Class AccessControlFilter
java.lang.Object
org.apache.hadoop.hbase.filter.Filter
org.apache.hadoop.hbase.filter.FilterBase
org.apache.hadoop.hbase.security.access.AccessControlFilter
NOTE: for internal use only by AccessController implementation
TODO: There is room for further performance optimization here. Calling AuthManager.authorize() per KeyValue imposes a fair amount of overhead. A more optimized solution might look at the qualifiers where permissions are actually granted and explicitly limit the scan to those.
We should aim to use this _only_ when access to the requested column families is not granted at the column family levels. If table or column family access succeeds, then there is no need to impose the overhead of this filter.
-
Nested Class Summary
Nested classes/interfaces inherited from class org.apache.hadoop.hbase.filter.Filter
Filter.ReturnCode
-
Field Summary
Modifier and TypeFieldDescriptionprivate AuthManager
private int
private int
private boolean
private ByteRange
private ByteRange
private AccessControlFilter.Strategy
private TableName
private User
-
Constructor Summary
ConstructorDescriptionFor WritableAccessControlFilter
(AuthManager mgr, User ugi, TableName tableName, AccessControlFilter.Strategy strategy, Map<ByteRange, Integer> cfVsMaxVersions) -
Method Summary
Modifier and TypeMethodDescriptionboolean
filterCell
(Cell cell) A way to filter based on the column family, column qualifier and/or the column value.boolean
filterRowKey
(Cell cell) Filters a row based on the row key.int
hashCode()
static AccessControlFilter
parseFrom
(byte[] pbBytes) void
reset()
Filters that are purely stateless and do nothing in their reset() methods can inherit this null/empty implementation.byte[]
Returns The filter serialized using pbMethods inherited from class org.apache.hadoop.hbase.filter.FilterBase
createFilterFromArguments, filterAllRemaining, filterRow, filterRowCells, getNextCellHint, hasFilterRow, isFamilyEssential, toString, transformCell
Methods inherited from class org.apache.hadoop.hbase.filter.Filter
isReversed, setReversed
-
Field Details
-
authManager
-
table
-
user
-
isSystemTable
-
strategy
-
cfVsMaxVersions
-
familyMaxVersions
-
currentVersions
-
prevFam
-
prevQual
-
-
Constructor Details
-
AccessControlFilter
For Writable -
AccessControlFilter
AccessControlFilter(AuthManager mgr, User ugi, TableName tableName, AccessControlFilter.Strategy strategy, Map<ByteRange, Integer> cfVsMaxVersions)
-
-
Method Details
-
filterRowKey
Description copied from class:Filter
Filters a row based on the row key. If this returns true, the entire row will be excluded. If false, each KeyValue in the row will be passed toFilter.filterCell(Cell)
below. IfFilter.filterAllRemaining()
returns true, thenFilter.filterRowKey(Cell)
should also return true. Concrete implementers can signal a failure condition in their code by throwing anIOException
.- Overrides:
filterRowKey
in classFilterBase
- Parameters:
cell
- The first cell coming in the new row- Returns:
- true, remove entire row, false, include the row (maybe).
- Throws:
IOException
- in case an I/O or an filter specific failure needs to be signaled.
-
filterCell
Description copied from class:Filter
A way to filter based on the column family, column qualifier and/or the column value. Return code is described below. This allows filters to filter only certain number of columns, then terminate without matching ever column. If filterRowKey returns true, filterCell needs to be consistent with it. filterCell can assume that filterRowKey has already been called for the row. If your filter returnsReturnCode.NEXT_ROW
, it should returnReturnCode.NEXT_ROW
untilFilter.reset()
is called just in case the caller calls for the next row. Concrete implementers can signal a failure condition in their code by throwing anIOException
.- Overrides:
filterCell
in classFilter
- Parameters:
cell
- the Cell in question- Returns:
- code as described below
- See Also:
-
reset
Description copied from class:FilterBase
Filters that are purely stateless and do nothing in their reset() methods can inherit this null/empty implementation. Reset the state of the filter between rows. Concrete implementers can signal a failure condition in their code by throwing anIOException
.- Overrides:
reset
in classFilterBase
- Throws:
IOException
- in case an I/O or an filter specific failure needs to be signaled.
-
toByteArray
Returns The filter serialized using pb- Overrides:
toByteArray
in classFilterBase
- Returns:
- The filter serialized using pb
-
parseFrom
- Parameters:
pbBytes
- A pb serializedAccessControlFilter
instance- Returns:
- An instance of
AccessControlFilter
made frombytes
- Throws:
DeserializationException
- See Also:
-
equals
-
hashCode
-