Class SecurityOperation
- java.lang.Object
-
- org.apache.accumulo.server.security.SecurityOperation
-
- Direct Known Subclasses:
AuditedSecurityOperation
public class SecurityOperation extends Object
Utility class for performing various security operations with the appropriate checks
-
-
Field Summary
Fields
Modifier and Type | Field | Description
protected Authenticator
authenticator
protected Authorizor
authorizor
protected ServerContext
context
protected boolean
isKerberos
protected PermissionHandler
permHandle
-
Constructor Summary
Constructors
Modifier | Constructor | Description
protected
SecurityOperation(ServerContext context)
SecurityOperation(ServerContext context, Authorizor author, Authenticator authent, PermissionHandler pm)
-
Method Summary
All Methods | Static Methods | Instance Methods | Concrete Methods
Modifier and Type | Method | Description
protected void
_createUser(TCredentials credentials, Credentials newUser)
protected boolean
_hasNamespacePermission(String user, NamespaceId namespace, NamespacePermission permission, boolean useCached)
Checks if a user has a namespace permission. This cannot check whether a system user has the permission.
protected boolean
_hasTablePermission(String user, TableId table, TablePermission permission, boolean useCached)
Checks if a user has a table permission. This cannot check whether a system user has the permission.
protected void
authenticate(TCredentials credentials)
boolean
authenticatedUserHasAuthorizations(TCredentials credentials, List<ByteBuffer> list)
Checks whether a user who has already been authenticated holds the specified authorizations.
boolean
authenticateUser(TCredentials credentials, TCredentials toAuth)
boolean
canAlterNamespace(TCredentials credentials, NamespaceId namespaceId)
boolean
canAlterTable(TCredentials c, TableId tableId, NamespaceId namespaceId)
boolean
canAskAboutUser(TCredentials credentials, String user)
boolean
canBulkImport(TCredentials c, TableId tableId, String tableName, String dir, String failDir, NamespaceId namespaceId)
boolean
canChangeAuthorizations(TCredentials c, String user)
boolean
canChangePassword(TCredentials c, String user)
boolean
canCloneTable(TCredentials c, TableId tableId, String tableName, NamespaceId destinationNamespaceId, NamespaceId srcNamespaceId)
boolean
canCompact(TCredentials c, TableId tableId, NamespaceId namespaceId)
boolean
canConditionallyUpdate(TCredentials credentials, TableId tableID, NamespaceId namespaceId)
boolean
canCreateNamespace(TCredentials credentials)
boolean
canCreateTable(TCredentials c, String tableName, NamespaceId namespaceId)
boolean
canCreateUser(TCredentials c, String user)
boolean
canDeleteNamespace(TCredentials credentials, NamespaceId namespaceId)
boolean
canDeleteRange(TCredentials c, TableId tableId, String tableName, org.apache.hadoop.io.Text startRow, org.apache.hadoop.io.Text endRow, NamespaceId namespaceId)
boolean
canDeleteTable(TCredentials c, TableId tableId, NamespaceId namespaceId)
boolean
canDropUser(TCredentials c, String user)
boolean
canExport(TCredentials credentials, TableId tableId, String tableName, String exportDir, NamespaceId namespaceId)
boolean
canFlush(TCredentials c, TableId tableId, NamespaceId namespaceId)
boolean
canGetSummaries(TCredentials credentials, TableId tableId, NamespaceId namespaceId)
boolean
canGrantNamespace(TCredentials c, NamespaceId namespace)
boolean
canGrantSystem(TCredentials c, String user, SystemPermission sysPerm)
boolean
canGrantTable(TCredentials c, String user, TableId tableId, NamespaceId namespaceId)
boolean
canImport(TCredentials credentials, String tableName, String importDir, NamespaceId namespaceId)
boolean
canMerge(TCredentials c, TableId tableId, NamespaceId namespaceId)
boolean
canObtainDelegationToken(TCredentials credentials)
boolean
canOnlineOfflineTable(TCredentials c, TableId tableId, FateOperation op, NamespaceId namespaceId)
boolean
canPerformSystemActions(TCredentials credentials)
This is the check to perform any system action.
