You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2014/12/12 02:30:18 UTC
[35/51] [partial] incubator-ranger git commit: RANGER-194: Rename
packages from xasecure to apache ranger
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java b/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
deleted file mode 100644
index fc032c5..0000000
--- a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
+++ /dev/null
@@ -1,1259 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package com.xasecure.authorization.hbase;
-import java.io.IOException;
-import java.net.InetAddress;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Calendar;
-import java.util.Collection;
-import java.util.Date;
-import java.util.GregorianCalendar;
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.NavigableSet;
-import java.util.Set;
-import java.util.TimeZone;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.hbase.Cell;
-import org.apache.hadoop.hbase.CellUtil;
-import org.apache.hadoop.hbase.CoprocessorEnvironment;
-import org.apache.hadoop.hbase.HColumnDescriptor;
-import org.apache.hadoop.hbase.HRegionInfo;
-import org.apache.hadoop.hbase.HTableDescriptor;
-import org.apache.hadoop.hbase.KeyValue;
-import org.apache.hadoop.hbase.NamespaceDescriptor;
-import org.apache.hadoop.hbase.ServerName;
-import org.apache.hadoop.hbase.TableName;
-import org.apache.hadoop.hbase.client.Append;
-import org.apache.hadoop.hbase.client.Delete;
-import org.apache.hadoop.hbase.client.Durability;
-import org.apache.hadoop.hbase.client.Get;
-import org.apache.hadoop.hbase.client.Increment;
-import org.apache.hadoop.hbase.client.Put;
-import org.apache.hadoop.hbase.client.Result;
-import org.apache.hadoop.hbase.client.Scan;
-import org.apache.hadoop.hbase.coprocessor.CoprocessorException;
-import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
-import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
-import org.apache.hadoop.hbase.coprocessor.ObserverContext;
-import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
-import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
-import org.apache.hadoop.hbase.filter.ByteArrayComparable;
-import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
-import org.apache.hadoop.hbase.filter.FilterList;
-import org.apache.hadoop.hbase.ipc.RequestContext;
-import org.apache.hadoop.hbase.master.RegionPlan;
-import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
-import org.apache.hadoop.hbase.protobuf.ResponseConverter;
-import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
-import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
-import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription;
-import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.CleanupBulkLoadRequest;
-import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.PrepareBulkLoadRequest;
-import org.apache.hadoop.hbase.regionserver.HRegion;
-import org.apache.hadoop.hbase.regionserver.InternalScanner;
-import org.apache.hadoop.hbase.regionserver.RegionScanner;
-import org.apache.hadoop.hbase.regionserver.ScanType;
-import org.apache.hadoop.hbase.regionserver.Store;
-import org.apache.hadoop.hbase.regionserver.StoreFile;
-import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
-import org.apache.hadoop.hbase.security.AccessDeniedException;
-import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.Permission;
-import org.apache.hadoop.hbase.security.access.Permission.Action;
-import org.apache.hadoop.hbase.security.access.TablePermission;
-import org.apache.hadoop.hbase.security.access.UserPermission;
-import org.apache.hadoop.hbase.security.access.XaAccessControlLists;
-import org.apache.hadoop.hbase.util.Bytes;
-import org.apache.hadoop.hbase.util.Pair;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.MapMaker;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import com.google.protobuf.RpcCallback;
-import com.google.protobuf.RpcController;
-import com.google.protobuf.Service;
-import com.xasecure.admin.client.XaAdminRESTClient;
-import com.xasecure.admin.client.datatype.GrantRevokeData;
-import com.xasecure.admin.client.datatype.GrantRevokeData.PermMap;
-import com.xasecure.audit.model.EnumRepositoryType;
-import com.xasecure.audit.model.HBaseAuditEvent;
-import com.xasecure.audit.provider.AuditProviderFactory;
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants;
-import com.xasecure.authorization.utils.StringUtil;
-
-public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCoprocessorBase implements AccessControlService.Interface, CoprocessorService {
- private static final Log LOG = LogFactory.getLog(XaSecureAuthorizationCoprocessor.class.getName());
- private static final String XaSecureModuleName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_XASECURE_MODULE_ACL_NAME_PROP , XaSecureHadoopConstants.DEFAULT_XASECURE_MODULE_ACL_NAME) ;
- private static final short accessGrantedFlag = 1;
- private static final short accessDeniedFlag = 0;
- private static final String repositoryName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
- private static final boolean UpdateXaPoliciesOnGrantRevoke = XaSecureConfiguration.getInstance().getBoolean(XaSecureHadoopConstants.HBASE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP, XaSecureHadoopConstants.HBASE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
- private static final String GROUP_PREFIX = "@";
-
-
- private static final String SUPERUSER_CONFIG_PROP = "hbase.superuser";
- private static final String WILDCARD = "*";
- private static final byte[] WILDCARD_MATCH = "*".getBytes();
-
- private static final TimeZone gmtTimeZone = TimeZone.getTimeZone("GMT+0");
-
- private RegionCoprocessorEnvironment regionEnv;
- private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap();
-
- private HBaseAccessController accessController = HBaseAccessControllerFactory.getInstance();
- private List<String> superUserList = null;
- // Utilities Methods
- protected byte[] getTableName(RegionCoprocessorEnvironment e) {
- HRegion region = e.getRegion();
- byte[] tableName = null;
- if (region != null) {
- HRegionInfo regionInfo = region.getRegionInfo();
- if (regionInfo != null) {
- tableName = regionInfo.getTable().getName() ;
- }
- }
- return tableName;
- }
- protected void isSystemOrSuperUser(Configuration conf) throws IOException {
- User user = User.getCurrent();
- if (user == null) {
- throw new IOException("Unable to obtain the current user, authorization checks for internal operations will not work correctly!");
- }
- String currentUser = user.getShortName();
- List<String> superusers = Lists.asList(currentUser, conf.getStrings(SUPERUSER_CONFIG_PROP, new String[0]));
- User activeUser = getActiveUser();
