1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.hadoop.hbase.security.access;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.DataInput;
23 import java.io.DataInputStream;
24 import java.io.IOException;
25 import java.util.ArrayList;
26 import java.util.Arrays;
27 import java.util.Iterator;
28 import java.util.List;
29 import java.util.Map;
30 import java.util.Set;
31 import java.util.TreeMap;
32 import java.util.TreeSet;
33
34 import org.apache.commons.logging.Log;
35 import org.apache.commons.logging.LogFactory;
36 import org.apache.hadoop.hbase.classification.InterfaceAudience;
37 import org.apache.hadoop.conf.Configuration;
38 import org.apache.hadoop.hbase.Cell;
39 import org.apache.hadoop.hbase.CellUtil;
40 import org.apache.hadoop.hbase.HColumnDescriptor;
41 import org.apache.hadoop.hbase.HConstants;
42 import org.apache.hadoop.hbase.HTableDescriptor;
43 import org.apache.hadoop.hbase.NamespaceDescriptor;
44 import org.apache.hadoop.hbase.TableName;
45 import org.apache.hadoop.hbase.Tag;
46 import org.apache.hadoop.hbase.TagType;
47 import org.apache.hadoop.hbase.client.Delete;
48 import org.apache.hadoop.hbase.client.Get;
49 import org.apache.hadoop.hbase.client.HTable;
50 import org.apache.hadoop.hbase.client.Put;
51 import org.apache.hadoop.hbase.client.Result;
52 import org.apache.hadoop.hbase.client.ResultScanner;
53 import org.apache.hadoop.hbase.client.Scan;
54 import org.apache.hadoop.hbase.exceptions.DeserializationException;
55 import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
56 import org.apache.hadoop.hbase.filter.QualifierFilter;
57 import org.apache.hadoop.hbase.filter.RegexStringComparator;
58 import org.apache.hadoop.hbase.master.MasterServices;
59 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
60 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
61 import org.apache.hadoop.hbase.regionserver.BloomType;
62 import org.apache.hadoop.hbase.regionserver.HRegion;
63 import org.apache.hadoop.hbase.regionserver.InternalScanner;
64 import org.apache.hadoop.hbase.security.User;
65 import org.apache.hadoop.hbase.util.Bytes;
66 import org.apache.hadoop.hbase.util.Pair;
67 import org.apache.hadoop.io.Text;
68
69 import com.google.common.collect.ArrayListMultimap;
70 import com.google.common.collect.ListMultimap;
71 import com.google.common.collect.Lists;
72 import com.google.protobuf.InvalidProtocolBufferException;
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97 @InterfaceAudience.Private
98 public class AccessControlLists {
99
100 public static final TableName ACL_TABLE_NAME =
101 TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
102 public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
103
104 public static final String ACL_LIST_FAMILY_STR = "l";
105 public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
106
107 public static final byte ACL_TAG_TYPE = TagType.ACL_TAG_TYPE;
108
109 public static final char NAMESPACE_PREFIX = '@';
110
111
112
113
114 public static final char ACL_KEY_DELIMITER = ',';
115
116 public static final String GROUP_PREFIX = "@";
117
118 public static final String SUPERUSER_CONF_KEY = "hbase.superuser";
119
120 private static Log LOG = LogFactory.getLog(AccessControlLists.class);
121
122
123
124
125
126
127 static void createACLTable(MasterServices master) throws IOException {
128 HTableDescriptor desc = new HTableDescriptor(ACL_TABLE_NAME);
129 desc.addFamily(new HColumnDescriptor(ACL_LIST_FAMILY)
130 .setMaxVersions(1)
131 .setInMemory(true)
132 .setBlockCacheEnabled(true)
133 .setBlocksize(8 * 1024)
134 .setBloomFilterType(BloomType.NONE)
135 .setScope(HConstants.REPLICATION_SCOPE_LOCAL));
136 master.createTable(desc, null);
137 }
138
139
140
141
142
143
144
145 static void addUserPermission(Configuration conf, UserPermission userPerm)
