org.apache.hadoop.hbase.security.visibility

Interface VisibilityLabelService

All Superinterfaces:

org.apache.hadoop.conf.Configurable

All Known Implementing Classes:

DefaultVisibilityLabelServiceImpl

@InterfaceAudience.Public
@InterfaceStability.Evolving
public interface VisibilityLabelService
extends org.apache.hadoop.conf.Configurable

The interface which deals with visibility labels and user auths admin service as well as the cell visibility expression storage part and read time evaluation.

Method Summary

Methods

Modifier and Type	Method and Description
OperationStatus[]	addLabels(List<byte[]> labels) Adds the set of labels into the system.
OperationStatus[]	clearAuths(byte[] user, List<byte[]> authLabels) Removes given labels from user's globally authorized list of labels.
List<Tag>	createVisibilityExpTags(String visExpression, boolean withSerializationFormat, boolean checkAuths) Creates tags corresponding to given visibility expression.
byte[]	encodeVisibilityForReplication(List<Tag> visTags, Byte serializationFormat) Provides a way to modify the visibility tags of type TagType .VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint .replicate().
List<String>	getAuths(byte[] user, boolean systemCall) Deprecated. Use getUserAuths(byte[], boolean)
List<String>	getGroupAuths(String[] groups, boolean systemCall) Retrieve the visibility labels for the groups.
List<String>	getUserAuths(byte[] user, boolean systemCall) Retrieve the visibility labels for the user.
VisibilityExpEvaluator	getVisibilityExpEvaluator(Authorizations authorizations) Creates VisibilityExpEvaluator corresponding to given Authorizations.
boolean	havingSystemAuth(byte[] user) Deprecated. Use havingSystemAuth(User)
boolean	havingSystemAuth(User user) System checks for user auth during admin operations.
void	init(RegionCoprocessorEnvironment e) System calls this after opening of regions.
List<String>	listLabels(String regex) Retrieve the list of visibility labels defined in the system.
boolean	matchVisibility(List<Tag> putVisTags, Byte putVisTagFormat, List<Tag> deleteVisTags, Byte deleteVisTagFormat) System uses this for deciding whether a Cell can be deleted by matching visibility expression in Delete mutation and the cell in consideration.
OperationStatus[]	setAuths(byte[] user, List<byte[]> authLabels) Sets given labels globally authorized for the user.

Methods inherited from interface org.apache.hadoop.conf.Configurable

getConf, setConf

Method Detail

init

void init(RegionCoprocessorEnvironment e)
          throws IOException

System calls this after opening of regions. Gives a chance for the VisibilityLabelService to so any initialization logic.

Parameters:

e - the region coprocessor env

Throws:

IOException

addLabels

OperationStatus[] addLabels(List<byte[]> labels)
                            throws IOException

Adds the set of labels into the system.

Parameters:

labels - Labels to add to the system.

Returns:

OperationStatus for each of the label addition

Throws:

IOException

setAuths

OperationStatus[] setAuths(byte[] user,
                         List<byte[]> authLabels)
                           throws IOException

Sets given labels globally authorized for the user.

Parameters:

user - The authorizing user

authLabels - Labels which are getting authorized for the user

Returns:

OperationStatus for each of the label auth addition

Throws:

IOException

clearAuths

OperationStatus[] clearAuths(byte[] user,
                           List<byte[]> authLabels)
                             throws IOException

Removes given labels from user's globally authorized list of labels.

Parameters:

user - The user whose authorization to be removed

authLabels - Labels which are getting removed from authorization set

Returns:

OperationStatus for each of the label auth removal

Throws:

IOException

getAuths

@Deprecated
List<String> getAuths(byte[] user,
                               boolean systemCall)
                      throws IOException

Deprecated. Use getUserAuths(byte[], boolean)

Retrieve the visibility labels for the user.

Parameters:

user - Name of the user whose authorization to be retrieved

systemCall - Whether a system or user originated call.

Returns:

Visibility labels authorized for the given user.

Throws:

IOException

getUserAuths

List<String> getUserAuths(byte[] user,
                        boolean systemCall)
                          throws IOException

Retrieve the visibility labels for the user.

