
Example 1 with VisibilityParseException

use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.

the class TransformingIterator method canSee.

/**
 * Indicates whether or not the user is able to see {@code key}. If the user has not supplied authorizations, or the iterator is not in the scan scope, then
 * this method simply returns {@code true}. Otherwise, {@code key}'s column visibility is tested against the user-supplied authorizations, and the test result
 * is returned. For performance, the test results are cached so that the same visibility is not tested multiple times.
 *
 * @param key
 *          the key to test
 * @return {@code true} if the key is visible or iterator is not scanning, and {@code false} if not
 */
protected boolean canSee(Key key) {
    // The visibility may have been rewritten by the transformation, so it has to parse
    // in every case, including when it is never evaluated against authorizations below.
    ByteSequence cvBytes = key.getColumnVisibilityData();
    ColumnVisibility parsedVis = null;
    Boolean parsesOk = (Boolean) parsedVisibilitiesCache.get(cvBytes);
    if (parsesOk == null) {
        // First time this visibility is seen: parse it and remember the outcome.
        try {
            parsedVis = new ColumnVisibility(cvBytes.toArray());
            parsedVisibilitiesCache.put(cvBytes, Boolean.TRUE);
        } catch (BadArgumentException e) {
            log.error("Parse error after transformation : {}", cvBytes);
            parsedVisibilitiesCache.put(cvBytes, Boolean.FALSE);
            // Outside a scan the parse failure is propagated to the caller;
            // during a scan the key is hidden instead (fail closed).
            if (!scanning) {
                throw e;
            }
            return false;
        }
    } else if (!parsesOk) {
        // Already known to be unparseable: same policy as above, but the original
        // exception is no longer available, so a bare IllegalStateException is raised.
        if (!scanning) {
            throw new IllegalStateException();
        }
        return false;
    }

    Boolean visible = canSeeColumnFamily(key);
    // No authorization test is performed when not scanning, when the column family check
    // already failed, when no evaluator or cache is configured, or when the visibility is empty.
    if (!scanning || !visible || ve == null || visibleCache == null || cvBytes.length() == 0) {
        return visible;
    }

    Boolean cachedVerdict = (Boolean) visibleCache.get(cvBytes);
    if (cachedVerdict != null) {
        return cachedVerdict;
    }
    try {
        // parsedVis is only set when the parse happened in this call; on a parse-cache hit
        // the expression has to be parsed again here.
        if (parsedVis == null) {
            parsedVis = new ColumnVisibility(cvBytes.toArray());
        }
        Boolean verdict = ve.evaluate(parsedVis);
        visibleCache.put(cvBytes, verdict);
        return verdict;
    } catch (VisibilityParseException | BadArgumentException e) {
        // Fail closed: an evaluation error hides the key. The denial is not cached.
        log.error("Parse Error", e);
        return Boolean.FALSE;
    }
}
Also used : BadArgumentException(org.apache.accumulo.core.util.BadArgumentException) ColumnVisibility(org.apache.accumulo.core.security.ColumnVisibility) ByteSequence(org.apache.accumulo.core.data.ByteSequence) VisibilityParseException(org.apache.accumulo.core.security.VisibilityParseException)

Example 2 with VisibilityParseException

use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.

the class ConditionalWriterImpl method isVisible.

/**
 * Tests a column visibility against the evaluator {@code ve}, caching successful evaluations.
 *
 * <p>An empty visibility is always visible. A visibility that cannot be parsed or evaluated is
 * treated as not visible (fail closed); that outcome is neither logged nor cached here, so the
 * same malformed expression is evaluated again on the next call.
 *
 * @param cv
 *          the raw column visibility bytes
 * @return {@code true} if the visibility is empty or the evaluator accepts it, {@code false} otherwise
 */
private boolean isVisible(ByteSequence cv) {
    Text visibilityText = new Text(cv.toArray());
    if (visibilityText.getLength() == 0) {
        return true;
    }

    Boolean verdict = cache.get(visibilityText);
    if (verdict == null) {
        try {
            verdict = ve.evaluate(new ColumnVisibility(visibilityText));
            // A separate Text copy is stored as the cache key.
            cache.put(new Text(visibilityText), verdict);
        } catch (VisibilityParseException | BadArgumentException e) {
            // Deny on any parse or evaluation failure.
            return false;
        }
    }
    return verdict;
}
Also used : BadArgumentException(org.apache.accumulo.core.util.BadArgumentException) Text(org.apache.hadoop.io.Text) ColumnVisibility(org.apache.accumulo.core.security.ColumnVisibility) VisibilityParseException(org.apache.accumulo.core.security.VisibilityParseException)

Example 3 with VisibilityParseException

use of org.apache.accumulo.core.security.VisibilityParseException in project incubator-rya by apache.

the class DocumentVisibilityUtil method doesUserHaveDocumentAccess.

/**
 * Checks if the user's authorizations allows them to have access to the
 * provided document based on its document visibility.
 * @param authorizations the {@link Authorizations}.
 * @param documentVisibility the {@link DocumentVisibility}.
 * @param doesEmptyAccessPass {@code true} if an empty authorization pass
 * allows access to everything. {@code false} otherwise.
 * @return {@code true} if the user has access to the document.
 * {@code false} otherwise.
 */
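public static boolean doesUserHaveDocumentAccess(final Authorizations authorizations, final DocumentVisibility documentVisibility, final boolean doesEmptyAccessPass) {
    // NOTE(review): a null authorizations argument is replaced by
    // MongoDbRdfConstants.ALL_AUTHORIZATIONS, so together with doesEmptyAccessPass == true
    // a caller that passes null is granted access to every document. Confirm that callers
    // never pass null for an unauthenticated or unknown user.
    final Authorizations userAuths = authorizations != null ? authorizations : MongoDbRdfConstants.ALL_AUTHORIZATIONS;

    // Shortcut: the visibility expression is not evaluated at all on this path.
    if (doesEmptyAccessPass && MongoDbRdfConstants.ALL_AUTHORIZATIONS.equals(userAuths)) {
        return true;
    }

    // The evaluator is only needed when the shortcut above does not apply.
    final VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(userAuths);
    try {
        return visibilityEvaluator.evaluate(documentVisibility);
    } catch (final VisibilityParseException e) {
        // Fail closed: an unparseable visibility denies access. The exception is passed to
        // the logger so the denial can be traced back to the offending expression.
        log.error("Could not parse document visibility.", e);
        return false;
    }
}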
Also used : Authorizations(org.apache.accumulo.core.security.Authorizations) VisibilityEvaluator(org.apache.accumulo.core.security.VisibilityEvaluator) VisibilityParseException(org.apache.accumulo.core.security.VisibilityParseException)

Example 4 with VisibilityParseException

use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.

the class VisibilityFilter method accept.

/**
 * Accepts an entry when its column visibility is satisfied according to the evaluator {@code ve}.
 *
 * <p>A key with an empty visibility is evaluated with {@code defaultVisibility} instead; when
 * that is empty too, the entry is accepted without evaluation. Successful evaluations are
 * cached per visibility. A visibility that cannot be parsed or evaluated is logged and the
 * entry is rejected (fail closed); that rejection is not cached.
 *
 * @param k
 *          the key whose column visibility is tested
 * @param v
 *          the value of the entry; not read by this method
 * @return {@code true} if the entry is accepted, {@code false} otherwise
 */
@Override
protected boolean accept(Key k, Value v) {
    ByteSequence effectiveVis = k.getColumnVisibilityData();
    if (effectiveVis.length() == 0) {
        if (defaultVisibility.length() == 0) {
            return true;
        }
        // Unlabelled entries are judged by the configured default visibility.
        effectiveVis = defaultVisibility;
    }

    Boolean verdict = (Boolean) cache.get(effectiveVis);
    if (verdict == null) {
        try {
            verdict = ve.evaluate(new ColumnVisibility(effectiveVis.toArray()));
            cache.put(effectiveVis, verdict);
        } catch (VisibilityParseException | BadArgumentException e) {
            log.error("Parse Error", e);
            return false;
        }
    }
    return verdict;
}
Also used : BadArgumentException(org.apache.accumulo.core.util.BadArgumentException) ColumnVisibility(org.apache.accumulo.core.security.ColumnVisibility) ByteSequence(org.apache.accumulo.core.data.ByteSequence) ArrayByteSequence(org.apache.accumulo.core.data.ArrayByteSequence) VisibilityParseException(org.apache.accumulo.core.security.VisibilityParseException)

Example 5 with VisibilityParseException

use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.

the class VisibilityConstraint method check.

/**
 * Checks every column update of a mutation against the authorizations container supplied by
 * {@code env}, so that an update carrying a visibility the evaluator rejects is reported.
 *
 * <p>Updates with an empty column visibility are not checked. When the mutation has more than
 * one update, visibilities that already passed are remembered so each distinct expression is
 * evaluated once.
 *
 * @param env
 *          supplies the authorizations container used for evaluation
 * @param mutation
 *          the mutation whose column updates are checked
 * @return {@code null} when no update is rejected; a single-element list holding {@code 2} when
 *         the evaluator rejects a visibility; a single-element list holding {@code 1} when a
 *         visibility cannot be parsed or evaluated
 */
@Override
public List<Short> check(Environment env, Mutation mutation) {
    List<ColumnUpdate> columnUpdates = mutation.getUpdates();
    // Tracking approved expressions only pays off when there is more than one update.
    HashSet<String> approved = columnUpdates.size() > 1 ? new HashSet<>() : null;
    // Created lazily: a mutation without any labelled update never needs an evaluator.
    VisibilityEvaluator evaluator = null;

    for (ColumnUpdate columnUpdate : columnUpdates) {
        byte[] expression = columnUpdate.getColumnVisibility();
        if (expression.length == 0) {
            continue;
        }

        String expressionText = null;
        if (approved != null) {
            // NOTE(review): the dedup key is the UTF-8 decoding of the raw bytes. Decoding
            // substitutes a replacement character for invalid sequences, so different byte
            // arrays can yield equal Strings; confirm this cannot cause an expression that
            // was never evaluated to be skipped.
            expressionText = new String(expression, UTF_8);
            if (approved.contains(expressionText)) {
                continue;
            }
        }

        try {
            if (evaluator == null) {
                evaluator = new VisibilityEvaluator(env.getAuthorizationsContainer());
            }
            if (!evaluator.evaluate(new ColumnVisibility(expression))) {
                return Collections.singletonList((short) 2);
            }
        } catch (BadArgumentException | VisibilityParseException parseFailure) {
            return Collections.singletonList((short) 1);
        }

        if (approved != null) {
            approved.add(expressionText);
        }
    }
    return null;
}
Also used : BadArgumentException(org.apache.accumulo.core.util.BadArgumentException) ColumnUpdate(org.apache.accumulo.core.data.ColumnUpdate) VisibilityEvaluator(org.apache.accumulo.core.security.VisibilityEvaluator) ColumnVisibility(org.apache.accumulo.core.security.ColumnVisibility) VisibilityParseException(org.apache.accumulo.core.security.VisibilityParseException) HashSet(java.util.HashSet)

Aggregations

VisibilityParseException (org.apache.accumulo.core.security.VisibilityParseException)7 ColumnVisibility (org.apache.accumulo.core.security.ColumnVisibility)6 BadArgumentException (org.apache.accumulo.core.util.BadArgumentException)5 ByteSequence (org.apache.accumulo.core.data.ByteSequence)3 VisibilityEvaluator (org.apache.accumulo.core.security.VisibilityEvaluator)3 HashSet (java.util.HashSet)1 ArrayByteSequence (org.apache.accumulo.core.data.ArrayByteSequence)1 ColumnUpdate (org.apache.accumulo.core.data.ColumnUpdate)1 Authorizations (org.apache.accumulo.core.security.Authorizations)1 Text (org.apache.hadoop.io.Text)1 VertexiumException (org.vertexium.VertexiumException)1