org.apache.hadoop.hbase.security.visibility

Class DefaultVisibilityLabelServiceImpl

java.lang.Object

org.apache.hadoop.hbase.security.visibility.DefaultVisibilityLabelServiceImpl

All Implemented Interfaces:

org.apache.hadoop.conf.Configurable, VisibilityLabelService

@InterfaceAudience.Private
public class DefaultVisibilityLabelServiceImpl
extends Object
implements VisibilityLabelService

Field Summary

Fields

Modifier and Type	Field and Description
private org.apache.hadoop.conf.Configuration	conf
private static byte[]	DUMMY_VALUE
private static Tag[]	LABELS_TABLE_TAGS
private VisibilityLabelsCache	labelsCache
private Region	labelsRegion
private static org.slf4j.Logger	LOG
private AtomicInteger	ordinalCounter
private List<ScanLabelGenerator>	scanLabelGenerators
private static int	SYSTEM_LABEL_ORDINAL

Constructor Summary

Constructors

Constructor and Description
DefaultVisibilityLabelServiceImpl()

Method Summary

Modifier and Type	Method and Description
OperationStatus[]	addLabels(List<byte[]> labels) Adds the set of labels into the system.
protected void	addSystemLabel(Region region, Map<String,Integer> labels, Map<String,List<Integer>> userAuths)
OperationStatus[]	clearAuths(byte[] user, List<byte[]> authLabels) Removes given labels from user's globally authorized list of labels.
private static boolean	compareTagsOrdinals(List<List<Integer>> putVisTags, List<List<Integer>> deleteVisTags)
private byte[]	createModifiedVisExpression(List<Tag> tags) n * - all the visibility tags associated with the current Cell
List<Tag>	createVisibilityExpTags(String visExpression, boolean withSerializationFormat, boolean checkAuths) Creates tags corresponding to given visibility expression.
byte[]	encodeVisibilityForReplication(List<Tag> tags, Byte serializationFormat) Provides a way to modify the visibility tags of type TagType .VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint .replicate().
protected Pair<Map<String,Integer>,Map<String,List<Integer>>>	extractLabelsAndAuths(List<List<Cell>> labelDetails)
org.apache.hadoop.conf.Configuration	getConf()
protected List<List<Cell>>	getExistingLabelsWithAuths()
List<String>	getGroupAuths(String[] groups, boolean systemCall) Retrieve the visibility labels for the groups.
private static void	getSortedTagOrdinals(List<List<Integer>> fullTagsList, Tag tag)
List<String>	getUserAuths(byte[] user, boolean systemCall) Retrieve the visibility labels for the user.
VisibilityExpEvaluator	getVisibilityExpEvaluator(Authorizations authorizations) Creates VisibilityExpEvaluator corresponding to given Authorizations.
boolean	havingSystemAuth(User user) System checks for user auth during admin operations.
void	init(RegionCoprocessorEnvironment e) System calls this after opening of regions.
protected boolean	isReadFromSystemAuthUser()
List<String>	listLabels(String regex) Retrieve the list of visibility labels defined in the system.
private static boolean	matchOrdinalSortedVisibilityTags(List<Tag> putVisTags, List<Tag> deleteVisTags)
private static boolean	matchUnSortedVisibilityTags(List<Tag> putVisTags, List<Tag> deleteVisTags)
boolean	matchVisibility(List<Tag> putVisTags, Byte putTagsFormat, List<Tag> deleteVisTags, Byte deleteTagsFormat) System uses this for deciding whether a Cell can be deleted by matching visibility expression in Delete mutation and the cell in consideration.
private boolean	mutateLabelsRegion(List<Mutation> mutations, OperationStatus[] finalOpStatus) Adds the mutations to labels region and set the results to the finalOpStatus.
OperationStatus[]	setAuths(byte[] user, List<byte[]> authLabels) Sets given labels globally authorized for the user.
void	setConf(org.apache.hadoop.conf.Configuration conf)
private static List<List<Integer>>	sortTagsBasedOnOrdinal(List<Tag> tags)
protected void	updateZk(boolean labelAddition)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

private static final org.slf4j.Logger LOG

SYSTEM_LABEL_ORDINAL

private static final int SYSTEM_LABEL_ORDINAL

See Also:

Constant Field Values

LABELS_TABLE_TAGS

private static final Tag[] LABELS_TABLE_TAGS

DUMMY_VALUE

private static final byte[] DUMMY_VALUE

ordinalCounter

private AtomicInteger ordinalCounter

conf

private org.apache.hadoop.conf.Configuration conf

labelsRegion

private Region labelsRegion

labelsCache

private VisibilityLabelsCache labelsCache

scanLabelGenerators

private List<ScanLabelGenerator> scanLabelGenerators

Constructor Detail

DefaultVisibilityLabelServiceImpl

public DefaultVisibilityLabelServiceImpl()

