http://git-wip-us.apache.org/repos/asf/hbase-site/blob/68eae623/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.html ---------------------------------------------------------------------- diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.html index 25b7848..5c428b5 100644 --- a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.html +++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.html @@ -245,20 +245,20 @@ <span class="sourceLineNo">237</span> return regionEnv != null ? regionEnv.getRegion() : null;<a name="line.237"></a> <span class="sourceLineNo">238</span> }<a name="line.238"></a> <span class="sourceLineNo">239</span><a name="line.239"></a> -<span class="sourceLineNo">240</span> public TableAuthManager getAuthManager() {<a name="line.240"></a> +<span class="sourceLineNo">240</span> public AuthManager getAuthManager() {<a name="line.240"></a> <span class="sourceLineNo">241</span> return accessChecker.getAuthManager();<a name="line.241"></a> <span class="sourceLineNo">242</span> }<a name="line.242"></a> <span class="sourceLineNo">243</span><a name="line.243"></a> <span class="sourceLineNo">244</span> private void initialize(RegionCoprocessorEnvironment e) throws IOException {<a name="line.244"></a> <span class="sourceLineNo">245</span> final Region region = e.getRegion();<a name="line.245"></a> <span class="sourceLineNo">246</span> Configuration conf = e.getConfiguration();<a name="line.246"></a> -<span class="sourceLineNo">247</span> Map<byte[], ListMultimap<String, TablePermission>> tables = AccessControlLists.loadAll(region);<a name="line.247"></a> +<span class="sourceLineNo">247</span> Map<byte[], ListMultimap<String, UserPermission>> tables = AccessControlLists.loadAll(region);<a name="line.247"></a> <span class="sourceLineNo">248</span> // For each table, write out the table's permissions to the respective<a name="line.248"></a> <span class="sourceLineNo">249</span> // znode for that table.<a name="line.249"></a> -<span class="sourceLineNo">250</span> for (Map.Entry<byte[], ListMultimap<String,TablePermission>> t:<a name="line.250"></a> +<span class="sourceLineNo">250</span> for (Map.Entry<byte[], ListMultimap<String, UserPermission>> t:<a name="line.250"></a> <span class="sourceLineNo">251</span> tables.entrySet()) {<a name="line.251"></a> <span class="sourceLineNo">252</span> byte[] entry = t.getKey();<a name="line.252"></a> -<span class="sourceLineNo">253</span> ListMultimap<String,TablePermission> perms = t.getValue();<a name="line.253"></a> +<span class="sourceLineNo">253</span> ListMultimap<String, UserPermission> perms = t.getValue();<a name="line.253"></a> <span class="sourceLineNo">254</span> byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);<a name="line.254"></a> <span class="sourceLineNo">255</span> getAuthManager().getZKPermissionWatcher().writeToZookeeper(entry, serialized);<a name="line.255"></a> <span class="sourceLineNo">256</span> }<a name="line.256"></a> @@ -294,7 +294,7 @@ <span class="sourceLineNo">286</span> try (Table t = e.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.286"></a> <span class="sourceLineNo">287</span> for (byte[] entry : entries) {<a name="line.287"></a> <span class="sourceLineNo">288</span> currentEntry = entry;<a name="line.288"></a> -<span class="sourceLineNo">289</span> ListMultimap<String, TablePermission> perms =<a name="line.289"></a> +<span class="sourceLineNo">289</span> ListMultimap<String, UserPermission> perms =<a name="line.289"></a> <span class="sourceLineNo">290</span> AccessControlLists.getPermissions(conf, entry, t, null, null, null, false);<a name="line.290"></a> <span class="sourceLineNo">291</span> byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);<a name="line.291"></a> <span class="sourceLineNo">292</span> zkw.writeToZookeeper(entry, serialized);<a name="line.292"></a> @@ -338,7 +338,7 @@ <span class="sourceLineNo">330</span> }<a name="line.330"></a> <span class="sourceLineNo">331</span><a name="line.331"></a> <span class="sourceLineNo">332</span> // 2. check for the table-level, if successful we can short-circuit<a name="line.332"></a> -<span class="sourceLineNo">333</span> if (getAuthManager().authorize(user, tableName, (byte[])null, permRequest)) {<a name="line.333"></a> +<span class="sourceLineNo">333</span> if (getAuthManager().authorizeUserTable(user, tableName, permRequest)) {<a name="line.333"></a> <span class="sourceLineNo">334</span> return AuthResult.allow(request, "Table permission granted", user,<a name="line.334"></a> <span class="sourceLineNo">335</span> permRequest, tableName, families);<a name="line.335"></a> <span class="sourceLineNo">336</span> }<a name="line.336"></a> @@ -348,7 +348,7 @@ <span class="sourceLineNo">340</span> // all families must pass<a name="line.340"></a> <span class="sourceLineNo">341</span> for (Map.Entry<byte [], ? extends Collection<?>> family : families.entrySet()) {<a name="line.341"></a> <span class="sourceLineNo">342</span> // a) check for family level access<a name="line.342"></a> -<span class="sourceLineNo">343</span> if (getAuthManager().authorize(user, tableName, family.getKey(),<a name="line.343"></a> +<span class="sourceLineNo">343</span> if (getAuthManager().authorizeUserTable(user, tableName, family.getKey(),<a name="line.343"></a> <span class="sourceLineNo">344</span> permRequest)) {<a name="line.344"></a> <span class="sourceLineNo">345</span> continue; // family-level permission overrides per-qualifier<a name="line.345"></a> <span class="sourceLineNo">346</span> }<a name="line.346"></a> @@ -359,17 +359,17 @@ <span class="sourceLineNo">351</span> // for each qualifier of the family<a name="line.351"></a> <span class="sourceLineNo">352</span> Set<byte[]> familySet = (Set<byte[]>)family.getValue();<a name="line.352"></a> <span class="sourceLineNo">353</span> for (byte[] qualifier : familySet) {<a name="line.353"></a> -<span class="sourceLineNo">354</span> if (!getAuthManager().authorize(user, tableName, family.getKey(),<a name="line.354"></a> -<span class="sourceLineNo">355</span> qualifier, permRequest)) {<a name="line.355"></a> +<span class="sourceLineNo">354</span> if (!getAuthManager().authorizeUserTable(user, tableName,<a name="line.354"></a> +<span class="sourceLineNo">355</span> family.getKey(), qualifier, permRequest)) {<a name="line.355"></a> <span class="sourceLineNo">356</span> return AuthResult.deny(request, "Failed qualifier check", user,<a name="line.356"></a> -<span class="sourceLineNo">357</span> permRequest, tableName, makeFamilyMap(family.getKey(), qualifier));<a name="line.357"></a> +<span class="sourceLineNo">357</span> permRequest, tableName, makeFamilyMap(family.getKey(), qualifier));<a name="line.357"></a> <span class="sourceLineNo">358</span> }<a name="line.358"></a> <span class="sourceLineNo">359</span> }<a name="line.359"></a> <span class="sourceLineNo">360</span> } else if (family.getValue() instanceof List) { // List<Cell><a name="line.360"></a> <span class="sourceLineNo">361</span> List<Cell> cellList = (List<Cell>)family.getValue();<a name="line.361"></a> <span class="sourceLineNo">362</span> for (Cell cell : cellList) {<a name="line.362"></a> -<span class="sourceLineNo">363</span> if (!getAuthManager().authorize(user, tableName, family.getKey(),<a name="line.363"></a> -<span class="sourceLineNo">364</span> CellUtil.cloneQualifier(cell), permRequest)) {<a name="line.364"></a> +<span class="sourceLineNo">363</span> if (!getAuthManager().authorizeUserTable(user, tableName, family.getKey(),<a name="line.363"></a> +<span class="sourceLineNo">364</span> CellUtil.cloneQualifier(cell), permRequest)) {<a name="line.364"></a> <span class="sourceLineNo">365</span> return AuthResult.deny(request, "Failed qualifier check", user, permRequest,<a name="line.365"></a> <span class="sourceLineNo">366</span> tableName, makeFamilyMap(family.getKey(), CellUtil.cloneQualifier(cell)));<a name="line.366"></a> <span class="sourceLineNo">367</span> }<a name="line.367"></a> @@ -378,7 +378,7 @@ <span class="sourceLineNo">370</span> } else {<a name="line.370"></a> <span class="sourceLineNo">371</span> // no qualifiers and family-level check already failed<a name="line.371"></a> <span class="sourceLineNo">372</span> return AuthResult.deny(request, "Failed family check", user, permRequest,<a name="line.372"></a> -<span class="sourceLineNo">373</span> tableName, makeFamilyMap(family.getKey(), null));<a name="line.373"></a> +<span class="sourceLineNo">373</span> tableName, makeFamilyMap(family.getKey(), null));<a name="line.373"></a> <span class="sourceLineNo">374</span> }<a name="line.374"></a> <span class="sourceLineNo">375</span> }<a name="line.375"></a> <span class="sourceLineNo">376</span><a name="line.376"></a> @@ -495,2153 +495,2161 @@ <span class="sourceLineNo">487</span> familyMap.entrySet()) {<a name="line.487"></a> <span class="sourceLineNo">488</span> if (family.getValue() != null && !family.getValue().isEmpty()) {<a name="line.488"></a> <span class="sourceLineNo">489</span> for (byte[] qualifier : family.getValue()) {<a name="line.489"></a> -<span class="sourceLineNo">490</span> if (getAuthManager().matchPermission(user, tableName,<a name="line.490"></a> -<span class="sourceLineNo">491</span> family.getKey(), qualifier, perm)) {<a name="line.491"></a> +<span class="sourceLineNo">490</span> if (getAuthManager().authorizeUserTable(user, tableName,<a name="line.490"></a> +<span class="sourceLineNo">491</span> family.getKey(), qualifier, perm)) {<a name="line.491"></a> <span class="sourceLineNo">492</span> return true;<a name="line.492"></a> <span class="sourceLineNo">493</span> }<a name="line.493"></a> <span class="sourceLineNo">494</span> }<a name="line.494"></a> <span class="sourceLineNo">495</span> } else {<a name="line.495"></a> -<span class="sourceLineNo">496</span> if (getAuthManager().matchPermission(user, tableName, family.getKey(),<a name="line.496"></a> -<span class="sourceLineNo">497</span> perm)) {<a name="line.497"></a> -<span class="sourceLineNo">498</span> return true;<a name="line.498"></a> -<span class="sourceLineNo">499</span> }<a name="line.499"></a> -<span class="sourceLineNo">500</span> }<a name="line.500"></a> -<span class="sourceLineNo">501</span> }<a name="line.501"></a> -<span class="sourceLineNo">502</span> } else if (LOG.isDebugEnabled()) {<a