From st...@apache.org
Subject svn commit: r1513666 [1/4] - in /hbase/trunk: hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/ hbase-common/src/main/java/org/apache/hadoop/hbase/ hbase-protocol/src/main/j...
Date Tue, 13 Aug 2013 21:49:57 GMT
Author: stack
Date: Tue Aug 13 21:49:56 2013
New Revision: 1513666

URL: http://svn.apache.org/r1513666
Log:
HBASE-8409 Security support for namespaces

Added:
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
Modified:
    hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
    hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java
    hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ResponseConverter.java
    hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/TablePermission.java
    hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
    hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
    hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/AccessControlProtos.java
    hbase/trunk/hbase-protocol/src/main/protobuf/AccessControl.proto
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/migration/NamespaceUpgrade.java
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AuthResult.java
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/thrift/generated/Hbase.java
    hbase/trunk/hbase-server/src/main/ruby/hbase/security.rb
    hbase/trunk/hbase-server/src/test/data/TestNamespaceUpgrade.tgz
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestSecureLoadIncrementalHFiles.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestSecureLoadIncrementalHFilesSplitRecovery.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/migration/TestNamespaceUpgrade.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionsWatcher.java

Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
(original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
Tue Aug 13 21:49:56 2013
@@ -1565,10 +1565,10 @@ public final class ProtobufUtil {
    * @return the converted Permission
    */
   public static Permission toPermission(AccessControlProtos.Permission proto) {
-    if (proto.hasTableName()) {
+    if (proto.getType() != AccessControlProtos.Permission.Type.Global) {
       return toTablePermission(proto);
     } else {
-      List<Permission.Action> actions = toPermissionActions(proto.getActionList());
+      List<Permission.Action> actions = toPermissionActions(proto.getGlobalPermission().getActionList());
       return new Permission(actions.toArray(new Permission.Action[actions.size()]));
     }
   }
@@ -1580,18 +1580,43 @@ public final class ProtobufUtil {
    * @return the converted TablePermission
    */
   public static TablePermission toTablePermission(AccessControlProtos.Permission proto) {
-    List<Permission.Action> actions = toPermissionActions(proto.getActionList());
+    if(proto.getType() == AccessControlProtos.Permission.Type.Global) {
+      AccessControlProtos.GlobalPermission perm = proto.getGlobalPermission();
+      List<Permission.Action> actions = toPermissionActions(perm.getActionList());
+
+      return new TablePermission(null, null, null,
+          actions.toArray(new Permission.Action[actions.size()]));
+    }
+    if(proto.getType() == AccessControlProtos.Permission.Type.Namespace) {
+      AccessControlProtos.NamespacePermission perm = proto.getNamespacePermission();
+      List<Permission.Action> actions = toPermissionActions(perm.getActionList());
 
-    byte[] qualifier = null;
-    byte[] family = null;
-    TableName table = null;
-
-    if (proto.hasTableName()) table = ProtobufUtil.toTableName(proto.getTableName());
-    if (proto.hasFamily()) family = proto.getFamily().toByteArray();
-    if (proto.hasQualifier()) qualifier = proto.getQualifier().toByteArray();
+      if(!proto.hasNamespacePermission()) {
+        throw new IllegalStateException("Namespace must not be empty in NamespacePermission");
+      }
+      String namespace = perm.getNamespaceName().toStringUtf8();
+      return new TablePermission(namespace, actions.toArray(new Permission.Action[actions.size()]));
+    }
+    if(proto.getType() == AccessControlProtos.Permission.Type.Table) {
+      AccessControlProtos.TablePermission perm = proto.getTablePermission();
+      List<Permission.Action> actions = toPermissionActions(perm.getActionList());
+
+      byte[] qualifier = null;
+      byte[] family = null;
+      TableName table = null;
+
+      if (!perm.hasTableName()) {
+        throw new IllegalStateException("TableName cannot be empty");
+      }
+      table = ProtobufUtil.toTableName(perm.getTableName());
 
-    return new TablePermission(table, family, qualifier,
-        actions.toArray(new Permission.Action[actions.size()]));
+      if (perm.hasFamily()) family = perm.getFamily().toByteArray();
+      if (perm.hasQualifier()) qualifier = perm.getQualifier().toByteArray();
+
+      return new TablePermission(table, family, qualifier,
+          actions.toArray(new Permission.Action[actions.size()]));
+    }
+    throw new IllegalStateException("Unrecognize Perm Type: "+proto.getType());
   }
 
   /**
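Review bot: In the Namespace branch of toTablePermission the presence check runs only after `proto.getNamespacePermission()` has been read, and it tests `proto.hasNamespacePermission()` although its message is about the namespace being empty. A Namespace-typed message whose namespace name is unset would therefore decode to a permission on the empty-string namespace instead of being rejected, unless the .proto (not shown here) marks that field required. Move the check to the top of the branch and test the name as well: `if (!proto.hasNamespacePermission() || !proto.getNamespacePermission().hasNamespaceName()) { throw new IllegalStateException(...); }`. The Global and Table branches likewise read their sub-message without a `hasGlobalPermission()` / `hasTablePermission()` test.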
@@ -1601,23 +1626,47 @@ public final class ProtobufUtil {
    * @return the protobuf Permission
    */
   public static AccessControlProtos.Permission toPermission(Permission perm) {
-    AccessControlProtos.Permission.Builder builder = AccessControlProtos.Permission.newBuilder();
+    AccessControlProtos.Permission.Builder ret = AccessControlProtos.Permission.newBuilder();
     if (perm instanceof TablePermission) {
       TablePermission tablePerm = (TablePermission)perm;
-      if (tablePerm.hasTable()) {
+      if(tablePerm.hasNamespace()) {
+        ret.setType(AccessControlProtos.Permission.Type.Namespace);
+
+        AccessControlProtos.NamespacePermission.Builder builder =
+            AccessControlProtos.NamespacePermission.newBuilder();
+        builder.setNamespaceName(ByteString.copyFromUtf8(tablePerm.getNamespace()));
+        for (Permission.Action a : perm.getActions()) {
+          builder.addAction(toPermissionAction(a));
+        }
+        ret.setNamespacePermission(builder);
+      } else if (tablePerm.hasTable()) {
+        ret.setType(AccessControlProtos.Permission.Type.Table);
+
+        AccessControlProtos.TablePermission.Builder builder =
+            AccessControlProtos.TablePermission.newBuilder();
         builder.setTableName(ProtobufUtil.toProtoTableName(tablePerm.getTable()));
+        if (tablePerm.hasFamily()) {
+          builder.setFamily(ByteString.copyFrom(tablePerm.getFamily()));
+        }
+        if (tablePerm.hasQualifier()) {
+          builder.setQualifier(ByteString.copyFrom(tablePerm.getQualifier()));
+        }
+        for (Permission.Action a : perm.getActions()) {
+          builder.addAction(toPermissionAction(a));
+        }
+        ret.setTablePermission(builder);
       }
-      if (tablePerm.hasFamily()) {
-        builder.setFamily(ByteString.copyFrom(tablePerm.getFamily()));
-      }
-      if (tablePerm.hasQualifier()) {
-        builder.setQualifier(ByteString.copyFrom(tablePerm.getQualifier()));
+    } else {
+      ret.setType(AccessControlProtos.Permission.Type.Global);
+
+      AccessControlProtos.GlobalPermission.Builder builder =
+          AccessControlProtos.GlobalPermission.newBuilder();
+      for (Permission.Action a : perm.getActions()) {
+        builder.addAction(toPermissionAction(a));
       }
+      ret.setGlobalPermission(builder);
     }
-    for (Permission.Action a : perm.getActions()) {
-      builder.addAction(toPermissionAction(a));
-    }
-    return builder.build();
+    return ret.build();
   }
 
   /**
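Review bot: A `TablePermission` that has neither a namespace nor a table falls through the `if` / `else if` in toPermission with no type and no sub-message set, so its actions are dropped from the encoded message (or `build()` fails, if `type` is a required field; the .proto is not shown here). The decoder in the previous hunk creates exactly such an object for Global entries (`new TablePermission(null, null, null, ...)`), and toUserPermission now routes through this method, so global grants carried as table-style permissions look affected. A final `else` inside the `instanceof TablePermission` branch that encodes the Global form would close the gap.

```java
      } else if (tablePerm.hasTable()) {
        // … unchanged: Table branch …
      } else {
        // Neither namespace nor table: encode as Global instead of leaving the type unset.
        ret.setType(AccessControlProtos.Permission.Type.Global);
        AccessControlProtos.GlobalPermission.Builder builder =
            AccessControlProtos.GlobalPermission.newBuilder();
        for (Permission.Action a : perm.getActions()) {
          builder.addAction(toPermissionAction(a));
        }
        ret.setGlobalPermission(builder);
      }
```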
@@ -1688,24 +1737,9 @@ public final class ProtobufUtil {
    * @return the protobuf UserPermission
    */
   public static AccessControlProtos.UserPermission toUserPermission(UserPermission perm)
{
-    AccessControlProtos.Permission.Builder permissionBuilder =
-        AccessControlProtos.Permission.newBuilder();
-    for (Permission.Action a : perm.getActions()) {
-      permissionBuilder.addAction(toPermissionAction(a));
-    }
-    if (perm.hasTable()) {
-      permissionBuilder.setTableName(ProtobufUtil.toProtoTableName(perm.getTable()));
-    }
-    if (perm.hasFamily()) {
-      permissionBuilder.setFamily(ByteString.copyFrom(perm.getFamily()));
-    }
-    if (perm.hasQualifier()) {
-      permissionBuilder.setQualifier(ByteString.copyFrom(perm.getQualifier()));
-    }
-
     return AccessControlProtos.UserPermission.newBuilder()
         .setUser(ByteString.copyFrom(perm.getUser()))
-        .setPermission(permissionBuilder)
+        .setPermission(toPermission(perm))
         .build();
   }
 
@@ -1716,20 +1750,8 @@ public final class ProtobufUtil {
    * @return the converted UserPermission
    */
   public static UserPermission toUserPermission(AccessControlProtos.UserPermission proto)
{
-    AccessControlProtos.Permission permission = proto.getPermission();
-    List<Permission.Action> actions = toPermissionActions(permission.getActionList());
-
-    byte[] qualifier = null;
-    byte[] family = null;
-    TableName table = null;
-
-    if (permission.hasTableName()) table = ProtobufUtil.toTableName(permission.getTableName());
-    if (permission.hasFamily()) family = permission.getFamily().toByteArray();
-    if (permission.hasQualifier()) qualifier = permission.getQualifier().toByteArray();
-
     return new UserPermission(proto.getUser().toByteArray(),
-        table, family, qualifier,
-        actions.toArray(new Permission.Action[actions.size()]));
+        toTablePermission(proto.getPermission()));
   }
 
   /**
@@ -1739,26 +1761,48 @@ public final class ProtobufUtil {
    * @param perm the list of user and table permissions
    * @return the protobuf UserTablePermissions
    */
-  public static AccessControlProtos.UserTablePermissions toUserTablePermissions(
+  public static AccessControlProtos.UsersAndPermissions toUserTablePermissions(
       ListMultimap<String, TablePermission> perm) {
-    AccessControlProtos.UserTablePermissions.Builder builder =
-                  AccessControlProtos.UserTablePermissions.newBuilder();
+    AccessControlProtos.UsersAndPermissions.Builder builder =
+                  AccessControlProtos.UsersAndPermissions.newBuilder();
     for (Map.Entry<String, Collection<TablePermission>> entry : perm.asMap().entrySet())
{
-      AccessControlProtos.UserTablePermissions.UserPermissions.Builder userPermBuilder =
-                  AccessControlProtos.UserTablePermissions.UserPermissions.newBuilder();
+      AccessControlProtos.UsersAndPermissions.UserPermissions.Builder userPermBuilder =
+                  AccessControlProtos.UsersAndPermissions.UserPermissions.newBuilder();
       userPermBuilder.setUser(ByteString.copyFromUtf8(entry.getKey()));
       for (TablePermission tablePerm: entry.getValue()) {
         userPermBuilder.addPermissions(toPermission(tablePerm));
       }
-      builder.addPermissions(userPermBuilder.build());
+      builder.addUserPermissions(userPermBuilder.build());
     }
     return builder.build();
   }
 
   /**
-   * A utility used to grant a user some permissions. The permissions will
-   * be global if table is not specified.  Otherwise, they are for those
-   * table/column family/qualifier only.
+   * A utility used to grant a user global permissions.
+   * <p>
+   * It's also called by the shell, in case you want to find references.
+   *
+   * @param protocol the AccessControlService protocol proxy
+   * @param userShortName the short name of the user to grant permissions
+   * @param actions the permissions to be granted
+   * @throws ServiceException
+   */
+  public static void grant(AccessControlService.BlockingInterface protocol,
+      String userShortName, Permission.Action... actions) throws ServiceException {
+    List<AccessControlProtos.Permission.Action> permActions =
+        Lists.newArrayListWithCapacity(actions.length);
+    for (Permission.Action a : actions) {
+      permActions.add(ProtobufUtil.toPermissionAction(a));
+    }
+    AccessControlProtos.GrantRequest request = RequestConverter.
+      buildGrantRequest(userShortName, permActions.toArray(
+        new AccessControlProtos.Permission.Action[actions.length]));
+    protocol.grant(null, request);
+  }
+
+  /**
+   * A utility used to grant a user table permissions. The permissions will
+   * be for a table table/column family/qualifier.
    * <p>
    * It's also called by the shell, in case you want to find references.
    *
@@ -1785,9 +1829,55 @@ public final class ProtobufUtil {
   }
 
   /**
-   * A utility used to revoke a user some permissions. The permissions will
-   * be global if table is not specified.  Otherwise, they are for those
-   * table/column family/qualifier only.
+   * A utility used to grant a user namespace permissions.
+   * <p>
+   * It's also called by the shell, in case you want to find references.
+   *
+   * @param protocol the AccessControlService protocol proxy
+   * @param namespace the short name of the user to grant permissions
+   * @param actions the permissions to be granted
+   * @throws ServiceException
+   */
+  public static void grant(AccessControlService.BlockingInterface protocol,
+      String userShortName, String namespace,
+      Permission.Action... actions) throws ServiceException {
+    List<AccessControlProtos.Permission.Action> permActions =
+        Lists.newArrayListWithCapacity(actions.length);
+    for (Permission.Action a : actions) {
+      permActions.add(ProtobufUtil.toPermissionAction(a));
+    }
+    AccessControlProtos.GrantRequest request = RequestConverter.
+      buildGrantRequest(userShortName, namespace, permActions.toArray(
+        new AccessControlProtos.Permission.Action[actions.length]));
+    protocol.grant(null, request);
+  }
+
+  /**
+   * A utility used to revoke a user's global permissions.
+   * <p>
+   * It's also called by the shell, in case you want to find references.
+   *
+   * @param protocol the AccessControlService protocol proxy
+   * @param userShortName the short name of the user to revoke permissions
+   * @param actions the permissions to be revoked
+   * @throws ServiceException
+   */
+  public static void revoke(AccessControlService.BlockingInterface protocol,
+      String userShortName, Permission.Action... actions) throws ServiceException {
+    List<AccessControlProtos.Permission.Action> permActions =
+        Lists.newArrayListWithCapacity(actions.length);
+    for (Permission.Action a : actions) {
+      permActions.add(ProtobufUtil.toPermissionAction(a));
+    }
+    AccessControlProtos.RevokeRequest request = RequestConverter.
+      buildRevokeRequest(userShortName, permActions.toArray(
+        new AccessControlProtos.Permission.Action[actions.length]));
+    protocol.revoke(null, request);
+  }
+
+  /**
+   * A utility used to revoke a user's table permissions. The permissions will
+   * be for a table/column family/qualifier.
    * <p>
    * It's also called by the shell, in case you want to find references.
    *
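Review bot: The Javadoc on the namespace `grant` overload documents the wrong parameter: `@param namespace the short name of the user to grant permissions` describes `userShortName`, which has no tag of its own. Suggested tags: `@param userShortName the short name of the user to grant permissions` and `@param namespace the namespace the permissions apply to`. The namespace `revoke` overload in the next hunk has the same slip (`@param namespace optional table name`). This hunk ends inside the Javadoc of the following method.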
@@ -1814,7 +1904,55 @@ public final class ProtobufUtil {
   }
 
   /**
-   * A utility used to get user permissions.
+   * A utility used to revoke a user's namespace permissions.
+   * <p>
+   * It's also called by the shell, in case you want to find references.
+   *
+   * @param protocol the AccessControlService protocol proxy
+   * @param userShortName the short name of the user to revoke permissions
+   * @param namespace optional table name
+   * @param actions the permissions to be revoked
+   * @throws ServiceException
+   */
+  public static void revoke(AccessControlService.BlockingInterface protocol,
+      String userShortName, String namespace,
+      Permission.Action... actions) throws ServiceException {
+    List<AccessControlProtos.Permission.Action> permActions =
+        Lists.newArrayListWithCapacity(actions.length);
+    for (Permission.Action a : actions) {
+      permActions.add(ProtobufUtil.toPermissionAction(a));
+    }
+    AccessControlProtos.RevokeRequest request = RequestConverter.
+      buildRevokeRequest(userShortName, namespace, permActions.toArray(
+        new AccessControlProtos.Permission.Action[actions.length]));
+    protocol.revoke(null, request);
+  }
+
+  /**
+   * A utility used to get user's global permissions.
+   * <p>
+   * It's also called by the shell, in case you want to find references.
+   *
+   * @param protocol the AccessControlService protocol proxy
+   * @throws ServiceException
+   */
+  public static List<UserPermission> getUserPermissions(
+      AccessControlService.BlockingInterface protocol) throws ServiceException {
+    AccessControlProtos.UserPermissionsRequest.Builder builder =
+      AccessControlProtos.UserPermissionsRequest.newBuilder();
+    builder.setType(AccessControlProtos.Permission.Type.Global);
+    AccessControlProtos.UserPermissionsRequest request = builder.build();
+    AccessControlProtos.UserPermissionsResponse response =
+      protocol.getUserPermissions(null, request);
+    List<UserPermission> perms = new ArrayList<UserPermission>();
+    for (AccessControlProtos.UserPermission perm: response.getUserPermissionList()) {
+      perms.add(ProtobufUtil.toUserPermission(perm));
+    }
+    return perms;
+  }
+
+  /**
+   * A utility used to get user table permissions.
    * <p>
    * It's also called by the shell, in case you want to find references.
    *
@@ -1830,11 +1968,12 @@ public final class ProtobufUtil {
     if (t != null) {
       builder.setTableName(ProtobufUtil.toProtoTableName(t));
     }
+    builder.setType(AccessControlProtos.Permission.Type.Table);
     AccessControlProtos.UserPermissionsRequest request = builder.build();
     AccessControlProtos.UserPermissionsResponse response =
       protocol.getUserPermissions(null, request);
     List<UserPermission> perms = new ArrayList<UserPermission>();
-    for (AccessControlProtos.UserPermission perm: response.getPermissionList()) {
+    for (AccessControlProtos.UserPermission perm: response.getUserPermissionList()) {
       perms.add(ProtobufUtil.toUserPermission(perm));
     }
     return perms;
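Review bot: `builder.setType(AccessControlProtos.Permission.Type.Table)` is now set even when `t` is null, so the request is typed Table but carries no table name. With the new no-table overload handling global lookups, a null `t` here is probably a caller error; rejecting it up front with `if (t == null) throw new NullPointerException("TableName cannot be null");` would match what buildGrantRequest does for tables in this commit. How the server treats a Table request without a name is not visible in this diff. The method starts outside the hunk.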
@@ -1848,12 +1987,12 @@ public final class ProtobufUtil {
    * @return the converted UserPermission
    */
   public static ListMultimap<String, TablePermission> toUserTablePermissions(
-      AccessControlProtos.UserTablePermissions proto) {
+      AccessControlProtos.UsersAndPermissions proto) {
     ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
-    AccessControlProtos.UserTablePermissions.UserPermissions userPerm;
+    AccessControlProtos.UsersAndPermissions.UserPermissions userPerm;
 
-    for (int i = 0; i < proto.getPermissionsCount(); i++) {
-      userPerm = proto.getPermissions(i);
+    for (int i = 0; i < proto.getUserPermissionsCount(); i++) {
+      userPerm = proto.getUserPermissions(i);
       for (int j = 0; j < userPerm.getPermissionsCount(); j++) {
         TablePermission tablePerm = toTablePermission(userPerm.getPermissions(j));
         perms.put(userPerm.getUser().toStringUtf8(), tablePerm);

Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java
(original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java
Tue Aug 13 21:49:56 2013
@@ -1205,6 +1205,32 @@ public final class RequestConverter {
    * Create a request to grant user permissions.
    *
    * @param username the short user name who to grant permissions
+   * @param actions the permissions to be granted
+   * @return A {@link AccessControlProtos} GrantRequest
+   */
+  public static AccessControlProtos.GrantRequest buildGrantRequest(
+      String username, AccessControlProtos.Permission.Action... actions) {
+    AccessControlProtos.Permission.Builder ret =
+        AccessControlProtos.Permission.newBuilder();
+    AccessControlProtos.GlobalPermission.Builder permissionBuilder =
+        AccessControlProtos.GlobalPermission.newBuilder();
+    for (AccessControlProtos.Permission.Action a : actions) {
+      permissionBuilder.addAction(a);
+    }
+    ret.setType(AccessControlProtos.Permission.Type.Global)
+       .setGlobalPermission(permissionBuilder);
+    return AccessControlProtos.GrantRequest.newBuilder()
+      .setUserPermission(
+          AccessControlProtos.UserPermission.newBuilder()
+              .setUser(ByteString.copyFromUtf8(username))
+              .setPermission(ret)
+      ).build();
+  }
+
+  /**
+   * Create a request to grant user permissions.
+   *
+   * @param username the short user name who to grant permissions
    * @param tableName optional table name the permissions apply
    * @param family optional column family
    * @param qualifier optional qualifier
@@ -1214,26 +1240,88 @@ public final class RequestConverter {
   public static AccessControlProtos.GrantRequest buildGrantRequest(
       String username, TableName tableName, byte[] family, byte[] qualifier,
       AccessControlProtos.Permission.Action... actions) {
-    AccessControlProtos.Permission.Builder permissionBuilder =
+    AccessControlProtos.Permission.Builder ret =
         AccessControlProtos.Permission.newBuilder();
+    AccessControlProtos.TablePermission.Builder permissionBuilder =
+        AccessControlProtos.TablePermission.newBuilder();
     for (AccessControlProtos.Permission.Action a : actions) {
       permissionBuilder.addAction(a);
     }
-    if (tableName != null) {
-      permissionBuilder.setTableName(ProtobufUtil.toProtoTableName(tableName));
+    if (tableName == null) {
+      throw new NullPointerException("TableName cannot be null");
     }
+    permissionBuilder.setTableName(ProtobufUtil.toProtoTableName(tableName));
+
     if (family != null) {
       permissionBuilder.setFamily(ByteString.copyFrom(family));
     }
     if (qualifier != null) {
       permissionBuilder.setQualifier(ByteString.copyFrom(qualifier));
     }
+    ret.setType(AccessControlProtos.Permission.Type.Table)
+       .setTablePermission(permissionBuilder);
+    return AccessControlProtos.GrantRequest.newBuilder()
+      .setUserPermission(
+          AccessControlProtos.UserPermission.newBuilder()
+              .setUser(ByteString.copyFromUtf8(username))
+              .setPermission(ret)
+      ).build();
+  }
 
+  /**
+   * Create a request to grant user permissions.
+   *
+   * @param username the short user name who to grant permissions
+   * @param namespace optional table name the permissions apply
+   * @param actions the permissions to be granted
+   * @return A {@link AccessControlProtos} GrantRequest
+   */
+  public static AccessControlProtos.GrantRequest buildGrantRequest(
+      String username, String namespace,
+      AccessControlProtos.Permission.Action... actions) {
+    AccessControlProtos.Permission.Builder ret =
+        AccessControlProtos.Permission.newBuilder();
+    AccessControlProtos.NamespacePermission.Builder permissionBuilder =
+        AccessControlProtos.NamespacePermission.newBuilder();
+    for (AccessControlProtos.Permission.Action a : actions) {
+      permissionBuilder.addAction(a);
+    }
+    if (namespace != null) {
+      permissionBuilder.setNamespaceName(ByteString.copyFromUtf8(namespace));
+    }
+    ret.setType(AccessControlProtos.Permission.Type.Namespace)
+       .setNamespacePermission(permissionBuilder);
     return AccessControlProtos.GrantRequest.newBuilder()
-      .setPermission(
+      .setUserPermission(
+          AccessControlProtos.UserPermission.newBuilder()
+              .setUser(ByteString.copyFromUtf8(username))
+              .setPermission(ret)
+      ).build();
+  }
+
+  /**
+   * Create a request to revoke user permissions.
+   *
+   * @param username the short user name whose permissions to be revoked
+   * @param actions the permissions to be revoked
+   * @return A {@link AccessControlProtos} RevokeRequest
+   */
+  public static AccessControlProtos.RevokeRequest buildRevokeRequest(
+      String username, AccessControlProtos.Permission.Action... actions) {
+    AccessControlProtos.Permission.Builder ret =
+        AccessControlProtos.Permission.newBuilder();
+    AccessControlProtos.GlobalPermission.Builder permissionBuilder =
+        AccessControlProtos.GlobalPermission.newBuilder();
+    for (AccessControlProtos.Permission.Action a : actions) {
+      permissionBuilder.addAction(a);
+    }
+    ret.setType(AccessControlProtos.Permission.Type.Global)
+       .setGlobalPermission(permissionBuilder);
+    return AccessControlProtos.RevokeRequest.newBuilder()
+      .setUserPermission(
           AccessControlProtos.UserPermission.newBuilder()
               .setUser(ByteString.copyFromUtf8(username))
-              .setPermission(permissionBuilder.build())
+              .setPermission(ret)
       ).build();
   }
 
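Review bot: The namespace overload of buildGrantRequest skips `setNamespaceName` when `namespace` is null but still stamps the permission `Type.Namespace`, whereas the table overload in the same hunk now throws on a null table. The result is a Namespace grant with no namespace, which the receiving side would read as an empty name unless it validates. Reject it the same way: `if (namespace == null) { throw new NullPointerException("Namespace cannot be null"); }`. The namespace overload of buildRevokeRequest in the last hunk of this file has the same `if (namespace != null)` guard, and both Javadocs still describe the parameter as `optional table name`.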
@@ -1250,8 +1338,10 @@ public final class RequestConverter {
   public static AccessControlProtos.RevokeRequest buildRevokeRequest(
       String username, TableName tableName, byte[] family, byte[] qualifier,
       AccessControlProtos.Permission.Action... actions) {
-    AccessControlProtos.Permission.Builder permissionBuilder =
+    AccessControlProtos.Permission.Builder ret =
         AccessControlProtos.Permission.newBuilder();
+    AccessControlProtos.TablePermission.Builder permissionBuilder =
+        AccessControlProtos.TablePermission.newBuilder();
     for (AccessControlProtos.Permission.Action a : actions) {
       permissionBuilder.addAction(a);
     }
@@ -1264,12 +1354,44 @@ public final class RequestConverter {
     if (qualifier != null) {
       permissionBuilder.setQualifier(ByteString.copyFrom(qualifier));
     }
+    ret.setType(AccessControlProtos.Permission.Type.Table)
+       .setTablePermission(permissionBuilder);
+    return AccessControlProtos.RevokeRequest.newBuilder()
+      .setUserPermission(
+          AccessControlProtos.UserPermission.newBuilder()
+              .setUser(ByteString.copyFromUtf8(username))
+              .setPermission(ret)
+      ).build();
+  }
 
+  /**
+   * Create a request to revoke user permissions.
+   *
+   * @param username the short user name whose permissions to be revoked
+   * @param namespace optional table name the permissions apply
+   * @param actions the permissions to be revoked
+   * @return A {@link AccessControlProtos} RevokeRequest
+   */
+  public static AccessControlProtos.RevokeRequest buildRevokeRequest(
+      String username, String namespace,
+      AccessControlProtos.Permission.Action... actions) {
+    AccessControlProtos.Permission.Builder ret =
+        AccessControlProtos.Permission.newBuilder();
+    AccessControlProtos.NamespacePermission.Builder permissionBuilder =
+        AccessControlProtos.NamespacePermission.newBuilder();
+    for (AccessControlProtos.Permission.Action a : actions) {
+      permissionBuilder.addAction(a);
+    }
+    if (namespace != null) {
+      permissionBuilder.setNamespaceName(ByteString.copyFromUtf8(namespace));
+    }
+    ret.setType(AccessControlProtos.Permission.Type.Namespace)
+       .setNamespacePermission(permissionBuilder);
     return AccessControlProtos.RevokeRequest.newBuilder()
-      .setPermission(
+      .setUserPermission(
           AccessControlProtos.UserPermission.newBuilder()
               .setUser(ByteString.copyFromUtf8(username))
-              .setPermission(permissionBuilder.build())
+              .setPermission(ret)
       ).build();
   }
 

Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ResponseConverter.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ResponseConverter.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ResponseConverter.java
(original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ResponseConverter.java
Tue Aug 13 21:49:56 2013
@@ -116,7 +116,7 @@ public final class ResponseConverter {
       final List<UserPermission> permissions) {
     UserPermissionsResponse.Builder builder = UserPermissionsResponse.newBuilder();
     for (UserPermission perm : permissions) {
-      builder.addPermission(ProtobufUtil.toUserPermission(perm));
+      builder.addUserPermission(ProtobufUtil.toUserPermission(perm));
     }
     return builder.build();
   }

Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/TablePermission.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/TablePermission.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/TablePermission.java
(original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/TablePermission.java
Tue Aug 13 21:49:56 2013
@@ -41,6 +41,10 @@ public class TablePermission extends Per
   private byte[] family;
   private byte[] qualifier;
 
+  //TODO refactor this class
+  //we need to refacting this into three classes (Global, Table, Namespace)
+  private String namespace;
+
   /** Nullary constructor for Writable, do not use */
   public TablePermission() {
     super();
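Review bot: `namespace` is added as one more nullable field on a class that already distinguishes scopes by which fields are null, and nothing in this hunk shows it taking part in `equals()`, `hashCode()` or the Writable serialization that the nullary constructor exists for. If those methods were not updated, two permissions that differ only by namespace would compare equal and the namespace would be lost on a round trip, so that is worth confirming. Until the refactoring named in the TODO happens, a comment on the field should state the intended invariant, in particular whether `namespace` and `table` may both be set. The nullary constructor's body continues outside the hunk.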
@@ -87,6 +91,62 @@ public class TablePermission extends Per
     this.qualifier = qualifier;
   }
 
+  /**
+   * Creates a new permission for the given namespace or table, restricted to the given
+   * column family and qualifer, allowing the assigned actions to be performed.
+   * @param namespace
+   * @param table the table
+   * @param family the family, can be null if a global permission on the table
+   * @param assigned the list of allowed actions
+   */
+  public TablePermission(String namespace, TableName table, byte[] family, byte[] qualifier,
+      Action... assigned) {
+    super(assigned);
+    this.namespace = namespace;
+    this.table = table;
+    this.family = family;
+    this.qualifier = qualifier;
+  }
+
+  /**
+   * Creates a new permission for the given namespace or table, family and column qualifier,
+   * allowing the actions matching the provided byte codes to be performed.
+   * @param namespace
+   * @param table the table
+   * @param family the family, can be null if a global permission on the table
+   * @param actionCodes the list of allowed action codes
+   */
+  public TablePermission(String namespace, TableName table, byte[] family, byte[] qualifier,
+      byte[] actionCodes) {
+    super(actionCodes);
+    this.namespace = namespace;
+    this.table = table;
+    this.family = family;
+    this.qualifier = qualifier;
+  }
+
+  /**
+   * Creates a new permission for the given namespace,
+   * allowing the actions matching the provided byte codes to be performed.
+   * @param namespace
+   * @param actionCodes the list of allowed action codes
+   */
+  public TablePermission(String namespace, byte[] actionCodes) {
+    super(actionCodes);
+    this.namespace = namespace;
+  }
+
+  /**
+   * Create a new permission for the given namespace,
+   * allowing the given actions.
+   * @param namespace
+   * @param assigned the list of allowed actions
+   */
+  public TablePermission(String namespace, Action... assigned) {
+    super(assigned);
+    this.namespace = namespace;
+  }
+
   public boolean hasTable() {
     return table != null;
   }
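Review bot: The two namespace-only constructors at the end of this hunk store `namespace` without a null check, so a caller that passes null gets a permission with neither a table nor a namespace set. With the `isGlobal()` change to UserPermission later in this commit (`!hasTable() && !hasNamespace()`), such an instance reports itself as a global grant instead of being rejected. I would fail fast after the `super(...)` call in those two constructors, e.g. `if (namespace == null) throw new IllegalArgumentException("namespace must not be null");`. The four-argument forms should stay permissive, since they are also used for table-scoped permissions. The `@param namespace` tags are empty throughout, and `qualifier` is undocumented on the four-argument constructors.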
@@ -111,6 +171,32 @@ public class TablePermission extends Per
     return qualifier;
   }
 
+  public boolean hasNamespace() {
+    return namespace != null;
+  }
+
+  public String getNamespace() {
+    return namespace;
+  }
+
+  /**
+   * Checks that a given table operation is authorized by this permission
+   * instance.
+   *
+   * @param namespace the namespace where the operation is being performed
+   * @param action the action being requested
+   * @return <code>true</code> if the action within the given scope is allowed
+   *   by this permission, <code>false</code>
+   */
+  public boolean implies(String namespace, Action action) {
+    if (!this.namespace.equals(namespace)) {
+      return false;
+    }
+
+    // check actions
+    return super.implies(action);
+  }
+
   /**
    * Checks that a given table operation is authorized by this permission
    * instance.
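Review bot: `implies(String namespace, Action action)` dereferences `this.namespace` unconditionally, so calling it on a table-scoped or global permission, where the field is null, throws a NullPointerException instead of answering false. An authorization check should deny in that case: `if (this.namespace == null || !this.namespace.equals(namespace)) { return false; }`. The Javadoc was copied from the table variant and still says "table operation". Its `@return` sentence also stops at `<code>false</code>` without "otherwise", and it should describe a namespace-scoped check.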
@@ -234,7 +320,9 @@ public class TablePermission extends Per
         ((family == null && other.getFamily() == null) ||
          Bytes.equals(family, other.getFamily())) &&
         ((qualifier == null && other.getQualifier() == null) ||
-         Bytes.equals(qualifier, other.getQualifier()))
+         Bytes.equals(qualifier, other.getQualifier())) &&
+        ((namespace == null && other.getNamespace() == null) ||
+         namespace.equals(other.getNamespace()))
        )) {
       return false;
     }
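Review bot: The added namespace term throws a NullPointerException when `namespace` is null and `other.getNamespace()` is not, because the right-hand side of the `||` calls `namespace.equals(...)` without a guard. That looks reachable when a global permission is compared with a namespace permission, although the table term of this condition is outside the hunk, so I cannot confirm it does not short-circuit first. A null-safe form is `(namespace == null ? other.getNamespace() == null : namespace.equals(other.getNamespace()))`. The enclosing method starts outside the hunk.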
@@ -256,15 +344,28 @@ public class TablePermission extends Per
     if (qualifier != null) {
       result = prime * result + Bytes.hashCode(qualifier);
     }
+    if (namespace != null) {
+      result = prime * result + namespace.hashCode();
+    }
     return result;
   }
 
   public String toString() {
-    StringBuilder str = new StringBuilder("[TablePermission: ")
-        .append("table=").append(table)
-        .append(", family=").append(Bytes.toString(family))
-        .append(", qualifier=").append(Bytes.toString(qualifier))
-        .append(", actions=");
+    StringBuilder str = new StringBuilder("[TablePermission: ");
+    if(namespace != null) {
+      str.append("namespace=").append(namespace)
+         .append(", ");
+    }
+    else if(table != null) {
+       str.append("table=").append(table)
+          .append(", family=")
+          .append(family == null ? null : Bytes.toString(family))
+          .append(", qualifier=")
+          .append(qualifier == null ? null : Bytes.toString(qualifier))
+          .append(", ");
+    } else {
+      str.append("actions=");
+    }
     if (actions != null) {
       for (int i=0; i<actions.length; i++) {
         if (i > 0)
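Review bot: In the rewritten `toString()`, the `actions=` label is appended only in the final `else` branch, so a namespace- or table-scoped permission prints its actions directly after the trailing `, ` with no label. Because the chain is `if`/`else if`, a permission built with both a namespace and a table also drops the table, family and qualifier from the string. Both make logged grants harder to audit. I would append each populated scope field independently and then call `str.append("actions=");` unconditionally after the chain. The loop that prints the actions continues outside the hunk.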
@@ -291,6 +392,9 @@ public class TablePermission extends Per
     if (in.readBoolean()) {
       qualifier = Bytes.readByteArray(in);
     }
+    if(in.readBoolean()) {
+      namespace = Bytes.toString(Bytes.readByteArray(in));
+    }
   }
 
   @Override
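Review bot: `readFields` now reads one more boolean unconditionally, and `write` in the next hunk emits it, so the Writable layout changes with no version gate visible in either hunk. Bytes serialized by a release without this field end before the flag, so `in.readBoolean()` would either fail or, if more data follows in the stream, consume a byte that belongs to something else. I cannot tell from here whether the migration in this commit rewrites persisted ACL entries. If the old layout can still arrive, guard the read by the class's version. If it cannot, say so in a comment such as `// namespace flag added by HBASE-8409; older serialized permissions do not carry it`. Both method bodies start outside their hunks.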
@@ -305,5 +409,9 @@ public class TablePermission extends Per
     if (qualifier != null) {
       Bytes.writeByteArray(out, qualifier);
     }
+    out.writeBoolean(namespace != null);
+    if(namespace != null) {
+      Bytes.writeByteArray(out, Bytes.toBytes(namespace));
+    }
   }
 }

Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
(original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
Tue Aug 13 21:49:56 2013
@@ -63,6 +63,29 @@ public class UserPermission extends Tabl
   }
 
   /**
+   * Creates a new instance for the given user.
+   * @param user the user
+   * @param namespace
+   * @param assigned the list of allowed actions
+   */
+  public UserPermission(byte[] user, String namespace, Action... assigned) {
+    super(namespace, assigned);
+    this.user = user;
+  }
+
+  /**
+   * Creates a new instance for the given user,
+   * matching the actions with the given codes.
+   * @param user the user
+   * @param namespace
+   * @param actionCodes the list of allowed action codes
+   */
+  public UserPermission(byte[] user, String namespace, byte[] actionCodes) {
+    super(namespace, actionCodes);
+    this.user = user;
+  }
+
+  /**
    * Creates a new instance for the given user, table and column family.
    * @param user the user
    * @param table the table
@@ -110,6 +133,18 @@ public class UserPermission extends Tabl
     this.user = user;
   }
 
+  /**
+   * Creates a new instance for the given user, table, column family and
+   * qualifier, matching the actions with the given codes.
+   * @param user the user
+   * @param perm a TablePermission
+   */
+  public UserPermission(byte[] user, TablePermission perm) {
+    super(perm.getNamespace(), perm.getTable(), perm.getFamily(), perm.getQualifier(),
+        perm.actions);
+    this.user = user;
+  }
+
   public byte[] getUser() {
     return user;
   }
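Review bot: The Javadoc on `UserPermission(byte[] user, TablePermission perm)` was copied from the action-code constructor and does not describe this one, which takes namespace, table, family, qualifier and actions from `perm`. It also dereferences `perm` inside the `super(...)` call, so a null argument fails with a bare NullPointerException; that precondition is worth stating. Suggested summary: `Creates a new instance for the given user with the scope and actions of an existing TablePermission.` with `@param perm the permission whose scope and actions are used, must not be null`. Whether the arrays are shared or copied depends on the superclass constructors, which are not visible here.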
@@ -118,8 +153,7 @@ public class UserPermission extends Tabl
    * Returns true if this permission describes a global user permission.
    */
   public boolean isGlobal() {
-    TableName tableName = getTable();
-    return(tableName == null);
+    return(!hasTable() && !hasNamespace());
   }
 
   @Override

Modified: hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java (original)
+++ hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java Tue Aug
13 21:49:56 2013
@@ -289,6 +289,9 @@ public final class HConstants {
   /** Used by HBCK to sideline backup data */
   public static final String HBCK_SIDELINEDIR_NAME = ".hbck";
 
+  /** Any artifacts left from migration can be moved here */
+  public static final String MIGRATION_NAME = ".migration";
+
   /** Used to construct the name of the compaction directory during compaction */
   public static final String HREGION_COMPACTIONDIR_NAME = "compaction.dir";
 
@@ -835,7 +838,7 @@ public final class HConstants {
     Collections.unmodifiableList(Arrays.asList(new String[] { HREGION_LOGDIR_NAME,
       HREGION_OLDLOGDIR_NAME, CORRUPT_DIR_NAME, SPLIT_LOGDIR_NAME,
       HBCK_SIDELINEDIR_NAME, HFILE_ARCHIVE_DIRECTORY, SNAPSHOT_DIR_NAME, HBASE_TEMP_DIRECTORY,
-      OLD_SNAPSHOT_DIR_NAME, BASE_NAMESPACE_DIR}));
+      OLD_SNAPSHOT_DIR_NAME, BASE_NAMESPACE_DIR, MIGRATION_NAME}));
 
   /** Directories that are not HBase user table directories */
   public static final List<String> HBASE_NON_USER_TABLE_DIRS =


