
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import org.apache.hadoop.hbase.Cell;
22  import org.apache.hadoop.hbase.KeyValueUtil;
23  import org.apache.hadoop.hbase.TableName;
24  import org.apache.hadoop.hbase.exceptions.DeserializationException;
25  import org.apache.hadoop.hbase.KeyValue;
26  import org.apache.hadoop.hbase.filter.FilterBase;
27  import org.apache.hadoop.hbase.security.User;
28  
29  /**
30   * <strong>NOTE: for internal use only by AccessController implementation</strong>
31   *
32   * <p>
33   * TODO: There is room for further performance optimization here.
34   * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of
35   * overhead.  A more optimized solution might look at the qualifiers where
36   * permissions are actually granted and explicitly limit the scan to those.
37   * </p>
38   * <p>
39   * We should aim to use this _only_ when access to the requested column families
40   * is not granted at the column family levels.  If table or column family
41   * access succeeds, then there is no need to impose the overhead of this filter.
42   * </p>
43   */
class AccessControlFilter extends FilterBase {

  /** Message shared by both serialization entry points, which always refuse. */
  private static final String SERIALIZATION_UNSUPPORTED =
      "Serialization not supported.  Intended for server-side use only.";

  // Authorization context captured at construction time. All three fields stay
  // null when the no-argument constructor is used.
  private TableAuthManager authManager;
  private TableName table;
  private User user;

  /**
   * No-argument constructor, kept for Writable.
   * <p>
   * It assigns nothing, so calling {@link #filterKeyValue(Cell)} on such an
   * instance dereferences a null auth manager and throws instead of admitting
   * a cell.
   * </p>
   */
  AccessControlFilter() {
  }

  /**
   * Builds a filter that checks READ permission for one user on one table.
   *
   * @param mgr auth manager consulted for every cell
   * @param ugi user whose READ permission is checked
   * @param tableName table handed to the auth manager together with each cell
   */
  AccessControlFilter(TableAuthManager mgr, User ugi,
      TableName tableName) {
    this.authManager = mgr;
    this.user = ugi;
    this.table = tableName;
  }

  /**
   * Per-cell authorization check: a cell is included only when the auth manager
   * grants the configured user READ on it.
   * <p>
   * A denial is silent. The cell is left out of the result and no exception is
   * raised, so a caller cannot tell a denied cell from an absent one. The
   * {@code NEXT_COL} return code asks the scanner to move on to the next column,
   * which means the remaining cells of the denied column are skipped without a
   * separate check.
   * </p>
   *
   * @param c the cell under evaluation
   * @return {@code INCLUDE} when READ is authorized, {@code NEXT_COL} otherwise
   */
  @Override
  public ReturnCode filterKeyValue(Cell c) {
    // TODO go and redo auth manager to use Cell instead of KV.
    final KeyValue keyValue = KeyValueUtil.ensureKeyValue(c);
    final boolean readAllowed =
        authManager.authorize(user, table, keyValue, TablePermission.Action.READ);
    return readAllowed ? ReturnCode.INCLUDE : ReturnCode.NEXT_COL;
  }

  /**
   * Serialization entry point; never produces bytes.
   *
   * @return never returns normally
   * @throws UnsupportedOperationException always, the filter is server-side only
   */
  public byte [] toByteArray() {
    // Deliberately unimplemented: the auth manager and user are never written out.
    throw new UnsupportedOperationException(SERIALIZATION_UNSUPPORTED);
  }

  /**
   * Deserialization entry point; never builds an instance, so a filter carrying
   * an auth manager and a user cannot be reconstructed from bytes.
   *
   * @param pbBytes ignored
   * @return never returns normally
   * @throws DeserializationException declared by the signature, never thrown here
   * @throws UnsupportedOperationException always, the filter is server-side only
   * @see #toByteArray()
   */
  public static AccessControlFilter parseFrom(final byte [] pbBytes)
      throws DeserializationException {
    // Deliberately unimplemented, mirroring toByteArray().
    throw new UnsupportedOperationException(SERIALIZATION_UNSUPPORTED);
  }
}