name="line.502"></a> -<span class="sourceLineNo">503</span> LOG.debug("Empty family map passed for permission check");<a name="line.503"></a> -<span class="sourceLineNo">504</span> }<a name="line.504"></a> -<span class="sourceLineNo">505</span><a name="line.505"></a> -<span class="sourceLineNo">506</span> return false;<a name="line.506"></a> -<span class="sourceLineNo">507</span> }<a name="line.507"></a> -<span class="sourceLineNo">508</span><a name="line.508"></a> -<span class="sourceLineNo">509</span> private enum OpType {<a name="line.509"></a> -<span class="sourceLineNo">510</span> GET("get"),<a name="line.510"></a> -<span class="sourceLineNo">511</span> EXISTS("exists"),<a name="line.511"></a> -<span class="sourceLineNo">512</span> SCAN("scan"),<a name="line.512"></a> -<span class="sourceLineNo">513</span> PUT("put"),<a name="line.513"></a> -<span class="sourceLineNo">514</span> DELETE("delete"),<a name="line.514"></a> -<span class="sourceLineNo">515</span> CHECK_AND_PUT("checkAndPut"),<a name="line.515"></a> -<span class="sourceLineNo">516</span> CHECK_AND_DELETE("checkAndDelete"),<a name="line.516"></a> -<span class="sourceLineNo">517</span> INCREMENT_COLUMN_VALUE("incrementColumnValue"),<a name="line.517"></a> -<span class="sourceLineNo">518</span> APPEND("append"),<a name="line.518"></a> -<span class="sourceLineNo">519</span> INCREMENT("increment");<a name="line.519"></a> -<span class="sourceLineNo">520</span><a name="line.520"></a> -<span class="sourceLineNo">521</span> private String type;<a name="line.521"></a> -<span class="sourceLineNo">522</span><a name="line.522"></a> -<span class="sourceLineNo">523</span> private OpType(String type) {<a name="line.523"></a> -<span class="sourceLineNo">524</span> this.type = type;<a name="line.524"></a> -<span class="sourceLineNo">525</span> }<a name="line.525"></a> -<span class="sourceLineNo">526</span><a name="line.526"></a> -<span class="sourceLineNo">527</span> @Override<a name="line.527"></a> -<span class="sourceLineNo">528</span> public String toString() {<a name="line.528"></a> -<span class="sourceLineNo">529</span> return type;<a name="line.529"></a> -<span class="sourceLineNo">530</span> }<a name="line.530"></a> -<span class="sourceLineNo">531</span> }<a name="line.531"></a> -<span class="sourceLineNo">532</span><a name="line.532"></a> -<span class="sourceLineNo">533</span> /**<a name="line.533"></a> -<span class="sourceLineNo">534</span> * Determine if cell ACLs covered by the operation grant access. This is expensive.<a name="line.534"></a> -<span class="sourceLineNo">535</span> * @return false if cell ACLs failed to grant access, true otherwise<a name="line.535"></a> -<span class="sourceLineNo">536</span> * @throws IOException<a name="line.536"></a> -<span class="sourceLineNo">537</span> */<a name="line.537"></a> -<span class="sourceLineNo">538</span> private boolean checkCoveringPermission(User user, OpType request, RegionCoprocessorEnvironment e,<a name="line.538"></a> -<span class="sourceLineNo">539</span> byte[] row, Map<byte[], ? extends Collection<?>> familyMap, long opTs, Action... actions)<a name="line.539"></a> -<span class="sourceLineNo">540</span> throws IOException {<a name="line.540"></a> -<span class="sourceLineNo">541</span> if (!cellFeaturesEnabled) {<a name="line.541"></a> -<span class="sourceLineNo">542</span> return false;<a name="line.542"></a> -<span class="sourceLineNo">543</span> }<a name="line.543"></a> -<span class="sourceLineNo">544</span> long cellGrants = 0;<a name="line.544"></a> -<span class="sourceLineNo">545</span> long latestCellTs = 0;<a name="line.545"></a> -<span class="sourceLineNo">546</span> Get get = new Get(row);<a name="line.546"></a> -<span class="sourceLineNo">547</span> // Only in case of Put/Delete op, consider TS within cell (if set for individual cells).<a name="line.547"></a> -<span class="sourceLineNo">548</span> // When every cell, within a Mutation, can be linked with diff TS we can not rely on only one<a name="line.548"></a> -<span class="sourceLineNo">549</span> // version. We have to get every cell version and check its TS against the TS asked for in<a name="line.549"></a> -<span class="sourceLineNo">550</span> // Mutation and skip those Cells which is outside this Mutation TS.In case of Put, we have to<a name="line.550"></a> -<span class="sourceLineNo">551</span> // consider only one such passing cell. In case of Delete we have to consider all the cell<a name="line.551"></a> -<span class="sourceLineNo">552</span> // versions under this passing version. When Delete Mutation contains columns which are a<a name="line.552"></a> -<span class="sourceLineNo">553</span> // version delete just consider only one version for those column cells.<a name="line.553"></a> -<span class="sourceLineNo">554</span> boolean considerCellTs = (request == OpType.PUT || request == OpType.DELETE);<a name="line.554"></a> -<span class="sourceLineNo">555</span> if (considerCellTs) {<a name="line.555"></a> -<span class="sourceLineNo">556</span> get.setMaxVersions();<a name="line.556"></a> -<span class="sourceLineNo">557</span> } else {<a name="line.557"></a> -<span class="sourceLineNo">558</span> get.setMaxVersions(1);<a name="line.558"></a> -<span class="sourceLineNo">559</span> }<a name="line.559"></a> -<span class="sourceLineNo">560</span> boolean diffCellTsFromOpTs = false;<a name="line.560"></a> -<span class="sourceLineNo">561</span> for (Map.Entry<byte[], ? extends Collection<?>> entry: familyMap.entrySet()) {<a name="line.561"></a> -<span class="sourceLineNo">562</span> byte[] col = entry.getKey();<a name="line.562"></a> -<span class="sourceLineNo">563</span> // TODO: HBASE-7114 could possibly unify the collection type in family<a name="line.563"></a> -<span class="sourceLineNo">564</span> // maps so we would not need to do this<a name="line.564"></a> -<span class="sourceLineNo">565</span> if (entry.getValue() instanceof Set) {<a name="line.565"></a> -<span class="sourceLineNo">566</span> Set<byte[]> set = (Set<byte[]>)entry.getValue();<a name="line.566"></a> -<span class="sourceLineNo">567</span> if (set == null || set.isEmpty()) {<a name="line.567"></a> -<span class="sourceLineNo">568</span> get.addFamily(col);<a name="line.568"></a> -<span class="sourceLineNo">569</span> } else {<a name="line.569"></a> -<span class="sourceLineNo">570</span> for (byte[] qual: set) {<a name="line.570"></a> -<span class="sourceLineNo">571</span> get.addColumn(col, qual);<a name="line.571"></a> -<span class="sourceLineNo">572</span> }<a name="line.572"></a> -<span class="sourceLineNo">573</span> }<a name="line.573"></a> -<span class="sourceLineNo">574</span> } else if (entry.getValue() instanceof List) {<a name="line.574"></a> -<span class="sourceLineNo">575</span> List<Cell> list = (List<Cell>)entry.getValue();<a name="line.575"></a> -<span class="sourceLineNo">576</span> if (list == null || list.isEmpty()) {<a name="line.576"></a> -<span class="sourceLineNo">577</span> get.addFamily(col);<a name="line.577"></a> -<span class="sourceLineNo">578</span> } else {<a name="line.578"></a> -<span class="sourceLineNo">579</span> // In case of family delete, a Cell will be added into the list with Qualifier as null.<a name="line.579"></a> -<span class="sourceLineNo">580</span> for (Cell cell : list) {<a name="line.580"></a> -<span class="sourceLineNo">581</span> if (cell.getQualifierLength() == 0<a name="line.581"></a> -<span class="sourceLineNo">582</span> && (cell.getTypeByte() == Type.DeleteFamily.getCode()<a name="line.582"></a> -<span class="sourceLineNo">583</span> || cell.getTypeByte() == Type.DeleteFamilyVersion.getCode())) {<a name="line.583"></a> -<span class="sourceLineNo">584</span> get.addFamily(col);<a name="line.584"></a> -<span class="sourceLineNo">585</span> } else {<a name="line.585"></a> -<span class="sourceLineNo">586</span> get.addColumn(col, CellUtil.cloneQualifier(cell));<a name="line.586"></a> -<span class="sourceLineNo">587</span> }<a name="line.587"></a> -<span class="sourceLineNo">588</span> if (considerCellTs) {<a name="line.588"></a> -<span class="sourceLineNo">589</span> long cellTs = cell.getTimestamp();<a name="line.589"></a> -<span class="sourceLineNo">590</span> latestCellTs = Math.max(latestCellTs, cellTs);<a name="line.590"></a> -<span class="sourceLineNo">591</span> diffCellTsFromOpTs = diffCellTsFromOpTs || (opTs != cellTs);<a name="line.591"></a> -<span class="sourceLineNo">592</span> }<a name="line.592"></a> -<span class="sourceLineNo">593</span> }<a name="line.593"></a> -<span class="sourceLineNo">594</span> }<a name="line.594"></a> -<span class="sourceLineNo">595</span> } else if (entry.getValue() == null) {<a name="line.595"></a> -<span class="sourceLineNo">596</span> get.addFamily(col);<a name="line.596"></a> -<span class="sourceLineNo">597</span> } else {<a name="line.597"></a> -<span class="sourceLineNo">598</span> throw new RuntimeException("Unhandled collection type " +<a name="line.598"></a> -<span class="sourceLineNo">599</span> entry.getValue().getClass().getName());<a name="line.599"></a> -<span class="sourceLineNo">600</span> }<a name="line.600"></a> -<span class="sourceLineNo">601</span> }<a name="line.601"></a> -<span class="sourceLineNo">602</span> // We want to avoid looking into the future. So, if the cells of the<a name="line.602"></a> -<span class="sourceLineNo">603</span> // operation specify a timestamp, or the operation itself specifies a<a name="line.603"></a> -<span class="sourceLineNo">604</span> // timestamp, then we use the maximum ts found. Otherwise, we bound<a name="line.604"></a> -<span class="sourceLineNo">605</span> // the Get to the current server time. We add 1 to the timerange since<a name="line.605"></a> -<span class="sourceLineNo">606</span> // the upper bound of a timerange is exclusive yet we need to examine<a name="line.606"></a> -<span class="sourceLineNo">607</span> // any cells found there inclusively.