http://git-wip-us.apache.org/repos/asf/hbase-site/blob/68eae623/devapidocs/src-html/org/apache/hadoop/hbase/master/assignment/RegionRemoteProcedureBase.html ---------------------------------------------------------------------- diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/master/assignment/RegionRemoteProcedureBase.html b/devapidocs/src-html/org/apache/hadoop/hbase/master/assignment/RegionRemoteProcedureBase.html index daf2583..25ef9bf 100644 --- a/devapidocs/src-html/org/apache/hadoop/hbase/master/assignment/RegionRemoteProcedureBase.html +++ b/devapidocs/src-html/org/apache/hadoop/hbase/master/assignment/RegionRemoteProcedureBase.html @@ -116,75 +116,87 @@ <span class="sourceLineNo">108</span> }<a name="line.108"></a> <span class="sourceLineNo">109</span><a name="line.109"></a> <span class="sourceLineNo">110</span> @Override<a name="line.110"></a> -<span class="sourceLineNo">111</span> protected void rollback(MasterProcedureEnv env) throws IOException, InterruptedException {<a name="line.111"></a> -<span class="sourceLineNo">112</span> throw new UnsupportedOperationException();<a name="line.112"></a> -<span class="sourceLineNo">113</span> }<a name="line.113"></a> -<span class="sourceLineNo">114</span><a name="line.114"></a> -<span class="sourceLineNo">115</span> @Override<a name="line.115"></a> -<span class="sourceLineNo">116</span> protected boolean abort(MasterProcedureEnv env) {<a name="line.116"></a> -<span class="sourceLineNo">117</span> return false;<a name="line.117"></a> -<span class="sourceLineNo">118</span> }<a name="line.118"></a> -<span class="sourceLineNo">119</span><a name="line.119"></a> -<span class="sourceLineNo">120</span> /**<a name="line.120"></a> -<span class="sourceLineNo">121</span> * Check whether we still need to make the call to RS.<a name="line.121"></a> -<span class="sourceLineNo">122</span> * <p/><a name="line.122"></a> -<span class="sourceLineNo">123</span> * Usually this will not happen if we do not allow assigning a already onlined region. But if we<a name="line.123"></a> -<span class="sourceLineNo">124</span> * have something wrong in the RSProcedureDispatcher, where we have already sent the request to<a name="line.124"></a> -<span class="sourceLineNo">125</span> * RS, but then we tell the upper layer the remote call is failed due to rpc timeout or connection<a name="line.125"></a> -<span class="sourceLineNo">126</span> * closed or anything else, then this issue can still happen. So here we add a check to make it<a name="line.126"></a> -<span class="sourceLineNo">127</span> * more robust.<a name="line.127"></a> -<span class="sourceLineNo">128</span> */<a name="line.128"></a> -<span class="sourceLineNo">129</span> protected abstract boolean shouldDispatch(RegionStateNode regionNode);<a name="line.129"></a> +<span class="sourceLineNo">111</span> protected boolean waitInitialized(MasterProcedureEnv env) {<a name="line.111"></a> +<span class="sourceLineNo">112</span> if (TableName.isMetaTableName(getTableName())) {<a name="line.112"></a> +<span class="sourceLineNo">113</span> return false;<a name="line.113"></a> +<span class="sourceLineNo">114</span> }<a name="line.114"></a> +<span class="sourceLineNo">115</span> // First we need meta to be loaded, and second, if meta is not online then we will likely to<a name="line.115"></a> +<span class="sourceLineNo">116</span> // fail when updating meta so we wait until it is assigned.<a name="line.116"></a> +<span class="sourceLineNo">117</span> AssignmentManager am = env.getAssignmentManager();<a name="line.117"></a> +<span class="sourceLineNo">118</span> return am.waitMetaLoaded(this) || am.waitMetaAssigned(this, region);<a name="line.118"></a> +<span class="sourceLineNo">119</span> }<a name="line.119"></a> +<span class="sourceLineNo">120</span><a name="line.120"></a> +<span class="sourceLineNo">121</span> @Override<a name="line.121"></a> +<span class="sourceLineNo">122</span> protected void rollback(MasterProcedureEnv env) throws IOException, InterruptedException {<a name="line.122"></a> +<span class="sourceLineNo">123</span> throw new UnsupportedOperationException();<a name="line.123"></a> +<span class="sourceLineNo">124</span> }<a name="line.124"></a> +<span class="sourceLineNo">125</span><a name="line.125"></a> +<span class="sourceLineNo">126</span> @Override<a name="line.126"></a> +<span class="sourceLineNo">127</span> protected boolean abort(MasterProcedureEnv env) {<a name="line.127"></a> +<span class="sourceLineNo">128</span> return false;<a name="line.128"></a> +<span class="sourceLineNo">129</span> }<a name="line.129"></a> <span class="sourceLineNo">130</span><a name="line.130"></a> -<span class="sourceLineNo">131</span> @Override<a name="line.131"></a> -<span class="sourceLineNo">132</span> protected Procedure<MasterProcedureEnv>[] execute(MasterProcedureEnv env)<a name="line.132"></a> -<span class="sourceLineNo">133</span> throws ProcedureYieldException, ProcedureSuspendedException, InterruptedException {<a name="line.133"></a> -<span class="sourceLineNo">134</span> if (dispatched) {<a name="line.134"></a> -<span class="sourceLineNo">135</span> // we are done, the parent procedure will check whether we are succeeded.