View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.util.Collection;
22  import java.util.Map;
23  
24  import org.apache.hadoop.hbase.classification.InterfaceAudience;
25  import org.apache.hadoop.hbase.Cell;
26  import org.apache.hadoop.hbase.TableName;
27  import org.apache.hadoop.hbase.security.User;
28  import org.apache.hadoop.hbase.util.Bytes;
29  
30  /**
31   * Represents the result of an authorization check for logging and error
32   * reporting.
33   */
34  @InterfaceAudience.Private
35  public class AuthResult {
36    private boolean allowed;
37    private final String namespace;
38    private final TableName table;
39    private final Permission.Action action;
40    private final String request;
41    private String reason;
42    private final User user;
43  
44    // "family" and "qualifier" should only be used if "families" is null.
45    private final byte[] family;
46    private final byte[] qualifier;
47    private final Map<byte[], ? extends Collection<?>> families;
48  
49    public AuthResult(boolean allowed, String request, String reason, User user,
50        Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
51      this.allowed = allowed;
52      this.request = request;
53      this.reason = reason;
54      this.user = user;
55      this.table = table;
56      this.family = family;
57      this.qualifier = qualifier;
58      this.action = action;
59      this.families = null;
60      this.namespace = null;
61    }
62  
63    public AuthResult(boolean allowed, String request, String reason, User user,
64          Permission.Action action, TableName table,
65          Map<byte[], ? extends Collection<?>> families) {
66      this.allowed = allowed;
67      this.request = request;
68      this.reason = reason;
69      this.user = user;
70      this.table = table;
71      this.family = null;
72      this.qualifier = null;
73      this.action = action;
74      this.families = families;
75      this.namespace = null;
76    }
77  
78    public AuthResult(boolean allowed, String request, String reason, User user,
79          Permission.Action action, String namespace) {
80      this.allowed = allowed;
81      this.request = request;
82      this.reason = reason;
83      this.user = user;
84      this.namespace = namespace;
85      this.action = action;
86      this.table = null;
87      this.family = null;
88      this.qualifier = null;
89      this.families = null;
90    }
91  
92    public boolean isAllowed() {
93      return allowed;
94    }
95  
96    public User getUser() {
97      return user;
98    }
99  
100   public String getReason() {
101     return reason;
102   }
103 
104   public TableName getTableName() {
105     return table;
106   }
107 
108   public byte[] getFamily() {
109     return family;
110   }
111 
112   public byte[] getQualifier() {
113     return qualifier;
114   }
115 
116   public Permission.Action getAction() {
117     return action;
118   }
119 
120   public String getRequest() {
121     return request;
122   }
123 
124   public void setAllowed(boolean allowed) {
125     this.allowed = allowed;
126   }
127 
128   public void setReason(String reason) {
129     this.reason = reason;
130   }
131 
132   String toFamilyString() {
133     StringBuilder sb = new StringBuilder();
134     if (families != null) {
135       boolean first = true;
136       for (Map.Entry<byte[], ? extends Collection<?>> entry : families.entrySet()) {
137         String familyName = Bytes.toString(entry.getKey());
138         if (entry.getValue() != null && !entry.getValue().isEmpty()) {
139           for (Object o : entry.getValue()) {
140             String qualifier;
141             if (o instanceof byte[]) {
142               qualifier = Bytes.toString((byte[])o);
143             } else if (o instanceof Cell) {
144               Cell c = (Cell) o;
145               qualifier = Bytes.toString(c.getQualifierArray(), c.getQualifierOffset(),
146                   c.getQualifierLength());
147             } else {
148               // Shouldn't really reach this?
149               qualifier = o.toString();
150             }
151             if (!first) {
152               sb.append("|");
153             }
154             first = false;
155             sb.append(familyName).append(":").append(qualifier);
156           }
157         } else {
158           if (!first) {
159             sb.append("|");
160           }
161           first = false;
162           sb.append(familyName);
163         }
164       }
165     } else if (family != null) {
166       sb.append(Bytes.toString(family));
167       if (qualifier != null) {
168         sb.append(":").append(Bytes.toString(qualifier));
169       }
170     }
171     return sb.toString();
172   }
173 
174   public String toContextString() {
175     StringBuilder sb = new StringBuilder();
176     sb.append("(user=")
177         .append(user != null ? user.getName() : "UNKNOWN")
178         .append(", ");
179     sb.append("scope=")
180         .append(namespace != null ? namespace : table == null ? "GLOBAL" : table);
181     if(namespace == null) {
182       sb.append(", ")
183         .append("family=")
184         .append(toFamilyString())
185         .append(", ");
186     }
187     sb.append("action=")
188         .append(action != null ? action.toString() : "")
189         .append(")");
190     return sb.toString();
191   }
192 
193   public String toString() {
194     return "AuthResult" + toContextString();
195   }
196 
197   public static AuthResult allow(String request, String reason, User user,
198       Permission.Action action, String namespace) {
199     return new AuthResult(true, request, reason, user, action, namespace);
200   }
201 
202   public static AuthResult allow(String request, String reason, User user,
203       Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
204     return new AuthResult(true, request, reason, user, action, table, family, qualifier);
205   }
206 
207   public static AuthResult allow(String request, String reason, User user,
208       Permission.Action action, TableName table,
209       Map<byte[], ? extends Collection<?>> families) {
210     return new AuthResult(true, request, reason, user, action, table, families);
211   }
212 
213   public static AuthResult deny(String request, String reason, User user,
214       Permission.Action action, String namespace) {
215     return new AuthResult(false, request, reason, user, action, namespace);
216   }
217 
218   public static AuthResult deny(String request, String reason, User user,
219       Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
220     return new AuthResult(false, request, reason, user, action, table, family, qualifier);
221   }
222 
223   public static AuthResult deny(String request, String reason, User user,
224         Permission.Action action, TableName table,
225         Map<byte[], ? extends Collection<?>> families) {
226     return new AuthResult(false, request, reason, user, action, table, families);
227   }
228 }