<a name="line.607"></a> -<span class="sourceLineNo">608</span> long latestTs = Math.max(opTs, latestCellTs);<a name="line.608"></a> -<span class="sourceLineNo">609</span> if (latestTs == 0 || latestTs == HConstants.LATEST_TIMESTAMP) {<a name="line.609"></a> -<span class="sourceLineNo">610</span> latestTs = EnvironmentEdgeManager.currentTime();<a name="line.610"></a> -<span class="sourceLineNo">611</span> }<a name="line.611"></a> -<span class="sourceLineNo">612</span> get.setTimeRange(0, latestTs + 1);<a name="line.612"></a> -<span class="sourceLineNo">613</span> // In case of Put operation we set to read all versions. This was done to consider the case<a name="line.613"></a> -<span class="sourceLineNo">614</span> // where columns are added with TS other than the Mutation TS. But normally this wont be the<a name="line.614"></a> -<span class="sourceLineNo">615</span> // case with Put. There no need to get all versions but get latest version only.<a name="line.615"></a> -<span class="sourceLineNo">616</span> if (!diffCellTsFromOpTs && request == OpType.PUT) {<a name="line.616"></a> -<span class="sourceLineNo">617</span> get.setMaxVersions(1);<a name="line.617"></a> -<span class="sourceLineNo">618</span> }<a name="line.618"></a> -<span class="sourceLineNo">619</span> if (LOG.isTraceEnabled()) {<a name="line.619"></a> -<span class="sourceLineNo">620</span> LOG.trace("Scanning for cells with " + get);<a name="line.620"></a> -<span class="sourceLineNo">621</span> }<a name="line.621"></a> -<span class="sourceLineNo">622</span> // This Map is identical to familyMap. The key is a BR rather than byte[].<a name="line.622"></a> -<span class="sourceLineNo">623</span> // It will be easy to do gets over this new Map as we can create get keys over the Cell cf by<a name="line.623"></a> -<span class="sourceLineNo">624</span> // new SimpleByteRange(cell.familyArray, cell.familyOffset, cell.familyLen)<a name="line.624"></a> -<span class="sourceLineNo">625</span> Map<ByteRange, List<Cell>> familyMap1 = new HashMap<>();<a name="line.625"></a> -<span class="sourceLineNo">626</span> for (Entry<byte[], ? extends Collection<?>> entry : familyMap.entrySet()) {<a name="line.626"></a> -<span class="sourceLineNo">627</span> if (entry.getValue() instanceof List) {<a name="line.627"></a> -<span class="sourceLineNo">628</span> familyMap1.put(new SimpleMutableByteRange(entry.getKey()), (List<Cell>) entry.getValue());<a name="line.628"></a> -<span class="sourceLineNo">629</span> }<a name="line.629"></a> -<span class="sourceLineNo">630</span> }<a name="line.630"></a> -<span class="sourceLineNo">631</span> RegionScanner scanner = getRegion(e).getScanner(new Scan(get));<a name="line.631"></a> -<span class="sourceLineNo">632</span> List<Cell> cells = Lists.newArrayList();<a name="line.632"></a> -<span class="sourceLineNo">633</span> Cell prevCell = null;<a name="line.633"></a> -<span class="sourceLineNo">634</span> ByteRange curFam = new SimpleMutableByteRange();<a name="line.634"></a> -<span class="sourceLineNo">635</span> boolean curColAllVersions = (request == OpType.DELETE);<a name="line.635"></a> -<span class="sourceLineNo">636</span> long curColCheckTs = opTs;<a name="line.636"></a> -<span class="sourceLineNo">637</span> boolean foundColumn = false;<a name="line.637"></a> -<span class="sourceLineNo">638</span> try {<a name="line.638"></a> -<span class="sourceLineNo">639</span> boolean more = false;<a name="line.639"></a> -<span class="sourceLineNo">640</span> ScannerContext scannerContext = ScannerContext.newBuilder().setBatchLimit(1).build();<a name="line.640"></a> -<span class="sourceLineNo">641</span><a name="line.641"></a> -<span class="sourceLineNo">642</span> do {<a name="line.642"></a> -<span class="sourceLineNo">643</span> cells.clear();<a name="line.643"></a> -<span class="sourceLineNo">644</span> // scan with limit as 1 to hold down memory use on wide rows<a name="line.644"></a> -<span class="sourceLineNo">645</span> more = scanner.next(cells, scannerContext);<a name="line.645"></a> -<span class="sourceLineNo">646</span> for (Cell cell: cells) {<a name="line.646"></a> -<span class="sourceLineNo">647</span> if (LOG.isTraceEnabled()) {<a name="line.647"></a> -<span class="sourceLineNo">648</span> LOG.trace("Found cell " + cell);<a name="line.648"></a> -<span class="sourceLineNo">649</span> }<a name="line.649"></a> -<span class="sourceLineNo">650</span> boolean colChange = prevCell == null || !CellUtil.matchingColumn(prevCell, cell);<a name="line.650"></a> -<span class="sourceLineNo">651</span> if (colChange) foundColumn = false;<a name="line.651"></a> -<span class="sourceLineNo">652</span> prevCell = cell;<a name="line.652"></a> -<span class="sourceLineNo">653</span> if (!curColAllVersions && foundColumn) {<a name="line.653"></a> -<span class="sourceLineNo">654</span> continue;<a name="line.654"></a> -<span class="sourceLineNo">655</span> }<a name="line.655"></a> -<span class="sourceLineNo">656</span> if (colChange && considerCellTs) {<a name="line.656"></a> -<span class="sourceLineNo">657</span> curFam.set(cell.getFamilyArray(), cell.getFamilyOffset(), cell.getFamilyLength());<a name="line.657"></a> -<span class="sourceLineNo">658</span> List<Cell> cols = familyMap1.get(curFam);<a name="line.658"></a> -<span class="sourceLineNo">659</span> for (Cell col : cols) {<a name="line.659"></a> -<span class="sourceLineNo">660</span> // null/empty qualifier is used to denote a Family delete. The TS and delete type<a name="line.660"></a> -<span class="sourceLineNo">661</span> // associated with this is applicable for all columns within the family. That is<a name="line.661"></a> -<span class="sourceLineNo">662</span> // why the below (col.getQualifierLength() == 0) check.<a name="line.662"></a> -<span class="sourceLineNo">663</span> if ((col.getQualifierLength() == 0 && request == OpType.DELETE)<a name="line.663"></a> -<span class="sourceLineNo">664</span> || CellUtil.matchingQualifier(cell, col)) {<a name="line.664"></a> -<span class="sourceLineNo">665</span> byte type = col.getTypeByte();<a name="line.665"></a> -<span class="sourceLineNo">666</span> if (considerCellTs) {<a name="line.666"></a> -<span class="sourceLineNo">667</span> curColCheckTs = col.getTimestamp();<a name="line.667"></a> -<span class="sourceLineNo">668</span> }<a name="line.668"></a> -<span class="sourceLineNo">669</span> // For a Delete op we pass allVersions as true. When a Delete Mutation contains<a name="line.669"></a> -<span class="sourceLineNo">670</span> // a version delete for a column no need to check all the covering cells within<a name="line.670"></a> -<span class="sourceLineNo">671</span> // that column. Check all versions when Type is DeleteColumn or DeleteFamily<a name="line.671"></a> -<span class="sourceLineNo">672</span> // One version delete types are Delete/DeleteFamilyVersion<a name="line.672"></a> -<span class="sourceLineNo">673</span> curColAllVersions = (KeyValue.Type.DeleteColumn.getCode() == type)<a name="line.673"></a> -<span class="sourceLineNo">674</span> || (KeyValue.Type.DeleteFamily.getCode() == type);<a name="line.674"></a> -<span class="sourceLineNo">675</span> break;<a name="line.675"></a> -<span class="sourceLineNo">676</span> }<a name="line.676"></a> -<span class="sourceLineNo">677</span> }<a name="line.677"></a> -<span class="sourceLineNo">678</span> }<a name="line.678"></a> -<span class="sourceLineNo">679</span> if (cell.getTimestamp() > curColCheckTs) {<a name="line.679"></a> -<span class="sourceLineNo">680</span> // Just ignore this cell. This is not a covering cell.<a name="line.680"></a> -<span class="sourceLineNo">681</span> continue;<a name="line.681"></a> -<span class="sourceLineNo">682</span> }<a name="line.682"></a> -<span class="sourceLineNo">683</span> foundColumn = true;<a name="line.683"></a> -<span class="sourceLineNo">684</span> for (Action action: actions) {<a name="line.684"></a> -<span class="sourceLineNo">685</span> // Are there permissions for this user for the cell?<a name="line.685"></a> -<span class="sourceLineNo">686</span> if (!getAuthManager().authorize(user, getTableName(e), cell, action)) {<a name="line.686"></a> -<span class="sourceLineNo">687</span> // We can stop if the cell ACL denies access<a name="line.687"></a> -<span class="sourceLineNo">688</span> return false;<a name="line.688"></a> -<span class="sourceLineNo">689</span> }<a name="line.689"></a> -<span class="sourceLineNo">690</span> }<a name="line.690"></a> -<span class="sourceLineNo">691</span> cellGrants++;<a name="line.691"></a> -<span class="sourceLineNo">692</span> }<a name="line.692"></a> -<span class="sourceLineNo">693</span> } while (more);<a name="line.693"></a> -<span class="sourceLineNo">694</span> } catch (AccessDeniedException ex) {<a name="line.694"></a> -<span class="sourceLineNo">695</span> throw ex;<a name="line.695"></a> -<span class="sourceLineNo">696</span> } catch (IOException ex) {<a name="line.696"></a> -<span class="sourceLineNo">697</span> LOG.error("Exception while getting cells to calculate covering permission", ex);<a name="line.697"></a> -<span class="sourceLineNo">698</span> } finally {<a name="line.698"></a> -<span class="sourceLineNo">699</span> scanner.close();<a name="line.699"></a> -<span class="sourceLineNo">700</span> }<a name="line.700"></a> -<span class="sourceLineNo">701</span> // We should not authorize unless we have found one or more cell ACLs that<a name="line.701"></a> -<span class="sourceLineNo">702</span> // grant access. This code is used to check for additional permissions<a name="line.702"></a> -<span class="sourceLineNo">703</span> // after no table or CF grants are found.