Repository: hbase Updated Branches: refs/heads/branch-1 bfae8d541 -> 0a50a7a47
HBASE-12745 Visibility Labels: support visibility labels for user groups. (Addendum for BC between 0.98 and branch-1) Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/0a50a7a4 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/0a50a7a4 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/0a50a7a4 Branch: refs/heads/branch-1 Commit: 0a50a7a472f4b7c8c0609f2da875c047ea2c0bf7 Parents: bfae8d5 Author: Enis Soztutar <e...@apache.org> Authored: Sun Jan 25 18:11:06 2015 -0800 Committer: Enis Soztutar <e...@apache.org> Committed: Sun Jan 25 18:11:40 2015 -0800
----------------------------------------------------------------------
 .../DefaultVisibilityLabelServiceImpl.java | 21 +++++++++++++++++ .../visibility/VisibilityLabelService.java | 24 ++++++++++++++++++++ .../ExpAsStringVisibilityLabelServiceImpl.java | 20 ++++++++++++++++ 3 files changed, 65 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/0a50a7a4/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
index 6b9a358..5b05d23 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
@@ -324,6 +324,13 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService
 }

 @Override
+ @Deprecated
+ public List<String> getAuths(byte[] user, boolean systemCall)
+ throws IOException {
+ return getUserAuths(user, systemCall);
+ }
+
+ @Override
 public List<String> getUserAuths(byte[] user, boolean systemCall)
 throws IOException {
 assert (labelsRegion != null || systemCall);
@@ -536,6 +543,20 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService
 }

 @Override
+ @Deprecated
+ public boolean havingSystemAuth(byte[] user) throws IOException {
+ // Implementation for backward compatibility
+ if (this.superUsers.contains(Bytes.toString(user))) {
+ return true;
+ }
+ List<String> auths = this.getUserAuths(user, true);
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths);
+ }
+ return auths.contains(SYSTEM_LABEL);
+ }
+
+ @Override
 public boolean havingSystemAuth(User user) throws IOException {
 // A super user has 'system' auth.
 if (isSystemOrSuperUser(user)) {
http://git-wip-us.apache.org/repos/asf/hbase/blob/0a50a7a4/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
index 8ddd47e..e01f986 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
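Review bot: The deprecated byte[] overloads restored in DefaultVisibilityLabelServiceImpl answer from the user name alone, and neither the code nor a comment says so. `getAuths` in the first hunk delegates to `getUserAuths`, and `havingSystemAuth(byte[])` in the second hunk consults only `superUsers` and `getUserAuths(user, true)`; if labels or system auth can also be granted through a group, as the commit title suggests, a caller still on the old API may get a narrower answer than `havingSystemAuth(User)` gives. The difference errs toward denying access, but it deserves a comment on both methods such as `// Compatibility only: consults auths granted directly to this user name; group-granted auths are not considered.` The copies in ExpAsStringVisibilityLabelServiceImpl have the same gap, and `havingSystemAuth(User)` itself continues outside the hunk, so its group handling is not visible here.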
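Review bot: In `havingSystemAuth(byte[])` the name is decoded twice with `Bytes.toString(user)`, once for the `superUsers` lookup and again inside the trace message. Decoding it once, `final String userName = Bytes.toString(user);`, and reusing it in `this.superUsers.contains(userName)` and in the log line keeps the compared value and the logged value the same. The trace line also writes the caller-supplied name and the user's full label list to the log, so it is worth confirming that trace output for this class is handled as sensitive.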
@@ -80,6 +80,18 @@ public interface VisibilityLabelService extends Configurable {
 * @param systemCall
 * Whether a system or user originated call.
 * @return Visibility labels authorized for the given user.
+ * @deprecated Use {@link#getUserAuths(byte[], boolean)}
+ */
+ @Deprecated
+ List<String> getAuths(byte[] user, boolean systemCall) throws IOException;
+
+ /**
+ * Retrieve the visibility labels for the user.
+ * @param user
+ * Name of the user whose authorization to be retrieved
+ * @param systemCall
+ * Whether a system or user originated call.
+ * @return Visibility labels authorized for the given user.
 */
 List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException;

@@ -135,6 +147,18 @@ public interface VisibilityLabelService extends Configurable {
 * @param user
 * User for whom system auth check to be done.
 * @return true if the given user is having system/super auth
+ * @deprecated Use {@link#havingSystemAuth(User)}
+ */
+ @Deprecated
+ boolean havingSystemAuth(byte[] user) throws IOException;
+
+ /**
+ * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
+ * operation is allowed only for users having system auth. Also during read, if the requesting
+ * user has system auth, he can view all the data irrespective of its labels.
+ * @param user
+ * User for whom system auth check to be done.
+ * @return true if the given user is having system/super auth
 */
 boolean havingSystemAuth(User user) throws IOException;

http://git-wip-us.apache.org/repos/asf/hbase/blob/0a50a7a4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
----------------------------------------------------------------------
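Review bot: Both new `@deprecated` tags are written `{@link#...}` with no space after `@link`, which is not a well-formed inline tag and is likely to be reported as unknown or rendered as literal text, so the pointer to the replacement method is lost. They should read `@deprecated Use {@link #getUserAuths(byte[], boolean)}` in the first hunk and `@deprecated Use {@link #havingSystemAuth(User)}` in the second. The deprecated `havingSystemAuth(byte[] user)` also keeps the `@param user` text "User for whom system auth check to be done" although it takes a user name as bytes; wording it as `@param user Name of the user for whom the system auth check is done` would keep the two overloads from being confused.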
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
index e8ba08b..be5588d 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
@@ -149,6 +149,12 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer
 }

 @Override
+ @Deprecated
+ public List<String> getAuths(byte[] user, boolean systemCall) throws IOException {
+ return getUserAuths(user, systemCall);
+ }
+
+ @Override
 public List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException {
 assert (labelsRegion != null || systemCall);
 List<String> auths = new ArrayList<String>();
@@ -431,6 +437,20 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer
 }

 @Override
+ @Deprecated
+ public boolean havingSystemAuth(byte[] user) throws IOException {
+ // Implementation for backward compatibility
+ if (this.superUsers.contains(Bytes.toString(user))) {
+ return true;
+ }
+ List<String> auths = this.getUserAuths(user, true);
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths);
+ }
+ return auths.contains(SYSTEM_LABEL);
+ }
+
+ @Override
 public boolean havingSystemAuth(User user) throws IOException {
 if (isSystemOrSuperUser(user)) {
 return true;