ACCUMULO-1479 implemented most of Table Namespace Permissions, doesnt entirely work, not well tested
Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/dfdf5113 Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/dfdf5113 Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/dfdf5113 Branch: refs/heads/master Commit: dfdf5113837d79ef9f21a5a64de0a3750611b5c8 Parents: 45f59ca Author: Sean Hickey <tallirishll...@gmail.com> Authored: Thu Aug 1 14:16:19 2013 -0400 Committer: Christopher Tubbs <ctubb...@apache.org> Committed: Wed Dec 4 18:46:10 2013 -0500 ---------------------------------------------------------------------- .../core/client/admin/SecurityOperations.java | 50 + .../client/admin/SecurityOperationsImpl.java | 36 + .../core/client/impl/thrift/ClientService.java | 5009 ++++++++++++++++-- .../client/impl/thrift/SecurityErrorCode.java | 5 +- .../accumulo/core/client/mock/MockAccumulo.java | 3 +- .../client/mock/MockSecurityOperations.java | 39 + .../core/client/mock/MockTableNamespace.java | 4 +- .../core/client/security/SecurityErrorCode.java | 3 +- .../core/security/SystemPermission.java | 5 +- .../core/security/TableNamespacePermission.java | 67 + .../core/util/shell/commands/GrantCommand.java | 19 +- .../core/util/shell/commands/RevokeCommand.java | 19 +- .../shell/commands/UserPermissionsCommand.java | 20 +- core/src/main/thrift/client.thrift | 12 +- .../server/client/ClientServiceHandler.java | 22 + .../server/security/SecurityOperation.java | 191 +- .../security/handler/InsecurePermHandler.java | 31 + .../security/handler/PermissionHandler.java | 28 + .../server/security/handler/ZKPermHandler.java | 127 + .../server/security/handler/ZKSecurityTool.java | 21 + .../randomwalk/security/WalkingSecurity.java | 51 + .../apache/accumulo/test/TableNamespacesIT.java | 37 +- 22 files changed, 5301 insertions(+), 498 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/accumulo/blob/dfdf5113/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperations.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperations.java b/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperations.java
index 86a3ff2..8a93efa 100644
--- a/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperations.java
+++ b/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperations.java
@@ -24,6 +24,7 @@ import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
 import org.apache.accumulo.core.client.security.tokens.PasswordToken;
 import org.apache.accumulo.core.security.Authorizations;
 import org.apache.accumulo.core.security.SystemPermission;
+import org.apache.accumulo.core.security.TableNamespacePermission;
 import org.apache.accumulo.core.security.TablePermission;
 
 /**
@@ -216,6 +217,23 @@ public interface SecurityOperations {
 public boolean hasTablePermission(String principal, String table, TablePermission perm) throws AccumuloException, AccumuloSecurityException;
 
 /**
+ * Verify the user has a particular table namespace permission
+ *
+ * @param principal
+ * the name of the user to query
+ * @param tableNamespace
+ * the name of the table namespace to query about
+ * @param perm
+ * the table namespace permission to check for
+ * @return true if user has that permission; false otherwise
+ * @throws AccumuloException
+ * if a general error occurs
+ * @throws AccumuloSecurityException
+ * if the user does not have permission to query a user
+ */
+ public boolean hasTableNamespacePermission(String principal, String tableNamespace, TableNamespacePermission perm) throws AccumuloException, AccumuloSecurityException;
+
+ /**
 * Grant a user a system permission
 *
 * @param principal
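Review bot: The Javadoc added for `hasTableNamespacePermission` does not say whether the answer covers only permissions granted directly on the namespace or also access the principal holds through system permissions, and it does not say what is thrown when the namespace does not exist; callers use this result to make access decisions, so both should be stated. The same gap is in the `grantTableNamespacePermission` and `revokeTableNamespacePermission` hunks that follow, whose `@throws AccumuloSecurityException` text should also name the permission the caller needs. These are new abstract methods on the public `SecurityOperations` interface (its body starts and ends outside the hunk), so each should carry a tag such as ` * @since <release>` (placeholder for the first release containing it) so third-party implementers can see when the contract changed.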
@@ -246,6 +264,22 @@ public interface SecurityOperations {
 public void grantTablePermission(String principal, String table, TablePermission permission) throws AccumuloException, AccumuloSecurityException;
 
 /**
+ * Grant a user a specific permission for a specific table namespace
+ *
+ * @param principal
+ * the name of the user to modify
+ * @param tableNamespace
+ * the name of the table namespace to modify for the user
+ * @param permission
+ * the table namespace permission to grant to the user
+ * @throws AccumuloException
+ * if a general error occurs
+ * @throws AccumuloSecurityException
+ * if the user does not have permission to grant a user permissions
+ */
+ public void grantTableNamespacePermission(String principal, String tableNamespace, TableNamespacePermission permission) throws AccumuloException, AccumuloSecurityException;
+
+ /**
 * Revoke a system permission from a user
 *
 * @param principal
@@ -276,6 +310,22 @@ public interface SecurityOperations {
 public void revokeTablePermission(String principal, String table, TablePermission permission) throws AccumuloException, AccumuloSecurityException;
 
 /**
+ * Revoke a table namespace permission for a specific user on a specific table namespace
+ *
+ * @param principal
+ * the name of the user to modify
+ * @param tableNamespace
+ * the name of the table namespace to modify for the user
+ * @param permission
+ * the table namespace permission to revoke for the user
+ * @throws AccumuloException
+ * if a general error occurs
+ * @throws AccumuloSecurityException
+ * if the user does not have permission to revoke a user's permissions
+ */
+ public void revokeTableNamespacePermission(String principal, String tableNamespace, TableNamespacePermission permission) throws AccumuloException, AccumuloSecurityException;
+
+ /**
 * Return a list of users in accumulo
 *
 * @return a set of user names
http://git-wip-us.apache.org/repos/asf/accumulo/blob/dfdf5113/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperationsImpl.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperationsImpl.java b/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperationsImpl.java
index 0f0e998..107ba74 100644
--- a/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperationsImpl.java
+++ b/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperationsImpl.java
@@ -35,6 +35,7 @@ import org.apache.accumulo.core.client.security.tokens.PasswordToken;
 import org.apache.accumulo.core.security.Authorizations;
 import org.apache.accumulo.core.security.Credentials;
 import org.apache.accumulo.core.security.SystemPermission;
+import org.apache.accumulo.core.security.TableNamespacePermission;
 import org.apache.accumulo.core.security.TablePermission;
 import org.apache.accumulo.core.util.ArgumentChecker;
 import org.apache.accumulo.core.util.ByteBufferUtil;
@@ -207,6 +208,17 @@ public class SecurityOperationsImpl implements SecurityOperations {
 }
 
 @Override
+ public boolean hasTableNamespacePermission(final String principal, final String tableNamespace, final TableNamespacePermission perm) throws AccumuloException, AccumuloSecurityException {
+ ArgumentChecker.notNull(principal, tableNamespace, perm);
+ return execute(new ClientExecReturn<Boolean,ClientService.Client>() {
+ @Override
+ public Boolean execute(ClientService.Client client) throws Exception {
+ return client.hasTableNamespacePermission(Tracer.traceInfo(), credentials.toThrift(instance), principal, tableNamespace, perm.getId());
+ }
+ });
+ }
+
+ @Override
 public void grantSystemPermission(final String principal, final SystemPermission permission) throws AccumuloException, AccumuloSecurityException {
 ArgumentChecker.notNull(principal, permission);
 execute(new ClientExec<ClientService.Client>() {
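Review bot: The `Boolean` returned by `execute(...)` in `hasTableNamespacePermission` is auto-unboxed to `boolean`, so a null result would surface as a NullPointerException on an authorization query instead of a denied answer or an AccumuloException; `execute` is defined outside this hunk, so confirm it can never return null. The call also forwards `perm.getId()` as a bare id, and the server-side handler that maps it back is not visible here; that handler should reject ids that do not correspond to a TableNamespacePermission rather than treating them as "no permission". A short Javadoc line on this override noting that it performs no client-side permission logic and only relays the server's answer would help the next reader.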
@@ -230,6 +242,18 @@ public class SecurityOperationsImpl implements SecurityOperations {
 }
 
 @Override
+ public void grantTableNamespacePermission(final String principal, final String tableNamespace, final TableNamespacePermission permission) throws AccumuloException,
+ AccumuloSecurityException {
+ ArgumentChecker.notNull(principal, tableNamespace, permission);
+ execute(new ClientExec<ClientService.Client>() {
+ @Override
+ public void execute(ClientService.Client client) throws Exception {
+ client.grantTableNamespacePermission(Tracer.traceInfo(), credentials.toThrift(instance), principal, tableNamespace, permission.getId());
+ }
+ });
+ }
+
+ @Override
 public void revokeSystemPermission(final String principal, final SystemPermission permission) throws AccumuloException, AccumuloSecurityException {
 ArgumentChecker.notNull(principal, permission);
 execute(new ClientExec<ClientService.Client>() {
@@ -252,6 +276,18 @@ public class SecurityOperationsImpl implements SecurityOperations {
 });
 }
 
+ @Override
+ public void revokeTableNamespacePermission(final String principal, final String tableNamespace, final TableNamespacePermission permission) throws AccumuloException,
+ AccumuloSecurityException {
+ ArgumentChecker.notNull(principal, tableNamespace, permission);
+ execute(new ClientExec<ClientService.Client>() {
+ @Override
+ public void execute(ClientService.Client client) throws Exception {
+ client.revokeTableNamespacePermission(Tracer.traceInfo(), credentials.toThrift(instance), principal, tableNamespace, permission.getId());
+ }
+ });
+ }
+
 @Deprecated
 @Override
 public Set<String> listUsers() throws AccumuloException, AccumuloSecurityException {
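Review bot: `grantTableNamespacePermission` and `revokeTableNamespacePermission` change who can reach data, yet the commit title itself says the feature does not entirely work and is not well tested, so both hunks need a round-trip test before they are relied on. The test should grant, assert `hasTableNamespacePermission` returns true, revoke, assert it returns false, and assert that a caller without the right to grant gets an AccumuloSecurityException. Both methods only null-check their arguments and relay the request, so every authorization decision rests on the server-side handler, which is outside these hunks; a one-line comment above each call such as `// authorization is enforced by the server; this client performs no permission check` would make that explicit.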