<a name="line.135"></a> -<span class="sourceLineNo">136</span> return null;<a name="line.136"></a> -<span class="sourceLineNo">137</span> }<a name="line.137"></a> -<span class="sourceLineNo">138</span> RegionStateNode regionNode = getRegionNode(env);<a name="line.138"></a> -<span class="sourceLineNo">139</span> regionNode.lock();<a name="line.139"></a> -<span class="sourceLineNo">140</span> try {<a name="line.140"></a> -<span class="sourceLineNo">141</span> if (!shouldDispatch(regionNode)) {<a name="line.141"></a> -<span class="sourceLineNo">142</span> return null;<a name="line.142"></a> -<span class="sourceLineNo">143</span> }<a name="line.143"></a> -<span class="sourceLineNo">144</span> // The code which wakes us up also needs to lock the RSN so here we do not need to synchronize<a name="line.144"></a> -<span class="sourceLineNo">145</span> // on the event.<a name="line.145"></a> -<span class="sourceLineNo">146</span> ProcedureEvent<?> event = regionNode.getProcedureEvent();<a name="line.146"></a> -<span class="sourceLineNo">147</span> try {<a name="line.147"></a> -<span class="sourceLineNo">148</span> env.getRemoteDispatcher().addOperationToNode(targetServer, this);<a name="line.148"></a> -<span class="sourceLineNo">149</span> } catch (FailedRemoteDispatchException e) {<a name="line.149"></a> -<span class="sourceLineNo">150</span> LOG.warn("Can not add remote operation {} for region {} to server {}, this usually " +<a name="line.150"></a> -<span class="sourceLineNo">151</span> "because the server is alread dead, give up and mark the procedure as complete, " +<a name="line.151"></a> -<span class="sourceLineNo">152</span> "the parent procedure will take care of this.", this, region, targetServer, e);<a name="line.152"></a> -<span class="sourceLineNo">153</span> return null;<a name="line.153"></a> -<span class="sourceLineNo">154</span> }<a name="line.154"></a> -<span class="sourceLineNo">155</span> dispatched = true;<a name="line.155"></a> -<span class="sourceLineNo">156</span> event.suspend();<a name="line.156"></a> -<span class="sourceLineNo">157</span> event.suspendIfNotReady(this);<a name="line.157"></a> -<span class="sourceLineNo">158</span> throw new ProcedureSuspendedException();<a name="line.158"></a> -<span class="sourceLineNo">159</span> } finally {<a name="line.159"></a> -<span class="sourceLineNo">160</span> regionNode.unlock();<a name="line.160"></a> -<span class="sourceLineNo">161</span> }<a name="line.161"></a> -<span class="sourceLineNo">162</span> }<a name="line.162"></a> -<span class="sourceLineNo">163</span><a name="line.163"></a> -<span class="sourceLineNo">164</span> @Override<a name="line.164"></a> -<span class="sourceLineNo">165</span> protected void serializeStateData(ProcedureStateSerializer serializer) throws IOException {<a name="line.165"></a> -<span class="sourceLineNo">166</span> serializer.serialize(RegionRemoteProcedureBaseStateData.newBuilder()<a name="line.166"></a> -<span class="sourceLineNo">167</span> .setRegion(ProtobufUtil.toRegionInfo(region))<a name="line.167"></a> -<span class="sourceLineNo">168</span> .setTargetServer(ProtobufUtil.toServerName(targetServer)).setDispatched(dispatched).build());<a name="line.168"></a> -<span class="sourceLineNo">169</span> }<a name="line.169"></a> -<span class="sourceLineNo">170</span><a name="line.170"></a> -<span class="sourceLineNo">171</span> @Override<a name="line.171"></a> -<span class="sourceLineNo">172</span> protected void deserializeStateData(ProcedureStateSerializer serializer) throws IOException {<a name="line.172"></a> -<span class="sourceLineNo">173</span> RegionRemoteProcedureBaseStateData data =<a name="line.173"></a> -<span class="sourceLineNo">174</span> serializer.deserialize(RegionRemoteProcedureBaseStateData.class);<a name="line.174"></a> -<span class="sourceLineNo">175</span> region = ProtobufUtil.toRegionInfo(data.getRegion());<a name="line.175"></a> -<span class="sourceLineNo">176</span> targetServer = ProtobufUtil.toServerName(data.getTargetServer());<a name="line.176"></a> -<span class="sourceLineNo">177</span> dispatched = data.getDispatched();<a name="line.177"></a> -<span class="sourceLineNo">178</span> }<a name="line.178"></a> -<span class="sourceLineNo">179</span>}<a name="line.179"></a> +<span class="sourceLineNo">131</span> /**<a name="line.131"></a> +<span class="sourceLineNo">132</span> * Check whether we still need to make the call to RS.<a name="line.132"></a> +<span class="sourceLineNo">133</span> * <p/><a name="line.133"></a> +<span class="sourceLineNo">134</span> * This could happen when master restarts. Since we do not know whether a request has already been<a name="line.134"></a> +<span class="sourceLineNo">135</span> * sent to the region server after we add a remote operation to the dispatcher, so the safe way is<a name="line.135"></a> +<span class="sourceLineNo">136</span> * to not persist the dispatched field and try to add the remote operation again. But it is<a name="line.136"></a> +<span class="sourceLineNo">137</span> * possible that we do have already sent the request to region server and it has also sent back<a name="line.137"></a> +<span class="sourceLineNo">138</span> * the response, so here we need to check the region state, if it is not in the expecting state,<a name="line.138"></a> +<span class="sourceLineNo">139</span> * we should give up, otherwise we may hang for ever, as the region server will just ignore<a name="line.139"></a> +<span class="sourceLineNo">140</span> * redundant calls.