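@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN",
    justification = "code runs in same security context as user who provided input")
/**
 * Writes a shell script fragment that recreates {@code user}: its authorizations, its system
 * permissions, and every namespace/table permission it currently holds.
 *
 * The script is written to {@code outputDirectory/<user><USER_FILE_SUFFIX>}. The file name is
 * built straight from the user name; the FindBugs suppression above documents why that is
 * accepted here (the caller already runs as the user supplying the name).
 *
 * @param accumuloClient client used to query the security, namespace and table operations
 * @param user principal whose configuration is dumped
 * @param outputDirectory directory the per-user script is written into
 * @throws IOException if the script cannot be written
 * @throws AccumuloException on a general Accumulo failure
 * @throws AccumuloSecurityException if the caller may not inspect {@code user}'s permissions
 */
private static void printUserConfiguration(AccumuloClient accumuloClient, String user,
    File outputDirectory) throws IOException, AccumuloException, AccumuloSecurityException {
  File userScript = new File(outputDirectory, user + USER_FILE_SUFFIX);
  // try-with-resources: the original only closed the writer on the success path, so any
  // exception from the permission queries below leaked the open file handle.
  try (FileWriter userWriter = new FileWriter(userScript)) {
    userWriter.write(createUserFormat.format(new String[] {user}));

    Authorizations auths = accumuloClient.securityOperations().getUserAuthorizations(user);
    userWriter.write(userAuthsFormat.format(new String[] {user, auths.toString()}));

    // System-wide permissions.
    for (SystemPermission sp : SystemPermission.values()) {
      if (accumuloClient.securityOperations().hasSystemPermission(user, sp)) {
        userWriter.write(sysPermFormat.format(new String[] {sp.name(), user}));
      }
    }

    // Per-namespace permissions, for every namespace visible to this client.
    for (String namespace : accumuloClient.namespaceOperations().list()) {
      for (NamespacePermission np : NamespacePermission.values()) {
        if (accumuloClient.securityOperations().hasNamespacePermission(user, namespace, np)) {
          userWriter.write(nsPermFormat.format(new String[] {np.name(), namespace, user}));
        }
      }
    }

    // Per-table permissions, for every table visible to this client.
    for (String tableName : accumuloClient.tableOperations().list()) {
      for (TablePermission perm : TablePermission.values()) {
        if (accumuloClient.securityOperations().hasTablePermission(user, tableName, perm)) {
          userWriter.write(tablePermFormat.format(new String[] {perm.name(), tableName, user}));
        }
      }
    }
  }
}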
// Fail fast if the principal cannot READ the configured table. This is an early, friendlier
// error for the caller; presumably the server still enforces the permission on the actual
// scan, so this check is not the security boundary. Enclosing method is outside this excerpt.
if (!client.securityOperations().hasTablePermission(principal, tableConfig.getKey(), TablePermission.READ)) throw new IOException("Unable to access table");
/**
 * Asserts that {@code user} holds none of {@code perms} on {@code table}, as observed through
 * {@code root_conn}.
 *
 * @throws IllegalStateException naming the first forbidden permission that is found to be held
 * @throws AccumuloException on a general Accumulo failure
 * @throws AccumuloSecurityException if {@code root_conn} may not query the permission
 */
private void verifyHasNoTablePermissions(Connector root_conn, String user, String table,
    TablePermission... perms) throws AccumuloException, AccumuloSecurityException {
  for (TablePermission forbidden : perms) {
    boolean held = root_conn.securityOperations().hasTablePermission(user, table, forbidden);
    if (held) {
      throw new IllegalStateException(
          user + " SHOULD NOT have table permission " + forbidden + " for table " + table);
    }
  }
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Asserts that the set of table permissions {@code user} holds on {@code table} is exactly
 * {@code perms}: every listed permission must be held and every other
 * {@link TablePermission} must be absent.
 *
 * @throws IllegalStateException on the first permission whose presence does not match
 * @throws AccumuloException on a general Accumulo failure
 * @throws AccumuloSecurityException if {@code root_conn} may not query the permission
 */
private void verifyHasOnlyTheseTablePermissions(Connector root_conn, String user, String table,
    TablePermission... perms) throws AccumuloException, AccumuloSecurityException {
  List<TablePermission> expected = Arrays.asList(perms);
  for (TablePermission candidate : TablePermission.values()) {
    boolean shouldHold = expected.contains(candidate);
    boolean holds = root_conn.securityOperations().hasTablePermission(user, table, candidate);
    if (shouldHold == holds) {
      continue;
    }
    // Message wording matches the two original branches exactly.
    String verb = shouldHold ? " SHOULD have table permission " : " SHOULD NOT have table permission ";
    throw new IllegalStateException(user + verb + candidate + " for table " + table);
  }
}
delim = ""; for (TablePermission p : TablePermission.values()) { if (shellState.getAccumuloClient().securityOperations().hasTablePermission(user, t, p) && p != null) { if (runOnce) {
/**
 * Randomly mutates {@code userName}'s permissions on {@code tableName} by one step: with a
 * coin flip, grants one permission not yet held (if any remain), otherwise revokes one that is
 * held (if any). Used by the randomized security walker; the {@link Random} is the test's
 * source of randomness, not a security primitive.
 *
 * @throws AccumuloException on a general Accumulo failure
 * @throws AccumuloSecurityException if {@code conn} may not query or change the permission
 */
private void changeTablePermission(Connector conn, Random rand, String userName,
    String tableName) throws AccumuloException, AccumuloSecurityException {
  EnumSet<TablePermission> held = EnumSet.noneOf(TablePermission.class);
  for (TablePermission candidate : TablePermission.values()) {
    if (conn.securityOperations().hasTablePermission(userName, tableName, candidate)) {
      held.add(candidate);
    }
  }
  EnumSet<TablePermission> missing = EnumSet.complementOf(held);

  // The coin is always consumed, exactly as in the original, so the random sequence is unchanged.
  boolean tryGrant = rand.nextBoolean();
  if (tryGrant && !missing.isEmpty()) {
    List<TablePermission> pool = new ArrayList<>(missing);
    TablePermission pick = pool.get(rand.nextInt(pool.size()));
    log.debug("adding permission " + pick);
    conn.securityOperations().grantTablePermission(userName, tableName, pick);
  } else if (!held.isEmpty()) {
    List<TablePermission> pool = new ArrayList<>(held);
    TablePermission pick = pool.get(rand.nextInt(pool.size()));
    log.debug("removing permission " + pick);
    conn.securityOperations().revokeTablePermission(userName, tableName, pick);
  }
}
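/**
 * Returns whether {@code user} may read {@code table}, either through a READ permission on the
 * table itself or through a READ permission on the table's namespace.
 *
 * Fails closed: any {@link AccumuloException} or {@link AccumuloSecurityException} raised while
 * querying is treated as "no access" rather than propagated.
 *
 * @param connector connector used to query security operations
 * @param user principal being checked
 * @param table fully qualified table name ({@code namespace.table}, or a bare name for the
 *        default namespace)
 * @return {@code true} if either permission check succeeds, {@code false} otherwise
 */
private boolean checkAccess(final Connector connector, final String user, final String table) {
  try {
    if (connector.securityOperations().hasTablePermission(user, table, TablePermission.READ)) {
      return true;
    }
    // NOTE(review): the original passed the *table* name as the namespace argument of
    // hasNamespacePermission, so a namespace-level READ grant could never satisfy this check.
    // This derives the namespace from Accumulo's "namespace.table" naming; a bare name lives in
    // the default namespace, assumed here to be named "" — confirm against the client API in use.
    // If that assumption is wrong the lookup still fails closed (false / exception -> false).
    final int sep = table.indexOf('.');
    final String namespace = sep < 0 ? "" : table.substring(0, sep);
    return connector.securityOperations().hasNamespacePermission(user, namespace,
        NamespacePermission.READ);
  } catch (final AccumuloException | AccumuloSecurityException e) {
    // Deliberate fail-closed: a failed lookup is treated as "no access".
    return false;
  }
}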
/**
 * Test fixture: records whether {@code root} already holds WRITE on the metadata table and, if
 * not, grants it so the test can proceed. The recorded flag lets the matching teardown restore
 * the original state.
 *
 * @throws Exception from the connector, the permission calls, or an interrupted sleep
 */
@Before
public void setupMetadataPermission() throws Exception {
  Connector conn = getConnector();
  rootHasWritePermission = conn.securityOperations()
      .hasTablePermission("root", MetadataTable.NAME, TablePermission.WRITE);
  if (rootHasWritePermission) {
    return; // nothing to change
  }
  conn.securityOperations().grantTablePermission("root", MetadataTable.NAME,
      TablePermission.WRITE);
  // Give the grant time to propagate through ZooKeeper before the test body runs.
  Thread.sleep(5000);
}
} else if (dice == 1) { log.debug("Checking table permission " + userName + " " + tableName); conn.securityOperations().hasTablePermission(userName, tableName, TablePermission.values()[rand.nextInt(TablePermission.values().length)]); } else if (dice == 2) {
// Fail fast if the configured principal cannot READ the table. This is an early, friendlier
// error for the caller; presumably the server still enforces the permission on the actual
// scan, so this check is not the security boundary. Enclosing method is outside this excerpt.
if (!conn.securityOperations().hasTablePermission(getPrincipal(implementingClass, conf), tableConfig.getKey(), TablePermission.READ)) throw new IOException("Unable to access table");
// Fail fast if the principal cannot READ the configured table. This is an early, friendlier
// error for the caller; presumably the server still enforces the permission on the actual
// scan, so this check is not the security boundary. Enclosing method is outside this excerpt.
if (!client.securityOperations().hasTablePermission(principal, tableConfig.getKey(), TablePermission.READ)) throw new IOException("Unable to access table");
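/**
 * Writes a shell script fragment that recreates {@code user}: its authorizations, its system
 * permissions, and every namespace/table permission it currently holds.
 *
 * The script is written to {@code outputDirectory/<user><USER_FILE_SUFFIX>}. The file name is
 * built straight from the user name, so this assumes the name is trusted in the caller's
 * security context (it is the same principal supplying the input).
 *
 * @param connector connector used to query the security, namespace and table operations
 * @param user principal whose configuration is dumped
 * @param outputDirectory directory the per-user script is written into
 * @throws IOException if the script cannot be written
 * @throws AccumuloException on a general Accumulo failure
 * @throws AccumuloSecurityException if the caller may not inspect {@code user}'s permissions
 */
private static void printUserConfiguration(Connector connector, String user,
    File outputDirectory) throws IOException, AccumuloException, AccumuloSecurityException {
  File userScript = new File(outputDirectory, user + USER_FILE_SUFFIX);
  // try-with-resources: the original only closed the writer on the success path, so any
  // exception from the permission queries below leaked the open file handle.
  try (FileWriter userWriter = new FileWriter(userScript)) {
    userWriter.write(createUserFormat.format(new String[] {user}));

    Authorizations auths = connector.securityOperations().getUserAuthorizations(user);
    userWriter.write(userAuthsFormat.format(new String[] {user, auths.toString()}));

    // System-wide permissions.
    for (SystemPermission sp : SystemPermission.values()) {
      if (connector.securityOperations().hasSystemPermission(user, sp)) {
        userWriter.write(sysPermFormat.format(new String[] {sp.name(), user}));
      }
    }

    // Per-namespace permissions, for every namespace visible to this connector.
    for (String namespace : connector.namespaceOperations().list()) {
      for (NamespacePermission np : NamespacePermission.values()) {
        if (connector.securityOperations().hasNamespacePermission(user, namespace, np)) {
          userWriter.write(nsPermFormat.format(new String[] {np.name(), namespace, user}));
        }
      }
    }

    // Per-table permissions, for every table visible to this connector.
    for (String tableName : connector.tableOperations().list()) {
      for (TablePermission perm : TablePermission.values()) {
        if (connector.securityOperations().hasTablePermission(user, tableName, perm)) {
          userWriter.write(tablePermFormat.format(new String[] {perm.name(), tableName, user}));
        }
      }
    }
  }
}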
// Fail fast if the principal cannot READ the configured table. This is an early, friendlier
// error for the caller; presumably the server still enforces the permission on the actual
// scan, so this check is not the security boundary. Enclosing method is outside this excerpt.
if (!client.securityOperations().hasTablePermission(principal, tableConfig.getKey(), TablePermission.READ)) throw new IOException("Unable to access table");
/**
 * Proxy (Thrift) entry point: answers whether {@code user} holds {@code perm} on {@code table},
 * using the connector bound to the caller's {@code login} token.
 *
 * The Thrift permission is mapped to the core enum by its numeric id; the call order
 * (resolve the connector first, then the permission) is kept as-is so the exception that
 * reaches {@code handleExceptionTNF} is unchanged.
 *
 * @param login opaque session token identifying the proxied caller
 * @param user principal being checked
 * @param table table name
 * @param perm Thrift-side table permission
 * @return whether the permission is held
 */
@Override
public boolean hasTablePermission(ByteBuffer login, String user, String table,
    org.apache.accumulo.proxy.thrift.TablePermission perm)
    throws org.apache.accumulo.proxy.thrift.AccumuloException,
    org.apache.accumulo.proxy.thrift.AccumuloSecurityException,
    org.apache.accumulo.proxy.thrift.TableNotFoundException, TException {
  try {
    return getConnector(login).securityOperations().hasTablePermission(user, table,
        TablePermission.getPermissionById((byte) perm.getValue()));
  } catch (Exception e) {
    // handleExceptionTNF translates to the Thrift exception types declared above; it is
    // presumably expected to rethrow, so the `return false` below should be unreachable.
    handleExceptionTNF(e);
    return false;
  }
}
conn.securityOperations().hasTablePermission("root", MetadataTable.NAME, TablePermission.WRITE));
conn.securityOperations().hasTablePermission("root", MetadataTable.NAME, TablePermission.WRITE));
// Two early sanity checks before any scan: (1) the credentials read from conf must authenticate
// (note the password is held in the job configuration, so that configuration is
// credential-bearing and should be protected accordingly); (2) the user must hold READ on the
// target table. Both give the caller a friendlier error up front; presumably the server still
// enforces authentication and permissions on the real scan. Enclosing method is outside this excerpt.
if (!c.securityOperations().authenticateUser(getUsername(conf), new PasswordToken(getPassword(conf)))) throw new IOException("Unable to authenticate user"); if (!c.securityOperations().hasTablePermission(getUsername(conf), getTablename(conf), TablePermission.READ)) throw new IOException("Unable to access table");
/**
 * Test teardown: restores {@code root}'s WRITE permission on the metadata table to whatever
 * the matching setup recorded, granting or revoking only when the current state differs.
 *
 * @throws Exception from the connector or the permission calls
 */
@After
public void resetMetadataPermission() throws Exception {
  Connector conn = getConnector();
  boolean rootHasWriteNow = conn.securityOperations()
      .hasTablePermission("root", MetadataTable.NAME, TablePermission.WRITE);
  if (rootHasWriteNow == rootHasWritePermission) {
    return; // already back in the initial state
  }
  if (rootHasWritePermission) {
    // root started with WRITE; put it back.
    conn.securityOperations().grantTablePermission("root", MetadataTable.NAME,
        TablePermission.WRITE);
  } else {
    // root started without WRITE; take it away again.
    conn.securityOperations().revokeTablePermission("root", MetadataTable.NAME,
        TablePermission.WRITE);
  }
}
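/**
 * Runs as the Kerberos root principal and asserts the expected privilege baseline: every
 * {@link SystemPermission}, plus ALTER_TABLE on the root and metadata tables.
 *
 * Both assertions now carry a message (the table one originally did not), so a failure names
 * the missing permission and table instead of just "expected true".
 *
 * @return {@code null}; the method exists for its assertions
 * @throws Exception from the connector or the permission queries
 */
@Override
public Void run() throws Exception {
  final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
  // The "root" user should have all system permissions
  for (SystemPermission perm : SystemPermission.values()) {
    assertTrue("Expected user to have permission: " + perm,
        conn.securityOperations().hasSystemPermission(conn.whoami(), perm));
  }
  // and the ability to modify the root and metadata tables
  for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) {
    assertTrue("Expected user to have ALTER_TABLE on table: " + table,
        conn.securityOperations().hasTablePermission(conn.whoami(), table,
            TablePermission.ALTER_TABLE));
  }
  return null;
}
}); // closes the anonymous class and the enclosing call, which start outside this excerpt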
delim = ""; for (TablePermission p : TablePermission.values()) { if (shellState.getConnector().securityOperations().hasTablePermission(user, t, p) && p != null) { if (runOnce) {