View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import org.apache.commons.logging.Log;
22  import org.apache.commons.logging.LogFactory;
23  import org.apache.hadoop.hbase.classification.InterfaceAudience;
24  import org.apache.hadoop.hbase.TableName;
25  import org.apache.hadoop.hbase.KeyValue;
26  import org.apache.hadoop.hbase.util.Bytes;
27  
28  import java.io.DataInput;
29  import java.io.DataOutput;
30  import java.io.IOException;
31  
32  /**
33   * Represents an authorization for access for the given actions, optionally
34   * restricted to the given column family or column qualifier, over the
35   * given table.  If the family property is <code>null</code>, it implies
36   * full table access.
37   */
38  @InterfaceAudience.Private
39  public class TablePermission extends Permission {
40    private static final Log LOG = LogFactory.getLog(TablePermission.class);
41  
42    private TableName table;
43    private byte[] family;
44    private byte[] qualifier;
45  
46    //TODO refactor this class
47    //we need to refacting this into three classes (Global, Table, Namespace)
48    private String namespace;
49  
50    /** Nullary constructor for Writable, do not use */
51    public TablePermission() {
52      super();
53    }
54  
55    /**
56     * Create a new permission for the given table and (optionally) column family,
57     * allowing the given actions.
58     * @param table the table
59     * @param family the family, can be null if a global permission on the table
60     * @param assigned the list of allowed actions
61     */
62    public TablePermission(TableName table, byte[] family, Action... assigned) {
63      this(table, family, null, assigned);
64    }
65  
66    /**
67     * Creates a new permission for the given table, restricted to the given
68     * column family and qualifier, allowing the assigned actions to be performed.
69     * @param table the table
70     * @param family the family, can be null if a global permission on the table
71     * @param assigned the list of allowed actions
72     */
73    public TablePermission(TableName table, byte[] family, byte[] qualifier,
74        Action... assigned) {
75      super(assigned);
76      this.table = table;
77      this.family = family;
78      this.qualifier = qualifier;
79    }
80  
81    /**
82     * Creates a new permission for the given table, family and column qualifier,
83     * allowing the actions matching the provided byte codes to be performed.
84     * @param table the table
85     * @param family the family, can be null if a global permission on the table
86     * @param actionCodes the list of allowed action codes
87     */
88    public TablePermission(TableName table, byte[] family, byte[] qualifier,
89        byte[] actionCodes) {
90      super(actionCodes);
91      this.table = table;
92      this.family = family;
93      this.qualifier = qualifier;
94    }
95  
96    /**
97     * Creates a new permission for the given namespace or table, restricted to the given
98     * column family and qualifier, allowing the assigned actions to be performed.
99     * @param namespace
100    * @param table the table
101    * @param family the family, can be null if a global permission on the table
102    * @param assigned the list of allowed actions
103    */
104   public TablePermission(String namespace, TableName table, byte[] family, byte[] qualifier,
105       Action... assigned) {
106     super(assigned);
107     this.namespace = namespace;
108     this.table = table;
109     this.family = family;
110     this.qualifier = qualifier;
111   }
112 
113   /**
114    * Creates a new permission for the given namespace or table, family and column qualifier,
115    * allowing the actions matching the provided byte codes to be performed.
116    * @param namespace
117    * @param table the table
118    * @param family the family, can be null if a global permission on the table
119    * @param actionCodes the list of allowed action codes
120    */
121   public TablePermission(String namespace, TableName table, byte[] family, byte[] qualifier,
122       byte[] actionCodes) {
123     super(actionCodes);
124     this.namespace = namespace;
125     this.table = table;
126     this.family = family;
127     this.qualifier = qualifier;
128   }
129 
130   /**
131    * Creates a new permission for the given namespace,
132    * allowing the actions matching the provided byte codes to be performed.
133    * @param namespace
134    * @param actionCodes the list of allowed action codes
135    */
136   public TablePermission(String namespace, byte[] actionCodes) {
137     super(actionCodes);
138     this.namespace = namespace;
139   }
140 
141   /**
142    * Create a new permission for the given namespace,
143    * allowing the given actions.
