View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.visibility;
19  
20  import java.io.IOException;
21  import java.util.List;
22  
23  import org.apache.hadoop.conf.Configurable;
24  import org.apache.hadoop.hbase.Tag;
25  import org.apache.hadoop.hbase.TagType;
26  import org.apache.hadoop.hbase.classification.InterfaceAudience;
27  import org.apache.hadoop.hbase.classification.InterfaceStability;
28  import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
29  import org.apache.hadoop.hbase.regionserver.OperationStatus;
30  import org.apache.hadoop.hbase.security.User;
31  
32  /**
33   * The interface which deals with visibility labels and user auths admin service as well as the cell
34   * visibility expression storage part and read time evaluation.
35   */
36  @InterfaceAudience.Public
37  @InterfaceStability.Evolving
38  public interface VisibilityLabelService extends Configurable {
39  
40    /**
41     * System calls this after opening of regions. Gives a chance for the VisibilityLabelService to so
42     * any initialization logic.
43     * @param e
44     *          the region coprocessor env
45     */
46    void init(RegionCoprocessorEnvironment e) throws IOException;
47  
48    /**
49     * Adds the set of labels into the system.
50     * @param labels
51     *          Labels to add to the system.
52     * @return OperationStatus for each of the label addition
53     */
54    OperationStatus[] addLabels(List<byte[]> labels) throws IOException;
55  
56    /**
57     * Sets given labels globally authorized for the user.
58     * @param user
59     *          The authorizing user
60     * @param authLabels
61     *          Labels which are getting authorized for the user
62     * @return OperationStatus for each of the label auth addition
63     */
64    OperationStatus[] setAuths(byte[] user, List<byte[]> authLabels) throws IOException;
65  
66    /**
67     * Removes given labels from user's globally authorized list of labels.
68     * @param user
69     *          The user whose authorization to be removed
70     * @param authLabels
71     *          Labels which are getting removed from authorization set
72     * @return OperationStatus for each of the label auth removal
73     */
74    OperationStatus[] clearAuths(byte[] user, List<byte[]> authLabels) throws IOException;
75  
76    /**
77     * Retrieve the visibility labels for the user.
78     * @param user
79     *          Name of the user whose authorization to be retrieved
80     * @param systemCall
81     *          Whether a system or user originated call.
82     * @return Visibility labels authorized for the given user.
83     * @deprecated Use {@link #getUserAuths(byte[], boolean)}
84     */
85    @Deprecated
86    List<String> getAuths(byte[] user, boolean systemCall) throws IOException;
87  
88    /**
89     * Retrieve the visibility labels for the user.
90     * @param user
91     *          Name of the user whose authorization to be retrieved
92     * @param systemCall
93     *          Whether a system or user originated call.
94     * @return Visibility labels authorized for the given user.
95     */
96    List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException;
97  
98    /**
99     * Retrieve the visibility labels for the groups.
100    * @param groups
101    *          Name of the groups whose authorization to be retrieved
102    * @param systemCall
103    *          Whether a system or user originated call.
104    * @return Visibility labels authorized for the given group.
105    */
106   List<String> getGroupAuths(String[] groups, boolean systemCall) throws IOException;
107 
108   /**
109    * Retrieve the list of visibility labels defined in the system.
110    * @param regex  The regular expression to filter which labels are returned.
111    * @return List of visibility labels
112    */
113   List<String> listLabels(String regex) throws IOException;
114 
115   /**
116    * Creates tags corresponding to given visibility expression.
117    * <br>
118    * Note: This will be concurrently called from multiple threads and implementation should
119    * take care of thread safety.
120    * @param visExpression The Expression for which corresponding Tags to be created.
121    * @param withSerializationFormat specifies whether a tag, denoting the serialization version
122    *          of the tags, to be added in the list. When this is true make sure to add the
123    *          serialization format Tag also. The format tag value should be byte type.
124    * @param checkAuths denotes whether to check individual labels in visExpression against user's
125    *          global auth label.
126    * @return The list of tags corresponds to the visibility expression. These tags will be stored
127    *         along with the Cells.
128    */
129   List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
130       boolean checkAuths) throws IOException;
131 
132   /**
133    * Creates VisibilityExpEvaluator corresponding to given Authorizations. <br>
134    * Note: This will be concurrently called from multiple threads and implementation should take
135    * care of thread safety.
136    * @param authorizations
137    *          Authorizations for the read request
138    * @return The VisibilityExpEvaluator corresponding to the given set of authorization labels.
139    */
140   VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
141       throws IOException;
142 
143   /**
144    * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
145    * operation is allowed only for users having system auth. Also during read, if the requesting
146    * user has system auth, he can view all the data irrespective of its labels.
147    * @param user
148    *          User for whom system auth check to be done.
149    * @return true if the given user is having system/super auth
150    * @deprecated Use {@link #havingSystemAuth(User)}
151    */
152   @Deprecated
153   boolean havingSystemAuth(byte[] user) throws IOException;
154 
155   /**
156    * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
157    * operation is allowed only for users having system auth. Also during read, if the requesting
158    * user has system auth, he can view all the data irrespective of its labels.
159    * @param user
160    *          User for whom system auth check to be done.
161    * @return true if the given user is having system/super auth
162    */
163   boolean havingSystemAuth(User user) throws IOException;
164 
165   /**
166    * System uses this for deciding whether a Cell can be deleted by matching visibility expression
167    * in Delete mutation and the cell in consideration. Also system passes the serialization format
168    * of visibility tags in Put and Delete.<br>
169    * Note: This will be concurrently called from multiple threads and implementation should take
170    * care of thread safety.
171    * @param putVisTags
172    *          The visibility tags present in the Put mutation
173    * @param putVisTagFormat
174    *          The serialization format for the Put visibility tags. A <code>null</code> value for
175    *          this format means the tags are written with unsorted label ordinals
176    * @param deleteVisTags
177    *          - The visibility tags in the delete mutation (the specified Cell Visibility)
178    * @param deleteVisTagFormat
179    *          The serialization format for the Delete visibility tags. A <code>null</code> value for
180    *          this format means the tags are written with unsorted label ordinals
181    * @return true if matching tags are found
182    * @see VisibilityConstants#SORTED_ORDINAL_SERIALIZATION_FORMAT
183    */
184   boolean matchVisibility(List<Tag> putVisTags, Byte putVisTagFormat, List<Tag> deleteVisTags,
185       Byte deleteVisTagFormat) throws IOException;
186 
187   /**
188    * Provides a way to modify the visibility tags of type {@link TagType}
189    * .VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits
190    * that are prepared for replication while calling
191    * {@link org.apache.hadoop.hbase.replication.ReplicationEndpoint}
192    * .replicate().
193    * {@link org.apache.hadoop.hbase.security.visibility.VisibilityReplicationEndpoint}
194    * calls this API to provide an opportunity to modify the visibility tags
195    * before replicating.
196    *
197    * @param visTags
198    *          the visibility tags associated with the cell
199    * @param serializationFormat
200    *          the serialization format associated with the tag
201    * @return the modified visibility expression in the form of byte[]
202    * @throws IOException
203    */
204   byte[] encodeVisibilityForReplication(final List<Tag> visTags,
205       final Byte serializationFormat) throws IOException;
206 
207 }