- if (!(superusers.contains(activeUser.getShortName()))) {
- throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : "null") + "is not system or super user.");
- }
- }
- private boolean isSuperUser(User user) {
- boolean isSuper = false;
- isSuper = (superUserList != null && superUserList.contains(user.getShortName()));
- if (LOG.isDebugEnabled()) {
- LOG.debug("IsSuperCheck on [" + user.getShortName() + "] returns [" + isSuper + "]");
- }
- return isSuper;
- }
- protected boolean isSpecialTable(HRegionInfo regionInfo) {
- return isSpecialTable(regionInfo.getTable().getName());
- }
- protected boolean isSpecialTable(byte[] tableName) {
- return isSpecialTable(Bytes.toString(tableName));
- }
- protected boolean isSpecialTable(String tableNameStr) {
- return tableNameStr.equals("hbase:meta") || tableNameStr.equals("-ROOT-") || tableNameStr.equals(".META.");
- }
- @SuppressWarnings("unused")
- private String getUser() {
- User u = getActiveUser();
- if (u == null) {
- return "(user:unknown)";
- } else {
- String groups = (u.getGroupNames() == null) ? "" : StringUtils.join(u.getGroupNames(), ",");
- return "(user:" + u.getShortName() + ", groups: [" + groups + "])";
- }
- }
- private User getActiveUser() {
- User user = RequestContext.getRequestUser();
- if (!RequestContext.isInRequestContext()) {
- // for non-rpc handling, fallback to system user
- try {
- user = User.getCurrent();
- } catch (IOException e) {
- LOG.error("Unable to find the current user");
- user = null;
- }
- }
- return user;
- }
-
- private String getRemoteAddress() {
- RequestContext reqContext = RequestContext.get();
- InetAddress remoteAddr = reqContext != null ? reqContext.getRemoteAddress() : null;
- String strAddr = remoteAddr != null ? remoteAddr.getHostAddress() : null;
-
- return strAddr;
- }
-
- // Methods that are used within the CoProcessor
- private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
- if (RequestContext.isInRequestContext()) {
- String requestUserName = RequestContext.getRequestUserName();
- String owner = scannerOwners.get(s);
- if (owner != null && !owner.equals(requestUserName)) {
- throw new AccessDeniedException("User '" + requestUserName + "' is not the scanner owner!");
- }
- }
- }
- // Methods that are delegated to AUTHManager
- public boolean isPermissionGranted(User user, Action action) {
- if (isSuperUser(user)) {
- return true;
- } else {
- return accessController.isAccessAllowed(user, action);
- }
- }
- public boolean isPermissionGranted(User user, byte[] tableName, Action action) {
- if (isSuperUser(user)) {
- return true;
- } else {
- return accessController.isAccessAllowed(user, tableName, action);
- }
- }
- public boolean isPermissionGranted(User user, byte[] tableName, byte[] colf, Action action) {
- if (isSuperUser(user)) {
- return true;
- } else {
- return accessController.isAccessAllowed(user, tableName, colf, WILDCARD_MATCH, action);
- }
- }
- public boolean isPermissionGranted(User user, byte[] tableName, byte[] colf, byte[] col, Action action) {
- if (isSuperUser(user)) {
- return true;
- } else {
- return accessController.isAccessAllowed(user, tableName, colf, col, action);
- }
- }
- // Methods that are internally used by co-processors
- @SuppressWarnings("unchecked")
- public void requirePermission(String request, Action action, RegionCoprocessorEnvironment rEnv, Map<byte[], ? extends Collection<?>> families) throws IOException {
- HRegionInfo hri = rEnv.getRegion().getRegionInfo();
- byte[] tableName = hri.getTable().getName() ;
- String tableNameStr = Bytes.toString(tableName);
- if (hri.isMetaTable() || hri.isMetaRegion()) {
- if (action == TablePermission.Action.READ) {
- return;
- }
- }
- User user = getActiveUser();
- if (user == null) {
- throw new AccessDeniedException("No user associated with request (" + request + ") for action: " + action + "on table:" + tableName);
- }
- if (isSuperUser(user)) {
- return;
- }
- if (action == TablePermission.Action.WRITE && (hri.isMetaTable() || hri.isMetaRegion()) && (isPermissionGranted(user, Permission.Action.CREATE) || isPermissionGranted(user, Permission.Action.ADMIN))) {
- return;
- }
- if (isPermissionGranted(user, tableName, (byte[]) null, action)) {
- return;
- }
- if (families != null && families.size() > 0) {
- // all families must pass
- for (Map.Entry<byte[], ? extends Collection<?>> family : families.entrySet()) {
- // a) check for family level access
- if (isPermissionGranted(user, tableName, family.getKey(), action)) {
- continue; // family-level permission overrides per-qualifier
- }
- // b) qualifier level access can still succeed
- if ((family.getValue() != null) && (family.getValue().size() > 0)) {
- if (family.getValue() instanceof Set) { // Set<byte[]> - Set
- // of Columns
- // for each qualifier of the family
- Set<byte[]> qualifierSet = (Set<byte[]>) family.getValue();
- for (byte[] qualifier : qualifierSet) {
- if (!isPermissionGranted(user, tableName, family.getKey(), qualifier, action)) {
- if (accessController.isAudited(tableName)) {
- auditEvent(request, tableName, family.getKey(), qualifier, null, null, user, accessDeniedFlag);
- }
- throw new AccessDeniedException("Insufficient permissions for user '" + user + "',action: " + action + ", tableName:" + tableNameStr + ", family:" + Bytes.toString(family.getKey()) + ",column: " + Bytes.toString(qualifier));
- }
- }
- } else if (family.getValue() instanceof List) { // List<KeyValue>
- // - List of
- // KeyValue
- // pair
- List<KeyValue> kvList = (List<KeyValue>) family.getValue();
- for (KeyValue kv : kvList) {
- if (!isPermissionGranted(user, tableName, family.getKey(), kv.getQualifier(), action)) {
- if (accessController.isAudited(tableName)) {
- auditEvent(request, tableName, family.getKey(), kv.getQualifier(), null, null, user, accessDeniedFlag);
- }
- throw new AccessDeniedException("Insufficient permissions for user '" + user + "',action: " + action + ", tableName:" + tableNameStr + ", family:" + Bytes.toString(family.getKey()) + ",column: " + Bytes.toString(kv.getQualifier()));
- }
- }
- }
- } else {
- if (accessController.isAudited(tableName)) {
- auditEvent(request, tableName, family.getKey(), null, null, null, user, accessDeniedFlag);
- }
- throw new AccessDeniedException("Insufficient permissions for user '" + user + "',action: " + action + ", tableName:" + tableNameStr + ", family:" + Bytes.toString(family.getKey()) + ", no columns found.");
- }
- }
- return;
- }
- if (accessController.isAudited(tableName)) {
- auditEvent(request, tableName, null, null, null, null, user, accessDeniedFlag);
- }
- throw new AccessDeniedException("Insufficient permissions for user '" + user + "',action: " + action + ", tableName:" + tableNameStr);
- }
- // Check if the user has global permission ...
