1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 */
18
19 package org.apache.hadoop.hbase.security.access;
20
21 import org.apache.hadoop.hbase.TableName;
22 import org.apache.hadoop.hbase.exceptions.DeserializationException;
23 import org.apache.hadoop.hbase.KeyValue;
24 import org.apache.hadoop.hbase.filter.FilterBase;
25 import org.apache.hadoop.hbase.security.User;
26
27 /**
28 * <strong>NOTE: for internal use only by AccessController implementation</strong>
29 *
30 * <p>
31 * TODO: There is room for further performance optimization here.
32 * Calling TableAuthManager.authorize() per KeyValue imposes a fair amount of
33 * overhead. A more optimized solution might look at the qualifiers where
34 * permissions are actually granted and explicitly limit the scan to those.
35 * </p>
36 * <p>
37 * We should aim to use this _only_ when access to the requested column families
38 * is not granted at the column family levels. If table or column family
39 * access succeeds, then there is no need to impose the overhead of this filter.
40 * </p>
41 */
42 class AccessControlFilter extends FilterBase {
43
44 private TableAuthManager authManager;
45 private TableName table;
46 private User user;
47
48 /**
49 * For Writable
50 */
51 AccessControlFilter() {
52 }
53
54 AccessControlFilter(TableAuthManager mgr, User ugi,
55 TableName tableName) {
56 authManager = mgr;
57 table = tableName;
58 user = ugi;
59 }
60
61 @Override
62 public ReturnCode filterKeyValue(KeyValue kv) {
63 if (authManager.authorize(user, table, kv, TablePermission.Action.READ)) {
64 return ReturnCode.INCLUDE;
65 }
66 return ReturnCode.NEXT_COL;
67 }
68
69 /**
70 * @return The filter serialized using pb
71 */
72 public byte [] toByteArray() {
73 // no implementation, server-side use only
74 throw new UnsupportedOperationException(
75 "Serialization not supported. Intended for server-side use only.");
76 }
77
78 /**
79 * @param pbBytes A pb serialized {@link AccessControlFilter} instance
80 * @return An instance of {@link AccessControlFilter} made from <code>bytes</code>
81 * @throws org.apache.hadoop.hbase.exceptions.DeserializationException
82 * @see {@link #toByteArray()}
83 */
84 public static AccessControlFilter parseFrom(final byte [] pbBytes)
85 throws DeserializationException {
86 // no implementation, server-side use only
87 throw new UnsupportedOperationException(
88 "Serialization not supported. Intended for server-side use only.");
89 }
90 }