
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.visibility;
19  
20  import java.util.ArrayList;
21  import java.util.HashSet;
22  import java.util.List;
23  import java.util.Set;
24  
25  import org.apache.commons.logging.Log;
26  import org.apache.commons.logging.LogFactory;
27  import org.apache.hadoop.hbase.classification.InterfaceAudience;
28  import org.apache.hadoop.conf.Configuration;
29  import org.apache.hadoop.hbase.security.User;
30  
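/**
 * A {@link ScanLabelGenerator} that narrows the labels requested for a scan to the ones the
 * requesting user has been granted.
 * <p>
 * The labels carried by the passed-in {@link Authorizations} are checked against the union of
 * the auths that {@link VisibilityLabelsCache} reports for the user's short name and for the
 * user's group names. A requested label that is not in that union is dropped from the result
 * and reported in a single WARN log line; the request itself is not rejected.
 * <p>
 * Requested labels and the user name reach the log message, so both are neutralised (control
 * characters replaced) before being written. Otherwise a label containing a line break could
 * forge additional log entries.
 */
@InterfaceAudience.Private
public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator {

  private static final Log LOG = LogFactory.getLog(DefinedSetFilterScanLabelGenerator.class);

  private Configuration conf;

  // Source of the per-user and per-group auths; obtained once from the shared cache accessor.
  private final VisibilityLabelsCache labelsCache;

  /** Creates a generator backed by the instance returned by {@code VisibilityLabelsCache.get()}. */
  public DefinedSetFilterScanLabelGenerator() {
    this.labelsCache = VisibilityLabelsCache.get();
  }

  /**
   * Stores the configuration; this class does not read any setting from it.
   *
   * @param conf the configuration to keep
   */
  @Override
  public void setConf(Configuration conf) {
    this.conf = conf;
  }

  /**
   * @return the configuration last passed to {@link #setConf(Configuration)}, or {@code null}
   *         if none was set
   */
  @Override
  public Configuration getConf() {
    return this.conf;
  }

  /**
   * Returns the requested labels that the user is authorized for.
   *
   * @param user the requesting user; its short name and group names select the granted auths
   * @param authorizations the labels requested with the scan, may be {@code null}
   * @return the requested labels that are among the user's or the user's groups' auths, in
   *         request order, or {@code null} when {@code authorizations} is {@code null}
   */
  @Override
  public List<String> getLabels(User user, Authorizations authorizations) {
    if (authorizations == null) {
      // NOTE(review): how callers treat a null result is not visible in this file. Confirm it
      // is handled as "no labels" and never as "no filtering".
      return null;
    }
    List<String> labels = authorizations.getLabels();
    String userName = user.getShortName();
    // Granted set = direct user auths plus auths inherited through group membership.
    Set<String> auths = new HashSet<String>();
    auths.addAll(this.labelsCache.getUserAuths(userName));
    auths.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
    return dropLabelsNotInUserAuths(labels, auths, userName);
  }

  /**
   * Splits the requested labels into granted and not granted, logs the latter and returns the
   * former.
   *
   * @param labels the labels requested by the client
   * @param auths the labels granted to the user, directly or through a group
   * @param userName the short name of the requesting user, used only in the log message
   * @return the requested labels contained in {@code auths}, order and duplicates preserved
   */
  private List<String> dropLabelsNotInUserAuths(List<String> labels, Set<String> auths,
      String userName) {
    List<String> droppedLabels = new ArrayList<String>();
    List<String> passedLabels = new ArrayList<String>(labels.size());
    for (String label : labels) {
      // Set membership keeps this linear in the number of requested labels.
      if (auths.contains(label)) {
        passedLabels.add(label);
      } else {
        droppedLabels.add(label);
      }
    }
    if (!droppedLabels.isEmpty()) {
      // One WARN line per request. Repeated lines for the same user show requests for labels
      // that user does not hold.
      StringBuilder sb = new StringBuilder();
      sb.append("Dropping invalid authorizations requested by user ");
      appendSanitized(sb, userName);
      sb.append(": [ ");
      for (String label : droppedLabels) {
        appendSanitized(sb, label);
        sb.append(' ');
      }
      sb.append(']');
      LOG.warn(sb.toString());
    }
    return passedLabels;
  }

  /**
   * Appends {@code value} to {@code sb} with every ISO control character (CR, LF, TAB, ...)
   * replaced by {@code '_'}, so that client-supplied text cannot break the log line apart.
   * A {@code null} value is appended the way {@link StringBuilder#append(String)} does.
   */
  private static void appendSanitized(StringBuilder sb, String value) {
    if (value == null) {
      sb.append(value);
      return;
    }
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      sb.append(Character.isISOControl(c) ? '_' : c);
    }
  }
}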