/**
 * Registers the active user's short name as the owner of a newly opened scanner.
 *
 * <p>No entry is written to {@code scannerOwners} when there is no active user or the user has no
 * short name.
 * NOTE(review): code that later reads {@code scannerOwners} should treat a missing entry as
 * "not the owner" rather than as "no restriction" - confirm against the reader.
 *
 * @param c the observer context (not read by this method)
 * @param scan the scan that was opened (not read by this method)
 * @param s the scanner that was opened
 * @return {@code s}, unchanged
 * @throws IOException declared by the overridden method
 */
@Override
public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,
    final Scan scan, final RegionScanner s) throws IOException {
  final User activeUser = VisibilityUtils.getActiveUser();
  final String ownerName = (activeUser == null) ? null : activeUser.getShortName();
  if (ownerName != null) {
    scannerOwners.put(s, ownerName);
  }
  return s;
}
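/**
 * Checks whether the user is the owner of the given table snapshot.
 *
 * <p>The check fails closed: a {@code null} user, a user without a short name, or a snapshot
 * without an owner field all yield {@code false}.
 *
 * @param snapshot the table snapshot description
 * @param user the user
 * @return true if the user is the owner of the snapshot, false otherwise or if the snapshot owner
 *         field is not present
 */
public static boolean isSnapshotOwner(org.apache.hadoop.hbase.client.SnapshotDescription snapshot,
    User user) {
  if (user == null) {
    return false;
  }
  final String shortName = user.getShortName();
  // A user without a short name must not throw here, and must never match a snapshot whose owner
  // is also absent, so the comparison is null-guarded instead of using a null-tolerant equals.
  return shortName != null && shortName.equals(snapshot.getOwner());
}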
/**
 * Returns every label cached for the user and for the user's groups, ignoring the authorizations
 * carried by the request.
 *
 * @param user the user whose labels are looked up
 * @param authorizations the authorizations requested by the caller; only logged, never applied
 * @return the union of the user's and the user's groups' cached labels
 */
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  final String shortName = user.getShortName();
  if (authorizations != null) {
    // The requested authorizations are dropped on purpose; the result is built from the cache only.
    // NOTE(review): the message embeds request-supplied text verbatim - confirm the log sink
    // neutralizes line breaks.
    LOG.warn("Dropping authorizations requested by user " + shortName + ": " + authorizations);
  }
  final Set<String> granted = new HashSet<>();
  granted.addAll(this.labelsCache.getUserAuths(shortName));
  granted.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return new ArrayList<>(granted);
}
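/**
 * Rejects a visibility label that is not among the given authorization ordinals.
 *
 * @param auths ordinals of the labels the acting user is authorized for; {@code null} is treated
 *        as "no authorizations"
 * @param labelOrdinal ordinal of the label being checked
 * @param identifier the label's name, used only in the error message
 * @param checkAuths when false, the check is skipped entirely
 * @throws IOException an {@code AccessDeniedException} when the check is enabled and the label is
 *         not authorized
 */
private static void checkAuths(Set<Integer> auths, int labelOrdinal, String identifier,
    boolean checkAuths) throws IOException {
  if (!checkAuths) {
    return;
  }
  if (auths != null && auths.contains(labelOrdinal)) {
    return;
  }
  // Resolve the name defensively: if no active user can be determined, the caller must still get
  // the AccessDeniedException rather than a NullPointerException raised while building its message.
  final String userName = VisibilityUtils.getActiveUser() != null
      ? VisibilityUtils.getActiveUser().getShortName()
      : "UNKNOWN";
  throw new AccessDeniedException(
      "Visibility label " + identifier + " not authorized for the user " + userName);
}
} // closes the enclosing class, which opens outside this excerpt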
/**
 * Passes the requested labels, together with the labels cached for the user and the user's
 * groups, to {@code dropLabelsNotInUserAuths} and returns its result.
 *
 * <p>NOTE(review): the helper is not shown here; by its name it presumably removes requested
 * labels the user does not hold - confirm.
 *
 * @param user the user issuing the request
 * @param authorizations the authorizations requested by the caller; may be {@code null}
 * @return the helper's result, or {@code null} when no authorizations were requested
 */
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  if (authorizations == null) {
    return null;
  }
  final List<String> requested = authorizations.getLabels();
  final String shortName = user.getShortName();
  final Set<String> granted = new HashSet<>();
  granted.addAll(this.labelsCache.getUserAuths(shortName));
  granted.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return dropLabelsNotInUserAuths(requested, new ArrayList<>(granted), shortName);
}
/**
 * Returns the labels named in the request when it names any; otherwise returns every label cached
 * for the user and the user's groups.
 *
 * <p>Requested labels are returned as given: this method does not compare them with the labels
 * the user actually holds.
 * NOTE(review): confirm that another component filters the requested labels against the user's
 * authorizations before they are applied.
 *
 * @param user the user issuing the request
 * @param authorizations the authorizations requested by the caller; may be {@code null}
 * @return the requested labels, or the user's cached labels when none were requested
 */
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  if (authorizations != null && authorizations.getLabels() != null
      && !authorizations.getLabels().isEmpty()) {
    return authorizations.getLabels();
  }
  // Nothing was requested: fall back to everything the cache holds for this user.
  final String shortName = user.getShortName();
  final Set<String> granted = new HashSet<>();
  granted.addAll(this.labelsCache.getUserAuths(shortName));
  granted.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return new ArrayList<>(granted);
}
/**
 * Builds the tags for a visibility expression by delegating to
 * {@code VisibilityUtils.createVisibilityExpTags}.
 *
 * <p>When {@code checkAuths} is set, the label ordinals cached for the active user and the user's
 * groups are collected first and handed to the delegate; otherwise an empty set is passed.
 *
 * @param visExpression the visibility expression
 * @param withSerializationFormat forwarded unchanged to the delegate
 * @param checkAuths whether the active user's authorizations are collected and forwarded
 * @return the tags produced by the delegate
 * @throws IOException declared by the overridden method and the delegate
 */
@Override
public List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
    boolean checkAuths) throws IOException {
  final Set<Integer> authOrdinals = new HashSet<>();
  if (checkAuths) {
    // NOTE(review): the active user is dereferenced without a null check - confirm a user is
    // always resolvable on this path.
    final User caller = VisibilityUtils.getActiveUser();
    authOrdinals.addAll(this.labelsCache.getUserAuthsAsOrdinals(caller.getShortName()));
    authOrdinals.addAll(this.labelsCache.getGroupAuthsAsOrdinals(caller.getGroupNames()));
  }
  return VisibilityUtils.createVisibilityExpTags(visExpression, withSerializationFormat,
      checkAuths, authOrdinals, labelsCache);
}
/**
 * Writes one trace-level audit line describing an authorization decision.
 *
 * <p>Nothing is computed or written unless trace logging is enabled on {@code AUDITLOG}. A result
 * without a user is recorded as {@code UNKNOWN}, and a missing remote address as an empty string.
 * NOTE(review): the request and context fields may carry client-supplied text - confirm the audit
 * appender neutralizes line breaks.
 *
 * @param result the authorization result to record
 */
public static void logResult(AuthResult result) {
  if (!AUDITLOG.isTraceEnabled()) {
    return;
  }
  final String outcome;
  if (result.isAllowed()) {
    outcome = "allowed";
  } else {
    outcome = "denied";
  }
  final String userName =
      result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN";
  AUDITLOG.trace(
      "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {}",
      outcome,
      userName,
      result.getReason(),
      RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""),
      result.getRequest(),
      result.toContextString());
}
/**
 * Tells whether the user holds system-level authorization.
 *
 * <p>Superusers always qualify. Any other user qualifies only when {@code SYSTEM_LABEL} is among
 * the labels returned for the user or for the user's groups.
 *
 * @param user the user to check
 * @return true for a superuser or a holder of {@code SYSTEM_LABEL}, false otherwise
 * @throws IOException if looking up the user's or groups' labels fails
 */
@Override
public boolean havingSystemAuth(User user) throws IOException {
  if (!Superusers.isSuperUser(user)) {
    // The meaning of the trailing `true` flag is defined by getUserAuths/getGroupAuths, which are
    // not shown here.
    final Set<String> held = new HashSet<>();
    held.addAll(this.getUserAuths(Bytes.toBytes(user.getShortName()), true));
    held.addAll(this.getGroupAuths(user.getGroupNames(), true));
    return held.contains(SYSTEM_LABEL);
  }
  return true;
}
/**
 * Tries to set the TOPSECRET authorization for USER and returns the server's response.
 *
 * @return the response from {@code VisibilityClient.setAuths}, or {@code null} if anything was
 *         thrown
 */
@Override
public VisibilityLabelsResponse run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final String[] labels = { TOPSECRET };
    return VisibilityClient.setAuths(connection, labels, USER.getShortName());
  } catch (Throwable ignored) {
    // Every failure, including one raised while closing the connection, is swallowed and turns
    // into a null result.
    // NOTE(review): confirm the caller tells "request rejected" apart from "call never worked".
  }
  return null;
}
};
/**
 * Tries to set the TOPSECRET authorization for USER and returns the server's response.
 *
 * @return the response from {@code VisibilityClient.setAuths}, or {@code null} if anything was
 *         thrown
 */
@Override
public VisibilityLabelsResponse run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final String[] labels = { TOPSECRET };
    return VisibilityClient.setAuths(connection, labels, USER.getShortName());
  } catch (Throwable ignored) {
    // Every failure, including one raised while closing the connection, is swallowed and turns
    // into a null result.
    // NOTE(review): confirm the caller tells "request rejected" apart from "call never worked".
  }
  return null;
}
};
/**
 * Tries to set the CONFIDENTIAL, PRIVATE, SECRET and TOPSECRET authorizations for SUPERUSER and
 * returns the server's response.
 *
 * @return the response from {@code VisibilityClient.setAuths}, or {@code null} if anything was
 *         thrown
 */
@Override
public VisibilityLabelsResponse run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final String[] labels = { CONFIDENTIAL, PRIVATE, SECRET, TOPSECRET };
    return VisibilityClient.setAuths(connection, labels, SUPERUSER.getShortName());
  } catch (Throwable ignored) {
    // Every failure is swallowed and turns into a null result.
    // NOTE(review): if this call is test setup, a silent failure here would leave later
    // assertions running without the expected authorizations - confirm the result is checked.
  }
  return null;
}
};
/**
 * Sets the SECRET, CONFIDENTIAL, PRIVATE, PUBLIC and TOPSECRET authorizations for the current
 * user over the shared test connection.
 *
 * @throws IOException wrapping whatever the call throws
 */
private static void setAuths() throws IOException {
  final String[] granted = new String[] { SECRET, CONFIDENTIAL, PRIVATE, PUBLIC, TOPSECRET };
  try {
    VisibilityClient.setAuths(UTIL.getConnection(), granted, User.getCurrent().getShortName());
  } catch (Throwable cause) {
    // Rethrown with the original as cause so that a failed setup is not silently ignored.
    throw new IOException(cause);
  }
}
/**
 * Adds the SECRET and CONFIDENTIAL labels, then sets only the CONFIDENTIAL authorization for
 * TESTUSER.
 *
 * @return always {@code null}
 * @throws Exception an {@code IOException} wrapping whatever either call throws
 */
@Override
public Void run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final String[] definedLabels = { SECRET, CONFIDENTIAL };
    VisibilityClient.addLabels(connection, definedLabels);
    // TESTUSER receives CONFIDENTIAL only; SECRET is defined but not set for this user here.
    final String[] grantedLabels = { CONFIDENTIAL };
    VisibilityClient.setAuths(connection, grantedLabels, TESTUSER.getShortName());
  } catch (Throwable cause) {
    throw new IOException(cause);
  }
  return null;
}
});
/**
 * Adds the SECRET and CONFIDENTIAL labels, then sets only the CONFIDENTIAL authorization for
 * TESTUSER.
 *
 * @return always {@code null}
 * @throws Exception an {@code IOException} wrapping whatever either call throws
 */
@Override
public Void run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final String[] definedLabels = { SECRET, CONFIDENTIAL };
    VisibilityClient.addLabels(connection, definedLabels);
    // TESTUSER receives CONFIDENTIAL only; SECRET is defined but not set for this user here.
    final String[] grantedLabels = { CONFIDENTIAL };
    VisibilityClient.setAuths(connection, grantedLabels, TESTUSER.getShortName());
  } catch (Throwable cause) {
    throw new IOException(cause);
  }
  return null;
}
});
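/**
 * Sets the SECRET and CONFIDENTIAL authorizations for USER_RW and fails the test if the call
 * throws.
 *
 * @return always {@code null}
 */
@Override
public Void run() throws Exception {
  try (Connection conn = ConnectionFactory.createConnection(conf)) {
    VisibilityClient.setAuths(conn, new String[] { SECRET, CONFIDENTIAL },
        USER_RW.getShortName());
  } catch (Throwable t) {
    // Keep the original failure as the cause so the report shows why the call was refused
    // (for example an access-denied error) instead of only that it was.
    throw new AssertionError("Should not have failed", t);
  }
  return null;
}
});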
/**
 * Grants USER_GROUP_NS_ADMIN the READ action on TEST_NAMESPACE.
 *
 * @return always {@code null}
 */
@Override
public Object run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final UserPermission namespaceRead =
        new UserPermission(USER_GROUP_NS_ADMIN.getShortName(), TEST_NAMESPACE, Action.READ);
    // NOTE(review): the `false` flag presumably means the grant is not merged with the user's
    // existing permissions - confirm against Admin.grant.
    connection.getAdmin().grant(namespaceRead, false);
  }
  return null;
}
};
/**
 * Revokes USER_RO's READ permission on the TEST_FAMILY column family of TEST_TABLE.
 *
 * @return always {@code null}
 */
@Override
public Object run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final UserPermission familyRead = new UserPermission(USER_RO.getShortName(),
        new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ));
    // NOTE(review): the Admin returned by getAdmin() is not closed explicitly - confirm closing
    // the connection releases it.
    connection.getAdmin().revoke(familyRead);
  }
  return null;
}
};
/**
 * Revokes USER_GROUP_NS_ADMIN's READ permission on TEST_NAMESPACE.
 *
 * @return always {@code null}
 */
@Override
public Object run() throws Exception {
  try (Connection conn = ConnectionFactory.createConnection(conf)) {
    final UserPermission namespaceRead = new UserPermission(
        USER_GROUP_NS_ADMIN.getShortName(), new NamespacePermission(TEST_NAMESPACE, Action.READ));
    // NOTE(review): the Admin returned by getAdmin() is not closed explicitly - confirm closing
    // the connection releases it.
    conn.getAdmin().revoke(namespaceRead);
  }
  return null;
}
};
/**
 * Grants USER_RO the READ action on the TEST_FAMILY column family of TEST_TABLE.
 *
 * @return always {@code null}
 */
@Override
public Object run() throws Exception {
  try (Connection connection = ConnectionFactory.createConnection(conf)) {
    final UserPermission familyRead = new UserPermission(USER_RO.getShortName(),
        new TablePermission(TEST_TABLE, TEST_FAMILY, Action.READ));
    // NOTE(review): the `false` flag presumably means the grant is not merged with the user's
    // existing permissions - confirm against Admin.grant.
    connection.getAdmin().grant(familyRead, false);
  }
  return null;
}
};