
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.visibility;
19  
20  import java.io.IOException;
21  import java.util.List;
22  
23  import org.apache.hadoop.classification.InterfaceAudience;
24  import org.apache.hadoop.classification.InterfaceStability;
25  import org.apache.hadoop.conf.Configurable;
26  import org.apache.hadoop.hbase.Tag;
27  import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
28  import org.apache.hadoop.hbase.regionserver.OperationStatus;
29  
/**
 * Contract for the pluggable visibility label backend. An implementation covers three areas: the
 * admin service for visibility labels and user auths, the storage form of cell visibility
 * expressions (as {@link Tag}s), and the evaluation of those expressions at read time.
 * <br>
 * Note: several methods below are documented as being called concurrently from multiple threads;
 * implementations are responsible for their own thread safety there.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public interface VisibilityLabelService extends Configurable {

  /**
   * Initialization hook. The system calls this after regions have been opened so that the
   * VisibilityLabelService can do any initialization logic it needs.
   * @param e
   *          the region coprocessor env
   * @throws IOException
   *           declared by the contract; the conditions are implementation specific
   */
  void init(RegionCoprocessorEnvironment e) throws IOException;

  /**
   * Adds the given set of labels into the system.
   * <br>
   * Label addition is one of the admin operations that {@link #havingSystemAuth(byte[])}
   * describes as allowed only for users having system auth. This method takes no caller
   * identity. NOTE(review): the system auth check is presumably done by the caller before this
   * method is invoked; confirm against the call sites.
   * @param labels
   *          Labels to add to the system.
   * @return one OperationStatus per label addition
   */
  OperationStatus[] addLabels(List<byte[]> labels) throws IOException;

  /**
   * Sets the given labels as globally authorized for the user.
   * <br>
   * Setting auths is one of the admin operations that {@link #havingSystemAuth(byte[])}
   * describes as allowed only for users having system auth. The {@code user} parameter is the
   * user receiving the labels, not the caller. NOTE(review): the caller's system auth check is
   * presumably done before this method is invoked; confirm.
   * @param user
   *          The authorizing user
   * @param authLabels
   *          Labels which are getting authorized for the user
   * @return one OperationStatus per label auth addition
   */
  OperationStatus[] setAuths(byte[] user, List<byte[]> authLabels) throws IOException;

  /**
   * Removes the given labels from the user's globally authorized list of labels.
   * <br>
   * Clearing auths is one of the admin operations that {@link #havingSystemAuth(byte[])}
   * describes as allowed only for users having system auth. The {@code user} parameter is the
   * user losing the labels, not the caller. NOTE(review): the caller's system auth check is
   * presumably done before this method is invoked; confirm.
   * @param user
   *          The user whose authorization is to be removed
   * @param authLabels
   *          Labels which are getting removed from the authorization set
   * @return one OperationStatus per label auth removal
   */
  OperationStatus[] clearAuths(byte[] user, List<byte[]> authLabels) throws IOException;

  /**
   * Retrieves the visibility labels authorized for a user.
   * <br>
   * NOTE(review): this interface does not state how a system originated call is treated
   * differently from a user originated one; implementations should document what
   * {@code systemCall} changes.
   * @param user
   *          Name of the user whose authorization is to be retrieved
   * @param systemCall
   *          Whether a system or user originated call.
   * @return Visibility labels authorized for the given user.
   */
  List<String> getAuths(byte[] user, boolean systemCall) throws IOException;

  /**
   * Creates the tags corresponding to the given visibility expression. The returned tags are
   * what gets stored along with the Cells.
   * <br>
   * Note: This will be concurrently called from multiple threads and implementation should
   * take care of thread safety.
   * <br>
   * NOTE(review): the user whose auths are consulted when {@code checkAuths} is true is not a
   * parameter of this method; presumably it is the user of the current request. Confirm
   * against the implementation.
   * @param visExpression The Expression for which corresponding Tags are to be created.
   * @param withSerializationFormat specifies whether a tag, denoting the serialization version
   *          of the tags, is to be added to the list. When this is true make sure to add the
   *          serialization format Tag also. The format tag value should be byte type.
   * @param checkAuths denotes whether to check individual labels in visExpression against the
   *          user's global auth labels.
   * @return The list of tags corresponding to the visibility expression.
   */
  List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
      boolean checkAuths) throws IOException;

  /**
   * Creates the VisibilityExpEvaluator corresponding to the given Authorizations. <br>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param authorizations
   *          Authorizations for the read request
   * @return The VisibilityExpEvaluator corresponding to the given set of authorization labels.
   */
  VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
      throws IOException;

  /**
   * Tells whether the given user holds system/super auth. The system consults this during admin
   * operations (ie. Label add, set/clear auth), which are allowed only for users having system
   * auth. It is also consulted during read: a requesting user with system auth can view all the
   * data irrespective of its labels.
   * <br>
   * A true result therefore both permits admin operations and lifts label filtering on reads.
   * An implementation that cannot determine the answer should surface the failure (this method
   * declares IOException) rather than default to true.
   * @param user
   *          User for whom the system auth check is to be done.
   * @return true if the given user is having system/super auth
   */
  boolean havingSystemAuth(byte[] user) throws IOException;

  /**
   * Decides whether a Cell can be deleted, by matching the visibility expression in the Delete
   * mutation against the cell in consideration. The system also passes in the serialization
   * format of the visibility tags in Put and Delete.<br>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * <br>
   * Both format arguments are boxed and may be <code>null</code>, so implementations must handle
   * <code>null</code> explicitly before comparing or unboxing them.
   * @param putVisTags
   *          The visibility tags present in the Put mutation
   * @param putVisTagFormat
   *          The serialization format for the Put visibility tags. A <code>null</code> value for
   *          this format means the tags are written with unsorted label ordinals
   * @param deleteVisTags
   *          The visibility tags in the delete mutation (the specified Cell Visibility)
   * @param deleteVisTagFormat
   *          The serialization format for the Delete visibility tags. A <code>null</code> value for
   *          this format means the tags are written with unsorted label ordinals
   * @return true if matching tags are found
   * @see VisibilityConstants#SORTED_ORDINAL_SERIALIZATION_FORMAT
   */
  boolean matchVisibility(List<Tag> putVisTags, Byte putVisTagFormat, List<Tag> deleteVisTags,
      Byte deleteVisTagFormat) throws IOException;
}