- protected void requireGlobalPermission(String request, String objName, Permission.Action action) throws AccessDeniedException {
- User user = getActiveUser();
- if (!isPermissionGranted(user, action)) {
- if (accessController.isAudited(WILDCARD_MATCH)) {
- auditEvent(request, objName, null, null, null, null, user, accessDeniedFlag);
- }
- throw new AccessDeniedException("Insufficient permissions for user '" + getActiveUser() + "' (global, action=" + action + ")");
- }
- }
- protected void requirePermission(String request, byte[] tableName, Permission.Action action) throws AccessDeniedException {
- User user = getActiveUser();
- if (!isPermissionGranted(user, tableName, action)) {
- if (accessController.isAudited(tableName)) {
- auditEvent(request, tableName, null, null, null, null, user, accessDeniedFlag);
- }
- throw new AccessDeniedException("Insufficient permissions for user '" + getActiveUser() + "' (global, action=" + action + ")");
- }
- }
- protected void requirePermission(String request, byte[] aTableName, byte[] aColumnFamily, byte[] aQualifier, Permission.Action... actions) throws AccessDeniedException {
- User user = getActiveUser();
- boolean isAllowed = false;
-
- for (Action action : actions) {
- isAllowed = isPermissionGranted(user, aTableName, aColumnFamily, aQualifier, action);
-
- if(isAllowed) {
- break;
- }
- }
-
- if (!isAllowed) {
- if (accessController.isAudited(aTableName)) {
- auditEvent(request, aTableName, aColumnFamily, aQualifier, null, null, user, accessDeniedFlag);
- }
- Permission.Action deniedAction = actions.length > 0 ? actions[0] : null;
-
- throw new AccessDeniedException("Insufficient permissions for user '" + user + "',action: " + deniedAction + ", tableName:" + Bytes.toString(aTableName) + ", family:" + Bytes.toString(aColumnFamily) + ",column: " + Bytes.toString(aQualifier));
- }
- }
- protected void requirePermission(String request, Permission.Action perm, RegionCoprocessorEnvironment env, Collection<byte[]> families) throws IOException {
- HashMap<byte[], Set<byte[]>> familyMap = new HashMap<byte[], Set<byte[]>>();
-
- if(families != null) {
- for (byte[] family : families) {
- familyMap.put(family, null);
- }
- }
- requirePermission(request, perm, env, familyMap);
- }
- protected boolean isPermissionGranted(String request, User requestUser, Permission.Action perm, RegionCoprocessorEnvironment env, Map<byte[], NavigableSet<byte[]>> familyMap) {
- boolean ret = true;
- try {
- requirePermission(request, perm, env, familyMap);
- } catch (Throwable t) {
- ret = false;
- }
- return ret;
- }
- protected boolean hasFamilyQualifierPermission(User requestUser, Permission.Action perm, RegionCoprocessorEnvironment env, Map<byte[], NavigableSet<byte[]>> familyMap) {
- User user = requestUser;
- byte[] tableName = getTableName(env);
- if (familyMap != null && familyMap.size() > 0) {
- for (Map.Entry<byte[], NavigableSet<byte[]>> family : familyMap.entrySet()) {
- if (family.getValue() != null && !family.getValue().isEmpty()) {
- for (byte[] qualifier : family.getValue()) {
- boolean isGranted = isPermissionGranted(user, tableName, family.getKey(), qualifier, perm);
- LOG.info(":=> hasFamilyQualifierPermission: T(" + Bytes.toString(tableName) + "), family: (" + Bytes.toString(family.getKey() ) + "), Q(" + Bytes.toString(qualifier) + "), Permission: [" + perm + "] => [" + isGranted + "]") ;
- if (isGranted) {
- return true;
- }
- }
- } else {
- boolean isGranted = isPermissionGranted(user, tableName, family.getKey(), perm);
- LOG.info(":=> hasFamilyPermission: T(" + Bytes.toString(tableName) + "), family: (" + Bytes.toString(family.getKey() ) + ", Permission: [" + perm + "] => [" + isGranted + "]") ;
- if (isGranted) {
- return true;
- }
- }
- }
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Empty family map passed for permission check");
- }
- }
- return false;
- }
-
-
- public void checkPermissions(Permission[] permissions) throws IOException {
- String tableName = regionEnv.getRegion().getTableDesc().getTableName().getNameAsString() ;
- for (Permission permission : permissions) {
- if (permission instanceof TablePermission) {
- TablePermission tperm = (TablePermission) permission;
- for (Permission.Action action : permission.getActions()) {
- if (! tperm.getTableName().getNameAsString().equals(tableName)) {
- throw new AccessDeniedException(String.format("This method can only execute at the table specified in TablePermission. " + "Table of the region:%s , requested table:%s", tableName,
- tperm.getTableName().getNameAsString()));
- }
- HashMap<byte[], Set<byte[]>> familyMap = Maps.newHashMapWithExpectedSize(1);
- if (tperm.getFamily() != null) {
- if (tperm.getQualifier() != null) {
- familyMap.put(tperm.getFamily(), Sets.newHashSet(tperm.getQualifier()));
- } else {
- familyMap.put(tperm.getFamily(), null);
- }
- }
- requirePermission("checkPermissions", action, regionEnv, familyMap);
- }
- } else {
- for (Permission.Action action : permission.getActions()) {
- byte[] tname = regionEnv.getRegion().getTableDesc().getTableName().getName() ;
- requirePermission("checkPermissions", tname, action);
- }
- }
- }
- }
-
- @Override
- public void postAddColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, HColumnDescriptor column) throws IOException {
- auditEvent("addColumn", tableName.getName(), column.getName(), null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postAssign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo) throws IOException {
- auditEvent("assign", regionInfo.getTable().getNameAsString(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postBalance(ObserverContext<MasterCoprocessorEnvironment> c,List<RegionPlan> aRegPlanList) throws IOException {
- auditEvent("balance", (String) null, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, boolean oldValue, boolean newValue) throws IOException {
- auditEvent("balanceSwitch", (String) null, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException {
- auditEvent("cloneSnapshot", hTableDescriptor.getNameAsString(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postCreateTable(ObserverContext<MasterCoprocessorEnvironment> ctx, HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
- auditEvent("createTable", desc.getNameAsString(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postDelete(ObserverContext<RegionCoprocessorEnvironment> c, Delete delete, WALEdit edit, Durability durability) throws IOException {
- auditEvent("delete", delete.toString(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, byte[] col) throws IOException {
- auditEvent("deleteColumn", tableName.getName(), col, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot) throws IOException {
- auditEvent("deleteSnapShot", (String) null, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- auditEvent("deleteTable", tableName.getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- auditEvent("disableTable", tableName.getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- auditEvent("enableTable", tableName.getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, HColumnDescriptor descriptor) throws IOException {
- auditEvent("modifyColumn", tableName.getName(), descriptor.getName(), null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, HTableDescriptor htd) throws IOException {
- auditEvent("modifyTable", tableName.getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region, ServerName srcServer, ServerName destServer) throws IOException {
- auditEvent("move", region.getTable().getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postOpen(ObserverContext<RegionCoprocessorEnvironment> ctx) {
- auditEvent("open", (String) null, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException {
- auditEvent("restoreSnapshot", (String) null, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postScannerClose(ObserverContext<RegionCoprocessorEnvironment> c, InternalScanner s) throws IOException {
- try {
- scannerOwners.remove(s);
- } finally {
- byte[] tableName = getTableName(c.getEnvironment());
-
- if (!isSpecialTable(tableName)) {
- auditEvent("scannerClose", tableName, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- }
- }
- @Override
- public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Scan scan, RegionScanner s) throws IOException {
- try {
- User user = getActiveUser();
- if (user != null && user.getShortName() != null) {
- scannerOwners.put(s, user.getShortName());
- }
- } finally {
- byte[] tableName = getTableName(c.getEnvironment());
-
- if (!isSpecialTable(tableName)) {
- auditEvent("scannerOpen", tableName, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- }
- return s;
- }
- @Override
- public void postSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException {
- auditEvent("snapshot", hTableDescriptor.getNameAsString(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {
- if(UpdateXaPoliciesOnGrantRevoke) {
- XaAccessControlLists.init(ctx.getEnvironment().getMasterServices());
- }
-
- auditEvent("startMaster", (String) null, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void postUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo, boolean force) throws IOException {
- auditEvent("unassign", regionInfo.getTable().getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, HColumnDescriptor column) throws IOException {
- requirePermission("addColumn", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append) throws IOException {
- requirePermission("append", TablePermission.Action.WRITE, c.getEnvironment(), append.getFamilyCellMap());
- return null;
- }
- @Override
- public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo) throws IOException {
- requirePermission("assign", regionInfo.getTable().getName(), null, null, Action.ADMIN);
- }
- @Override
- public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
- requirePermission("balance", null, Permission.Action.ADMIN);
- }
- @Override
- public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, boolean newValue) throws IOException {
- requirePermission("balanceSwitch", null, Permission.Action.ADMIN);
- return newValue;
- }
- @Override
- public void preBulkLoadHFile(ObserverContext<RegionCoprocessorEnvironment> ctx, List<Pair<byte[], String>> familyPaths) throws IOException {
- List<byte[]> cfs = new LinkedList<byte[]>();
- for (Pair<byte[], String> el : familyPaths) {
- cfs.add(el.getFirst());
- }
- requirePermission("bulkLoadHFile", Permission.Action.WRITE, ctx.getEnvironment(), cfs);
- }
- @Override
- public boolean preCheckAndDelete(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Delete delete, boolean result) throws IOException {
- Collection<byte[]> familyMap = Arrays.asList(new byte[][] { family });
- requirePermission("checkAndDelete", TablePermission.Action.READ, c.getEnvironment(), familyMap);
- requirePermission("checkAndDelete", TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
- return result;
- }
- @Override
- public boolean preCheckAndPut(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Put put, boolean result) throws IOException {
- Collection<byte[]> familyMap = Arrays.asList(new byte[][] { family });
- requirePermission("checkAndPut", TablePermission.Action.READ, c.getEnvironment(), familyMap);
- requirePermission("checkAndPut", TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
- return result;
- }
- @Override
- public void preCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException {
- requirePermission("cloneSnapshot", null, Permission.Action.ADMIN);
- }
- @Override
- public void preClose(ObserverContext<RegionCoprocessorEnvironment> e, boolean abortRequested) throws IOException {
- requirePermission("close", getTableName(e.getEnvironment()), Permission.Action.ADMIN);
- }
- @Override
- public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> e, Store store, InternalScanner scanner,ScanType scanType) throws IOException {
- requirePermission("compact", getTableName(e.getEnvironment()), null, null, Action.ADMIN, Action.CREATE);
- return scanner;
- }
- @Override
- public void preCompactSelection(ObserverContext<RegionCoprocessorEnvironment> e, Store store, List<StoreFile> candidates) throws IOException {
- requirePermission("compactSelection", getTableName(e.getEnvironment()), null, null, Action.ADMIN, Action.CREATE);
- }
-
- @Override
- public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> c, HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
- requirePermission("createTable", desc.getName(), Permission.Action.CREATE);
- }
- @Override
- public void preDelete(ObserverContext<RegionCoprocessorEnvironment> c, Delete delete, WALEdit edit, Durability durability) throws IOException {
- requirePermission("delete", TablePermission.Action.WRITE, c.getEnvironment(), delete.getFamilyCellMap());
- }
- @Override
- public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, byte[] col) throws IOException {
- requirePermission("deleteColumn", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public void preDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot) throws IOException {
- requirePermission("deleteSnapshot", null, Permission.Action.ADMIN);
- }
- @Override
- public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- requirePermission("deleteTable", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- requirePermission("disableTable", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException {
- requirePermission("enableTable", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public boolean preExists(ObserverContext<RegionCoprocessorEnvironment> c, Get get, boolean exists) throws IOException {
- requirePermission("exists", TablePermission.Action.READ, c.getEnvironment(), get.familySet());
- return exists;
- }
- @Override
- public void preFlush(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
- requirePermission("flush", getTableName(e.getEnvironment()), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public void preGetClosestRowBefore(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, Result result) throws IOException {
- requirePermission("getClosestRowBefore", TablePermission.Action.READ, c.getEnvironment(), (family != null ? Lists.newArrayList(family) : null));
- }
- @Override
- public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> c, Increment increment) throws IOException {
- requirePermission("increment", TablePermission.Action.WRITE, c.getEnvironment(), increment.getFamilyCellMap().keySet());
-
- return null;
- }
- @Override
- public long preIncrementColumnValue(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, long amount, boolean writeToWAL) throws IOException {
- requirePermission("incrementColumnValue", TablePermission.Action.READ, c.getEnvironment(), Arrays.asList(new byte[][] { family }));
- requirePermission("incrementColumnValue", TablePermission.Action.WRITE, c.getEnvironment(), Arrays.asList(new byte[][] { family }));
- return -1;
- }
- @Override
- public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, HColumnDescriptor descriptor) throws IOException {
- requirePermission("modifyColumn", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, HTableDescriptor htd) throws IOException {
- requirePermission("modifyTable", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- @Override
- public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region, ServerName srcServer, ServerName destServer) throws IOException {
- requirePermission("move", region.getTable().getName() , null, null, Action.ADMIN);
- }
- @Override
- public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
- RegionCoprocessorEnvironment env = e.getEnvironment();
- final HRegion region = env.getRegion();
- if (region == null) {
- LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
- return;
- } else {
- HRegionInfo regionInfo = region.getRegionInfo();
- if (isSpecialTable(regionInfo)) {
- isSystemOrSuperUser(regionEnv.getConfiguration());
- } else {
- requirePermission("open", getTableName(e.getEnvironment()), Action.ADMIN);
- }
- }
- }
- @Override
- public void preRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException {
- requirePermission("restoreSnapshot", hTableDescriptor.getName(), Permission.Action.ADMIN);
- }
-
- @Override
- public void preScannerClose(ObserverContext<RegionCoprocessorEnvironment> c, InternalScanner s) throws IOException {
- requireScannerOwner(s);
- }
- @Override
- public boolean preScannerNext(ObserverContext<RegionCoprocessorEnvironment> c, InternalScanner s, List<Result> result, int limit, boolean hasNext) throws IOException {
- requireScannerOwner(s);
- return hasNext;
- }
- @Override
- public RegionScanner preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Scan scan, RegionScanner s) throws IOException {
- RegionCoprocessorEnvironment e = c.getEnvironment();
- User user = getActiveUser();
- boolean isGranted = isPermissionGranted("scannerOpen", user, TablePermission.Action.READ, e, scan.getFamilyMap());
- if (!isGranted) {
- if (hasFamilyQualifierPermission(user, TablePermission.Action.READ, e, scan.getFamilyMap())) {
- byte[] table = getTableName(e);
- XaSecureAccessControlFilter filter = new XaSecureAccessControlFilter(user, table);
- if (scan.hasFilter()) {
- FilterList wrapper = new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(filter, scan.getFilter()));
- scan.setFilter(wrapper);
- } else {
- scan.setFilter(filter);
- }
- } else {
- throw new AccessDeniedException("Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") + "' for scanner open on table " + Bytes.toString(getTableName(e)));
- }
- }
