http://git-wip-us.apache.org/repos/asf/hbase/blob/ef7355e1/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html ---------------------------------------------------------------------- diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html index 24b3b3b..b62ac0c 100644 --- a/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html +++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html @@ -458,666 +458,664 @@ <span class="sourceLineNo">450</span> * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.450"></a> <span class="sourceLineNo">451</span> * tag type is reserved and should not be explicitly set by user.<a name="line.451"></a> <span class="sourceLineNo">452</span> *<a name="line.452"></a> -<span class="sourceLineNo">453</span> * @param cell<a name="line.453"></a> -<span class="sourceLineNo">454</span> * - the cell under consideration<a name="line.454"></a> -<span class="sourceLineNo">455</span> * @param pair - an optional pair of type <Boolean, Tag> which would be reused<a name="line.455"></a> -<span class="sourceLineNo">456</span> * if already set and new one will be created if null is passed<a name="line.456"></a> -<span class="sourceLineNo">457</span> * @return a pair<Boolean, Tag> - if the boolean is false then it indicates<a name="line.457"></a> -<span class="sourceLineNo">458</span> * that the cell has a RESERVERD_VIS_TAG and with boolean as true, not<a name="line.458"></a> -<span class="sourceLineNo">459</span> * null tag indicates that a string modified tag was found.<a name="line.459"></a> -<span class="sourceLineNo">460</span> */<a name="line.460"></a> -<span class="sourceLineNo">461</span> private Pair<Boolean, Tag> checkForReservedVisibilityTagPresence(Cell cell,<a name="line.461"></a> -<span class="sourceLineNo">462</span> Pair<Boolean, Tag> pair) throws IOException {<a name="line.462"></a> -<span class="sourceLineNo">463</span> if (pair == null) {<a name="line.463"></a> -<span class="sourceLineNo">464</span> pair = new Pair<Boolean, Tag>(false, null);<a name="line.464"></a> -<span class="sourceLineNo">465</span> } else {<a name="line.465"></a> -<span class="sourceLineNo">466</span> pair.setFirst(false);<a name="line.466"></a> -<span class="sourceLineNo">467</span> pair.setSecond(null);<a name="line.467"></a> -<span class="sourceLineNo">468</span> }<a name="line.468"></a> -<span class="sourceLineNo">469</span> // Bypass this check when the operation is done by a system/super user.<a name="line.469"></a> -<span class="sourceLineNo">470</span> // This is done because, while Replication, the Cells coming to the peer cluster with reserved<a name="line.470"></a> -<span class="sourceLineNo">471</span> // typed tags and this is fine and should get added to the peer cluster table<a name="line.471"></a> -<span class="sourceLineNo">472</span> if (isSystemOrSuperUser()) {<a name="line.472"></a> -<span class="sourceLineNo">473</span> // Does the cell contain special tag which indicates that the replicated<a name="line.473"></a> -<span class="sourceLineNo">474</span> // cell visiblilty tags<a name="line.474"></a> -<span class="sourceLineNo">475</span> // have been modified<a name="line.475"></a> -<span class="sourceLineNo">476</span> Tag modifiedTag = null;<a name="line.476"></a> -<span class="sourceLineNo">477</span> if (cell.getTagsLength() > 0) {<a name="line.477"></a> -<span class="sourceLineNo">478</span> Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(),<a name="line.478"></a> -<span class="sourceLineNo">479</span> cell.getTagsOffset(), cell.getTagsLength());<a name="line.479"></a> -<span class="sourceLineNo">480</span> while (tagsIterator.hasNext()) {<a name="line.480"></a> -<span class="sourceLineNo">481</span> Tag tag = tagsIterator.next();<a name="line.481"></a> -<span class="sourceLineNo">482</span> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.482"></a> -<span class="sourceLineNo">483</span> modifiedTag = tag;<a name="line.483"></a> -<span class="sourceLineNo">484</span> break;<a name="line.484"></a> -<span class="sourceLineNo">485</span> }<a name="line.485"></a> -<span class="sourceLineNo">486</span> }<a name="line.486"></a> -<span class="sourceLineNo">487</span> }<a name="line.487"></a> -<span class="sourceLineNo">488</span> pair.setFirst(true);<a name="line.488"></a> -<span class="sourceLineNo">489</span> pair.setSecond(modifiedTag);<a name="line.489"></a> -<span class="sourceLineNo">490</span> return pair;<a name="line.490"></a> -<span class="sourceLineNo">491</span> }<a name="line.491"></a> -<span class="sourceLineNo">492</span> if (cell.getTagsLength() > 0) {<a name="line.492"></a> -<span class="sourceLineNo">493</span> Iterator<Tag> tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.493"></a> -<span class="sourceLineNo">494</span> cell.getTagsLength());<a name="line.494"></a> -<span class="sourceLineNo">495</span> while (tagsItr.hasNext()) {<a name="line.495"></a> -<span class="sourceLineNo">496</span> if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.496"></a> -<span class="sourceLineNo">497</span> return pair;<a name="line.497"></a> -<span class="sourceLineNo">498</span> }<a name="line.498"></a> -<span class="sourceLineNo">499</span> }<a name="line.499"></a> -<span class="sourceLineNo">500</span> }<a name="line.500"></a> -<span class="sourceLineNo">501</span> pair.setFirst(true);<a name="line.501"></a> -<span class="sourceLineNo">502</span> return pair;<a name="line.502"></a> -<span class="sourceLineNo">503</span> }<a name="line.503"></a> -<span class="sourceLineNo">504</span><a name="line.504"></a> -<span class="sourceLineNo">505</span> /**<a name="line.505"></a> -<span class="sourceLineNo">506</span> * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.506"></a> -<span class="sourceLineNo">507</span> * tag type is reserved and should not be explicitly set by user. There are<a name="line.507"></a> -<span class="sourceLineNo">508</span> * two versions of this method one that accepts pair and other without pair.<a name="line.508"></a> -<span class="sourceLineNo">509</span> * In case of preAppend and preIncrement the additional operations are not<a name="line.509"></a> -<span class="sourceLineNo">510</span> * needed like checking for STRING_VIS_TAG_TYPE and hence the API without pair<a name="line.510"></a> -<span class="sourceLineNo">511</span> * could be used.<a name="line.511"></a> -<span class="sourceLineNo">512</span> *<a name="line.512"></a> -<span class="sourceLineNo">513</span> * @param cell<a name="line.513"></a> -<span class="sourceLineNo">514</span> * @throws IOException<a name="line.514"></a> -<span class="sourceLineNo">515</span> */<a name="line.515"></a> -<span class="sourceLineNo">516</span> private boolean checkForReservedVisibilityTagPresence(Cell cell) throws IOException {<a name="line.516"></a> -<span class="sourceLineNo">517</span> // Bypass this check when the operation is done by a system/super user.<a name="line.517"></a> -<span class="sourceLineNo">518</span> // This is done because, while Replication, the Cells coming to the peer<a name="line.518"></a> -<span class="sourceLineNo">519</span> // cluster with reserved<a name="line.519"></a> -<span class="sourceLineNo">520</span> // typed tags and this is fine and should get added to the peer cluster<a name="line.520"></a> -<span class="sourceLineNo">521</span> // table<a name="line.521"></a> -<span class="sourceLineNo">522</span> if (isSystemOrSuperUser()) {<a name="line.522"></a> -<span class="sourceLineNo">523</span> return true;<a name="line.523"></a> -<span class="sourceLineNo">524</span> }<a name="line.524"></a> -<span class="sourceLineNo">525</span> if (cell.getTagsLength() > 0) {<a name="line.525"></a> -<span class="sourceLineNo">526</span> Iterator<Tag> tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.526"></a> -<span class="sourceLineNo">527</span> cell.getTagsLength());<a name="line.527"></a> -<span class="sourceLineNo">528</span> while (tagsItr.hasNext()) {<a name="line.528"></a> -<span class="sourceLineNo">529</span> if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.529"></a> -<span class="sourceLineNo">530</span> return false;<a name="line.530"></a> -<span class="sourceLineNo">531</span> }<a name="line.531"></a> -<span class="sourceLineNo">532</span> }<a name="line.532"></a> -<span class="sourceLineNo">533</span> }<a name="line.533"></a> -<span class="sourceLineNo">534</span> return true;<a name="line.534"></a> -<span class="sourceLineNo">535</span> }<a name="line.535"></a> -<span class="sourceLineNo">536</span><a name="line.536"></a> -<span class="sourceLineNo">537</span> private void removeReplicationVisibilityTag(List<Tag> tags) throws IOException {<a name="line.537"></a> -<span class="sourceLineNo">538</span> Iterator<Tag> iterator = tags.iterator();<a name="line.538"></a> -<span class="sourceLineNo">539</span> while (iterator.hasNext()) {<a name="line.539"></a> -<span class="sourceLineNo">540</span> Tag tag = iterator.next();<a name="line.540"></a> -<span class="sourceLineNo">541</span> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.541"></a> -<span class="sourceLineNo">542</span> iterator.remove();<a name="line.542"></a> -<span class="sourceLineNo">543</span> break;<a name="line.543"></a> -<span class="sourceLineNo">544</span> }<a name="line.544"></a> -<span class="sourceLineNo">545</span> }<a name="line.545"></a> -<span class="sourceLineNo">546</span> }<a name="line.546"></a> -<span class="sourceLineNo">547</span><a name="line.547"></a> -<span class="sourceLineNo">548</span> @Override<a name="line.548"></a> -<span class="sourceLineNo">549</span> public RegionScanner preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> e, Scan scan,<a name="line.549"></a> -<span class="sourceLineNo">550</span> RegionScanner s) throws IOException {<a name="line.550"></a> -<span class="sourceLineNo">551</span> if (!initialized) {<a name="line.551"></a> -<span class="sourceLineNo">552</span> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized!");<a name="line.552"></a> -<span class="sourceLineNo">553</span> }<a name="line.553"></a> -<span class="sourceLineNo">554</span> // Nothing to do if authorization is not enabled<a name="line.554"></a> -<span class="sourceLineNo">555</span> if (!authorizationEnabled) {<a name="line.555"></a> -<span class="sourceLineNo">556</span> return s;<a name="line.556"></a> -<span class="sourceLineNo">557</span> }<a name="line.557"></a> -<span class="sourceLineNo">558</span> Region region = e.getEnvironment().getRegion();<a name="line.558"></a> -<span class="sourceLineNo">559</span> Authorizations authorizations = null;<a name="line.559"></a> -<span class="sourceLineNo">560</span> try {<a name="line.560"></a> -<span class="sourceLineNo">561</span> authorizations = scan.getAuthorizations();<a name="line.561"></a> -<span class="sourceLineNo">562</span> } catch (DeserializationException de) {<a name="line.562"></a> -<span class="sourceLineNo">563</span> throw new IOException(de);<a name="line.563"></a> -<span class="sourceLineNo">564</span> }<a name="line.564"></a> -<span class="sourceLineNo">565</span> if (authorizations == null) {<a name="line.565"></a> -<span class="sourceLineNo">566</span> // No Authorizations present for this scan/Get!