<a name="line.703"></a> -<span class="sourceLineNo">704</span> return cellGrants > 0;<a name="line.704"></a> -<span class="sourceLineNo">705</span> }<a name="line.705"></a> -<span class="sourceLineNo">706</span><a name="line.706"></a> -<span class="sourceLineNo">707</span> private static void addCellPermissions(final byte[] perms, Map<byte[], List<Cell>> familyMap) {<a name="line.707"></a> -<span class="sourceLineNo">708</span> // Iterate over the entries in the familyMap, replacing the cells therein<a name="line.708"></a> -<span class="sourceLineNo">709</span> // with new cells including the ACL data<a name="line.709"></a> -<span class="sourceLineNo">710</span> for (Map.Entry<byte[], List<Cell>> e: familyMap.entrySet()) {<a name="line.710"></a> -<span class="sourceLineNo">711</span> List<Cell> newCells = Lists.newArrayList();<a name="line.711"></a> -<span class="sourceLineNo">712</span> for (Cell cell: e.getValue()) {<a name="line.712"></a> -<span class="sourceLineNo">713</span> // Prepend the supplied perms in a new ACL tag to an update list of tags for the cell<a name="line.713"></a> -<span class="sourceLineNo">714</span> List<Tag> tags = new ArrayList<>();<a name="line.714"></a> -<span class="sourceLineNo">715</span> tags.add(new ArrayBackedTag(AccessControlLists.ACL_TAG_TYPE, perms));<a name="line.715"></a> -<span class="sourceLineNo">716</span> Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(cell);<a name="line.716"></a> -<span class="sourceLineNo">717</span> while (tagIterator.hasNext()) {<a name="line.717"></a> -<span class="sourceLineNo">718</span> tags.add(tagIterator.next());<a name="line.718"></a> -<span class="sourceLineNo">719</span> }<a name="line.719"></a> -<span class="sourceLineNo">720</span> newCells.add(PrivateCellUtil.createCell(cell, tags));<a name="line.720"></a> -<span class="sourceLineNo">721</span> }<a name="line.721"></a> -<span class="sourceLineNo">722</span> // This is supposed to be safe, won't CME<a name="line.722"></a> -<span class="sourceLineNo">723</span> e.setValue(newCells);<a name="line.723"></a> -<span class="sourceLineNo">724</span> }<a name="line.724"></a> -<span class="sourceLineNo">725</span> }<a name="line.725"></a> -<span class="sourceLineNo">726</span><a name="line.726"></a> -<span class="sourceLineNo">727</span> // Checks whether incoming cells contain any tag with type as ACL_TAG_TYPE. This tag<a name="line.727"></a> -<span class="sourceLineNo">728</span> // type is reserved and should not be explicitly set by user.<a name="line.728"></a> -<span class="sourceLineNo">729</span> private void checkForReservedTagPresence(User user, Mutation m) throws IOException {<a name="line.729"></a> -<span class="sourceLineNo">730</span> // No need to check if we're not going to throw<a name="line.730"></a> -<span class="sourceLineNo">731</span> if (!authorizationEnabled) {<a name="line.731"></a> -<span class="sourceLineNo">732</span> m.setAttribute(TAG_CHECK_PASSED, TRUE);<a name="line.732"></a> -<span class="sourceLineNo">733</span> return;<a name="line.733"></a> -<span class="sourceLineNo">734</span> }<a name="line.734"></a> -<span class="sourceLineNo">735</span> // Superusers are allowed to store cells unconditionally.<a name="line.735"></a> -<span class="sourceLineNo">736</span> if (Superusers.isSuperUser(user)) {<a name="line.736"></a> -<span class="sourceLineNo">737</span> m.setAttribute(TAG_CHECK_PASSED, TRUE);<a name="line.737"></a> -<span class="sourceLineNo">738</span> return;<a name="line.738"></a> -<span class="sourceLineNo">739</span> }<a name="line.739"></a> -<span class="sourceLineNo">740</span> // We already checked (prePut vs preBatchMutation)<a name="line.740"></a> -<span class="sourceLineNo">741</span> if (m.getAttribute(TAG_CHECK_PASSED) != null) {<a name="line.741"></a> -<span class="sourceLineNo">742</span> return;<a name="line.742"></a> -<span class="sourceLineNo">743</span> }<a name="line.743"></a> -<span class="sourceLineNo">744</span> for (CellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {<a name="line.744"></a> -<span class="sourceLineNo">745</span> Iterator<Tag> tagsItr = PrivateCellUtil.tagsIterator(cellScanner.current());<a name="line.745"></a> -<span class="sourceLineNo">746</span> while (tagsItr.hasNext()) {<a name="line.746"></a> -<span class="sourceLineNo">747</span> if (tagsItr.next().getType() == AccessControlLists.ACL_TAG_TYPE) {<a name="line.747"></a> -<span class="sourceLineNo">748</span> throw new AccessDeniedException("Mutation contains cell with reserved type tag");<a name="line.748"></a> -<span class="sourceLineNo">749</span> }<a name="line.749"></a> -<span class="sourceLineNo">750</span> }<a name="line.750"></a> -<span class="sourceLineNo">751</span> }<a name="line.751"></a> -<span class="sourceLineNo">752</span> m.setAttribute(TAG_CHECK_PASSED, TRUE);<a name="line.752"></a> -<span class="sourceLineNo">753</span> }<a name="line.753"></a> -<span class="sourceLineNo">754</span><a name="line.754"></a> -<span class="sourceLineNo">755</span> /* ---- MasterObserver implementation ---- */<a name="line.755"></a> -<span class="sourceLineNo">756</span> @Override<a name="line.756"></a> -<span class="sourceLineNo">757</span> public void start(CoprocessorEnvironment env) throws IOException {<a name="line.757"></a> -<span class="sourceLineNo">758</span> CompoundConfiguration conf = new CompoundConfiguration();<a name="line.758"></a> -<span class="sourceLineNo">759</span> conf.add(env.getConfiguration());<a name="line.759"></a> -<span class="sourceLineNo">760</span><a name="line.760"></a> -<span class="sourceLineNo">761</span> authorizationEnabled = AccessChecker.isAuthorizationSupported(conf);<a name="line.761"></a> -<span class="sourceLineNo">762</span> if (!authorizationEnabled) {<a name="line.762"></a> -<span class="sourceLineNo">763</span> LOG.warn("AccessController has been loaded with authorization checks DISABLED!");<a name="line.763"></a> -<span class="sourceLineNo">764</span> }<a name="line.764"></a> -<span class="sourceLineNo">765</span><a name="line.765"></a> -<span class="sourceLineNo">766</span> shouldCheckExecPermission = conf.getBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY,<a name="line.766"></a> -<span class="sourceLineNo">767</span> AccessControlConstants.DEFAULT_EXEC_PERMISSION_CHECKS);<a name="line.767"></a> -<span class="sourceLineNo">768</span><a name="line.768"></a> -<span class="sourceLineNo">769</span> cellFeaturesEnabled = (HFile.getFormatVersion(conf) >= HFile.MIN_FORMAT_VERSION_WITH_TAGS);<a name="line.769"></a> -<span class="sourceLineNo">770</span> if (!cellFeaturesEnabled) {<a name="line.770"></a> -<span class="sourceLineNo">771</span> LOG.info("A minimum HFile version of " + HFile.MIN_FORMAT_VERSION_WITH_TAGS<a name="line.771"></a> -<span class="sourceLineNo">772</span> + " is required to persist cell ACLs. Consider setting " + HFile.FORMAT_VERSION_KEY<a name="line.772"></a> -<span class="sourceLineNo">773</span> + " accordingly.");<a name="line.773"></a> -<span class="sourceLineNo">774</span> }<a name="line.774"></a> -<span class="sourceLineNo">775</span><a name="line.775"></a> -<span class="sourceLineNo">776</span> ZKWatcher zk = null;<a name="line.776"></a> -<span class="sourceLineNo">777</span> if (env instanceof MasterCoprocessorEnvironment) {<a name="line.777"></a> -<span class="sourceLineNo">778</span> // if running on HMaster<a name="line.778"></a> -<span class="sourceLineNo">779</span> MasterCoprocessorEnvironment mEnv = (MasterCoprocessorEnvironment)env;<a name="line.779"></a> -<span class="sourceLineNo">780</span> if (mEnv instanceof HasMasterServices) {<a name="line.780"></a> -<span class="sourceLineNo">781</span> zk = ((HasMasterServices)mEnv).getMasterServices().getZooKeeper();<a name="line.781"></a> -<span class="sourceLineNo">782</span> }<a name="line.782"></a> -<span class="sourceLineNo">783</span> } else if (env instanceof RegionServerCoprocessorEnvironment) {<a name="line.783"></a> -<span class="sourceLineNo">784</span> RegionServerCoprocessorEnvironment rsEnv = (RegionServerCoprocessorEnvironment)env;<a name="line.784"></a> -<span class="sourceLineNo">785</span> if (rsEnv instanceof HasRegionServerServices) {<a name="line.785"></a> -<span class="sourceLineNo">786</span> zk = ((HasRegionServerServices)rsEnv).getRegionServerServices().getZooKeeper();<a name="line.786"></a> -<span class="sourceLineNo">787</span> }<a name="line.787"></a> -<span class="sourceLineNo">788</span> } else if (env instanceof RegionCoprocessorEnvironment) {<a name="line.788"></a> -<span class="sourceLineNo">789</span> // if running at region<a name="line.789"></a> -<span class="sourceLineNo">790</span> regionEnv = (RegionCoprocessorEnvironment) env;<a name="line.790"></a> -<span class="sourceLineNo">791</span> conf.addBytesMap(regionEnv.getRegion().getTableDescriptor().getValues());<a name="line.791"></a> -<span class="sourceLineNo">792</span> compatibleEarlyTermination = conf.getBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT,<a name="line.792"></a> -<span class="sourceLineNo">793</span> AccessControlConstants.DEFAULT_ATTRIBUTE_EARLY_OUT);<a name="line.793"></a> -<span class="sourceLineNo">794</span> if (regionEnv instanceof HasRegionServerServices) {<a name="line.794"></a> -<span class="sourceLineNo">795</span> zk = ((HasRegionServerServices)regionEnv).getRegionServerServices().getZooKeeper();<a name="line.795"></a> -<span class="sourceLineNo">796</span> }<a name="line.796"></a> -<span class="sourceLineNo">797</span> }<a name="line.797"></a> -<span class="sourceLineNo">798</span><a name="line.798"></a> -<span class="sourceLineNo">799</span> // set the user-provider.<a name="line.799"></a> -<span class="sourceLineNo">800</span> this.userProvider = UserProvider.instantiate(env.getConfiguration());<a name="line.800"></a> -<span class="sourceLineNo">801</span> // Throws RuntimeException if fails to load TableAuthManager so that coprocessor is unloaded.