diff --git a/hbase-server/src/main/ruby/hbase/security.rb b/hbase-server/src/main/ruby/hbase/security.rb index f471132..3335c6e 100644 --- a/hbase-server/src/main/ruby/hbase/security.rb +++ b/hbase-server/src/main/ruby/hbase/security.rb @@ -36,26 +36,6 @@ module Hbase # TODO: need to validate user name - # Verify that the specified permission is valid - if (permissions == nil || permissions.length == 0) - raise(ArgumentError, "Invalid permission: no actions associated with user") - end - - if (table_name != nil) - # Table should exist - raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) - - tablebytes=table_name.to_java_bytes - htd = @admin.getTableDescriptor(tablebytes) - - if (family != nil) - raise(ArgumentError, "Can't find a family: #{family}") unless htd.hasFamily(family.to_java_bytes) - end - - fambytes = family.to_java_bytes if (family != nil) - qualbytes = qualifier.to_java_bytes if (qualifier != nil) - end - begin meta_table = org.apache.hadoop.hbase.client.HTable.new(@config, org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME) @@ -67,10 +47,48 @@ module Hbase perm = org.apache.hadoop.hbase.security.access.Permission.new( permissions.to_java_bytes) - # invoke cp endpoint to perform access controlse - org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( - protocol, user, tablebytes, fambytes, - qualbytes, perm.getActions()) + # Verify that the specified permission is valid + if (permissions == nil || permissions.length == 0) + raise(ArgumentError, "Invalid permission: no actions associated with user") + end + + if (table_name != nil) + #check if the tablename passed is actually a namespace + if (isNamespace?(table_name)) + # Namespace should exist first. + namespace_name = table_name[1...table_name.length] + raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name) + + #We pass the namespace name along with "@" so that we can differentiate a namespace from a table. + tablebytes=table_name.to_java_bytes + # invoke cp endpoint to perform access controlse + org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( + protocol, user, tablebytes, perm.getActions()) + else + # Table should exist + raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) + + tableName = org.apache.hadoop.hbase.TableName.valueOf(table_name.to_java_bytes) + htd = @admin.getTableDescriptor(tablebytes) + + if (family != nil) + raise(ArgumentError, "Can't find a family: #{family}") unless htd.hasFamily(family.to_java_bytes) + end + + fambytes = family.to_java_bytes if (family != nil) + qualbytes = qualifier.to_java_bytes if (qualifier != nil) + + # invoke cp endpoint to perform access controlse + org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( + protocol, user, tableName, fambytes, + qualbytes, perm.getActions()) + end + else + # invoke cp endpoint to perform access controlse + org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( + protocol, user, perm.getActions()) + end + ensure meta_table.close() end @@ -82,21 +100,6 @@ module Hbase # TODO: need to validate user name - if (table_name != nil) - # Table should exist - raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) - - tablebytes=table_name.to_java_bytes - htd = @admin.getTableDescriptor(tablebytes) - - if (family != nil) - raise(ArgumentError, "Can't find family: #{family}") unless htd.hasFamily(family.to_java_bytes) - end - - fambytes = family.to_java_bytes if (family != nil) - qualbytes = qualifier.to_java_bytes if (qualifier != nil) - end - begin meta_table = org.apache.hadoop.hbase.client.HTable.new(@config, org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME) @@ -106,9 +109,41 @@ module Hbase protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos:: AccessControlService.newBlockingStub(service) - # invoke cp endpoint to perform access controlse - org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( - protocol, user, tablebytes, fambytes, qualbytes) + if (table_name != nil) + #check if the tablename passed is actually a namespace + if (isNamespace?(table_name)) + # Namespace should exist first. + namespace_name = table_name[1...table_name.length] + raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name) + + #We pass the namespace name along with "@" so that we can differentiate a namespace from a table. + tablebytes=table_name.to_java_bytes + # invoke cp endpoint to perform access controlse + org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( + protocol, user, tablebytes) + else + # Table should exist + raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) + + tableName = org.apache.hadoop.hbase.TableName.valueOf(table_name.to_java_bytes) + htd = @admin.getTableDescriptor(tableName) + + if (family != nil) + raise(ArgumentError, "Can't find a family: #{family}") unless htd.hasFamily(family.to_java_bytes) + end + + fambytes = family.to_java_bytes if (family != nil) + qualbytes = qualifier.to_java_bytes if (qualifier != nil) + + # invoke cp endpoint to perform access controlse + org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( + protocol, user, tableName, fambytes, qualbytes) + end + else + # invoke cp endpoint to perform access controlse + org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( + protocol, user) + end ensure meta_table.close() end @@ -118,12 +153,6 @@ module Hbase def user_permission(table_name=nil) security_available? - if (table_name != nil) - raise(ArgumentError, "Can't find table: #{table_name}") unless exists?(table_name) - - tablebytes=table_name.to_java_bytes - end - begin meta_table = org.apache.hadoop.hbase.client.HTable.new(@config, org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME) @@ -133,9 +162,23 @@ module Hbase protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos:: AccessControlService.newBlockingStub(service) - # invoke cp endpoint to perform access controlse - perms = org.apache.hadoop.hbase.protobuf.ProtobufUtil.getUserPermissions( - protocol, tablebytes) + if (table_name != nil) + #check if namespace is passed. + if (isNamespace?(table_name)) + # Namespace should exist first. + namespace_name = table_name[1...table_name.length] + raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name) + # invoke cp endpoint to perform access controls + perms = org.apache.hadoop.hbase.protobuf.ProtobufUtil.getUserPermissions( + protocol, table_name.to_java_bytes) + else + raise(ArgumentError, "Can't find table: #{table_name}") unless exists?(table_name) + perms = org.apache.hadoop.hbase.protobuf.ProtobufUtil.getUserPermissions( + protocol, org.apache.hadoop.hbase.TableName.valueOf(table_name)) + end + else + perms = org.apache.hadoop.hbase.protobuf.ProtobufUtil.getUserPermissions(protocol) + end ensure meta_table.close() end @@ -167,11 +210,24 @@ module Hbase @admin.tableExists(table_name) end + def isNamespace?(table_name) + table_name.start_with?('@') + end + + # Does Namespace exist + def namespace_exists?(namespace_name) + namespaceDesc = @admin.getNamespaceDescriptor(namespace_name) + if(namespaceDesc == nil) + return false + else + return true + end + end + # Make sure that security tables are available def security_available?() raise(ArgumentError, "DISABLED: Security features are not available") \ unless exists?(org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME) end - end end