TableAuthManager (Apache HBase

java.lang.Object
- org.apache.hadoop.hbase.security.access.TableAuthManager

All Implemented Interfaces:

Closeable, AutoCloseable
```
@InterfaceAudience.Private
public class TableAuthManager
extends Object
implements Closeable
```
Performs authorization checks for a given user's assigned permissions

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`boolean`	`authorize(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.security.access.Permission.Action action)` Authorize a global permission based on ACLs for the given user and the user's groups.
`boolean`	`authorize(org.apache.hadoop.hbase.security.User user, String namespace, org.apache.hadoop.hbase.security.access.Permission.Action action)`
`boolean`	`authorize(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, byte[] family, byte[] qualifier, org.apache.hadoop.hbase.security.access.Permission.Action action)`
`boolean`	`authorize(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, byte[] family, org.apache.hadoop.hbase.security.access.Permission.Action action)`
`boolean`	`authorize(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, org.apache.hadoop.hbase.Cell cell, org.apache.hadoop.hbase.security.access.Permission.Action action)` Authorize a user for a given KV.
`boolean`	`authorizeGroup(String groupName, org.apache.hadoop.hbase.security.access.Permission.Action action)` Checks global authorization for a given action for a group, based on the stored permissions.
`boolean`	`authorizeGroup(String groupName, org.apache.hadoop.hbase.TableName table, byte[] family, byte[] qualifier, org.apache.hadoop.hbase.security.access.Permission.Action action)` Checks authorization to a given table, column family and column for a group, based on the stored permissions.
`boolean`	`authorizeUser(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, byte[] family, byte[] qualifier, org.apache.hadoop.hbase.security.access.Permission.Action action)`
`boolean`	`authorizeUser(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, byte[] family, org.apache.hadoop.hbase.security.access.Permission.Action action)` Checks authorization to a given table and column family for a user, based on the stored user permissions.
`void`	`close()`
`long`	`getMTime()`
`static TableAuthManager`	`getOrCreate(org.apache.hadoop.hbase.zookeeper.ZKWatcher watcher, org.apache.hadoop.conf.Configuration conf)` Returns a TableAuthManager from the cache.
`static int`	`getTotalRefCount()`
`ZKPermissionWatcher`	`getZKPermissionWatcher()`
`boolean`	`groupHasAccess(String groupName, org.apache.hadoop.hbase.TableName table, org.apache.hadoop.hbase.security.access.Permission.Action action)` Checks if the user has access to the full table or at least a family/qualifier for the specified action.
`boolean`	`hasAccess(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, org.apache.hadoop.hbase.security.access.Permission.Action action)`
`boolean`	`matchPermission(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, byte[] family, byte[] qualifier, org.apache.hadoop.hbase.security.access.Permission.Action action)`
`boolean`	`matchPermission(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, byte[] family, org.apache.hadoop.hbase.security.access.Permission.Action action)` Returns true if the given user has a `TablePermission` matching up to the column family portion of a permission.
`void`	`refreshNamespaceCacheFromWritable(String namespace, byte[] data)`
`void`	`refreshTableCacheFromWritable(org.apache.hadoop.hbase.TableName table, byte[] data)`
`static void`	`release(TableAuthManager instance)` Releases the resources for the given TableAuthManager if the reference count is down to 0.
`void`	`removeNamespace(byte[] ns)`
`void`	`removeTable(org.apache.hadoop.hbase.TableName table)`
`void`	`setNamespaceGroupPermissions(String group, String namespace, List<org.apache.hadoop.hbase.security.access.TablePermission> perms)` Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
`void`	`setNamespaceUserPermissions(String username, String namespace, List<org.apache.hadoop.hbase.security.access.TablePermission> perms)` Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.
`void`	`setTableGroupPermissions(String group, org.apache.hadoop.hbase.TableName table, List<org.apache.hadoop.hbase.security.access.TablePermission> perms)` Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.
`void`	`setTableUserPermissions(String username, org.apache.hadoop.hbase.TableName table, List<org.apache.hadoop.hbase.security.access.TablePermission> perms)` Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.
`boolean`	`userHasAccess(org.apache.hadoop.hbase.security.User user, org.apache.hadoop.hbase.TableName table, org.apache.hadoop.hbase.security.access.Permission.Action action)` Checks if the user has access to the full table or at least a family/qualifier for the specified action.
`void`	`writeNamespaceToZooKeeper(String namespace, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<org.apache.hadoop.hbase.security.access.TablePermission> tablePerms)`
`void`	`writeTableToZooKeeper(org.apache.hadoop.hbase.TableName table, org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<org.apache.hadoop.hbase.security.access.TablePermission> tablePerms)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