146 throws IOException {
147 Permission.Action[] actions = userPerm.getActions();
148 byte[] rowKey = userPermissionRowKey(userPerm);
149 Put p = new Put(rowKey);
150 byte[] key = userPermissionKey(userPerm);
151
152 if ((actions == null) || (actions.length == 0)) {
153 String msg = "No actions associated with user '" + Bytes.toString(userPerm.getUser()) + "'";
154 LOG.warn(msg);
155 throw new IOException(msg);
156 }
157
158 byte[] value = new byte[actions.length];
159 for (int i = 0; i < actions.length; i++) {
160 value[i] = actions[i].code();
161 }
162 p.addImmutable(ACL_LIST_FAMILY, key, value);
163 if (LOG.isDebugEnabled()) {
164 LOG.debug("Writing permission with rowKey "+
165 Bytes.toString(rowKey)+" "+
166 Bytes.toString(key)+": "+Bytes.toStringBinary(value)
167 );
168 }
169 HTable acls = null;
170 try {
171 acls = new HTable(conf, ACL_TABLE_NAME);
172 acls.put(p);
173 } finally {
174 if (acls != null) acls.close();
175 }
176 }
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191 static void removeUserPermission(Configuration conf, UserPermission userPerm)
192 throws IOException {
193 Delete d = new Delete(userPermissionRowKey(userPerm));
194 byte[] key = userPermissionKey(userPerm);
195
196 if (LOG.isDebugEnabled()) {
197 LOG.debug("Removing permission "+ userPerm.toString());
198 }
199 d.deleteColumns(ACL_LIST_FAMILY, key);
200 HTable acls = null;
201 try {
202 acls = new HTable(conf, ACL_TABLE_NAME);
203 acls.delete(d);
204 } finally {
205 if (acls != null) acls.close();
206 }
207 }
208
209
210
211
212 static void removeTablePermissions(Configuration conf, TableName tableName)
213 throws IOException{
214 Delete d = new Delete(tableName.getName());
215
216 if (LOG.isDebugEnabled()) {
217 LOG.debug("Removing permissions of removed table "+ tableName);
218 }
219
220 HTable acls = null;
221 try {
222 acls = new HTable(conf, ACL_TABLE_NAME);
223 acls.delete(d);
224 } finally {
225 if (acls != null) acls.close();
226 }
227 }
228
229
230
231
232 static void removeNamespacePermissions(Configuration conf, String namespace)
233 throws IOException{
234 Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
235
236 if (LOG.isDebugEnabled()) {
237 LOG.debug("Removing permissions of removed namespace "+ namespace);
238 }
239
240 HTable acls = null;
241 try {
242 acls = new HTable(conf, ACL_TABLE_NAME);
243 acls.delete(d);
244 } finally {
245 if (acls != null) acls.close();
246 }
247 }
248
249
250
251
252 static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column)
253 throws IOException{
254
255 if (LOG.isDebugEnabled()) {
256 LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
257 " from table "+ tableName);
258 }
259
260 HTable acls = null;
261 try {
262 acls = new HTable(conf, ACL_TABLE_NAME);
263
264 Scan scan = new Scan();
265 scan.addFamily(ACL_LIST_FAMILY);
266
267 String columnName = Bytes.toString(column);
268 scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator(
269 String.format("(%s%s%s)|(%s%s)$",
270 ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
271 ACL_KEY_DELIMITER, columnName))));
272
273 Set<byte[]> qualifierSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
274 ResultScanner scanner = acls.getScanner(scan);
275 try {
276 for (Result res : scanner) {
277 for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
278 qualifierSet.add(q);
279 }
280 }
281 } finally {
282 scanner.close();
283 }
284
285 if (qualifierSet.size() > 0) {
286 Delete d = new Delete(tableName.getName());
287 for (byte[] qualifier : qualifierSet) {
288 d.deleteColumns(ACL_LIST_FAMILY, qualifier);
289 }
290 acls.delete(d);
291 }
292 } finally {
293 if (acls != null) acls.close();
294 }
295 }
296
297 static byte[] userPermissionRowKey(UserPermission userPerm) {
298 byte[] row;
