
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import org.apache.hadoop.hbase.Cell;
22  import org.apache.hadoop.hbase.TableName;
23  import org.apache.hadoop.hbase.exceptions.DeserializationException;
24  import org.apache.hadoop.hbase.filter.FilterBase;
25  import org.apache.hadoop.hbase.security.User;
26  
/**
 * <strong>NOTE: for internal use only by AccessController implementation</strong>
 *
 * <p>
 * Scan filter that asks {@link TableAuthManager} whether the requesting user
 * holds {@code READ} permission on each cell. Cells that fail the check are
 * skipped, not reported as errors, so the caller cannot tell a denied cell
 * from one that does not exist.
 * </p>
 * <p>
 * Cells of a system table are always included; this class performs no
 * authorization for them. NOTE(review): presumably access to system tables is
 * enforced by the caller before this filter is installed; confirm against
 * AccessController.
 * </p>
 * <p>
 * TODO: There is room for further performance optimization here.
 * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of
 * overhead.  A more optimized solution might look at the qualifiers where
 * permissions are actually granted and explicitly limit the scan to those.
 * </p>
 * <p>
 * We should aim to use this _only_ when access to the requested column families
 * is not granted at the column family levels.  If table or column family
 * access succeeds, then there is no need to impose the overhead of this filter.
 * </p>
 */
class AccessControlFilter extends FilterBase {

  /** Message shared by the two unsupported serialization entry points. */
  private static final String SERVER_SIDE_ONLY =
      "Serialization not supported.  Intended for server-side use only.";

  private TableAuthManager authManager;
  private TableName table;
  private User user;
  private boolean isSystemTable;
  private boolean cellFirstStrategy;

  /**
   * For Writable.
   *
   * <p>
   * Leaves every field at its default value. An instance built this way has
   * no auth manager, so {@link #filterKeyValue(Cell)} would fail with a
   * {@link NullPointerException} instead of including any cell.
   * </p>
   */
  AccessControlFilter() {
  }

  /**
   * Creates a filter bound to one user and one table.
   *
   * @param mgr authorization manager consulted for every cell
   * @param ugi user on whose behalf cells are being read
   * @param tableName table being scanned; also decides the system-table bypass
   * @param cellFirstStrategy passed through unchanged to
   *     {@code TableAuthManager.authorize}
   */
  AccessControlFilter(TableAuthManager mgr, User ugi, TableName tableName,
      boolean cellFirstStrategy) {
    this.authManager = mgr;
    this.user = ugi;
    this.table = tableName;
    this.cellFirstStrategy = cellFirstStrategy;
    // Computed once here so the per-cell path is a plain boolean test.
    this.isSystemTable = tableName.isSystemTable();
  }

  /**
   * Decides whether a single cell is visible to the user.
   *
   * @param cell the cell under evaluation
   * @return {@code INCLUDE} for any cell of a system table or when the auth
   *     manager grants {@code READ}; {@code SKIP} otherwise
   */
  @Override
  public ReturnCode filterKeyValue(Cell cell) {
    // Short-circuit keeps the auth manager out of the path for system tables.
    final boolean readable = isSystemTable
        || authManager.authorize(user, table, cell, cellFirstStrategy, Permission.Action.READ);
    // A denial only skips this one cell. The NEXT_COL hint used before per
    // cell ACLs is no longer safe: an ACL may be attached to any KV, so every
    // KV has to pass through this filter.
    return readable ? ReturnCode.INCLUDE : ReturnCode.SKIP;
  }

  /**
   * Serialization entry point; not implemented because the filter is
   * intended for server-side use only.
   *
   * @return never returns normally
   * @throws UnsupportedOperationException always
   */
  public byte [] toByteArray() {
    throw new UnsupportedOperationException(SERVER_SIDE_ONLY);
  }

  /**
   * Deserialization entry point; not implemented because the filter is
   * intended for server-side use only, so no instance is ever built from
   * bytes.
   *
   * @param pbBytes ignored
   * @return never returns normally
   * @throws DeserializationException declared in the signature but not thrown
   *     by this implementation
   * @throws UnsupportedOperationException always
   * @see #toByteArray()
   */
  public static AccessControlFilter parseFrom(final byte [] pbBytes)
  throws DeserializationException {
    throw new UnsupportedOperationException(SERVER_SIDE_ONLY);
  }
}