001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security.visibility;
019
020import java.util.ArrayList;
021import java.util.HashSet;
022import java.util.List;
023import java.util.Set;
024import org.apache.hadoop.conf.Configuration;
025import org.apache.hadoop.hbase.security.User;
026import org.apache.yetus.audience.InterfaceAudience;
027import org.slf4j.Logger;
028import org.slf4j.LoggerFactory;
029
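/**
 * A {@link ScanLabelGenerator} that enforces a set of predefined authorizations for a given user,
 * the set defined by the admin using the VisibilityClient admin interface or the set_auths shell
 * command. Any authorizations requested with Scan#authorizations are ignored: the labels returned
 * by {@link #getLabels(User, Authorizations)} are built only from what the
 * {@link VisibilityLabelsCache} holds for the user and the user's groups, never from the request.
 */
@InterfaceAudience.Private
public class EnforcingScanLabelGenerator implements ScanLabelGenerator {

  private static final Logger LOG = LoggerFactory.getLogger(EnforcingScanLabelGenerator.class);

  private Configuration conf;
  // Source of the stored user and group authorizations; assigned once in the constructor.
  private final VisibilityLabelsCache labelsCache;

  /** Creates a generator backed by the instance returned by {@link VisibilityLabelsCache#get()}. */
  public EnforcingScanLabelGenerator() {
    this.labelsCache = VisibilityLabelsCache.get();
  }

  /**
   * Stores the configuration handed to this generator. Nothing in this class reads it back other
   * than {@link #getConf()}.
   *
   * @param conf the configuration to keep
   */
  @Override
  public void setConf(Configuration conf) {
    this.conf = conf;
  }

  /**
   * Returns the configuration previously passed to {@link #setConf(Configuration)}.
   *
   * @return the stored configuration, or {@code null} if none was set
   */
  @Override
  public Configuration getConf() {
    return this.conf;
  }

  /**
   * Returns the labels the given user is allowed to scan with, ignoring whatever the request
   * asked for.
   *
   * <p>The result is the de-duplicated union of the authorizations stored for the user's short
   * name and the authorizations stored for the user's groups. Because the values pass through a
   * {@link HashSet}, the order of the returned list is unspecified.
   *
   * @param user the user issuing the scan; its short name and group names are the only inputs
   *     that influence the result
   * @param authorizations the authorizations requested by the client; may be {@code null}. A
   *     non-null value is logged at WARN and otherwise discarded
   * @return a new mutable list holding the user's and the user's groups' stored authorizations
   */
  @Override
  public List<String> getLabels(User user, Authorizations authorizations) {
    String userName = user.getShortName();
    if (authorizations != null) {
      // Emitted on every call that carries requested authorizations, so a client that always sets
      // Scan#authorizations produces one WARN line per call; account for that in log retention
      // and alerting. Placeholders keep the message identical while letting SLF4J skip the string
      // building when WARN is disabled.
      // NOTE(review): the requested labels are client-supplied and are written to the log as
      // rendered by Authorizations#toString -- confirm that rendering cannot carry line breaks
      // before treating these log lines as trusted input for downstream parsers.
      LOG.warn("Dropping authorizations requested by user {}: {}", userName, authorizations);
    }
    // Only server-side state feeds the result; the set removes labels granted both directly and
    // through a group.
    Set<String> auths = new HashSet<>();
    auths.addAll(this.labelsCache.getUserAuths(userName));
    auths.addAll(this.labelsCache.getGroupAuths(user.getGroupNames()));
    return new ArrayList<>(auths);
  }

}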