/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.hbase.security.access;

import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;

import org.apache.hadoop.hbase.KeyValue;
import org.apache.hadoop.hbase.filter.FilterBase;
import org.apache.hadoop.hbase.security.User;

/**
 * <strong>NOTE: for internal use only by AccessController implementation</strong>
 *
 * <p>
 * TODO: There is room for further performance optimization here.
 * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of
 * overhead. A more optimized solution might look at the qualifiers where
 * permissions are actually granted and explicitly limit the scan to those.
 * </p>
 * <p>
 * We should aim to use this _only_ when access to the requested column families
 * is not granted at the column family levels. If table or column family
 * access succeeds, then there is no need to impose the overhead of this filter.
 * </p>
 */
class AccessControlFilter extends FilterBase {

  /** Message used by both serialization hooks, which are deliberately unsupported. */
  private static final String NO_SERIALIZATION =
      "Serialization not supported. Intended for server-side use only.";

  // Not final: the no-arg constructor below leaves all three unset (null).
  private TableAuthManager authManager;
  private byte[] table;
  private User user;

  /**
   * For Writable.
   *
   * <p>Leaves the auth manager, table and user unset. Since
   * {@link #readFields(DataInput)} never populates them, an instance created
   * this way cannot authorize anything: {@link #filterKeyValue(KeyValue)}
   * dereferences the null auth manager and throws.
   */
  AccessControlFilter() {
  }

  /**
   * Builds a filter that checks READ permission for one user on one table.
   *
   * @param mgr       authorization manager consulted for every KeyValue
   * @param ugi       user on whose behalf the cells are being read
   * @param tableName name of the table the cells belong to
   */
  AccessControlFilter(TableAuthManager mgr, User ugi,
      byte[] tableName) {
    this.user = ugi;
    this.table = tableName;
    this.authManager = mgr;
  }

  /**
   * Decides, cell by cell, whether the configured user may read the KeyValue.
   *
   * <p>A denial is reported through the return code only; this method does not
   * raise an access error for it. The caller therefore receives a result with
   * the unauthorized cells left out rather than a failed request.
   *
   * @param kv the KeyValue being considered
   * @return {@code INCLUDE} when the auth manager grants READ on {@code kv},
   *         otherwise {@code NEXT_COL}
   */
  @Override
  public ReturnCode filterKeyValue(KeyValue kv) {
    final boolean readable =
        authManager.authorize(user, table, kv, TablePermission.Action.READ);
    return readable ? ReturnCode.INCLUDE : ReturnCode.NEXT_COL;
  }

  /**
   * Always fails: this filter is never serialized.
   *
   * @throws UnsupportedOperationException on every call
   */
  @Override
  public void write(DataOutput dataOutput) throws IOException {
    // no implementation, server-side use only
    throw new UnsupportedOperationException(NO_SERIALIZATION);
  }

  /**
   * Always fails: this filter is never deserialized, so its user, table and
   * auth manager cannot be supplied through serialized input.
   *
   * @throws UnsupportedOperationException on every call
   */
  @Override
  public void readFields(DataInput dataInput) throws IOException {
    // no implementation, server-side use only
    throw new UnsupportedOperationException(NO_SERIALIZATION);
  }
}