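/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.hbase.security.access;

import java.io.IOException;
import java.util.List;

import org.apache.hadoop.hbase.ipc.CoprocessorProtocol;

/**
 * A custom coprocessor protocol for maintaining and querying access control
 * lists (ACLs): granting and revoking permissions for users and groups,
 * listing the grants stored for a table, and checking whether the calling
 * user holds a given set of permissions.
 * <p>
 * Nothing in this interface itself restricts who may call {@link #grant} or
 * {@link #revoke}; that enforcement is the responsibility of the implementing
 * coprocessor (NOTE(review): confirm that the implementation authorizes the
 * caller before mutating the ACL, since this contract does not promise it).
 * <p>
 * Throughout this interface a principal name that starts with {@code "@"}
 * denotes a group rather than a user. Callers that build a principal name
 * from external input should validate it so that an unintended leading
 * {@code "@"} cannot silently turn a per-user grant into a group grant.
 */
public interface AccessControllerProtocol extends CoprocessorProtocol {

  /**
   * Version of this protocol. Presumably used by the coprocessor framework
   * to detect client/server mismatches; bump it whenever a method signature
   * changes incompatibly (TODO confirm against {@link CoprocessorProtocol}).
   */
  public static final long VERSION = 1L;

  /**
   * Grants the given user or group the privilege to perform the actions
   * described by {@code userPermission}, over the scope it carries.
   *
   * @param userPermission the principal (user, or group when prefixed with
   *        {@code "@"}) together with the permission details to grant
   * @throws IOException if the grant could not be applied
   */
  public void grant(UserPermission userPermission)
      throws IOException;

  /**
   * Grants the given user or group the privilege to perform the given actions
   * over the scope contained in {@link TablePermission}.
   *
   * @param user the user name, or, if prefixed with {@code "@"}, the group
   *        name receiving the grant. Validate externally supplied names so a
   *        leading {@code "@"} does not unintentionally target a group.
   * @param permission the details of the permissions to grant
   * @throws IOException if the grant could not be applied
   * @deprecated Use {@link #grant(UserPermission)} instead
   */
  @Deprecated
  public void grant(byte[] user, TablePermission permission)
      throws IOException;

  /**
   * Revokes a previously granted privilege from a user or group.
   * <p>
   * The permission details inside {@code userPermission} must exactly match a
   * stored grant. For example, if user "bob" has been granted "READ" access to
   * table "data" over column family and qualifier "info:colA", then the table,
   * column family and column qualifier must all be specified. Attempting to
   * revoke permissions over just the "data" table will have no effect.
   * <p>
   * Security note: because of this exact-match rule, a table-wide revoke does
   * NOT remove narrower (family- or qualifier-level) grants. To strip a
   * principal of all access to a table, enumerate the stored grants with
   * {@link #getUserPermissions(byte[])} and revoke each matching entry.
   *
   * @param userPermission the principal and the details of the previously
   *        granted permission to revoke
   * @throws IOException if the revocation could not be performed
   */
  public void revoke(UserPermission userPermission)
      throws IOException;

  /**
   * Revokes a previously granted privilege from a user or group.
   * <p>
   * The provided {@link TablePermission} details must exactly match a stored
   * grant. For example, if user "bob" has been granted "READ" access to table
   * "data" over column family and qualifier "info:colA", then the table,
   * column family and column qualifier must all be specified. Attempting to
   * revoke permissions over just the "data" table will have no effect, and
   * narrower grants will remain in force; list them with
   * {@link #getUserPermissions(byte[])} and revoke each one individually.
   *
   * @param user the user name, or, if prefixed with {@code "@"}, the group
   *        name whose privileges are being revoked
   * @param permission the details of the previously granted permission to
   *        revoke
   * @throws IOException if the revocation could not be performed
   * @deprecated Use {@link #revoke(UserPermission)} instead
   */
  @Deprecated
  public void revoke(byte[] user, TablePermission permission)
      throws IOException;

  /**
   * Queries the permissions currently stored for the given table, returning
   * the currently granted permissions along with the user or group each is
   * associated with.
   * <p>
   * The returned grants describe who may access the table and are themselves
   * sensitive; callers should not expose them more widely than necessary.
   *
   * @param tableName the table whose permission grants should be returned
   * @return a list of the currently granted permissions, with associated user
   *         or group names (NOTE(review): presumably empty rather than
   *         {@code null} when no grants exist — confirm in the implementation)
   * @throws IOException if there is an error querying the permissions
   */
  public List<UserPermission> getUserPermissions(byte[] tableName)
      throws IOException;

  /**
   * Checks whether the given permissions would pass the access checks for the
   * current (calling) user.
   * <p>
   * Global permissions can be checked from the {@code -acl-} table or any
   * other table; {@link TablePermission}s, however, can only be checked by
   * the regions of the table they refer to, so this method must be invoked
   * against that table. If any check fails this method throws
   * {@code AccessDeniedException}, surfaced through the declared
   * {@link IOException} (NOTE(review): confirm the exception hierarchy
   * before catching it specifically).
   * <p>
   * The answer is a point-in-time result: a grant may be revoked between this
   * call and a subsequent operation, which is authorized independently. Do
   * not cache a successful check as a substitute for the real authorization
   * performed on each operation.
   *
   * @param permissions the permissions to check. {@link Permission}
   *        subclasses can be used to perform more specific checks at the
   *        table, family or column level.
   * @throws IOException if the checks fail or there is an error checking the
   *         permissions
   */
  public void checkPermissions(Permission[] permissions)
      throws IOException;
}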