Method Detail

setConf

public void setConf(org.apache.hadoop.conf.Configuration conf)

Specified by:

setConf in interface org.apache.hadoop.conf.Configurable

getConf

public org.apache.hadoop.conf.Configuration getConf()

Specified by:

getConf in interface org.apache.hadoop.conf.Configurable

init

public void init(RegionCoprocessorEnvironment e)
          throws IOException

Description copied from interface: VisibilityLabelService

System calls this after opening of regions. Gives a chance for the VisibilityLabelService to so any initialization logic. n * the region coprocessor env

Specified by:

init in interface VisibilityLabelService

Throws:

IOException

getExistingLabelsWithAuths

protected List<List<Cell>> getExistingLabelsWithAuths()
                                               throws IOException

Throws:

IOException

extractLabelsAndAuths

protected Pair<Map<String,Integer>,Map<String,List<Integer>>> extractLabelsAndAuths(List<List<Cell>> labelDetails)

addSystemLabel

protected void addSystemLabel(Region region,
                              Map<String,Integer> labels,
                              Map<String,List<Integer>> userAuths)
                       throws IOException

Throws:

IOException

addLabels

public OperationStatus[] addLabels(List<byte[]> labels)
                            throws IOException

Description copied from interface: VisibilityLabelService

Adds the set of labels into the system. n * Labels to add to the system.

Specified by:

addLabels in interface VisibilityLabelService

Returns:

OperationStatus for each of the label addition

Throws:

IOException

setAuths

public OperationStatus[] setAuths(byte[] user,
                                  List<byte[]> authLabels)
                           throws IOException

Description copied from interface: VisibilityLabelService

Sets given labels globally authorized for the user. n * The authorizing user n * Labels which are getting authorized for the user

Specified by:

setAuths in interface VisibilityLabelService

Returns:

OperationStatus for each of the label auth addition

Throws:

IOException

clearAuths

public OperationStatus[] clearAuths(byte[] user,
                                    List<byte[]> authLabels)
                             throws IOException

Description copied from interface: VisibilityLabelService

Removes given labels from user's globally authorized list of labels. n * The user whose authorization to be removed n * Labels which are getting removed from authorization set

Specified by:

clearAuths in interface VisibilityLabelService

Returns:

OperationStatus for each of the label auth removal

Throws:

IOException

mutateLabelsRegion

private boolean mutateLabelsRegion(List<Mutation> mutations,
                                   OperationStatus[] finalOpStatus)
                            throws IOException

Adds the mutations to labels region and set the results to the finalOpStatus. finalOpStatus might have some entries in it where the OpStatus is FAILURE. We will leave those and set in others in the order. nn * @return whether we need a ZK update or not.

Throws:

IOException

getUserAuths

public List<String> getUserAuths(byte[] user,
                                 boolean systemCall)
                          throws IOException

Description copied from interface: VisibilityLabelService

Retrieve the visibility labels for the user. n * Name of the user whose authorization to be retrieved n * Whether a system or user originated call.

Specified by:

getUserAuths in interface VisibilityLabelService

Returns:

Visibility labels authorized for the given user.

Throws:

IOException

getGroupAuths

public List<String> getGroupAuths(String[] groups,
                                  boolean systemCall)
                           throws IOException

Description copied from interface: VisibilityLabelService

Retrieve the visibility labels for the groups. n * Name of the groups whose authorization to be retrieved n * Whether a system or user originated call.

Specified by:

getGroupAuths in interface VisibilityLabelService

Returns:

Visibility labels authorized for the given group.

Throws:

IOException

listLabels

public List<String> listLabels(String regex)
                        throws IOException

Description copied from interface: VisibilityLabelService

Retrieve the list of visibility labels defined in the system.

Specified by:

listLabels in interface VisibilityLabelService

Parameters:

regex - The regular expression to filter which labels are returned.

Returns:

List of visibility labels

Throws:

IOException

createVisibilityExpTags

public List<Tag> createVisibilityExpTags(String visExpression,
                                         boolean withSerializationFormat,
                                         boolean checkAuths)
                                  throws IOException

Description copied from interface: VisibilityLabelService

Creates tags corresponding to given visibility expression.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety.

Specified by:

createVisibilityExpTags in interface VisibilityLabelService

Parameters:

visExpression - The Expression for which corresponding Tags to be created.

withSerializationFormat - specifies whether a tag, denoting the serialization version of the tags, to be added in the list. When this is true make sure to add the serialization format Tag also. The format tag value should be byte type.

checkAuths - denotes whether to check individual labels in visExpression against user's global auth label.