<a name="line.140"></a> +<span class="sourceLineNo">141</span> */<a name="line.141"></a> +<span class="sourceLineNo">142</span> protected abstract boolean shouldDispatch(RegionStateNode regionNode);<a name="line.142"></a> +<span class="sourceLineNo">143</span><a name="line.143"></a> +<span class="sourceLineNo">144</span> @Override<a name="line.144"></a> +<span class="sourceLineNo">145</span> protected Procedure<MasterProcedureEnv>[] execute(MasterProcedureEnv env)<a name="line.145"></a> +<span class="sourceLineNo">146</span> throws ProcedureYieldException, ProcedureSuspendedException, InterruptedException {<a name="line.146"></a> +<span class="sourceLineNo">147</span> if (dispatched) {<a name="line.147"></a> +<span class="sourceLineNo">148</span> // we are done, the parent procedure will check whether we are succeeded.<a name="line.148"></a> +<span class="sourceLineNo">149</span> return null;<a name="line.149"></a> +<span class="sourceLineNo">150</span> }<a name="line.150"></a> +<span class="sourceLineNo">151</span> RegionStateNode regionNode = getRegionNode(env);<a name="line.151"></a> +<span class="sourceLineNo">152</span> regionNode.lock();<a name="line.152"></a> +<span class="sourceLineNo">153</span> try {<a name="line.153"></a> +<span class="sourceLineNo">154</span> if (!shouldDispatch(regionNode)) {<a name="line.154"></a> +<span class="sourceLineNo">155</span> return null;<a name="line.155"></a> +<span class="sourceLineNo">156</span> }<a name="line.156"></a> +<span class="sourceLineNo">157</span> // The code which wakes us up also needs to lock the RSN so here we do not need to synchronize<a name="line.157"></a> +<span class="sourceLineNo">158</span> // on the event.<a name="line.158"></a> +<span class="sourceLineNo">159</span> ProcedureEvent<?> event = regionNode.getProcedureEvent();<a name="line.159"></a> +<span class="sourceLineNo">160</span> try {<a name="line.160"></a> +<span class="sourceLineNo">161</span> env.getRemoteDispatcher().addOperationToNode(targetServer, this);<a name="line.161"></a> +<span class="sourceLineNo">162</span> } catch (FailedRemoteDispatchException e) {<a name="line.162"></a> +<span class="sourceLineNo">163</span> LOG.warn("Can not add remote operation {} for region {} to server {}, this usually " +<a name="line.163"></a> +<span class="sourceLineNo">164</span> "because the server is alread dead, give up and mark the procedure as complete, " +<a name="line.164"></a> +<span class="sourceLineNo">165</span> "the parent procedure will take care of this.", this, region, targetServer, e);<a name="line.165"></a> +<span class="sourceLineNo">166</span> return null;<a name="line.166"></a> +<span class="sourceLineNo">167</span> }<a name="line.167"></a> +<span class="sourceLineNo">168</span> dispatched = true;<a name="line.168"></a> +<span class="sourceLineNo">169</span> event.suspend();<a name="line.169"></a> +<span class="sourceLineNo">170</span> event.suspendIfNotReady(this);<a name="line.170"></a> +<span class="sourceLineNo">171</span> throw new ProcedureSuspendedException();<a name="line.171"></a> +<span class="sourceLineNo">172</span> } finally {<a name="line.172"></a> +<span class="sourceLineNo">173</span> regionNode.unlock();<a name="line.173"></a> +<span class="sourceLineNo">174</span> }<a name="line.174"></a> +<span class="sourceLineNo">175</span> }<a name="line.175"></a> +<span class="sourceLineNo">176</span><a name="line.176"></a> +<span class="sourceLineNo">177</span> @Override<a name="line.177"></a> +<span class="sourceLineNo">178</span> protected void serializeStateData(ProcedureStateSerializer serializer) throws IOException {<a name="line.178"></a> +<span class="sourceLineNo">179</span> serializer.serialize(RegionRemoteProcedureBaseStateData.newBuilder()<a name="line.179"></a> +<span class="sourceLineNo">180</span> .setRegion(ProtobufUtil.toRegionInfo(region))<a name="line.180"></a> +<span class="sourceLineNo">181</span> .setTargetServer(ProtobufUtil.toServerName(targetServer)).build());<a name="line.181"></a> +<span class="sourceLineNo">182</span> }<a name="line.182"></a> +<span class="sourceLineNo">183</span><a name="line.183"></a> +<span class="sourceLineNo">184</span> @Override<a name="line.184"></a> +<span class="sourceLineNo">185</span> protected void deserializeStateData(ProcedureStateSerializer serializer) throws IOException {<a name="line.185"></a> +<span class="sourceLineNo">186</span> RegionRemoteProcedureBaseStateData data =<a name="line.186"></a> +<span class="sourceLineNo">187</span> serializer.deserialize(RegionRemoteProcedureBaseStateData.class);<a name="line.187"></a> +<span class="sourceLineNo">188</span> region = ProtobufUtil.toRegionInfo(data.getRegion());<a name="line.188"></a> +<span class="sourceLineNo">189</span> targetServer = ProtobufUtil.toServerName(data.getTargetServer());<a name="line.189"></a> +<span class="sourceLineNo">190</span> }<a name="line.190"></a> +<span class="sourceLineNo">191</span>}<a name="line.191"></a>
http://git-wip-us.apache.org/repos/asf/hbase-site/blob/68eae623/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.InputUser.html ---------------------------------------------------------------------- diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.InputUser.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.InputUser.html index f8acad1..daabce4 100644 --- a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.InputUser.html +++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.InputUser.html @@ -58,7 +58,7 @@ <span class="sourceLineNo">050</span> // TODO: we should move to a design where we don't even instantiate an AccessChecker if<a name="line.50"></a> <span class="sourceLineNo">051</span> // authorization is not enabled (like in RSRpcServices), instead of always instantiating one and<a name="line.51"></a> <span class="sourceLineNo">052</span> // calling requireXXX() only to do nothing (since authorizationEnabled will be false).