<a name="line.566"></a> -<span class="sourceLineNo">567</span> // In case of system tables other than "labels" just scan with out visibility check and<a name="line.567"></a> -<span class="sourceLineNo">568</span> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.568"></a> -<span class="sourceLineNo">569</span> TableName table = region.getRegionInfo().getTable();<a name="line.569"></a> -<span class="sourceLineNo">570</span> if (table.isSystemTable() && !table.equals(LABELS_TABLE_NAME)) {<a name="line.570"></a> -<span class="sourceLineNo">571</span> return s;<a name="line.571"></a> -<span class="sourceLineNo">572</span> }<a name="line.572"></a> -<span class="sourceLineNo">573</span> }<a name="line.573"></a> -<span class="sourceLineNo">574</span><a name="line.574"></a> -<span class="sourceLineNo">575</span> Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(region,<a name="line.575"></a> -<span class="sourceLineNo">576</span> authorizations);<a name="line.576"></a> -<span class="sourceLineNo">577</span> if (visibilityLabelFilter != null) {<a name="line.577"></a> -<span class="sourceLineNo">578</span> Filter filter = scan.getFilter();<a name="line.578"></a> -<span class="sourceLineNo">579</span> if (filter != null) {<a name="line.579"></a> -<span class="sourceLineNo">580</span> scan.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.580"></a> -<span class="sourceLineNo">581</span> } else {<a name="line.581"></a> -<span class="sourceLineNo">582</span> scan.setFilter(visibilityLabelFilter);<a name="line.582"></a> -<span class="sourceLineNo">583</span> }<a name="line.583"></a> -<span class="sourceLineNo">584</span> }<a name="line.584"></a> -<span class="sourceLineNo">585</span> return s;<a name="line.585"></a> -<span class="sourceLineNo">586</span> }<a name="line.586"></a> -<span class="sourceLineNo">587</span><a name="line.587"></a> -<span class="sourceLineNo">588</span> @Override<a name="line.588"></a> -<span class="sourceLineNo">589</span> public DeleteTracker postInstantiateDeleteTracker(<a name="line.589"></a> -<span class="sourceLineNo">590</span> ObserverContext<RegionCoprocessorEnvironment> ctx, DeleteTracker delTracker)<a name="line.590"></a> -<span class="sourceLineNo">591</span> throws IOException {<a name="line.591"></a> -<span class="sourceLineNo">592</span> // Nothing to do if we are not filtering by visibility<a name="line.592"></a> -<span class="sourceLineNo">593</span> if (!authorizationEnabled) {<a name="line.593"></a> -<span class="sourceLineNo">594</span> return delTracker;<a name="line.594"></a> -<span class="sourceLineNo">595</span> }<a name="line.595"></a> -<span class="sourceLineNo">596</span> Region region = ctx.getEnvironment().getRegion();<a name="line.596"></a> -<span class="sourceLineNo">597</span> TableName table = region.getRegionInfo().getTable();<a name="line.597"></a> -<span class="sourceLineNo">598</span> if (table.isSystemTable()) {<a name="line.598"></a> -<span class="sourceLineNo">599</span> return delTracker;<a name="line.599"></a> -<span class="sourceLineNo">600</span> }<a name="line.600"></a> -<span class="sourceLineNo">601</span> // We are creating a new type of delete tracker here which is able to track<a name="line.601"></a> -<span class="sourceLineNo">602</span> // the timestamps and also the<a name="line.602"></a> -<span class="sourceLineNo">603</span> // visibility tags per cell. The covering cells are determined not only<a name="line.603"></a> -<span class="sourceLineNo">604</span> // based on the delete type and ts<a name="line.604"></a> -<span class="sourceLineNo">605</span> // but also on the visibility expression matching.<a name="line.605"></a> -<span class="sourceLineNo">606</span> return new VisibilityScanDeleteTracker();<a name="line.606"></a> -<span class="sourceLineNo">607</span> }<a name="line.607"></a> -<span class="sourceLineNo">608</span><a name="line.608"></a> -<span class="sourceLineNo">609</span> @Override<a name="line.609"></a> -<span class="sourceLineNo">610</span> public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.610"></a> -<span class="sourceLineNo">611</span> final Scan scan, final RegionScanner s) throws IOException {<a name="line.611"></a> -<span class="sourceLineNo">612</span> User user = VisibilityUtils.getActiveUser();<a name="line.612"></a> -<span class="sourceLineNo">613</span> if (user != null && user.getShortName() != null) {<a name="line.613"></a> -<span class="sourceLineNo">614</span> scannerOwners.put(s, user.getShortName());<a name="line.614"></a> -<span class="sourceLineNo">615</span> }<a name="line.615"></a> -<span class="sourceLineNo">616</span> return s;<a name="line.616"></a> -<span class="sourceLineNo">617</span> }<a name="line.617"></a> -<span class="sourceLineNo">618</span><a name="line.618"></a> -<span class="sourceLineNo">619</span> @Override<a name="line.619"></a> -<span class="sourceLineNo">620</span> public boolean preScannerNext(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.620"></a> -<span class="sourceLineNo">621</span> final InternalScanner s, final List<Result> result, final int limit, final boolean hasNext)<a name="line.621"></a> -<span class="sourceLineNo">622</span> throws IOException {<a name="line.622"></a> -<span class="sourceLineNo">623</span> requireScannerOwner(s);<a name="line.623"></a> -<span class="sourceLineNo">624</span> return hasNext;<a name="line.624"></a> -<span class="sourceLineNo">625</span> }<a name="line.625"></a> -<span class="sourceLineNo">626</span><a name="line.626"></a> -<span class="sourceLineNo">627</span> @Override<a name="line.627"></a> -<span class="sourceLineNo">628</span> public void preScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.628"></a> -<span class="sourceLineNo">629</span> final InternalScanner s) throws IOException {<a name="line.629"></a> -<span class="sourceLineNo">630</span> requireScannerOwner(s);<a name="line.630"></a> -<span class="sourceLineNo">631</span> }<a name="line.631"></a> -<span class="sourceLineNo">632</span><a name="line.632"></a> -<span class="sourceLineNo">633</span> @Override<a name="line.633"></a> -<span class="sourceLineNo">634</span> public void postScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.634"></a> -<span class="sourceLineNo">635</span> final InternalScanner s) throws IOException {<a name="line.635"></a> -<span class="sourceLineNo">636</span> // clean up any associated owner mapping<a name="line.636"></a> -<span class="sourceLineNo">637</span> scannerOwners.remove(s);<a name="line.637"></a> -<span class="sourceLineNo">638</span> }<a name="line.638"></a> -<span class="sourceLineNo">639</span><a name="line.639"></a> -<span class="sourceLineNo">640</span> /**<a name="line.640"></a> -<span class="sourceLineNo">641</span> * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that<a name="line.641"></a> -<span class="sourceLineNo">642</span> * access control is correctly enforced based on the checks performed in preScannerOpen()<a name="line.642"></a> -<span class="sourceLineNo">643</span> */<a name="line.643"></a> -<span class="sourceLineNo">644</span> private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {<a name="line.644"></a> -<span class="sourceLineNo">645</span> if (!RpcServer.isInRpcCallContext())<a name="line.645"></a> -<span class="sourceLineNo">646</span> return;<a name="line.646"></a> -<span class="sourceLineNo">647</span> String requestUName = RpcServer.getRequestUserName();<a name="line.647"></a> -<span class="sourceLineNo">648</span> String owner = scannerOwners.get(s);<a name="line.648"></a> -<span class="sourceLineNo">649</span> if (authorizationEnabled && owner != null && !owner.equals(requestUName)) {<a name="line.649"></a> -<span class="sourceLineNo">650</span> throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");<a name="line.650"></a> -<span class="sourceLineNo">651</span> }<a name="line.651"></a> -<span class="sourceLineNo">652</span> }<a name="line.652"></a> -<span class="sourceLineNo">653</span><a name="line.653"></a> -<span class="sourceLineNo">654</span> @Override<a name="line.654"></a> -<span class="sourceLineNo">655</span> public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> e, Get get,<a name="line.655"></a> -<span class="sourceLineNo">656</span> List<Cell> results) throws IOException {<a name="line.656"></a> -<span class="sourceLineNo">657</span> if (!initialized) {<a name="line.657"></a> -<span class="sourceLineNo">658</span> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized");<a name="line.658"></a> -<span class="sourceLineNo">659</span> }<a name="line.659"></a> -<span class="sourceLineNo">660</span> // Nothing useful to do if authorization is not enabled<a name="line.660"></a> -<span class="sourceLineNo">661</span> if (!authorizationEnabled) {<a name="line.661"></a> -<span class="sourceLineNo">662</span> return;<a name="line.662"></a> -<span class="sourceLineNo">663</span> }<a name="line.663"></a> -<span class="sourceLineNo">664</span> Region region = e.getEnvironment().getRegion();<a name="line.664"></a> -<span class="sourceLineNo">665</span> Authorizations authorizations = null;<a name="line.665"></a> -<span class="sourceLineNo">666</span> try {<a name="line.666"></a> -<span class="sourceLineNo">667</span> authorizations = get.getAuthorizations();<a name="line.667"></a> -<span class="sourceLineNo">668</span> } catch (DeserializationException de) {<a name="line.668"></a> -<span class="sourceLineNo">669</span> throw new IOException(de);<a name="line.669"></a> -<span class="sourceLineNo">670</span> }<a name="line.670"></a> -<span class="sourceLineNo">671</span> if (authorizations == null) {<a name="line.671"></a> -<span class="sourceLineNo">672</span> // No Authorizations present for this scan/Get!