View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.DataInput;
23  import java.io.DataInputStream;
24  import java.io.IOException;
25  import java.util.ArrayList;
26  import java.util.Arrays;
27  import java.util.Iterator;
28  import java.util.List;
29  import java.util.Map;
30  import java.util.Set;
31  import java.util.TreeMap;
32  import java.util.TreeSet;
33  
34  import org.apache.commons.logging.Log;
35  import org.apache.commons.logging.LogFactory;
36  import org.apache.hadoop.conf.Configuration;
37  import org.apache.hadoop.hbase.AuthUtil;
38  import org.apache.hadoop.hbase.Cell;
39  import org.apache.hadoop.hbase.CellUtil;
40  import org.apache.hadoop.hbase.HColumnDescriptor;
41  import org.apache.hadoop.hbase.HConstants;
42  import org.apache.hadoop.hbase.HTableDescriptor;
43  import org.apache.hadoop.hbase.NamespaceDescriptor;
44  import org.apache.hadoop.hbase.TableName;
45  import org.apache.hadoop.hbase.Tag;
46  import org.apache.hadoop.hbase.TagType;
47  import org.apache.hadoop.hbase.classification.InterfaceAudience;
48  import org.apache.hadoop.hbase.client.Connection;
49  import org.apache.hadoop.hbase.client.ConnectionFactory;
50  import org.apache.hadoop.hbase.client.Delete;
51  import org.apache.hadoop.hbase.client.Get;
52  import org.apache.hadoop.hbase.client.Put;
53  import org.apache.hadoop.hbase.client.Result;
54  import org.apache.hadoop.hbase.client.ResultScanner;
55  import org.apache.hadoop.hbase.client.Scan;
56  import org.apache.hadoop.hbase.client.Table;
57  import org.apache.hadoop.hbase.exceptions.DeserializationException;
58  import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
59  import org.apache.hadoop.hbase.filter.QualifierFilter;
60  import org.apache.hadoop.hbase.filter.RegexStringComparator;
61  import org.apache.hadoop.hbase.master.MasterServices;
62  import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
63  import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
64  import org.apache.hadoop.hbase.regionserver.BloomType;
65  import org.apache.hadoop.hbase.regionserver.InternalScanner;
66  import org.apache.hadoop.hbase.regionserver.Region;
67  import org.apache.hadoop.hbase.security.User;
68  import org.apache.hadoop.hbase.util.Bytes;
69  import org.apache.hadoop.hbase.util.Pair;
70  import org.apache.hadoop.io.Text;
71  
72  import com.google.common.collect.ArrayListMultimap;
73  import com.google.common.collect.ListMultimap;
74  import com.google.common.collect.Lists;
75  
76  /**
77   * Maintains lists of permission grants to users and groups to allow for
78   * authorization checks by {@link AccessController}.