299 if(userPerm.hasNamespace()) {
300 row = Bytes.toBytes(toNamespaceEntry(userPerm.getNamespace()));
301 } else if(userPerm.isGlobal()) {
302 row = ACL_GLOBAL_NAME;
303 } else {
304 row = userPerm.getTableName().getName();
305 }
306 return row;
307 }
308
309
310
311
312
313
314
315 static byte[] userPermissionKey(UserPermission userPerm) {
316 byte[] qualifier = userPerm.getQualifier();
317 byte[] family = userPerm.getFamily();
318 byte[] key = userPerm.getUser();
319
320 if (family != null && family.length > 0) {
321 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
322 if (qualifier != null && qualifier.length > 0) {
323 key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
324 }
325 }
326
327 return key;
328 }
329
330
331
332
333
334 static boolean isAclRegion(HRegion region) {
335 return ACL_TABLE_NAME.equals(region.getTableDesc().getTableName());
336 }
337
338
339
340
341 static boolean isAclTable(HTableDescriptor desc) {
342 return ACL_TABLE_NAME.equals(desc.getTableName());
343 }
344
345
346
347
348
349
350
351
352
353 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
354 HRegion aclRegion)
355 throws IOException {
356
357 if (!isAclRegion(aclRegion)) {
358 throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
359 }
360
361 Map<byte[], ListMultimap<String, TablePermission>> allPerms =
362 new TreeMap<byte[], ListMultimap<String, TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
363
364
365
366 Scan scan = new Scan();
367 scan.addFamily(ACL_LIST_FAMILY);
368
369 InternalScanner iScanner = null;
370 try {
371 iScanner = aclRegion.getScanner(scan);
372
373 while (true) {
374 List<Cell> row = new ArrayList<Cell>();
375
376 boolean hasNext = iScanner.next(row);
377 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
378 byte[] entry = null;
379 for (Cell kv : row) {
380 if (entry == null) {
381 entry = CellUtil.cloneRow(kv);
382 }
383 Pair<String,TablePermission> permissionsOfUserOnTable =
384 parsePermissionRecord(entry, kv);
385 if (permissionsOfUserOnTable != null) {
386 String username = permissionsOfUserOnTable.getFirst();
387 TablePermission permissions = permissionsOfUserOnTable.getSecond();
388 perms.put(username, permissions);
389 }
390 }
391 if (entry != null) {
392 allPerms.put(entry, perms);
393 }
394 if (!hasNext) {
395 break;
396 }
397 }
398 } finally {
399 if (iScanner != null) {
400 iScanner.close();
401 }
402 }
403
404 return allPerms;
405 }
406
407
408
409
410
411 static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
412 Configuration conf) throws IOException {
413 Map<byte[], ListMultimap<String,TablePermission>> allPerms =
414 new TreeMap<byte[], ListMultimap<String,TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
415
416
417
418 Scan scan = new Scan();
419 scan.addFamily(ACL_LIST_FAMILY);
420
421 HTable acls = null;
422 ResultScanner scanner = null;
423 try {
424 acls = new HTable(conf, ACL_TABLE_NAME);
425 scanner = acls.getScanner(scan);
426 for (Result row : scanner) {
427 ListMultimap<String,TablePermission> resultPerms =
428 parsePermissions(row.getRow(), row);
429 allPerms.put(row.getRow(), resultPerms);
430 }
431 } finally {
432 if (scanner != null) scanner.close();
433 if (acls != null) acls.close();
434 }
435
436 return allPerms;
437 }
438
439 static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
440 TableName tableName) throws IOException {
441 return getPermissions(conf, tableName != null ? tableName.getName() : null);
442 }
443
444 static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
445 String namespace) throws IOException {
446 return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
447 }
448
449
450
451
452
453
454
455
456
457
458 static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
459 byte[] entryName) throws IOException {
