18 package org.apache.hadoop.hbase.security.visibility;
19
20 import java.util.ArrayList;
21 import java.util.HashSet;
22 import java.util.List;
23 import java.util.Set;
24
25 import org.apache.commons.logging.Log;
26 import org.apache.commons.logging.LogFactory;
27 import org.apache.hadoop.hbase.classification.InterfaceAudience;
28 import org.apache.hadoop.conf.Configuration;
29 import org.apache.hadoop.hbase.security.User;
30
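/**
 * {@link ScanLabelGenerator} that filters the labels requested through an
 * {@link Authorizations} object down to those the user may use.
 *
 * <p>The permitted set is the union of the user's own auths and the auths of the user's groups,
 * both read from the {@link VisibilityLabelsCache}. Requested labels outside that set are removed
 * from the result and reported in a single WARN log line.
 */
@InterfaceAudience.Private
public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator {

  private static final Log LOG = LogFactory.getLog(DefinedSetFilterScanLabelGenerator.class);

  private Configuration conf;

  private VisibilityLabelsCache labelsCache;

  /** Creates a generator bound to the instance returned by {@link VisibilityLabelsCache#get()}. */
  public DefinedSetFilterScanLabelGenerator() {
    this.labelsCache = VisibilityLabelsCache.get();
  }

  @Override
  public void setConf(Configuration conf) {
    this.conf = conf;
  }

  @Override
  public Configuration getConf() {
    return this.conf;
  }

  /**
   * Returns the requested labels that are present in the user's or the user's groups' auths.
   *
   * @param user the requesting user; its short name and group names are used for the cache lookups
   * @param authorizations the labels requested by the caller, may be {@code null}
   * @return the permitted labels in request order, or {@code null} when {@code authorizations}
   *     is {@code null}
   */
  @Override
  public List<String> getLabels(User user, Authorizations authorizations) {
    if (authorizations == null) {
      // Nothing was requested, so there is nothing to filter.
      return null;
    }
    List<String> labels = authorizations.getLabels();
    String userName = user.getShortName();
    // Union of user-level and group-level auths; this is the allow-list for the request.
    Set<String> auths = new HashSet<String>();
    auths.addAll(this.labelsCache.getUserAuths(userName));
    auths.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
    return dropLabelsNotInUserAuths(labels, auths, userName);
  }

  /**
   * Splits the requested labels into permitted and dropped, logs the dropped ones and returns the
   * permitted ones.
   *
   * @param labels the labels requested by the caller
   * @param auths the allow-list; kept as a set so each membership test is a hash lookup instead
   *     of a linear scan over a list copy
   * @param userName the name written to the log line when labels are dropped
   * @return the labels from {@code labels} that are contained in {@code auths}, in request order
   */
  private List<String> dropLabelsNotInUserAuths(List<String> labels, Set<String> auths,
      String userName) {
    List<String> droppedLabels = new ArrayList<String>();
    List<String> passedLabels = new ArrayList<String>(labels.size());
    for (String label : labels) {
      if (auths.contains(label)) {
        passedLabels.add(label);
      } else {
        droppedLabels.add(label);
      }
    }
    if (!droppedLabels.isEmpty()) {
      StringBuilder sb = new StringBuilder();
      sb.append("Dropping invalid authorizations requested by user ");
      sb.append(sanitizeForLog(userName));
      sb.append(": [ ");
      for (String label : droppedLabels) {
        // Dropped labels are exactly the requested values that failed the allow-list check, so
        // they are caller-controlled text; control characters are neutralized so that a label
        // cannot break the WARN entry into several lines or forge a separate log record.
        sb.append(sanitizeForLog(label));
        sb.append(' ');
      }
      sb.append(']');
      LOG.warn(sb.toString());
    }
    return passedLabels;
  }

  /**
   * Replaces every ISO control character (including CR and LF) with {@code '_'} so the value
   * stays on one log line.
   *
   * @param value the text to neutralize, may be {@code null}
   * @return the neutralized text, or the string {@code "null"} for a {@code null} input
   */
  private static String sanitizeForLog(String value) {
    if (value == null) {
      return "null";
    }
    StringBuilder out = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      out.append(Character.isISOControl(c) ? '_' : c);
    }
    return out.toString();
  }
}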