/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security.visibility;

import java.io.IOException;
import java.util.List;

import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.TagType;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.classification.InterfaceStability;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.regionserver.OperationStatus;
import org.apache.hadoop.hbase.security.User;

/**
 * The interface which deals with visibility labels and user auths admin service as well as the cell
 * visibility expression storage part and read time evaluation.
 * <p>
 * This service backs cell-level visibility: it defines the known labels, the per-user and per-group
 * authorizations, how a visibility expression is persisted as cell {@link Tag}s, and how stored
 * tags are evaluated against a reader's {@link Authorizations}. The methods documented below as
 * being invoked concurrently from multiple threads must be implemented in a thread-safe manner.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public interface VisibilityLabelService extends Configurable {

  /**
   * System calls this after opening of regions. Gives a chance for the VisibilityLabelService to do
   * any initialization logic.
   * @param e the region coprocessor env
   * @throws IOException if initialization fails
   */
  void init(RegionCoprocessorEnvironment e) throws IOException;

  /**
   * Adds the set of labels into the system. This is an admin operation; the system only allows it
   * for users having system auth (see {@link #havingSystemAuth(User)}).
   * @param labels Labels to add to the system.
   * @return OperationStatus for each of the label addition, one entry per requested label
   * @throws IOException if the operation fails
   */
  OperationStatus[] addLabels(List<byte[]> labels) throws IOException;

  /**
   * Sets given labels globally authorized for the user. This is an admin operation; the system only
   * allows it for users having system auth (see {@link #havingSystemAuth(User)}).
   * @param user The authorizing user
   * @param authLabels Labels which are getting authorized for the user
   * @return OperationStatus for each of the label auth addition, one entry per requested label
   * @throws IOException if the operation fails
   */
  OperationStatus[] setAuths(byte[] user, List<byte[]> authLabels) throws IOException;

  /**
   * Removes given labels from user's globally authorized list of labels. This is an admin
   * operation; the system only allows it for users having system auth (see
   * {@link #havingSystemAuth(User)}).
   * @param user The user whose authorization is to be removed
   * @param authLabels Labels which are getting removed from the authorization set
   * @return OperationStatus for each of the label auth removal, one entry per requested label
   * @throws IOException if the operation fails
   */
  OperationStatus[] clearAuths(byte[] user, List<byte[]> authLabels) throws IOException;

  /**
   * Retrieve the visibility labels for the user.
   * @param user Name of the user whose authorization is to be retrieved
   * @param systemCall {@code true} when the call originates from the system itself rather than
   *          from a user request
   * @return Visibility labels authorized for the given user.
   * @throws IOException if the auths cannot be read
   * @deprecated Use {@link #getUserAuths(byte[], boolean)}
   */
  @Deprecated
  List<String> getAuths(byte[] user, boolean systemCall) throws IOException;

  /**
   * Retrieve the visibility labels for the user.
   * @param user Name of the user whose authorization is to be retrieved
   * @param systemCall {@code true} when the call originates from the system itself rather than
   *          from a user request
   * @return Visibility labels authorized for the given user.
   * @throws IOException if the auths cannot be read
   */
  List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException;

  /**
   * Retrieve the visibility labels for the groups.
   * @param groups Names of the groups whose authorization is to be retrieved
   * @param systemCall {@code true} when the call originates from the system itself rather than
   *          from a user request
   * @return Visibility labels authorized for the given groups.
   * @throws IOException if the auths cannot be read
   */
  List<String> getGroupAuths(String[] groups, boolean systemCall) throws IOException;

  /**
   * Retrieve the list of visibility labels defined in the system.
   * <p>
   * NOTE(review): the pattern is caller-supplied input; an implementation that compiles it with
   * {@code java.util.regex} should expect syntactically invalid patterns and handle them rather
   * than let an unchecked exception propagate - confirm against the implementation.
   * @param regex The regular expression to filter which labels are returned.
   * @return List of visibility labels
   * @throws IOException if the labels cannot be read
   */
  List<String> listLabels(String regex) throws IOException;

