HBASE-12745 Visibility Labels: support visibility labels for user groups. (Addendum for BC between 0.98 and branch-1)

2015-01-25 18:11:06 -08:00 · 2015-01-25 18:11:06 -08:00 · 0a50a7a472
parent bfae8d541c
commit 0a50a7a472
3 changed files with 65 additions and 0 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
@ -323,6 +323,13 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService
    return updateZk;
  }

+  @Override
+  @Deprecated
+  public List<String> getAuths(byte[] user, boolean systemCall)
+      throws IOException {
+    return getUserAuths(user, systemCall);
+  }
+
  @Override
  public List<String> getUserAuths(byte[] user, boolean systemCall)
      throws IOException {
@ -535,6 +542,20 @@ public class DefaultVisibilityLabelServiceImpl implements VisibilityLabelService
    return havingSystemAuth(user);
  }

+  @Override
+  @Deprecated
+  public boolean havingSystemAuth(byte[] user) throws IOException {
+    // Implementation for backward compatibility
+    if (this.superUsers.contains(Bytes.toString(user))) {
+      return true;
+    }
+    List<String> auths = this.getUserAuths(user, true);
+    if (LOG.isTraceEnabled()) {
+      LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths);
+    }
+    return auths.contains(SYSTEM_LABEL);
+  }
+
  @Override
  public boolean havingSystemAuth(User user) throws IOException {
    // A super user has 'system' auth.
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java
@ -73,6 +73,18 @@ public interface VisibilityLabelService extends Configurable {
   */
  OperationStatus[] clearAuths(byte[] user, List<byte[]> authLabels) throws IOException;

+  /**
+   * Retrieve the visibility labels for the user.
+   * @param user
+   *          Name of the user whose authorization to be retrieved
+   * @param systemCall
+   *          Whether a system or user originated call.
+   * @return Visibility labels authorized for the given user.
+   * @deprecated Use {@link#getUserAuths(byte[], boolean)}
+   */
+  @Deprecated
+  List<String> getAuths(byte[] user, boolean systemCall) throws IOException;
+
  /**
   * Retrieve the visibility labels for the user.
   * @param user
@ -128,6 +140,18 @@ public interface VisibilityLabelService extends Configurable {
  VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations)
      throws IOException;

+  /**
+   * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
+   * operation is allowed only for users having system auth. Also during read, if the requesting
+   * user has system auth, he can view all the data irrespective of its labels.
+   * @param user
+   *          User for whom system auth check to be done.
+   * @return true if the given user is having system/super auth
+   * @deprecated Use {@link#havingSystemAuth(User)}
+   */
+  @Deprecated
+  boolean havingSystemAuth(byte[] user) throws IOException;
+
  /**
   * System checks for user auth during admin operations. (ie. Label add, set/clear auth). The
   * operation is allowed only for users having system auth. Also during read, if the requesting
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java
@ -148,6 +148,12 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer
    return finalOpStatus;
  }

+  @Override
+  @Deprecated
+  public List<String> getAuths(byte[] user, boolean systemCall) throws IOException {
+    return getUserAuths(user, systemCall);
+  }
+
  @Override
  public List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException {
    assert (labelsRegion != null || systemCall);
@ -430,6 +436,20 @@ public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelSer
    return false;
  }

+  @Override
+  @Deprecated
+  public boolean havingSystemAuth(byte[] user) throws IOException {
+    // Implementation for backward compatibility
+    if (this.superUsers.contains(Bytes.toString(user))) {
+      return true;
+    }
+    List<String> auths = this.getUserAuths(user, true);
+    if (LOG.isTraceEnabled()) {
+      LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths);
+    }
+    return auths.contains(SYSTEM_LABEL);
+  }
+
  @Override
  public boolean havingSystemAuth(User user) throws IOException {
    if (isSystemOrSuperUser(user)) {