79   *
80   * <p>
81   * Access control lists are stored in an "internal" metadata table named
82   * {@code _acl_}. Each table's permission grants are stored as a separate row,
83   * keyed by the table name. KeyValues for permissions assignments are stored
84   * in one of the formats:
85   * <pre>
86   * Key                      Desc
87   * --------                 --------
88   * user                     table level permissions for a user [R=read, W=write]
89   * group                    table level permissions for a group
90   * user,family              column family level permissions for a user
91   * group,family             column family level permissions for a group
92   * user,family,qualifier    column qualifier level permissions for a user
93   * group,family,qualifier   column qualifier level permissions for a group
94   * </pre>
95   * <p>
96   * All values are encoded as byte arrays containing the codes from the
97   * org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
98   * </p>
99   */
100 @InterfaceAudience.Private
101 public class AccessControlLists {
102   /** Internal storage table for access control lists */
103   public static final TableName ACL_TABLE_NAME =
104       TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
105   public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
106   /** Column family used to store ACL grants */
107   public static final String ACL_LIST_FAMILY_STR = "l";
108   public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
109   /** KV tag to store per cell access control lists */
110   public static final byte ACL_TAG_TYPE = TagType.ACL_TAG_TYPE;
111 
112   public static final char NAMESPACE_PREFIX = '@';
113 
114   /**
115    * Delimiter to separate user, column family, and qualifier in
116    * _acl_ table info: column keys */
117   public static final char ACL_KEY_DELIMITER = ',';
118 
119   private static final Log LOG = LogFactory.getLog(AccessControlLists.class);
120 
121   /**
122    * Create the ACL table
123    * @param master
124    * @throws IOException
125    */
126   static void createACLTable(MasterServices master) throws IOException {
127     /** Table descriptor for ACL table */
128     final HTableDescriptor ACL_TABLEDESC = new HTableDescriptor(ACL_TABLE_NAME)
129       .addFamily(new HColumnDescriptor(ACL_LIST_FAMILY)
130         .setMaxVersions(1)
131         .setInMemory(true)
132         .setBlockCacheEnabled(true)
133         .setBlocksize(8 * 1024)
134         .setBloomFilterType(BloomType.NONE)
135         .setScope(HConstants.REPLICATION_SCOPE_LOCAL)
136         // Set cache data blocks in L1 if more than one cache tier deployed; e.g. this will
137         // be the case if we are using CombinedBlockCache (Bucket Cache).
138         .setCacheDataInL1(true));
139     master.createSystemTable(ACL_TABLEDESC);
140   }
141 
142   static void addUserPermission(Configuration conf, UserPermission userPerm, Table t,
143       boolean mergeExistingPermissions) throws IOException {
144     Permission.Action[] actions = userPerm.getActions();
145     byte[] rowKey = userPermissionRowKey(userPerm);
146     Put p = new Put(rowKey);
147     byte[] key = userPermissionKey(userPerm);
148 
149     if ((actions == null) || (actions.length == 0)) {
150       String msg = "No actions associated with user '" + Bytes.toString(userPerm.getUser()) + "'";
151       LOG.warn(msg);
152       throw new IOException(msg);
153     }
154 
155     Set<Permission.Action> actionSet = new TreeSet<Permission.Action>();
156     if (mergeExistingPermissions) {
157       List<UserPermission> perms = getUserPermissions(conf, rowKey);
158       UserPermission currentPerm = null;
159       for (UserPermission perm : perms) {
160         if (Bytes.equals(perm.getUser(), userPerm.getUser())
161             && ((userPerm.isGlobal() && ACL_TABLE_NAME.equals(perm.getTableName()))
162                 || perm.tableFieldsEqual(userPerm))) {
163           currentPerm = perm;
164           break;
165         }
166       }
167 
168       if (currentPerm != null && currentPerm.getActions() != null) {
169         actionSet.addAll(Arrays.asList(currentPerm.getActions()));
170       }
171     }
172 
173     // merge current action with new action.
174     actionSet.addAll(Arrays.asList(actions));
175 
176     // serialize to byte array.
177     byte[] value = new byte[actionSet.size()];
178     int index = 0;
179     for (Permission.Action action : actionSet) {
180       value[index++] = action.code();
181     }
182 
183     p.addImmutable(ACL_LIST_FAMILY, key, value);
184     if (LOG.isDebugEnabled()) {
185       LOG.debug("Writing permission with rowKey " + Bytes.toString(rowKey) + " "
186           + Bytes.toString(key) + ": " + Bytes.toStringBinary(value));
187     }
188     if (t == null) {
189       try (Connection connection = ConnectionFactory.createConnection(conf)) {
190         try (Table table = connection.getTable(ACL_TABLE_NAME)) {
191           table.put(p);
192         }
193       }
194     } else {
195       try {
196         t.put(p);
197       } finally {
198         t.close();
199       }
200     }
201   }
202 
203   /**
204    * Stores a new user permission grant in the access control lists table.
