001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security.visibility; 019 020import java.util.ArrayList; 021import java.util.HashSet; 022import java.util.List; 023import java.util.Set; 024 025import org.apache.yetus.audience.InterfaceAudience; 026import org.slf4j.Logger; 027import org.slf4j.LoggerFactory; 028import org.apache.hadoop.conf.Configuration; 029import org.apache.hadoop.hbase.security.User; 030 031/** 032 * This is an implementation for ScanLabelGenerator. 033 * It will extract labels from passed in authorizations and cross check 034 * against the set of predefined authorization labels for given user. 035 * The labels for which the user is not authorized will be dropped. 036 */ 037@InterfaceAudience.Private 038public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator { 039 private static final Logger LOG = 040 LoggerFactory.getLogger(DefinedSetFilterScanLabelGenerator.class); 041 042 private Configuration conf; 043 044 private VisibilityLabelsCache labelsCache; 045 046 public DefinedSetFilterScanLabelGenerator() { 047 this.labelsCache = VisibilityLabelsCache.get(); 048 } 049 050 @Override 051 public void setConf(Configuration conf) { 052 this.conf = conf; 053 } 054 055 @Override 056 public Configuration getConf() { 057 return this.conf; 058 } 059 060 @Override 061 public List<String> getLabels(User user, Authorizations authorizations) { 062 if (authorizations != null) { 063 List<String> labels = authorizations.getLabels(); 064 String userName = user.getShortName(); 065 Set<String> auths = new HashSet<>(); 066 auths.addAll(this.labelsCache.getUserAuths(userName)); 067 auths.addAll(this.labelsCache.getGroupAuths(user.getGroupNames())); 068 return dropLabelsNotInUserAuths(labels, new ArrayList<>(auths), userName); 069 } 070 return null; 071 } 072 073 private List<String> dropLabelsNotInUserAuths(List<String> labels, List<String> auths, 074 String userName) { 075 List<String> droppedLabels = new ArrayList<>(); 076 List<String> passedLabels = new ArrayList<>(labels.size()); 077 for (String label : labels) { 078 if (auths.contains(label)) { 079 passedLabels.add(label); 080 } else { 081 droppedLabels.add(label); 082 } 083 } 084 if (!droppedLabels.isEmpty()) { 085 StringBuilder sb = new StringBuilder(); 086 sb.append("Dropping invalid authorizations requested by user "); 087 sb.append(userName); 088 sb.append(": [ "); 089 for (String label: droppedLabels) { 090 sb.append(label); 091 sb.append(' '); 092 } 093 sb.append(']'); 094 LOG.warn(sb.toString()); 095 } 096 return passedLabels; 097 } 098}