Address> servers) throws IOException { - requirePermission(getActiveUser(ctx), "removeServers", Action.ADMIN); + requirePermission(ctx, "preClearCompactionQueues", Permission.Action.ADMIN); } @Override public void preAddReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId, ReplicationPeerConfig peerConfig) throws IOException { - requirePermission(getActiveUser(ctx), "addReplicationPeer", Action.ADMIN); + requirePermission(ctx, "addReplicationPeer", Action.ADMIN); } @Override public void preRemoveReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId) throws IOException { - requirePermission(getActiveUser(ctx), "removeReplicationPeer", Action.ADMIN); + requirePermission(ctx, "removeReplicationPeer", Action.ADMIN); } @Override public void preEnableReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId) throws IOException { - requirePermission(getActiveUser(ctx), "enableReplicationPeer", Action.ADMIN); + requirePermission(ctx, "enableReplicationPeer", Action.ADMIN); } @Override public void preDisableReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId) throws IOException { - requirePermission(getActiveUser(ctx), "disableReplicationPeer", Action.ADMIN); + requirePermission(ctx, "disableReplicationPeer", Action.ADMIN); } @Override public void preGetReplicationPeerConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId) throws IOException { - requirePermission(getActiveUser(ctx), "getReplicationPeerConfig", Action.ADMIN); + requirePermission(ctx, "getReplicationPeerConfig", Action.ADMIN); } @Override public void preUpdateReplicationPeerConfig( final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId, ReplicationPeerConfig peerConfig) throws IOException { - requirePermission(getActiveUser(ctx), "updateReplicationPeerConfig", 
Action.ADMIN); + requirePermission(ctx, "updateReplicationPeerConfig", Action.ADMIN); } @Override public void preListReplicationPeers(final ObserverContext<MasterCoprocessorEnvironment> ctx, String regex) throws IOException { - requirePermission(getActiveUser(ctx), "listReplicationPeers", Action.ADMIN); + requirePermission(ctx, "listReplicationPeers", Action.ADMIN); } @Override 
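Review bot: This hunk deletes seven ADMIN checks (preMoveServersAndTables, preMoveServers, preMoveTables, preAddRSGroup, preRemoveRSGroup, preBalanceRSGroup, preRemoveServers) and no replacement is visible in this file. Presumably the rsgroup endpoint now performs them through AccessChecker, but that is outside this diff section. If it does not, those operations become callable without ADMIN. It is worth confirming that each removed hook has a matching check at its new location and a test showing that a non-admin caller gets AccessDeniedException.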
@@ -2740,27 +2512,26 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, // There are operations in the CREATE and ADMIN domain which may require lock, READ // or WRITE. So for any lock request, we check for these two perms irrespective of lock type. String reason = String.format("Description=%s", description); - checkLockPermissions(getActiveUser(ctx), namespace, tableName, regionInfos, reason); + checkLockPermissions(ctx, namespace, tableName, regionInfos, reason); } @Override public void preLockHeartbeat(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName, String description) throws IOException { - checkLockPermissions(getActiveUser(ctx), null, tableName, null, description); + checkLockPermissions(ctx, null, tableName, null, description); } - private void checkLockPermissions(User user, String namespace, - TableName tableName, RegionInfo[] regionInfos, String reason) - throws IOException { - if (namespace != null && !namespace.isEmpty()) { - requireNamespacePermission(user, reason, namespace, Action.ADMIN, Action.CREATE); - } else if (tableName != null || (regionInfos != null && regionInfos.length > 0)) { - // So, either a table or regions op. If latter, check perms ons table. - TableName tn = tableName != null? tableName: regionInfos[0].getTable(); - requireTablePermission(user, reason, tn, null, null, - Action.ADMIN, Action.CREATE); - } else { - throw new DoNotRetryIOException("Invalid lock level when requesting permissions."); + /** + * Returns the active user to which authorization checks should be applied. + * If we are in the context of an RPC call, the remote user is used, + * otherwise the currently logged in user is used. + */ + public User getActiveUser(ObserverContext<?> ctx) throws IOException { + // for non-rpc handling, fallback to system user + Optional<User> optionalUser = ctx.getCaller(); + if (optionalUser.isPresent()) { + return optionalUser.get(); } + return userProvider.getCurrent(); } }
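Review bot: The Javadoc on `getActiveUser(ObserverContext<?> ctx)` should spell out what the fallback means for authorization: when `ctx.getCaller()` is empty the method returns `userProvider.getCurrent()`, so any permission check that resolves its user here is evaluated against the server process's own identity rather than a requester. That identity is presumably a privileged one (not confirmable from this hunk), and the method is declared `public`, so code outside this class can come to depend on the fallback. I would add a sentence such as `Only server-internal invocations should reach the fallback; a client request whose caller was not propagated is authorized as the server's login user.` and move the `// for non-rpc handling, fallback to system user` comment down to the `return userProvider.getCurrent();` line it describes. The `checkLockPermissions(ctx, ...)` that replaces the removed private method is defined outside this hunk, so it cannot be confirmed here that it still throws `DoNotRetryIOException` for a request that names no namespace, table or regions.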
http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java index 41a4dd3..76feff4 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java @@ -754,7 +754,7 @@ public class TableAuthManager implements Closeable { } @VisibleForTesting - static int getTotalRefCount() { + public static int getTotalRefCount() { int total = 0; for (int count : refCount.values()) { total += count; http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java index d4b8e58..1ba6029 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java 
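Review bot: In TableAuthManager, `getTotalRefCount()` goes from package-private to `public static`, which exposes the auth manager's internal reference counts to every package; `@VisibleForTesting` is advisory only and the compiler does not enforce it. If the new caller is a test in another package, a one-line comment would record that intent, e.g. `// public only so tests outside this package can assert ref counts; not a supported API`. The method body continues past the end of the hunk, so whether the loop over `refCount.values()` is safe against concurrent updates cannot be checked from here.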
@@ -105,6 +105,7 @@ import org.apache.hadoop.hbase.regionserver.querymatcher.DeleteTracker; import org.apache.hadoop.hbase.security.AccessDeniedException; import org.apache.hadoop.hbase.security.Superusers; import org.apache.hadoop.hbase.security.User; +import org.apache.hadoop.hbase.security.access.AccessChecker; import org.apache.hadoop.hbase.security.access.AccessController; import org.apache.hbase.thirdparty.com.google.common.collect.Lists; import org.apache.hbase.thirdparty.com.google.common.collect.MapMaker; @@ -141,8 +142,8 @@ public class VisibilityController implements MasterCoprocessor, RegionCoprocesso private VisibilityLabelService visibilityLabelService; - /** if we are active, usually true, only not true if "hbase.security.authorization" - has been set to false in site configuration */ + /** if we are active, usually false, only true if "hbase.security.authorization" + has been set to true in site configuration */ boolean authorizationEnabled; // Add to this list if there are any reserved tag types 
@@ -153,19 +154,15 @@ public class VisibilityController implements MasterCoprocessor, RegionCoprocesso RESERVED_VIS_TAG_TYPES.add(TagType.STRING_VIS_TAG_TYPE); } - public static boolean isAuthorizationSupported(Configuration conf) { - return conf.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true); - } - public static boolean isCellAuthorizationSupported(Configuration conf) { - return isAuthorizationSupported(conf); + return AccessChecker.isAuthorizationSupported(conf); } @Override public void start(CoprocessorEnvironment env) throws IOException { this.conf = env.getConfiguration(); - authorizationEnabled = isAuthorizationSupported(conf); + authorizationEnabled = AccessChecker.isAuthorizationSupported(conf); if (!authorizationEnabled) { LOG.warn("The VisibilityController has been loaded with authorization checks disabled."); } http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java index 8bf792b..407ebf9 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java @@ -106,6 +106,7 @@ public class SecureTestUtil { conf.set(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY, AccessController.class.getName()); // Need HFile V3 for tags for security features conf.setInt(HFile.FORMAT_VERSION_KEY, 3); + conf.set(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, "true"); configureSuperuser(conf); } 
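Review bot: In VisibilityController, `start()` now takes `authorizationEnabled` from `AccessChecker.isAuthorizationSupported(conf)`, and the only signal when that is false is the existing `LOG.warn`; the coprocessor still loads. The removed local helper defaulted the key to `true`, while the rewritten field Javadoc in the preceding hunk ("usually false, only true if ... set to true") and the `getBoolean(..., false)` check added to SecureTestUtil suggest the default is now `false`, although AccessChecker itself is not shown on this page. If that is the case, a site that loads VisibilityController without setting the key would move from enforcing to not enforcing on upgrade, so I would make the warning actionable, e.g. `LOG.warn("The VisibilityController has been loaded with authorization checks disabled; set " + User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY + " to true to enforce them.");`, and call the default change out in the release notes. The body of `start()` continues outside the hunk.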
@@ -129,6 +130,11 @@ public class SecureTestUtil { if (conf.getInt(HFile.FORMAT_VERSION_KEY, 2) < HFile.MIN_FORMAT_VERSION_WITH_TAGS) { throw new RuntimeException("Post 0.96 security features require HFile version >= 3"); } + + if (!conf.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, false)) { + throw new RuntimeException("Post 2.0.0 security features require set " + + User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY + " to true"); + } } public static void checkTablePerms(Configuration conf, TableName table, byte[] family, byte[] column, http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 2435532..be1b0e4 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
@@ -2839,81 +2839,6 @@ public class TestAccessController extends SecureTestUtil { } @Test - public void testMoveServers() throws Exception { - AccessTestAction action1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preMoveServers(ObserverContextImpl.createAndPrepare(CP_ENV), - null, null); - return null; - } - }; - - verifyAllowed(action1, SUPERUSER, USER_ADMIN); - verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - } - - @Test - public void testMoveTables() throws Exception { - AccessTestAction action1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preMoveTables(ObserverContextImpl.createAndPrepare(CP_ENV), - null, null); - return null; - } - }; - - verifyAllowed(action1, SUPERUSER, USER_ADMIN); - verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - } - - @Test - public void testAddGroup() throws Exception { - AccessTestAction action1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preAddRSGroup(ObserverContextImpl.createAndPrepare(CP_ENV), - null); - return null; - } - }; - - verifyAllowed(action1, SUPERUSER, USER_ADMIN); - verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - } - - @Test - public void testRemoveGroup() throws Exception { - AccessTestAction action1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preRemoveRSGroup(ObserverContextImpl.createAndPrepare(CP_ENV), - null); - return null; - } - }; - - verifyAllowed(action1, SUPERUSER, USER_ADMIN); - verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - } - - @Test - public void testBalanceGroup() throws Exception { - AccessTestAction action1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - 
ACCESS_CONTROLLER.preBalanceRSGroup(ObserverContextImpl.createAndPrepare(CP_ENV), - null); - return null; - } - }; - - verifyAllowed(action1, SUPERUSER, USER_ADMIN); - verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - } - - @Test public void testAddReplicationPeer() throws Exception { AccessTestAction action = new AccessTestAction() { @Override http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java index 7dbe256..4e2c4b7 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java @@ -14,7 +14,7 @@ import java.io.IOException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.coprocessor.CoprocessorHost; - +import org.apache.hadoop.hbase.security.User; /** * Utility methods for testing visibility labels. @@ -23,6 +23,7 @@ public class VisibilityTestUtil { public static void enableVisiblityLabels(Configuration conf) throws IOException { conf.setInt("hfile.format.version", 3); + conf.setBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true); appendCoprocessor(conf, CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, VisibilityController.class.getName()); appendCoprocessor(conf, CoprocessorHost.REGION_COPROCESSOR_CONF_KEY,