org.apache.hadoop.hbase.security.visibility
Class DefaultVisibilityLabelServiceImpl

java.lang.Object
  extended by org.apache.hadoop.hbase.security.visibility.DefaultVisibilityLabelServiceImpl
All Implemented Interfaces:
org.apache.hadoop.conf.Configurable, VisibilityLabelService

@InterfaceAudience.Private
public class DefaultVisibilityLabelServiceImpl
extends Object
implements VisibilityLabelService


Constructor Summary
DefaultVisibilityLabelServiceImpl()
           
 
Method Summary
 OperationStatus[] addLabels(List<byte[]> labels)
          Adds the set of labels into the system.
protected  void addSystemLabel(HRegion region, Map<String,Integer> labels, Map<String,List<Integer>> userAuths)
           
 OperationStatus[] clearAuths(byte[] user, List<byte[]> authLabels)
          Removes given labels from user's globally authorized list of labels.
 List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat, boolean checkAuths)
          Creates tags corresponding to given visibility expression.
 byte[] encodeVisibilityForReplication(List<Tag> tags, Byte serializationFormat)
          Provides a way to modify the visibility tags of type TagType.VISIBILITY_TAG_TYPE that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint.replicate().
protected  Pair<Map<String,Integer>,Map<String,List<Integer>>> extractLabelsAndAuths(List<List<Cell>> labelDetails)
           
 List<String> getAuths(byte[] user, boolean systemCall)
          Deprecated. 
 org.apache.hadoop.conf.Configuration getConf()
           
protected  List<List<Cell>> getExistingLabelsWithAuths()
           
 List<String> getGroupAuths(String[] groups, boolean systemCall)
          Retrieve the visibility labels for the groups.
 List<String> getUserAuths(byte[] user, boolean systemCall)
          Retrieve the visibility labels for the user.
 VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
          Creates VisibilityExpEvaluator corresponding to given Authorizations.
 boolean havingSystemAuth(byte[] user)
          Deprecated. 
 boolean havingSystemAuth(User user)
          System checks for user auth during admin operations.
 void init(RegionCoprocessorEnvironment e)
          System calls this after opening of regions.
protected  boolean isReadFromSystemAuthUser()
           
 List<String> listLabels(String regex)
          Retrieve the list of visibility labels defined in the system.
 boolean matchVisibility(List<Tag> putVisTags, Byte putTagsFormat, List<Tag> deleteVisTags, Byte deleteTagsFormat)
          System uses this to decide whether a Cell can be deleted, by matching the visibility expression in the Delete mutation against the cell in consideration.
 OperationStatus[] setAuths(byte[] user, List<byte[]> authLabels)
          Sets given labels globally authorized for the user.
 void setConf(org.apache.hadoop.conf.Configuration conf)
           
protected  void updateZk(boolean labelAddition)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DefaultVisibilityLabelServiceImpl

public DefaultVisibilityLabelServiceImpl()
Method Detail

setConf

public void setConf(org.apache.hadoop.conf.Configuration conf)
Specified by:
setConf in interface org.apache.hadoop.conf.Configurable

getConf

public org.apache.hadoop.conf.Configuration getConf()
Specified by:
getConf in interface org.apache.hadoop.conf.Configurable

init

public void init(RegionCoprocessorEnvironment e)
          throws IOException
Description copied from interface: VisibilityLabelService
System calls this after opening of regions. Gives a chance for the VisibilityLabelService to do any initialization logic.

Specified by:
init in interface VisibilityLabelService
Parameters:
e - the region coprocessor env
Throws:
IOException

getExistingLabelsWithAuths

protected List<List<Cell>> getExistingLabelsWithAuths()
                                               throws IOException
Throws:
IOException

extractLabelsAndAuths

protected Pair<Map<String,Integer>,Map<String,List<Integer>>> extractLabelsAndAuths(List<List<Cell>> labelDetails)

addSystemLabel

protected void addSystemLabel(HRegion region,
                              Map<String,Integer> labels,
                              Map<String,List<Integer>> userAuths)
                       throws IOException
Throws:
IOException

addLabels

public OperationStatus[] addLabels(List<byte[]> labels)
                            throws IOException
Description copied from interface: VisibilityLabelService
Adds the set of labels into the system.

Specified by:
addLabels in interface VisibilityLabelService
Parameters:
labels - Labels to add to the system.
Returns:
OperationStatus for each label addition
Throws:
IOException

setAuths

public OperationStatus[] setAuths(byte[] user,
                                  List<byte[]> authLabels)
                           throws IOException
Description copied from interface: VisibilityLabelService
Sets given labels globally authorized for the user.

Specified by:
setAuths in interface VisibilityLabelService
Parameters:
user - The authorizing user
authLabels - Labels which are getting authorized for the user
Returns:
OperationStatus for each label auth addition
Throws:
IOException

clearAuths

public OperationStatus[] clearAuths(byte[] user,
                                    List<byte[]> authLabels)
                             throws IOException
Description copied from interface: VisibilityLabelService
Removes given labels from user's globally authorized list of labels.

Specified by:
clearAuths in interface VisibilityLabelService
Parameters:
user - The user whose authorization is to be removed
authLabels - Labels which are getting removed from authorization set
Returns:
OperationStatus for each label auth removal
Throws:
IOException

getAuths

@Deprecated
public List<String> getAuths(byte[] user,
                             boolean systemCall)
                      throws IOException
Deprecated. 

Description copied from interface: VisibilityLabelService
Retrieve the visibility labels for the user.

Specified by:
getAuths in interface VisibilityLabelService
Parameters:
user - Name of the user whose authorization is to be retrieved
systemCall - Whether a system or user originated call.
Returns:
Visibility labels authorized for the given user.
Throws:
IOException

getUserAuths

public List<String> getUserAuths(byte[] user,
                                 boolean systemCall)
                          throws IOException
Description copied from interface: VisibilityLabelService
Retrieve the visibility labels for the user.