205    * @param conf the configuration
206    * @param userPerm the details of the permission to be granted
207    * @param t acl table instance. It is closed upon method return
208    * @throws IOException in the case of an error accessing the metadata table
209    */
210   static void addUserPermission(Configuration conf, UserPermission userPerm, Table t)
211       throws IOException {
212     addUserPermission(conf, userPerm, t, false);
213   }
214 
215   /**
216    * Removes a previously granted permission from the stored access control
217    * lists.  The {@link TablePermission} being removed must exactly match what
218    * is stored -- no wildcard matching is attempted.  Ie, if user "bob" has
219    * been granted "READ" access to the "data" table, but only to column family
220    * plus qualifier "info:colA", then trying to call this method with only
221    * user "bob" and the table name "data" (but without specifying the
222    * column qualifier "info:colA") will have no effect.
223    *
224    * @param conf the configuration
225    * @param userPerm the details of the permission to be revoked
226    * @param t acl table
227    * @throws IOException if there is an error accessing the metadata table
228    */
229   static void removeUserPermission(Configuration conf, UserPermission userPerm, Table t)
230       throws IOException {
231     if (null == userPerm.getActions()) {
232       removePermissionRecord(conf, userPerm, t);
233     } else {
234       // Get all the global user permissions from the acl table
235       List<UserPermission> permsList = getUserPermissions(conf, userPermissionRowKey(userPerm));
236       List<Permission.Action> remainingActions = new ArrayList<>();
237       List<Permission.Action> dropActions = Arrays.asList(userPerm.getActions());
238       for (UserPermission perm : permsList) {
239         // Find the user and remove only the requested permissions
240         if (Bytes.toString(perm.getUser()).equals(Bytes.toString(userPerm.getUser()))) {
241           for (Permission.Action oldAction : perm.getActions()) {
242             if (!dropActions.contains(oldAction)) {
243               remainingActions.add(oldAction);
244             }
245           }
246           if (!remainingActions.isEmpty()) {
247             perm.setActions(remainingActions.toArray(new Permission.Action[remainingActions.size()]));
248             addUserPermission(conf, perm, t);
249           } else {
250             removePermissionRecord(conf, userPerm, t);
251           }
252           break;
253         }
254       }
255     }
256     if (LOG.isDebugEnabled()) {
257       LOG.debug("Removed permission "+ userPerm.toString());
258     }
259   }
260 
261   private static void removePermissionRecord(Configuration conf, UserPermission userPerm, Table t)
262       throws IOException {
263     Delete d = new Delete(userPermissionRowKey(userPerm));
264     d.addColumns(ACL_LIST_FAMILY, userPermissionKey(userPerm));
265     if (t == null) {
266       try (Connection connection = ConnectionFactory.createConnection(conf)) {
267         try (Table table = connection.getTable(ACL_TABLE_NAME)) {
268           table.delete(d);
269         }
270       }
271     } else {
272       try {
273         t.delete(d);
274       } finally {
275         t.close();
276       }
277     }
278   }
279 
280   /**
281    * Remove specified table from the _acl_ table.
282    */
283   static void removeTablePermissions(Configuration conf, TableName tableName, Table t)
284       throws IOException{
285     Delete d = new Delete(tableName.getName());
286 
287     if (LOG.isDebugEnabled()) {
288       LOG.debug("Removing permissions of removed table "+ tableName);
289     }
290     try {
291       t.delete(d);
292     } finally {
293       t.close();
294     }
295   }
296 
297   /**
298    * Remove specified namespace from the acl table.
299    */
300   static void removeNamespacePermissions(Configuration conf, String namespace, Table t)
301       throws IOException{
302     Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
303 
304     if (LOG.isDebugEnabled()) {
305       LOG.debug("Removing permissions of removed namespace "+ namespace);
306     }
307 
308     try {
309       t.delete(d);
310     } finally {
311       t.close();
312     }
313   }
314 
315   /**
316    * Remove specified table column from the acl table.
