
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.io.DataInput;
22  import java.io.DataOutput;
23  import java.io.IOException;
24  
25  import org.apache.hadoop.hbase.KeyValue;
26  import org.apache.hadoop.hbase.filter.FilterBase;
27  import org.apache.hadoop.hbase.security.User;
28  
29  /**
30   * <strong>NOTE: for internal use only by AccessController implementation</strong>
31   *
32   * <p>
33   * TODO: There is room for further performance optimization here.
34   * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of
35   * overhead.  A more optimized solution might look at the qualifiers where
36   * permissions are actually granted and explicitly limit the scan to those.
37   * </p>
38   * <p>
39   * We should aim to use this _only_ when access to the requested column families
40   * is not granted at the column family level.  If table or column family
41   * access succeeds, then there is no need to impose the overhead of this filter.
42   * </p>
43   */
class AccessControlFilter extends FilterBase {

  /** Message raised by both Writable methods; this filter is never serialized. */
  private static final String NO_SERIALIZATION_MSG =
      "Serialization not supported.  Intended for server-side use only.";

  // Answers the per-KeyValue READ check; stays null when the no-arg constructor is used.
  private TableAuthManager authManager;
  // Table name handed to authorize(); the caller's array is stored by reference, not copied.
  private byte[] table;
  // Identity on whose behalf each KeyValue is checked.
  private User user;

  /**
   * For Writable.
   *
   * <p>Leaves {@code authManager}, {@code table} and {@code user} unset. Because
   * {@link #readFields(DataInput)} always throws, this class never populates an
   * instance built this way, and {@link #filterKeyValue(KeyValue)} would hit a
   * {@link NullPointerException} on the null {@code authManager}.
   */
  AccessControlFilter() {
  }

  /**
   * Builds a filter that checks READ permission for one user on one table.
   *
   * @param mgr authorization manager consulted for every KeyValue
   * @param ugi user whose READ permission is evaluated
   * @param tableName name of the table being read; kept by reference
   */
  AccessControlFilter(TableAuthManager mgr, User ugi,
      byte[] tableName) {
    this.user = ugi;
    this.table = tableName;
    this.authManager = mgr;
  }

  /**
   * Decides whether a single KeyValue is visible to the configured user.
   *
   * <p>The KeyValue is included only when
   * {@code authManager.authorize(user, table, kv, READ)} returns true; every
   * other outcome falls through to {@code NEXT_COL}, so denial is the default
   * path. Nothing is caught here, so an exception from {@code authorize}
   * propagates to the caller instead of being turned into an allow or deny.
   *
   * @param kv the KeyValue under evaluation
   * @return {@code INCLUDE} when READ is authorized, otherwise {@code NEXT_COL}
   */
  @Override
  public ReturnCode filterKeyValue(KeyValue kv) {
    // NOTE(review): NEXT_COL presumably skips the remaining versions of this
    // column as well -- confirm that authorize() cannot differ between
    // versions of the same column.
    boolean readable = authManager.authorize(user, table, kv, TablePermission.Action.READ);
    return readable ? ReturnCode.INCLUDE : ReturnCode.NEXT_COL;
  }

  /**
   * Always rejects serialization; the filter is meant for server-side use only.
   *
   * @param dataOutput ignored
   * @throws UnsupportedOperationException on every call
   */
  @Override
  public void write(DataOutput dataOutput) throws IOException {
    throw new UnsupportedOperationException(NO_SERIALIZATION_MSG);
  }

  /**
   * Always rejects deserialization; the filter is meant for server-side use only.
   *
   * @param dataInput ignored
   * @throws UnsupportedOperationException on every call
   */
  @Override
  public void readFields(DataInput dataInput) throws IOException {
    throw new UnsupportedOperationException(NO_SERIALIZATION_MSG);
  }
}