144    * @param namespace
145    * @param assigned the list of allowed actions
146    */
147   public TablePermission(String namespace, Action... assigned) {
148     super(assigned);
149     this.namespace = namespace;
150   }
151 
152   public boolean hasTable() {
153     return table != null;
154   }
155 
156   public TableName getTableName() {
157     return table;
158   }
159 
160   public boolean hasFamily() {
161     return family != null;
162   }
163 
164   public byte[] getFamily() {
165     return family;
166   }
167 
168   public boolean hasQualifier() {
169     return qualifier != null;
170   }
171 
172   public byte[] getQualifier() {
173     return qualifier;
174   }
175 
176   public boolean hasNamespace() {
177     return namespace != null;
178   }
179 
180   public String getNamespace() {
181     return namespace;
182   }
183 
184   /**
185    * Checks that a given table operation is authorized by this permission
186    * instance.
187    *
188    * @param namespace the namespace where the operation is being performed
189    * @param action the action being requested
190    * @return <code>true</code> if the action within the given scope is allowed
191    *   by this permission, <code>false</code>
192    */
193   public boolean implies(String namespace, Action action) {
194     if (!this.namespace.equals(namespace)) {
195       return false;
196     }
197 
198     // check actions
199     return super.implies(action);
200   }
201 
202   /**
203    * Checks that a given table operation is authorized by this permission
204    * instance.
205    *
206    * @param table the table where the operation is being performed
207    * @param family the column family to which the operation is restricted,
208    *   if <code>null</code> implies "all"
209    * @param qualifier the column qualifier to which the action is restricted,
210    *   if <code>null</code> implies "all"
211    * @param action the action being requested
212    * @return <code>true</code> if the action within the given scope is allowed
213    *   by this permission, <code>false</code>
214    */
215   public boolean implies(TableName table, byte[] family, byte[] qualifier,
216       Action action) {
217     if (!this.table.equals(table)) {
218       return false;
219     }
220 
221     if (this.family != null &&
222         (family == null ||
223          !Bytes.equals(this.family, family))) {
224       return false;
225     }
226 
227     if (this.qualifier != null &&
228         (qualifier == null ||
229          !Bytes.equals(this.qualifier, qualifier))) {
230       return false;
231     }
232 
233     // check actions
234     return super.implies(action);
235   }
236 
237   /**
238    * Checks if this permission grants access to perform the given action on
239    * the given table and key value.
240    * @param table the table on which the operation is being performed
241    * @param kv the KeyValue on which the operation is being requested
242    * @param action the action requested
243    * @return <code>true</code> if the action is allowed over the given scope
244    *   by this permission, otherwise <code>false</code>
245    */
246   public boolean implies(TableName table, KeyValue kv, Action action) {
247     if (!this.table.equals(table)) {
248       return false;
249     }
250 
251     if (family != null &&
252         (Bytes.compareTo(family, 0, family.length,
253             kv.getFamilyArray(), kv.getFamilyOffset(), kv.getFamilyLength()) != 0)) {
254       return false;
255     }
256 
257     if (qualifier != null &&
258         (Bytes.compareTo(qualifier, 0, qualifier.length,
259             kv.getQualifierArray(), kv.getQualifierOffset(), kv.getQualifierLength()) != 0)) {
260       return false;
261     }
262 
263     // check actions
264     return super.implies(action);
265   }
266 
267   /**
268    * Returns <code>true</code> if this permission matches the given column
269    * family at least.  This only indicates a partial match against the table
270    * and column family, however, and does not guarantee that implies() for the
271    * column same family would return <code>true</code>.  In the case of a
272    * column-qualifier specific permission, for example, implies() would still
273    * return false.
274    */
275   public boolean matchesFamily(TableName table, byte[] family, Action action) {
276     if (!this.table.equals(table)) {
277       return false;
278     }
279 
280     if (this.family != null &&
281         (family == null ||
282          !Bytes.equals(this.family, family))) {
283       return false;
284     }
285 
286     // ignore qualifier
287     // check actions
288     return super.implies(action);
289   }
290 
291   /**
292    * Returns if the given permission matches the given qualifier.