317    */
318   static void removeTablePermissions(TableName tableName, byte[] column, Table table,
319       boolean closeTable) throws IOException{
320 
321     if (LOG.isDebugEnabled()) {
322       LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
323                 " from table "+ tableName);
324     }
325     Scan scan = new Scan();
326     scan.addFamily(ACL_LIST_FAMILY);
327 
328     String columnName = Bytes.toString(column);
329     scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator(
330         String.format("(%s%s%s)|(%s%s)$",
331             ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
332             ACL_KEY_DELIMITER, columnName))));
333 
334     Set<byte[]> qualifierSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
335     ResultScanner scanner = null;
336     try {
337       scanner = table.getScanner(scan);
338       for (Result res : scanner) {
339         for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
340           qualifierSet.add(q);
341         }
342       }
343 
344       if (qualifierSet.size() > 0) {
345         Delete d = new Delete(tableName.getName());
346         for (byte[] qualifier : qualifierSet) {
347           d.addColumns(ACL_LIST_FAMILY, qualifier);
348         }
349         table.delete(d);
350       }
351     }  finally {
352       if (scanner != null) scanner.close();
353       if (closeTable) table.close();
354     }
355   }
356 
357   static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column,
358       Table t) throws IOException {
359     if (LOG.isDebugEnabled()) {
360       LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
361           " from table "+ tableName);
362     }
363     removeTablePermissions(tableName, column, t, true);
364   }
365 
366   static byte[] userPermissionRowKey(UserPermission userPerm) {
367     byte[] row;
368     if(userPerm.hasNamespace()) {
369       row = Bytes.toBytes(toNamespaceEntry(userPerm.getNamespace()));
370     } else if(userPerm.isGlobal()) {
371       row = ACL_GLOBAL_NAME;
372     } else {
373       row = userPerm.getTableName().getName();
374     }
375     return row;
376   }
377 
378   /**
379    * Build qualifier key from user permission:
380    *  username
381    *  username,family
382    *  username,family,qualifier
383    */
384   static byte[] userPermissionKey(UserPermission userPerm) {
385     byte[] qualifier = userPerm.getQualifier();
386     byte[] family = userPerm.getFamily();
387     byte[] key = userPerm.getUser();
388 
389     if (family != null && family.length > 0) {
390       key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
391       if (qualifier != null && qualifier.length > 0) {
392         key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
393       }
394     }
395 
396     return key;
397   }
398 
399   /**
400    * Returns {@code true} if the given region is part of the {@code _acl_}
401    * metadata table.
402    */
403   static boolean isAclRegion(Region region) {
404     return ACL_TABLE_NAME.equals(region.getTableDesc().getTableName());
405   }
406 
407   /**
408    * Returns {@code true} if the given table is {@code _acl_} metadata table.
409    */
410   static boolean isAclTable(HTableDescriptor desc) {
411     return ACL_TABLE_NAME.equals(desc.getTableName());
412   }
413 
414   /**
415    * Loads all of the permission grants stored in a region of the {@code _acl_}
416    * table.
417    *
418    * @param aclRegion
419    * @return a map of the permissions for this table.
