View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import org.apache.hadoop.hbase.TableName;
22  import org.apache.hadoop.hbase.exceptions.DeserializationException;
23  import org.apache.hadoop.hbase.KeyValue;
24  import org.apache.hadoop.hbase.filter.FilterBase;
25  import org.apache.hadoop.hbase.security.User;
26  
27  /**
28   * <strong>NOTE: for internal use only by AccessController implementation</strong>
29   *
30   * <p>
31   * TODO: There is room for further performance optimization here.
32   * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of
33   * overhead.  A more optimized solution might look at the qualifiers where
34   * permissions are actually granted and explicitly limit the scan to those.
35   * </p>
36   * <p>
37   * We should aim to use this _only_ when access to the requested column families
38   * is not granted at the column family levels.  If table or column family
39   * access succeeds, then there is no need to impose the overhead of this filter.
40   * </p>
41   */
42  class AccessControlFilter extends FilterBase {
43  
44    private TableAuthManager authManager;
45    private TableName table;
46    private User user;
47  
48    /**
49     * For Writable
50     */
51    AccessControlFilter() {
52    }
53  
54    AccessControlFilter(TableAuthManager mgr, User ugi,
55        TableName tableName) {
56      authManager = mgr;
57      table = tableName;
58      user = ugi;
59    }
60  
61    @Override
62    public ReturnCode filterKeyValue(KeyValue kv) {
63      if (authManager.authorize(user, table, kv, TablePermission.Action.READ)) {
64        return ReturnCode.INCLUDE;
65      }
66      return ReturnCode.NEXT_COL;
67    }
68  
69    /**
70     * @return The filter serialized using pb
71     */
72    public byte [] toByteArray() {
73      // no implementation, server-side use only
74      throw new UnsupportedOperationException(
75        "Serialization not supported.  Intended for server-side use only.");
76    }
77  
78    /**
79     * @param pbBytes A pb serialized {@link AccessControlFilter} instance
80     * @return An instance of {@link AccessControlFilter} made from <code>bytes</code>
81     * @throws org.apache.hadoop.hbase.exceptions.DeserializationException
82     * @see {@link #toByteArray()}
83     */
84    public static AccessControlFilter parseFrom(final byte [] pbBytes)
85    throws DeserializationException {
86      // no implementation, server-side use only
87      throw new UnsupportedOperationException(
88        "Serialization not supported.  Intended for server-side use only.");
89    }
90  }