<a name="line.52"></a> -<span class="sourceLineNo">053</span> private TableAuthManager authManager;<a name="line.53"></a> +<span class="sourceLineNo">053</span> private AuthManager authManager;<a name="line.53"></a> <span class="sourceLineNo">054</span><a name="line.54"></a> <span class="sourceLineNo">055</span> /** Group service to retrieve the user group information */<a name="line.55"></a> <span class="sourceLineNo">056</span> private static Groups groupService;<a name="line.56"></a> @@ -83,7 +83,7 @@ <span class="sourceLineNo">075</span> throws RuntimeException {<a name="line.75"></a> <span class="sourceLineNo">076</span> if (zkw != null) {<a name="line.76"></a> <span class="sourceLineNo">077</span> try {<a name="line.77"></a> -<span class="sourceLineNo">078</span> this.authManager = TableAuthManager.getOrCreate(zkw, conf);<a name="line.78"></a> +<span class="sourceLineNo">078</span> this.authManager = AuthManager.getOrCreate(zkw, conf);<a name="line.78"></a> <span class="sourceLineNo">079</span> } catch (IOException ioe) {<a name="line.79"></a> <span class="sourceLineNo">080</span> throw new RuntimeException("Error obtaining AccessChecker", ioe);<a name="line.80"></a> <span class="sourceLineNo">081</span> }<a name="line.81"></a> @@ -95,13 +95,13 @@ <span class="sourceLineNo">087</span> }<a name="line.87"></a> <span class="sourceLineNo">088</span><a name="line.88"></a> <span class="sourceLineNo">089</span> /**<a name="line.89"></a> -<span class="sourceLineNo">090</span> * Releases {@link TableAuthManager}'s reference.<a name="line.90"></a> +<span class="sourceLineNo">090</span> * Releases {@link AuthManager}'s reference.<a name="line.90"></a> <span class="sourceLineNo">091</span> */<a name="line.91"></a> <span class="sourceLineNo">092</span> public void stop() {<a name="line.92"></a> -<span class="sourceLineNo">093</span> TableAuthManager.release(authManager);<a name="line.93"></a> +<span class="sourceLineNo">093</span> AuthManager.release(authManager);<a name="line.93"></a> <span class="sourceLineNo">094</span> }<a name="line.94"></a> <span class="sourceLineNo">095</span><a name="line.95"></a> -<span class="sourceLineNo">096</span> public TableAuthManager getAuthManager() {<a name="line.96"></a> +<span class="sourceLineNo">096</span> public AuthManager getAuthManager() {<a name="line.96"></a> <span class="sourceLineNo">097</span> return authManager;<a name="line.97"></a> <span class="sourceLineNo">098</span> }<a name="line.98"></a> <span class="sourceLineNo">099</span><a name="line.99"></a> @@ -123,7 +123,7 @@ <span class="sourceLineNo">115</span> AuthResult result = null;<a name="line.115"></a> <span class="sourceLineNo">116</span><a name="line.116"></a> <span class="sourceLineNo">117</span> for (Action permission : permissions) {<a name="line.117"></a> -<span class="sourceLineNo">118</span> if (authManager.hasAccess(user, tableName, permission)) {<a name="line.118"></a> +<span class="sourceLineNo">118</span> if (authManager.accessUserTable(user, tableName, permission)) {<a name="line.118"></a> <span class="sourceLineNo">119</span> result = AuthResult.allow(request, "Table permission granted",<a name="line.119"></a> <span class="sourceLineNo">120</span> user, permission, tableName, null, null);<a name="line.120"></a> <span class="sourceLineNo">121</span> break;<a name="line.121"></a> @@ -172,7 +172,7 @@ <span class="sourceLineNo">164</span> return;<a name="line.164"></a> <span class="sourceLineNo">165</span> }<a name="line.165"></a> <span class="sourceLineNo">166</span> AuthResult result;<a name="line.166"></a> -<span class="sourceLineNo">167</span> if (authManager.authorize(user, perm)) {<a name="line.167"></a> +<span class="sourceLineNo">167</span> if (authManager.authorizeUserGlobal(user, perm)) {<a name="line.167"></a> <span class="sourceLineNo">168</span> result = AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap);<a name="line.168"></a> <span class="sourceLineNo">169</span> } else {<a name="line.169"></a> <span class="sourceLineNo">170</span> result = AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap);<a name="line.170"></a> @@ -203,7 +203,7 @@ <span class="sourceLineNo">195</span> return;<a name="line.195"></a> <span class="sourceLineNo">196</span> }<a name="line.196"></a> <span class="sourceLineNo">197</span> AuthResult authResult;<a name="line.197"></a> -<span class="sourceLineNo">198</span> if (authManager.authorize(user, perm)) {<a name="line.198"></a> +<span class="sourceLineNo">198</span> if (authManager.authorizeUserGlobal(user, perm)) {<a name="line.198"></a> <span class="sourceLineNo">199</span> authResult = AuthResult.allow(request, "Global check allowed", user, perm, null);<a name="line.199"></a> <span class="sourceLineNo">200</span> authResult.getParams().setNamespace(namespace);<a name="line.200"></a> <span class="sourceLineNo">201</span> logResult(authResult);<a name="line.201"></a> @@ -233,7 +233,7 @@ <span class="sourceLineNo">225</span> AuthResult result = null;<a name="line.225"></a> <span class="sourceLineNo">226</span><a name="line.226"></a> <span class="sourceLineNo">227</span> for (Action permission : permissions) {<a name="line.227"></a> -<span class="sourceLineNo">228</span> if (authManager.authorize(user, namespace, permission)) {<a name="line.228"></a> +<span class="sourceLineNo">228</span> if (authManager.authorizeUserNamespace(user, namespace, permission)) {<a name="line.228"></a> <span class="sourceLineNo">229</span> result =<a name="line.229"></a> <span class="sourceLineNo">230</span> AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);<a