293    * @param table the table name to match
294    * @param family the column family to match
295    * @param qualifier the qualifier name to match
296    * @param action the action requested
297    * @return <code>true</code> if the table, family and qualifier match,
298    *   otherwise <code>false</code>
299    */
300   public boolean matchesFamilyQualifier(TableName table, byte[] family, byte[] qualifier,
301                                 Action action) {
302     if (!matchesFamily(table, family, action)) {
303       return false;
304     } else {
305       if (this.qualifier != null &&
306           (qualifier == null ||
307            !Bytes.equals(this.qualifier, qualifier))) {
308         return false;
309       }
310     }
311     return super.implies(action);
312   }
313 
314   @Override
315   @edu.umd.cs.findbugs.annotations.SuppressWarnings(value="NP_NULL_ON_SOME_PATH",
316     justification="Passed on construction except on constructor not to be used")
317   public boolean equals(Object obj) {
318     if (!(obj instanceof TablePermission)) {
319       return false;
320     }
321     TablePermission other = (TablePermission)obj;
322 
323     if (!(table.equals(other.getTableName()) &&
324         ((family == null && other.getFamily() == null) ||
325          Bytes.equals(family, other.getFamily())) &&
326         ((qualifier == null && other.getQualifier() == null) ||
327          Bytes.equals(qualifier, other.getQualifier())) &&
328         ((namespace == null && other.getNamespace() == null) ||
329          (namespace != null && namespace.equals(other.getNamespace())))
330        )) {
331       return false;
332     }
333 
334     // check actions
335     return super.equals(other);
336   }
337 
338   @Override
339   public int hashCode() {
340     final int prime = 37;
341     int result = super.hashCode();
342     if (table != null) {
343       result = prime * result + table.hashCode();
344     }
345     if (family != null) {
346       result = prime * result + Bytes.hashCode(family);
347     }
348     if (qualifier != null) {
349       result = prime * result + Bytes.hashCode(qualifier);
350     }
351     if (namespace != null) {
352       result = prime * result + namespace.hashCode();
353     }
354     return result;
355   }
356 
357   @Override
358   public String toString() {
359     StringBuilder str = new StringBuilder("[TablePermission: ");
360     if(namespace != null) {
361       str.append("namespace=").append(namespace)
362          .append(", ");
363     }
364     else if(table != null) {
365        str.append("table=").append(table)
366           .append(", family=")
367           .append(family == null ? null : Bytes.toString(family))
368           .append(", qualifier=")
369           .append(qualifier == null ? null : Bytes.toString(qualifier))
370           .append(", ");
371     } else {
372       str.append("actions=");
373     }
374     if (actions != null) {
375       for (int i=0; i<actions.length; i++) {
376         if (i > 0)
377           str.append(",");
378         if (actions[i] != null)
379           str.append(actions[i].toString());
380         else
381           str.append("NULL");
382       }
383     }
384     str.append("]");
385 
386     return str.toString();
387   }
388 
389   @Override
390   public void readFields(DataInput in) throws IOException {
391     super.readFields(in);
392     byte[] tableBytes = Bytes.readByteArray(in);
393     table = TableName.valueOf(tableBytes);
394     if (in.readBoolean()) {
395       family = Bytes.readByteArray(in);
396     }
397     if (in.readBoolean()) {
398       qualifier = Bytes.readByteArray(in);
399     }
400     if(in.readBoolean()) {
401       namespace = Bytes.toString(Bytes.readByteArray(in));
402     }
403   }
404 
405   @Override
406   public void write(DataOutput out) throws IOException {
407     super.write(out);
408     Bytes.writeByteArray(out, table.getName());
409     out.writeBoolean(family != null);
410     if (family != null) {
411       Bytes.writeByteArray(out, family);
412     }
413     out.writeBoolean(qualifier != null);
414     if (qualifier != null) {
415       Bytes.writeByteArray(out, qualifier);
416     }
417     out.writeBoolean(namespace != null);
418     if(namespace != null) {
419       Bytes.writeByteArray(out, Bytes.toBytes(namespace));
420     }
421   }
422 }