
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.visibility;
19  
20  import java.util.ArrayList;
21  import java.util.List;
22  
23  import org.apache.commons.logging.Log;
24  import org.apache.commons.logging.LogFactory;
25  import org.apache.hadoop.hbase.classification.InterfaceAudience;
26  import org.apache.hadoop.conf.Configuration;
27  import org.apache.hadoop.hbase.security.User;
28  
29  /**
30   * This is an implementation for ScanLabelGenerator.
31   * It will extract labels from passed in authorizations and cross check
32   * against the set of predefined authorization labels for given user.
33   * The labels for which the user is not authorized will be dropped.
34   */
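@InterfaceAudience.Private
public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator {

  private static final Log LOG = LogFactory.getLog(DefinedSetFilterScanLabelGenerator.class);

  private Configuration conf;

  // Source of the per-user authorization list that requested labels are checked against.
  private VisibilityLabelsCache labelsCache;

  /** Creates a generator bound to the instance returned by {@code VisibilityLabelsCache.get()}. */
  public DefinedSetFilterScanLabelGenerator() {
    this.labelsCache = VisibilityLabelsCache.get();
  }

  /**
   * Stores the configuration handed to this generator.
   *
   * @param conf configuration to keep; returned unchanged by {@link #getConf()}
   */
  @Override
  public void setConf(Configuration conf) {
    this.conf = conf;
  }

  /**
   * @return the configuration last passed to {@link #setConf(Configuration)}, or {@code null}
   *         if none was set
   */
  @Override
  public Configuration getConf() {
    return this.conf;
  }

  /**
   * Filters the labels requested in {@code authorizations} down to those that also appear in
   * the authorization list the labels cache holds for the user's short name.
   *
   * @param user the requesting user; only its short name is read
   * @param authorizations the labels requested by the caller, may be {@code null}
   * @return the requested labels the user is authorized for, in request order, or {@code null}
   *         when {@code authorizations} is {@code null} (no filtering is performed in that case;
   *         what a {@code null} result means for the scan is decided by the caller)
   */
  @Override
  public List<String> getLabels(User user, Authorizations authorizations) {
    if (authorizations == null) {
      return null;
    }
    List<String> requested = authorizations.getLabels();
    String userName = user.getShortName();
    // NOTE(review): assumes getAuths never returns null for an unknown user -- confirm against
    // VisibilityLabelsCache; a null here would surface as a NullPointerException below.
    List<String> auths = this.labelsCache.getAuths(userName);
    return dropLabelsNotInUserAuths(requested, auths, userName);
  }

  /**
   * Splits {@code labels} into those present in {@code auths} and those that are not, logs the
   * rejected ones at WARN level and returns the accepted ones.
   *
   * @param labels labels requested by the caller
   * @param auths labels the user is authorized for
   * @param userName short name of the requesting user, used only in the log message
   * @return the labels from {@code labels} that are contained in {@code auths}, order preserved
   */
  private List<String> dropLabelsNotInUserAuths(List<String> labels, List<String> auths,
      String userName) {
    List<String> droppedLabels = new ArrayList<String>();
    List<String> passedLabels = new ArrayList<String>(labels.size());
    for (String label : labels) {
      if (auths.contains(label)) {
        passedLabels.add(label);
      } else {
        droppedLabels.add(label);
      }
    }
    if (!droppedLabels.isEmpty()) {
      StringBuilder sb = new StringBuilder();
      sb.append("Dropping invalid authorizations requested by user ");
      appendForLog(sb, userName);
      sb.append(": [ ");
      for (String label : droppedLabels) {
        // Rejected labels are caller-supplied text: neutralise control characters so a label
        // containing CR/LF cannot break the WARN entry into forged log lines.
        appendForLog(sb, label);
        sb.append(' ');
      }
      sb.append(']');
      LOG.warn(sb.toString());
    }
    return passedLabels;
  }

  /**
   * Appends {@code value} to {@code sb} with every ISO control character (CR, LF, TAB, ...)
   * rewritten as a visible backslash-u four-digit hex escape. A {@code null} value is appended
   * as the text "null", which is what {@link StringBuilder#append(String)} does.
   */
  private static void appendForLog(StringBuilder sb, String value) {
    if (value == null) {
      sb.append(value);
      return;
    }
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      if (!Character.isISOControl(c)) {
        sb.append(c);
        continue;
      }
      String hex = Integer.toHexString(c);
      sb.append("\\u");
      for (int pad = hex.length(); pad < 4; pad++) {
        sb.append('0');
      }
      sb.append(hex);
    }
  }
}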