<a name="line.801"></a> -<span class="sourceLineNo">802</span> accessChecker = new AccessChecker(env.getConfiguration(), zk);<a name="line.802"></a> -<span class="sourceLineNo">803</span> tableAcls = new MapMaker().weakValues().makeMap();<a name="line.803"></a> -<span class="sourceLineNo">804</span> }<a name="line.804"></a> -<span class="sourceLineNo">805</span><a name="line.805"></a> -<span class="sourceLineNo">806</span> @Override<a name="line.806"></a> -<span class="sourceLineNo">807</span> public void stop(CoprocessorEnvironment env) {<a name="line.807"></a> -<span class="sourceLineNo">808</span> accessChecker.stop();<a name="line.808"></a> -<span class="sourceLineNo">809</span> }<a name="line.809"></a> -<span class="sourceLineNo">810</span><a name="line.810"></a> -<span class="sourceLineNo">811</span> /*********************************** Observer/Service Getters ***********************************/<a name="line.811"></a> -<span class="sourceLineNo">812</span> @Override<a name="line.812"></a> -<span class="sourceLineNo">813</span> public Optional<RegionObserver> getRegionObserver() {<a name="line.813"></a> -<span class="sourceLineNo">814</span> return Optional.of(this);<a name="line.814"></a> -<span class="sourceLineNo">815</span> }<a name="line.815"></a> -<span class="sourceLineNo">816</span><a name="line.816"></a> -<span class="sourceLineNo">817</span> @Override<a name="line.817"></a> -<span class="sourceLineNo">818</span> public Optional<MasterObserver> getMasterObserver() {<a name="line.818"></a> -<span class="sourceLineNo">819</span> return Optional.of(this);<a name="line.819"></a> -<span class="sourceLineNo">820</span> }<a name="line.820"></a> -<span class="sourceLineNo">821</span><a name="line.821"></a> -<span class="sourceLineNo">822</span> @Override<a name="line.822"></a> -<span class="sourceLineNo">823</span> public Optional<EndpointObserver> getEndpointObserver() {<a name="line.823"></a> -<span class="sourceLineNo">824</span> return Optional.of(this);<a name="line.824"></a> -<span class="sourceLineNo">825</span> }<a name="line.825"></a> -<span class="sourceLineNo">826</span><a name="line.826"></a> -<span class="sourceLineNo">827</span> @Override<a name="line.827"></a> -<span class="sourceLineNo">828</span> public Optional<BulkLoadObserver> getBulkLoadObserver() {<a name="line.828"></a> -<span class="sourceLineNo">829</span> return Optional.of(this);<a name="line.829"></a> -<span class="sourceLineNo">830</span> }<a name="line.830"></a> -<span class="sourceLineNo">831</span><a name="line.831"></a> -<span class="sourceLineNo">832</span> @Override<a name="line.832"></a> -<span class="sourceLineNo">833</span> public Optional<RegionServerObserver> getRegionServerObserver() {<a name="line.833"></a> -<span class="sourceLineNo">834</span> return Optional.of(this);<a name="line.834"></a> -<span class="sourceLineNo">835</span> }<a name="line.835"></a> -<span class="sourceLineNo">836</span><a name="line.836"></a> -<span class="sourceLineNo">837</span> @Override<a name="line.837"></a> -<span class="sourceLineNo">838</span> public Iterable<Service> getServices() {<a name="line.838"></a> -<span class="sourceLineNo">839</span> return Collections.singleton(<a name="line.839"></a> -<span class="sourceLineNo">840</span> AccessControlProtos.AccessControlService.newReflectiveService(this));<a name="line.840"></a> -<span class="sourceLineNo">841</span> }<a name="line.841"></a> -<span class="sourceLineNo">842</span><a name="line.842"></a> -<span class="sourceLineNo">843</span> /*********************************** Observer implementations ***********************************/<a name="line.843"></a> -<span class="sourceLineNo">844</span><a name="line.844"></a> -<span class="sourceLineNo">845</span> @Override<a name="line.845"></a> -<span class="sourceLineNo">846</span> public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.846"></a> -<span class="sourceLineNo">847</span> TableDescriptor desc, RegionInfo[] regions) throws IOException {<a name="line.847"></a> -<span class="sourceLineNo">848</span> Set<byte[]> families = desc.getColumnFamilyNames();<a name="line.848"></a> -<span class="sourceLineNo">849</span> Map<byte[], Set<byte[]>> familyMap = new TreeMap<>(Bytes.BYTES_COMPARATOR);<a name="line.849"></a> -<span class="sourceLineNo">850</span> for (byte[] family: families) {<a name="line.850"></a> -<span class="sourceLineNo">851</span> familyMap.put(family, null);<a name="line.851"></a> -<span class="sourceLineNo">852</span> }<a name="line.852"></a> -<span class="sourceLineNo">853</span> requireNamespacePermission(c, "createTable",<a name="line.853"></a> -<span class="sourceLineNo">854</span> desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);<a name="line.854"></a> -<span class="sourceLineNo">855</span> }<a name="line.855"></a> -<span class="sourceLineNo">856</span><a name="line.856"></a> -<span class="sourceLineNo">857</span> @Override<a name="line.857"></a> -<span class="sourceLineNo">858</span> public void postCompletedCreateTableAction(<a name="line.858"></a> -<span class="sourceLineNo">859</span> final ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.859"></a> -<span class="sourceLineNo">860</span> final TableDescriptor desc,<a name="line.860"></a> -<span class="sourceLineNo">861</span> final RegionInfo[] regions) throws IOException {<a name="line.861"></a> -<span class="sourceLineNo">862</span> // When AC is used, it should be configured as the 1st CP.<a name="line.862"></a> -<span class="sourceLineNo">863</span> // In Master, the table operations like create, are handled by a Thread pool but the max size<a name="line.863"></a> -<span class="sourceLineNo">864</span> // for this pool is 1. So if multiple CPs create tables on startup, these creations will happen<a name="line.864"></a> -<span class="sourceLineNo">865</span> // sequentially only.<a name="line.865"></a> -<span class="sourceLineNo">866</span> // Related code in HMaster#startServiceThreads<a name="line.866"></a> -<span class="sourceLineNo">867</span> // {code}<a name="line.867"></a> -<span class="sourceLineNo">868</span> // // We depend on there being only one instance of this executor running<a name="line.868"></a> -<span class="sourceLineNo">869</span> // // at a time. To do concurrency, would need fencing of enable/disable of<a name="line.869"></a> -<span class="sourceLineNo">870</span> // // tables.<a name="line.870"></a> -<span class="sourceLineNo">871</span> // this.service.startExecutorService(ExecutorType.MASTER_TABLE_OPERATIONS, 1);<a name="line.871"></a> -<span class="sourceLineNo">872</span> // {code}<a name="line.872"></a> -<span class="sourceLineNo">873</span> // In future if we change this pool to have more threads, then there is a chance for thread,<a name="line.873"></a> -<span class="sourceLineNo">874</span> // creating acl table, getting delayed and by that time another table creation got over and<a name="line.874"></a> -<span class="sourceLineNo">875</span> // this hook is getting called. In such a case, we will need a wait logic here which will<a name="line.875"></a> -<span class="sourceLineNo">876</span> // wait till the acl table is created.<a name="line.876"></a> -<span class="sourceLineNo">877</span> if (AccessControlLists.isAclTable(desc)) {<a name="line.877"></a> -<span class="sourceLineNo">878</span> this.aclTabAvailable = true;<a name="line.878"></a> -<span class="sourceLineNo">879</span> } else if (!(TableName.NAMESPACE_TABLE_NAME.equals(desc.getTableName()))) {<a name="line.879"></a> -<span class="sourceLineNo">880</span> if (!aclTabAvailable) {<a name="line.880"></a> -<span class="sourceLineNo">881</span> LOG.warn("Not adding owner permission for table " + desc.getTableName() + ". "<a name="line.881"></a> -<span class="sourceLineNo">882</span> + AccessControlLists.ACL_TABLE_NAME + " is not yet created. "<a name="line.882"></a> -<span class="sourceLineNo">883</span> + getClass().getSimpleName() + " should be configured as the first Coprocessor");<a name="line.883"></a> -<span class="sourceLineNo">884</span> } else {<a name="line.884"></a> -<span class="sourceLineNo">885</span> String owner = desc.getOwnerString();<a name="line.885"></a> -<span class="sourceLineNo">886</span> // default the table owner to current user, if not specified.<a name="line.886"></a> -<span class="sourceLineNo">887</span> if (owner == null)<a name="line.887"></a> -<span class="sourceLineNo">888</span> owner = getActiveUser(c).getShortName();<a name="line.888"></a> -<span class="sourceLineNo">889</span> final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),<a name="line.889"></a> -<span class="sourceLineNo">890</span> desc.getTableName(), null, Action.values());<a name="line.890"></a> -<span class="sourceLineNo">891</span> // switch to the real hbase master user for doing the RPC on the ACL table<a name="line.891"></a> -<span class="sourceLineNo">892</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.892"></a> -<span class="sourceLineNo">893</span> @Override<a name="line.893"></a> -<span class="sourceLineNo">894</span> public Void run() throws Exception {<a name="line.894"></a> -<span class="sourceLineNo">895</span> try (Table table = c.getEnvironment().getConnection().<a name="line.895"></a> -<span class="sourceLineNo">896</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.896"></a> -<span class="sourceLineNo">897</span> AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),<a name="line.897"></a> -<span class="sourceLineNo">898</span> userperm, table);<a name="line.898"></a> -<span class="sourceLineNo">899</span> }<a name="line.899"></a> -<span class="sourceLineNo">900</span> return null;<a name="line.900"></a> -<span class="sourceLineNo">901</span> }<a name="line.901"></a> -<span class="sourceLineNo">902</span> });<a name="line.902"></a> -<span class="sourceLineNo">903</span> }<a name="line.903"></a> -<span class="sourceLineNo">904</span> }<a name="line.904"></a> -<span class="sourceLineNo">905</span> }<a name="line.905"></a> -<span class="sourceLineNo">906</span><a name="line.906"></a> -<span class="sourceLineNo">907</span> @Override<a name="line.907"></a> -<span class="sourceLineNo">908</span> public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.908"></a> -<span class="sourceLineNo">909</span> throws IOException {<a name="line.909"></a> -<span class="sourceLineNo">910</span> requirePermission(c, "deleteTable",<a name="line.910"></a> -<span class="sourceLineNo">911</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.911"></a> -<span class="sourceLineNo">912</span> }<a name="line.912"></a> -<span class="sourceLineNo">913</span><a name="line.913"></a> -<span class="sourceLineNo">914</span> @Override<a name="line.914"></a> -<span class="sourceLineNo">915</span> public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.915"></a> -<span class="sourceLineNo">916</span> final TableName tableName) throws IOException {<a name="line.916"></a> -<span class="sourceLineNo">917</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.917"></a> -<span class="sourceLineNo">918</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.918"></a> -<span class="sourceLineNo">919</span> @Override<a name="line.919"></a> -<span class="sourceLineNo">920</span> public Void run() throws Exception {<a name="line.920"></a> -<span class="sourceLineNo">921</span> try (Table table = c.getEnvironment().getConnection().