1 /**
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 */
18 package org.apache.hadoop.hbase.security.visibility;
19
20 import java.io.IOException;
21 import java.util.List;
22
23 import org.apache.hadoop.conf.Configurable;
24 import org.apache.hadoop.hbase.Tag;
25 import org.apache.hadoop.hbase.TagType;
26 import org.apache.hadoop.hbase.classification.InterfaceAudience;
27 import org.apache.hadoop.hbase.classification.InterfaceStability;
28 import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
29 import org.apache.hadoop.hbase.regionserver.OperationStatus;
30 import org.apache.hadoop.hbase.security.User;
31
32 /**
33 * The interface which deals with visibility labels and user auths admin service as well as the cell
34 * visibility expression storage part and read time evaluation.
35 */
36 @InterfaceAudience.Public
37 @InterfaceStability.Evolving
38 public interface VisibilityLabelService extends Configurable {
39
40 /**
41 * System calls this after opening of regions. Gives a chance for the VisibilityLabelService to so
42 * any initialization logic.
43 * @param e
44 * the region coprocessor env
45 */
46 void init(RegionCoprocessorEnvironment e) throws IOException;
47
48 /**
49 * Adds the set of labels into the system.
50 * @param labels
51 * Labels to add to the system.
52 * @return OperationStatus for each of the label addition
53 */
54 OperationStatus[] addLabels(List<byte[]> labels) throws IOException;
55
56 /**
57 * Sets given labels globally authorized for the user.
58 * @param user
59 * The authorizing user
60 * @param authLabels
61 * Labels which are getting authorized for the user
62 * @return OperationStatus for each of the label auth addition
63 */
64 OperationStatus[] setAuths(byte[] user, List<byte[]> authLabels) throws IOException;
65
66 /**
67 * Removes given labels from user's globally authorized list of labels.
68 * @param user
69 * The user whose authorization to be removed
70 * @param authLabels
71 * Labels which are getting removed from authorization set
72 * @return OperationStatus for each of the label auth removal
73 */
74 OperationStatus[] clearAuths(byte[] user, List<byte[]> authLabels) throws IOException;
75
76 /**
77 * Retrieve the visibility labels for the user.
78 * @param user
79 * Name of the user whose authorization to be retrieved
80 * @param systemCall
81 * Whether a system or user originated call.
82 * @return Visibility labels authorized for the given user.
83 * @deprecated Use {@link #getUserAuths(byte[], boolean)}
84 */
85 @Deprecated
86 List<String> getAuths(byte[] user, boolean systemCall) throws IOException;
87
88 /**
89 * Retrieve the visibility labels for the user.
90 * @param user
91 * Name of the user whose authorization to be retrieved
92 * @param systemCall
93 * Whether a system or user originated call.
94 * @return Visibility labels authorized for the given user.
95 */
96 List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException;
97
98 /**
99 * Retrieve the visibility labels for the groups.
100 * @param groups
101 * Name of the groups whose authorization to be retrieved
102 * @param systemCall
103 * Whether a system or user originated call.
104 * @return Visibility labels authorized for the given group.
105 */
106 List<String> getGroupAuths(String[] groups, boolean systemCall) throws IOException;
107
108 /**
109 * Retrieve the list of visibility labels defined in the system.
110 * @param regex The regular expression to filter which labels are returned.
111 * @return List of visibility labels
112 */
113 List<String> listLabels(String regex) throws IOException;
114
115 /**
116 * Creates tags corresponding to given visibility expression.
117 * <br>
118 * Note: This will be concurrently called from multiple threads and implementation should
119 * take care of thread safety.
120 * @param visExpression The Expression for which corresponding Tags to be created.
121 * @param withSerializationFormat specifies whether a tag, denoting the serialization version
122 * of the tags, to be added in the list. When this is true make sure to add the
123 * serialization format Tag also. The format tag value should be byte type.
124 * @param checkAuths denotes whether to check individual labels in visExpression against user's
125 * global auth label.
126 * @return The list of tags corresponds to the visibility expression. These tags will be stored
127 * along with the Cells.
128 */
129 List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat,
130 boolean checkAuths) throws IOException;
131
132 /**
133 * Creates VisibilityExpEvaluator corresponding to given Authorizations. <br>
134 * Note: This will be concurrently called from multiple threads and implementation should take
135 * care of thread safety.
136 * @param authorizations
137 * Authorizations for the read request
138 * @return The VisibilityExpEvaluator corresponding to the given set of authorization labels.
139 */
140 VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
141 throws IOException;
142
143 /**
144 * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
145 * operation is allowed only for users having system auth. Also during read, if the requesting
146 * user has system auth, he can view all the data irrespective of its labels.
147 * @param user
148 * User for whom system auth check to be done.
149 * @return true if the given user is having system/super auth
150 * @deprecated Use {@link #havingSystemAuth(User)}
151 */
152 @Deprecated
153 boolean havingSystemAuth(byte[] user) throws IOException;
154
155 /**
156 * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
157 * operation is allowed only for users having system auth. Also during read, if the requesting
158 * user has system auth, he can view all the data irrespective of its labels.
159 * @param user
160 * User for whom system auth check to be done.
161 * @return true if the given user is having system/super auth
162 */
163 boolean havingSystemAuth(User user) throws IOException;
164
165 /**
166 * System uses this for deciding whether a Cell can be deleted by matching visibility expression
167 * in Delete mutation and the cell in consideration. Also system passes the serialization format
168 * of visibility tags in Put and Delete.<br>
169 * Note: This will be concurrently called from multiple threads and implementation should take
170 * care of thread safety.
171 * @param putVisTags
172 * The visibility tags present in the Put mutation
173 * @param putVisTagFormat
174 * The serialization format for the Put visibility tags. A <code>null</code> value for
175 * this format means the tags are written with unsorted label ordinals
176 * @param deleteVisTags
177 * - The visibility tags in the delete mutation (the specified Cell Visibility)
178 * @param deleteVisTagFormat
179 * The serialization format for the Delete visibility tags. A <code>null</code> value for
180 * this format means the tags are written with unsorted label ordinals
181 * @return true if matching tags are found
182 * @see VisibilityConstants#SORTED_ORDINAL_SERIALIZATION_FORMAT
183 */
184 boolean matchVisibility(List<Tag> putVisTags, Byte putVisTagFormat, List<Tag> deleteVisTags,
185 Byte deleteVisTagFormat) throws IOException;
186
187 /**
188 * Provides a way to modify the visibility tags of type {@link TagType}
189 * .VISIBILITY_TAG_TYPE, that are part of the cell created from the WALEdits
190 * that are prepared for replication while calling
191 * {@link org.apache.hadoop.hbase.replication.ReplicationEndpoint}
192 * .replicate().
193 * {@link org.apache.hadoop.hbase.security.visibility.VisibilityReplicationEndpoint}
194 * calls this API to provide an opportunity to modify the visibility tags
195 * before replicating.
196 *
197 * @param visTags
198 * the visibility tags associated with the cell
199 * @param serializationFormat
200 * the serialization format associated with the tag
201 * @return the modified visibility expression in the form of byte[]
202 * @throws IOException
203 */
204 byte[] encodeVisibilityForReplication(final List<Tag> visTags,
205 final Byte serializationFormat) throws IOException;
206
207 }