1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, software 13 * distributed under the License is distributed on an "AS IS" BASIS, 14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 * See the License for the specific language governing permissions and 16 * limitations under the License. 17 */ 18 19 package org.apache.hadoop.hbase.security.access; 20 21 import org.apache.hadoop.hbase.Cell; 22 import org.apache.hadoop.hbase.TableName; 23 import org.apache.hadoop.hbase.exceptions.DeserializationException; 24 import org.apache.hadoop.hbase.filter.FilterBase; 25 import org.apache.hadoop.hbase.security.User; 26 27 /** 28 * <strong>NOTE: for internal use only by AccessController implementation</strong> 29 * 30 * <p> 31 * TODO: There is room for further performance optimization here. 32 * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of 33 * overhead. A more optimized solution might look at the qualifiers where 34 * permissions are actually granted and explicitly limit the scan to those. 35 * </p> 36 * <p> 37 * We should aim to use this _only_ when access to the requested column families 38 * is not granted at the column family levels. If table or column family 39 * access succeeds, then there is no need to impose the overhead of this filter. 40 * </p> 41 */ 42 class AccessControlFilter extends FilterBase { 43 44 private TableAuthManager authManager; 45 private TableName table; 46 private User user; 47 private boolean isSystemTable; 48 private boolean cellFirstStrategy; 49 50 /** 51 * For Writable 52 */ 53 AccessControlFilter() { 54 } 55 56 AccessControlFilter(TableAuthManager mgr, User ugi, TableName tableName, 57 boolean cellFirstStrategy) { 58 authManager = mgr; 59 table = tableName; 60 user = ugi; 61 isSystemTable = tableName.isSystemTable(); 62 this.cellFirstStrategy = cellFirstStrategy; 63 } 64 65 @Override 66 public ReturnCode filterKeyValue(Cell cell) { 67 if (isSystemTable) { 68 return ReturnCode.INCLUDE; 69 } 70 if (authManager.authorize(user, table, cell, cellFirstStrategy, Permission.Action.READ)) { 71 return ReturnCode.INCLUDE; 72 } 73 // Before per cell ACLs we used to return the NEXT_COL hint, but we can 74 // no longer do that since, given the possibility of per cell ACLs 75 // anywhere, we now need to examine all KVs with this filter. 76 return ReturnCode.SKIP; 77 } 78 79 /** 80 * @return The filter serialized using pb 81 */ 82 public byte [] toByteArray() { 83 // no implementation, server-side use only 84 throw new UnsupportedOperationException( 85 "Serialization not supported. Intended for server-side use only."); 86 } 87 88 /** 89 * @param pbBytes A pb serialized {@link AccessControlFilter} instance 90 * @return An instance of {@link AccessControlFilter} made from <code>bytes</code> 91 * @throws org.apache.hadoop.hbase.exceptions.DeserializationException 92 * @see {@link #toByteArray()} 93 */ 94 public static AccessControlFilter parseFrom(final byte [] pbBytes) 95 throws DeserializationException { 96 // no implementation, server-side use only 97 throw new UnsupportedOperationException( 98 "Serialization not supported. Intended for server-side use only."); 99 } 100 }