name="line.230"></a> <span class="sourceLineNo">231</span> break;<a name="line.231"></a> @@ -268,7 +268,7 @@ <span class="sourceLineNo">260</span> AuthResult result = null;<a name="line.260"></a> <span class="sourceLineNo">261</span><a name="line.261"></a> <span class="sourceLineNo">262</span> for (Action permission : permissions) {<a name="line.262"></a> -<span class="sourceLineNo">263</span> if (authManager.authorize(user, namespace, permission)) {<a name="line.263"></a> +<span class="sourceLineNo">263</span> if (authManager.authorizeUserNamespace(user, namespace, permission)) {<a name="line.263"></a> <span class="sourceLineNo">264</span> result =<a name="line.264"></a> <span class="sourceLineNo">265</span> AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);<a name="line.265"></a> <span class="sourceLineNo">266</span> result.getParams().setTableName(tableName).setFamilies(familyMap);<a name="line.266"></a> @@ -307,7 +307,7 @@ <span class="sourceLineNo">299</span> AuthResult result = null;<a name="line.299"></a> <span class="sourceLineNo">300</span><a name="line.300"></a> <span class="sourceLineNo">301</span> for (Action permission : permissions) {<a name="line.301"></a> -<span class="sourceLineNo">302</span> if (authManager.authorize(user, tableName, family, qualifier, permission)) {<a name="line.302"></a> +<span class="sourceLineNo">302</span> if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {<a name="line.302"></a> <span class="sourceLineNo">303</span> result = AuthResult.allow(request, "Table permission granted",<a name="line.303"></a> <span class="sourceLineNo">304</span> user, permission, tableName, family, qualifier);<a name="line.304"></a> <span class="sourceLineNo">305</span> break;<a name="line.305"></a> @@ -345,7 +345,7 @@ <span class="sourceLineNo">337</span> AuthResult result = null;<a name="line.337"></a> <span class="sourceLineNo">338</span><a name="line.338"></a> <span class="sourceLineNo">339</span> for (Action permission : permissions) {<a name="line.339"></a> -<span class="sourceLineNo">340</span> if (authManager.authorize(user, tableName, null, null, permission)) {<a name="line.340"></a> +<span class="sourceLineNo">340</span> if (authManager.authorizeUserTable(user, tableName, permission)) {<a name="line.340"></a> <span class="sourceLineNo">341</span> result = AuthResult.allow(request, "Table permission granted",<a name="line.341"></a> <span class="sourceLineNo">342</span> user, permission, tableName, null, null);<a name="line.342"></a> <span class="sourceLineNo">343</span> result.getParams().setFamily(family).setQualifier(qualifier);<a name="line.343"></a> http://git-wip-us.apache.org/repos/asf/hbase-site/blob/68eae623/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.html ---------------------------------------------------------------------- diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.html index f8acad1..daabce4 100644 --- a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.html +++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessChecker.html @@ -58,7 +58,7 @@ <span class="sourceLineNo">050</span> // TODO: we should move to a design where we don't even instantiate an AccessChecker if<a name="line.50"></a> <span class="sourceLineNo">051</span> // authorization is not enabled (like in RSRpcServices), instead of always instantiating one and<a name="line.51"></a> <span class="sourceLineNo">052</span> // calling requireXXX() only to do nothing (since authorizationEnabled will be false).<a name="line.52"></a> -<span class="sourceLineNo">053</span> private TableAuthManager authManager;<a name="line.53"></a> +<span class="sourceLineNo">053</span> private AuthManager authManager;<a name="line.53"></a> <span class="sourceLineNo">054</span><a name="line.54"></a> <span class="sourceLineNo">055</span> /** Group service to retrieve the user group information */<a name="line.55"></a> <span class="sourceLineNo">056</span> private static Groups groupService;<a name="line.56"></a> @@ -83,7 +83,7 @@ <span class="sourceLineNo">075</span> throws RuntimeException {<a name="line.75"></a> <span class="sourceLineNo">076</span> if (zkw != null) {<a name="line.76"></a> <span class="sourceLineNo">077</span> try {<a name="line.77"></a> -<span class="sourceLineNo">078</span> this.authManager = TableAuthManager.getOrCreate(zkw, conf);<a name="line.78"></a> +<span class="sourceLineNo">078</span> this.authManager = AuthManager.getOrCreate(zkw, conf);<a name="line.78"></a> <span class="sourceLineNo">079</span> } catch (IOException ioe) {<a name="line.79"></a> <span class="sourceLineNo">080</span> throw new RuntimeException("Error obtaining AccessChecker", ioe);<a name="line.80"></a> <span class="sourceLineNo">081</span> }<a name="line.81"></a> @@ -95,13 +95,13 @@ <span class="sourceLineNo">087</span> }<a name="line.87"></a> <span class="sourceLineNo">088</span><a name="line.88"></a> <span class="sourceLineNo">089</span> /**<a name="line.89"></a> -<span class="sourceLineNo">090</span> * Releases {@link TableAuthManager}'s reference.<a name="line.90"></a> +<span class="sourceLineNo">090</span> * Releases {@link AuthManager}'s reference.