View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.visibility;
19  
20  import java.io.IOException;
21  import java.util.ArrayList;
22  import java.util.Collections;
23  import java.util.HashMap;
24  import java.util.HashSet;
25  import java.util.List;
26  import java.util.Map;
27  import java.util.Set;
28  import java.util.concurrent.locks.ReentrantReadWriteLock;
29  
30  import org.apache.commons.logging.Log;
31  import org.apache.commons.logging.LogFactory;
32  import org.apache.hadoop.conf.Configuration;
33  import org.apache.hadoop.hbase.classification.InterfaceAudience;
34  import org.apache.hadoop.hbase.exceptions.DeserializationException;
35  import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.MultiUserAuthorizations;
36  import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.UserAuthorizations;
37  import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabel;
38  import org.apache.hadoop.hbase.security.access.AccessControlLists;
39  import org.apache.hadoop.hbase.util.Bytes;
40  import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
41  import org.apache.zookeeper.KeeperException;
42  
43  /**
44   * Maintains the cache for visibility labels and also uses the zookeeper to update the labels in the
45   * system. The cache updation happens based on the data change event that happens on the zookeeper
46   * znode for labels table
47   */
48  @InterfaceAudience.Private
49  public class VisibilityLabelsCache implements VisibilityLabelOrdinalProvider {
50  
51    private static final Log LOG = LogFactory.getLog(VisibilityLabelsCache.class);
52    private static final int NON_EXIST_LABEL_ORDINAL = 0;
53    private static final List<String> EMPTY_LIST = Collections.emptyList();
54    private static final Set<Integer> EMPTY_SET = Collections.emptySet();
55    private static VisibilityLabelsCache instance;
56  
57    private ZKVisibilityLabelWatcher zkVisibilityWatcher;
58    private Map<String, Integer> labels = new HashMap<String, Integer>();
59    private Map<Integer, String> ordinalVsLabels = new HashMap<Integer, String>();
60    private Map<String, Set<Integer>> userAuths = new HashMap<String, Set<Integer>>();
61    private Map<String, Set<Integer>> groupAuths = new HashMap<String, Set<Integer>>();
62  
63    /**
64     * This covers the members labels, ordinalVsLabels and userAuths
65     */
66    private ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
67  
68    private VisibilityLabelsCache(ZooKeeperWatcher watcher, Configuration conf) throws IOException {
69      zkVisibilityWatcher = new ZKVisibilityLabelWatcher(watcher, this, conf);
70      try {
71        zkVisibilityWatcher.start();
72      } catch (KeeperException ke) {
73        LOG.error("ZooKeeper initialization failed", ke);
74        throw new IOException(ke);
75      }
76    }
77  
78    /**
79     * Creates the singleton instance, if not yet present, and returns the same.
80     * @param watcher
81     * @param conf
82     * @return Singleton instance of VisibilityLabelsCache
83     * @throws IOException
84     */
85    public synchronized static VisibilityLabelsCache createAndGet(ZooKeeperWatcher watcher,
86        Configuration conf) throws IOException {
87      // VisibilityLabelService#init() for different regions (in same RS) passes same instance of
88      // watcher as all get the instance from RS.
89      // watcher != instance.zkVisibilityWatcher.getWatcher() - This check is needed only in UTs with
90      // RS restart. It will be same JVM in which RS restarts and instance will be not null. But the
91      // watcher associated with existing instance will be stale as the restarted RS will have new
92      // watcher with it.
93      if (instance == null || watcher != instance.zkVisibilityWatcher.getWatcher()) {
94        instance = new VisibilityLabelsCache(watcher, conf);
95      }
96      return instance;
97    }
98  
99    /**
100    * @return Singleton instance of VisibilityLabelsCache
101    * @throws IllegalStateException
102    *           when this is called before calling
103    *           {@link #createAndGet(ZooKeeperWatcher, Configuration)}
104    */
105   public static VisibilityLabelsCache get() {
106     // By the time this method is called, the singleton instance of VisibilityLabelsCache should
107     // have been created.