- return s;
- }
- @Override
- public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
- requirePermission("shutdown", null, Permission.Action.ADMIN);
- }
- @Override
- public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException {
- requirePermission("snapshot", hTableDescriptor.getName(), Permission.Action.ADMIN);
- }
- @Override
- public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
- requirePermission("split", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
- }
- @Override
- public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
- requirePermission("stopMaster", null, Permission.Action.ADMIN);
- }
- @Override
- public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> env) throws IOException {
- requirePermission("stop", null, Permission.Action.ADMIN);
- }
- @Override
- public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo, boolean force) throws IOException {
- requirePermission("unassign", regionInfo.getTable().getName(), null, null, Action.ADMIN);
- }
- private String coprocessorType = "unknown";
- private static final String MASTER_COPROCESSOR_TYPE = "master";
- private static final String REGIONAL_COPROCESSOR_TYPE = "regional";
- private static final String REGIONAL_SERVER_COPROCESSOR_TYPE = "regionalServer";
- @Override
- public void start(CoprocessorEnvironment env) throws IOException {
- AuditProviderFactory.ApplicationType appType = AuditProviderFactory.ApplicationType.Unknown;
-
- if (env instanceof MasterCoprocessorEnvironment) {
- coprocessorType = MASTER_COPROCESSOR_TYPE;
- appType = AuditProviderFactory.ApplicationType.HBaseMaster;
- } else if (env instanceof RegionServerCoprocessorEnvironment) {
- coprocessorType = REGIONAL_SERVER_COPROCESSOR_TYPE;
- appType = AuditProviderFactory.ApplicationType.HBaseRegionalServer;
- } else if (env instanceof RegionCoprocessorEnvironment) {
- regionEnv = (RegionCoprocessorEnvironment) env;
- coprocessorType = REGIONAL_COPROCESSOR_TYPE;
- appType = AuditProviderFactory.ApplicationType.HBaseRegionalServer;
- }
-
- XaSecureConfiguration.getInstance().initAudit(appType);
-
- if (superUserList == null) {
- superUserList = new ArrayList<String>();
- Configuration conf = env.getConfiguration();
- String[] users = conf.getStrings(SUPERUSER_CONFIG_PROP);
- if (users != null) {
- for (String user : users) {
- user = user.trim();
- LOG.info("Start() - Adding Super User(" + user + ")");
- superUserList.add(user);
- }
- }
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("Start of Coprocessor: [" + coprocessorType + "] with superUserList [" + superUserList + "]");
- }
- }
- @Override
- public void stop(CoprocessorEnvironment env) {
- }
- @Override
- public void prePut(ObserverContext<RegionCoprocessorEnvironment> c, Put put, WALEdit edit, Durability durability) throws IOException {
- requirePermission("put", TablePermission.Action.WRITE, c.getEnvironment(), put.getFamilyCellMap());
- }
-
- @Override
- public void postPut(ObserverContext<RegionCoprocessorEnvironment> c, Put put, WALEdit edit, Durability durability) {
- byte[] tableName = getTableName(c.getEnvironment());
- if (!isSpecialTable(tableName)) {
- if (accessController.isAudited(tableName)) {
- Map<byte[], List<Cell>> colf2KeyValMap = put.getFamilyCellMap() ;
- for (byte[] colf : colf2KeyValMap.keySet()) {
- if (colf != null) {
- List<Cell> kvList = colf2KeyValMap.get(colf);
- for (Cell kv : kvList) {
- auditEvent("Put", tableName, CellUtil.cloneFamily(kv), CellUtil.cloneQualifier(kv) , CellUtil.cloneRow(kv), CellUtil.cloneValue(kv), getActiveUser(), accessGrantedFlag);
- }
- }
- }
-
-
- }
- }
- }
-
- @Override
- public void preGetOp(final ObserverContext<RegionCoprocessorEnvironment> rEnv, final Get get, final List<Cell> result) throws IOException {
- RegionCoprocessorEnvironment e = rEnv.getEnvironment();
- User requestUser = getActiveUser();
-
-
- if (LOG.isDebugEnabled())
- {
- StringBuilder fields = new StringBuilder() ;
- Map<byte[], NavigableSet<byte[]>> familyMap = get.getFamilyMap() ;
- if (familyMap != null && familyMap.size() > 0) {
- for(byte[] columnfamily : familyMap.keySet() ) {
- if (columnfamily != null && columnfamily.length > 0) {
- NavigableSet<byte[]> columnNameSet = familyMap.get(columnfamily) ;
- if (columnNameSet != null && columnNameSet.size() > 0) {
- for(byte[] columnname : columnNameSet) {
- fields.append("Field[" + Bytes.toString(columnfamily) + ":" + Bytes.toString(columnname) + "],") ;
- }
- }
- else {
- fields.append("Field[" + Bytes.toString(columnfamily) + ":null],") ;
- }
- }
- }
- }
- else {
- if (familyMap == null){
- fields.append("{null}") ;
- }
- else {
- fields.append("{empty}") ;
- }
- }
- LOG.debug("preGet is checking permission for the following fields: {" + fields.toString() + "}");
- }
-
- boolean isPermGranted = isPermissionGranted("get", requestUser, TablePermission.Action.READ, e, get.getFamilyMap());
-
- if (!isPermGranted) {
- isPermGranted = hasFamilyQualifierPermission(requestUser, TablePermission.Action.READ, e, get.getFamilyMap());
- if (isPermGranted) {
- byte[] table = getTableName(e);
- XaSecureAccessControlFilter filter = new XaSecureAccessControlFilter(requestUser, table);
- if (get.getFilter() != null) {
- FilterList wrapper = new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(filter, get.getFilter()));
- get.setFilter(wrapper);
- } else {
- get.setFilter(filter);
- }
- } else {
- throw new AccessDeniedException("Insufficient permissions (table=" + e.getRegion().getTableDesc().getNameAsString() + ", action=READ)");
- }
- }
- }
- @Override
- public void postGetOp(final ObserverContext<RegionCoprocessorEnvironment> env, final Get get, final List<Cell> results) throws IOException {
- HRegionInfo hri = env.getEnvironment().getRegion().getRegionInfo();
-
- byte[] tableName = hri.getTable().getName() ;
-
- if (!isSpecialTable(tableName)) {
- try {
- if (accessController.isAudited(tableName)) {
- for (Cell cell : results) {
- auditEvent("Get", tableName, cell.getFamily(), cell.getQualifier(), cell.getRow(), cell.getValue(), getActiveUser(), accessGrantedFlag);
- }
- }
- } catch (Throwable t) {
- }
- }
- }
-
- @Override
- public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo) throws IOException {
- requirePermission("regionOffline", regionInfo.getTable().getName(), null, null, Action.ADMIN);
- }
- @Override
- public void postRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo) throws IOException {
- auditEvent("regionOffline", regionInfo.getTable().getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- @Override
- public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, NamespaceDescriptor ns) throws IOException {
- requireGlobalPermission("createNamespace", ns.getName(), Action.ADMIN);
- }
- @Override
- public void postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, NamespaceDescriptor ns) throws IOException {
- if (accessController.isAudited(WILDCARD_MATCH)) {
- auditEvent("createNamespace", ns.getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- }
- @Override
- public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace) throws IOException {
- requireGlobalPermission("deleteNamespace", namespace, Action.ADMIN);
- }
- @Override
- public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace) throws IOException {
- if (accessController.isAudited(WILDCARD_MATCH)) {
- auditEvent("deleteNamespace", namespace, null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- }
- @Override
- public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, NamespaceDescriptor ns) throws IOException {
- requireGlobalPermission("modifyNamespace", ns.getName(), Action.ADMIN);
- }
- @Override
- public void postModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, NamespaceDescriptor ns) throws IOException {
- if (accessController.isAudited(WILDCARD_MATCH)) {
- auditEvent("modifyNamespace", ns.getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- }
- @Override
- public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors) throws IOException {
- if (tableNamesList == null || tableNamesList.isEmpty()) { // If the list is empty, this is a request for all table descriptors and requires GLOBAL ADMIN privs.
- requireGlobalPermission("getTableDescriptors", WILDCARD, Action.ADMIN);
- } else { // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the request can be granted.
- for (TableName tableName: tableNamesList) {
- requirePermission("getTableDescriptors", tableName.getName(), null, null, Action.ADMIN, Action.CREATE);
- }
- }
- }
- @Override
- public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<HTableDescriptor> descriptors) throws IOException {
- if (descriptors == null || descriptors.isEmpty()) { // If the list is empty, this is a request for all table descriptors and requires GLOBAL ADMIN privs.