420    * @throws IOException
421    */
422   static Map<byte[], ListMultimap<String,TablePermission>> loadAll(Region aclRegion)
423     throws IOException {
424 
425     if (!isAclRegion(aclRegion)) {
426       throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
427     }
428 
429     Map<byte[], ListMultimap<String, TablePermission>> allPerms =
430         new TreeMap<byte[], ListMultimap<String, TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
431 
432     // do a full scan of _acl_ table
433 
434     Scan scan = new Scan();
435     scan.addFamily(ACL_LIST_FAMILY);
436 
437     InternalScanner iScanner = null;
438     try {
439       iScanner = aclRegion.getScanner(scan);
440 
441       while (true) {
442         List<Cell> row = new ArrayList<Cell>();
443 
444         boolean hasNext = iScanner.next(row);
445         ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
446         byte[] entry = null;
447         for (Cell kv : row) {
448           if (entry == null) {
449             entry = CellUtil.cloneRow(kv);
450           }
451           Pair<String,TablePermission> permissionsOfUserOnTable =
452               parsePermissionRecord(entry, kv);
453           if (permissionsOfUserOnTable != null) {
454             String username = permissionsOfUserOnTable.getFirst();
455             TablePermission permissions = permissionsOfUserOnTable.getSecond();
456             perms.put(username, permissions);
457           }
458         }
459         if (entry != null) {
460           allPerms.put(entry, perms);
461         }
462         if (!hasNext) {
463           break;
464         }
465       }
466     } finally {
467       if (iScanner != null) {
468         iScanner.close();
469       }
470     }
471 
472     return allPerms;
473   }
474 
475   /**
476    * Load all permissions from the region server holding {@code _acl_},
477    * primarily intended for testing purposes.
478    */
479   static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
480       Configuration conf) throws IOException {
481     Map<byte[], ListMultimap<String,TablePermission>> allPerms =
482         new TreeMap<byte[], ListMultimap<String,TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
483 
484     // do a full scan of _acl_, filtering on only first table region rows
485 
486     Scan scan = new Scan();
487     scan.addFamily(ACL_LIST_FAMILY);
488 
489     ResultScanner scanner = null;
490     // TODO: Pass in a Connection rather than create one each time.
491     try (Connection connection = ConnectionFactory.createConnection(conf)) {
492       try (Table table = connection.getTable(ACL_TABLE_NAME)) {
493         scanner = table.getScanner(scan);
494         try {
495           for (Result row : scanner) {
496             ListMultimap<String,TablePermission> resultPerms = parsePermissions(row.getRow(), row);
497             allPerms.put(row.getRow(), resultPerms);
498           }
499         } finally {
500           if (scanner != null) scanner.close();
501         }
502       }
503     }
504 
505     return allPerms;
506   }
507 
508   public static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
509         TableName tableName) throws IOException {
510     return getPermissions(conf, tableName != null ? tableName.getName() : null, null);
511   }
512 
513   public static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
514         String namespace) throws IOException {
515     return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null);
516   }
517 
518   /**
519    * Reads user permission assignments stored in the <code>l:</code> column
520    * family of the first table row in <code>_acl_</code>.
521    *
522    * <p>
523    * See {@link AccessControlLists class documentation} for the key structure
524    * used for storage.
525    * </p>
526    */
527   static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
528       byte[] entryName, Table t) throws IOException {
529     if (entryName == null) entryName = ACL_GLOBAL_NAME;
530 
531     // for normal user tables, we just read the table row from _acl_
532     ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
533     Get get = new Get(entryName);
534     get.addFamily(ACL_LIST_FAMILY);
535     Result row = null;
536     if (t == null) {
537       try (Connection connection = ConnectionFactory.createConnection(conf)) {
538         try (Table table = connection.getTable(ACL_TABLE_NAME)) {
539           row = table.get(get);
540         }
541       }
542     } else {
543       row = t.get(get);
544     }
545 
546     if (!row.isEmpty()) {
547       perms = parsePermissions(entryName, row);
548     } else {
549       LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
550           + Bytes.toString(entryName));
551     }
552 
553     return perms;
554   }
555 
556   /**
557    * Returns the currently granted permissions for a given table as a list of
558    * user plus associated permissions.