<a name="line.921"></a> -<span class="sourceLineNo">922</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.922"></a> -<span class="sourceLineNo">923</span> AccessControlLists.removeTablePermissions(conf, tableName, table);<a name="line.923"></a> -<span class="sourceLineNo">924</span> }<a name="line.924"></a> -<span class="sourceLineNo">925</span> return null;<a name="line.925"></a> -<span class="sourceLineNo">926</span> }<a name="line.926"></a> -<span class="sourceLineNo">927</span> });<a name="line.927"></a> -<span class="sourceLineNo">928</span> getAuthManager().getZKPermissionWatcher().deleteTableACLNode(tableName);<a name="line.928"></a> -<span class="sourceLineNo">929</span> }<a name="line.929"></a> -<span class="sourceLineNo">930</span><a name="line.930"></a> -<span class="sourceLineNo">931</span> @Override<a name="line.931"></a> -<span class="sourceLineNo">932</span> public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.932"></a> -<span class="sourceLineNo">933</span> final TableName tableName) throws IOException {<a name="line.933"></a> -<span class="sourceLineNo">934</span> requirePermission(c, "truncateTable",<a name="line.934"></a> -<span class="sourceLineNo">935</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.935"></a> -<span class="sourceLineNo">936</span><a name="line.936"></a> -<span class="sourceLineNo">937</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.937"></a> -<span class="sourceLineNo">938</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.938"></a> -<span class="sourceLineNo">939</span> @Override<a name="line.939"></a> -<span class="sourceLineNo">940</span> public Void run() throws Exception {<a name="line.940"></a> -<span class="sourceLineNo">941</span> List<UserPermission> acls =<a name="line.941"></a> -<span class="sourceLineNo">942</span> AccessControlLists.getUserTablePermissions(conf, tableName, null, null, null, false);<a name="line.942"></a> -<span class="sourceLineNo">943</span> if (acls != null) {<a name="line.943"></a> -<span class="sourceLineNo">944</span> tableAcls.put(tableName, acls);<a name="line.944"></a> -<span class="sourceLineNo">945</span> }<a name="line.945"></a> -<span class="sourceLineNo">946</span> return null;<a name="line.946"></a> -<span class="sourceLineNo">947</span> }<a name="line.947"></a> -<span class="sourceLineNo">948</span> });<a name="line.948"></a> -<span class="sourceLineNo">949</span> }<a name="line.949"></a> -<span class="sourceLineNo">950</span><a name="line.950"></a> -<span class="sourceLineNo">951</span> @Override<a name="line.951"></a> -<span class="sourceLineNo">952</span> public void postTruncateTable(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.952"></a> -<span class="sourceLineNo">953</span> final TableName tableName) throws IOException {<a name="line.953"></a> -<span class="sourceLineNo">954</span> final Configuration conf = ctx.getEnvironment().getConfiguration();<a name="line.954"></a> -<span class="sourceLineNo">955</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.955"></a> -<span class="sourceLineNo">956</span> @Override<a name="line.956"></a> -<span class="sourceLineNo">957</span> public Void run() throws Exception {<a name="line.957"></a> -<span class="sourceLineNo">958</span> List<UserPermission> perms = tableAcls.get(tableName);<a name="line.958"></a> -<span class="sourceLineNo">959</span> if (perms != null) {<a name="line.959"></a> -<span class="sourceLineNo">960</span> for (UserPermission perm : perms) {<a name="line.960"></a> -<span class="sourceLineNo">961</span> try (Table table = ctx.getEnvironment().getConnection().<a name="line.961"></a> -<span class="sourceLineNo">962</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.962"></a> -<span class="sourceLineNo">963</span> AccessControlLists.addUserPermission(conf, perm, table);<a name="line.963"></a> -<span class="sourceLineNo">964</span> }<a name="line.964"></a> -<span class="sourceLineNo">965</span> }<a name="line.965"></a> -<span class="sourceLineNo">966</span> }<a name="line.966"></a> -<span class="sourceLineNo">967</span> tableAcls.remove(tableName);<a name="line.967"></a> -<span class="sourceLineNo">968</span> return null;<a name="line.968"></a> -<span class="sourceLineNo">969</span> }<a name="line.969"></a> -<span class="sourceLineNo">970</span> });<a name="line.970"></a> -<span class="sourceLineNo">971</span> }<a name="line.971"></a> -<span class="sourceLineNo">972</span><a name="line.972"></a> -<span class="sourceLineNo">973</span> @Override<a name="line.973"></a> -<span class="sourceLineNo">974</span> public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,<a name="line.974"></a> -<span class="sourceLineNo">975</span> TableDescriptor currentDesc, TableDescriptor newDesc) throws IOException {<a name="line.975"></a> -<span class="sourceLineNo">976</span> // TODO: potentially check if this is a add/modify/delete column operation<a name="line.976"></a> -<span class="sourceLineNo">977</span> requirePermission(c, "modifyTable",<a name="line.977"></a> -<span class="sourceLineNo">978</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.978"></a> -<span class="sourceLineNo">979</span> }<a name="line.979"></a> -<span class="sourceLineNo">980</span><a name="line.980"></a> -<span class="sourceLineNo">981</span> @Override<a name="line.981"></a> -<span class="sourceLineNo">982</span> public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,<a name="line.982"></a> -<span class="sourceLineNo">983</span> TableDescriptor oldDesc, TableDescriptor currentDesc) throws IOException {<a name="line.983"></a> -<span class="sourceLineNo">984</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.984"></a> -<span class="sourceLineNo">985</span> // default the table owner to current user, if not specified.<a name="line.985"></a> -<span class="sourceLineNo">986</span> final String owner = (currentDesc.getOwnerString() != null) ? currentDesc.getOwnerString() :<a name="line.986"></a> -<span class="sourceLineNo">987</span> getActiveUser(c).getShortName();<a name="line.987"></a> -<span class="sourceLineNo">988</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.988"></a> -<span class="sourceLineNo">989</span> @Override<a name="line.989"></a> -<span class="sourceLineNo">990</span> public Void run() throws Exception {<a name="line.990"></a> -<span class="sourceLineNo">991</span> UserPermission userperm = new UserPermission(Bytes.toBytes(owner),<a name="line.991"></a> -<span class="sourceLineNo">992</span> currentDesc.getTableName(), null, Action.values());<a name="line.992"></a> -<span class="sourceLineNo">993</span> try (Table table = c.getEnvironment().getConnection().<a name="line.993"></a> -<span class="sourceLineNo">994</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.994"></a> -<span class="sourceLineNo">995</span> AccessControlLists.addUserPermission(conf, userperm, table);<a name="line.995"></a> -<span class="sourceLineNo">996</span> }<a name="line.996"></a> -<span class="sourceLineNo">997</span> return null;<a name="line.997"></a> -<span class="sourceLineNo">998</span> }<a name="line.998"></a> -<span class="sourceLineNo">999</span> });<a name="line.999"></a> -<span class="sourceLineNo">1000</span> }<a name="line.1000"></a> -<span class="sourceLineNo">1001</span><a name="line.1001"></a> -<span class="sourceLineNo">1002</span> @Override<a name="line.1002"></a> -<span class="sourceLineNo">1003</span> public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.1003"></a> -<span class="sourceLineNo">1004</span> throws IOException {<a name="line.1004"></a> -<span class="sourceLineNo">1005</span> requirePermission(c, "enableTable",<a name="line.1005"></a> -<span class="sourceLineNo">1006</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.1006"></a> -<span class="sourceLineNo">1007</span> }<a name="line.1007"></a> -<span class="sourceLineNo">1008</span><a name="line.1008"></a> -<span class="sourceLineNo">1009</span> @Override<a name="line.1009"></a> -<span class="sourceLineNo">1010</span> public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.1010"></a> -<span class="sourceLineNo">1011</span> throws IOException {<a name="line.1011"></a> -<span class="sourceLineNo">1012</span> if (Bytes.equals(tableName.getName(), AccessControlLists.ACL_GLOBAL_NAME)) {<a name="line.1012"></a> -<span class="sourceLineNo">1013</span> // We have to unconditionally disallow disable of the ACL table when we are installed,<a name="line.1013"></a> -<span class="sourceLineNo">1014</span> // even if not enforcing authorizations. We are still allowing grants and revocations,<a name="line.1014"></a> -<span class="sourceLineNo">1015</span> // checking permissions and logging audit messages, etc. If the ACL table is not<a name="line.1015"></a> -<span class="sourceLineNo">1016</span> // available we will fail random actions all over the place.<a name="line.1016"></a> -<span class="sourceLineNo">1017</span> throw new AccessDeniedException("Not allowed to disable "<a name="line.1017"></a> -<span class="sourceLineNo">1018</span> + AccessControlLists.ACL_TABLE_NAME + " table with AccessController installed");<a name="line.1018"></a> -<span class="sourceLineNo">1019</span> }<a name="line.1019"></a> -<span class="sourceLineNo">1020</span> requirePermission(c, "disableTable",<a name="line.1020"></a> -<span class="sourceLineNo">1021</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.1021"></a> -<span class="sourceLineNo">1022</span> }<a name="line.1022"></a> -<span class="sourceLineNo">1023</span><a name="line.1023"></a> -<span class="sourceLineNo">1024</span> @Override<a name="line.1024"></a> -<span class="sourceLineNo">1025</span> public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1025"></a> -<span class="sourceLineNo">1026</span> final long procId) throws IOException {<a name="line.1026"></a> -<span class="sourceLineNo">1027</span> requirePermission(ctx, "abortProcedure", Action.ADMIN);<a name="line.1027"></a> -<span class="sourceLineNo">1028</span> }<a name="line.1028"></a> -<span class="sourceLineNo">1029</span><a name="line.1029"></a> -<span class="sourceLineNo">1030</span> @Override<a name="line.1030"></a> -<span class="sourceLineNo">1031</span> public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1031"></a> -<span class="sourceLineNo">1032</span> throws IOException {<a name="line.1032"></a> -<span class="sourceLineNo">1033</span> // There is nothing to do at this time after the procedure abort request was sent.