- auditEvent("getTableDescriptors", WILDCARD, null, null, null, null, getActiveUser(), accessGrantedFlag);
- } else { // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the request can be granted.
- for (HTableDescriptor descriptor : descriptors) {
- auditEvent("getTableDescriptors", descriptor.getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
- }
- }
- @Override
- public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx, HRegion regionA, HRegion regionB) throws IOException {
- requirePermission("mergeRegions", regionA.getTableDesc().getTableName().getName(), null, null, Action.ADMIN);
- }
-
- @Override
- public void postMerge(ObserverContext<RegionServerCoprocessorEnvironment> c, HRegion regionA, HRegion regionB, HRegion mergedRegion) throws IOException {
- auditEvent("mergeRegions", regionA.getTableDesc().getTableName().getName(), null, null, null, null, getActiveUser(), accessGrantedFlag);
- }
-
- public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx, PrepareBulkLoadRequest request) throws IOException {
- List<byte[]> cfs = null;
-
- requirePermission("prePrepareBulkLoad", Permission.Action.WRITE, ctx.getEnvironment(), cfs);
- }
-
- public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx, CleanupBulkLoadRequest request) throws IOException {
- List<byte[]> cfs = null;
-
- requirePermission("preCleanupBulkLoad", Permission.Action.WRITE, ctx.getEnvironment(), cfs);
- }
-
- private void auditEvent(String eventName, byte[] tableName, byte[] columnFamilyName, byte[] qualifierName, byte[] row, byte[] value, User user, short accessFlag) {
- auditEvent(eventName, Bytes.toString(tableName), Bytes.toString(columnFamilyName), Bytes.toString(qualifierName), row, value, user, accessFlag);
- }
-
- private void auditEvent(String eventName, String tableName, String columnFamilyName, String qualifierName, byte[] row, byte[] value, User user, short accessFlag) {
-
- if (tableName != null && accessController.isAudited(tableName.getBytes())) {
-
- String resourceType = "table";
- String resourceName = tableName;
- if (columnFamilyName != null && columnFamilyName.length() > 0) {
- resourceName += "/" + columnFamilyName;
- resourceType = "columnFamily";
- }
- if (qualifierName != null && qualifierName.length() > 0) {
- resourceName += "/" + qualifierName;
- resourceType = "column";
- }
-
- HBaseAuditEvent auditEvent = new HBaseAuditEvent();
-
- auditEvent.setAclEnforcer(XaSecureModuleName);
- auditEvent.setResourceType(resourceType);
- auditEvent.setResourcePath(resourceName);
- auditEvent.setAction(eventName);
- auditEvent.setAccessType(eventName);
- auditEvent.setUser(user == null ? XaSecureHadoopConstants.AUDITLOG_EMPTY_STRING : user.getShortName());
- auditEvent.setAccessResult(accessFlag);
- auditEvent.setClientIP(getRemoteAddress());
- auditEvent.setEventTime(getUTCDate());
- auditEvent.setRepositoryType(EnumRepositoryType.HBASE);
- auditEvent.setRepositoryName(repositoryName);
-
- try {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Writing audit log [" + auditEvent + "] - START.");
- }
- AuditProviderFactory.getAuditProvider().log(auditEvent);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Writing audit log [" + auditEvent + "] - END.");
- }
- }
- catch(Throwable t) {
- LOG.error("ERROR during audit log [" + auditEvent + "]", t);
- }
-
- }
- }
-
- public static Date getUTCDate() {
- Calendar local=Calendar.getInstance();
- int offset = local.getTimeZone().getOffset(local.getTimeInMillis());
- GregorianCalendar utc = new GregorianCalendar(gmtTimeZone);
- utc.setTimeInMillis(local.getTimeInMillis());
- utc.add(Calendar.MILLISECOND, -offset);
- return utc.getTime();
- }
-
- @Override
- public void grant(RpcController controller, AccessControlProtos.GrantRequest request, RpcCallback<AccessControlProtos.GrantResponse> done) {
- boolean isSuccess = false;
-
- if(UpdateXaPoliciesOnGrantRevoke) {
- GrantRevokeData grData = null;
-
- try {
- grData = createGrantData(request);
-
- XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
- xaAdmin.grantPrivilege(grData);
-
- isSuccess = true;
- } catch(IOException excp) {
- LOG.warn("grant() failed", excp);
-
- ResponseConverter.setControllerException(controller, excp);
- } catch (Exception excp) {
- LOG.warn("grant() failed", excp);
-
- ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
- } finally {
- byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables());
-
- if(accessController.isAudited(tableName)) {
- byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies());
- byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns());
-
- // Note: failed return from REST call will be logged as 'DENIED'
- auditEvent("grant", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess ? accessGrantedFlag : accessDeniedFlag);
- }
- }
- }
-
- AccessControlProtos.GrantResponse response = isSuccess ? AccessControlProtos.GrantResponse.getDefaultInstance() : null;
-
- done.run(response);
- }
-
- @Override
- public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request, RpcCallback<AccessControlProtos.RevokeResponse> done) {
- boolean isSuccess = false;
-
- if(UpdateXaPoliciesOnGrantRevoke) {
- GrantRevokeData grData = null;
-
- try {
- grData = createRevokeData(request);
-
- XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
- xaAdmin.revokePrivilege(grData);
-
- isSuccess = true;
- } catch(IOException excp) {
- LOG.warn("revoke() failed", excp);
-
- ResponseConverter.setControllerException(controller, excp);
- } catch (Exception excp) {
- LOG.warn("revoke() failed", excp);
-
- ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
- } finally {
- byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables());
-
- if(accessController.isAudited(tableName)) {
- byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies());
- byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns());
-
- // Note: failed return from REST call will be logged as 'DENIED'
- auditEvent("revoke", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess ? accessGrantedFlag : accessDeniedFlag);
- }
- }
- }
-
- AccessControlProtos.RevokeResponse response = isSuccess ? AccessControlProtos.RevokeResponse.getDefaultInstance() : null;
-
- done.run(response);
- }
-
- @Override
- public void checkPermissions(RpcController controller, AccessControlProtos.CheckPermissionsRequest request, RpcCallback<AccessControlProtos.CheckPermissionsResponse> done) {
- LOG.debug("checkPermissions(): ");
- }
-
- @Override
- public void getUserPermissions(RpcController controller, AccessControlProtos.GetUserPermissionsRequest request, RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
- LOG.debug("getUserPermissions(): ");
- }
-
- @Override
- public Service getService() {
- return AccessControlProtos.AccessControlService.newReflectiveService(this);
- }
-
- private GrantRevokeData createGrantData(AccessControlProtos.GrantRequest request) throws Exception {
- org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.UserPermission up = request.getUserPermission();
- org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.Permission perm = up == null ? null : up.getPermission();
-
- UserPermission userPerm = up == null ? null : ProtobufUtil.toUserPermission(up);
- Permission.Action[] actions = userPerm == null ? null : userPerm.getActions();
- String userName = userPerm == null ? null : Bytes.toString(userPerm.getUser());
- String tableName = null;
- String colFamily = null;
- String qualifier = null;
-
- if(perm == null) {
- throw new Exception("grant(): invalid data - permission is null");
- }
-
- if(StringUtil.isEmpty(userName)) {
- throw new Exception("grant(): invalid data - username empty");
- }
-
- if ((actions == null) || (actions.length == 0)) {
- throw new Exception("grant(): invalid data - no action specified");
- }
-
- switch(perm.getType()) {
- case Global:
- tableName = colFamily = qualifier = "*";
- break;
-
- case Table:
- tableName = Bytes.toString(userPerm.getTableName().getName());
- colFamily = Bytes.toString(userPerm.getFamily());
- qualifier = Bytes.toString(userPerm.getQualifier());
- break;
-
- case Namespace:
- default:
- LOG.warn("grant(): ignoring type '" + perm.getType().name() + "'");
- break;
- }
-
- if(StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
- throw new Exception("grant(): table/columnFamily/columnQualifier not specified");
- }
-
- PermMap permMap = new PermMap();
-
- if(userName.startsWith(GROUP_PREFIX)) {
- permMap.addGroup(userName.substring(GROUP_PREFIX.length()));
- } else {
- permMap.addUser(userName);
- }
-
- for (int i = 0; i < actions.length; i++) {
- switch(actions[i].code()) {
- case 'R':
- case 'W':
- case 'C':
- case 'A':
- permMap.addPerm(actions[i].name());
- break;
-
- default:
- LOG.warn("grant(): ignoring action '" + actions[i].name() + "' for user '" + userName + "'");
- }
- }
-
- User activeUser = getActiveUser();
- String grantor = activeUser != null ? activeUser.getShortName() : null;
-
- GrantRevokeData grData = new GrantRevokeData();
-
- grData.setHBaseData(grantor, repositoryName, tableName, qualifier, colFamily, permMap);
-
- return grData;
- }
-
- private GrantRevokeData createRevokeData(AccessControlProtos.RevokeRequest request) throws Exception {
- org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.UserPermission up = request.getUserPermission();