boolean
canRenameNamespace(TCredentials credentials, NamespaceId namespaceId)
boolean
canRenameTable(TCredentials c, TableId tableId, String oldTableName, String newTableName, NamespaceId namespaceId)
boolean
canRevokeNamespace(TCredentials c, NamespaceId namespace)
boolean
canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm)
boolean
canRevokeTable(TCredentials c, String user, TableId tableId, NamespaceId namespaceId)
boolean
canScan(TCredentials credentials, TableId tableId, NamespaceId namespaceId)
boolean
canScan(TCredentials credentials, TableId table, NamespaceId namespaceId, Map<TKeyExtent,List<TRange>> tbatch, List<TColumn> tcolumns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations)
boolean
canScan(TCredentials credentials, TableId tableId, NamespaceId namespaceId, TRange range, List<TColumn> columns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations)
boolean
canSplitTablet(TCredentials credentials, TableId tableId, NamespaceId namespaceId)
boolean
canWrite(TCredentials credentials, TableId tableId, NamespaceId namespaceId)
void
changeAuthorizations(TCredentials credentials, String user, Authorizations authorizations)
void
changePassword(TCredentials credentials, Credentials toChange)
void
createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations)
void
deleteNamespace(TCredentials credentials, NamespaceId namespace)
void
deleteTable(TCredentials credentials, TableId tableId, NamespaceId namespaceId)
void
dropUser(TCredentials credentials, String user)
protected static Authenticator
getAuthenticator(ServerContext context)
protected static Authorizor
getAuthorizor(ServerContext context)
static SecurityOperation
getInstance(ServerContext context)
protected static PermissionHandler
getPermHandler(ServerContext context)
String
getRootUsername()
Authorizations
getUserAuthorizations(TCredentials credentials)
Authorizations
getUserAuthorizations(TCredentials credentials, String user)
void
grantNamespacePermission(TCredentials c, String user, NamespaceId namespace, NamespacePermission permission)
void
grantSystemPermission(TCredentials credentials, String user, SystemPermission permissionById)
void
grantTablePermission(TCredentials c, String user, TableId tableId, TablePermission permission, NamespaceId namespaceId)
boolean
hasNamespacePermission(TCredentials credentials, String user, NamespaceId namespace, NamespacePermission permissionById)
boolean
hasSystemPermission(TCredentials credentials, String user, SystemPermission permissionById)
boolean
hasTablePermission(TCredentials credentials, String user, TableId tableId, TablePermission permissionById)
protected boolean
hasTablePermission(TCredentials credentials, TableId tableId, NamespaceId namespaceId, TablePermission permission, boolean useCached)
Checks if a user has a table permission.
void
initializeSecurity(TCredentials credentials, String rootPrincipal, byte[] token)
boolean
isSystemUser(TCredentials credentials)
Set<String>
listUsers(TCredentials credentials)
void
revokeNamespacePermission(TCredentials c, String user, NamespaceId namespace, NamespacePermission permission)
void
revokeSystemPermission(TCredentials credentials, String user, SystemPermission permission)
void
revokeTablePermission(TCredentials c, String user, TableId tableId, TablePermission permission, NamespaceId namespaceId)
-
-
-
Field Detail
-
authorizor
protected Authorizor authorizor
-
authenticator
protected Authenticator authenticator
-
permHandle
protected PermissionHandler permHandle
-
isKerberos
protected boolean isKerberos
-
context
protected final ServerContext context
-
-
Constructor Detail
-
SecurityOperation
protected SecurityOperation(ServerContext context)
-
SecurityOperation
public SecurityOperation(ServerContext context, Authorizor author, Authenticator authent, PermissionHandler pm)
-
-
Method Detail
-
getInstance
public static SecurityOperation getInstance(ServerContext context)
-
getAuthorizor
protected static Authorizor getAuthorizor(ServerContext context)
-
getAuthenticator
protected static Authenticator getAuthenticator(ServerContext context)
-
getPermHandler
protected static PermissionHandler getPermHandler(ServerContext context)
-
initializeSecurity
public void initializeSecurity(TCredentials credentials, String rootPrincipal, byte[] token) throws AccumuloSecurityException
- Throws:
AccumuloSecurityException
-
getRootUsername
public String getRootUsername()
-
isSystemUser
public boolean isSystemUser(TCredentials credentials)
-
authenticate
protected void authenticate(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canAskAboutUser
public boolean canAskAboutUser(TCredentials credentials, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
authenticateUser
public boolean authenticateUser(TCredentials credentials, TCredentials toAuth) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
getUserAuthorizations
public Authorizations getUserAuthorizations(TCredentials credentials, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
getUserAuthorizations
public Authorizations getUserAuthorizations(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
authenticatedUserHasAuthorizations
public boolean authenticatedUserHasAuthorizations(TCredentials credentials, List<ByteBuffer> list)
Checks whether a user who has already been authenticated holds the specified authorizations.
-
hasTablePermission
protected boolean hasTablePermission(TCredentials credentials, TableId tableId, NamespaceId namespaceId, TablePermission permission, boolean useCached) throws ThriftSecurityException
Checks if a user has a table permission.
- Returns:
- true if the user exists and has the permission; false otherwise
- Throws:
ThriftSecurityException
-
_hasTablePermission
protected boolean _hasTablePermission(String user, TableId table, TablePermission permission, boolean useCached) throws ThriftSecurityException
Checks if a user has a table permission. This cannot check whether a system user has the permission.
- Returns:
- true if the user exists and has the permission; false otherwise
- Throws:
ThriftSecurityException
-
_hasNamespacePermission
protected boolean _hasNamespacePermission(String user, NamespaceId namespace, NamespacePermission permission, boolean useCached) throws ThriftSecurityException
Checks if a user has a namespace permission. This cannot check whether a system user has the permission.