<a name="line.672"></a> -<span class="sourceLineNo">673</span> // In case of system tables other than "labels" just scan with out visibility check and<a name="line.673"></a> -<span class="sourceLineNo">674</span> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.674"></a> -<span class="sourceLineNo">675</span> TableName table = region.getRegionInfo().getTable();<a name="line.675"></a> -<span class="sourceLineNo">676</span> if (table.isSystemTable() && !table.equals(LABELS_TABLE_NAME)) {<a name="line.676"></a> -<span class="sourceLineNo">677</span> return;<a name="line.677"></a> -<span class="sourceLineNo">678</span> }<a name="line.678"></a> -<span class="sourceLineNo">679</span> }<a name="line.679"></a> -<span class="sourceLineNo">680</span> Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(e.getEnvironment()<a name="line.680"></a> -<span class="sourceLineNo">681</span> .getRegion(), authorizations);<a name="line.681"></a> -<span class="sourceLineNo">682</span> if (visibilityLabelFilter != null) {<a name="line.682"></a> -<span class="sourceLineNo">683</span> Filter filter = get.getFilter();<a name="line.683"></a> -<span class="sourceLineNo">684</span> if (filter != null) {<a name="line.684"></a> -<span class="sourceLineNo">685</span> get.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.685"></a> -<span class="sourceLineNo">686</span> } else {<a name="line.686"></a> -<span class="sourceLineNo">687</span> get.setFilter(visibilityLabelFilter);<a name="line.687"></a> -<span class="sourceLineNo">688</span> }<a name="line.688"></a> -<span class="sourceLineNo">689</span> }<a name="line.689"></a> -<span class="sourceLineNo">690</span> }<a name="line.690"></a> -<span class="sourceLineNo">691</span><a name="line.691"></a> -<span class="sourceLineNo">692</span> private boolean isSystemOrSuperUser() throws IOException {<a name="line.692"></a> -<span class="sourceLineNo">693</span> return Superusers.isSuperUser(VisibilityUtils.getActiveUser());<a name="line.693"></a> -<span class="sourceLineNo">694</span> }<a name="line.694"></a> -<span class="sourceLineNo">695</span><a name="line.695"></a> -<span class="sourceLineNo">696</span> @Override<a name="line.696"></a> -<span class="sourceLineNo">697</span> public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> e, Append append)<a name="line.697"></a> -<span class="sourceLineNo">698</span> throws IOException {<a name="line.698"></a> -<span class="sourceLineNo">699</span> // If authorization is not enabled, we don't care about reserved tags<a name="line.699"></a> -<span class="sourceLineNo">700</span> if (!authorizationEnabled) {<a name="line.700"></a> -<span class="sourceLineNo">701</span> return null;<a name="line.701"></a> -<span class="sourceLineNo">702</span> }<a name="line.702"></a> -<span class="sourceLineNo">703</span> for (CellScanner cellScanner = append.cellScanner(); cellScanner.advance();) {<a name="line.703"></a> -<span class="sourceLineNo">704</span> if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.704"></a> -<span class="sourceLineNo">705</span> throw new FailedSanityCheckException("Append contains cell with reserved type tag");<a name="line.705"></a> -<span class="sourceLineNo">706</span> }<a name="line.706"></a> -<span class="sourceLineNo">707</span> }<a name="line.707"></a> -<span class="sourceLineNo">708</span> return null;<a name="line.708"></a> -<span class="sourceLineNo">709</span> }<a name="line.709"></a> -<span class="sourceLineNo">710</span><a name="line.710"></a> -<span class="sourceLineNo">711</span> @Override<a name="line.711"></a> -<span class="sourceLineNo">712</span> public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> e, Increment increment)<a name="line.712"></a> -<span class="sourceLineNo">713</span> throws IOException {<a name="line.713"></a> -<span class="sourceLineNo">714</span> // If authorization is not enabled, we don't care about reserved tags<a name="line.714"></a> -<span class="sourceLineNo">715</span> if (!authorizationEnabled) {<a name="line.715"></a> -<span class="sourceLineNo">716</span> return null;<a name="line.716"></a> -<span class="sourceLineNo">717</span> }<a name="line.717"></a> -<span class="sourceLineNo">718</span> for (CellScanner cellScanner = increment.cellScanner(); cellScanner.advance();) {<a name="line.718"></a> -<span class="sourceLineNo">719</span> if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.719"></a> -<span class="sourceLineNo">720</span> throw new FailedSanityCheckException("Increment contains cell with reserved type tag");<a name="line.720"></a> -<span class="sourceLineNo">721</span> }<a name="line.721"></a> -<span class="sourceLineNo">722</span> }<a name="line.722"></a> -<span class="sourceLineNo">723</span> return null;<a name="line.723"></a> -<span class="sourceLineNo">724</span> }<a name="line.724"></a> -<span class="sourceLineNo">725</span><a name="line.725"></a> -<span class="sourceLineNo">726</span> @Override<a name="line.726"></a> -<span class="sourceLineNo">727</span> public Cell postMutationBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> ctx,<a name="line.727"></a> -<span class="sourceLineNo">728</span> MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {<a name="line.728"></a> -<span class="sourceLineNo">729</span> List<Tag> tags = Lists.newArrayList();<a name="line.729"></a> -<span class="sourceLineNo">730</span> CellVisibility cellVisibility = null;<a name="line.730"></a> -<span class="sourceLineNo">731</span> try {<a name="line.731"></a> -<span class="sourceLineNo">732</span> cellVisibility = mutation.getCellVisibility();<a name="line.732"></a> -<span class="sourceLineNo">733</span> } catch (DeserializationException e) {<a name="line.733"></a> -<span class="sourceLineNo">734</span> throw new IOException(e);<a name="line.734"></a> -<span class="sourceLineNo">735</span> }<a name="line.735"></a> -<span class="sourceLineNo">736</span> if (cellVisibility == null) {<a name="line.736"></a> -<span class="sourceLineNo">737</span> return newCell;<a name="line.737"></a> -<span class="sourceLineNo">738</span> }<a name="line.738"></a> -<span class="sourceLineNo">739</span> // Prepend new visibility tags to a new list of tags for the cell<a name="line.739"></a> -<span class="sourceLineNo">740</span> // Don't check user auths for labels with Mutations when the user is super user<a name="line.740"></a> -<span class="sourceLineNo">741</span> boolean authCheck = authorizationEnabled && checkAuths && !(isSystemOrSuperUser());<a name="line.741"></a> -<span class="sourceLineNo">742</span> tags.addAll(this.visibilityLabelService.createVisibilityExpTags(cellVisibility.getExpression(),<a name="line.742"></a> -<span class="sourceLineNo">743</span> true, authCheck));<a name="line.743"></a> -<span class="sourceLineNo">744</span> // Save an object allocation where we can<a name="line.744"></a> -<span class="sourceLineNo">745</span> if (newCell.getTagsLength() > 0) {<a name="line.745"></a> -<span class="sourceLineNo">746</span> // Carry forward all other tags<a name="line.746"></a> -<span class="sourceLineNo">747</span> Iterator<Tag> tagsItr = CellUtil.tagsIterator(newCell.getTagsArray(),<a name="line.747"></a> -<span class="sourceLineNo">748</span> newCell.getTagsOffset(), newCell.getTagsLength());<a name="line.748"></a> -<span class="sourceLineNo">749</span> while (tagsItr.hasNext()) {<a name="line.749"></a> -<span class="sourceLineNo">750</span> Tag tag = tagsItr.next();<a name="line.750"></a> -<span class="sourceLineNo">751</span> if (tag.getType() != TagType.VISIBILITY_TAG_TYPE<a name="line.751"></a> -<span class="sourceLineNo">752</span> && tag.getType() != TagType.VISIBILITY_EXP_SERIALIZATION_FORMAT_TAG_TYPE) {<a name="line.752"></a> -<span class="sourceLineNo">753</span> tags.add(tag);<a name="line.753"></a> -<span class="sourceLineNo">754</span> }<a name="line.754"></a> -<span class="sourceLineNo">755</span> }<a name="line.755"></a> -<span class="sourceLineNo">756</span> }<a name="line.756"></a> -<span class="sourceLineNo">757</span><a name="line.757"></a> -<span class="sourceLineNo">758</span> Cell rewriteCell = new TagRewriteCell(newCell, Tag.fromList(tags));<a name="line.758"></a> -<span class="sourceLineNo">759</span> return rewriteCell;<a name="line.759"></a> -<span class="sourceLineNo">760</span> }<a name="line.760"></a> -<span class="sourceLineNo">761</span><a name="line.761"></a> -<span class="sourceLineNo">762</span> @Override<a name="line.762"></a> -<span class="sourceLineNo">763</span> public Service getService() {<a name="line.763"></a> -<span class="sourceLineNo">764</span> return VisibilityLabelsProtos.VisibilityLabelsService.newReflectiveService(this);<a name="line.764"></a> -<span class="sourceLineNo">765</span> }<a name="line.765"></a> -<span class="sourceLineNo">766</span><a name="line.766"></a> -<span class="sourceLineNo">767</span> @Override<a name="line.767"></a> -<span class="sourceLineNo">768</span> public boolean postScannerFilterRow(final ObserverContext<RegionCoprocessorEnvironment> e,<a name="line.768"></a> -<span class="sourceLineNo">769</span> final InternalScanner s, final Cell curRowCell, final boolean hasMore) throws IOException {<a name="line.769"></a> -<span class="sourceLineNo">770</span> // Impl in BaseRegionObserver might do unnecessary copy for Off heap backed Cells.