/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security.visibility;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.security.User;

/**
 * A {@link ScanLabelGenerator} that supplies a default label set when the scan carries none.
 *
 * <p>When the passed in authorizations are null, or their label list is null or empty, this
 * generator feeds the set of predefined authorization labels for the given user, i.e. the set
 * defined by the admin using the VisibilityClient admin interface or the set_auths shell
 * command, merged with the labels of the user's groups. Otherwise the passed in authorization
 * labels are returned with no change.
 *
 * <p><b>Security note:</b> this SLG should not be used alone. It does not check the passed in
 * authorization labels against what the user is authorized for, so a non-empty requested list
 * leaves this class exactly as the caller supplied it. It must be followed in the generator
 * chain by one that restricts the requested labels to the user's defined set (for example
 * {@code DefinedSetFilterScanLabelGenerator}); otherwise the caller alone decides which
 * visibility labels the scan is evaluated with.
 */
@InterfaceAudience.Private
public class FeedUserAuthScanLabelGenerator implements ScanLabelGenerator {

  private static final Logger LOG = LoggerFactory.getLogger(FeedUserAuthScanLabelGenerator.class);

  private Configuration conf;
  private VisibilityLabelsCache labelsCache;

  /** Creates the generator and binds it to the instance returned by VisibilityLabelsCache.get(). */
  public FeedUserAuthScanLabelGenerator() {
    labelsCache = VisibilityLabelsCache.get();
  }

  /** Stores the configuration; nothing else in this class reads it. */
  @Override
  public void setConf(Configuration conf) {
    this.conf = conf;
  }

  /** Returns the configuration last passed to {@link #setConf(Configuration)}, or null. */
  @Override
  public Configuration getConf() {
    return conf;
  }

  /**
   * Returns the labels to evaluate the scan with.
   *
   * @param user the requesting user; read only when no labels were requested
   * @param authorizations the labels requested by the caller, may be null
   * @return the requested labels unchanged when at least one was supplied; otherwise a new list
   *     holding the user's and the user's groups' labels from the cache, duplicates removed and
   *     in no particular order
   */
  @Override
  public List<String> getLabels(User user, Authorizations authorizations) {
    if (!requestsNoLabels(authorizations)) {
      // SECURITY: pass-through. The requested labels are NOT checked against the user's
      // granted labels here; a later generator in the chain has to do that.
      return authorizations.getLabels();
    }
    String shortName = user.getShortName();
    // A set, so that a label granted both directly and through a group appears once.
    Set<String> merged = new HashSet<>();
    merged.addAll(labelsCache.getUserAuths(shortName));
    merged.addAll(labelsCache.getGroupAuths(user.getGroupNames()));
    return new ArrayList<>(merged);
  }

  /** Tells whether the caller supplied no labels at all (null object, null list or empty list). */
  private static boolean requestsNoLabels(Authorizations authorizations) {
    if (authorizations == null) {
      return true;
    }
    if (authorizations.getLabels() == null) {
      return true;
    }
    return authorizations.getLabels().isEmpty();
  }

}