close
```
public void close()
```
Specified by:

close in interface Closeable

Specified by:

close in interface AutoCloseable

getZKPermissionWatcher

public ZKPermissionWatcher getZKPermissionWatcher()

refreshTableCacheFromWritable

public void refreshTableCacheFromWritable(org.apache.hadoop.hbase.TableName table,
                                          byte[] data)
                                   throws IOException

Throws:: IOException

refreshNamespaceCacheFromWritable

public void refreshNamespaceCacheFromWritable(String namespace,
                                              byte[] data)
                                       throws IOException

Throws:: IOException

authorize
```
public boolean authorize(org.apache.hadoop.hbase.security.User user,
                         org.apache.hadoop.hbase.security.access.Permission.Action action)
```
Authorize a global permission based on ACLs for the given user and the user's groups.

Parameters:

user -

action -

Returns:

true if known and authorized, false otherwise

authorize

public boolean authorize(org.apache.hadoop.hbase.security.User user,
                         org.apache.hadoop.hbase.TableName table,
                         org.apache.hadoop.hbase.Cell cell,
                         org.apache.hadoop.hbase.security.access.Permission.Action action)

Authorize a user for a given KV. This is called from AccessControlFilter.

authorize

public boolean authorize(org.apache.hadoop.hbase.security.User user,
                         String namespace,
                         org.apache.hadoop.hbase.security.access.Permission.Action action)

authorizeUser

public boolean authorizeUser(org.apache.hadoop.hbase.security.User user,
                             org.apache.hadoop.hbase.TableName table,
                             byte[] family,
                             org.apache.hadoop.hbase.security.access.Permission.Action action)

Checks authorization to a given table and column family for a user, based on the stored user permissions.

Parameters:: user -; table -; family -; action -
Returns:: true if known and authorized, false otherwise

authorizeUser

public boolean authorizeUser(org.apache.hadoop.hbase.security.User user,
                             org.apache.hadoop.hbase.TableName table,
                             byte[] family,
                             byte[] qualifier,
                             org.apache.hadoop.hbase.security.access.Permission.Action action)

userHasAccess

public boolean userHasAccess(org.apache.hadoop.hbase.security.User user,
                             org.apache.hadoop.hbase.TableName table,
                             org.apache.hadoop.hbase.security.access.Permission.Action action)

Checks if the user has access to the full table or at least a family/qualifier for the specified action.

Parameters:: user -; table -; action -
Returns:: true if the user has access to the table, false otherwise

authorizeGroup

public boolean authorizeGroup(String groupName,
                              org.apache.hadoop.hbase.security.access.Permission.Action action)

Checks global authorization for a given action for a group, based on the stored permissions.

authorizeGroup

public boolean authorizeGroup(String groupName,
                              org.apache.hadoop.hbase.TableName table,
                              byte[] family,
                              byte[] qualifier,
                              org.apache.hadoop.hbase.security.access.Permission.Action action)

Checks authorization to a given table, column family and column for a group, based on the stored permissions.

Parameters:: groupName -; table -; family -; qualifier -; action -
Returns:: true if known and authorized, false otherwise

groupHasAccess

public boolean groupHasAccess(String groupName,
                              org.apache.hadoop.hbase.TableName table,
                              org.apache.hadoop.hbase.security.access.Permission.Action action)

Checks if the user has access to the full table or at least a family/qualifier for the specified action.