<a name="line.770"></a> -<span class="sourceLineNo">771</span> return hasMore;<a name="line.771"></a> -<span class="sourceLineNo">772</span> }<a name="line.772"></a> -<span class="sourceLineNo">773</span><a name="line.773"></a> -<span class="sourceLineNo">774</span> /****************************** VisibilityEndpoint service related methods ******************************/<a name="line.774"></a> -<span class="sourceLineNo">775</span> @Override<a name="line.775"></a> -<span class="sourceLineNo">776</span> public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request,<a name="line.776"></a> -<span class="sourceLineNo">777</span> RpcCallback<VisibilityLabelsResponse> done) {<a name="line.777"></a> -<span class="sourceLineNo">778</span> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.778"></a> -<span class="sourceLineNo">779</span> List<VisibilityLabel> visLabels = request.getVisLabelList();<a name="line.779"></a> -<span class="sourceLineNo">780</span> if (!initialized) {<a name="line.780"></a> -<span class="sourceLineNo">781</span> setExceptionResults(visLabels.size(),<a name="line.781"></a> -<span class="sourceLineNo">782</span> new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.782"></a> -<span class="sourceLineNo">783</span> response);<a name="line.783"></a> -<span class="sourceLineNo">784</span> } else {<a name="line.784"></a> -<span class="sourceLineNo">785</span> List<byte[]> labels = new ArrayList<byte[]>(visLabels.size());<a name="line.785"></a> -<span class="sourceLineNo">786</span> try {<a name="line.786"></a> -<span class="sourceLineNo">787</span> if (authorizationEnabled) {<a name="line.787"></a> -<span class="sourceLineNo">788</span> checkCallingUserAuth();<a name="line.788"></a> -<span class="sourceLineNo">789</span> }<a name="line.789"></a> -<span class="sourceLineNo">790</span> RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.790"></a> -<span class="sourceLineNo">791</span> for (VisibilityLabel visLabel : visLabels) {<a name="line.791"></a> -<span class="sourceLineNo">792</span> byte[] label = visLabel.getLabel().toByteArray();<a name="line.792"></a> -<span class="sourceLineNo">793</span> labels.add(label);<a name="line.793"></a> -<span class="sourceLineNo">794</span> response.addResult(successResult); // Just mark as success. Later it will get reset<a name="line.794"></a> -<span class="sourceLineNo">795</span> // based on the result from<a name="line.795"></a> -<span class="sourceLineNo">796</span> // visibilityLabelService.addLabels ()<a name="line.796"></a> -<span class="sourceLineNo">797</span> }<a name="line.797"></a> -<span class="sourceLineNo">798</span> if (!labels.isEmpty()) {<a name="line.798"></a> -<span class="sourceLineNo">799</span> OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);<a name="line.799"></a> -<span class="sourceLineNo">800</span> logResult(true, "addLabels", "Adding labels allowed", null, labels, null);<a name="line.800"></a> -<span class="sourceLineNo">801</span> int i = 0;<a name="line.801"></a> -<span class="sourceLineNo">802</span> for (OperationStatus status : opStatus) {<a name="line.802"></a> -<span class="sourceLineNo">803</span> while (response.getResult(i) != successResult)<a name="line.803"></a> -<span class="sourceLineNo">804</span> i++;<a name="line.804"></a> -<span class="sourceLineNo">805</span> if (status.getOperationStatusCode() != SUCCESS) {<a name="line.805"></a> -<span class="sourceLineNo">806</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.806"></a> -<span class="sourceLineNo">807</span> failureResultBuilder.setException(ResponseConverter<a name="line.807"></a> -<span class="sourceLineNo">808</span> .buildException(new DoNotRetryIOException(status.getExceptionMsg())));<a name="line.808"></a> -<span class="sourceLineNo">809</span> response.setResult(i, failureResultBuilder.build());<a name="line.809"></a> -<span class="sourceLineNo">810</span> }<a name="line.810"></a> -<span class="sourceLineNo">811</span> i++;<a name="line.811"></a> -<span class="sourceLineNo">812</span> }<a name="line.812"></a> -<span class="sourceLineNo">813</span> }<a name="line.813"></a> -<span class="sourceLineNo">814</span> } catch (AccessDeniedException e) {<a name="line.814"></a> -<span class="sourceLineNo">815</span> logResult(false, "addLabels", e.getMessage(), null, labels, null);<a name="line.815"></a> -<span class="sourceLineNo">816</span> LOG.error("User is not having required permissions to add labels", e);<a name="line.816"></a> -<span class="sourceLineNo">817</span> setExceptionResults(visLabels.size(), e, response);<a name="line.817"></a> -<span class="sourceLineNo">818</span> } catch (IOException e) {<a name="line.818"></a> -<span class="sourceLineNo">819</span> LOG.error(e);<a name="line.819"></a> -<span class="sourceLineNo">820</span> setExceptionResults(visLabels.size(), e, response);<a name="line.820"></a> -<span class="sourceLineNo">821</span> }<a name="line.821"></a> -<span class="sourceLineNo">822</span> }<a name="line.822"></a> -<span class="sourceLineNo">823</span> done.run(response.build());<a name="line.823"></a> -<span class="sourceLineNo">824</span> }<a name="line.824"></a> -<span class="sourceLineNo">825</span><a name="line.825"></a> -<span class="sourceLineNo">826</span> private void setExceptionResults(int size, IOException e,<a name="line.826"></a> -<span class="sourceLineNo">827</span> VisibilityLabelsResponse.Builder response) {<a name="line.827"></a> -<span class="sourceLineNo">828</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.828"></a> -<span class="sourceLineNo">829</span> failureResultBuilder.setException(ResponseConverter.buildException(e));<a name="line.829"></a> -<span class="sourceLineNo">830</span> RegionActionResult failureResult = failureResultBuilder.build();<a name="line.830"></a> -<span class="sourceLineNo">831</span> for (int i = 0; i < size; i++) {<a name="line.831"></a> -<span class="sourceLineNo">832</span> response.addResult(i, failureResult);<a name="line.832"></a> -<span class="sourceLineNo">833</span> }<a name="line.833"></a> -<span class="sourceLineNo">834</span> }<a name="line.834"></a> -<span class="sourceLineNo">835</span><a name="line.835"></a> -<span class="sourceLineNo">836</span> @Override<a name="line.836"></a> -<span class="sourceLineNo">837</span> public synchronized void setAuths(RpcController controller, SetAuthsRequest request,<a name="line.837"></a> -<span class="sourceLineNo">838</span> RpcCallback<VisibilityLabelsResponse> done) {<a name="line.838"></a> -<span class="sourceLineNo">839</span> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.839"></a> -<span class="sourceLineNo">840</span> List<ByteString> auths = request.getAuthList();<a name="line.840"></a> -<span class="sourceLineNo">841</span> if (!initialized) {<a name="line.841"></a> -<span class="sourceLineNo">842</span> setExceptionResults(auths.size(),<a name="line.842"></a> -<span class="sourceLineNo">843</span> new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.843"></a> -<span class="sourceLineNo">844</span> response);<a name="line.844"></a> -<span class="sourceLineNo">845</span> } else {<a name="line.845"></a> -<span class="sourceLineNo">846</span> byte[] user = request.getUser().toByteArray();<a name="line.846"></a> -<span class="sourceLineNo">847</span> List<byte[]> labelAuths = new ArrayList<byte[]>(auths.size());<a name="line.847"></a> -<span class="sourceLineNo">848</span> try {<a name="line.848"></a> -<span class="sourceLineNo">849</span> if (authorizationEnabled) {<a name="line.849"></a> -<span class="sourceLineNo">850</span> checkCallingUserAuth();<a name="line.850"></a> -<span class="sourceLineNo">851</span> }<a name="line.851"></a> -<span class="sourceLineNo">852</span> for (ByteString authBS : auths) {<a name="line.852"></a> -<span class="sourceLineNo">853</span> labelAuths.add(authBS.toByteArray());<a name="line.853"></a> -<span class="sourceLineNo">854</span> }<a name="line.854"></a> -<span class="sourceLineNo">855</span> OperationStatus[] opStatus = this.visibilityLabelService.setAuths(user, labelAuths);<a name="line.855"></a> -<span class="sourceLineNo">856</span> logResult(true, "setAuths", "Setting authorization for labels allowed", user, labelAuths,<a name="line.856"></a> -<span class="sourceLineNo">857</span> null);<a name="line.857"></a> -<span class="sourceLineNo">858</span> RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.858"></a> -<span class="sourceLineNo">859</span> for (OperationStatus status : opStatus) {<a name="line.859"></a> -<span class="sourceLineNo">860</span> if (status.getOperationStatusCode() == SUCCESS) {<a name="line.860"></a> -<span class="sourceLineNo">861</span> response.addResult(successResult);<a name="line.861"></a> -<span class="sourceLineNo">862</span> } else {<a name="line.862"></a> -<span class="sourceLineNo">863</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.863"></a> -<span class="sourceLineNo">864</span> failureResultBuilder.setException(ResponseConverter<a name="line.864"></a> -<span class="sourceLineNo">865</span> .buildException(new DoNotRetryIOException(status.getExceptionMsg())));<a name="line.865"></a> -<span class="sourceLineNo">866</span> response.addResult(failureResultBuilder.build());<a name="line.866"></a> -<span class="sourceLineNo">867</span> }<a name="line.867"></a> -<span class="sourceLineNo">868</span> }<a name="line.868"></a> -<span class="sourceLineNo">869</span> } catch (AccessDeniedException e) {<a name="line.869"></a> -<span class="sourceLineNo">870</span> logResult(false, "setAuths", e.getMessage(), user, labelAuths, null);<a name="line.870"></a> -<span class="sourceLineNo">871</span> LOG.error("User is not having required permissions to set authorization", e);<a name="line.871"></a> -<span class="sourceLineNo">872</span> setExceptionResults(auths.size(), e, response);<a name="line.872"></a> -<span class="sourceLineNo">873</span> } catch (IOException e) {<a name="line.873"></a> -<span class="sourceLineNo">874</span> LOG.error(e);<a name="line.874"></a> -<span class="sourceLineNo">875</span> setExceptionResults(auths.size(), e, response);<a name="line.875"></a> -<span class="sourceLineNo">876</span> }<a name="line.876"></a> -<span class="sourceLineNo">877</span> }<a name="line.877"></a> -<span class="sourceLineNo">878</span> done.run(response.build());<a name="line.878"></a> -<span class="sourceLineNo">879</span> }<a name="line.879"></a> -<span class="sourceLineNo">880</span><a name="line.880"></a> -<span class="sourceLineNo">881</span> private void logResult(boolean isAllowed, String request, String reason, byte[] user,<a name="line.881"></a> -<span class="sourceLineNo">882</span> List<byte[]> labelAuths, String regex) {<a name="line.882"></a> -<span class="sourceLineNo">883</span> if (AUDITLOG.isTraceEnabled()) {<a name="line.883"></a> -<span class="sourceLineNo">884</span> // This is more duplicated code!