460 if (entryName == null) entryName = ACL_GLOBAL_NAME;
461
462
463 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
464 HTable acls = null;
465 try {
466 acls = new HTable(conf, ACL_TABLE_NAME);
467 Get get = new Get(entryName);
468 get.addFamily(ACL_LIST_FAMILY);
469 Result row = acls.get(get);
470 if (!row.isEmpty()) {
471 perms = parsePermissions(entryName, row);
472 } else {
473 LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
474 + Bytes.toString(entryName));
475 }
476 } finally {
477 if (acls != null) acls.close();
478 }
479
480 return perms;
481 }
482
483
484
485
486
487 static List<UserPermission> getUserTablePermissions(
488 Configuration conf, TableName tableName) throws IOException {
489 return getUserPermissions(conf, tableName == null ? null : tableName.getName());
490 }
491
492 static List<UserPermission> getUserNamespacePermissions(
493 Configuration conf, String namespace) throws IOException {
494 return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
495 }
496
497 static List<UserPermission> getUserPermissions(
498 Configuration conf, byte[] entryName)
499 throws IOException {
500 ListMultimap<String,TablePermission> allPerms = getPermissions(
501 conf, entryName);
502
503 List<UserPermission> perms = new ArrayList<UserPermission>();
504
505 for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
506 UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
507 entry.getValue().getTableName(), entry.getValue().getFamily(),
508 entry.getValue().getQualifier(), entry.getValue().getActions());
509 perms.add(up);
510 }
511 return perms;
512 }
513
514 private static ListMultimap<String, TablePermission> parsePermissions(
515 byte[] entryName, Result result) {
516 ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
517 if (result != null && result.size() > 0) {
518 for (Cell kv : result.rawCells()) {
519
520 Pair<String,TablePermission> permissionsOfUserOnTable =
521 parsePermissionRecord(entryName, kv);
522
523 if (permissionsOfUserOnTable != null) {
524 String username = permissionsOfUserOnTable.getFirst();
525 TablePermission permissions = permissionsOfUserOnTable.getSecond();
526 perms.put(username, permissions);
527 }
528 }
529 }
530 return perms;
531 }
532
533 private static Pair<String, TablePermission> parsePermissionRecord(
534 byte[] entryName, Cell kv) {
535
536 byte[] family = CellUtil.cloneFamily(kv);
537
538 if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
539 return null;
540 }
541
542 byte[] key = CellUtil.cloneQualifier(kv);
543 byte[] value = CellUtil.cloneValue(kv);
544 if (LOG.isDebugEnabled()) {
545 LOG.debug("Read acl: kv ["+
546 Bytes.toStringBinary(key)+": "+
547 Bytes.toStringBinary(value)+"]");
548 }
549
550
551
552 String username = Bytes.toString(key);
553
554
555 if(isNamespaceEntry(entryName)) {
556 return new Pair<String, TablePermission>(username,
557 new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
558 }
559
560
561
562 int idx = username.indexOf(ACL_KEY_DELIMITER);
563 byte[] permFamily = null;
564 byte[] permQualifier = null;
565 if (idx > 0 && idx < username.length()-1) {
566 String remainder = username.substring(idx+1);
567 username = username.substring(0, idx);
568 idx = remainder.indexOf(ACL_KEY_DELIMITER);
569 if (idx > 0 && idx < remainder.length()-1) {
570 permFamily = Bytes.toBytes(remainder.substring(0, idx));
571 permQualifier = Bytes.toBytes(remainder.substring(idx+1));
572 } else {
573 permFamily = Bytes.toBytes(remainder);
574 }
575 }
576
577 return new Pair<String,TablePermission>(username,
578 new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
579 }
580
581
582
583
584
585
586
587 public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
588 Configuration conf) {
589 return ProtobufUtil.prependPBMagic(ProtobufUtil.toUserTablePermissions(perms).toByteArray());