108     if (instance == null) {
109       throw new IllegalStateException("VisibilityLabelsCache not yet instantiated");
110     }
111     return instance;
112   }
113 
114   public void refreshLabelsCache(byte[] data) throws IOException {
115     List<VisibilityLabel> visibilityLabels = null;
116     try {
117       visibilityLabels = VisibilityUtils.readLabelsFromZKData(data);
118     } catch (DeserializationException dse) {
119       throw new IOException(dse);
120     }
121     this.lock.writeLock().lock();
122     try {
123       labels.clear();
124       ordinalVsLabels.clear();
125       for (VisibilityLabel visLabel : visibilityLabels) {
126         String label = Bytes.toString(visLabel.getLabel().toByteArray());
127         labels.put(label, visLabel.getOrdinal());
128         ordinalVsLabels.put(visLabel.getOrdinal(), label);
129       }
130     } finally {
131       this.lock.writeLock().unlock();
132     }
133   }
134 
135   public void refreshUserAuthsCache(byte[] data) throws IOException {
136     MultiUserAuthorizations multiUserAuths = null;
137     try {
138       multiUserAuths = VisibilityUtils.readUserAuthsFromZKData(data);
139     } catch (DeserializationException dse) {
140       throw new IOException(dse);
141     }
142     this.lock.writeLock().lock();
143     try {
144       this.userAuths.clear();
145       this.groupAuths.clear();
146       for (UserAuthorizations userAuths : multiUserAuths.getUserAuthsList()) {
147         String user = Bytes.toString(userAuths.getUser().toByteArray());
148         if (AccessControlLists.isGroupPrincipal(user)) {
149           this.groupAuths.put(AccessControlLists.getGroupName(user),
150             new HashSet<Integer>(userAuths.getAuthList()));
151         } else {
152           this.userAuths.put(user, new HashSet<Integer>(userAuths.getAuthList()));
153         }
154       }
155     } finally {
156       this.lock.writeLock().unlock();
157     }
158   }
159 
160   /**
161    * @param label Not null label string
162    * @return The ordinal for the label. The ordinal starts from 1. Returns 0 when passed a non
163    *         existing label.
164    */
165   @Override
166   public int getLabelOrdinal(String label) {
167     Integer ordinal = null;
168     this.lock.readLock().lock();
169     try {
170       ordinal = labels.get(label);
171     } finally {
172       this.lock.readLock().unlock();
173     }
174     if (ordinal != null) {
175       return ordinal.intValue();
176     }
177     // 0 denotes not available
178     return NON_EXIST_LABEL_ORDINAL;
179   }
180 
181   /**
182    * @param ordinal The ordinal of label which we are looking for.
183    * @return The label having the given ordinal. Returns <code>null</code> when no label exist in
184    *         the system with given ordinal
185    */
186   @Override
187   public String getLabel(int ordinal) {
188     this.lock.readLock().lock();
189     try {
190       return this.ordinalVsLabels.get(ordinal);
191     } finally {
192       this.lock.readLock().unlock();
193     }
194   }
195 
196   /**
197    * @return The total number of visibility labels.
198    */
199   public int getLabelsCount() {
200     this.lock.readLock().lock();
201     try {
202       return this.labels.size();
203     } finally {
204       this.lock.readLock().unlock();
205     }
206   }
207 
208   public List<String> getUserAuths(String user) {
209     List<String> auths = EMPTY_LIST;
210     Set<Integer> authOrdinals = getUserAuthsAsOrdinals(user);
211     if (!authOrdinals.equals(EMPTY_SET)) {
212       auths = new ArrayList<String>(authOrdinals.size());
213       for (Integer authOrdinal : authOrdinals) {
214         auths.add(ordinalVsLabels.get(authOrdinal));
215       }
216     }
217     return auths;
218   }
219 
220   public List<String> getGroupAuths(String[] groups) {
221     List<String> auths = EMPTY_LIST;
222     Set<Integer> authOrdinals = getGroupAuthsAsOrdinals(groups);
223     if (!authOrdinals.equals(EMPTY_SET)) {
224       auths = new ArrayList<String>(authOrdinals.size());
225       for (Integer authOrdinal : authOrdinals) {
226         auths.add(ordinalVsLabels.get(authOrdinal));
227       }
228     }
229     return auths;
230   }
231 
232   /**
233    * Returns the list of ordinals of labels associated with the user
234    *
235    * @param user Not null value.
236    * @return the list of ordinals
237    */
238   public Set<Integer> getUserAuthsAsOrdinals(String user) {
239     this.lock.readLock().lock();
240     try {
241       Set<Integer> auths = userAuths.get(user);
242       return (auths == null) ? EMPTY_SET : auths;
243     } finally {
244       this.lock.readLock().unlock();
245     }
246   }
247 
248   /**
249    * Returns the list of ordinals of labels associated with the groups
250    *
251    * @param groups
252    * @return the list of ordinals
253    */
254   public Set<Integer> getGroupAuthsAsOrdinals(String[] groups) {
255     this.lock.readLock().lock();
256     try {
257       Set<Integer> authOrdinals = new HashSet<Integer>();
258       if (groups != null && groups.length > 0) {
259         Set<Integer> groupAuthOrdinals = null;
260         for (String group : groups) {
261           groupAuthOrdinals = groupAuths.get(group);
262           if (groupAuthOrdinals != null && !groupAuthOrdinals.isEmpty()) {
263             authOrdinals.addAll(groupAuthOrdinals);
264           }
265         }
266       }
267       return (authOrdinals.isEmpty()) ? EMPTY_SET : authOrdinals;
268     } finally {
269       this.lock.readLock().unlock();
270     }
271   }
272 
273   public void writeToZookeeper(byte[] data, boolean labelsOrUserAuths) {
274     this.zkVisibilityWatcher.writeToZookeeper(data, labelsOrUserAuths);
275   }
276 }