1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import org.apache.hadoop.hbase.exceptions.DeserializationException;
22  import org.apache.hadoop.hbase.KeyValue;
23  import org.apache.hadoop.hbase.filter.FilterBase;
24  import org.apache.hadoop.hbase.security.User;
25  
26  /**
27   * <strong>NOTE: for internal use only by AccessController implementation</strong>
28   *
29   * <p>
30   * TODO: There is room for further performance optimization here.
31   * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of
32   * overhead.  A more optimized solution might look at the qualifiers where
33   * permissions are actually granted and explicitly limit the scan to those.
34   * </p>
35   * <p>
36   * We should aim to use this _only_ when access to the requested column families
37   * is not granted at the column family levels.  If table or column family
38   * access succeeds, then there is no need to impose the overhead of this filter.
39   * </p>
40   */
41  class AccessControlFilter extends FilterBase {
42  
43    private TableAuthManager authManager;
44    private byte[] table;
45    private User user;
46  
47    /**
48     * For Writable
49     */
50    AccessControlFilter() {
51    }
52  
53    AccessControlFilter(TableAuthManager mgr, User ugi,
54        byte[] tableName) {
55      authManager = mgr;
56      table = tableName;
57      user = ugi;
58    }
59  
60    @Override
61    public ReturnCode filterKeyValue(KeyValue kv) {
62      if (authManager.authorize(user, table, kv, TablePermission.Action.READ)) {
63        return ReturnCode.INCLUDE;
64      }
65      return ReturnCode.NEXT_COL;
66    }
67  
68    /**
69     * @return The filter serialized using pb
70     */
71    public byte [] toByteArray() {
72      // no implementation, server-side use only
73      throw new UnsupportedOperationException(
74        "Serialization not supported.  Intended for server-side use only.");
75    }
76  
77    /**
78     * @param pbBytes A pb serialized {@link AccessControlFilter} instance
79     * @return An instance of {@link AccessControlFilter} made from <code>bytes</code>
80     * @throws org.apache.hadoop.hbase.exceptions.DeserializationException
81     * @see {@link #toByteArray()}
82     */
83    public static AccessControlFilter parseFrom(final byte [] pbBytes)
84    throws DeserializationException {
85      // no implementation, server-side use only
86      throw new UnsupportedOperationException(
87        "Serialization not supported.  Intended for server-side use only.");
88    }
89  }