diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
index 6ca40e6..473f311 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
@@ -295,7 +295,7 @@ public class TableAuthManager {
 }
 }
 } else if (LOG.isDebugEnabled()) {
- LOG.debug("No permissions found");
+ LOG.debug("No permissions found for " + action);
 }
 
 return false;
@@ -488,7 +488,12 @@ public class TableAuthManager {
 * permissions.
 */
 public boolean authorizeGroup(String groupName, Permission.Action action) {
- return authorize(globalCache.getGroup(groupName), action);
+ List perms = globalCache.getGroup(groupName);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("authorizing " + (perms != null && !perms.isEmpty() ? perms.get(0) : "") +
+ " for " + action);
+ }
+ return authorize(perms, action);
 }
 
 /**
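Review bot: The new debug line in authorizeGroup(String, Permission.Action) prints only `perms.get(0)`, while authorize() evaluates the whole list, so a DEBUG trace attributes the decision to a permission that may not be the one that granted or denied it; the table-level overload added at @@ -513 repeats the same pattern. Logging the subject and the full list is accurate and just as cheap under the isDebugEnabled guard: `LOG.debug("authorizing group " + groupName + " for " + action + " against " + perms);`. `perms` is also declared as a raw `List`; the element type returned by globalCache.getGroup() is not visible in the hunk, but the declaration should carry it so that `get(0)` is type-checked rather than resolving to Object.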
@@ -513,7 +518,40 @@ public class TableAuthManager {
 return true;
 }
 // Check table level
- return authorize(getTablePermissions(table).getGroup(groupName), table, family, action);
+ List tblPerms = getTablePermissions(table).getGroup(groupName);
+ return authorize(tblPerms, table, family, action);
+ }
+
+ /**
+ * Checks authorization to a given table, column family and column for a group, based
+ * on the stored permissions.
+ * @param groupName
+ * @param table
+ * @param family
+ * @param qualifier
+ * @param action
+ * @return true if known and authorized, false otherwise
+ */
+ public boolean authorizeGroup(String groupName, TableName table, byte[] family,
+ byte[] qualifier, Permission.Action action) {
+ // Global authorization supercedes table level
+ if (authorizeGroup(groupName, action)) {
+ return true;
+ }
+ if (table == null) table = AccessControlLists.ACL_TABLE_NAME;
+ // Namespace authorization supercedes table level
+ String namespace = table.getNamespaceAsString();
+ if (authorize(getNamespacePermissions(namespace).getGroup(groupName), namespace, action)) {
+ return true;
+ }
+ // Check table level
+ List tblPerms = getTablePermissions(table).getGroup(groupName);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("authorizing " + (tblPerms != null && !tblPerms.isEmpty() ? tblPerms.get(0) : "") +
+ " for " +groupName + " on " + table + "." + Bytes.toString(family) + "." +
+ Bytes.toString(qualifier) + " with " + action);
+ }
+ return authorize(tblPerms, table, family, qualifier, action);
 }
 
 /**
@@ -548,7 +586,7 @@ public class TableAuthManager {
 String[] groups = user.getGroupNames();
 if (groups != null) {
 for (String group : groups) {
- if (authorizeGroup(group, table, family, action)) {
+ if (authorizeGroup(group, table, family, qualifier, action)) {
 return true;
 }
 }
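Review bot: The Javadoc on the new five-argument authorizeGroup leaves every `@param` tag empty, and it does not say that a null `table` is rewritten to `AccessControlLists.ACL_TABLE_NAME` before the namespace and table lookups, which decides which permission set the caller is checked against. Each parameter should get a description, with `@param table the table being accessed; null is evaluated against the ACL table` spelling out the substitution. The null substitution appears to mirror the existing four-argument overload, whose body starts outside the hunk, so this reads as a documentation gap rather than a behaviour change; if it is not deliberate, returning false for a null table would be the fail-closed default. Reassigning the parameter in place also makes the later log line print the substituted name without saying so; a local such as `TableName tbl = table == null ? AccessControlLists.ACL_TABLE_NAME : table;` keeps the argument intact and makes the substitution visible at the use sites.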