<a name="line.1033"></a> -<span class="sourceLineNo">1034</span> }<a name="line.1034"></a> -<span class="sourceLineNo">1035</span><a name="line.1035"></a> -<span class="sourceLineNo">1036</span> @Override<a name="line.1036"></a> -<span class="sourceLineNo">1037</span> public void preGetProcedures(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1037"></a> -<span class="sourceLineNo">1038</span> throws IOException {<a name="line.1038"></a> -<span class="sourceLineNo">1039</span> requirePermission(ctx, "getProcedure", Action.ADMIN);<a name="line.1039"></a> -<span class="sourceLineNo">1040</span> }<a name="line.1040"></a> -<span class="sourceLineNo">1041</span><a name="line.1041"></a> -<span class="sourceLineNo">1042</span> @Override<a name="line.1042"></a> -<span class="sourceLineNo">1043</span> public void preGetLocks(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1043"></a> -<span class="sourceLineNo">1044</span> throws IOException {<a name="line.1044"></a> -<span class="sourceLineNo">1045</span> User user = getActiveUser(ctx);<a name="line.1045"></a> -<span class="sourceLineNo">1046</span> accessChecker.requirePermission(user, "getLocks", null, Action.ADMIN);<a name="line.1046"></a> -<span class="sourceLineNo">1047</span> }<a name="line.1047"></a> -<span class="sourceLineNo">1048</span><a name="line.1048"></a> -<span class="sourceLineNo">1049</span> @Override<a name="line.1049"></a> -<span class="sourceLineNo">1050</span> public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo region,<a name="line.1050"></a> -<span class="sourceLineNo">1051</span> ServerName srcServer, ServerName destServer) throws IOException {<a name="line.1051"></a> -<span class="sourceLineNo">1052</span> requirePermission(c, "move",<a name="line.1052"></a> -<span class="sourceLineNo">1053</span> region.getTable(), null, null, Action.ADMIN);<a name="line.1053"></a> -<span class="sourceLineNo">1054</span> }<a name="line.1054"></a> -<span class="sourceLineNo">1055</span><a name="line.1055"></a> -<span class="sourceLineNo">1056</span> @Override<a name="line.1056"></a> -<span class="sourceLineNo">1057</span> public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo)<a name="line.1057"></a> -<span class="sourceLineNo">1058</span> throws IOException {<a name="line.1058"></a> -<span class="sourceLineNo">1059</span> requirePermission(c, "assign",<a name="line.1059"></a> -<span class="sourceLineNo">1060</span> regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.1060"></a> -<span class="sourceLineNo">1061</span> }<a name="line.1061"></a> -<span class="sourceLineNo">1062</span><a name="line.1062"></a> -<span class="sourceLineNo">1063</span> @Override<a name="line.1063"></a> -<span class="sourceLineNo">1064</span> public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo,<a name="line.1064"></a> -<span class="sourceLineNo">1065</span> boolean force) throws IOException {<a name="line.1065"></a> -<span class="sourceLineNo">1066</span> requirePermission(c, "unassign",<a name="line.1066"></a> -<span class="sourceLineNo">1067</span> regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.1067"></a> -<span class="sourceLineNo">1068</span> }<a name="line.1068"></a> -<span class="sourceLineNo">1069</span><a name="line.1069"></a> -<span class="sourceLineNo">1070</span> @Override<a name="line.1070"></a> -<span class="sourceLineNo">1071</span> public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.1071"></a> -<span class="sourceLineNo">1072</span> RegionInfo regionInfo) throws IOException {<a name="line.1072"></a> -<span class="sourceLineNo">1073</span> requirePermission(c, "regionOffline",<a name="line.1073"></a> -<span class="sourceLineNo">1074</span> regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.1074"></a> -<span class="sourceLineNo">1075</span> }<a name="line.1075"></a> -<span class="sourceLineNo">1076</span><a name="line.1076"></a> -<span class="sourceLineNo">1077</span> @Override<a name="line.1077"></a> -<span class="sourceLineNo">1078</span> public void preSetSplitOrMergeEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1078"></a> -<span class="sourceLineNo">1079</span> final boolean newValue, final MasterSwitchType switchType) throws IOException {<a name="line.1079"></a> -<span class="sourceLineNo">1080</span> requirePermission(ctx, "setSplitOrMergeEnabled",<a name="line.1080"></a> -<span class="sourceLineNo">1081</span> Action.ADMIN);<a name="line.1081"></a> -<span class="sourceLineNo">1082</span> }<a name="line.1082"></a> -<span class="sourceLineNo">1083</span><a name="line.1083"></a> -<span class="sourceLineNo">1084</span> @Override<a name="line.1084"></a> -<span class="sourceLineNo">1085</span> public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c)<a name="line.1085"></a> -<span class="sourceLineNo">1086</span> throws IOException {<a name="line.1086"></a> -<span class="sourceLineNo">1087</span> requirePermission(c, "balance", Action.ADMIN);<a name="line.1087"></a> -<span class="sourceLineNo">1088</span> }<a name="line.1088"></a> -<span class="sourceLineNo">1089</span><a name="line.1089"></a> -<span class="sourceLineNo">1090</span> @Override<a name="line.1090"></a> -<span class="sourceLineNo">1091</span> public void preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.1091"></a> -<span class="sourceLineNo">1092</span> boolean newValue) throws IOException {<a name="line.1092"></a> -<span class="sourceLineNo">1093</span> requirePermission(c, "balanceSwitch", Action.ADMIN);<a name="line.1093"></a> -<span class="sourceLineNo">1094</span> }<a name="line.1094"></a> -<span class="sourceLineNo">1095</span><a name="line.1095"></a> -<span class="sourceLineNo">1096</span> @Override<a name="line.1096"></a> -<span class="sourceLineNo">1097</span> public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c)<a name="line.1097"></a> -<span class="sourceLineNo">1098</span> throws IOException {<a name="line.1098"></a> -<span class="sourceLineNo">1099</span> requirePermission(c, "shutdown", Action.ADMIN);<a name="line.1099"></a> -<span class="sourceLineNo">1100</span> }<a name="line.1100"></a> -<span class="sourceLineNo">1101</span><a name="line.1101"></a> -<span class="sourceLineNo">1102</span> @Override<a name="line.1102"></a> -<span class="sourceLineNo">1103</span> public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c)<a name="line.1103"></a> -<span class="sourceLineNo">1104</span> throws IOException {<a name="line.1104"></a> -<span class="sourceLineNo">1105</span> requirePermission(c, "stopMaster", Action.ADMIN);<a name="line.1105"></a> -<span class="sourceLineNo">1106</span> }<a name="line.1106"></a> -<span class="sourceLineNo">1107</span><a name="line.1107"></a> -<span class="sourceLineNo">1108</span> @Override<a name="line.1108"></a> -<span class="sourceLineNo">1109</span> public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1109"></a> -<span class="sourceLineNo">1110</span> throws IOException {<a name="line.1110"></a> -<span class="sourceLineNo">1111</span> try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {<a name="line.1111"></a> -<span class="sourceLineNo">1112</span> if (!admin.tableExists(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.1112"></a> -<span class="sourceLineNo">1113</span> createACLTable(admin);<a name="line.1113"></a> -<span class="sourceLineNo">1114</span> } else {<a name="line.1114"></a> -<span class="sourceLineNo">1115</span> this.aclTabAvailable = true;<a name="line.1115"></a> -<span class="sourceLineNo">1116</span> }<a name="line.1116"></a> -<span class="sourceLineNo">1117</span> }<a name="line.1117"></a> -<span class="sourceLineNo">1118</span> }<a name="line.1118"></a> -<span class="sourceLineNo">1119</span> /**<a name="line.1119"></a> -<span class="sourceLineNo">1120</span> * Create the ACL table<a name="line.1120"></a> -<span class="sourceLineNo">1121</span> * @throws IOException<a name="line.1121"></a> -<span class="sourceLineNo">1122</span> */<a name="line.1122"></a> -<span class="sourceLineNo">1123</span> private static void createACLTable(Admin admin) throws IOException {<a name="line.1123"></a> -<span class="sourceLineNo">1124</span> /** Table descriptor for ACL table */<a name="line.1124"></a> -<span class="sourceLineNo">1125</span> ColumnFamilyDescriptor cfd =<a name="line.1125"></a> -<span class="sourceLineNo">1126</span> ColumnFamilyDescriptorBuilder.newBuilder(AccessControlLists.ACL_LIST_FAMILY).<a name="line.1126"></a> -<span class="sourceLineNo">1127</span> setMaxVersions(1).<a name="line.1127"></a> -<span class="sourceLineNo">1128</span> setInMemory(true).<a name="line.1128"></a> -<span class="sourceLineNo">1129</span> setBlockCacheEnabled(true).<a name="line.1129"></a> -<span class="sourceLineNo">1130</span> setBlocksize(8 * 1024).<a name="line.1130"></a> -<span class="sourceLineNo">1131</span> setBloomFilterType(BloomType.NONE).<a name="line.1131"></a> -<span class="sourceLineNo">1132</span> setScope(HConstants.REPLICATION_SCOPE_LOCAL).build();<a name="line.1132"></a> -<span class="sourceLineNo">1133</span> TableDescriptor td =<a name="line.1133"></a> -<span class="sourceLineNo">1134</span> TableDescriptorBuilder.newBuilder(AccessControlLists.ACL_TABLE_NAME).<a name="line.1134"></a> -<span class="sourceLineNo">1135</span> setColumnFamily(cfd).build();<a name="line.1135"></a> -<span class="sourceLineNo">1136</span> admin.createTable(td);<a name="line.1136"></a> -<span class="sourceLineNo">1137</span> }<a name="line.1137"></a> -<span class="sourceLineNo">1138</span><a name="line.1138"></a> -<span class="sourceLineNo">1139</span> @Override<a name="line.1139"></a> -<span class="sourceLineNo">1140</span> public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1140"></a> -<span class="sourceLineNo">1141</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)<a name="line.1141"></a> -<span class="sourceLineNo">1142</span> throws IOException {<a name="line.1142"></a> -<span class="sourceLineNo">1143</span> // Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.