- org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.Permission perm = up == null ? null : up.getPermission();
-
- UserPermission userPerm = up == null ? null : ProtobufUtil.toUserPermission(up);
- String userName = userPerm == null ? null : Bytes.toString(userPerm.getUser());
- String tableName = null;
- String colFamily = null;
- String qualifier = null;
-
- if(perm == null) {
- throw new Exception("revoke(): invalid data - permission is null");
- }
-
- if(StringUtil.isEmpty(userName)) {
- throw new Exception("revoke(): invalid data - username empty");
- }
-
- switch(perm.getType()) {
- case Global :
- tableName = colFamily = qualifier = "*";
- break;
-
- case Table :
- tableName = Bytes.toString(userPerm.getTableName().getName());
- colFamily = Bytes.toString(userPerm.getFamily());
- qualifier = Bytes.toString(userPerm.getQualifier());
- break;
-
- case Namespace:
- default:
- LOG.warn("revoke(): ignoring type '" + perm.getType().name() + "'");
- break;
- }
-
- if(StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
- throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
- }
-
- PermMap permMap = new PermMap();
-
- if(userName.startsWith(GROUP_PREFIX)) {
- permMap.addGroup(userName.substring(GROUP_PREFIX.length()));
- } else {
- permMap.addUser(userName);
- }
-
- // revoke removes all permissions
- permMap.addPerm(Permission.Action.READ.name());
- permMap.addPerm(Permission.Action.WRITE.name());
- permMap.addPerm(Permission.Action.CREATE.name());
- permMap.addPerm(Permission.Action.ADMIN.name());
-
- User activeUser = getActiveUser();
- String grantor = activeUser != null ? activeUser.getShortName() : null;
-
- GrantRevokeData grData = new GrantRevokeData();
-
- grData.setHBaseData(grantor, repositoryName, tableName, qualifier, colFamily, permMap);
-
- return grData;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessorBase.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessorBase.java b/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessorBase.java
deleted file mode 100644
index b60a95b..0000000
--- a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessorBase.java
+++ /dev/null
@@ -1,671 +0,0 @@
-/**
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.xasecure.authorization.hbase;
-
-import java.io.IOException;
-import java.util.List;
-
-import org.apache.hadoop.hbase.HColumnDescriptor;
-import org.apache.hadoop.hbase.HRegionInfo;
-import org.apache.hadoop.hbase.HTableDescriptor;
-import org.apache.hadoop.hbase.NamespaceDescriptor;
-import org.apache.hadoop.hbase.ServerName;
-import org.apache.hadoop.hbase.TableName;
-import org.apache.hadoop.hbase.client.Mutation;
-import org.apache.hadoop.hbase.coprocessor.BaseRegionObserver;
-import org.apache.hadoop.hbase.coprocessor.BulkLoadObserver;
-import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
-import org.apache.hadoop.hbase.coprocessor.MasterObserver;
-import org.apache.hadoop.hbase.coprocessor.ObserverContext;
-import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
-import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
-import org.apache.hadoop.hbase.coprocessor.RegionServerObserver;
-import org.apache.hadoop.hbase.master.RegionPlan;
-import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription;
-import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.CleanupBulkLoadRequest;
-import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.PrepareBulkLoadRequest;
-import org.apache.hadoop.hbase.regionserver.HRegion;
-import org.apache.hadoop.hbase.replication.ReplicationEndpoint;
-import org.apache.hadoop.hbase.security.access.Permission;
-import org.apache.hadoop.hbase.security.access.Permission.Action;
-
-public class XaSecureAuthorizationCoprocessorBase extends BaseRegionObserver
- implements MasterObserver, RegionServerObserver, BulkLoadObserver {
-
- @Override
- public void preStopRegionServer(
- ObserverContext<RegionServerCoprocessorEnvironment> env)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preMerge(
- ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postMerge(
- ObserverContext<RegionServerCoprocessorEnvironment> c,
- HRegion regionA, HRegion regionB, HRegion mergedRegion)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preMergeCommit(
- ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB, List<Mutation> metaEntries)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postMergeCommit(
- ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB, HRegion mergedRegion)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preRollBackMerge(
- ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postRollBackMerge(
- ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preCreateTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postCreateTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preCreateTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postCreateTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDeleteTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDeleteTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDeleteTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDeleteTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preModifyTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HTableDescriptor htd) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postModifyTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HTableDescriptor htd) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preModifyTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HTableDescriptor htd) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postModifyTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HTableDescriptor htd) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor column) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postAddColumn(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor column) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preAddColumnHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor column) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postAddColumnHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor column) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preModifyColumn(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor descriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postModifyColumn(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor descriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preModifyColumnHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor descriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postModifyColumnHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, HColumnDescriptor descriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDeleteColumn(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, byte[] c) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDeleteColumn(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, byte[] c) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDeleteColumnHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, byte[] c) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDeleteColumnHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName, byte[] c) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preEnableTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postEnableTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preEnableTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postEnableTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDisableTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDisableTable(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDisableTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDisableTableHandler(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preMove(ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo region, ServerName srcServer, ServerName destServer)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postMove(ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo region, ServerName srcServer, ServerName destServer)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preAssign(ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo regionInfo) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postAssign(ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo regionInfo) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo regionInfo, boolean force) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postUnassign(ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo regionInfo, boolean force) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preRegionOffline(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo regionInfo) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postRegionOffline(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- HRegionInfo regionInfo) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preBalance(ObserverContext<MasterCoprocessorEnvironment> ctx)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postBalance(ObserverContext<MasterCoprocessorEnvironment> ctx,
- List<RegionPlan> plans) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public boolean preBalanceSwitch(
- ObserverContext<MasterCoprocessorEnvironment> ctx, boolean newValue)
