1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, software 13 * distributed under the License is distributed on an "AS IS" BASIS, 14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 * See the License for the specific language governing permissions and 16 * limitations under the License. 17 */ 18 19 package org.apache.hadoop.hbase.security.access; 20 21 import org.apache.hadoop.hbase.exceptions.DeserializationException; 22 import org.apache.hadoop.hbase.KeyValue; 23 import org.apache.hadoop.hbase.filter.FilterBase; 24 import org.apache.hadoop.hbase.security.User; 25 26 /** 27 * <strong>NOTE: for internal use only by AccessController implementation</strong> 28 * 29 * <p> 30 * TODO: There is room for further performance optimization here. 31 * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of 32 * overhead. A more optimized solution might look at the qualifiers where 33 * permissions are actually granted and explicitly limit the scan to those. 34 * </p> 35 * <p> 36 * We should aim to use this _only_ when access to the requested column families 37 * is not granted at the column family levels. If table or column family 38 * access succeeds, then there is no need to impose the overhead of this filter. 39 * </p> 40 */ 41 class AccessControlFilter extends FilterBase { 42 43 private TableAuthManager authManager; 44 private byte[] table; 45 private User user; 46 47 /** 48 * For Writable 49 */ 50 AccessControlFilter() { 51 } 52 53 AccessControlFilter(TableAuthManager mgr, User ugi, 54 byte[] tableName) { 55 authManager = mgr; 56 table = tableName; 57 user = ugi; 58 } 59 60 @Override 61 public ReturnCode filterKeyValue(KeyValue kv) { 62 if (authManager.authorize(user, table, kv, TablePermission.Action.READ)) { 63 return ReturnCode.INCLUDE; 64 } 65 return ReturnCode.NEXT_COL; 66 } 67 68 /** 69 * @return The filter serialized using pb 70 */ 71 public byte [] toByteArray() { 72 // no implementation, server-side use only 73 throw new UnsupportedOperationException( 74 "Serialization not supported. Intended for server-side use only."); 75 } 76 77 /** 78 * @param pbBytes A pb serialized {@link AccessControlFilter} instance 79 * @return An instance of {@link AccessControlFilter} made from <code>bytes</code> 80 * @throws org.apache.hadoop.hbase.exceptions.DeserializationException 81 * @see {@link #toByteArray()} 82 */ 83 public static AccessControlFilter parseFrom(final byte [] pbBytes) 84 throws DeserializationException { 85 // no implementation, server-side use only 86 throw new UnsupportedOperationException( 87 "Serialization not supported. Intended for server-side use only."); 88 } 89 }