<a name="line.90"></a> <span class="sourceLineNo">091</span> */<a name="line.91"></a> <span class="sourceLineNo">092</span> public void stop() {<a name="line.92"></a> -<span class="sourceLineNo">093</span> TableAuthManager.release(authManager);<a name="line.93"></a> +<span class="sourceLineNo">093</span> AuthManager.release(authManager);<a name="line.93"></a> <span class="sourceLineNo">094</span> }<a name="line.94"></a> <span class="sourceLineNo">095</span><a name="line.95"></a> -<span class="sourceLineNo">096</span> public TableAuthManager getAuthManager() {<a name="line.96"></a> +<span class="sourceLineNo">096</span> public AuthManager getAuthManager() {<a name="line.96"></a> <span class="sourceLineNo">097</span> return authManager;<a name="line.97"></a> <span class="sourceLineNo">098</span> }<a name="line.98"></a> <span class="sourceLineNo">099</span><a name="line.99"></a> @@ -123,7 +123,7 @@ <span class="sourceLineNo">115</span> AuthResult result = null;<a name="line.115"></a> <span class="sourceLineNo">116</span><a name="line.116"></a> <span class="sourceLineNo">117</span> for (Action permission : permissions) {<a name="line.117"></a> -<span class="sourceLineNo">118</span> if (authManager.hasAccess(user, tableName, permission)) {<a name="line.118"></a> +<span class="sourceLineNo">118</span> if (authManager.accessUserTable(user, tableName, permission)) {<a name="line.118"></a> <span class="sourceLineNo">119</span> result = AuthResult.allow(request, "Table permission granted",<a name="line.119"></a> <span class="sourceLineNo">120</span> user, permission, tableName, null, null);<a name="line.120"></a> <span class="sourceLineNo">121</span> break;<a name="line.121"></a> @@ -172,7 +172,7 @@ <span class="sourceLineNo">164</span> return;<a name="line.164"></a> <span class="sourceLineNo">165</span> }<a name="line.165"></a> <span class="sourceLineNo">166</span> AuthResult result;<a name="line.166"></a> -<span class="sourceLineNo">167</span> if (authManager.authorize(user, perm)) {<a name="line.167"></a> +<span class="sourceLineNo">167</span> if (authManager.authorizeUserGlobal(user, perm)) {<a name="line.167"></a> <span class="sourceLineNo">168</span> result = AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap);<a name="line.168"></a> <span class="sourceLineNo">169</span> } else {<a name="line.169"></a> <span class="sourceLineNo">170</span> result = AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap);<a name="line.170"></a> @@ -203,7 +203,7 @@ <span class="sourceLineNo">195</span> return;<a name="line.195"></a> <span class="sourceLineNo">196</span> }<a name="line.196"></a> <span class="sourceLineNo">197</span> AuthResult authResult;<a name="line.197"></a> -<span class="sourceLineNo">198</span> if (authManager.authorize(user, perm)) {<a name="line.198"></a> +<span class="sourceLineNo">198</span> if (authManager.authorizeUserGlobal(user, perm)) {<a name="line.198"></a> <span class="sourceLineNo">199</span> authResult = AuthResult.allow(request, "Global check allowed", user, perm, null);<a name="line.199"></a> <span class="sourceLineNo">200</span> authResult.getParams().setNamespace(namespace);<a name="line.200"></a> <span class="sourceLineNo">201</span> logResult(authResult);<a name="line.201"></a> @@ -233,7 +233,7 @@ <span class="sourceLineNo">225</span> AuthResult result = null;<a name="line.225"></a> <span class="sourceLineNo">226</span><a name="line.226"></a> <span class="sourceLineNo">227</span> for (Action permission : permissions) {<a name="line.227"></a> -<span class="sourceLineNo">228</span> if (authManager.authorize(user, namespace, permission)) {<a name="line.228"></a> +<span class="sourceLineNo">228</span> if (authManager.authorizeUserNamespace(user, namespace, permission)) {<a name="line.228"></a> <span class="sourceLineNo">229</span> result =<a name="line.229"></a> <span class="sourceLineNo">230</span> AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);<a name="line.230"></a> <span class="sourceLineNo">231</span> break;<a name="line.231"></a> @@ -268,7 +268,7 @@ <span class="sourceLineNo">260</span> AuthResult result = null;<a name="line.260"></a> <span class="sourceLineNo">261</span><a name="line.261"></a> <span class="sourceLineNo">262</span> for (Action permission : permissions) {<a name="line.262"></a> -<span class="sourceLineNo">263</span> if (authManager.authorize(user, namespace, permission)) {<a name="line.263"></a> +<span class="sourceLineNo">263</span> if (authManager.authorizeUserNamespace(user, namespace, permission)) {<a name="line.263"></a> <span class="sourceLineNo">264</span> result =<a name="line.264"></a> <span class="sourceLineNo">265</span> AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);<a name="line.265"></a> <span class="sourceLineNo">266</span> result.getParams().setTableName(tableName).setFamilies(familyMap);<a name="line.266"></a> @@ -307,7 +307,7 @@ <span class="sourceLineNo">299</span> AuthResult result = null;<a name="line.299"></a> <span class="sourceLineNo">300</span><a name="line.300"></a> <span class="sourceLineNo">301</span> for (Action permission : permissions) {<a name="line.301"></a> -<span class="sourceLineNo">302</span> if (authManager.authorize(user, tableName, family, qualifier, permission)) {<a name="line.302"></a> +<span class="sourceLineNo">302</span> if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {<a name="line.302"></a> <span class="sourceLineNo">303</span> result = AuthResult.allow(request, "Table permission granted",<a name="line.303"></a> <span class="sourceLineNo">304</span> user, permission, tableName, family, qualifier);<a name="line.304"></a> <span class="sourceLineNo">305</span> break;<a name="line.305"></a> @@ -345,7 +345,7 @@ <span class="sourceLineNo">337</span> AuthResult result = null;<a name="line.337"></a> <span class="sourceLineNo">338</span><a name="line.338"></a> <span class="sourceLineNo">339</span> for (Action permission : permissions) {<a name="line.339"></a> -<span class="sourceLineNo">340</span> if (authManager.authorize(user, tableName, null, null, permission)) {<a name="line.340"></a> +<span class="sourceLineNo">340</span> if (authManager.authorizeUserTable(user, tableName, permission)) {<a name="line.340"></a> <span class="sourceLineNo">341</span> result = AuthResult.allow(request, "Table permission granted",<a name="line.341"></a> <span class="sourceLineNo">342</span> user, permission, tableName, null, null);<a name="line.342"></a> <span class="sourceLineNo">343</span> result.getParams().setFamily(family).setQualifier(qualifier);<a name="line.343"></a> http://git-wip-us.apache.org/repos/asf/hbase-site/blob/68eae623/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.Strategy.html ---------------------------------------------------------------------- diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.Strategy.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.Strategy.html index d69fb6a..f5e1bf7 100644 --- a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.Strategy.html +++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.Strategy.html @@ -46,7 +46,7 @@ <span class="sourceLineNo">038</span> *<a name="line.38"></a> <span class="sourceLineNo">039</span> * <p><a name="line.39"></a> <span class="sourceLineNo">040</span> * TODO: There is room for further performance optimization here.<a name="line.40"></a> -<span class="sourceLineNo">041</span> * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of<a name="line.41"></a> +<span class="sourceLineNo">041</span> * Calling AuthManager.authorize() per KeyValue imposes a fair amount of<a name="line.41"></a> <span class="sourceLineNo">042</span> * overhead. A more optimized solution might look at the qualifiers where<a name="line.42"></a> <span class="sourceLineNo">043</span> * permissions are actually granted and explicitly limit the scan to those.<a name="line.43"></a> <span class="sourceLineNo">044</span> * </p><a name="line.44"></a> @@ -66,7 +66,7 @@ <span class="sourceLineNo">058</span> CHECK_CELL_DEFAULT,<a name="line.58"></a> <span class="sourceLineNo">059</span> }<a name="line.59"></a> <span class="sourceLineNo">060</span><a name="line.60"></a> -<span class="sourceLineNo">061</span> private TableAuthManager authManager;<a name="line.61"></a> +<span class="sourceLineNo">061</span> private AuthManager authManager;<a name="line.61"></a> <span class="sourceLineNo">062</span> private TableName table;<a name="line.62"></a> <span class="sourceLineNo">063</span> private User user;<a name="line.63"></a> <span class="sourceLineNo">064</span> private boolean isSystemTable;<a name="line.64"></a> @@ -83,7 +83,7 @@ <span class="sourceLineNo">075</span> AccessControlFilter() {<a name="line.75"></a> <span class="sourceLineNo">076</span> }<a name="line.76"></a> <span class="sourceLineNo">077</span><a name="line.77"></a> -<span class="sourceLineNo">078</span> AccessControlFilter(TableAuthManager mgr, User ugi, TableName tableName,<a name="line.78"></a> +<span class="sourceLineNo">078</span> AccessControlFilter(AuthManager mgr, User ugi, TableName tableName,<a name="line.78"></a> <span class="sourceLineNo">079</span> Strategy strategy, Map<ByteRange, Integer> cfVsMaxVersions) {<a name="line.79"></a> <span class="sourceLineNo">080</span> authManager = mgr;<a name="line.80"></a> <span class="sourceLineNo">081</span> table = tableName;<a name="line.81"></a> @@ -127,20 +127,20 @@ <span class="sourceLineNo">119</span> return ReturnCode.SKIP;<a name="line.119"></a> <span class="sourceLineNo">120</span> }<a name="line.120"></a> <span class="sourceLineNo">121</span> // XXX: Compare in place, don't clone<a name="line.121"></a> -<span class="sourceLineNo">122</span> byte[] family = CellUtil.cloneFamily(cell);<a name="line.122"></a> -<span class="sourceLineNo">123</span> byte[] qualifier = CellUtil.cloneQualifier(cell);<a name="line.123"></a> +<span class="sourceLineNo">122</span> byte[] f = CellUtil.cloneFamily(cell);<a name="line.122"></a> +<span class="sourceLineNo">123</span> byte[] q = CellUtil.cloneQualifier(cell);<a name="line.123"></a> <span class="sourceLineNo">124</span> switch (strategy) {<a name="line.124"></a> <span class="sourceLineNo">125</span> // Filter only by checking the table or CF permissions<a name="line.125"></a> <span class="sourceLineNo">126</span> case CHECK_TABLE_AND_CF_ONLY: {<a name="line.126"></a> -<span class="sourceLineNo">127</span> if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ)) {<a name="line.127"></a> +<span class="sourceLineNo">127</span> if (authManager.authorizeUserTable(user, table, f, q, Permission.Action.READ)) {<a name="line.127"></a> <span class="sourceLineNo">128</span> return ReturnCode.INCLUDE;<a name="line.128"></a> <span class="sourceLineNo">129</span> }<a name="line.129"></a> <span class="sourceLineNo">130</span> }<a name="line.130"></a> <span class="sourceLineNo">131</span> break;<a name="line.131"></a> <span class="sourceLineNo">132</span> // Cell permissions can override table or CF permissions<a name="line.132"></a> <span class="sourceLineNo">133</span> case CHECK_CELL_DEFAULT: {<a name="line.133"></a> -<span class="sourceLineNo">134</span> if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ) ||<a name="line.134"></a> -<span class="sourceLineNo">135</span> authManager.authorize(user, table, cell, Permission.Action.READ)) {<a name="line.135"></a> +<span class="sourceLineNo">134</span> if (authManager.authorizeUserTable(user, table, f, q, Permission.Action.READ) ||<a