/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security.visibility;

import java.io.IOException;
import java.util.List;

import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.regionserver.OperationStatus;

/**
 * The interface which deals with visibility labels and user auths admin service as well as the cell
 * visibility expression storage part and read time evaluation.
 * <p>
 * An implementation is responsible for three things: administering the label and per-user
 * authorization sets ({@link #addLabels}, {@link #setAuths}, {@link #clearAuths},
 * {@link #getAuths}), converting visibility expressions into the {@link Tag}s stored with cells
 * ({@link #createVisibilityExpTags}), and evaluating those tags at read/delete time
 * ({@link #getVisibilityExpEvaluator}, {@link #matchVisibility}). The {@link #havingSystemAuth}
 * check gates the admin operations and grants unrestricted read access, so it is the most
 * security-sensitive method of the contract.
 * <p>
 * Several methods are documented as being called concurrently from multiple threads;
 * implementations must be thread safe where noted on the individual methods.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public interface VisibilityLabelService extends Configurable {

  /**
   * System calls this after opening of regions. Gives a chance for the VisibilityLabelService to do
   * any initialization logic.
   * @param e
   *          the region coprocessor env
   * @throws IOException if initialization fails
   */
  void init(RegionCoprocessorEnvironment e) throws IOException;

  /**
   * Adds the set of labels into the system.
   * @param labels
   *          Labels to add to the system.
   * @return OperationStatus for each of the label addition, one entry per element of
   *         {@code labels}
   * @throws IOException if the labels cannot be stored
   */
  OperationStatus[] addLabels(List<byte[]> labels) throws IOException;

  /**
   * Sets given labels globally authorized for the user.
   * @param user
   *          The authorizing user
   * @param authLabels
   *          Labels which are getting authorized for the user
   * @return OperationStatus for each of the label auth addition, one entry per element of
   *         {@code authLabels}
   * @throws IOException if the authorizations cannot be stored
   */
  OperationStatus[] setAuths(byte[] user, List<byte[]> authLabels) throws IOException;

  /**
   * Removes given labels from user's globally authorized list of labels.
   * @param user
   *          The user whose authorization to be removed
   * @param authLabels
   *          Labels which are getting removed from authorization set
   * @return OperationStatus for each of the label auth removal, one entry per element of
   *         {@code authLabels}
   * @throws IOException if the authorizations cannot be updated
   */
  OperationStatus[] clearAuths(byte[] user, List<byte[]> authLabels) throws IOException;

  /**
   * Retrieves the labels globally authorized for the given user.
   * @param user
   *          Name of the user whose authorization to be retrieved
   * @param systemCall
   *          Whether a system or user originated call. NOTE(review): presumably implementations
   *          use this flag to decide whether the caller's own access must be checked before
   *          another user's auths are returned — confirm against the implementation.
   * @return Visibility labels authorized for the given user.
   * @throws IOException if the authorizations cannot be read
   */
  List<String> getAuths(byte[] user, boolean systemCall) throws IOException;

  /**
   * Creates tags corresponding to given visibility expression.
   * <br>
   * Note: This will be concurrently called from multiple threads and implementation should
   * take care of thread safety.
   * @param visExpression The Expression for which corresponding Tags to be created.
   * @param withSerializationFormat specifies whether a tag, denoting the serialization version
   *          of the tags, to be added in the list. When this is true make sure to add the
   *          serialization format Tag also. The format tag value should be byte type.
   * @param checkAuths denotes whether to check individual labels in visExpression against user's
   *          global auth label. When {@code false} the expression is converted without that check,
   *          so callers must only pass {@code false} on paths that have already been authorized.
   * @return The list of tags corresponds to the visibility expression. These tags will be stored
   *         along with the Cells.
   * @throws IOException if the expression cannot be parsed or the auth check fails
   */
  List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
      boolean checkAuths) throws IOException;

  /**
   * Creates VisibilityExpEvaluator corresponding to given Authorizations. <br>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param authorizations
   *          Authorizations for the read request
   * @return The VisibilityExpEvaluator corresponding to the given set of authorization labels.
   * @throws IOException if the evaluator cannot be built
   */
  VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
      throws IOException;

  /**
   * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
   * operation is allowed only for users having system auth. Also during read, if the requesting
   * user has system auth, he can view all the data irrespective of its labels.
   * <p>
   * Implementation note: because a {@code true} result both permits the admin operations and
   * bypasses every cell-level label check on read, implementations should return {@code true}
   * only on a positive, successful check. An inability to determine the user's auths (missing
   * data, lookup failure) should surface as {@code false} or as an {@link IOException}, never as
   * {@code true}.
   * @param user
   *          User for whom system auth check to be done.
   * @return true if the given user is having system/super auth
   * @throws IOException if the check cannot be performed
   */
  boolean havingSystemAuth(byte[] user) throws IOException;

  /**
   * System uses this for deciding whether a Cell can be deleted by matching visibility expression
   * in Delete mutation and the cell in consideration. Also system passes the serialization format
   * of visibility tags in Put and Delete.<br>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param putVisTags
   *          The visibility tags present in the Put mutation
   * @param putVisTagFormat
   *          The serialization format for the Put visibility tags. A <code>null</code> value for
   *          this format means the tags are written with unsorted label ordinals
   * @param deleteVisTags
   *          The visibility tags in the delete mutation (the specified Cell Visibility)
   * @param deleteVisTagFormat
   *          The serialization format for the Delete visibility tags. A <code>null</code> value for
   *          this format means the tags are written with unsorted label ordinals
   * @return true if matching tags are found
   * @throws IOException if the tags cannot be decoded or compared
   * @see VisibilityConstants#SORTED_ORDINAL_SERIALIZATION_FORMAT
   */
  boolean matchVisibility(List<Tag> putVisTags, Byte putVisTagFormat, List<Tag> deleteVisTags,
      Byte deleteVisTagFormat) throws IOException;
}