  /**
   * Creates tags corresponding to given visibility expression.
   * <br>
   * Note: This will be concurrently called from multiple threads and implementation should
   * take care of thread safety.
   * @param visExpression The Expression for which corresponding Tags to be created.
   * @param withSerializationFormat specifies whether a tag, denoting the serialization version
   *          of the tags, to be added in the list. When this is true make sure to add the
   *          serialization format Tag also. The format tag value should be byte type.
   * @param checkAuths denotes whether to check individual labels in visExpression against user's
   *          global auth label. When {@code false} the labels of the expression are not checked
   *          against the user's auths.
   * @return The list of tags corresponds to the visibility expression. These tags will be stored
   *         along with the Cells.
   * @throws IOException if the expression cannot be converted to tags
   */
  List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
      boolean checkAuths) throws IOException;

  /**
   * Creates VisibilityExpEvaluator corresponding to given Authorizations. <br>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param authorizations Authorizations for the read request
   * @return The VisibilityExpEvaluator corresponding to the given set of authorization labels.
   * @throws IOException if the evaluator cannot be created
   */
  VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
      throws IOException;

  /**
   * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
   * operation is allowed only for users having system auth. Also during read, if the requesting
   * user has system auth, the user can view all the data irrespective of its labels.
   * <p>
   * Because system auth bypasses visibility-label filtering on read, implementations must grant
   * it only to genuinely privileged identities.
   * @param user User for whom system auth check to be done.
   * @return true if the given user is having system/super auth
   * @throws IOException if the check cannot be performed
   * @deprecated Use {@link #havingSystemAuth(User)}
   */
  @Deprecated
  boolean havingSystemAuth(byte[] user) throws IOException;

  /**
   * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
   * operation is allowed only for users having system auth. Also during read, if the requesting
   * user has system auth, the user can view all the data irrespective of its labels.
   * <p>
   * Because system auth bypasses visibility-label filtering on read, implementations must grant
   * it only to genuinely privileged identities.
   * @param user User for whom system auth check to be done.
   * @return true if the given user is having system/super auth
   * @throws IOException if the check cannot be performed
   */
  boolean havingSystemAuth(User user) throws IOException;

  /**
   * System uses this for deciding whether a Cell can be deleted by matching visibility expression
   * in Delete mutation and the cell in consideration. Also system passes the serialization format
   * of visibility tags in Put and Delete.<br>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param putVisTags The visibility tags present in the Put mutation
   * @param putVisTagFormat The serialization format for the Put visibility tags. A
   *          <code>null</code> value for this format means the tags are written with unsorted
   *          label ordinals
   * @param deleteVisTags The visibility tags in the delete mutation (the specified Cell
   *          Visibility)
   * @param deleteVisTagFormat The serialization format for the Delete visibility tags. A
   *          <code>null</code> value for this format means the tags are written with unsorted
   *          label ordinals
   * @return true if matching tags are found
   * @throws IOException if the tags cannot be read
   * @see VisibilityConstants#SORTED_ORDINAL_SERIALIZATION_FORMAT
   */
  boolean matchVisibility(List<Tag> putVisTags, Byte putVisTagFormat, List<Tag> deleteVisTags,
      Byte deleteVisTagFormat) throws IOException;

  /**
   * Provides a way to modify the visibility tags of type {@link TagType}
   * .VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits
   * that are prepared for replication while calling
   * {@link org.apache.hadoop.hbase.replication.ReplicationEndpoint}
   * .replicate().
   * {@link org.apache.hadoop.hbase.security.visibility.VisibilityReplicationEndpoint}
   * calls this API to provide an opportunity to modify the visibility tags
   * before replicating.
   *
   * @param visTags the visibility tags associated with the cell
   * @param serializationFormat the serialization format associated with the tag
   * @return the modified visibility expression in the form of byte[]
   * @throws IOException if the visibility tags cannot be encoded
   */
  byte[] encodeVisibilityForReplication(final List<Tag> visTags,
      final Byte serializationFormat) throws IOException;

}