- Returns:
- true if the user exists and has the permission; false otherwise
- Throws:
ThriftSecurityException
-
canScan
public boolean canScan(TCredentials credentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canScan
public boolean canScan(TCredentials credentials, TableId tableId, NamespaceId namespaceId, TRange range, List<TColumn> columns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canScan
public boolean canScan(TCredentials credentials, TableId table, NamespaceId namespaceId, Map<TKeyExtent,List<TRange>> tbatch, List<TColumn> tcolumns, List<IterInfo> ssiList, Map<String,Map<String,String>> ssio, List<ByteBuffer> authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canWrite
public boolean canWrite(TCredentials credentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canConditionallyUpdate
public boolean canConditionallyUpdate(TCredentials credentials, TableId tableID, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canSplitTablet
public boolean canSplitTablet(TCredentials credentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canPerformSystemActions
public boolean canPerformSystemActions(TCredentials credentials) throws ThriftSecurityException
This is the check to perform any system action. This includes a tserver's loading of a tablet, shutting the system down, or altering system properties.
- Throws:
ThriftSecurityException
-
canFlush
public boolean canFlush(TCredentials c, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canAlterTable
public boolean canAlterTable(TCredentials c, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCreateTable
public boolean canCreateTable(TCredentials c, String tableName, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRenameTable
public boolean canRenameTable(TCredentials c, TableId tableId, String oldTableName, String newTableName, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCloneTable
public boolean canCloneTable(TCredentials c, TableId tableId, String tableName, NamespaceId destinationNamespaceId, NamespaceId srcNamespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDeleteTable
public boolean canDeleteTable(TCredentials c, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canOnlineOfflineTable
public boolean canOnlineOfflineTable(TCredentials c, TableId tableId, FateOperation op, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canMerge
public boolean canMerge(TCredentials c, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDeleteRange
public boolean canDeleteRange(TCredentials c, TableId tableId, String tableName, org.apache.hadoop.io.Text startRow, org.apache.hadoop.io.Text endRow, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canBulkImport
public boolean canBulkImport(TCredentials c, TableId tableId, String tableName, String dir, String failDir, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCompact
public boolean canCompact(TCredentials c, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canChangeAuthorizations
public boolean canChangeAuthorizations(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canChangePassword
public boolean canChangePassword(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCreateUser
public boolean canCreateUser(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDropUser
public boolean canDropUser(TCredentials c, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canGrantSystem
public boolean canGrantSystem(TCredentials c, String user, SystemPermission sysPerm) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canGrantTable
public boolean canGrantTable(TCredentials c, String user, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canGrantNamespace
public boolean canGrantNamespace(TCredentials c, NamespaceId namespace) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRevokeSystem
public boolean canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRevokeTable
public boolean canRevokeTable(TCredentials c, String user, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRevokeNamespace
public boolean canRevokeNamespace(TCredentials c, NamespaceId namespace) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
changeAuthorizations
public void changeAuthorizations(TCredentials credentials, String user, Authorizations authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
changePassword
public void changePassword(TCredentials credentials, Credentials toChange) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
createUser
public void createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
_createUser
protected void _createUser(TCredentials credentials, Credentials newUser) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
dropUser
public void dropUser(TCredentials credentials, String user) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
grantSystemPermission
public void grantSystemPermission(TCredentials credentials, String user, SystemPermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
grantTablePermission
public void grantTablePermission(TCredentials c, String user, TableId tableId, TablePermission permission, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
grantNamespacePermission
public void grantNamespacePermission(TCredentials c, String user, NamespaceId namespace, NamespacePermission permission) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
revokeSystemPermission
public void revokeSystemPermission(TCredentials credentials, String user, SystemPermission permission) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
revokeTablePermission
public void revokeTablePermission(TCredentials c, String user, TableId tableId, TablePermission permission, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
revokeNamespacePermission
public void revokeNamespacePermission(TCredentials c, String user, NamespaceId namespace, NamespacePermission permission) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
hasSystemPermission
public boolean hasSystemPermission(TCredentials credentials, String user, SystemPermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
hasTablePermission
public boolean hasTablePermission(TCredentials credentials, String user, TableId tableId, TablePermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
hasNamespacePermission
public boolean hasNamespacePermission(TCredentials credentials, String user, NamespaceId namespace, NamespacePermission permissionById) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
listUsers
public Set<String> listUsers(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
deleteTable
public void deleteTable(TCredentials credentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
deleteNamespace
public void deleteNamespace(TCredentials credentials, NamespaceId namespace) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canExport
public boolean canExport(TCredentials credentials, TableId tableId, String tableName, String exportDir, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canImport
public boolean canImport(TCredentials credentials, String tableName, String importDir, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canAlterNamespace
public boolean canAlterNamespace(TCredentials credentials, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canCreateNamespace
public boolean canCreateNamespace(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canDeleteNamespace
public boolean canDeleteNamespace(TCredentials credentials, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canRenameNamespace
public boolean canRenameNamespace(TCredentials credentials, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canObtainDelegationToken
public boolean canObtainDelegationToken(TCredentials credentials) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
canGetSummaries
public boolean canGetSummaries(TCredentials credentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException
- Throws:
ThriftSecurityException
-
-