[jira] [Commented] (PHOENIX-672) Add GRANT and REVOKE commands using HBase AccessController

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/PHOENIX-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16262046#comment-16262046
 ] 

ASF GitHub Bot commented on PHOENIX-672:
----------------------------------------

Github user ankitsinghal commented on a diff in the pull request:

    https://github.com/apache/phoenix/pull/283#discussion_r152479671
  
    --- Diff: 
phoenix-core/src/main/java/org/apache/phoenix/schema/MetaDataClient.java ---
    @@ -4168,4 +4176,197 @@ public MutationState useSchema(UseSchemaStatement 
useSchemaStatement) throws SQL
             }
             return new MutationState(0, 0, connection);
         }
    +
    +    public MutationState grantPermission(GrantStatement grantStatement) 
throws SQLException {
    +
    +        StringBuffer grantPermLog = new StringBuffer();
    +        grantPermLog.append("Grant Permissions requested for user/group: " 
+ grantStatement.getName());
    +        if (grantStatement.getSchemaName() != null) {
    +            grantPermLog.append(" for Schema: " + 
grantStatement.getSchemaName());
    +        } else if (grantStatement.getTableName() != null) {
    +            grantPermLog.append(" for Table: " + 
grantStatement.getTableName());
    +        }
    +        grantPermLog.append(" Permissions: " + 
Arrays.toString(grantStatement.getPermsList()));
    +        logger.info(grantPermLog.toString());
    +
    +        HConnection hConnection = 
connection.getQueryServices().getAdmin().getConnection();
    +
    +        try {
    +            if (grantStatement.getSchemaName() != null) {
    +                // SYSTEM.CATALOG doesn't have any entry for "default" 
HBase namespace, hence we will bypass the check
    +                
if(!grantStatement.getSchemaName().equals(QueryConstants.HBASE_DEFAULT_SCHEMA_NAME))
 {
    +                    
FromCompiler.getResolverForSchema(grantStatement.getSchemaName(), connection);
    +                }
    +                grantPermissionsToSchema(hConnection, grantStatement);
    +
    +            } else if (grantStatement.getTableName() != null) {
    +                PTable inputTable = PhoenixRuntime.getTable(connection,
    +                        
SchemaUtil.normalizeFullTableName(grantStatement.getTableName().toString()));
    +                if (!(PTableType.TABLE.equals(inputTable.getType()) || 
PTableType.SYSTEM.equals(inputTable.getType()))) {
    +                    throw new AccessDeniedException("Cannot GRANT 
permissions on INDEX TABLES or VIEWS");
    +                }
    +                grantPermissionsToTables(hConnection, grantStatement, 
inputTable);
    +
    +            } else {
    +                grantPermissionsToUser(hConnection, grantStatement);
    +            }
    +
    +        } catch (SQLException e) {
    +            // Bubble up the SQL Exception
    +            throw e;
    +        } catch (Throwable throwable) {
    +            // Wrap around other exceptions to PhoenixIOException (Ex: 
org.apache.hadoop.hbase.security.AccessDeniedException)
    +            throw ServerUtil.parseServerException(throwable);
    +        }
    +
    +        return new MutationState(0, 0, connection);
    +    }
    +
    +    private void grantPermissionsToTables(HConnection hConnection, 
GrantStatement grantStatement, PTable inputTable) throws Throwable {
    +
    +        org.apache.hadoop.hbase.TableName tableName = 
SchemaUtil.getPhysicalTableName
    +                (inputTable.getName().getBytes(), 
inputTable.isNamespaceMapped());
    +
    +        grantPermissionsToTable(hConnection, grantStatement, tableName);
    +
    +        for(PTable indexTable : inputTable.getIndexes()) {
    +            // Local Indexes don't correspond to new physical table, they 
are just stored in separate CF of base table.
    +            if(indexTable.getIndexType().equals(IndexType.LOCAL)) {
    +                continue;
    +            }
    +            logger.info("Granting " + 
Arrays.toString(grantStatement.getPermsList()) +
    +                    " perms to IndexTable: " + indexTable.getName() + " 
BaseTable: " + inputTable.getName());
    +            if (inputTable.isNamespaceMapped() != 
indexTable.isNamespaceMapped()) {
    +                throw new 
TablesNotInSyncException(inputTable.getTableName().getString(),
    +                        indexTable.getTableName().getString(), "Namespace 
properties");
    +            }
    +            tableName = 
SchemaUtil.getPhysicalTableName(indexTable.getName().getBytes(), 
indexTable.isNamespaceMapped());
    +            grantPermissionsToTable(hConnection, grantStatement, 
tableName);
    --- End diff --
    
    you can have a common method to give you set of physical tables on which 
revoke and grant is required.


> Add GRANT and REVOKE commands using HBase AccessController
> ----------------------------------------------------------
>
>                 Key: PHOENIX-672
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-672
>             Project: Phoenix
>          Issue Type: Task
>            Reporter: James Taylor
>            Assignee: Karan Mehta
>              Labels: namespaces, security
>             Fix For: 4.14.0
>
>         Attachments: PHOENIX-672.001.patch
>
>
> In HBase 0.98, cell-level security will be available. Take a look at 
> [this](https://communities.intel.com/community/datastack/blog/2013/10/29/hbase-cell-security)
>  excellent blog post by @apurtell. Once Phoenix works on 0.96, we should add 
> support for security to our SQL grammar.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)