org.apache.hadoop.hbase.security.access

Class AccessControlFilter

java.lang.Object

org.apache.hadoop.hbase.filter.Filter

org.apache.hadoop.hbase.filter.FilterBase

org.apache.hadoop.hbase.security.access.AccessControlFilter

@InterfaceAudience.Private
class AccessControlFilter
extends FilterBase

NOTE: for internal use only by AccessController implementation

TODO: There is room for further performance optimization here. Calling AuthManager.authorize() per KeyValue imposes a fair amount of overhead. A more optimized solution might look at the qualifiers where permissions are actually granted and explicitly limit the scan to those.

We should aim to use this _only_ when access to the requested column families is not granted at the column family levels. If table or column family access succeeds, then there is no need to impose the overhead of this filter.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	AccessControlFilter.Strategy

Nested classes/interfaces inherited from class org.apache.hadoop.hbase.filter.Filter

Filter.ReturnCode

Field Summary

Fields

Modifier and Type	Field and Description
private AuthManager	authManager
private Map<ByteRange,Integer>	cfVsMaxVersions
private int	currentVersions
private int	familyMaxVersions
private boolean	isSystemTable
private ByteRange	prevFam
private ByteRange	prevQual
private AccessControlFilter.Strategy	strategy
private TableName	table
private User	user

Fields inherited from class org.apache.hadoop.hbase.filter.Filter

reversed

Constructor Summary

Constructors

Constructor and Description
AccessControlFilter() For Writable
AccessControlFilter(AuthManager mgr, User ugi, TableName tableName, AccessControlFilter.Strategy strategy, Map<ByteRange,Integer> cfVsMaxVersions)

Method Summary

Modifier and Type	Method and Description
boolean	equals(Object obj)
Filter.ReturnCode	filterCell(Cell cell) A way to filter based on the column family, column qualifier and/or the column value.
boolean	filterRowKey(Cell cell) Filters a row based on the row key.
int	hashCode()
static AccessControlFilter	parseFrom(byte[] pbBytes)
void	reset() Filters that are purely stateless and do nothing in their reset() methods can inherit this null/empty implementation.
byte[]	toByteArray() Return length 0 byte array for Filters that don't require special serialization

Methods inherited from class org.apache.hadoop.hbase.filter.FilterBase

createFilterFromArguments, filterAllRemaining, filterRow, filterRowCells, filterRowKey, getNextCellHint, hasFilterRow, isFamilyEssential, toString, transformCell

Methods inherited from class org.apache.hadoop.hbase.filter.Filter

filterKeyValue, isReversed, setReversed

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

authManager

private AuthManager authManager

table

private TableName table

user

private User user

isSystemTable

private boolean isSystemTable

strategy

private AccessControlFilter.Strategy strategy

cfVsMaxVersions

private Map<ByteRange,Integer> cfVsMaxVersions

familyMaxVersions

private int familyMaxVersions

currentVersions

private int currentVersions

prevFam

private ByteRange prevFam

prevQual

private ByteRange prevQual

Constructor Detail

AccessControlFilter

AccessControlFilter()

For Writable

AccessControlFilter

AccessControlFilter(AuthManager mgr,
                    User ugi,
                    TableName tableName,
                    AccessControlFilter.Strategy strategy,
                    Map<ByteRange,Integer> cfVsMaxVersions)

Method Detail

filterRowKey

public boolean filterRowKey(Cell cell)
                     throws IOException

Description copied from class: Filter

Filters a row based on the row key. If this returns true, the entire row will be excluded. If false, each KeyValue in the row will be passed to Filter.filterCell(Cell) below. If Filter.filterAllRemaining() returns true, then Filter.filterRowKey(Cell) should also return true. Concrete implementers can signal a failure condition in their code by throwing an IOException.

Overrides:

filterRowKey in class FilterBase

Parameters:

cell - The first cell coming in the new row

Returns:

true, remove entire row, false, include the row (maybe).

Throws:

IOException - in case an I/O or an filter specific failure needs to be signaled.

filterCell

public Filter.ReturnCode filterCell(Cell cell)

Description copied from class: Filter

A way to filter based on the column family, column qualifier and/or the column value. Return code is described below. This allows filters to filter only certain number of columns, then terminate without matching ever column. If filterRowKey returns true, filterCell needs to be consistent with it. filterCell can assume that filterRowKey has already been called for the row. If your filter returns ReturnCode.NEXT_ROW, it should return ReturnCode.NEXT_ROW until Filter.reset() is called just in case the caller calls for the next row. Concrete implementers can signal a failure condition in their code by throwing an IOException.

Overrides:

filterCell in class Filter

Parameters:

cell - the Cell in question

Returns:

code as described below

See Also:

Filter.ReturnCode

reset

public void reset()
           throws IOException

Description copied from class: FilterBase

Filters that are purely stateless and do nothing in their reset() methods can inherit this null/empty implementation. Reset the state of the filter between rows. Concrete implementers can signal a failure condition in their code by throwing an IOException.

Overrides:

reset in class FilterBase

Throws:

IOException - in case an I/O or an filter specific failure needs to be signaled.

toByteArray

public byte[] toByteArray()

Description copied from class: FilterBase

Return length 0 byte array for Filters that don't require special serialization

Overrides:

toByteArray in class FilterBase

Returns:

The filter serialized using pb

parseFrom

public static AccessControlFilter parseFrom(byte[] pbBytes)
                                     throws DeserializationException

Parameters:

pbBytes - A pb serialized AccessControlFilter instance

Returns:

An instance of AccessControlFilter made from bytes

Throws:

DeserializationException

See Also:

toByteArray()

equals

public boolean equals(Object obj)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object