590 }
591
592
593
594
595
596 public static ListMultimap<String, TablePermission> readPermissions(byte[] data,
597 Configuration conf)
598 throws DeserializationException {
599 if (ProtobufUtil.isPBMagicPrefix(data)) {
600 int pblen = ProtobufUtil.lengthOfPBMagic();
601 try {
602 AccessControlProtos.UsersAndPermissions perms =
603 AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
604 data, pblen, data.length - pblen).build();
605 return ProtobufUtil.toUserTablePermissions(perms);
606 } catch (InvalidProtocolBufferException e) {
607 throw new DeserializationException(e);
608 }
609 } else {
610 ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
611 try {
612 DataInput in = new DataInputStream(new ByteArrayInputStream(data));
613 int length = in.readInt();
614 for (int i=0; i<length; i++) {
615 String user = Text.readString(in);
616 List<TablePermission> userPerms =
617 (List)HbaseObjectWritableFor96Migration.readObject(in, conf);
618 perms.putAll(user, userPerms);
619 }
620 } catch (IOException e) {
621 throw new DeserializationException(e);
622 }
623 return perms;
624 }
625 }
626
627
628
629
630
631
632 public static boolean isGroupPrincipal(String name) {
633 return name != null && name.startsWith(GROUP_PREFIX);
634 }
635
636
637
638
639
640 public static String getGroupName(String aclKey) {
641 if (!isGroupPrincipal(aclKey)) {
642 return aclKey;
643 }
644
645 return aclKey.substring(GROUP_PREFIX.length());
646 }
647
648
649
650
651 public static String toGroupEntry(String name) {
652 return GROUP_PREFIX + name;
653 }
654
655 public static boolean isNamespaceEntry(String entryName) {
656 return entryName.charAt(0) == NAMESPACE_PREFIX;
657 }
658
659 public static boolean isNamespaceEntry(byte[] entryName) {
660 return entryName[0] == NAMESPACE_PREFIX;
661 }
662
663 public static String toNamespaceEntry(String namespace) {
664 return NAMESPACE_PREFIX + namespace;
665 }
666
667 public static String fromNamespaceEntry(String namespace) {
668 if(namespace.charAt(0) != NAMESPACE_PREFIX)
669 throw new IllegalArgumentException("Argument is not a valid namespace entry");
670 return namespace.substring(1);
671 }
672
673 public static byte[] toNamespaceEntry(byte[] namespace) {
674 byte[] ret = new byte[namespace.length+1];
675 ret[0] = NAMESPACE_PREFIX;
676 System.arraycopy(namespace, 0, ret, 1, namespace.length);
677 return ret;
678 }
679
680 public static byte[] fromNamespaceEntry(byte[] namespace) {
681 if(namespace[0] != NAMESPACE_PREFIX) {
682 throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
683 Bytes.toString(namespace));
684 }
685 return Arrays.copyOfRange(namespace, 1, namespace.length);
686 }
687
688 public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
689 throws IOException {
690
691 if (cell.getTagsLengthUnsigned() == 0) {
692 return null;
693 }
694 List<Permission> results = Lists.newArrayList();
695 Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),
696 cell.getTagsLengthUnsigned());
697 while (tagsIterator.hasNext()) {
698 Tag tag = tagsIterator.next();
699 if (tag.getType() == ACL_TAG_TYPE) {
700
701 ListMultimap<String,Permission> kvPerms = ProtobufUtil.toUsersAndPermissions(
702 AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
703 tag.getBuffer(), tag.getTagOffset(), tag.getTagLength()).build());
704
705 List<Permission> userPerms = kvPerms.get(user.getShortName());
706 if (userPerms != null) {
707 results.addAll(userPerms);
708 }
709
710 String groupNames[] = user.getGroupNames();
711 if (groupNames != null) {
712 for (String group : groupNames) {
713 List<Permission> groupPerms = kvPerms.get(GROUP_PREFIX + group);
714 if (results != null) {
715 results.addAll(groupPerms);
716 }
717 }
718 }
719 }
720 }
721 return results;
722 }
723 }