
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.io.IOException;
22  import java.util.List;
23  
24  import org.apache.hadoop.hbase.ipc.CoprocessorProtocol;
25  
26  /**
27   * A custom protocol defined for maintaining and querying access control lists.
28   */
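/**
 * A custom coprocessor protocol for maintaining and querying access control
 * lists (grant / revoke / list / check).
 *
 * <p>Principal naming convention used throughout: a {@code user} argument is a
 * user name, or a group name when prefixed with {@code "@"}. Callers that build
 * these names from external input should be aware that the prefix alone decides
 * whether a user or a group receives (or loses) a privilege.
 *
 * <p>NOTE(review): this interface declares no authorization of its own. Whether
 * the caller is allowed to grant, revoke or list permissions is entirely up to
 * the implementation behind the coprocessor endpoint — confirm against the
 * implementing class before relying on it.
 */
public interface AccessControllerProtocol extends CoprocessorProtocol {

  /** Protocol version advertised to the coprocessor RPC layer. */
  public static final long VERSION = 1L;

  /**
   * Grants the given user or group the privilege to perform the given actions.
   * @param userPermission the details of the provided user permissions,
   * including the user or group ("@"-prefixed) receiving the grant
   * @throws IOException if the grant could not be applied
   */
  public void grant(UserPermission userPermission)
      throws IOException;

  /**
   * Grants the given user or group the privilege to perform the given actions
   * over the specified scope contained in {@link TablePermission}.
   * @param user the user name, or, if prefixed with "@", group name receiving
   * the grant (the byte encoding of the name is not specified by this
   * interface — match whatever the implementation expects)
   * @param permission the details of the provided permissions
   * @throws IOException if the grant could not be applied
   * @deprecated Use {@link #grant(UserPermission)} instead
   */
  @Deprecated
  public void grant(byte[] user, TablePermission permission)
      throws IOException;

  /**
   * Revokes a previously granted privilege from a user or group.
   * Note that the provided {@link TablePermission} details must exactly match
   * a stored grant.  For example, if user "bob" has been granted "READ" access
   * to table "data", over column family and qualifier "info:colA", then the
   * table, column family and column qualifier must all be specified.
   * Attempting to revoke permissions over just the "data" table will have
   * no effect.
   *
   * <p>Because a non-matching revoke is a silent no-op rather than an error,
   * callers that must be sure a privilege is gone should confirm the result via
   * {@link #getUserPermissions(byte[])} instead of trusting a normal return.
   * @param userPermission the details of the previously granted permission to
   * revoke, including the user or group ("@"-prefixed) it was granted to
   * @throws IOException if the revocation could not be performed
   */
  public void revoke(UserPermission userPermission)
      throws IOException;

  /**
   * Revokes a previously granted privilege from a user or group.
   * Note that the provided {@link TablePermission} details must exactly match
   * a stored grant.  For example, if user "bob" has been granted "READ" access
   * to table "data", over column family and qualifier "info:colA", then the
   * table, column family and column qualifier must all be specified.
   * Attempting to revoke permissions over just the "data" table will have
   * no effect (a silent no-op, not an error — verify with
   * {@link #getUserPermissions(byte[])} if the outcome matters).
   * @param user the user name, or, if prefixed with "@", group name whose
   * privileges are being revoked
   * @param permission the details of the previously granted permission to revoke
   * @throws IOException if the revocation could not be performed
   * @deprecated Use {@link #revoke(UserPermission)} instead
   */
  @Deprecated
  public void revoke(byte[] user, TablePermission permission)
      throws IOException;

  /**
   * Queries the permissions currently stored for the given table, returning
   * a list of currently granted permissions, along with the user or group
   * each is associated with.
   * @param tableName the table of the permission grants to return
   * @return a list of the currently granted permissions, with associated user
   * or group names
   * @throws IOException if there is an error querying the permissions
   */
  public List<UserPermission> getUserPermissions(byte[] tableName)
      throws IOException;

  /**
   * Checks whether the given Permissions will pass the access checks for the
   * current user. Global permissions can be checked from the -acl- table
   * or any other table, however TablePermissions can only be checked by
   * the table's regions.
   *
   * <p>Failure is signalled by exception, not by a return value: if the access
   * control checks fail this method throws AccessDeniedException (presumably an
   * IOException subclass, since that is the only declared type — confirm against
   * the implementation). A normal return therefore means every permission in
   * the array passed.
   * @param permissions to check for. Permission subclasses can be used
   * to do more specific checks at the table/family/column level.
   * @throws IOException if there is an error checking the permissions, or
   * (as AccessDeniedException) if the current user lacks any of them
   */
  public void checkPermissions(Permission[] permissions)
      throws IOException;
}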