/**
 * Creates a client bound to the principal named in {@code config}.
 *
 * <p>The principal's scan authorizations are looked up exactly once here and kept in
 * {@code auths}; authorizations changed on the server after construction are not
 * visible until a new client is built. NOTE(review): confirm callers expect this snapshot.
 *
 * @param connector    connector for the configured principal
 * @param config       connector configuration; only {@code getUsername()} is read here
 * @param metaManager  ZooKeeper-backed metadata manager
 * @param tableManager Accumulo table manager
 * @param indexLookup  secondary-index lookup helper
 * @throws AccumuloException         if the authorization lookup fails
 * @throws AccumuloSecurityException if the principal may not read its own authorizations
 */
@Inject
public AccumuloClient(
        Connector connector,
        AccumuloConfig config,
        ZooKeeperMetadataManager metaManager,
        AccumuloTableManager tableManager,
        IndexLookup indexLookup)
        throws AccumuloException, AccumuloSecurityException
{
    // Null checks run in parameter order so the failing argument is reported precisely.
    this.connector = requireNonNull(connector, "connector is null");
    AccumuloConfig checkedConfig = requireNonNull(config, "config is null");
    this.username = checkedConfig.getUsername();
    this.metaManager = requireNonNull(metaManager, "metaManager is null");
    this.tableManager = requireNonNull(tableManager, "tableManager is null");
    this.indexLookup = requireNonNull(indexLookup, "indexLookup is null");
    // Snapshot of the principal's authorizations, taken at construction time.
    this.auths = this.connector.securityOperations().getUserAuthorizations(this.username);
}
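/**
 * Adds record-level (scan) authorizations to a user, keeping the ones it already holds.
 *
 * <p>The new set is the union of the user's current authorizations and the comma-separated
 * list given on the command line. Without {@code -u} the shell's own principal is modified.
 *
 * @return 0 on success
 * @throws AccumuloException         on a general Accumulo failure
 * @throws AccumuloSecurityException if the caller may not read or change the user's auths
 */
@Override
public int execute(final String fullCommand, final CommandLine cl, final Shell shellState)
    throws AccumuloException, AccumuloSecurityException {
  final String user = cl.getOptionValue(userOpt.getOpt(), shellState.getAccumuloClient().whoami());
  final String scanOpts = cl.getOptionValue(scanOptAuths.getOpt());
  Authorizations auths = shellState.getAccumuloClient().securityOperations()
      .getUserAuthorizations(user);
  StringBuilder userAuths = new StringBuilder();
  if (!auths.isEmpty()) {
    userAuths.append(auths);
  }
  // Join with a comma only when both sides carry something. Appending an absent option value
  // unconditionally would have produced the literal token "null" as an authorization.
  if (scanOpts != null && !scanOpts.isEmpty()) {
    if (userAuths.length() > 0) {
      userAuths.append(",");
    }
    userAuths.append(scanOpts);
  }
  shellState.getAccumuloClient().securityOperations().changeUserAuthorizations(user,
      ScanCommand.parseAuthorizations(userAuths.toString()));
  Shell.log.debug("Changed record-level authorizations for user " + user);
  return 0;
}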
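/**
 * Writes a shell script that recreates {@code user}: the user itself, its authorizations,
 * and every system, namespace and table permission it currently holds.
 *
 * @param accumuloClient  client used to read the user's permissions
 * @param user            principal to dump
 * @param outputDirectory directory receiving the {@code user + USER_FILE_SUFFIX} script
 * @throws IOException               if the script cannot be written
 * @throws AccumuloException         on a general Accumulo failure
 * @throws AccumuloSecurityException if the caller may not inspect {@code user}
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN",
    justification = "code runs in same security context as user who provided input")
private static void printUserConfiguration(AccumuloClient accumuloClient, String user,
    File outputDirectory) throws IOException, AccumuloException, AccumuloSecurityException {
  File userScript = new File(outputDirectory, user + USER_FILE_SUFFIX);
  // try-with-resources: previously the writer stayed open when any permission lookup
  // below threw, leaking the handle and leaving a half-written script on disk.
  try (FileWriter userWriter = new FileWriter(userScript)) {
    userWriter.write(createUserFormat.format(new String[] {user}));
    Authorizations auths = accumuloClient.securityOperations().getUserAuthorizations(user);
    userWriter.write(userAuthsFormat.format(new String[] {user, auths.toString()}));
    // System-wide permissions.
    for (SystemPermission sp : SystemPermission.values()) {
      if (accumuloClient.securityOperations().hasSystemPermission(user, sp)) {
        userWriter.write(sysPermFormat.format(new String[] {sp.name(), user}));
      }
    }
    // Per-namespace permissions.
    for (String namespace : accumuloClient.namespaceOperations().list()) {
      for (NamespacePermission np : NamespacePermission.values()) {
        if (accumuloClient.securityOperations().hasNamespacePermission(user, namespace, np)) {
          userWriter.write(nsPermFormat.format(new String[] {np.name(), namespace, user}));
        }
      }
    }
    // Per-table permissions.
    for (String tableName : accumuloClient.tableOperations().list()) {
      for (TablePermission perm : TablePermission.values()) {
        if (accumuloClient.securityOperations().hasTablePermission(user, tableName, perm)) {
          userWriter.write(tablePermFormat.format(new String[] {perm.name(), tableName, user}));
        }
      }
    }
  }
}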
password = pair.getSecond(); SecurityOperations security = cache.getInstance().getConnector(user, password).securityOperations(); Set<String> users = security.listLocalUsers(); if (!users.contains(conf.getUsername())) { security.createLocalUser(conf.getUsername(), new PasswordToken(conf.getPassword())); security.changeUserAuthorizations(conf.getUsername(), c.securityOperations().getUserAuthorizations(conf.getUsername())); } else { PasswordToken newPassword = new PasswordToken(conf.getPassword()); security.changeLocalUserPassword(conf.getUsername(), newPassword);
/**
 * Replaces a user's record-level (scan) authorizations.
 *
 * <p>With the clear option every authorization is dropped; otherwise the comma-separated
 * list from the scan-auths option becomes the user's complete set. Nothing is merged with
 * the user's current authorizations. Without {@code -u} the shell's own principal is changed.
 *
 * @return 0 on success
 * @throws AccumuloException         on a general Accumulo failure
 * @throws AccumuloSecurityException if the caller may not change the user's auths
 */
@Override
public int execute(final String fullCommand, final CommandLine cl, final Shell shellState)
    throws AccumuloException, AccumuloSecurityException {
  final String user = cl.getOptionValue(userOpt.getOpt(), shellState.getAccumuloClient().whoami());
  final String scanOpts;
  if (cl.hasOption(clearOptAuths.getOpt())) {
    // Clearing: no authorization string is handed on to the parser.
    scanOpts = null;
  } else {
    scanOpts = cl.getOptionValue(scanOptAuths.getOpt());
  }
  final Authorizations newAuths = ScanCommand.parseAuthorizations(scanOpts);
  shellState.getAccumuloClient().securityOperations().changeUserAuthorizations(user, newAuths);
  Shell.log.debug("Changed record-level authorizations for user " + user);
  return 0;
}
/**
 * Prepares a fresh table and a dedicated test user holding READ and WRITE on it, plus the
 * authorizations from {@code AuthsIterator.AUTHS}.
 *
 * <p>On a SASL (Kerberos) cluster the user is created without a password token; any
 * pre-existing local user of the same name is dropped first so the test starts clean.
 */
@Before
public void setup() throws Exception {
  connector = getConnector();
  tableName = getUniqueNames(1)[0];
  connector.tableOperations().create(tableName);
  ClientConfiguration cfg = cluster.getClientConfig();
  ClusterUser testUser = getUser(0);
  user = testUser.getPrincipal();
  // Kerberos clusters authenticate out of band, so no password token is stored.
  saslEnabled = cfg.hasSasl();
  PasswordToken token = saslEnabled ? null : new PasswordToken(testUser.getPassword());
  boolean alreadyExists = connector.securityOperations().listLocalUsers().contains(user);
  if (alreadyExists) {
    log.info("Dropping {}", user);
    connector.securityOperations().dropLocalUser(user);
  }
  connector.securityOperations().createLocalUser(user, token);
  connector.securityOperations().grantTablePermission(user, tableName, TablePermission.READ);
  connector.securityOperations().grantTablePermission(user, tableName, TablePermission.WRITE);
  connector.securityOperations().changeUserAuthorizations(user, AuthsIterator.AUTHS);
}
for (SystemPermission p : SystemPermission.values()) { if (p != null && shellState.getAccumuloClient().securityOperations().hasSystemPermission(user, p)) { shellState.getReader().print(delim + "System." + p.name()); delim = ", "; for (NamespacePermission p : NamespacePermission.values()) { if (p != null && shellState.getAccumuloClient().securityOperations() .hasNamespacePermission(user, n, p)) { if (runOnce) { shellState.getReader().print("\nNamespace permissions (" + n + "): "); delim = ""; for (TablePermission p : TablePermission.values()) { if (shellState.getAccumuloClient().securityOperations().hasTablePermission(user, t, p) && p != null) { if (runOnce) {
/**
 * Creates the fixture users for visibility tests on one PCJ table.
 *
 * <p>{@code root} is given every label used by the fixture; each other user is created with
 * the shared password, a subset of labels, and READ on the PCJ table. {@code noAuth} has an
 * empty authorization set and so should see no rows despite its table permission.
 *
 * @param accumuloConn    connection used to change security settings
 * @param ryaInstanceName Rya instance owning the PCJ
 * @param pcjId           PCJ identifier; together with the instance name it names the table
 * @throws AccumuloException         on a general Accumulo failure
 * @throws AccumuloSecurityException if the connection may not manage users
 */
private void setupTestUsers(final Connector accumuloConn, final String ryaInstanceName,
    final String pcjId) throws AccumuloException, AccumuloSecurityException {
  final PasswordToken sharedPassword = new PasswordToken("password");
  final SecurityOperations secOps = accumuloConn.securityOperations();
  // The PCJ table name is needed to grant table-level READ to each user.
  final String pcjTableName = new PcjTableNameFactory().makeTableName(ryaInstanceName, pcjId);

  // Give the 'root' user authorizations to see everything.
  secOps.changeUserAuthorizations("root", new Authorizations("A", "B", "C", "D", "E"));

  // Users are created in a fixed order, each seeing a different subset of labels.
  createReadOnlyUser(secOps, "abUser", sharedPassword, pcjTableName,
      new Authorizations("A", "B"));
  createReadOnlyUser(secOps, "abcUser", sharedPassword, pcjTableName,
      new Authorizations("A", "B", "C"));
  createReadOnlyUser(secOps, "adeUser", sharedPassword, pcjTableName,
      new Authorizations("A", "D", "E"));
  // A user that can't see anything.
  createReadOnlyUser(secOps, "noAuth", sharedPassword, pcjTableName, new Authorizations());
}

/**
 * Creates {@code name}, assigns it {@code auths} and grants it READ on {@code tableName}.
 */
private static void createReadOnlyUser(final SecurityOperations secOps, final String name,
    final PasswordToken pass, final String tableName, final Authorizations auths)
    throws AccumuloException, AccumuloSecurityException {
  secOps.createLocalUser(name, pass);
  secOps.changeUserAuthorizations(name, auths);
  secOps.grantTablePermission(name, tableName, TablePermission.READ);
}
/**
 * Randomly grants one table permission the user lacks or revokes one it holds.
 *
 * <p>A coin flip chooses between granting and revoking; the grant branch is only taken when
 * some permission is still missing, and the revoke branch does nothing when the user holds
 * none. Exactly one {@code nextBoolean()} and at most one {@code nextInt()} are drawn from
 * {@code rand}, so the random-walk sequence stays reproducible.
 *
 * @param conn      connection used to inspect and change permissions
 * @param rand      source of randomness for the walk
 * @param userName  principal whose permissions change
 * @param tableName table the permission applies to
 * @throws AccumuloException         on a general Accumulo failure
 * @throws AccumuloSecurityException if the connection may not change permissions
 */
private void changeTablePermission(Connector conn, Random rand, String userName,
    String tableName) throws AccumuloException, AccumuloSecurityException {
  // Partition all table permissions into those the user holds and those it lacks.
  EnumSet<TablePermission> held = EnumSet.noneOf(TablePermission.class);
  EnumSet<TablePermission> missing = EnumSet.noneOf(TablePermission.class);
  for (TablePermission p : TablePermission.values()) {
    if (conn.securityOperations().hasTablePermission(userName, tableName, p)) {
      held.add(p);
    } else {
      missing.add(p);
    }
  }
  // Draw the coin before looking at the sets so the random stream is consumed identically.
  boolean tryGrant = rand.nextBoolean();
  if (tryGrant && !missing.isEmpty()) {
    List<TablePermission> candidates = new ArrayList<>(missing);
    TablePermission choice = candidates.get(rand.nextInt(candidates.size()));
    log.debug("adding permission " + choice);
    conn.securityOperations().grantTablePermission(userName, tableName, choice);
  } else if (!held.isEmpty()) {
    List<TablePermission> candidates = new ArrayList<>(held);
    TablePermission choice = candidates.get(rand.nextInt(candidates.size()));
    log.debug("removing permission " + choice);
    conn.securityOperations().revokeTablePermission(userName, tableName, choice);
  }
}
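/**
 * Verifies that the job carries connector info and that the configured principal
 * authenticates against Accumulo before any output is written.
 *
 * <p>Only authentication is checked here; table-level WRITE permission is not verified
 * at this point.
 *
 * @param job the job whose output configuration is validated
 * @throws IOException if connector info is missing, authentication fails, or Accumulo
 *                     reports an error while authenticating
 */
@Override
public void checkOutputSpecs(JobContext job) throws IOException {
  if (!isConnectorInfoSet(job)) {
    throw new IOException("Connector info has not been set.");
  }
  String principal = getPrincipal(job);
  AuthenticationToken token = getAuthenticationToken(job);
  // try-with-resources: the client was previously never closed, leaking its connection
  // resources for every call of this check.
  try (AccumuloClient c = OutputConfigurator.client(CLASS, job.getConfiguration())) {
    if (!c.securityOperations().authenticateUser(principal, token)) {
      throw new IOException("Unable to authenticate user");
    }
  } catch (AccumuloException | AccumuloSecurityException e) {
    throw new IOException(e);
  }
}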
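/**
 * Grants {@code user} the table permission named by {@code permission[1]} on
 * {@code tableName}.
 *
 * @param shellState shell providing the Accumulo client
 * @param tableName  table receiving the grant
 * @throws IllegalArgumentException if {@code permission[1]} is not a {@link TablePermission}
 * @throws Exception                if the grant itself fails
 */
@Override
protected void doTableOp(final Shell shellState, final String tableName) throws Exception {
  // Resolve the permission name on its own so only a bad name is reported as
  // "No such table permission"; previously any IllegalArgumentException raised by the
  // grant call itself was relabelled with that misleading message.
  final TablePermission tablePermission;
  try {
    tablePermission = TablePermission.valueOf(permission[1]);
  } catch (IllegalArgumentException e) {
    throw new IllegalArgumentException("No such table permission", e);
  }
  shellState.getAccumuloClient().securityOperations().grantTablePermission(user, tableName,
      tablePermission);
  Shell.log
      .debug("Granted " + user + " the " + permission[1] + " permission on table " + tableName);
}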
/**
 * Runs as the Kerberos root principal: creates {@code table} and gives
 * {@code qualifiedUser1} READ, WRITE, ALTER_TABLE and DROP_TABLE on it plus the
 * authorization {@code viz}.
 *
 * @return always {@code null}
 * @throws Exception if table creation or any grant fails
 */
@Override
public Void run() throws Exception {
  Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
  conn.tableOperations().create(table);
  // Give our unprivileged user permission on the table we made for them
  conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.READ);
  conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.WRITE);
  conn.securityOperations().grantTablePermission(qualifiedUser1, table,
      TablePermission.ALTER_TABLE);
  conn.securityOperations().grantTablePermission(qualifiedUser1, table,
      TablePermission.DROP_TABLE);
  // Scan authorization needed to read rows written with visibility `viz`.
  conn.securityOperations().changeUserAuthorizations(qualifiedUser1, new Authorizations(viz));
  return null;
} });
if (!client.securityOperations().hasTablePermission(principal, tableConfig.getKey(), TablePermission.READ)) throw new IOException("Unable to access table");
if (!conn.securityOperations().hasSystemPermission(conn.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN)) { log.error( return conn.securityOperations().getDelegationToken(new DelegationTokenConfig()); } catch (Exception e) { final String msg = "Failed to acquire DelegationToken for use with MapReduce";
c.securityOperations().createLocalUser(principal, passwordToken); loginAs(testUser); Connector test_user_conn = c.getInstance().getConnector(principal, token); testMissingTablePermission(test_user_conn, testUser, perm, tableName); loginAs(rootUser); c.securityOperations().grantTablePermission(principal, tableName, perm); verifyHasOnlyTheseTablePermissions(c, principal, tableName, perm); loginAs(testUser); c.securityOperations().revokeTablePermission(principal, tableName, perm); verifyHasNoTablePermissions(c, principal, tableName, perm);
/**
 * Ensures {@code root} can write the metadata table before the test runs, remembering in
 * {@code rootHasWritePermission} whether the permission was already present so it can be
 * restored afterwards.
 */
@Before
public void setupMetadataPermission() throws Exception {
  Connector conn = getConnector();
  rootHasWritePermission = conn.securityOperations().hasTablePermission("root",
      MetadataTable.NAME, TablePermission.WRITE);
  if (rootHasWritePermission) {
    return;
  }
  conn.securityOperations().grantTablePermission("root", MetadataTable.NAME,
      TablePermission.WRITE);
  // Make sure it propagates through ZK
  Thread.sleep(5000);
}
/**
 * Makes sure the first cluster user exists as a local Accumulo user.
 *
 * <p>Records {@code inst}, {@code username} and {@code saslEnabled} for the test. On a
 * non-SASL cluster the user's password is also kept in {@code password} and used as the
 * token; on a SASL cluster the user is created without a token.
 */
@Before
public void createLocalUser() throws AccumuloException, AccumuloSecurityException {
  Connector conn = getConnector();
  inst = conn.getInstance();
  ClientConfiguration clientConf = cluster.getClientConfig();
  ClusterUser user = getUser(0);
  username = user.getPrincipal();
  saslEnabled = clientConf.hasSasl();
  // Nothing to do when the user already exists.
  if (conn.securityOperations().listLocalUsers().contains(username)) {
    return;
  }
  PasswordToken passwdToken = null;
  if (!saslEnabled) {
    password = user.getPassword();
    passwdToken = new PasswordToken(password);
  }
  conn.securityOperations().createLocalUser(username, passwdToken);
}
shellState.getAccumuloClient().securityOperations().createLocalUser(user, passwordToken); Shell.log.debug("Created user " + user); return 0;
/**
 * Runs as the Kerberos root principal and asserts that it holds every
 * {@link SystemPermission} and ALTER_TABLE on the root and metadata tables.
 *
 * @return always {@code null}
 * @throws Exception if connecting or a permission lookup fails
 */
@Override
public Void run() throws Exception {
  final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
  // The "root" user should have all system permissions
  for (SystemPermission perm : SystemPermission.values()) {
    assertTrue("Expected user to have permission: " + perm,
        conn.securityOperations().hasSystemPermission(conn.whoami(), perm));
  }
  // and the ability to modify the root and metadata tables
  for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) {
    assertTrue(conn.securityOperations().hasTablePermission(conn.whoami(), table,
        TablePermission.ALTER_TABLE));
  }
  return null;
} });
/**
 * Reports whether {@code user} may read {@code table}.
 *
 * <p>Access is granted when the user holds table-level READ, or failing that, namespace-level
 * READ looked up with the same string. Any Accumulo error during the lookup denies access
 * (fail closed).
 *
 * <p>NOTE(review): {@code table} is also passed where a <em>namespace</em> name is expected.
 * If callers only ever pass table names, a READ grant on the table's namespace cannot match
 * here — confirm which name callers supply.
 *
 * @param connector connection used for the permission lookups
 * @param user      principal being checked
 * @param table     name handed to both the table and the namespace permission check
 * @return {@code true} when either READ permission is present and no error occurred
 */
private boolean checkAccess(final Connector connector, final String user, final String table) {
  try {
    final boolean tableRead =
        connector.securityOperations().hasTablePermission(user, table, TablePermission.READ);
    if (tableRead) {
      return true;
    }
    return connector.securityOperations().hasNamespacePermission(user, table,
        NamespacePermission.READ);
  } catch (final AccumuloException | AccumuloSecurityException e) {
    // Fail closed: an error while asking about permissions is treated as no access.
    return false;
  }
}