Parameters:: groupName -; table -; action -
Returns:: true if the group has access to the table, false otherwise

authorize

public boolean authorize(org.apache.hadoop.hbase.security.User user,
                         org.apache.hadoop.hbase.TableName table,
                         byte[] family,
                         byte[] qualifier,
                         org.apache.hadoop.hbase.security.access.Permission.Action action)

hasAccess

public boolean hasAccess(org.apache.hadoop.hbase.security.User user,
                         org.apache.hadoop.hbase.TableName table,
                         org.apache.hadoop.hbase.security.access.Permission.Action action)

authorize

public boolean authorize(org.apache.hadoop.hbase.security.User user,
                         org.apache.hadoop.hbase.TableName table,
                         byte[] family,
                         org.apache.hadoop.hbase.security.access.Permission.Action action)

matchPermission

public boolean matchPermission(org.apache.hadoop.hbase.security.User user,
                               org.apache.hadoop.hbase.TableName table,
                               byte[] family,
                               org.apache.hadoop.hbase.security.access.Permission.Action action)

Returns true if the given user has a TablePermission matching up to the column family portion of a permission. Note that this permission may be scoped to a given column qualifier and does not guarantee that authorize() on the same column family would return true.

matchPermission

public boolean matchPermission(org.apache.hadoop.hbase.security.User user,
                               org.apache.hadoop.hbase.TableName table,
                               byte[] family,
                               byte[] qualifier,
                               org.apache.hadoop.hbase.security.access.Permission.Action action)

removeNamespace

public void removeNamespace(byte[] ns)

removeTable

public void removeTable(org.apache.hadoop.hbase.TableName table)

setTableUserPermissions

public void setTableUserPermissions(String username,
                                    org.apache.hadoop.hbase.TableName table,
                                    List<org.apache.hadoop.hbase.security.access.TablePermission> perms)

Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.

Parameters:: username -; table -; perms -

setTableGroupPermissions

public void setTableGroupPermissions(String group,
                                     org.apache.hadoop.hbase.TableName table,
                                     List<org.apache.hadoop.hbase.security.access.TablePermission> perms)

Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:: group -; table -; perms -

setNamespaceUserPermissions

public void setNamespaceUserPermissions(String username,
                                        String namespace,
                                        List<org.apache.hadoop.hbase.security.access.TablePermission> perms)

Overwrites the existing permission set for a given user for a table, and triggers an update for zookeeper synchronization.

Parameters:: username -; namespace -; perms -

setNamespaceGroupPermissions

public void setNamespaceGroupPermissions(String group,
                                         String namespace,
                                         List<org.apache.hadoop.hbase.security.access.TablePermission> perms)

Overwrites the existing permission set for a group and triggers an update for zookeeper synchronization.

Parameters:: group -; namespace -; perms -

writeTableToZooKeeper

public void writeTableToZooKeeper(org.apache.hadoop.hbase.TableName table,
                                  org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<org.apache.hadoop.hbase.security.access.TablePermission> tablePerms)

writeNamespaceToZooKeeper

public void writeNamespaceToZooKeeper(String namespace,
                                      org.apache.hadoop.hbase.security.access.TableAuthManager.PermissionCache<org.apache.hadoop.hbase.security.access.TablePermission> tablePerms)

getMTime
```
public long getMTime()
```

getOrCreate

public static TableAuthManager getOrCreate(org.apache.hadoop.hbase.zookeeper.ZKWatcher watcher,
                                           org.apache.hadoop.conf.Configuration conf)
                                    throws IOException

Returns a TableAuthManager from the cache. If not cached, constructs a new one. Returned instance should be released back by calling release(TableAuthManager).

Throws:: IOException

getTotalRefCount
```
public static int getTotalRefCount()
```

release
```
public static void release(TableAuthManager instance)
```
Releases the resources for the given TableAuthManager if the reference count is down to 0.

Parameters:

instance - TableAuthManager to be released

Class TableAuthManager

Method Summary

Methods inherited from class java.lang.Object

Method Detail

close

getZKPermissionWatcher

refreshTableCacheFromWritable

refreshNamespaceCacheFromWritable

authorize

authorize

authorize

authorizeUser

authorizeUser

userHasAccess

authorizeGroup

authorizeGroup

groupHasAccess

authorize

hasAccess

authorize

matchPermission

matchPermission

removeNamespace

removeTable

setTableUserPermissions

setTableGroupPermissions

setNamespaceUserPermissions

setNamespaceGroupPermissions

writeTableToZooKeeper

writeNamespaceToZooKeeper

getMTime

getOrCreate

getTotalRefCount

release