@InterfaceAudience.Private class AccessControlFilter extends FilterBase
TODO: There is room for further performance optimization here. Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of overhead. A more optimized solution might look at the qualifiers where permissions are actually granted and explicitly limit the scan to those.
We should aim to use this _only_ when access to the requested column families is not granted at the column family levels. If table or column family access succeeds, then there is no need to impose the overhead of this filter.
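The gating described above, sketched as an added example (a stand-alone model, not HBase code): each requested family skips per-cell filtering when a table or family grant already covers it, and is otherwise limited to the qualifiers that carry grants, as the TODO suggests. The Grants class, the Mode values and the sample family and qualifier names are hypothetical stand-ins for what TableAuthManager would be asked.

```java
import java.util.*;

/** Added illustration: models the "filter only when needed" decision; uses no HBase API. */
public class ScanAuthPlanner {
    /** Hypothetical stand-in for the READ grants held by one user on one table. */
    static class Grants {
        boolean tableRead;                                         // READ on the whole table
        Set<String> familyRead = new HashSet<>();                  // READ on whole families
        Map<String, Set<String>> qualifierRead = new HashMap<>();  // family -> granted qualifiers
    }

    enum Mode { NO_FILTER, LIMIT_TO_QUALIFIERS, DENY }

    static class FamilyPlan {
        final Mode mode;
        final Set<String> qualifiers;
        FamilyPlan(Mode mode, Set<String> qualifiers) { this.mode = mode; this.qualifiers = qualifiers; }
        @Override public String toString() { return mode + (qualifiers.isEmpty() ? "" : " " + qualifiers); }
    }

    /** Decide, per requested family, how much per-cell work the scan really needs. */
    static Map<String, FamilyPlan> plan(Grants g, List<String> requestedFamilies) {
        Map<String, FamilyPlan> out = new LinkedHashMap<>();
        for (String fam : requestedFamilies) {
            if (g.tableRead || g.familyRead.contains(fam)) {
                // A coarse grant covers every cell in the family: no per-cell authorization call.
                out.put(fam, new FamilyPlan(Mode.NO_FILTER, Collections.emptySet()));
                continue;
            }
            Set<String> quals = g.qualifierRead.getOrDefault(fam, Collections.emptySet());
            // No coarse grant: narrow the scan to granted qualifiers instead of testing every cell.
            // In this model a family with no grant at any level is simply not readable.
            out.put(fam, quals.isEmpty()
                    ? new FamilyPlan(Mode.DENY, quals)
                    : new FamilyPlan(Mode.LIMIT_TO_QUALIFIERS, new TreeSet<>(quals)));
        }
        return out;
    }

    public static void main(String[] args) {
        Grants g = new Grants();                 // constructed sample grants
        g.familyRead.add("info");
        g.qualifierRead.put("pii", new HashSet<>(Arrays.asList("city", "country")));
        System.out.println(plan(g, Arrays.asList("info", "pii", "audit")));
    }
}
```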
Modifier and Type | Class and Description |
---|---|
static class | AccessControlFilter.Strategy |

Nested classes inherited from class Filter: Filter.ReturnCode
Modifier and Type | Field and Description |
---|---|
private TableAuthManager | authManager |
private Map<ByteRange,Integer> | cfVsMaxVersions |
private int | currentVersions |
private int | familyMaxVersions |
private boolean | isSystemTable |
private ByteRange | prevFam |
private ByteRange | prevQual |
private AccessControlFilter.Strategy | strategy |
private TableName | table |
private User | user |
Constructor and Description |
---|
AccessControlFilter() For Writable |
AccessControlFilter(TableAuthManager mgr, User ugi, TableName tableName, AccessControlFilter.Strategy strategy, Map<ByteRange,Integer> cfVsMaxVersions) |
Modifier and Type | Method and Description |
---|---|
Filter.ReturnCode | filterKeyValue(Cell cell) A way to filter based on the column family, column qualifier and/or the column value. |
static AccessControlFilter | parseFrom(byte[] pbBytes) |
void | reset() Filters that are purely stateless and do nothing in their reset() methods can inherit this null/empty implementation. |
byte[] | toByteArray() Return length 0 byte array for Filters that don't require special serialization |
Cell | transformCell(Cell v) By default no transformation takes place. Give the filter a chance to transform the passed KeyValue. |
Methods inherited from class FilterBase: createFilterFromArguments, filterAllRemaining, filterRow, filterRowCells, filterRowKey, getNextCellHint, getNextKeyHint, hasFilterRow, isFamilyEssential, toString, transform
Methods inherited from class Filter: isReversed, setReversed
private TableAuthManager authManager
private TableName table
private User user
private boolean isSystemTable
private AccessControlFilter.Strategy strategy
private int familyMaxVersions
private int currentVersions
private ByteRange prevFam
private ByteRange prevQual
AccessControlFilter()
AccessControlFilter(TableAuthManager mgr, User ugi, TableName tableName, AccessControlFilter.Strategy strategy, Map<ByteRange,Integer> cfVsMaxVersions)
public Filter.ReturnCode filterKeyValue(Cell cell)
Description copied from class: Filter
If the filter returns ReturnCode.NEXT_ROW, it should return ReturnCode.NEXT_ROW until Filter.reset() is called just in case the caller calls for the next row.
Concrete implementers can signal a failure condition in their code by throwing an IOException.
Specified by: filterKeyValue in class Filter
Parameters: cell - the Cell in question
See also: Filter.ReturnCode
public Cell transformCell(Cell v)
Description copied from class: FilterBase
Overrides: transformCell in class FilterBase
Parameters: v - the KeyValue in question
The transformed KeyValue is what is eventually returned to the client. Most filters will return the passed KeyValue unchanged.
, for an example of a transformation.
Concrete implementers can signal a failure condition in their code by throwing an IOException.
public void reset() throws IOException
Description copied from class: FilterBase
Overrides: reset in class FilterBase
Throws: IOException - in case an I/O or a filter-specific failure needs to be signaled.
public byte[] toByteArray()
Description copied from class: FilterBase
Overrides: toByteArray in class FilterBase
public static AccessControlFilter parseFrom(byte[] pbBytes) throws DeserializationException
Parameters: pbBytes - A pb serialized AccessControlFilter instance
Returns: AccessControlFilter made from bytes
Throws: DeserializationException
See also: toByteArray()
Copyright © 2007–2019 The Apache Software Foundation. All rights reserved.