From: Andrew Purtell Subject: [PATCH] HBASE-10918 [VisibilityController] System table backed ScanLabelGenerator --- .../hbase/security/visibility/Authorizations.java | 10 +++- .../visibility/DefaultScanLabelGenerator.java | 12 +++- .../visibility/EnforcingScanLabelGenerator.java | 65 ++++++++++++++++++++++ 3 files changed, 83 insertions(+), 4 deletions(-) create mode 100644 hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/EnforcingScanLabelGenerator.java diff --git hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/Authorizations.java hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/Authorizations.java index beef1e7..006bd6d 100644 --- hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/Authorizations.java +++ hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/Authorizations.java @@ -61,6 +61,14 @@ public class Authorizations { @Override public String toString() { - return this.labels.toString(); + StringBuilder sb = new StringBuilder(); + sb.append("[ "); + for (String label: labels) { + sb.append(label); + sb.append(' '); + } + sb.append(']'); + return sb.toString(); } + } \ No newline at end of file diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java index 00ef27e..5e2368b 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java @@ -77,10 +77,16 @@ public class DefaultScanLabelGenerator implements ScanLabelGenerator { } } if (!droppedLabels.isEmpty()) { - if (LOG.isDebugEnabled()) { - LOG.debug("Labels " + droppedLabels + " in Scan/Get visibility attributes dropped as user " - + userName + " having no auth set for those."); + StringBuilder sb = new StringBuilder(); + sb.append("Dropping invalid authorizations requested by user "); + sb.append(userName); + sb.append(": [ "); + for (String label: droppedLabels) { + sb.append(label); + sb.append(' '); } + sb.append(']'); + LOG.warn(sb.toString()); } return passedLabels; } diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/EnforcingScanLabelGenerator.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/EnforcingScanLabelGenerator.java new file mode 100644 index 0000000..7d0320a --- /dev/null +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/EnforcingScanLabelGenerator.java @@ -0,0 +1,65 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hbase.security.visibility; + +import java.util.List; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.classification.InterfaceAudience; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.security.User; + +/** + * This ScanLabelGenerator enforces a set of predefined authorizations for a + * given user, the set defined by the admin using the VisibilityClient admin + * interface or the set_auths shell command. Any authorizations requested with + * Scan#authorizations will be ignored. + */ +@InterfaceAudience.Private +public class EnforcingScanLabelGenerator implements ScanLabelGenerator { + + private static final Log LOG = LogFactory.getLog(EnforcingScanLabelGenerator.class); + + private Configuration conf; + private VisibilityLabelsManager labelsManager; + + public EnforcingScanLabelGenerator() { + this.labelsManager = VisibilityLabelsManager.get(); + } + + @Override + public void setConf(Configuration conf) { + this.conf = conf; + } + + @Override + public Configuration getConf() { + return this.conf; + } + + @Override + public List getLabels(User user, Authorizations authorizations) { + String userName = user.getShortName(); + if (authorizations != null) { + LOG.warn("Dropping authorizations requested by user " + userName + ": " + authorizations); + } + return this.labelsManager.getAuths(userName); + } + +} -- 1.8.3.2