openinx commented on a change in pull request #336: HBASE-22580 Add a table 
attribute to make user scan snapshot feature configurable for table
URL: https://github.com/apache/hbase/pull/336#discussion_r298162008
 
 

 ##########
 File path: 
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclHelper.java
 ##########
 @@ -447,28 +458,80 @@ private void setTableAcl(TableName tableName, 
Set<String> users)
         .collect(Collectors.toList());
   }
 
+  /**
+   * Return users with global read permission
+   * @return users with global read permission
+   * @throws IOException if an error occurred
+   */
+  private Set<String> getUsersWithGlobalReadAction() throws IOException {
+    return 
getUsersWithReadAction(PermissionStorage.getGlobalPermissions(conf));
+  }
+
   /**
    * Return users with namespace read permission
    * @param namespace the namespace
+   * @param includeGlobal true if include users with global read action
    * @return users with namespace read permission
    * @throws IOException if an error occurred
    */
-  private Set<String> getUsersWithNamespaceReadAction(String namespace) throws 
IOException {
-    return PermissionStorage.getNamespacePermissions(conf, 
namespace).entries().stream()
-        .filter(entry -> entry.getValue().getPermission().implies(READ))
-        .map(entry -> entry.getKey()).collect(Collectors.toSet());
+  Set<String> getUsersWithNamespaceReadAction(String namespace, boolean 
includeGlobal)
+      throws IOException {
+    Set<String> users =
+        getUsersWithReadAction(PermissionStorage.getNamespacePermissions(conf, 
namespace));
+    if (includeGlobal) {
+      users.addAll(getUsersWithGlobalReadAction());
+    }
+    return users;
   }
 
   /**
    * Return users with table read permission
    * @param tableName the table
+   * @param includeNamespace true if include users with namespace read action
+   * @param includeGlobal true if include users with global read action
    * @return users with table read permission
    * @throws IOException if an error occurred
    */
-  private Set<String> getUsersWithTableReadAction(TableName tableName) throws 
IOException {
-    return PermissionStorage.getTablePermissions(conf, 
tableName).entries().stream()
-        .filter(entry -> entry.getValue().getPermission().implies(READ))
-        .map(entry -> entry.getKey()).collect(Collectors.toSet());
+  Set<String> getUsersWithTableReadAction(TableName tableName, boolean 
includeNamespace,
+      boolean includeGlobal) throws IOException {
+    Set<String> users =
+        getUsersWithReadAction(PermissionStorage.getTablePermissions(conf, 
tableName));
+    if (includeNamespace) {
+      users
+          
.addAll(getUsersWithNamespaceReadAction(tableName.getNamespaceAsString(), 
includeGlobal));
+    }
+    return users;
+  }
+
+  private Set<String>
+      getUsersWithReadAction(ListMultimap<String, UserPermission> 
permissionMultimap) {
+    return permissionMultimap.entries().stream()
+        .filter(entry -> checkUserPermission(entry.getValue())).map(entry -> 
entry.getKey())
+        .collect(Collectors.toSet());
+  }
+
+  private boolean checkUserPermission(UserPermission userPermission) {
+    boolean result = containReadAction(userPermission);
+    if (result && userPermission.getPermission() instanceof TablePermission) {
+      result = checkTablePermissionHasNoCfOrCq((TablePermission) 
userPermission.getPermission());
+    }
+    return result;
+  }
+
+  boolean containReadAction(UserPermission userPermission) {
+    return userPermission.getPermission().implies(Permission.Action.READ);
+  }
+
+  boolean checkTablePermissionHasNoCfOrCq(TablePermission tablePermission) {
+    return !tablePermission.hasFamily() && !tablePermission.hasQualifier();
+  }
+
+  boolean isTableUserScanSnapshotEnabled(TableDescriptor tableDescriptor) {
+    String value = tableDescriptor.getValue(USER_SCAN_SNAPSHOT_ENABLE);
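Review bot: In `getUsersWithTableReadAction`, `includeGlobal` is honoured only when `includeNamespace` is also true, because global readers are added solely through the nested `getUsersWithNamespaceReadAction(..., includeGlobal)` call. A call with `(tableName, false, true)` would silently return table-level readers only. Since this set appears to drive which users receive HDFS ACLs, a silently narrower result is worth either handling or documenting. Either add `} else if (includeGlobal) { users.addAll(getUsersWithGlobalReadAction()); }` after the `includeNamespace` branch, or state in the Javadoc that `includeGlobal` takes effect only together with `includeNamespace`. Separately, both methods call `addAll` on the result of `Collectors.toSet()`, which does not guarantee a mutable set, so `Collectors.toCollection(HashSet::new)` in `getUsersWithReadAction` would be safer. The quoted hunk stops inside `isTableUserScanSnapshotEnabled`, so that method is not reviewed here.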
 
 Review comment:
   The flag should mean whether we will sync the table access to the HDFS file
ACLs? I think we should use a clearer name.