<a name="line.884"></a> -<span class="sourceLineNo">885</span> InetAddress remoteAddr = RpcServer.getRemoteAddress();<a name="line.885"></a> -<span class="sourceLineNo">886</span> List<String> labelAuthsStr = new ArrayList<>();<a name="line.886"></a> -<span class="sourceLineNo">887</span> if (labelAuths != null) {<a name="line.887"></a> -<span class="sourceLineNo">888</span> int labelAuthsSize = labelAuths.size();<a name="line.888"></a> -<span class="sourceLineNo">889</span> labelAuthsStr = new ArrayList<>(labelAuthsSize);<a name="line.889"></a> -<span class="sourceLineNo">890</span> for (int i = 0; i < labelAuthsSize; i++) {<a name="line.890"></a> -<span class="sourceLineNo">891</span> labelAuthsStr.add(Bytes.toString(labelAuths.get(i)));<a name="line.891"></a> -<span class="sourceLineNo">892</span> }<a name="line.892"></a> -<span class="sourceLineNo">893</span> }<a name="line.893"></a> -<span class="sourceLineNo">894</span><a name="line.894"></a> -<span class="sourceLineNo">895</span> User requestingUser = null;<a name="line.895"></a> -<span class="sourceLineNo">896</span> try {<a name="line.896"></a> -<span class="sourceLineNo">897</span> requestingUser = VisibilityUtils.getActiveUser();<a name="line.897"></a> -<span class="sourceLineNo">898</span> } catch (IOException e) {<a name="line.898"></a> -<span class="sourceLineNo">899</span> LOG.warn("Failed to get active system user.");<a name="line.899"></a> -<span class="sourceLineNo">900</span> LOG.debug("Details on failure to get active system user.", e);<a name="line.900"></a> -<span class="sourceLineNo">901</span> }<a name="line.901"></a> -<span class="sourceLineNo">902</span> AUDITLOG.trace("Access " + (isAllowed ? "allowed" : "denied") + " for user "<a name="line.902"></a> -<span class="sourceLineNo">903</span> + (requestingUser != null ? requestingUser.getShortName() : "UNKNOWN") + "; reason: "<a name="line.903"></a> -<span class="sourceLineNo">904</span> + reason + "; remote address: " + (remoteAddr != null ? remoteAddr : "") + "; request: "<a name="line.904"></a> -<span class="sourceLineNo">905</span> + request + "; user: " + (user != null ? Bytes.toShort(user) : "null") + "; labels: "<a name="line.905"></a> -<span class="sourceLineNo">906</span> + labelAuthsStr + "; regex: " + regex);<a name="line.906"></a> -<span class="sourceLineNo">907</span> }<a name="line.907"></a> -<span class="sourceLineNo">908</span> }<a name="line.908"></a> -<span class="sourceLineNo">909</span><a name="line.909"></a> -<span class="sourceLineNo">910</span> @Override<a name="line.910"></a> -<span class="sourceLineNo">911</span> public synchronized void getAuths(RpcController controller, GetAuthsRequest request,<a name="line.911"></a> -<span class="sourceLineNo">912</span> RpcCallback<GetAuthsResponse> done) {<a name="line.912"></a> -<span class="sourceLineNo">913</span> GetAuthsResponse.Builder response = GetAuthsResponse.newBuilder();<a name="line.913"></a> -<span class="sourceLineNo">914</span> if (!initialized) {<a name="line.914"></a> -<span class="sourceLineNo">915</span> controller.setFailed("VisibilityController not yet initialized");<a name="line.915"></a> -<span class="sourceLineNo">916</span> } else {<a name="line.916"></a> -<span class="sourceLineNo">917</span> byte[] user = request.getUser().toByteArray();<a name="line.917"></a> -<span class="sourceLineNo">918</span> List<String> labels = null;<a name="line.918"></a> -<span class="sourceLineNo">919</span> try {<a name="line.919"></a> -<span class="sourceLineNo">920</span> // We do ACL check here as we create scanner directly on region. It will not make calls to<a name="line.920"></a> -<span class="sourceLineNo">921</span> // AccessController CP methods.<a name="line.921"></a> -<span class="sourceLineNo">922</span> if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {<a name="line.922"></a> -<span class="sourceLineNo">923</span> User requestingUser = VisibilityUtils.getActiveUser();<a name="line.923"></a> -<span class="sourceLineNo">924</span> throw new AccessDeniedException("User '"<a name="line.924"></a> -<span class="sourceLineNo">925</span> + (requestingUser != null ? requestingUser.getShortName() : "null")<a name="line.925"></a> -<span class="sourceLineNo">926</span> + "' is not authorized to perform this action.");<a name="line.926"></a> -<span class="sourceLineNo">927</span> }<a name="line.927"></a> -<span class="sourceLineNo">928</span> if (AuthUtil.isGroupPrincipal(Bytes.toString(user))) {<a name="line.928"></a> -<span class="sourceLineNo">929</span> String group = AuthUtil.getGroupName(Bytes.toString(user));<a name="line.929"></a> -<span class="sourceLineNo">930</span> labels = this.visibilityLabelService.getGroupAuths(new String[]{group}, false);<a name="line.930"></a> -<span class="sourceLineNo">931</span> }<a name="line.931"></a> -<span class="sourceLineNo">932</span> else {<a name="line.932"></a> -<span class="sourceLineNo">933</span> labels = this.visibilityLabelService.getUserAuths(user, false);<a name="line.933"></a> -<span class="sourceLineNo">934</span> }<a name="line.934"></a> -<span class="sourceLineNo">935</span> logResult(true, "getAuths", "Get authorizations for user allowed", user, null, null);<a name="line.935"></a> -<span class="sourceLineNo">936</span> } catch (AccessDeniedException e) {<a name="line.936"></a> -<span class="sourceLineNo">937</span> logResult(false, "getAuths", e.getMessage(), user, null, null);<a name="line.937"></a> +<span class="sourceLineNo">453</span> * @param cell The cell under consideration<a name="line.453"></a> +<span class="sourceLineNo">454</span> * @param pair An optional pair of type {@code <Boolean, Tag>} which would be reused if already<a name="line.454"></a> +<span class="sourceLineNo">455</span> * set and new one will be created if NULL is passed<a name="line.455"></a> +<span class="sourceLineNo">456</span> * @return If the boolean is false then it indicates that the cell has a RESERVERD_VIS_TAG and<a name="line.456"></a> +<span class="sourceLineNo">457</span> * with boolean as true, not null tag indicates that a string modified tag was found.<a name="line.457"></a> +<span class="sourceLineNo">458</span> */<a name="line.458"></a> +<span class="sourceLineNo">459</span> private Pair<Boolean, Tag> checkForReservedVisibilityTagPresence(Cell cell,<a name="line.459"></a> +<span class="sourceLineNo">460</span> Pair<Boolean, Tag> pair) throws IOException {<a name="line.460"></a> +<span class="sourceLineNo">461</span> if (pair == null) {<a name="line.461"></a> +<span class="sourceLineNo">462</span> pair = new Pair<Boolean, Tag>(false, null);<a name="line.462"></a> +<span class="sourceLineNo">463</span> } else {<a name="line.463"></a> +<span class="sourceLineNo">464</span> pair.setFirst(false);<a name="line.464"></a> +<span class="sourceLineNo">465</span> pair.setSecond(null);<a name="line.465"></a> +<span class="sourceLineNo">466</span> }<a name="line.466"></a> +<span class="sourceLineNo">467</span> // Bypass this check when the operation is done by a system/super user.<a name="line.467"></a> +<span class="sourceLineNo">468</span> // This is done because, while Replication, the Cells coming to the peer cluster with reserved<a name="line.468"></a> +<span class="sourceLineNo">469</span> // typed tags and this is fine and should get added to the peer cluster table<a name="line.469"></a> +<span class="sourceLineNo">470</span> if (isSystemOrSuperUser()) {<a name="line.470"></a> +<span class="sourceLineNo">471</span> // Does the cell contain special tag which indicates that the replicated<a name="line.471"></a> +<span class="sourceLineNo">472</span> // cell visiblilty tags<a name="line.472"></a> +<span class="sourceLineNo">473</span> // have been modified<a name="line.473"></a> +<span class="sourceLineNo">474</span> Tag modifiedTag = null;<a name="line.474"></a> +<span class="sourceLineNo">475</span> if (cell.getTagsLength() > 0) {<a name="line.475"></a> +<span class="sourceLineNo">476</span> Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(),<a name="line.476"></a> +<span class="sourceLineNo">477</span> cell.getTagsOffset(), cell.getTagsLength());<a name="line.477"></a> +<span class="sourceLineNo">478</span> while (tagsIterator.hasNext()) {<a name="line.478"></a> +<span class="sourceLineNo">479</span> Tag tag = tagsIterator.next();<a name="line.479"></a> +<span class="sourceLineNo">480</span> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.480"></a> +<span class="sourceLineNo">481</span> modifiedTag = tag;<a name="line.481"></a> +<span class="sourceLineNo">482</span> break;<a name="line.482"></a> +<span class="sourceLineNo">483</span> }<a name="line.483"></a> +<span class="sourceLineNo">484</span> }<a name="line.484"></a> +<span class="sourceLineNo">485</span> }<a name="line.485"></a> +<span class="sourceLineNo">486</span> pair.setFirst(true);<a name="line.486"></a> +<span class="sourceLineNo">487</span> pair.setSecond(modifiedTag);<a name="line.487"></a> +<span class="sourceLineNo">488</span> return pair;<a name="line.488"></a> +<span class="sourceLineNo">489</span> }<a name="line.489"></a> +<span class="sourceLineNo">490</span> if (cell.getTagsLength() > 0) {<a name="line.490"></a> +<span class="sourceLineNo">491</span> Iterator<Tag> tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.491"></a> +<span class="sourceLineNo">492</span> cell.getTagsLength());<a name="line.492"></a> +<span class="sourceLineNo">493</span> while (tagsItr.hasNext()) {<a name="line.493"></a> +<span class="sourceLineNo">494</span> if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.494"></a> +<span class="sourceLineNo">495</span> return pair;<a name="line.495"></a> +<span class="sourceLineNo">496</span> }<a name="line.496"></a> +<span class="sourceLineNo">497</span> }<a name="line.497"></a> +<span class="sourceLineNo">498</span> }<a name="line.498"></a> +<span class="sourceLineNo">499</span> pair.setFirst(true);<a name="line.499"></a> +<span class="sourceLineNo">500</span> return pair;<a name="line.500"></a> +<span class="sourceLineNo">501</span> }<a name="line.501"></a> +<span class="sourceLineNo">502</span><a name="line.502"></a> +<span class="sourceLineNo">503</span> /**<a name="line.503"></a> +<span class="sourceLineNo">504</span> * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.504"></a> +<span class="sourceLineNo">505</span> * tag type is reserved and should not be explicitly set by user. There are<a name="line.505"></a> +<span class="sourceLineNo">506</span> * two versions of this method one that accepts pair and other without pair.