Class DefaultVisibilityLabelServiceImpl
java.lang.Object
org.apache.hadoop.hbase.security.visibility.DefaultVisibilityLabelServiceImpl
- All Implemented Interfaces:
org.apache.hadoop.conf.Configurable, VisibilityLabelService
@Private
public class DefaultVisibilityLabelServiceImpl
extends Object
implements VisibilityLabelService
-
Field Summary
Fields (Modifier and Type, Field, Description)
- private org.apache.hadoop.conf.Configuration
- private static final byte[]
- private static final Tag[]
- private VisibilityLabelsCache
- private Region
- private static final org.slf4j.Logger
- private AtomicInteger
- private List<ScanLabelGenerator>
- private static final int
-
Constructor Summary
Constructors -
Method Summary
Methods (Modifier and Type, Method, Description)
- addLabels: Adds the set of labels into the system.
- protected void addSystemLabel
- clearAuths(byte[] user, List<byte[]> authLabels): Removes given labels from user's globally authorized list of labels.
- private static boolean compareTagsOrdinals
- private byte[] createModifiedVisExpression(List<Tag> tags): - all the visibility tags associated with the current Cell
- createVisibilityExpTags(String visExpression, boolean withSerializationFormat, boolean checkAuths): Creates tags corresponding to given visibility expression.
- byte[] encodeVisibilityForReplication(List<Tag> tags, Byte serializationFormat): Provides a way to modify the visibility tags of type TagType.VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint.replicate().
- extractLabelsAndAuths(List<List<Cell>> labelDetails)
- org.apache.hadoop.conf.Configuration getConf()
- getGroupAuths(String[] groups, boolean systemCall): Retrieve the visibility labels for the groups.
- private static void getSortedTagOrdinals(List<List<Integer>> fullTagsList, Tag tag)
- getUserAuths(byte[] user, boolean systemCall): Retrieve the visibility labels for the user.
- getVisibilityExpEvaluator(Authorizations authorizations): Creates VisibilityExpEvaluator corresponding to given Authorizations.
- boolean havingSystemAuth(User user): System checks for user auth during admin operations.
- void init: System calls this after opening of regions.
- protected boolean isReadFromSystemAuthUser
- listLabels(String regex): Retrieve the list of visibility labels defined in the system.
- private static boolean matchOrdinalSortedVisibilityTags(List<Tag> putVisTags, List<Tag> deleteVisTags)
- private static boolean matchUnSortedVisibilityTags(List<Tag> putVisTags, List<Tag> deleteVisTags)
- boolean matchVisibility(List<Tag> putVisTags, Byte putTagsFormat, List<Tag> deleteVisTags, Byte deleteTagsFormat): System uses this for deciding whether a Cell can be deleted by matching visibility expression in Delete mutation and the cell in consideration.
- private boolean mutateLabelsRegion(List<Mutation> mutations, OperationStatus[] finalOpStatus): Adds the mutations to labels region and set the results to the finalOpStatus.
- setAuths: Sets given labels globally authorized for the user.
- void setConf(org.apache.hadoop.conf.Configuration conf)
- sortTagsBasedOnOrdinal(List<Tag> tags)
- protected void updateZk(boolean labelAddition)
-
Field Details
-
LOG
-
SYSTEM_LABEL_ORDINAL
- See Also:
-
LABELS_TABLE_TAGS
-
DUMMY_VALUE
-
ordinalCounter
-
conf
-
labelsRegion
-
labelsCache
-
scanLabelGenerators
-
-
Constructor Details
-
DefaultVisibilityLabelServiceImpl
public DefaultVisibilityLabelServiceImpl()
-
-
Method Details
-
setConf
- Specified by:
setConf in interface org.apache.hadoop.conf.Configurable
-
getConf
- Specified by:
getConf in interface org.apache.hadoop.conf.Configurable
-
init
Description copied from interface: VisibilityLabelService
System calls this after opening of regions. Gives a chance for the VisibilityLabelService to do any initialization logic.
- Specified by:
init in interface VisibilityLabelService
- Parameters:
the region coprocessor env
- Throws:
IOException
-
getExistingLabelsWithAuths
- Throws:
IOException
-
extractLabelsAndAuths
-
addSystemLabel
protected void addSystemLabel(Region region, Map<String, Integer> labels, Map<String, List<Integer>> userAuths) throws IOException
- Throws:
IOException
-
addLabels
Description copied from interface: VisibilityLabelService
Adds the set of labels into the system.
- Specified by:
addLabels in interface VisibilityLabelService
- Parameters:
Labels to add to the system.
- Returns:
- OperationStatus for each of the label addition
- Throws:
IOException
-
setAuths
Description copied from interface: VisibilityLabelService
Sets given labels globally authorized for the user.
- Specified by:
setAuths in interface VisibilityLabelService
- Parameters:
The authorizing user
Labels which are getting authorized for the user
- Returns:
- OperationStatus for each of the label auth addition
- Throws:
IOException
-
clearAuths
Description copied from interface: VisibilityLabelService
Removes given labels from user's globally authorized list of labels.
- Specified by:
clearAuths in interface VisibilityLabelService
- Parameters:
user - The user whose authorization is to be removed
authLabels - Labels which are getting removed from authorization set
- Returns:
- OperationStatus for each of the label auth removal
- Throws:
IOException
-
mutateLabelsRegion
private boolean mutateLabelsRegion(List<Mutation> mutations, OperationStatus[] finalOpStatus) throws IOException
Adds the mutations to the labels region and sets the results in finalOpStatus. finalOpStatus might already have some entries where the OpStatus is FAILURE. Those entries are left as they are and the results are set in the remaining entries, in order.
- Returns:
- whether we need a ZK update or not.
- Throws:
IOException
-
getUserAuths
Description copied from interface: VisibilityLabelService
Retrieve the visibility labels for the user.
- Specified by:
getUserAuths in interface VisibilityLabelService
- Parameters:
user - Name of the user whose authorization is to be retrieved
systemCall - Whether a system or user originated call.
- Returns:
- Visibility labels authorized for the given user.
- Throws:
IOException
-
getGroupAuths
Description copied from interface: VisibilityLabelService
Retrieve the visibility labels for the groups.
- Specified by:
getGroupAuths in interface VisibilityLabelService
- Parameters:
groups - Name of the groups whose authorization is to be retrieved
systemCall - Whether a system or user originated call.
- Returns:
- Visibility labels authorized for the given group.
- Throws:
IOException
-
listLabels
Description copied from interface: VisibilityLabelService
Retrieve the list of visibility labels defined in the system.
- Specified by:
listLabels in interface VisibilityLabelService
- Parameters:
regex - The regular expression to filter which labels are returned.
- Returns:
- List of visibility labels
- Throws:
IOException
-
createVisibilityExpTags
public List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat, boolean checkAuths) throws IOException
Description copied from interface: VisibilityLabelService
Creates tags corresponding to given visibility expression.
Note: This will be called concurrently from multiple threads, so the implementation must be thread safe.
- Specified by:
createVisibilityExpTags in interface VisibilityLabelService
- Parameters:
visExpression - The expression for which the corresponding Tags are to be created.
withSerializationFormat - Specifies whether a tag denoting the serialization version of the tags is to be added to the list. When this is true, make sure to add the serialization format Tag as well. The format tag value should be of byte type.
checkAuths - Denotes whether to check individual labels in visExpression against the user's global auth labels.
- Returns:
- The list of tags corresponding to the visibility expression. These tags will be stored along with the Cells.
- Throws:
IOException
-
updateZk
- Throws:
IOException
-
getVisibilityExpEvaluator
public VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations) throws IOException
Description copied from interface: VisibilityLabelService
Creates VisibilityExpEvaluator corresponding to given Authorizations.
Note: This will be called concurrently from multiple threads, so the implementation must be thread safe.
- Specified by:
getVisibilityExpEvaluator in interface VisibilityLabelService
- Parameters:
authorizations - Authorizations for the read request
- Returns:
- The VisibilityExpEvaluator corresponding to the given set of authorization labels.
- Throws:
IOException
-
isReadFromSystemAuthUser
- Throws:
IOException
-
havingSystemAuth
Description copied from interface: VisibilityLabelService
System checks for user auth during admin operations (i.e. label add, set/clear auth). The operation is allowed only for users having system auth. Also during read, if the requesting user has system auth, he can view all the data irrespective of its labels.
- Specified by:
havingSystemAuth in interface VisibilityLabelService
- Parameters:
user - User for whom the system auth check is to be done.
- Returns:
- true if the given user has system/super auth
- Throws:
IOException
-
matchVisibility
public boolean matchVisibility(List<Tag> putVisTags, Byte putTagsFormat, List<Tag> deleteVisTags, Byte deleteTagsFormat) throws IOException
Description copied from interface: VisibilityLabelService
System uses this for deciding whether a Cell can be deleted by matching the visibility expression in the Delete mutation against the cell in consideration. The system also passes the serialization format of the visibility tags in Put and Delete.
Note: This will be called concurrently from multiple threads, so the implementation must be thread safe.
- Specified by:
matchVisibility in interface VisibilityLabelService
- Parameters:
putVisTags - The visibility tags present in the Put mutation
putTagsFormat - The serialization format for the Put visibility tags. A null value for this format means the tags are written with unsorted label ordinals
deleteVisTags - The visibility tags in the delete mutation (the specified Cell Visibility)
deleteTagsFormat - The serialization format for the Delete visibility tags. A null value for this format means the tags are written with unsorted label ordinals
- Returns:
- true if matching tags are found
- Throws:
IOException
- See Also:
-
matchUnSortedVisibilityTags
private static boolean matchUnSortedVisibilityTags(List<Tag> putVisTags, List<Tag> deleteVisTags) throws IOException
- Parameters:
putVisTags - Visibility tags in Put Mutation
deleteVisTags - Visibility tags in Delete Mutation
- Returns:
- true when all the visibility tags in Put match the visibility tags in Delete. This is used when at least one set of tags is not sorted based on the label ordinal.
- Throws:
IOException
-
matchOrdinalSortedVisibilityTags
private static boolean matchOrdinalSortedVisibilityTags(List<Tag> putVisTags, List<Tag> deleteVisTags)
- Parameters:
putVisTags - Visibility tags in Put Mutation
deleteVisTags - Visibility tags in Delete Mutation
- Returns:
- true when all the visibility tags in Put match the visibility tags in Delete. This is used when both sets of tags are sorted based on the label ordinal.
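The sorted and unsorted matching paths described for matchVisibility, matchUnSortedVisibilityTags and matchOrdinalSortedVisibilityTags, as an added sketch that is not HBase's own code. Each tag is modelled as a plain list of label ordinals, and treating any non-null format byte as "sorted" is an assumption made here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added illustration, not HBase code. A "tag" here is a hypothetical stand-in:
// just the list of label ordinals one visibility tag would carry.
public class VisibilityMatchSketch {

    static boolean matchVisibility(List<List<Integer>> putTags, Byte putFormat,
                                   List<List<Integer>> deleteTags, Byte deleteFormat) {
        // Page: a null format means unsorted ordinals. Assumption: non-null means sorted.
        if (putFormat != null && deleteFormat != null) {
            return matchSorted(putTags, deleteTags);
        }
        // At least one side is unsorted: normalise both before comparing.
        return matchSorted(sortEach(putTags), sortEach(deleteTags));
    }

    // Every Put tag must have its own identical Delete tag; a subset is not a match.
    static boolean matchSorted(List<List<Integer>> putTags, List<List<Integer>> deleteTags) {
        if (putTags.size() != deleteTags.size()) {
            return false;
        }
        List<List<Integer>> unmatched = new ArrayList<>(deleteTags);
        for (List<Integer> tag : putTags) {
            if (!unmatched.remove(tag)) {
                return false;
            }
        }
        return true;
    }

    static List<List<Integer>> sortEach(List<List<Integer>> tags) {
        List<List<Integer>> out = new ArrayList<>();
        for (List<Integer> tag : tags) {
            List<Integer> copy = new ArrayList<>(tag);
            Collections.sort(copy);
            out.add(copy);
        }
        return out;
    }

    public static void main(String[] args) {
        Byte sorted = (byte) 1; // constructed marker value
        List<List<Integer>> put = List.of(List.of(5, 2), List.of(7)); // constructed, unsorted
        System.out.println(matchVisibility(put, null, List.of(List.of(7), List.of(2, 5)), sorted));
        System.out.println(matchVisibility(put, null, List.of(List.of(2, 5)), sorted));
    }
}
```

The second call shows the access-control consequence: a Delete whose expression covers only part of the cell's visibility tags does not match, so the cell is not deleted.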
-
sortTagsBasedOnOrdinal
- Throws:
IOException
-
getSortedTagOrdinals
private static void getSortedTagOrdinals(List<List<Integer>> fullTagsList, Tag tag) throws IOException
- Throws:
IOException
-
compareTagsOrdinals
-
encodeVisibilityForReplication
public byte[] encodeVisibilityForReplication(List<Tag> tags, Byte serializationFormat) throws IOException
Description copied from interface: VisibilityLabelService
Provides a way to modify the visibility tags of type TagType.VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint.replicate(). VisibilityReplicationEndpoint calls this API to provide an opportunity to modify the visibility tags before replicating.
- Specified by:
encodeVisibilityForReplication in interface VisibilityLabelService
- Parameters:
tags - the visibility tags associated with the cell
serializationFormat - the serialization format associated with the tag
- Returns:
- the modified visibility expression in the form of byte[]
- Throws:
IOException
-
createModifiedVisExpression
- Parameters:
tags - all the visibility tags associated with the current Cell
- Returns:
- the modified visibility expression as byte[]
- Throws:
IOException
-