559    */
560   static List<UserPermission> getUserTablePermissions(
561       Configuration conf, TableName tableName) throws IOException {
562     return getUserPermissions(conf, tableName == null ? null : tableName.getName());
563   }
564 
565   static List<UserPermission> getUserNamespacePermissions(
566       Configuration conf, String namespace) throws IOException {
567     return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
568   }
569 
570   static List<UserPermission> getUserPermissions(
571       Configuration conf, byte[] entryName)
572   throws IOException {
573     ListMultimap<String,TablePermission> allPerms = getPermissions(
574       conf, entryName, null);
575 
576     List<UserPermission> perms = new ArrayList<UserPermission>();
577 
578     if(isNamespaceEntry(entryName)) {  // Namespace
579       for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
580         UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
581           entry.getValue().getNamespace(), entry.getValue().getActions());
582         perms.add(up);
583       }
584     } else {  // Table
585       for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
586         UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
587             entry.getValue().getTableName(), entry.getValue().getFamily(),
588             entry.getValue().getQualifier(), entry.getValue().getActions());
589         perms.add(up);
590       }
591     }
592     return perms;
593   }
594 
595   private static ListMultimap<String, TablePermission> parsePermissions(
596       byte[] entryName, Result result) {
597     ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
598     if (result != null && result.size() > 0) {
599       for (Cell kv : result.rawCells()) {
600 
601         Pair<String,TablePermission> permissionsOfUserOnTable =
602             parsePermissionRecord(entryName, kv);
603 
604         if (permissionsOfUserOnTable != null) {
605           String username = permissionsOfUserOnTable.getFirst();
606           TablePermission permissions = permissionsOfUserOnTable.getSecond();
607           perms.put(username, permissions);
608         }
609       }
610     }
611     return perms;
612   }
613 
614   private static Pair<String, TablePermission> parsePermissionRecord(
615       byte[] entryName, Cell kv) {
616     // return X given a set of permissions encoded in the permissionRecord kv.
617     byte[] family = CellUtil.cloneFamily(kv);
618 
619     if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
620       return null;
621     }
622 
623     byte[] key = CellUtil.cloneQualifier(kv);
624     byte[] value = CellUtil.cloneValue(kv);
625     if (LOG.isDebugEnabled()) {
626       LOG.debug("Read acl: kv ["+
627                 Bytes.toStringBinary(key)+": "+
628                 Bytes.toStringBinary(value)+"]");
629     }
630 
631     // check for a column family appended to the key
632     // TODO: avoid the string conversion to make this more efficient
633     String username = Bytes.toString(key);
634 
635     //Handle namespace entry
636     if(isNamespaceEntry(entryName)) {
637       return new Pair<String, TablePermission>(username,
638           new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
639     }
640 
641     //Handle table and global entry
642     //TODO global entry should be handled differently
643     int idx = username.indexOf(ACL_KEY_DELIMITER);
644     byte[] permFamily = null;
645     byte[] permQualifier = null;
646     if (idx > 0 && idx < username.length()-1) {
647       String remainder = username.substring(idx+1);
648       username = username.substring(0, idx);
649       idx = remainder.indexOf(ACL_KEY_DELIMITER);
650       if (idx > 0 && idx < remainder.length()-1) {
651         permFamily = Bytes.toBytes(remainder.substring(0, idx));
652         permQualifier = Bytes.toBytes(remainder.substring(idx+1));
653       } else {
654         permFamily = Bytes.toBytes(remainder);
655       }
656     }
657 
658     return new Pair<String,TablePermission>(username,
659         new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
660   }
661 
662   /**
663    * Writes a set of permissions as {@link org.apache.hadoop.io.Writable} instances
664    * and returns the resulting byte array.
665    *
666    * Writes a set of permission [user: table permission]
667    */
668   public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
669       Configuration conf) {
670     return ProtobufUtil.prependPBMagic(ProtobufUtil.toUserTablePermissions(perms).toByteArray());
671   }
672 
673   /**
674    * Reads a set of permissions as {@link org.apache.hadoop.io.Writable} instances
675    * from the input stream.