<a name="line.506"></a> +<span class="sourceLineNo">507</span> * In case of preAppend and preIncrement the additional operations are not<a name="line.507"></a> +<span class="sourceLineNo">508</span> * needed like checking for STRING_VIS_TAG_TYPE and hence the API without pair<a name="line.508"></a> +<span class="sourceLineNo">509</span> * could be used.<a name="line.509"></a> +<span class="sourceLineNo">510</span> *<a name="line.510"></a> +<span class="sourceLineNo">511</span> * @param cell<a name="line.511"></a> +<span class="sourceLineNo">512</span> * @throws IOException<a name="line.512"></a> +<span class="sourceLineNo">513</span> */<a name="line.513"></a> +<span class="sourceLineNo">514</span> private boolean checkForReservedVisibilityTagPresence(Cell cell) throws IOException {<a name="line.514"></a> +<span class="sourceLineNo">515</span> // Bypass this check when the operation is done by a system/super user.<a name="line.515"></a> +<span class="sourceLineNo">516</span> // This is done because, while Replication, the Cells coming to the peer<a name="line.516"></a> +<span class="sourceLineNo">517</span> // cluster with reserved<a name="line.517"></a> +<span class="sourceLineNo">518</span> // typed tags and this is fine and should get added to the peer cluster<a name="line.518"></a> +<span class="sourceLineNo">519</span> // table<a name="line.519"></a> +<span class="sourceLineNo">520</span> if (isSystemOrSuperUser()) {<a name="line.520"></a> +<span class="sourceLineNo">521</span> return true;<a name="line.521"></a> +<span class="sourceLineNo">522</span> }<a name="line.522"></a> +<span class="sourceLineNo">523</span> if (cell.getTagsLength() > 0) {<a name="line.523"></a> +<span class="sourceLineNo">524</span> Iterator<Tag> tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.524"></a> +<span class="sourceLineNo">525</span> cell.getTagsLength());<a name="line.525"></a> +<span class="sourceLineNo">526</span> while (tagsItr.hasNext()) {<a name="line.526"></a> +<span class="sourceLineNo">527</span> if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.527"></a> +<span class="sourceLineNo">528</span> return false;<a name="line.528"></a> +<span class="sourceLineNo">529</span> }<a name="line.529"></a> +<span class="sourceLineNo">530</span> }<a name="line.530"></a> +<span class="sourceLineNo">531</span> }<a name="line.531"></a> +<span class="sourceLineNo">532</span> return true;<a name="line.532"></a> +<span class="sourceLineNo">533</span> }<a name="line.533"></a> +<span class="sourceLineNo">534</span><a name="line.534"></a> +<span class="sourceLineNo">535</span> private void removeReplicationVisibilityTag(List<Tag> tags) throws IOException {<a name="line.535"></a> +<span class="sourceLineNo">536</span> Iterator<Tag> iterator = tags.iterator();<a name="line.536"></a> +<span class="sourceLineNo">537</span> while (iterator.hasNext()) {<a name="line.537"></a> +<span class="sourceLineNo">538</span> Tag tag = iterator.next();<a name="line.538"></a> +<span class="sourceLineNo">539</span> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.539"></a> +<span class="sourceLineNo">540</span> iterator.remove();<a name="line.540"></a> +<span class="sourceLineNo">541</span> break;<a name="line.541"></a> +<span class="sourceLineNo">542</span> }<a name="line.542"></a> +<span class="sourceLineNo">543</span> }<a name="line.543"></a> +<span class="sourceLineNo">544</span> }<a name="line.544"></a> +<span class="sourceLineNo">545</span><a name="line.545"></a> +<span class="sourceLineNo">546</span> @Override<a name="line.546"></a> +<span class="sourceLineNo">547</span> public RegionScanner preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> e, Scan scan,<a name="line.547"></a> +<span class="sourceLineNo">548</span> RegionScanner s) throws IOException {<a name="line.548"></a> +<span class="sourceLineNo">549</span> if (!initialized) {<a name="line.549"></a> +<span class="sourceLineNo">550</span> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized!");<a name="line.550"></a> +<span class="sourceLineNo">551</span> }<a name="line.551"></a> +<span class="sourceLineNo">552</span> // Nothing to do if authorization is not enabled<a name="line.552"></a> +<span class="sourceLineNo">553</span> if (!authorizationEnabled) {<a name="line.553"></a> +<span class="sourceLineNo">554</span> return s;<a name="line.554"></a> +<span class="sourceLineNo">555</span> }<a name="line.555"></a> +<span class="sourceLineNo">556</span> Region region = e.getEnvironment().getRegion();<a name="line.556"></a> +<span class="sourceLineNo">557</span> Authorizations authorizations = null;<a name="line.557"></a> +<span class="sourceLineNo">558</span> try {<a name="line.558"></a> +<span class="sourceLineNo">559</span> authorizations = scan.getAuthorizations();<a name="line.559"></a> +<span class="sourceLineNo">560</span> } catch (DeserializationException de) {<a name="line.560"></a> +<span class="sourceLineNo">561</span> throw new IOException(de);<a name="line.561"></a> +<span class="sourceLineNo">562</span> }<a name="line.562"></a> +<span class="sourceLineNo">563</span> if (authorizations == null) {<a name="line.563"></a> +<span class="sourceLineNo">564</span> // No Authorizations present for this scan/Get!<a name="line.564"></a> +<span class="sourceLineNo">565</span> // In case of system tables other than "labels" just scan with out visibility check and<a name="line.565"></a> +<span class="sourceLineNo">566</span> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.566"></a> +<span class="sourceLineNo">567</span> TableName table = region.getRegionInfo().getTable();<a name="line.567"></a> +<span class="sourceLineNo">568</span> if (table.isSystemTable() && !table.equals(LABELS_TABLE_NAME)) {<a name="line.568"></a> +<span class="sourceLineNo">569</span> return s;<a name="line.569"></a> +<span class="sourceLineNo">570</span> }<a name="line.570"></a> +<span class="sourceLineNo">571</span> }<a name="line.571"></a> +<span class="sourceLineNo">572</span><a name="line.572"></a> +<span class="sourceLineNo">573</span> Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(region,<a name="line.573"></a> +<span class="sourceLineNo">574</span> authorizations);<a name="line.574"></a> +<span class="sourceLineNo">575</span> if (visibilityLabelFilter != null) {<a name="line.575"></a> +<span class="sourceLineNo">576</span> Filter filter = scan.getFilter();<a name="line.576"></a> +<span class="sourceLineNo">577</span> if (filter != null) {<a name="line.577"></a> +<span class="sourceLineNo">578</span> scan.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.578"></a> +<span class="sourceLineNo">579</span> } else {<a name="line.579"></a> +<span class="sourceLineNo">580</span> scan.setFilter(visibilityLabelFilter);<a name="line.580"></a> +<span class="sourceLineNo">581</span> }<a name="line.581"></a> +<span class="sourceLineNo">582</span> }<a name="line.582"></a> +<span class="sourceLineNo">583</span> return s;<a name="line.583"></a> +<span class="sourceLineNo">584</span> }<a name="line.584"></a> +<span class="sourceLineNo">585</span><a name="line.585"></a> +<span class="sourceLineNo">586</span> @Override<a name="line.586"></a> +<span class="sourceLineNo">587</span> public DeleteTracker postInstantiateDeleteTracker(<a name="line.587"></a> +<span class="sourceLineNo">588</span> ObserverContext<RegionCoprocessorEnvironment> ctx, DeleteTracker delTracker)<a name="line.588"></a> +<span class="sourceLineNo">589</span> throws IOException {<a name="line.589"></a> +<span class="sourceLineNo">590</span> // Nothing to do if we are not filtering by visibility<a name="line.590"></a> +<span class="sourceLineNo">591</span> if (!authorizationEnabled) {<a name="line.591"></a> +<span class="sourceLineNo">592</span> return delTracker;<a name="line.592"></a> +<span class="sourceLineNo">593</span> }<a name="line.593"></a> +<span class="sourceLineNo">594</span> Region region = ctx.getEnvironment().getRegion();<a name="line.594"></a> +<span class="sourceLineNo">595</span> TableName table = region.getRegionInfo().getTable();<a name="line.595"></a> +<span class="sourceLineNo">596</span> if (table.isSystemTable()) {<a name="line.596"></a> +<span class="sourceLineNo">597</span> return delTracker;<a name="line.597"></a> +<span class="sourceLineNo">598</span> }<a name="line.598"></a> +<span class="sourceLineNo">599</span> // We are creating a new type of delete tracker here which is able to track<a name="line.599"></a> +<span class="sourceLineNo">600</span> // the timestamps and also the<a name="line.600"></a> +<span class="sourceLineNo">601</span> // visibility tags per cell. The covering cells are determined not only<a name="line.601"></a> +<span class="sourceLineNo">602</span> // based on the delete type and ts<a name="line.602"></a> +<span class="sourceLineNo">603</span> // but also on the visibility expression matching.