View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.util.Collection;
22  import java.util.Map;
23  
24  import org.apache.hadoop.classification.InterfaceAudience;
25  import org.apache.hadoop.hbase.KeyValue;
26  import org.apache.hadoop.hbase.TableName;
27  import org.apache.hadoop.hbase.security.User;
28  import org.apache.hadoop.hbase.util.Bytes;
29  
30  /**
31   * Represents the result of an authorization check for logging and error
32   * reporting.
33   */
34  @InterfaceAudience.Private
35  public class AuthResult {
36    private final boolean allowed;
37    private final String namespace;
38    private final TableName table;
39    private final Permission.Action action;
40    private final String request;
41    private final String reason;
42    private final User user;
43  
44    // "family" and "qualifier" should only be used if "families" is null.
45    private final byte[] family;
46    private final byte[] qualifier;
47    private final Map<byte[], ? extends Collection<?>> families;
48  
49    public AuthResult(boolean allowed, String request, String reason, User user,
50        Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
51      this.allowed = allowed;
52      this.request = request;
53      this.reason = reason;
54      this.user = user;
55      this.table = table;
56      this.family = family;
57      this.qualifier = qualifier;
58      this.action = action;
59      this.families = null;
60      this.namespace = null;
61    }
62  
63    public AuthResult(boolean allowed, String request, String reason, User user,
64          Permission.Action action, TableName table,
65          Map<byte[], ? extends Collection<?>> families) {
66      this.allowed = allowed;
67      this.request = request;
68      this.reason = reason;
69      this.user = user;
70      this.table = table;
71      this.family = null;
72      this.qualifier = null;
73      this.action = action;
74      this.families = families;
75      this.namespace = null;
76    }
77  
78    public AuthResult(boolean allowed, String request, String reason, User user,
79          Permission.Action action, String namespace) {
80      this.allowed = allowed;
81      this.request = request;
82      this.reason = reason;
83      this.user = user;
84      this.namespace = namespace;
85      this.action = action;
86      this.table = null;
87      this.family = null;
88      this.qualifier = null;
89      this.families = null;
90    }
91  
92    public boolean isAllowed() {
93      return allowed;
94    }
95  
96    public User getUser() {
97      return user;
98    }
99  
100   public String getReason() {
101     return reason;
102   }
103 
104   public TableName getTableName() {
105     return table;
106   }
107 
108   public byte[] getFamily() {
109     return family;
110   }
111 
112   public byte[] getQualifier() {
113     return qualifier;
114   }
115 
116   public Permission.Action getAction() {
117     return action;
118   }
119 
120   public String getRequest() {
121     return request;
122   }
123 
124   String toFamilyString() {
125     StringBuilder sb = new StringBuilder();
126     if (families != null) {
127       boolean first = true;
128       for (Map.Entry<byte[], ? extends Collection<?>> entry : families.entrySet()) {
129         String familyName = Bytes.toString(entry.getKey());
130         if (entry.getValue() != null && !entry.getValue().isEmpty()) {
131           for (Object o : entry.getValue()) {
132             String qualifier;
133             if (o instanceof byte[]) {
134               qualifier = Bytes.toString((byte[])o);
135             } else if (o instanceof KeyValue) {
136               byte[] rawQualifier = ((KeyValue)o).getQualifier();
137               qualifier = Bytes.toString(rawQualifier);
138             } else {
139               // Shouldn't really reach this?
140               qualifier = o.toString();
141             }
142             if (!first) {
143               sb.append("|");
144             }
145             first = false;
146             sb.append(familyName).append(":").append(qualifier);
147           }
148         } else {
149           if (!first) {
150             sb.append("|");
151           }
152           first = false;
153           sb.append(familyName);
154         }
155       }
156     } else if (family != null) {
157       sb.append(Bytes.toString(family));
158       if (qualifier != null) {
159         sb.append(":").append(Bytes.toString(qualifier));
160       }
161     }
162     return sb.toString();
163   }
164 
165   public String toContextString() {
166     StringBuilder sb = new StringBuilder();
167     sb.append("(user=")
168         .append(user != null ? user.getName() : "UNKNOWN")
169         .append(", ");
170     sb.append("scope=")
171         .append(namespace != null ? namespace : table == null ? "GLOBAL" : table);
172     if(namespace == null) {
173       sb.append(", ")
174         .append("family=")
175         .append(toFamilyString())
176         .append(", ");
177     }
178     sb.append("action=")
179         .append(action != null ? action.toString() : "")
180         .append(")");
181     return sb.toString();
182   }
183 
184   public String toString() {
185     return "AuthResult" + toContextString();
186   }
187 
188   public static AuthResult allow(String request, String reason, User user,
189       Permission.Action action, String namespace) {
190     return new AuthResult(true, request, reason, user, action, namespace);
191   }
192 
193   public static AuthResult allow(String request, String reason, User user,
194       Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
195     return new AuthResult(true, request, reason, user, action, table, family, qualifier);
196   }
197 
198   public static AuthResult allow(String request, String reason, User user,
199       Permission.Action action, TableName table,
200       Map<byte[], ? extends Collection<?>> families) {
201     return new AuthResult(true, request, reason, user, action, table, families);
202   }
203 
204   public static AuthResult deny(String request, String reason, User user,
205       Permission.Action action, String namespace) {
206     return new AuthResult(false, request, reason, user, action, namespace);
207   }
208 
209   public static AuthResult deny(String request, String reason, User user,
210       Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
211     return new AuthResult(false, request, reason, user, action, table, family, qualifier);
212   }
213 
214   public static AuthResult deny(String request, String reason, User user,
215         Permission.Action action, TableName table,
216         Map<byte[], ? extends Collection<?>> families) {
217     return new AuthResult(false, request, reason, user, action, table, families);
218   }
219 }