<a name="line.1143"></a> -<span class="sourceLineNo">1144</span> requirePermission(ctx, "snapshot " + snapshot.getName(),<a name="line.1144"></a> -<span class="sourceLineNo">1145</span> hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);<a name="line.1145"></a> -<span class="sourceLineNo">1146</span> }<a name="line.1146"></a> -<span class="sourceLineNo">1147</span><a name="line.1147"></a> -<span class="sourceLineNo">1148</span> @Override<a name="line.1148"></a> -<span class="sourceLineNo">1149</span> public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1149"></a> -<span class="sourceLineNo">1150</span> final SnapshotDescription snapshot) throws IOException {<a name="line.1150"></a> -<span class="sourceLineNo">1151</span> User user = getActiveUser(ctx);<a name="line.1151"></a> -<span class="sourceLineNo">1152</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1152"></a> -<span class="sourceLineNo">1153</span> // list it, if user is the owner of snapshot<a name="line.1153"></a> -<span class="sourceLineNo">1154</span> AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),<a name="line.1154"></a> -<span class="sourceLineNo">1155</span> "Snapshot owner check allowed", user, null, null, null);<a name="line.1155"></a> -<span class="sourceLineNo">1156</span> AccessChecker.logResult(result);<a name="line.1156"></a> -<span class="sourceLineNo">1157</span> } else {<a name="line.1157"></a> -<span class="sourceLineNo">1158</span> accessChecker.requirePermission(user, "listSnapshot " + snapshot.getName(), null,<a name="line.1158"></a> -<span class="sourceLineNo">1159</span> Action.ADMIN);<a name="line.1159"></a> -<span class="sourceLineNo">1160</span> }<a name="line.1160"></a> -<span class="sourceLineNo">1161</span> }<a name="line.1161"></a> -<span class="sourceLineNo">1162</span><a name="line.1162"></a> -<span class="sourceLineNo">1163</span> @Override<a name="line.1163"></a> -<span class="sourceLineNo">1164</span> public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1164"></a> -<span class="sourceLineNo">1165</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)<a name="line.1165"></a> -<span class="sourceLineNo">1166</span> throws IOException {<a name="line.1166"></a> -<span class="sourceLineNo">1167</span> User user = getActiveUser(ctx);<a name="line.1167"></a> -<span class="sourceLineNo">1168</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)<a name="line.1168"></a> -<span class="sourceLineNo">1169</span> && hTableDescriptor.getTableName().getNameAsString().equals(snapshot.getTable())) {<a name="line.1169"></a> -<span class="sourceLineNo">1170</span> // Snapshot owner is allowed to create a table with the same name as the snapshot he took<a name="line.1170"></a> -<span class="sourceLineNo">1171</span> AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(),<a name="line.1171"></a> -<span class="sourceLineNo">1172</span> "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);<a name="line.1172"></a> -<span class="sourceLineNo">1173</span> AccessChecker.logResult(result);<a name="line.1173"></a> -<span class="sourceLineNo">1174</span> } else {<a name="line.1174"></a> -<span class="sourceLineNo">1175</span> accessChecker.requirePermission(user, "cloneSnapshot " + snapshot.getName(), null,<a name="line.1175"></a> -<span class="sourceLineNo">1176</span> Action.ADMIN);<a name="line.1176"></a> -<span class="sourceLineNo">1177</span> }<a name="line.1177"></a> -<span class="sourceLineNo">1178</span> }<a name="line.1178"></a> -<span class="sourceLineNo">1179</span><a name="line.1179"></a> -<span class="sourceLineNo">1180</span> @Override<a name="line.1180"></a> -<span class="sourceLineNo">1181</span> public void preRestoreSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1181"></a> -<span class="sourceLineNo">1182</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)<a name="line.1182"></a> -<span class="sourceLineNo">1183</span> throws IOException {<a name="line.1183"></a> -<span class="sourceLineNo">1184</span> User user = getActiveUser(ctx);<a name="line.1184"></a> -<span class="sourceLineNo">1185</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1185"></a> -<span class="sourceLineNo">1186</span> accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(),<a name="line.1186"></a> -<span class="sourceLineNo">1187</span> hTableDescriptor.getTableName(), null, null, null, Permission.Action.ADMIN);<a name="line.1187"></a> -<span class="sourceLineNo">1188</span> } else {<a name="line.1188"></a> -<span class="sourceLineNo">1189</span> accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), null,<a name="line.1189"></a> -<span class="sourceLineNo">1190</span> Action.ADMIN);<a name="line.1190"></a> -<span class="sourceLineNo">1191</span> }<a name="line.1191"></a> -<span class="sourceLineNo">1192</span> }<a name="line.1192"></a> -<span class="sourceLineNo">1193</span><a name="line.1193"></a> -<span class="sourceLineNo">1194</span> @Override<a name="line.1194"></a> -<span class="sourceLineNo">1195</span> public void preDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1195"></a> -<span class="sourceLineNo">1196</span> final SnapshotDescription snapshot) throws IOException {<a name="line.1196"></a> -<span class="sourceLineNo">1197</span> User user = getActiveUser(ctx);<a name="line.1197"></a> -<span class="sourceLineNo">1198</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1198"></a> -<span class="sourceLineNo">1199</span> // Snapshot owner is allowed to delete the snapshot<a name="line.1199"></a> -<span class="sourceLineNo">1200</span> AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(),<a name="line.1200"></a> -<span class="sourceLineNo">1201</span> "Snapshot owner check allowed", user, null, null, null);<a name="line.1201"></a> -<span class="sourceLineNo">1202</span> AccessChecker.logResult(result);<a name="line.1202"></a> -<span class="sourceLineNo">1203</span> } else {<a name="line.1203"></a> -<span class="sourceLineNo">1204</span> accessChecker.requirePermission(user, "deleteSnapshot " + snapshot.getName(), null,<a name="line.1204"></a> -<span class="sourceLineNo">1205</span> Action.ADMIN);<a name="line.1205"></a> -<span class="sourceLineNo">1206</span> }<a name="line.1206"></a> -<span class="sourceLineNo">1207</span> }<a name="line.1207"></a> -<span class="sourceLineNo">1208</span><a name="line.1208"></a> -<span class="sourceLineNo">1209</span> @Override<a name="line.1209"></a> -<span class="sourceLineNo">1210</span> public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1210"></a> -<span class="sourceLineNo">1211</span> NamespaceDescriptor ns) throws IOException {<a name="line.1211"></a> -<span class="sourceLineNo">1212</span> requireGlobalPermission(ctx, "createNamespace",<a name="line.1212"></a> -<span class="sourceLineNo">1213</span> Action.ADMIN, ns.getName());<a name="line.1213"></a> -<span class="sourceLineNo">1214</span> }<a name="line.1214"></a> -<span class="sourceLineNo">1215</span><a name="line.1215"></a> -<span class="sourceLineNo">1216</span> @Override<a name="line.1216"></a> -<span class="sourceLineNo">1217</span> public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)<a name="line.1217"></a> -<span class="sourceLineNo">1218</span> throws IOException {<a name="line.1218"></a> -<span class="sourceLineNo">1219</span> requireGlobalPermission(ctx, "deleteNamespace",<a name="line.1219"></a> -<span class="sourceLineNo">1220</span> Action.ADMIN, namespace);<a name="line.1220"></a> -<span class="sourceLineNo">1221</span> }<a name="line.1221"></a> -<span class="sourceLineNo">1222</span><a name="line.1222"></a> -<span class="sourceLineNo">1223</span> @Override<a name="line.1223"></a> -<span class="sourceLineNo">1224</span> public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1224"></a> -<span class="sourceLineNo">1225</span> final String namespace) throws IOException {<a name="line.1225"></a> -<span class="sourceLineNo">1226</span> final Configuration conf = ctx.getEnvironment().getConfiguration();<a name="line.1226"></a> -<span class="sourceLineNo">1227</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.1227"></a> -<span class="sourceLineNo">1228</span> @Override<a name="line.1228"></a> -<span class="sourceLineNo">1229</span> public Void run() throws Exception {<a name="line.1229"></a> -<span class="sourceLineNo">1230</span> try (Table table = ctx.getEnvironment().getConnection().<a name="line.1230"></a> -<span class="sourceLineNo">1231</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.1231"></a> -<span class="sourceLineNo">1232</span> AccessControlLists.removeNamespacePermissions(conf, namespace, table);<a name="line.1232"></a> -<span class="sourceLineNo">1233</span> }<a name="line.1233"></a> -<span class="sourceLineNo">1234</span> return null;<a name="line.1234"></a> -<span class="sourceLineNo">1235</span> }<a name="line.1235"></a> -<span class="sourceLineNo">1236</span> });<a name="line.1236"></a> -<span class="sourceLineNo">1237</span> getAuthManager().getZKPermissionWatcher().deleteNamespaceACLNode(namespace);<a name="line.1237"></a> -<span class="sourceLineNo">1238</span> LOG.info(namespace + " entry deleted in " + AccessControlLists.ACL_TABLE_NAME + " table.");<a name="line.1238"></a> -<span class="sourceLineNo">1239</span> }<a name="line.1239"></a> -<span class="sourceLineNo">1240</span><a name="line.1240"></a> -<span class="sourceLineNo">1241</span> @Override<a name="line.1241"></a> -<span class="sourceLineNo">1242</span> public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1242"></a> -<span class="sourceLineNo">1243</span> NamespaceDescriptor currentNsDesc, NamespaceDescriptor newNsDesc) throws IOException {<a name="line.1243"></a> -<span class="sourceLineNo">1244</span> // We require only global permission so that<a name="line.1244"></a> -<span class="sourceLineNo">1245</span> // a user with NS admin cannot altering namespace configurations. i.e. namespace quota<a name="line.1245"></a> -<span class="sourceLineNo">1246</span> requireGlobalPermission(ctx, "modifyNamespace", Action.ADMIN, newNsDesc.getName());<a name="line.1246"></a> -<span class="sourceLineNo">1247</span> }<a name="line.1247"></a> -<span class="sourceLineNo">1248</span><a name="line.1248"></a> -<span class="sourceLineNo">1249</span> @Override<a name="line.1249"></a> -<span class="sourceLineNo">1250</span> public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1250"></a> -<span class="sourceLineNo">1251</span> String namespace) throws IOException {<a name="line.1251"></a> -<span class="sourceLineNo">1252</span> requireNamespacePermission(ctx, "getNamespaceDescriptor", namespace, Action.ADMIN);<a name="line.1252"></a> -<span class="sourceLineNo">1253</span> }<a name="line.1253"></a> -<span class="sourceLineNo">1254</span><a name="line.1254"></a> -<span class="sourceLineNo">1255</span> @Overr
<TRUNCATED>