<a name="line.603"></a> +<span class="sourceLineNo">604</span> return new VisibilityScanDeleteTracker();<a name="line.604"></a> +<span class="sourceLineNo">605</span> }<a name="line.605"></a> +<span class="sourceLineNo">606</span><a name="line.606"></a> +<span class="sourceLineNo">607</span> @Override<a name="line.607"></a> +<span class="sourceLineNo">608</span> public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.608"></a> +<span class="sourceLineNo">609</span> final Scan scan, final RegionScanner s) throws IOException {<a name="line.609"></a> +<span class="sourceLineNo">610</span> User user = VisibilityUtils.getActiveUser();<a name="line.610"></a> +<span class="sourceLineNo">611</span> if (user != null && user.getShortName() != null) {<a name="line.611"></a> +<span class="sourceLineNo">612</span> scannerOwners.put(s, user.getShortName());<a name="line.612"></a> +<span class="sourceLineNo">613</span> }<a name="line.613"></a> +<span class="sourceLineNo">614</span> return s;<a name="line.614"></a> +<span class="sourceLineNo">615</span> }<a name="line.615"></a> +<span class="sourceLineNo">616</span><a name="line.616"></a> +<span class="sourceLineNo">617</span> @Override<a name="line.617"></a> +<span class="sourceLineNo">618</span> public boolean preScannerNext(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.618"></a> +<span class="sourceLineNo">619</span> final InternalScanner s, final List<Result> result, final int limit, final boolean hasNext)<a name="line.619"></a> +<span class="sourceLineNo">620</span> throws IOException {<a name="line.620"></a> +<span class="sourceLineNo">621</span> requireScannerOwner(s);<a name="line.621"></a> +<span class="sourceLineNo">622</span> return hasNext;<a name="line.622"></a> +<span class="sourceLineNo">623</span> }<a name="line.623"></a> +<span class="sourceLineNo">624</span><a name="line.624"></a> +<span class="sourceLineNo">625</span> @Override<a name="line.625"></a> +<span class="sourceLineNo">626</span> public void preScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.626"></a> +<span class="sourceLineNo">627</span> final InternalScanner s) throws IOException {<a name="line.627"></a> +<span class="sourceLineNo">628</span> requireScannerOwner(s);<a name="line.628"></a> +<span class="sourceLineNo">629</span> }<a name="line.629"></a> +<span class="sourceLineNo">630</span><a name="line.630"></a> +<span class="sourceLineNo">631</span> @Override<a name="line.631"></a> +<span class="sourceLineNo">632</span> public void postScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.632"></a> +<span class="sourceLineNo">633</span> final InternalScanner s) throws IOException {<a name="line.633"></a> +<span class="sourceLineNo">634</span> // clean up any associated owner mapping<a name="line.634"></a> +<span class="sourceLineNo">635</span> scannerOwners.remove(s);<a name="line.635"></a> +<span class="sourceLineNo">636</span> }<a name="line.636"></a> +<span class="sourceLineNo">637</span><a name="line.637"></a> +<span class="sourceLineNo">638</span> /**<a name="line.638"></a> +<span class="sourceLineNo">639</span> * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that<a name="line.639"></a> +<span class="sourceLineNo">640</span> * access control is correctly enforced based on the checks performed in preScannerOpen()<a name="line.640"></a> +<span class="sourceLineNo">641</span> */<a name="line.641"></a> +<span class="sourceLineNo">642</span> private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {<a name="line.642"></a> +<span class="sourceLineNo">643</span> if (!RpcServer.isInRpcCallContext())<a name="line.643"></a> +<span class="sourceLineNo">644</span> return;<a name="line.644"></a> +<span class="sourceLineNo">645</span> String requestUName = RpcServer.getRequestUserName();<a name="line.645"></a> +<span class="sourceLineNo">646</span> String owner = scannerOwners.get(s);<a name="line.646"></a> +<span class="sourceLineNo">647</span> if (authorizationEnabled && owner != null && !owner.equals(requestUName)) {<a name="line.647"></a> +<span class="sourceLineNo">648</span> throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");<a name="line.648"></a> +<span class="sourceLineNo">649</span> }<a name="line.649"></a> +<span class="sourceLineNo">650</span> }<a name="line.650"></a> +<span class="sourceLineNo">651</span><a name="line.651"></a> +<span class="sourceLineNo">652</span> @Override<a name="line.652"></a> +<span class="sourceLineNo">653</span> public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> e, Get get,<a name="line.653"></a> +<span class="sourceLineNo">654</span> List<Cell> results) throws IOException {<a name="line.654"></a> +<span class="sourceLineNo">655</span> if (!initialized) {<a name="line.655"></a> +<span class="sourceLineNo">656</span> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized");<a name="line.656"></a> +<span class="sourceLineNo">657</span> }<a name="line.657"></a> +<span class="sourceLineNo">658</span> // Nothing useful to do if authorization is not enabled<a name="line.658"></a> +<span class="sourceLineNo">659</span> if (!authorizationEnabled) {<a name="line.659"></a> +<span class="sourceLineNo">660</span> return;<a name="line.660"></a> +<span class="sourceLineNo">661</span> }<a name="line.661"></a> +<span class="sourceLineNo">662</span> Region region = e.getEnvironment().getRegion();<a name="line.662"></a> +<span class="sourceLineNo">663</span> Authorizations authorizations = null;<a name="line.663"></a> +<span class="sourceLineNo">664</span> try {<a name="line.664"></a> +<span class="sourceLineNo">665</span> authorizations = get.getAuthorizations();<a name="line.665"></a> +<span class="sourceLineNo">666</span> } catch (DeserializationException de) {<a name="line.666"></a> +<span class="sourceLineNo">667</span> throw new IOException(de);<a name="line.667"></a> +<span class="sourceLineNo">668</span> }<a name="line.668"></a> +<span class="sourceLineNo">669</span> if (authorizations == null) {<a name="line.669"></a> +<span class="sourceLineNo">670</span> // No Authorizations present for this scan/Get!<a name="line.670"></a> +<span class="sourceLineNo">671</span> // In case of system tables other than "labels" just scan with out visibility check and<a name="line.671"></a> +<span class="sourceLineNo">672</span> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.672"></a> +<span class="sourceLineNo">673</span> TableName table = region.getRegionInfo().getTable();<a name="line.673"></a> +<span class="sourceLineNo">674</span> if (table.isSystemTable() && !table.equals(LABELS_TABLE_NAME)) {<a name="line.674"></a> +<span class="sourceLineNo">675</span> return;<a name="line.675"></a> +<span class="sourceLineNo">676</span> }<a name="line.676"></a> +<span class="sourceLineNo">677</span> }<a name="line.677"></a> +<span class="sourceLineNo">678</span> Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(e.getEnvironment()<a name="line.678"></a> +<span class="sourceLineNo">679</span> .getRegion(), authorizations);<a name="line.679"></a> +<span class="sourceLineNo">680</span> if (visibilityLabelFilter != null) {<a name="line.680"></a> +<span class="sourceLineNo">681</span> Filter filter = get.getFilter();<a name="line.681"></a> +<span class="sourceLineNo">682</span> if (filter != null) {<a name="line.682"></a> +<span class="sourceLineNo">683</span> get.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.683"></a> +<span class="sourceLineNo">684</span> } else {<a name="line.684"></a> +<span class="sourceLineNo">685</span> get.setFilter(visibilityLabelFilter);<a name="line.685"></a> +<span class="sourceLineNo">686</span> }<a name="line.686"></a> +<span class="sourceLineNo">687</span> }<a name="line.687"></a> +<span class="sourceLineNo">688</span> }<a name="line.688"></a> +<span class="sourceLineNo">689</span><a name="line.689"></a> +<span class="sourceLineNo">690</span> private boolean isSystemOrSuperUser() throws IOException {<a name="line.690"></a> +<span class="sourceLineNo">691</span> return Superusers.isSuperUser(VisibilityUtils.getActiveUser());<a name="line.691"></a> +<span class="sourceLineNo">692</span> }<a name="line.692"></a> +<span class="sourceLineNo">693</span><a name="line.693"></a> +<span class="sourceLineNo">694</span> @Override<a name="line.694"></a> +<span class="sourceLineNo">695</span> public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> e, Append append)<a name="line.695"></a> +<span class="sourceLineNo">696</span> throws IOException {<a name="line.696"></a> +<span class="sourceLineNo">697</span> // If authorization is not enabled, we don't care about reserved tags<a name="line.697"></a> +<span class="sourceLineNo">698</span> if (!authorizationEnabled) {<a name="line.698"></a> +<span class="sourceLineNo">699</span> return null;<a name="line.699"></a> +<span class="sourceLineNo">700</span> }<a name="line.700"></a> +<span class="sourceLineNo">701</span> for (CellScanner cellScanner = append.cellScanner(); cellScanner.advance();) {<a name="line.701"></a> +<span class="sourceLineNo">702</span> if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.702"></a> +<span class="sourceLineNo">703</span> throw new FailedSanityCheckException("Append contains cell with reserved type tag");<a name="line.703"></a> +<span class="sourceLineNo">704</span> }<a name="line.704"></a> +<span class="sourceLineNo">705</span> }<a name="line.705"></a> +<span class="sourceLineNo">706</span> return null;<a name="line.706"></a> +<span class="sourceLineNo">707</span> }<a name="line.707"></a> +<span class="sourceLineNo">708</span><a name="line.708"></a> +<span class="sourceLineNo">709</span> @Override<a name="line.709"></a> +<span class="sourceLineNo">710</span> public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> e, Increment increment)<a name="line.710"></a> +<span class="sourceLineNo">711</span> throws IOException {<a name="line.711"></a> +<span class="sourceLineNo">712</span> // If authorization is not enabled, we don't care about reserved tags<a name="line.712"></a> +<span class="sourceLineNo">713</span> if (!authorizationEnabled) {<a name="line.713"></a> +<span class="sourceLineNo">714</span> return null;<a name="line.714"></a> +<span class="sourceLineNo">715</span> }<a name="line.715"></a> +<span class="sourceLineNo">716</span> for (CellScanner cellScanner = increment.cellScanner(); cellScanner.advance();) {<a name="line.716"></a> +<span class="sourceLineNo">717</span> if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.717"></a> +<span class="sourceLineNo">718</span> throw new FailedSanityCheckException("Increment contains cell with reserved type tag");<a name="line.718"></a> +<span class="sourceLineNo">719</span> }<a name="line.719"></a> +<span class="sourceLineNo">720</span> }<a name="line.720"></a> +<span class="sourceLineNo">721</span> return null;<a name="line.721"></a> +<span class="sourceLineNo">722</span> }<a name="line.722"></a> +<span class="sourceLineNo">723</span><a name="line.723"></a> +<span class="sourceLineNo">724</span> @Override<a name="line.724"></a> +<span class="sourceLineNo">725</span> public Cell postMutationBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> ctx,<a name="line.725"></a> +<span class="sourceLineNo">726</span> MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {<a name="line.726"></a> +<span class="sourceLineNo">727</span> List<Tag> tags = Lists.newArrayList();<a name="line.727"></a> +<span class="sourceLineNo">728</span> CellVisibility cellVisibility = null;<a name="line.728"></a> +<span class="sourceLineNo">729</span> try {<a name="line.729"></a> +<span class="sourceLineNo">730</span> cellVisibility = mutation.getCellVisibility();<a name="line.730"></a> +<span class="sourceLineNo">731</span> } catch (DeserializationException e) {<a name="line.731"></a> +<span class="sourceLineNo">732</span> throw new IOException(e);<a name="line.732"></a> +<span class="sourceLineNo">733</span> }<a name="line.733"></a> +<span class="sourceLineNo">734</span> if (cellVisibility == null) {<a name="line.734"></a> +<span class="sourceLineNo">735</span> return newCell;<a name="line.735"></a> +<span class="sourceLineNo">736</span> }<a name="line.736"></a> +<span class="sourceLineNo">737</span> // Prepend new visibility tags to a new list of tags for the cell<a name="line.737"></a> +<span class="sourceLineNo">738</span> // Don't check user auths for labels with Mutations when the user is super user<a name="line.738"></a> +<span class="sourceLineNo">739</span> boolean authCheck = authorizationEnabled && checkAuths && !