diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index cb664bb2d2f8..3779903f869a 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -429,7 +429,6 @@ private enum OpType { DELETE("delete"), CHECK_AND_PUT("checkAndPut"), CHECK_AND_DELETE("checkAndDelete"), - INCREMENT_COLUMN_VALUE("incrementColumnValue"), APPEND("append"), INCREMENT("increment"); @@ -1503,18 +1502,27 @@ public void preBatchMutate(ObserverContext c, // We have a failure with table, cf and q perm checks and now giving a chance for cell // perm check OpType opType; + long timestamp; if (m instanceof Put) { checkForReservedTagPresence(user, m); opType = OpType.PUT; + timestamp = m.getTimestamp(); } else if (m instanceof Delete) { opType = OpType.DELETE; + timestamp = m.getTimestamp(); + } else if (m instanceof Increment) { + opType = OpType.INCREMENT; + timestamp = ((Increment) m).getTimeRange().getMax(); + } else if (m instanceof Append) { + opType = OpType.APPEND; + timestamp = ((Append) m).getTimeRange().getMax(); } else { - // If the operation type is not Put or Delete, do nothing + // If the operation type is not Put/Delete/Increment/Append, do nothing continue; } AuthResult authResult = null; if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(), - m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) { + m.getFamilyCellMap(), timestamp, Action.WRITE)) { authResult = AuthResult.allow(opType.toString(), "Covering cell set", user, Action.WRITE, table, m.getFamilyCellMap()); } else { @@ -1695,32 +1703,6 @@ public Result preAppend(ObserverContext c, Append return null; } - @Override - public Result preAppendAfterRowLock(final ObserverContext c, - final Append append) throws IOException { - if (append.getAttribute(CHECK_COVERING_PERM) != null) { - // We had failure with table, cf and q perm checks and now giving a chance for cell - // perm check - TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable(); - AuthResult authResult = null; - User user = getActiveUser(c); - if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(), - append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) { - authResult = AuthResult.allow(OpType.APPEND.toString(), - "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap()); - } else { - authResult = AuthResult.deny(OpType.APPEND.toString(), - "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap()); - } - AccessChecker.logResult(authResult); - if (authorizationEnabled && !authResult.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + - authResult.toContextString()); - } - } - return null; - } - @Override public Result preIncrement(final ObserverContext c, final Increment increment) @@ -1756,32 +1738,6 @@ public Result preIncrement(final ObserverContext c return null; } - @Override - public Result preIncrementAfterRowLock(final ObserverContext c, - final Increment increment) throws IOException { - if (increment.getAttribute(CHECK_COVERING_PERM) != null) { - // We had failure with table, cf and q perm checks and now giving a chance for cell - // perm check - TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable(); - AuthResult authResult = null; - User user = getActiveUser(c); - if (checkCoveringPermission(user, OpType.INCREMENT, c.getEnvironment(), increment.getRow(), - increment.getFamilyCellMap(), increment.getTimeRange().getMax(), Action.WRITE)) { - authResult = AuthResult.allow(OpType.INCREMENT.toString(), "Covering cell set", - user, Action.WRITE, table, increment.getFamilyCellMap()); - } else { - authResult = AuthResult.deny(OpType.INCREMENT.toString(), "Covering cell set", - user, Action.WRITE, table, increment.getFamilyCellMap()); - } - AccessChecker.logResult(authResult); - if (authorizationEnabled && !authResult.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + - authResult.toContextString()); - } - } - return null; - } - @Override public List> postIncrementBeforeWAL( ObserverContext ctx, Mutation mutation, diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java index 02ed4dd1df0b..37f25a83ea72 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java @@ -45,11 +45,9 @@ import org.apache.hadoop.hbase.Tag; import org.apache.hadoop.hbase.TagType; import org.apache.hadoop.hbase.client.Admin; -import org.apache.hadoop.hbase.client.Append; import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; import org.apache.hadoop.hbase.client.Delete; import org.apache.hadoop.hbase.client.Get; -import org.apache.hadoop.hbase.client.Increment; import org.apache.hadoop.hbase.client.MasterSwitchType; import org.apache.hadoop.hbase.client.Mutation; import org.apache.hadoop.hbase.client.Put; @@ -69,7 +67,6 @@ import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment; import org.apache.hadoop.hbase.coprocessor.RegionObserver; import org.apache.hadoop.hbase.exceptions.DeserializationException; -import org.apache.hadoop.hbase.exceptions.FailedSanityCheckException; import org.apache.hadoop.hbase.filter.Filter; import org.apache.hadoop.hbase.filter.FilterBase; import org.apache.hadoop.hbase.filter.FilterList; @@ -323,7 +320,7 @@ public void preBatchMutate(ObserverContext c, } } } - if (!sanityFailure) { + if (!sanityFailure && (m instanceof Put || m instanceof Delete)) { if (cellVisibility != null) { String labelsExp = cellVisibility.getExpression(); List visibilityTags = labelCache.get(labelsExp); @@ -360,7 +357,7 @@ public void preBatchMutate(ObserverContext c, if (m instanceof Put) { Put p = (Put) m; p.add(cell); - } else if (m instanceof Delete) { + } else { Delete d = (Delete) m; d.add(cell); } @@ -470,35 +467,6 @@ private Pair checkForReservedVisibilityTagPresence(Cell cell, return pair; } - /** - * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This - * tag type is reserved and should not be explicitly set by user. There are - * two versions of this method one that accepts pair and other without pair. - * In case of preAppend and preIncrement the additional operations are not - * needed like checking for STRING_VIS_TAG_TYPE and hence the API without pair - * could be used. - * - * @param cell - * @throws IOException - */ - private boolean checkForReservedVisibilityTagPresence(Cell cell) throws IOException { - // Bypass this check when the operation is done by a system/super user. - // This is done because, while Replication, the Cells coming to the peer - // cluster with reserved - // typed tags and this is fine and should get added to the peer cluster - // table - if (isSystemOrSuperUser()) { - return true; - } - Iterator tagsItr = PrivateCellUtil.tagsIterator(cell); - while (tagsItr.hasNext()) { - if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) { - return false; - } - } - return true; - } - private void removeReplicationVisibilityTag(List tags) throws IOException { Iterator iterator = tags.iterator(); while (iterator.hasNext()) { @@ -657,36 +625,6 @@ private boolean isSystemOrSuperUser() throws IOException { return Superusers.isSuperUser(VisibilityUtils.getActiveUser()); } - @Override - public Result preAppend(ObserverContext e, Append append) - throws IOException { - // If authorization is not enabled, we don't care about reserved tags - if (!authorizationEnabled) { - return null; - } - for (CellScanner cellScanner = append.cellScanner(); cellScanner.advance();) { - if (!checkForReservedVisibilityTagPresence(cellScanner.current())) { - throw new FailedSanityCheckException("Append contains cell with reserved type tag"); - } - } - return null; - } - - @Override - public Result preIncrement(ObserverContext e, Increment increment) - throws IOException { - // If authorization is not enabled, we don't care about reserved tags - if (!authorizationEnabled) { - return null; - } - for (CellScanner cellScanner = increment.cellScanner(); cellScanner.advance();) { - if (!checkForReservedVisibilityTagPresence(cellScanner.current())) { - throw new FailedSanityCheckException("Increment contains cell with reserved type tag"); - } - } - return null; - } - @Override public List> postIncrementBeforeWAL( ObserverContext ctx, Mutation mutation,