View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.util.Collection;
22  import java.util.Map;
23  
24  import org.apache.hadoop.classification.InterfaceAudience;
25  import org.apache.hadoop.hbase.KeyValue;
26  import org.apache.hadoop.hbase.TableName;
27  import org.apache.hadoop.hbase.security.User;
28  import org.apache.hadoop.hbase.util.Bytes;
29  
30  /**
31   * Represents the result of an authorization check for logging and error
32   * reporting.
33   */
34  @InterfaceAudience.Private
35  public class AuthResult {
36    private boolean allowed;
37    private final String namespace;
38    private final TableName table;
39    private final Permission.Action action;
40    private final String request;
41    private String reason;
42    private final User user;
43  
44    // "family" and "qualifier" should only be used if "families" is null.
45    private final byte[] family;
46    private final byte[] qualifier;
47    private final Map<byte[], ? extends Collection<?>> families;
48  
49    public AuthResult(boolean allowed, String request, String reason, User user,
50        Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
51      this.allowed = allowed;
52      this.request = request;
53      this.reason = reason;
54      this.user = user;
55      this.table = table;
56      this.family = family;
57      this.qualifier = qualifier;
58      this.action = action;
59      this.families = null;
60      this.namespace = null;
61    }
62  
63    public AuthResult(boolean allowed, String request, String reason, User user,
64          Permission.Action action, TableName table,
65          Map<byte[], ? extends Collection<?>> families) {
66      this.allowed = allowed;
67      this.request = request;
68      this.reason = reason;
69      this.user = user;
70      this.table = table;
71      this.family = null;
72      this.qualifier = null;
73      this.action = action;
74      this.families = families;
75      this.namespace = null;
76    }
77  
78    public AuthResult(boolean allowed, String request, String reason, User user,
79          Permission.Action action, String namespace) {
80      this.allowed = allowed;
81      this.request = request;
82      this.reason = reason;
83      this.user = user;
84      this.namespace = namespace;
85      this.action = action;
86      this.table = null;
87      this.family = null;
88      this.qualifier = null;
89      this.families = null;
90    }
91  
92    public boolean isAllowed() {
93      return allowed;
94    }
95  
96    public User getUser() {
97      return user;
98    }
99  
100   public String getReason() {
101     return reason;
102   }
103 
104   public TableName getTableName() {
105     return table;
106   }
107 
108   public byte[] getFamily() {
109     return family;
110   }
111 
112   public byte[] getQualifier() {
113     return qualifier;
114   }
115 
116   public Permission.Action getAction() {
117     return action;
118   }
119 
120   public String getRequest() {
121     return request;
122   }
123 
124   public void setAllowed(boolean allowed) {
125     this.allowed = allowed;
126   }
127 
128   public void setReason(String reason) {
129     this.reason = reason;
130   }
131 
132   String toFamilyString() {
133     StringBuilder sb = new StringBuilder();
134     if (families != null) {
135       boolean first = true;
136       for (Map.Entry<byte[], ? extends Collection<?>> entry : families.entrySet()) {
137         String familyName = Bytes.toString(entry.getKey());
138         if (entry.getValue() != null && !entry.getValue().isEmpty()) {
139           for (Object o : entry.getValue()) {
140             String qualifier;
141             if (o instanceof byte[]) {
142               qualifier = Bytes.toString((byte[])o);
143             } else if (o instanceof KeyValue) {
144               byte[] rawQualifier = ((KeyValue)o).getQualifier();
145               qualifier = Bytes.toString(rawQualifier);
146             } else {
147               // Shouldn't really reach this?
148               qualifier = o.toString();
149             }
150             if (!first) {
151               sb.append("|");
152             }
153             first = false;
154             sb.append(familyName).append(":").append(qualifier);
155           }
156         } else {
157           if (!first) {
158             sb.append("|");
159           }
160           first = false;
161           sb.append(familyName);
162         }
163       }
164     } else if (family != null) {
165       sb.append(Bytes.toString(family));
166       if (qualifier != null) {
167         sb.append(":").append(Bytes.toString(qualifier));
168       }
169     }
170     return sb.toString();
171   }
172 
173   public String toContextString() {
174     StringBuilder sb = new StringBuilder();
175     sb.append("(user=")
176         .append(user != null ? user.getName() : "UNKNOWN")
177         .append(", ");
178     sb.append("scope=")
179         .append(namespace != null ? namespace : table == null ? "GLOBAL" : table);
180     if(namespace == null) {
181       sb.append(", ")
182         .append("family=")
183         .append(toFamilyString())
184         .append(", ");
185     }
186     sb.append("action=")
187         .append(action != null ? action.toString() : "")
188         .append(")");
189     return sb.toString();
190   }
191 
192   public String toString() {
193     return "AuthResult" + toContextString();
194   }
195 
196   public static AuthResult allow(String request, String reason, User user,
197       Permission.Action action, String namespace) {
198     return new AuthResult(true, request, reason, user, action, namespace);
199   }
200 
201   public static AuthResult allow(String request, String reason, User user,
202       Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
203     return new AuthResult(true, request, reason, user, action, table, family, qualifier);
204   }
205 
206   public static AuthResult allow(String request, String reason, User user,
207       Permission.Action action, TableName table,
208       Map<byte[], ? extends Collection<?>> families) {
209     return new AuthResult(true, request, reason, user, action, table, families);
210   }
211 
212   public static AuthResult deny(String request, String reason, User user,
213       Permission.Action action, String namespace) {
214     return new AuthResult(false, request, reason, user, action, namespace);
215   }
216 
217   public static AuthResult deny(String request, String reason, User user,
218       Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
219     return new AuthResult(false, request, reason, user, action, table, family, qualifier);
220   }
221 
222   public static AuthResult deny(String request, String reason, User user,
223         Permission.Action action, TableName table,
224         Map<byte[], ? extends Collection<?>> families) {
225     return new AuthResult(false, request, reason, user, action, table, families);
226   }
227 }