- throws IOException {
- // TODO Auto-generated method stub
- return false;
- }
-
- @Override
- public void postBalanceSwitch(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- boolean oldValue, boolean newValue) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> ctx)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> ctx)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postStartMaster(
- ObserverContext<MasterCoprocessorEnvironment> ctx)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preMasterInitialization(
- ObserverContext<MasterCoprocessorEnvironment> ctx)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot, HTableDescriptor hTableDescriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot, HTableDescriptor hTableDescriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preCloneSnapshot(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot, HTableDescriptor hTableDescriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postCloneSnapshot(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot, HTableDescriptor hTableDescriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preRestoreSnapshot(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot, HTableDescriptor hTableDescriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postRestoreSnapshot(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot, HTableDescriptor hTableDescriptor)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDeleteSnapshot(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDeleteSnapshot(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- SnapshotDescription snapshot) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preGetTableDescriptors(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- List<TableName> tableNamesList, List<HTableDescriptor> descriptors)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postGetTableDescriptors(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- List<HTableDescriptor> descriptors) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preCreateNamespace(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- NamespaceDescriptor ns) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postCreateNamespace(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- NamespaceDescriptor ns) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preDeleteNamespace(
- ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postDeleteNamespace(
- ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)
- throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void preModifyNamespace(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- NamespaceDescriptor ns) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void postModifyNamespace(
- ObserverContext<MasterCoprocessorEnvironment> ctx,
- NamespaceDescriptor ns) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void postRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx, final TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void postTableFlush(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void preTruncateTableHandler(final ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void postTruncateTableHandler(final ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void preTruncateTable(final ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public void postTruncateTable(final ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) throws IOException {
- // TODO Auto-generated method stub
-
- }
-
- public ReplicationEndpoint postCreateReplicationEndPoint(ObserverContext<RegionServerCoprocessorEnvironment> ctx, ReplicationEndpoint endpoint) {
- return endpoint;
- }
-
- public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx, PrepareBulkLoadRequest request) throws IOException {
- }
-
- public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx, CleanupBulkLoadRequest request) throws IOException {
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java b/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java
new file mode 100644
index 0000000..7f33b15
--- /dev/null
+++ b/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java
@@ -0,0 +1,104 @@
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.access;
+
+import java.io.IOException;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+import org.apache.hadoop.hbase.TableExistsException;
+import org.apache.hadoop.hbase.master.MasterServices;
+import org.apache.log4j.Logger;
+
+
+public class RangerAccessControlLists {
+
+ private static final Logger LOG = Logger.getLogger(RangerAccessControlLists.class) ;
+
+ public static void init(MasterServices master) throws IOException {
+
+ Class<AccessControlLists> accessControlListsClass = AccessControlLists.class ;
+ String cName = accessControlListsClass.getName() ;
+
+ Class<?>[] params = new Class[1] ;
+ params[0] = MasterServices.class ;
+
+ for (String mname : new String[] { "init", "createACLTable" } ) {
+ try {
+ try {
+ Method m = accessControlListsClass.getDeclaredMethod(mname, params) ;
+ if (m != null) {
+ try {
+
+ try {
+ m.invoke(null, master) ;
+ logInfo("Execute method name [" + mname + "] in Class [" + cName + "] is successful.");
+ } catch (InvocationTargetException e) {
+ Throwable cause = e ;
+ boolean tableExistsExceptionFound = false ;
+ if (e != null) {
+ Throwable ecause = e.getTargetException() ;
+ if (ecause != null) {
+ cause = ecause ;
+ if (ecause instanceof TableExistsException) {
+ tableExistsExceptionFound = true ;
+ }
+ }
+ }
+ if (! tableExistsExceptionFound) {
+ logError("Unable to execute the method [" + mname + "] on [" + cName + "] due to exception", cause) ;
+ throw new IOException(cause) ;
+ }
+ }
+ return ;
+ } catch (IllegalArgumentException e) {
+ logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e);
+ throw new IOException(e) ;
+ } catch (IllegalAccessException e) {
+ logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e);
+ throw new IOException(e) ;
+ }
+ }
+ }
+ catch(NoSuchMethodException nsme) {
+ logInfo("Unable to get method name [" + mname + "] in Class [" + cName + "]. Ignoring the exception");
+ }
+ } catch (SecurityException e) {
+ logError("Unable to get method name [" + mname + "] in Class [" + cName + "].", e);
+ throw new IOException(e) ;
+ }
+ }
+ throw new IOException("Unable to initialize() [" + cName + "]") ;
+ }
+
+
+ private static void logInfo(String msg) {
+ // System.out.println(msg) ;
+ LOG.info(msg) ;
+ }
+
+ private static void logError(String msg, Throwable t) {
+// System.err.println(msg) ;
+// if (t != null) {
+// t.printStackTrace(System.err);
+// }
+ LOG.error(msg, t);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java b/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
deleted file mode 100644
index 8313532..0000000
--- a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/**
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.hbase.security.access;
-
-import java.io.IOException;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-
-import org.apache.hadoop.hbase.TableExistsException;
-import org.apache.hadoop.hbase.master.MasterServices;
-import org.apache.log4j.Logger;
-
-
-public class XaAccessControlLists {
-
- private static final Logger LOG = Logger.getLogger(XaAccessControlLists.class) ;
-
- public static void init(MasterServices master) throws IOException {
-
- Class<AccessControlLists> accessControlListsClass = AccessControlLists.class ;
- String cName = accessControlListsClass.getName() ;
-
- Class<?>[] params = new Class[1] ;
- params[0] = MasterServices.class ;
-
- for (String mname : new String[] { "init", "createACLTable" } ) {
- try {
- try {
- Method m = accessControlListsClass.getDeclaredMethod(mname, params) ;
- if (m != null) {
- try {
-
- try {
- m.invoke(null, master) ;
- logInfo("Execute method name [" + mname + "] in Class [" + cName + "] is successful.");
- } catch (InvocationTargetException e) {
- Throwable cause = e ;
- boolean tableExistsExceptionFound = false ;
- if (e != null) {
- Throwable ecause = e.getTargetException() ;
- if (ecause != null) {
- cause = ecause ;
- if (ecause instanceof TableExistsException) {
- tableExistsExceptionFound = true ;
- }
- }
- }
- if (! tableExistsExceptionFound) {
- logError("Unable to execute the method [" + mname + "] on [" + cName + "] due to exception", cause) ;
- throw new IOException(cause) ;
- }
- }
- return ;
- } catch (IllegalArgumentException e) {
- logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e);
- throw new IOException(e) ;
- } catch (IllegalAccessException e) {
- logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e);
- throw new IOException(e) ;
- }
- }
- }
- catch(NoSuchMethodException nsme) {
- logInfo("Unable to get method name [" + mname + "] in Class [" + cName + "]. Ignoring the exception");
- }
- } catch (SecurityException e) {
- logError("Unable to get method name [" + mname + "] in Class [" + cName + "].", e);
- throw new IOException(e) ;
- }
- }
- throw new IOException("Unable to initialize() [" + cName + "]") ;
- }
-
-
- private static void logInfo(String msg) {
- // System.out.println(msg) ;
- LOG.info(msg) ;
- }
-
- private static void logError(String msg, Throwable t) {
-// System.err.println(msg) ;
-// if (t != null) {
-// t.printStackTrace(System.err);
-// }
- LOG.error(msg, t);
- }
-
-}