001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security.visibility;
019
020import java.util.ArrayList;
021import java.util.HashSet;
022import java.util.List;
023import java.util.Set;
024
025import org.apache.yetus.audience.InterfaceAudience;
026import org.slf4j.Logger;
027import org.slf4j.LoggerFactory;
028import org.apache.hadoop.conf.Configuration;
029import org.apache.hadoop.hbase.security.User;
030
031/**
032 * This is an implementation for ScanLabelGenerator.
033 * It will extract labels from passed in authorizations and cross check
034 * against the set of predefined authorization labels for given user.
035 * The labels for which the user is not authorized will be dropped.
036 */
037@InterfaceAudience.Private
038public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator {
039  private static final Logger LOG =
040      LoggerFactory.getLogger(DefinedSetFilterScanLabelGenerator.class);
041
042  private Configuration conf;
043
044  private VisibilityLabelsCache labelsCache;
045
046  public DefinedSetFilterScanLabelGenerator() {
047    this.labelsCache = VisibilityLabelsCache.get();
048  }
049
050  @Override
051  public void setConf(Configuration conf) {
052    this.conf = conf;
053  }
054
055  @Override
056  public Configuration getConf() {
057    return this.conf;
058  }
059
060  @Override
061  public List<String> getLabels(User user, Authorizations authorizations) {
062    if (authorizations != null) {
063      List<String> labels = authorizations.getLabels();
064      String userName = user.getShortName();
065      Set<String> auths = new HashSet<>();
066      auths.addAll(this.labelsCache.getUserAuths(userName));
067      auths.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
068      return dropLabelsNotInUserAuths(labels, new ArrayList<>(auths), userName);
069    }
070    return null;
071  }
072
073  private List<String> dropLabelsNotInUserAuths(List<String> labels, List<String> auths,
074      String userName) {
075    List<String> droppedLabels = new ArrayList<>();
076    List<String> passedLabels = new ArrayList<>(labels.size());
077    for (String label : labels) {
078      if (auths.contains(label)) {
079        passedLabels.add(label);
080      } else {
081        droppedLabels.add(label);
082      }
083    }
084    if (!droppedLabels.isEmpty()) {
085      StringBuilder sb = new StringBuilder();
086      sb.append("Dropping invalid authorizations requested by user ");
087      sb.append(userName);
088      sb.append(": [ ");
089      for (String label: droppedLabels) {
090        sb.append(label);
091        sb.append(' ');
092      }
093      sb.append(']');
094      LOG.warn(sb.toString());
095    }
096    return passedLabels;
097  }
098}