676    */
677   public static ListMultimap<String, TablePermission> readPermissions(byte[] data,
678       Configuration conf)
679   throws DeserializationException {
680     if (ProtobufUtil.isPBMagicPrefix(data)) {
681       int pblen = ProtobufUtil.lengthOfPBMagic();
682       try {
683         AccessControlProtos.UsersAndPermissions.Builder builder =
684           AccessControlProtos.UsersAndPermissions.newBuilder();
685         ProtobufUtil.mergeFrom(builder, data, pblen, data.length - pblen);
686         return ProtobufUtil.toUserTablePermissions(builder.build());
687       } catch (IOException e) {
688         throw new DeserializationException(e);
689       }
690     } else {
691       ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
692       try {
693         DataInput in = new DataInputStream(new ByteArrayInputStream(data));
694         int length = in.readInt();
695         for (int i=0; i<length; i++) {
696           String user = Text.readString(in);
697           List<TablePermission> userPerms =
698             (List)HbaseObjectWritableFor96Migration.readObject(in, conf);
699           perms.putAll(user, userPerms);
700         }
701       } catch (IOException e) {
702         throw new DeserializationException(e);
703       }
704       return perms;
705     }
706   }
707 
708   public static boolean isNamespaceEntry(String entryName) {
709     return entryName != null && entryName.charAt(0) == NAMESPACE_PREFIX;
710   }
711 
712   public static boolean isNamespaceEntry(byte[] entryName) {
713     return entryName != null && entryName.length !=0 && entryName[0] == NAMESPACE_PREFIX;
714   }
715 
716   public static String toNamespaceEntry(String namespace) {
717      return NAMESPACE_PREFIX + namespace;
718    }
719 
720    public static String fromNamespaceEntry(String namespace) {
721      if(namespace.charAt(0) != NAMESPACE_PREFIX)
722        throw new IllegalArgumentException("Argument is not a valid namespace entry");
723      return namespace.substring(1);
724    }
725 
726    public static byte[] toNamespaceEntry(byte[] namespace) {
727      byte[] ret = new byte[namespace.length+1];
728      ret[0] = NAMESPACE_PREFIX;
729      System.arraycopy(namespace, 0, ret, 1, namespace.length);
730      return ret;
731    }
732 
733    public static byte[] fromNamespaceEntry(byte[] namespace) {
734      if(namespace[0] != NAMESPACE_PREFIX) {
735        throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
736            Bytes.toString(namespace));
737      }
738      return Arrays.copyOfRange(namespace, 1, namespace.length);
739    }
740 
741    public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
742        throws IOException {
743      // Save an object allocation where we can
744      if (cell.getTagsLength() == 0) {
745        return null;
746      }
747      List<Permission> results = Lists.newArrayList();
748      Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),
749         cell.getTagsLength());
750      while (tagsIterator.hasNext()) {
751        Tag tag = tagsIterator.next();
752        if (tag.getType() == ACL_TAG_TYPE) {
753          // Deserialize the table permissions from the KV
754          // TODO: This can be improved. Don't build UsersAndPermissions just to unpack it again,
755          // use the builder
756          AccessControlProtos.UsersAndPermissions.Builder builder = 
757            AccessControlProtos.UsersAndPermissions.newBuilder();
758          ProtobufUtil.mergeFrom(builder, tag.getBuffer(), tag.getTagOffset(), tag.getTagLength());
759          ListMultimap<String,Permission> kvPerms =
760            ProtobufUtil.toUsersAndPermissions(builder.build());
761          // Are there permissions for this user?
762          List<Permission> userPerms = kvPerms.get(user.getShortName());
763          if (userPerms != null) {
764            results.addAll(userPerms);
765          }
766          // Are there permissions for any of the groups this user belongs to?
767          String groupNames[] = user.getGroupNames();
768          if (groupNames != null) {
769            for (String group : groupNames) {
770              List<Permission> groupPerms = kvPerms.get(AuthUtil.toGroupEntry(group));
771              if (results != null) {
772                results.addAll(groupPerms);
773              }
774            }
775          }
776        }
777      }
778      return results;
779    }
780 }