Parameters:

user - Name of the user whose authorization to be retrieved

systemCall - Whether a system or user originated call.

Returns:

Visibility labels authorized for the given user.

Throws:

IOException

getGroupAuths

List<String> getGroupAuths(String[] groups,
                         boolean systemCall)
                           throws IOException

Retrieve the visibility labels for the groups.

Parameters:

groups - Name of the groups whose authorization to be retrieved

systemCall - Whether a system or user originated call.

Returns:

Visibility labels authorized for the given group.

Throws:

IOException

listLabels

List<String> listLabels(String regex)
                        throws IOException

Retrieve the list of visibility labels defined in the system.

Parameters:

regex - The regular expression to filter which labels are returned.

Returns:

List of visibility labels

Throws:

IOException

createVisibilityExpTags

List<Tag> createVisibilityExpTags(String visExpression,
                                boolean withSerializationFormat,
                                boolean checkAuths)
                                  throws IOException

Creates tags corresponding to given visibility expression.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety.

Parameters:

visExpression - The Expression for which corresponding Tags to be created.

withSerializationFormat - specifies whether a tag, denoting the serialization version of the tags, to be added in the list. When this is true make sure to add the serialization format Tag also. The format tag value should be byte type.

checkAuths - denotes whether to check individual labels in visExpression against user's global auth label.

Returns:

The list of tags corresponds to the visibility expression. These tags will be stored along with the Cells.

Throws:

IOException

getVisibilityExpEvaluator

VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
                                                 throws IOException

Creates VisibilityExpEvaluator corresponding to given Authorizations.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety.

Parameters:

authorizations - Authorizations for the read request

Returns:

The VisibilityExpEvaluator corresponding to the given set of authorization labels.

Throws:

IOException

havingSystemAuth

@Deprecated
boolean havingSystemAuth(byte[] user)
                         throws IOException

Deprecated. Use havingSystemAuth(User)

System checks for user auth during admin operations. (ie. Label add, set/clear auth). The operation is allowed only for users having system auth. Also during read, if the requesting user has system auth, he can view all the data irrespective of its labels.

Parameters:

user - User for whom system auth check to be done.

Returns:

true if the given user is having system/super auth

Throws:

IOException

havingSystemAuth

boolean havingSystemAuth(User user)
                         throws IOException

System checks for user auth during admin operations. (ie. Label add, set/clear auth). The operation is allowed only for users having system auth. Also during read, if the requesting user has system auth, he can view all the data irrespective of its labels.

Parameters:

user - User for whom system auth check to be done.

Returns:

true if the given user is having system/super auth

Throws:

IOException

matchVisibility

boolean matchVisibility(List<Tag> putVisTags,
                      Byte putVisTagFormat,
                      List<Tag> deleteVisTags,
                      Byte deleteVisTagFormat)
                        throws IOException

System uses this for deciding whether a Cell can be deleted by matching visibility expression in Delete mutation and the cell in consideration. Also system passes the serialization format of visibility tags in Put and Delete.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety.

Parameters:

putVisTags - The visibility tags present in the Put mutation

putVisTagFormat - The serialization format for the Put visibility tags. A null value for this format means the tags are written with unsorted label ordinals

deleteVisTags - - The visibility tags in the delete mutation (the specified Cell Visibility)

deleteVisTagFormat - The serialization format for the Delete visibility tags. A null value for this format means the tags are written with unsorted label ordinals

Returns:

true if matching tags are found

Throws:

IOException

See Also:

VisibilityConstants.SORTED_ORDINAL_SERIALIZATION_FORMAT

encodeVisibilityForReplication

byte[] encodeVisibilityForReplication(List<Tag> visTags,
                                    Byte serializationFormat)
                                      throws IOException

Provides a way to modify the visibility tags of type TagType .VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint .replicate(). VisibilityReplicationEndpoint calls this API to provide an opportunity to modify the visibility tags before replicating.

Parameters:

visTags - the visibility tags associated with the cell

serializationFormat - the serialization format associated with the tag

Returns:

the modified visibility expression in the form of byte[]

Throws:

IOException