name="line.134"></a> +<span class="sourceLineNo">135</span> authManager.authorizeCell(user, table, cell, Permission.Action.READ)) {<a name="line.135"></a> <span class="sourceLineNo">136</span> return ReturnCode.INCLUDE;<a name="line.136"></a> <span class="sourceLineNo">137</span> }<a name="line.137"></a> <span class="sourceLineNo">138</span> }<a name="line.138"></a> http://git-wip-us.apache.org/repos/asf/hbase-site/blob/68eae623/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.html ---------------------------------------------------------------------- diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.html index d69fb6a..f5e1bf7 100644 --- a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.html +++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessControlFilter.html @@ -46,7 +46,7 @@ <span class="sourceLineNo">038</span> *<a name="line.38"></a> <span class="sourceLineNo">039</span> * <p><a name="line.39"></a> <span class="sourceLineNo">040</span> * TODO: There is room for further performance optimization here.<a name="line.40"></a> -<span class="sourceLineNo">041</span> * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of<a name="line.41"></a> +<span class="sourceLineNo">041</span> * Calling AuthManager.authorize() per KeyValue imposes a fair amount of<a name="line.41"></a> <span class="sourceLineNo">042</span> * overhead. A more optimized solution might look at the qualifiers where<a name="line.42"></a> <span class="sourceLineNo">043</span> * permissions are actually granted and explicitly limit the scan to those.<a name="line.43"></a> <span class="sourceLineNo">044</span> * </p><a name="line.44"></a> @@ -66,7 +66,7 @@ <span class="sourceLineNo">058</span> CHECK_CELL_DEFAULT,<a name="line.58"></a> <span class="sourceLineNo">059</span> }<a name="line.59"></a> <span class="sourceLineNo">060</span><a name="line.60"></a> -<span class="sourceLineNo">061</span> private TableAuthManager authManager;<a name="line.61"></a> +<span class="sourceLineNo">061</span> private AuthManager authManager;<a name="line.61"></a> <span class="sourceLineNo">062</span> private TableName table;<a name="line.62"></a> <span class="sourceLineNo">063</span> private User user;<a name="line.63"></a> <span class="sourceLineNo">064</span> private boolean isSystemTable;<a name="line.64"></a> @@ -83,7 +83,7 @@ <span class="sourceLineNo">075</span> AccessControlFilter() {<a name="line.75"></a> <span class="sourceLineNo">076</span> }<a name="line.76"></a> <span class="sourceLineNo">077</span><a name="line.77"></a> -<span class="sourceLineNo">078</span> AccessControlFilter(TableAuthManager mgr, User ugi, TableName tableName,<a name="line.78"></a> +<span class="sourceLineNo">078</span> AccessControlFilter(AuthManager mgr, User ugi, TableName tableName,<a name="line.78"></a> <span class="sourceLineNo">079</span> Strategy strategy, Map<ByteRange, Integer> cfVsMaxVersions) {<a name="line.79"></a> <span class="sourceLineNo">080</span> authManager = mgr;<a name="line.80"></a> <span class="sourceLineNo">081</span> table = tableName;<a name="line.81"></a> @@ -127,20 +127,20 @@ <span class="sourceLineNo">119</span> return ReturnCode.SKIP;<a name="line.119"></a> <span class="sourceLineNo">120</span> }<a name="line.120"></a> <span class="sourceLineNo">121</span> // XXX: Compare in place, don't clone<a name="line.121"></a> -<span class="sourceLineNo">122</span> byte[] family = CellUtil.cloneFamily(cell);<a name="line.122"></a> -<span class="sourceLineNo">123</span> byte[] qualifier = CellUtil.cloneQualifier(cell);<a name="line.123"></a> +<span class="sourceLineNo">122</span> byte[] f = CellUtil.cloneFamily(cell);<a name="line.122"></a> +<span class="sourceLineNo">123</span> byte[] q = CellUtil.cloneQualifier(cell);<a name="line.123"></a> <span class="sourceLineNo">124</span> switch (strategy) {<a name="line.124"></a> <span class="sourceLineNo">125</span> // Filter only by checking the table or CF permissions<a name="line.125"></a> <span class="sourceLineNo">126</span> case CHECK_TABLE_AND_CF_ONLY: {<a name="line.126"></a> -<span class="sourceLineNo">127</span> if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ)) {<a name="line.127"></a> +<span class="sourceLineNo">127</span> if (authManager.authorizeUserTable(user, table, f, q, Permission.Action.READ)) {<a name="line.127"></a> <span class="sourceLineNo">128</span> return ReturnCode.INCLUDE;<a name="line.128"></a> <span class="sourceLineNo">129</span> }<a name="line.129"></a> <span class="sourceLineNo">130</span> }<a name="line.130"></a> <span class="sourceLineNo">131</span> break;<a name="line.131"></a> <span class="sourceLineNo">132</span> // Cell permissions can override table or CF permissions<a name="line.132"></a> <span class="sourceLineNo">133</span> case CHECK_CELL_DEFAULT: {<a name="line.133"></a> -<span class="sourceLineNo">134</span> if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ) ||<a name="line.134"></a> -<span class="sourceLineNo">135</span> authManager.authorize(user, table, cell, Permission.Action.READ)) {<a name="line.135"></a> +<span class="sourceLineNo">134</span> if (authManager.authorizeUserTable(user, table, f, q, Permission.Action.READ) ||<a name="line.134"></a> +<span class="sourceLineNo">135</span> authManager.authorizeCell(user, table, cell, Permission.Action.READ)) {<a name="line.135"></a> <span class="sourceLineNo">136</span> return ReturnCode.INCLUDE;<a name="line.136"></a> <span class="sourceLineNo">137</span> }<a name="line.137"></a> <span class="sourceLineNo">138</span> }<a name="line.138"></a>