Specified by:
getUserAuths in interface VisibilityLabelService
Parameters:
user - Name of the user whose authorization is to be retrieved
systemCall - Whether a system or user originated call.
Returns:
Visibility labels authorized for the given user.
Throws:
IOException

getGroupAuths

public List<String> getGroupAuths(String[] groups,
                                  boolean systemCall)
                           throws IOException
Description copied from interface: VisibilityLabelService
Retrieve the visibility labels for the groups.

Specified by:
getGroupAuths in interface VisibilityLabelService
Parameters:
groups - Names of the groups whose authorizations are to be retrieved
systemCall - Whether a system or user originated call.
Returns:
Visibility labels authorized for the given group.
Throws:
IOException

listLabels

public List<String> listLabels(String regex)
                        throws IOException
Description copied from interface: VisibilityLabelService
Retrieve the list of visibility labels defined in the system.

Specified by:
listLabels in interface VisibilityLabelService
Parameters:
regex - The regular expression to filter which labels are returned.
Returns:
List of visibility labels
Throws:
IOException

createVisibilityExpTags

public List<Tag> createVisibilityExpTags(String visExpression,
                                         boolean withSerializationFormat,
                                         boolean checkAuths)
                                  throws IOException
Description copied from interface: VisibilityLabelService
Creates tags corresponding to given visibility expression.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety.

Specified by:
createVisibilityExpTags in interface VisibilityLabelService
Parameters:
visExpression - The expression for which the corresponding Tags are to be created.
withSerializationFormat - specifies whether a tag denoting the serialization version of the tags is to be added to the list. When this is true, make sure to add the serialization format Tag also. The format tag value should be of byte type.
checkAuths - denotes whether to check individual labels in visExpression against the user's global auth labels.
Returns:
The list of tags corresponding to the visibility expression. These tags will be stored along with the Cells.
Throws:
IOException

updateZk

protected void updateZk(boolean labelAddition)
                 throws IOException
Throws:
IOException

getVisibilityExpEvaluator

public VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
                                                 throws IOException
Description copied from interface: VisibilityLabelService
Creates VisibilityExpEvaluator corresponding to given Authorizations.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety.

Specified by:
getVisibilityExpEvaluator in interface VisibilityLabelService
Parameters:
authorizations - Authorizations for the read request
Returns:
The VisibilityExpEvaluator corresponding to the given set of authorization labels.
Throws:
IOException

isReadFromSystemAuthUser

protected boolean isReadFromSystemAuthUser()
                                    throws IOException
Throws:
IOException

havingSystemAuth

@Deprecated
public boolean havingSystemAuth(byte[] user)
                         throws IOException
Deprecated. 

Description copied from interface: VisibilityLabelService
System checks for user auth during admin operations (i.e. label add, set/clear auth). The operation is allowed only for users having system auth. Also, during a read, if the requesting user has system auth, that user can view all the data irrespective of its labels.

Specified by:
havingSystemAuth in interface VisibilityLabelService
Parameters:
user - User for whom the system auth check is to be done.
Returns:
true if the given user has system/super auth
Throws:
IOException

havingSystemAuth

public boolean havingSystemAuth(User user)
                         throws IOException
Description copied from interface: VisibilityLabelService
System checks for user auth during admin operations (i.e. label add, set/clear auth). The operation is allowed only for users having system auth. Also, during a read, if the requesting user has system auth, that user can view all the data irrespective of its labels.

Specified by:
havingSystemAuth in interface VisibilityLabelService
Parameters:
user - User for whom the system auth check is to be done.
Returns:
true if the given user has system/super auth
Throws:
IOException

matchVisibility

public boolean matchVisibility(List<Tag> putVisTags,
                               Byte putTagsFormat,
                               List<Tag> deleteVisTags,
                               Byte deleteTagsFormat)
                        throws IOException
Description copied from interface: VisibilityLabelService
System uses this to decide whether a Cell can be deleted, by matching the visibility expression in the Delete mutation against the cell in consideration. The system also passes the serialization format of the visibility tags in the Put and the Delete.
Note: This will be concurrently called from multiple threads and implementation should take care of thread safety.

Specified by:
matchVisibility in interface VisibilityLabelService
Parameters:
putVisTags - The visibility tags present in the Put mutation
putTagsFormat - The serialization format for the Put visibility tags. A null value for this format means the tags are written with unsorted label ordinals
deleteVisTags - The visibility tags in the delete mutation (the specified Cell Visibility)
deleteTagsFormat - The serialization format for the Delete visibility tags. A null value for this format means the tags are written with unsorted label ordinals
Returns:
true if matching tags are found
Throws:
IOException
See Also:
VisibilityConstants.SORTED_ORDINAL_SERIALIZATION_FORMAT

encodeVisibilityForReplication

public byte[] encodeVisibilityForReplication(List<Tag> tags,
                                             Byte serializationFormat)
                                      throws IOException
Description copied from interface: VisibilityLabelService
Provides a way to modify the visibility tags of type TagType.VISIBILITY_TAG_TYPE that are part of the cell created from the WALEdits that are prepared for replication while calling ReplicationEndpoint.replicate(). VisibilityReplicationEndpoint calls this API to provide an opportunity to modify the visibility tags before replicating.

Specified by:
encodeVisibilityForReplication in interface VisibilityLabelService
Parameters:
tags - the visibility tags associated with the cell
serializationFormat - the serialization format associated with the tag
Returns:
the modified visibility expression in the form of byte[]
Throws:
IOException


Copyright © 2007–2016 The Apache Software Foundation. All rights reserved.