Returns:

The list of tags corresponds to the visibility expression. These tags will be stored along with the Cells.

Throws:

IOException

updateZk

protected void updateZk(boolean labelAddition)
                 throws IOException

Throws:

IOException

getVisibilityExpEvaluator

public VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
                                                 throws IOException

Description copied from interface: VisibilityLabelService

Creates VisibilityExpEvaluator corresponding to given Authorizations.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety. n * Authorizations for the read request

Specified by:

getVisibilityExpEvaluator in interface VisibilityLabelService

Returns:

The VisibilityExpEvaluator corresponding to the given set of authorization labels.

Throws:

IOException

isReadFromSystemAuthUser

protected boolean isReadFromSystemAuthUser()
                                    throws IOException

Throws:

IOException

havingSystemAuth

public boolean havingSystemAuth(User user)
                         throws IOException

Description copied from interface: VisibilityLabelService

System checks for user auth during admin operations. (ie. Label add, set/clear auth). The operation is allowed only for users having system auth. Also during read, if the requesting user has system auth, he can view all the data irrespective of its labels. n * User for whom system auth check to be done.

Specified by:

havingSystemAuth in interface VisibilityLabelService

Returns:

true if the given user is having system/super auth

Throws:

IOException

matchVisibility

public boolean matchVisibility(List<Tag> putVisTags,
                               Byte putTagsFormat,
                               List<Tag> deleteVisTags,
                               Byte deleteTagsFormat)
                        throws IOException

Description copied from interface: VisibilityLabelService

System uses this for deciding whether a Cell can be deleted by matching visibility expression in Delete mutation and the cell in consideration. Also system passes the serialization format of visibility tags in Put and Delete.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety. n * The visibility tags present in the Put mutation n * The serialization format for the Put visibility tags. A null value for this format means the tags are written with unsorted label ordinals n * - The visibility tags in the delete mutation (the specified Cell Visibility) n * The serialization format for the Delete visibility tags. A null value for this format means the tags are written with unsorted label ordinals

Specified by:

matchVisibility in interface VisibilityLabelService

Returns:

true if matching tags are found

Throws:

IOException

See Also:

VisibilityConstants.SORTED_ORDINAL_SERIALIZATION_FORMAT

matchUnSortedVisibilityTags

private static boolean matchUnSortedVisibilityTags(List<Tag> putVisTags,
                                                   List<Tag> deleteVisTags)
                                            throws IOException

Parameters:

putVisTags - Visibility tags in Put Mutation

deleteVisTags - Visibility tags in Delete Mutation

Returns:

true when all the visibility tags in Put matches with visibility tags in Delete. This is used when, at least one set of tags are not sorted based on the label ordinal.

Throws:

IOException

matchOrdinalSortedVisibilityTags

private static boolean matchOrdinalSortedVisibilityTags(List<Tag> putVisTags,
                                                        List<Tag> deleteVisTags)

Parameters:

putVisTags - Visibility tags in Put Mutation

deleteVisTags - Visibility tags in Delete Mutation

Returns:

true when all the visibility tags in Put matches with visibility tags in Delete. This is used when both the set of tags are sorted based on the label ordinal.

sortTagsBasedOnOrdinal

private static List<List<Integer>> sortTagsBasedOnOrdinal(List<Tag> tags)
                                                   throws IOException

Throws:

IOException

getSortedTagOrdinals

private static void getSortedTagOrdinals(List<List<Integer>> fullTagsList,
                                         Tag tag)
                                  throws IOException

Throws:

IOException

compareTagsOrdinals

private static boolean compareTagsOrdinals(List<List<Integer>> putVisTags,
                                           List<List<Integer>> deleteVisTags)

encodeVisibilityForReplication

public byte[] encodeVisibilityForReplication(List<Tag> tags,
                                             Byte serializationFormat)
                                      throws IOException

Description copied from interface: VisibilityLabelService

Provides a way to modify the visibility tags of type TagType .VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint .replicate(). VisibilityReplicationEndpoint calls this API to provide an opportunity to modify the visibility tags before replicating. n * the visibility tags associated with the cell n * the serialization format associated with the tag

Specified by:

encodeVisibilityForReplication in interface VisibilityLabelService

Returns:

the modified visibility expression in the form of byte[] n

Throws:

IOException

createModifiedVisExpression

private byte[] createModifiedVisExpression(List<Tag> tags)
                                    throws IOException

n * - all the visibility tags associated with the current Cell

Returns:

- the modified visibility expression as byte[]

Throws:

IOException