diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java index 6b9a358..5b05d23 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java @@ -324,6 +324,13 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService } @Override + @Deprecated + public List getAuths(byte[] user, boolean systemCall) + throws IOException { + return getUserAuths(user, systemCall); + } + + @Override public List getUserAuths(byte[] user, boolean systemCall) throws IOException { assert (labelsRegion != null || systemCall); @@ -536,6 +543,20 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService } @Override + @Deprecated + public boolean havingSystemAuth(byte[] user) throws IOException { + // Implementation for backward compatibility + if (this.superUsers.contains(Bytes.toString(user))) { + return true; + } + List auths = this.getUserAuths(user, true); + if (LOG.isTraceEnabled()) { + LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths); + } + return auths.contains(SYSTEM_LABEL); + } + + @Override public boolean havingSystemAuth(User user) throws IOException { // A super user has 'system' auth. if (isSystemOrSuperUser(user)) { diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java index 8ddd47e..e01f986 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java @@ -80,6 +80,18 @@ public interface VisibilityLabelService extends Configurable { * @param systemCall * Whether a system or user originated call. * @return Visibility labels authorized for the given user. + * @deprecated Use {@link#getUserAuths(byte[], boolean)} + */ + @Deprecated + List getAuths(byte[] user, boolean systemCall) throws IOException; + + /** + * Retrieve the visibility labels for the user. + * @param user + * Name of the user whose authorization to be retrieved + * @param systemCall + * Whether a system or user originated call. + * @return Visibility labels authorized for the given user. */ List getUserAuths(byte[] user, boolean systemCall) throws IOException; @@ -135,6 +147,18 @@ public interface VisibilityLabelService extends Configurable { * @param user * User for whom system auth check to be done. * @return true if the given user is having system/super auth + * @deprecated Use {@link#havingSystemAuth(User)} + */ + @Deprecated + boolean havingSystemAuth(byte[] user) throws IOException; + + /** + * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The + * operation is allowed only for users having system auth. Also during read, if the requesting + * user has system auth, he can view all the data irrespective of its labels. + * @param user + * User for whom system auth check to be done. + * @return true if the given user is having system/super auth */ boolean havingSystemAuth(User user) throws IOException; diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java index 6f46fd3..439ab62 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java @@ -151,6 +151,12 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer } @Override + @Deprecated + public List getAuths(byte[] user, boolean systemCall) throws IOException { + return getUserAuths(user, systemCall); + } + + @Override public List getUserAuths(byte[] user, boolean systemCall) throws IOException { assert (labelsRegion != null || systemCall); List auths = new ArrayList(); @@ -438,6 +444,20 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer } @Override + @Deprecated + public boolean havingSystemAuth(byte[] user) throws IOException { + // Implementation for backward compatibility + if (this.superUsers.contains(Bytes.toString(user))) { + return true; + } + List auths = this.getUserAuths(user, true); + if (LOG.isTraceEnabled()) { + LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths); + } + return auths.contains(SYSTEM_LABEL); + } + + @Override public boolean havingSystemAuth(User user) throws IOException { if (isSystemOrSuperUser(user)) { return true;