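/**
 * Returns whether the given user is a superuser, either because its short name is listed in
 * {@code superUsers} or because one of its groups is listed in {@code superGroups}.
 * @param user the user to check
 * @return true if the user is a declared superuser or a member of a super group, false otherwise
 * @throws IllegalStateException if the superuser/super group lists have not been initialized
 */
public static boolean isSuperUser(User user) {
  // Both lists are consulted below; refuse to answer (rather than NPE on the second lookup or
  // fail open) if either one has not been initialized yet.
  if (superUsers == null || superGroups == null) {
    throw new IllegalStateException("Super users/super groups lists"
      + " have not been initialized properly.");
  }
  if (superUsers.contains(user.getShortName())) {
    return true;
  }
  // Group membership is only consulted after the explicit per-user list.
  String[] groups = user.getGroupNames();
  if (groups != null) {
    for (String group : groups) {
      if (superGroups.contains(group)) {
        return true;
      }
    }
  }
  return false;
}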
/**
 * Returns the labels the given user is allowed to see: the union of the auths granted to the
 * user's short name and to each of the user's groups. Labels explicitly requested through
 * {@code authorizations} are never honoured here; they are logged and dropped, so a caller
 * cannot widen its view beyond what has been granted.
 * @param user the user whose labels are requested
 * @param authorizations labels requested by the caller; logged and dropped if non-null
 * @return a new mutable list of the user's effective labels (possibly empty, never null)
 */
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  final String shortName = user.getShortName();
  if (authorizations != null) {
    // Record that a caller-supplied set was ignored; it has no effect on the result.
    LOG.warn("Dropping authorizations requested by user " + shortName + ": " + authorizations);
  }
  Set<String> effective = new HashSet<>(this.labelsCache.getUserAuths(shortName));
  effective.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return new ArrayList<>(effective);
}
/**
 * Returns the requested labels filtered down to those the user actually holds. The user's
 * effective auths are the union of the auths for the short name and for each group; anything
 * requested outside that set is removed by {@code dropLabelsNotInUserAuths}.
 * @param user the user whose labels are requested
 * @param authorizations labels requested by the caller
 * @return the subset of requested labels the user holds, or {@code null} when no
 *   authorizations were passed (callers must handle the null)
 */
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  if (authorizations == null) {
    // Nothing to filter: this implementation returns null, not an empty list.
    return null;
  }
  final String shortName = user.getShortName();
  Set<String> granted = new HashSet<>(this.labelsCache.getUserAuths(shortName));
  granted.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return dropLabelsNotInUserAuths(authorizations.getLabels(), new ArrayList<>(granted), shortName);
}
/**
 * Returns the labels to use for the given user. When the caller supplies a non-empty list of
 * labels those are returned as given; otherwise the user's granted auths (for the short name
 * and for each group) are returned. Note that this implementation does not compare
 * caller-supplied labels against the user's auths.
 * @param user the user whose labels are requested
 * @param authorizations labels requested by the caller, may be null or empty
 * @return the requested labels if any were given, else a new list of the user's granted auths
 */
@Override
public List<String> getLabels(User user, Authorizations authorizations) {
  List<String> requested = authorizations == null ? null : authorizations.getLabels();
  if (requested != null && !requested.isEmpty()) {
    // Returned unfiltered: no check against the user's own auths happens here.
    return requested;
  }
  String shortName = user.getShortName();
  Set<String> granted = new HashSet<>(this.labelsCache.getUserAuths(shortName));
  granted.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
  return new ArrayList<>(granted);
}
/**
 * Builds visibility tags for the given expression. When {@code checkAuths} is set, the active
 * user's auth ordinals (for the short name and for each group) are collected and handed to
 * {@code VisibilityUtils} so the expression can be checked against them; otherwise an empty set
 * is passed along with {@code checkAuths == false}.
 * @param visExpression the visibility expression to convert
 * @param withSerializationFormat passed through to {@code VisibilityUtils} unchanged
 * @param checkAuths whether the active user's auths should be gathered for checking
 * @return the tags produced by {@code VisibilityUtils.createVisibilityExpTags}
 * @throws IOException if tag creation fails
 */
@Override
public List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
    boolean checkAuths) throws IOException {
  Set<Integer> ordinals = new HashSet<>();
  if (checkAuths) {
    // Only the *active* user's auths are gathered, not those of an arbitrary principal.
    User active = VisibilityUtils.getActiveUser();
    ordinals.addAll(this.labelsCache.getUserAuthsAsOrdinals(active.getShortName()));
    ordinals.addAll(this.labelsCache.getGroupAuthsAsOrdinals(active.getGroupNames()));
  }
  return VisibilityUtils.createVisibilityExpTags(visExpression, withSerializationFormat,
    checkAuths, ordinals, labelsCache);
}
/**
 * Returns whether the user holds the 'system' auth. Superusers hold it implicitly; everyone
 * else must have been granted {@code SYSTEM_LABEL} directly or through one of their groups.
 * @param user the user to check
 * @return true if the user is a superuser or has the system label, false otherwise
 * @throws IOException if the auths cannot be read
 */
@Override
public boolean havingSystemAuth(User user) throws IOException {
  // Superusers implicitly hold the 'system' auth.
  if (Superusers.isSuperUser(user)) {
    return true;
  }
  String shortName = user.getShortName();
  // Otherwise it must have been granted explicitly, first checked on the user itself ...
  List<String> userAuths = this.getUserAuths(Bytes.toBytes(shortName), true);
  if (LOG.isTraceEnabled()) {
    LOG.trace("The auths for user " + shortName + " are " + userAuths);
  }
  if (userAuths.contains(SYSTEM_LABEL)) {
    return true;
  }
  // ... and then on the user's groups.
  List<String> groupAuths = this.getGroupAuths(user.getGroupNames(), true);
  if (LOG.isTraceEnabled()) {
    LOG.trace("The auths for groups of user " + shortName + " are " + groupAuths);
  }
  return groupAuths.contains(SYSTEM_LABEL);
}
/**
 * Checks whether the user has the given action privilege in global scope, either granted to
 * the user directly or to one of the user's groups.
 * @param user the user to check; {@code null} is treated as having no permission
 * @param action one of the actions in [Read, Write, Create, Exec, Admin]
 * @return true if the user has the privilege, false otherwise
 */
public boolean authorizeUserGlobal(User user, Permission.Action action) {
  if (user == null) {
    // Fail closed on a missing principal.
    return false;
  }
  boolean granted = authorizeGlobal(globalCache.get(user.getShortName()), action);
  String[] groups = user.getGroupNames();
  // Stop at the first group that grants the action.
  for (int i = 0; !granted && i < groups.length; i++) {
    granted = authorizeGlobal(globalCache.get(AuthUtil.toGroupEntry(groups[i])), action);
  }
  return granted;
}
/**
 * Returns whether the user holds the 'system' auth: superusers implicitly, everyone else only
 * if {@code SYSTEM_LABEL} appears among the auths granted to the user or to any of its groups.
 * @param user the user to check
 * @return true if the user is a superuser or holds the system label, false otherwise
 * @throws IOException if the auths cannot be read
 */
@Override
public boolean havingSystemAuth(User user) throws IOException {
  if (Superusers.isSuperUser(user)) {
    return true;
  }
  byte[] userKey = Bytes.toBytes(user.getShortName());
  Set<String> granted = new HashSet<>(this.getUserAuths(userKey, true));
  granted.addAll(this.getGroupAuths(user.getGroupNames(), true));
  return granted.contains(SYSTEM_LABEL);
}
/**
 * Asserts that the user's reported group names are non-null, have the same size as
 * {@code groups}, and are each contained in {@code groups}.
 */
private void assertUserGroup(User user, ImmutableSet<String> groups) {
  String[] reported = user.getGroupNames();
  assertNotNull("GroupNames should be not null", reported);
  assertTrue("UserGroupNames length should be == " + groups.size(),
    reported.length == groups.size());
  for (String g : reported) {
    assertTrue("groupName should be in set ", groups.contains(g));
  }
}
/**
 * Verifies that a user created for testing with an explicit group list resolves to the same
 * group names when the same short name is later created through a {@code UserProvider}
 * (presumably served from the provider's group cache rather than the OS group mapping).
 */
@Test
public void testCreateUserForTestingGroupCache() throws Exception {
  final Configuration conf = HBaseConfiguration.create();
  final String name = "group_user";
  final String[] groups = { "MYGROUP" };
  User fromTesting = User.createUserForTesting(conf, name, groups);
  User fromProvider = UserProvider.instantiate(conf)
    .create(UserGroupInformation.createRemoteUser(name));
  assertArrayEquals(fromTesting.getGroupNames(), fromProvider.getGroupNames());
}
/**
 * Verifies that two lookups of the same (non-existent) user through a {@code UserProvider}
 * return the very same group-name array, which only happens if the provider's group cache
 * served the second lookup instead of calling out to the group mapping again.
 */
@Test
public void testCacheGetGroups() throws Exception {
  final Configuration conf = HBaseConfiguration.create();
  final UserProvider provider = UserProvider.instantiate(conf);
  // VERY unlikely that this user will exist on the box.
  // This should mean the user has no groups.
  final String nonUser = "kklvfnvhdhcenfnniilggljhdecjhidkle";
  // Two distinct UGIs for the same name, so any sharing must come from the cache.
  UserGroupInformation firstUgi = UserGroupInformation.createRemoteUser(nonUser);
  UserGroupInformation secondUgi = UserGroupInformation.createRemoteUser(nonUser);
  User first = provider.create(firstUgi);
  User second = provider.create(secondUgi);
  // Make sure that we didn't break groups and everything worked well.
  assertArrayEquals(first.getGroupNames(), second.getGroupNames());
  // Check that they are referentially equal.
  // Since getting a group for a user that doesn't exist creates a new string array,
  // the only way they can be the same reference is if the cache worked and
  // made sure we didn't go to hadoop's script twice.
  assertTrue(first.getGroupNames() == second.getGroupNames());
  assertEquals(0, firstUgi.getGroupNames().length);
}
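/**
 * Checks whether the user has the given action privilege in table:family scope, either granted
 * to the user directly or to one of the user's groups. This method is for backward compatibility.
 * @param user the user to check; {@code null} is treated as having no permission
 * @param table table name
 * @param family family name
 * @param action one of the actions in [Read, Write, Create, Exec, Admin]
 * @return true if the user has the privilege, false otherwise
 */
public boolean authorizeUserFamily(User user, TableName table, byte[] family,
    Permission.Action action) {
  // Fail closed on a missing principal, consistent with the other authorizeUser* methods.
  if (user == null) {
    return false;
  }
  // A table with no cached entry falls back to TBL_NO_PERMISSION instead of null.
  PermissionCache<TablePermission> tblPermissions =
    tableCache.getOrDefault(table, TBL_NO_PERMISSION);
  if (authorizeFamily(tblPermissions.get(user.getShortName()), table, family, action)) {
    return true;
  }
  for (String group : user.getGroupNames()) {
    if (authorizeFamily(tblPermissions.get(AuthUtil.toGroupEntry(group)), table, family, action)) {
      return true;
    }
  }
  return false;
}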
String groupNames[] = user.getGroupNames(); if (groupNames != null) { for (String group : groupNames) {
/**
 * Verifies, on non-Windows hosts, that two provider lookups of the {@code root} user agree on
 * its group names and that root has at least one group.
 */
@Test
public void testCacheGetGroupsRoot() throws Exception {
  // Windows users don't have a root user.
  // However pretty much every other *NIX os will have root.
  if (SystemUtils.IS_OS_WINDOWS) {
    return;
  }
  final Configuration conf = HBaseConfiguration.create();
  final UserProvider provider = UserProvider.instantiate(conf);
  final String rootUserName = "root";
  // Create two UGI's for this username
  UserGroupInformation firstUgi = UserGroupInformation.createRemoteUser(rootUserName);
  UserGroupInformation secondUgi = UserGroupInformation.createRemoteUser(rootUserName);
  // Now try and get the user twice.
  User first = provider.create(firstUgi);
  User second = provider.create(secondUgi);
  // Make sure that we didn't break groups and everything worked well.
  assertArrayEquals(first.getGroupNames(), second.getGroupNames());
  String[] rootGroups = firstUgi.getGroupNames();
  assertTrue(rootGroups.length > 0);
}
/**
 * Checks whether the user has the given action privilege in namespace scope. A global grant
 * satisfies the check; otherwise the namespace permissions of the user and of each of the
 * user's groups are consulted.
 * @param user the user to check; {@code null} is treated as having no permission
 * @param namespace namespace
 * @param action one of the actions in [Read, Write, Create, Exec, Admin]
 * @return true if the user has the privilege, false otherwise
 */
public boolean authorizeUserNamespace(User user, String namespace, Permission.Action action) {
  if (user == null) {
    // Fail closed on a missing principal.
    return false;
  }
  // Global permissions subsume namespace permissions.
  if (authorizeUserGlobal(user, action)) {
    return true;
  }
  // A namespace with no cached entry falls back to NS_NO_PERMISSION instead of null.
  PermissionCache<NamespacePermission> nsPermissions =
    namespaceCache.getOrDefault(namespace, NS_NO_PERMISSION);
  boolean granted = authorizeNamespace(nsPermissions.get(user.getShortName()), namespace, action);
  String[] groups = user.getGroupNames();
  // Stop at the first group that grants the action.
  for (int i = 0; !granted && i < groups.length; i++) {
    granted = authorizeNamespace(nsPermissions.get(AuthUtil.toGroupEntry(groups[i])),
      namespace, action);
  }
  return granted;
}
/**
 * Checks whether the user has access to the table for the given action, either to the whole
 * table or to at least one family/qualifier in it. A namespace-level (or global) grant
 * satisfies the check; otherwise the table permissions of the user and of each of the user's
 * groups are consulted. A {@code null} table is treated as the ACL table.
 * @param user the user to check; {@code null} is treated as having no access
 * @param table table name, or {@code null} for {@code AccessControlLists.ACL_TABLE_NAME}
 * @param action one of the actions in [Read, Write, Create, Exec, Admin]
 * @return true if the user has some access to the table, false otherwise
 */
public boolean accessUserTable(User user, TableName table, Permission.Action action) {
  if (user == null) {
    // Fail closed on a missing principal.
    return false;
  }
  final TableName target = table == null ? AccessControlLists.ACL_TABLE_NAME : table;
  // Namespace (and, transitively, global) permissions subsume table permissions.
  if (authorizeUserNamespace(user, target.getNamespaceAsString(), action)) {
    return true;
  }
  // A table with no cached entry falls back to TBL_NO_PERMISSION instead of null.
  PermissionCache<TablePermission> tblPermissions =
    tableCache.getOrDefault(target, TBL_NO_PERMISSION);
  boolean granted = hasAccessTable(tblPermissions.get(user.getShortName()), action);
  String[] groups = user.getGroupNames();
  // Stop at the first group that grants the action.
  for (int i = 0; !granted && i < groups.length; i++) {
    granted = hasAccessTable(tblPermissions.get(AuthUtil.toGroupEntry(groups[i])), action);
  }
  return granted;
}
return true; for (String group : user.getGroupNames()) { if (authorizeTable(tblPermissions.get(AuthUtil.toGroupEntry(group)), table, family, qualifier, action)) {
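/**
 * Returns whether the given user is a superuser, either because its short name is listed in
 * {@code superUsers} or because one of its groups is listed in {@code superGroups}.
 * @param user the user to check
 * @return true if the user is a declared superuser or a member of a super group, false otherwise
 * @throws IllegalStateException if the superuser/super group lists have not been initialized
 */
public static boolean isSuperUser(User user) {
  // Both lists are consulted below; refuse to answer (rather than NPE on the second lookup or
  // fail open) if either one has not been initialized yet.
  if (superUsers == null || superGroups == null) {
    throw new IllegalStateException("Super users/super groups lists"
      + " haven't been initialized properly.");
  }
  if (superUsers.contains(user.getShortName())) {
    return true;
  }
  // Group membership is only consulted after the explicit per-user list.
  String[] groups = user.getGroupNames();
  if (groups != null) {
    for (String group : groups) {
      if (superGroups.contains(group)) {
        return true;
      }
    }
  }
  return false;
}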
String[] groupNames = user.getGroupNames(); if (groupNames != null) { for (String group : groupNames) {
/**
 * Verifies that a user created for testing with an explicit group list resolves to the same
 * group names when the same short name is later created through a {@code UserProvider}
 * (presumably served from the provider's group cache rather than the OS group mapping).
 */
@Test
public void testCreateUserForTestingGroupCache() throws Exception {
  final Configuration conf = HBaseConfiguration.create();
  final String name = "group_user";
  final String[] groups = { "MYGROUP" };
  User fromTesting = User.createUserForTesting(conf, name, groups);
  User fromProvider = UserProvider.instantiate(conf)
    .create(UserGroupInformation.createRemoteUser(name));
  assertArrayEquals(fromTesting.getGroupNames(), fromProvider.getGroupNames());
}