(isSystemOrSuperUser());<a name="line.739"></a> +<span class="sourceLineNo">740</span> tags.addAll(this.visibilityLabelService.createVisibilityExpTags(cellVisibility.getExpression(),<a name="line.740"></a> +<span class="sourceLineNo">741</span> true, authCheck));<a name="line.741"></a> +<span class="sourceLineNo">742</span> // Save an object allocation where we can<a name="line.742"></a> +<span class="sourceLineNo">743</span> if (newCell.getTagsLength() > 0) {<a name="line.743"></a> +<span class="sourceLineNo">744</span> // Carry forward all other tags<a name="line.744"></a> +<span class="sourceLineNo">745</span> Iterator<Tag> tagsItr = CellUtil.tagsIterator(newCell.getTagsArray(),<a name="line.745"></a> +<span class="sourceLineNo">746</span> newCell.getTagsOffset(), newCell.getTagsLength());<a name="line.746"></a> +<span class="sourceLineNo">747</span> while (tagsItr.hasNext()) {<a name="line.747"></a> +<span class="sourceLineNo">748</span> Tag tag = tagsItr.next();<a name="line.748"></a> +<span class="sourceLineNo">749</span> if (tag.getType() != TagType.VISIBILITY_TAG_TYPE<a name="line.749"></a> +<span class="sourceLineNo">750</span> && tag.getType() != TagType.VISIBILITY_EXP_SERIALIZATION_FORMAT_TAG_TYPE) {<a name="line.750"></a> +<span class="sourceLineNo">751</span> tags.add(tag);<a name="line.751"></a> +<span class="sourceLineNo">752</span> }<a name="line.752"></a> +<span class="sourceLineNo">753</span> }<a name="line.753"></a> +<span class="sourceLineNo">754</span> }<a name="line.754"></a> +<span class="sourceLineNo">755</span><a name="line.755"></a> +<span class="sourceLineNo">756</span> Cell rewriteCell = new TagRewriteCell(newCell, Tag.fromList(tags));<a name="line.756"></a> +<span class="sourceLineNo">757</span> return rewriteCell;<a name="line.757"></a> +<span class="sourceLineNo">758</span> }<a name="line.758"></a> +<span class="sourceLineNo">759</span><a name="line.759"></a> +<span class="sourceLineNo">760</span> @Override<a name="line.760"></a> +<span class="sourceLineNo">761</span> public Service getService() {<a name="line.761"></a> +<span class="sourceLineNo">762</span> return VisibilityLabelsProtos.VisibilityLabelsService.newReflectiveService(this);<a name="line.762"></a> +<span class="sourceLineNo">763</span> }<a name="line.763"></a> +<span class="sourceLineNo">764</span><a name="line.764"></a> +<span class="sourceLineNo">765</span> @Override<a name="line.765"></a> +<span class="sourceLineNo">766</span> public boolean postScannerFilterRow(final ObserverContext<RegionCoprocessorEnvironment> e,<a name="line.766"></a> +<span class="sourceLineNo">767</span> final InternalScanner s, final Cell curRowCell, final boolean hasMore) throws IOException {<a name="line.767"></a> +<span class="sourceLineNo">768</span> // Impl in BaseRegionObserver might do unnecessary copy for Off heap backed Cells.<a name="line.768"></a> +<span class="sourceLineNo">769</span> return hasMore;<a name="line.769"></a> +<span class="sourceLineNo">770</span> }<a name="line.770"></a> +<span class="sourceLineNo">771</span><a name="line.771"></a> +<span class="sourceLineNo">772</span> /****************************** VisibilityEndpoint service related methods ******************************/<a name="line.772"></a> +<span class="sourceLineNo">773</span> @Override<a name="line.773"></a> +<span class="sourceLineNo">774</span> public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request,<a name="line.774"></a> +<span class="sourceLineNo">775</span> RpcCallback<VisibilityLabelsResponse> done) {<a name="line.775"></a> +<span class="sourceLineNo">776</span> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.776"></a> +<span class="sourceLineNo">777</span> List<VisibilityLabel> visLabels = request.getVisLabelList();<a name="line.777"></a> +<span class="sourceLineNo">778</span> if (!initialized) {<a name="line.778"></a> +<span class="sourceLineNo">779</span> setExceptionResults(visLabels.size(),<a name="line.779"></a> +<span class="sourceLineNo">780</span> new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.780"></a> +<span class="sourceLineNo">781</span> response);<a name="line.781"></a> +<span class="sourceLineNo">782</span> } else {<a name="line.782"></a> +<span class="sourceLineNo">783</span> List<byte[]> labels = new ArrayList<byte[]>(visLabels.size());<a name="line.783"></a> +<span class="sourceLineNo">784</span> try {<a name="line.784"></a> +<span class="sourceLineNo">785</span> if (authorizationEnabled) {<a name="line.785"></a> +<span class="sourceLineNo">786</span> checkCallingUserAuth();<a name="line.786"></a> +<span class="sourceLineNo">787</span> }<a name="line.787"></a> +<span class="sourceLineNo">788</span> RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.788"></a> +<span class="sourceLineNo">789</span> for (VisibilityLabel visLabel : visLabels) {<a name="line.789"></a> +<span class="sourceLineNo">790</span> byte[] label = visLabel.getLabel().toByteArray();<a name="line.790"></a> +<span class="sourceLineNo">791</span> labels.add(label);<a name="line.791"></a> +<span class="sourceLineNo">792</span> response.addResult(successResult); // Just mark as success. Later it will get reset<a name="line.792"></a> +<span class="sourceLineNo">793</span> // based on the result from<a name="line.793"></a> +<span class="sourceLineNo">794</span> // visibilityLabelService.addLabels ()<a name="line.794"></a> +<span class="sourceLineNo">795</span> }<a name="line.795"></a> +<span class="sourceLineNo">796</span> if (!labels.isEmpty()) {<a name="line.796"></a> +<span class="sourceLineNo">797</span> OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);<a name="line.797"></a> +<span class="sourceLineNo">798</span> logResult(true, "addLabels", "Adding labels allowed", null, labels, null);<a name="line.798"></a> +<span class="sourceLineNo">799</span> int i = 0;<a name="line.799"></a> +<span class="sourceLineNo">800</span> for (OperationStatus status : opStatus) {<a name="line.800"></a> +<span class="sourceLineNo">801</span> while (response.getResult(i) != successResult)<a name="line.801"></a> +<span class="sourceLineNo">802</span> i++;<a name="line.802"></a> +<span class="sourceLineNo">803</span> if (status.getOperationStatusCode() != SUCCESS) {<a name="line.803"></a> +<span class="sourceLineNo">804</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.804"></a> +<span class="sourceLineNo">805</span> failureResultBuilder.setException(ResponseConverter<a name="line.805"></a> +<span class="sourceLineNo">806</span> .buildException(new DoNotRetryIOException(status.getExceptionMsg())));<a name="line.806"></a> +<span class="sourceLineNo">807</span> response.setResult(i, failureResultBuilder.build());<a name="line.807"></a> +<span class="sourceLineNo">808</span> }<a name="line.808"></a> +<span class="sourceLineNo">809</span> i++;<a name="line.809"></a> +<span class="sourceLineNo">810</span> }<a name="line.810"></a> +<span class="sourceLineNo">811</span> }<a name="line.811"></a> +<span class="sourceLineNo">812</span> } catch (AccessDeniedException e) {<a name="line.812"></a> +<span class="sourceLineNo">813</span> logResult(false, "addLabels", e.getMessage(), null, labels, null);<a name="line.813"></a> +<span class="sourceLineNo">814</span> LOG.error("User is not having required permissions to add labels", e);<a name="line.814"></a> +<span class="sourceLineNo">815</span> setExceptionResults(visLabels.size(), e, response);<a name="line.815"></a> +<span class="sourceLineNo">816</span> } catch (IOException e) {<a name="line.816"></a> +<span class="sourceLineNo">817</span> LOG.error(e);<a name="line.817"></a> +<span class="sourceLineNo">818</span> setExceptionResults(visLabels.size(), e, response);<a name="line.818"></a> +<span class="sourceLineNo">819</span> }<a name="line.819"></a> +<span class="sourceLineNo">820</span> }<a name="line.820"></a> +<span class="sourceLineNo">821</span> done.run(response.build());<a name="line.821"></a> +<span class="sourceLineNo">822</span> }<a name="line.822"></a> +<span class="sourceLineNo">823</span><a name="line.823"></a> +<span class="sourceLineNo">824</span> private void setExceptionResults(int size, IOException e,<a name="line.824"></a> +<span class="sourceLineNo">825</span> VisibilityLabelsResponse.Builder response) {<a name="line.825"></a> +<span class="sourceLineNo">826</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.826"></a> +<span class="sourceLineNo">827</span> failureResultBuilder.setException(ResponseConverter.buildException(e));<a name="line.827"></a> +<span class="sourceLineNo">828</span> RegionActionResult failureResult = failureResultBuilder.build();<a name="line.828"></a> +<span class="sourceLineNo">829</span> for (int i = 0; i < size; i++) {<a name="line.829"></a> +<span class="sourceLineNo">830</span> response.addResult(i, failureResult);<a name="line.830"></a> +<span class="sourceLineNo">831</span> }<a name="line.831"></a> +<span class="sourceLineNo">832</span> }<a name="line.832"></a> +<span class="sourceLineNo">833</span><a name="line.833"></a> +<span class="sourceLineNo">834</span> @Override<a name="line.834"></a>
<TRUNCATED>
