diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
index 6b9a358a60c..5b05d23b321 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
@@ -323,6 +323,13 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService
 return updateZk;
 }
 
+ @Override
+ @Deprecated
+ public List getAuths(byte[] user, boolean systemCall)
+ throws IOException {
+ return getUserAuths(user, systemCall);
+ }
+
 @Override
 public List getUserAuths(byte[] user, boolean systemCall)
 throws IOException {
@@ -535,6 +542,20 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService
 return havingSystemAuth(user);
 }
 
+ @Override
+ @Deprecated
+ public boolean havingSystemAuth(byte[] user) throws IOException {
+ // Implementation for backward compatibility
+ if (this.superUsers.contains(Bytes.toString(user))) {
+ return true;
+ }
+ List auths = this.getUserAuths(user, true);
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths);
+ }
+ return auths.contains(SYSTEM_LABEL);
+ }
+
 @Override
 public boolean havingSystemAuth(User user) throws IOException {
 // A super user has 'system' auth.
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
index 8ddd47ea0be..e01f9863cb2 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
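Review bot: The restored `havingSystemAuth(byte[] user)` in the second hunk of DefaultVisibilityLabelServiceImpl makes its own system-auth decision, a name match against `this.superUsers` followed by a `SYSTEM_LABEL` lookup, instead of sharing whatever check `havingSystemAuth(User)` performs, so the two overloads can disagree about who bypasses label filtering. The same body is repeated in ExpAsStringVisibilityLabelServiceImpl, where the `User` overload visibly goes through `isSystemOrSuperUser(user)`; the body of the `User` overload in this class lies outside the hunk. If superuser status can come from anything other than the plain user name (group membership, for instance, which is not visible here), the deprecated path would answer differently. I would state the limitation above the method, e.g. `// Name-only check kept for old callers; group-based superusers are not recognised here. Prefer havingSystemAuth(User).`, and ideally route both overloads through one private helper so the decision lives in a single place.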
@@ -73,6 +73,18 @@ public interface VisibilityLabelService extends Configurable {
 */
 OperationStatus[] clearAuths(byte[] user, List authLabels) throws IOException;
 
+ /**
+ * Retrieve the visibility labels for the user.
+ * @param user
+ * Name of the user whose authorization to be retrieved
+ * @param systemCall
+ * Whether a system or user originated call.
+ * @return Visibility labels authorized for the given user.
+ * @deprecated Use {@link#getUserAuths(byte[], boolean)}
+ */
+ @Deprecated
+ List getAuths(byte[] user, boolean systemCall) throws IOException;
+
 /**
 * Retrieve the visibility labels for the user.
 * @param user
@@ -128,6 +140,18 @@ public interface VisibilityLabelService extends Configurable {
 VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
 throws IOException;
 
+ /**
+ * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
+ * operation is allowed only for users having system auth. Also during read, if the requesting
+ * user has system auth, he can view all the data irrespective of its labels.
+ * @param user
+ * User for whom system auth check to be done.
+ * @return true if the given user is having system/super auth
+ * @deprecated Use {@link#havingSystemAuth(User)}
+ */
+ @Deprecated
+ boolean havingSystemAuth(byte[] user) throws IOException;
+
 /**
 * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
 * operation is allowed only for users having system auth. Also during read, if the requesting
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
index e8ba08b7f78..be5588dbabc 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
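Review bot: The `@deprecated` tag in the first VisibilityLabelService hunk is written `{@link#getUserAuths(byte[], boolean)}` with no space after `link`, at least as shown here, so Javadoc will not resolve it as a link tag; it should read `{@link #getUserAuths(byte[], boolean)}`. The second hunk in this file has the same slip in `{@link#havingSystemAuth(User)}`, which should be `{@link #havingSystemAuth(User)}`. Because these tags are the only pointer from the deprecated methods to their replacements, a broken link leaves old callers without the migration hint.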
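Review bot: The Javadoc added for `havingSystemAuth(byte[] user)` in the second hunk does not say where the `user` bytes must come from, although the same comment states that a user with system auth can view all data irrespective of its labels. This overload takes a bare name rather than a `User`, so the contract should spell out that the name has to be the authenticated caller's and must never be taken from request payload. I would extend the parameter text to something like `* @param user Name of the authenticated caller for whom the system auth check is done; must not come from client-supplied data.` so implementers and remaining callers of the deprecated method see the constraint.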
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
@@ -148,6 +148,12 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer
 return finalOpStatus;
 }
 
+ @Override
+ @Deprecated
+ public List getAuths(byte[] user, boolean systemCall) throws IOException {
+ return getUserAuths(user, systemCall);
+ }
+
 @Override
 public List getUserAuths(byte[] user, boolean systemCall) throws IOException {
 assert (labelsRegion != null || systemCall);
@@ -430,6 +436,20 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer
 return false;
 }
 
+ @Override
+ @Deprecated
+ public boolean havingSystemAuth(byte[] user) throws IOException {
+ // Implementation for backward compatibility
+ if (this.superUsers.contains(Bytes.toString(user))) {
+ return true;
+ }
+ List auths = this.getUserAuths(user, true);
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths);
+ }
+ return auths.contains(SYSTEM_LABEL);
+ }
+
 @Override
 public boolean havingSystemAuth(User user) throws IOException {
 if (isSystemOrSuperUser(user)) {