/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hbase.security.access;
import java.util.Collection;
import java.util.Map;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import com.google.common.base.Joiner;
/**
* Represents the result of an authorization check for logging and error
* reporting.
*/
@InterfaceAudience.Private
public class AuthResult {
private boolean allowed;
private final String namespace;
private final TableName table;
private final Permission.Action action;
private final String request;
private String reason;
private final User user;
private AuthResult.Params params;
// "family" and "qualifier" should only be used if "families" is null.
private final byte[] family;
private final byte[] qualifier;
private final Map<byte[], ? extends Collection<?>> families;
public AuthResult(boolean allowed, String request, String reason, User user,
Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
this.allowed = allowed;
this.request = request;
this.reason = reason;
this.user = user;
this.table = table;
this.family = family;
this.qualifier = qualifier;
this.action = action;
this.families = null;
this.namespace = null;
this.params = new Params().setTableName(table).setFamily(family).setQualifier(qualifier);
}
public AuthResult(boolean allowed, String request, String reason, User user,
Permission.Action action, TableName table,
Map<byte[], ? extends Collection<?>> families) {
this.allowed = allowed;
this.request = request;
this.reason = reason;
this.user = user;
this.table = table;
this.family = null;
this.qualifier = null;
this.action = action;
this.families = families;
this.namespace = null;
this.params = new Params().setTableName(table).setFamilies(families);
}
public AuthResult(boolean allowed, String request, String reason, User user,
Permission.Action action, String namespace) {
this.allowed = allowed;
this.request = request;
this.reason = reason;
this.user = user;
this.namespace = namespace;
this.action = action;
this.table = null;
this.family = null;
this.qualifier = null;
this.families = null;
this.params = new Params().setNamespace(namespace);
}
public boolean isAllowed() {
return allowed;
}
public User getUser() {
return user;
}
public String getReason() {
return reason;
}
public TableName getTableName() {
return table;
}
public byte[] getFamily() {
return family;
}
public byte[] getQualifier() {
return qualifier;
}
public Permission.Action getAction() {
return action;
}
public String getRequest() {
return request;
}
public Params getParams() { return this.params;}
public void setAllowed(boolean allowed) {
this.allowed = allowed;
}
public void setReason(String reason) {
this.reason = reason;
}
private static String toFamiliesString(Map<byte[], ? extends Collection<?>> families,
byte[] family, byte[] qual) {
StringBuilder sb = new StringBuilder();
if (families != null) {
boolean first = true;
for (Map.Entry<byte[], ? extends Collection<?>> entry : families.entrySet()) {
String familyName = Bytes.toString(entry.getKey());
if (entry.getValue() != null && !entry.getValue().isEmpty()) {
for (Object o : entry.getValue()) {
String qualifier;
if (o instanceof byte[]) {
qualifier = Bytes.toString((byte[])o);
} else if (o instanceof Cell) {
Cell c = (Cell) o;
qualifier = Bytes.toString(c.getQualifierArray(), c.getQualifierOffset(),
c.getQualifierLength());
} else {
// Shouldn't really reach this?
qualifier = o.toString();
}
if (!first) {
sb.append("|");
}
first = false;
sb.append(familyName).append(":").append(qualifier);
}
} else {
if (!first) {
sb.append("|");
}
first = false;
sb.append(familyName);
}
}
} else if (family != null) {
sb.append(Bytes.toString(family));
if (qual != null) {
sb.append(":").append(Bytes.toString(qual));
}
}
return sb.toString();
}
public String toContextString() {
StringBuilder sb = new StringBuilder();
String familiesString = toFamiliesString(families, family, qualifier);
sb.append("(user=")
.append(user != null ? user.getName() : "UNKNOWN")
.append(", ");
sb.append("scope=")
.append(namespace != null ? namespace :
table == null ? "GLOBAL" : table.getNameWithNamespaceInclAsString())
.append(", ");
if(namespace == null && familiesString.length() > 0) {
sb.append("family=")
.append(familiesString)
.append(", ");
}
String paramsString = params.toString();
if(paramsString.length() > 0) {
sb.append("params=[")
.append(paramsString)
.append("],");
}
sb.append("action=")
.append(action != null ? action.toString() : "")
.append(")");
return sb.toString();
}
public String toString() {
return "AuthResult" + toContextString();
}
public static AuthResult allow(String request, String reason, User user,
Permission.Action action, String namespace) {
return new AuthResult(true, request, reason, user, action, namespace);
}
public static AuthResult allow(String request, String reason, User user,
Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
return new AuthResult(true, request, reason, user, action, table, family, qualifier);
}
public static AuthResult allow(String request, String reason, User user,
Permission.Action action, TableName table,
Map<byte[], ? extends Collection<?>> families) {
return new AuthResult(true, request, reason, user, action, table, families);
}
public static AuthResult deny(String request, String reason, User user,
Permission.Action action, String namespace) {
return new AuthResult(false, request, reason, user, action, namespace);
}
public static AuthResult deny(String request, String reason, User user,
Permission.Action action, TableName table, byte[] family, byte[] qualifier) {
return new AuthResult(false, request, reason, user, action, table, family, qualifier);
}
public static AuthResult deny(String request, String reason, User user,
Permission.Action action, TableName table,
Map<byte[], ? extends Collection<?>> families) {
return new AuthResult(false, request, reason, user, action, table, families);
}
public String toFamilyString() {
return toFamiliesString(families, family, qualifier);
}
public static class Params {
private String namespace = null;
private TableName tableName = null;
private Map<byte[], ? extends Collection<?>> families = null;
byte[] family = null;
byte[] qualifier = null;
public Params setNamespace(String namespace) {
this.namespace = namespace;
return this;
}
public Params setTableName(TableName table) {
this.tableName = table;
return this;
}
public Params setFamilies(Map<byte[], ? extends Collection<?>> families) {
this.families = families;
return this;
}
public Params setFamily(byte[] family) {
this.family = family;
return this;
}
public Params setQualifier(byte[] qualifier) {
this.qualifier = qualifier;
return this;
}
public String toString() {
String familiesString = toFamiliesString(families, family, qualifier);
String[] params = new String[] {
namespace != null ? "namespace=" + namespace : null,
tableName != null ? "table=" + tableName.getNameWithNamespaceInclAsString() : null,
familiesString.length() > 0 ? "family=" + familiesString : null
};
return Joiner.on(",").skipNulls().join(params);
}
}
}