
org.apache.hadoop.hbase.security.visibility.VisibilityLabelService Maven / Gradle / Ivy

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security.visibility;

import java.io.IOException;
import java.util.List;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.TagType;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.regionserver.OperationStatus;
import org.apache.hadoop.hbase.security.User;
import org.apache.yetus.audience.InterfaceAudience;

/**
 * The interface which deals with visibility labels and user auths admin service as well as the cell
 * visibility expression storage part and read time evaluation.
 */
@InterfaceAudience.Public
public interface VisibilityLabelService extends Configurable {

  // NOTE(review): every List in this listing is a raw type. The element types look like they were
  // lost when the page was extracted (Tag is imported by this file but never named in a signature
  // below). Confirm the generic signatures against the upstream file before implementing.

  /**
   * System calls this after opening of regions. Gives a chance for the VisibilityLabelService to
   * do any initialization logic.
   * @param e the region coprocessor env
   */
  void init(RegionCoprocessorEnvironment e) throws IOException;

  /**
   * Adds the set of labels into the system.
   * @param labels Labels to add to the system.
   * @return OperationStatus for each of the label addition
   */
  OperationStatus[] addLabels(List labels) throws IOException;

  /**
   * Sets given labels globally authorized for the user.
   * @param user       The authorizing user
   * @param authLabels Labels which are getting authorized for the user
   * @return OperationStatus for each of the label auth addition
   */
  OperationStatus[] setAuths(byte[] user, List authLabels) throws IOException;

  /**
   * Removes given labels from user's globally authorized list of labels.
   * @param user       The user whose authorization is to be removed
   * @param authLabels Labels which are getting removed from the authorization set
   * @return OperationStatus for each of the label auth removal
   */
  OperationStatus[] clearAuths(byte[] user, List authLabels) throws IOException;

  /**
   * Retrieve the visibility labels for the user.
   * @param user       Name of the user whose authorization is to be retrieved
   * @param systemCall Whether a system or user originated call. NOTE(review): presumably
   *                   {@code true} means system originated; this listing does not say, so confirm
   *                   against the implementations.
   * @return Visibility labels authorized for the given user.
   */
  List getUserAuths(byte[] user, boolean systemCall) throws IOException;

  /**
   * Retrieve the visibility labels for the groups.
   * @param groups     Name of the groups whose authorization is to be retrieved
   * @param systemCall Whether a system or user originated call. NOTE(review): presumably
   *                   {@code true} means system originated; this listing does not say, so confirm
   *                   against the implementations.
   * @return Visibility labels authorized for the given group.
   */
  List getGroupAuths(String[] groups, boolean systemCall) throws IOException;

  /**
   * Retrieve the list of visibility labels defined in the system.
   * @param regex The regular expression to filter which labels are returned. NOTE(review): where
   *              this pattern originates is not visible here; if it can arrive from a client
   *              request, implementations should expect malformed or expensive patterns. Confirm
   *              against the caller.
   * @return List of visibility labels
   */
  List listLabels(String regex) throws IOException;

  /**
   * Creates tags corresponding to given visibility expression.
   * <p>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param visExpression           The Expression for which corresponding Tags to be created.
   * @param withSerializationFormat specifies whether a tag, denoting the serialization version of
   *                                the tags, to be added in the list. When this is true make sure
   *                                to add the serialization format Tag also. The format tag value
   *                                should be byte type.
   * @param checkAuths              denotes whether to check individual labels in visExpression
   *                                against user's global auth label.
   * @return The list of tags corresponds to the visibility expression. These tags will be stored
   *         along with the Cells.
   */
  List createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
    boolean checkAuths) throws IOException;

  /**
   * Creates VisibilityExpEvaluator corresponding to given Authorizations.
   * <p>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param authorizations Authorizations for the read request
   * @return The VisibilityExpEvaluator corresponding to the given set of authorization labels.
   */
  VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
    throws IOException;

  /**
   * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
   * operation is allowed only for users having system auth. Also during read, if the requesting
   * user has system auth, he can view all the data irrespective of its labels.
   * <p>
   * A {@code true} result therefore covers both cases described above: it permits label
   * administration and it lets the user read cells regardless of their labels.
   * @param user User for whom system auth check to be done.
   * @return true if the given user is having system/super auth
   */
  boolean havingSystemAuth(User user) throws IOException;

  /**
   * System uses this for deciding whether a Cell can be deleted by matching visibility expression
   * in Delete mutation and the cell in consideration. Also system passes the serialization format
   * of visibility tags in Put and Delete.
   * <p>
   * Note: This will be concurrently called from multiple threads and implementation should take
   * care of thread safety.
   * @param putVisTags         The visibility tags present in the Put mutation
   * @param putVisTagFormat    The serialization format for the Put visibility tags. A
   *                           <code>null</code> value for this format means the tags are written
   *                           with unsorted label ordinals
   * @param deleteVisTags      The visibility tags in the delete mutation (the specified Cell
   *                           Visibility)
   * @param deleteVisTagFormat The serialization format for the Delete visibility tags. A
   *                           <code>null</code> value for this format means the tags are written
   *                           with unsorted label ordinals
   * @return true if matching tags are found
   * @see VisibilityConstants#SORTED_ORDINAL_SERIALIZATION_FORMAT
   */
  boolean matchVisibility(List putVisTags, Byte putVisTagFormat, List deleteVisTags,
    Byte deleteVisTagFormat) throws IOException;

  /**
   * Provides a way to modify the visibility tags of type {@link TagType}.VISIBILITY_TAG_TYPE, that
   * are part of the cell created from the WALEdits that are prepared for replication while calling
   * {@link org.apache.hadoop.hbase.replication.ReplicationEndpoint}.replicate().
   * {@link org.apache.hadoop.hbase.security.visibility.VisibilityReplicationEndpoint} calls this
   * API to provide an opportunity to modify the visibility tags before replicating.
   * @param visTags             the visibility tags associated with the cell
   * @param serializationFormat the serialization format associated with the tag
   * @return the modified visibility expression in the form of byte[]
   */
  byte[] encodeVisibilityForReplication(final List visTags, final Byte serializationFormat)
    throws IOException;
}



