@InterfaceAudience.Private class AccessControlFilter extends FilterBase
TODO: There is room for further performance optimization here. Calling AuthManager.authorize() per KeyValue imposes a fair amount of overhead. A more optimized solution might look at the qualifiers where permissions are actually granted and explicitly limit the scan to those.
We should aim to use this _only_ when access to the requested column families is not granted at the column family levels. If table or column family access succeeds, then there is no need to impose the overhead of this filter.
Modifier and Type | Class and Description |
---|---|
static class |
AccessControlFilter.Strategy |
Filter.ReturnCode
Modifier and Type | Field and Description |
---|---|
private AuthManager |
authManager |
private Map<ByteRange,Integer> |
cfVsMaxVersions |
private int |
currentVersions |
private int |
familyMaxVersions |
private boolean |
isSystemTable |
private ByteRange |
prevFam |
private ByteRange |
prevQual |
private AccessControlFilter.Strategy |
strategy |
private TableName |
table |
private User |
user |
Constructor and Description |
---|
AccessControlFilter()
For Writable
|
AccessControlFilter(AuthManager mgr,
User ugi,
TableName tableName,
AccessControlFilter.Strategy strategy,
Map<ByteRange,Integer> cfVsMaxVersions) |
Modifier and Type | Method and Description |
---|---|
boolean |
equals(Object obj) |
Filter.ReturnCode |
filterCell(Cell cell)
A way to filter based on the column family, column qualifier and/or the column value.
|
boolean |
filterRowKey(Cell cell)
Filters a row based on the row key.
|
int |
hashCode() |
static AccessControlFilter |
parseFrom(byte[] pbBytes) |
void |
reset()
Filters that are purely stateless and do nothing in their reset() methods can inherit this
null/empty implementation.
|
byte[] |
toByteArray()
Returns The filter serialized using pb
|
createFilterFromArguments, filterAllRemaining, filterRow, filterRowCells, getNextCellHint, hasFilterRow, isFamilyEssential, toString, transformCell
isReversed, setReversed
private AuthManager authManager
private boolean isSystemTable
private AccessControlFilter.Strategy strategy
private Map<ByteRange,Integer> cfVsMaxVersions
private int familyMaxVersions
private int currentVersions
AccessControlFilter()
AccessControlFilter(AuthManager mgr, User ugi, TableName tableName, AccessControlFilter.Strategy strategy, Map<ByteRange,Integer> cfVsMaxVersions)
public boolean filterRowKey(Cell cell) throws IOException
Filter
Filter.filterCell(Cell)
below. If
Filter.filterAllRemaining()
returns true, then Filter.filterRowKey(Cell)
should also return
true. Concrete implementers can signal a failure condition in their code by throwing an
IOException
.filterRowKey
in class FilterBase
cell
- The first cell coming in the new rowIOException
- in case an I/O or an filter specific failure needs to be signaled.public Filter.ReturnCode filterCell(Cell cell)
Filter
ReturnCode.NEXT_ROW
, it should return
ReturnCode.NEXT_ROW
until Filter.reset()
is called just in case the caller calls
for the next row. Concrete implementers can signal a failure condition in their code by
throwing an IOException
.filterCell
in class Filter
cell
- the Cell in questionFilter.ReturnCode
public void reset() throws IOException
FilterBase
IOException
.reset
in class FilterBase
IOException
- in case an I/O or an filter specific failure needs to be signaled.public byte[] toByteArray()
toByteArray
in class FilterBase
public static AccessControlFilter parseFrom(byte[] pbBytes) throws DeserializationException
pbBytes
- A pb serialized AccessControlFilter
instanceAccessControlFilter
made from bytes
DeserializationException
toByteArray()
Copyright © 2007–2020 The Apache Software Foundation. All rights reserved.