use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.
the class TransformingIterator method canSee.
/**
* Indicates whether or not the user is able to see {@code key}. If the user has not supplied authorizations, or the iterator is not in the scan scope, then
* this method simply returns {@code true}. Otherwise, {@code key}'s column visibility is tested against the user-supplied authorizations, and the test result
* is returned. For performance, the test results are cached so that the same visibility is not tested multiple times.
*
* @param key
* the key to test
* @return {@code true} if the key is visible or iterator is not scanning, and {@code false} if not
*/
protected boolean canSee(Key key) {
  // The visibility may have been rewritten by the transformation, so it has to parse before the
  // key is used at all. This check runs even when the visibility is never evaluated below.
  final ByteSequence visibility = key.getColumnVisibilityData();
  ColumnVisibility parsedVisibility = null;
  final Boolean parsesCleanly = (Boolean) parsedVisibilitiesCache.get(visibility);
  if (parsesCleanly != null) {
    if (!parsesCleanly) {
      // Already recorded as malformed: hide the key while scanning, otherwise refuse to continue.
      if (!scanning) {
        throw new IllegalStateException();
      }
      return false;
    }
  } else {
    try {
      parsedVisibility = new ColumnVisibility(visibility.toArray());
      parsedVisibilitiesCache.put(visibility, Boolean.TRUE);
    } catch (BadArgumentException e) {
      log.error("Parse error after transformation : {}", visibility);
      // Record the failure so the same bytes are not parsed again, then fail closed: the key is
      // hidden from a scan, and outside of a scan the parse error is propagated to the caller.
      parsedVisibilitiesCache.put(visibility, Boolean.FALSE);
      if (!scanning) {
        throw e;
      }
      return false;
    }
  }

  Boolean visible = canSeeColumnFamily(key);
  // The column-family answer is final when not scanning, when it is already a denial, when there
  // is no evaluator or cache to use, or when the visibility is empty.
  final boolean skipEvaluation =
      !scanning || !visible || ve == null || visibleCache == null || visibility.length() == 0;
  if (skipEvaluation) {
    return visible;
  }

  final Boolean cachedVerdict = (Boolean) visibleCache.get(visibility);
  if (cachedVerdict != null) {
    return cachedVerdict;
  }

  try {
    // Reuse the expression parsed above when there is one; it is null after a parse-cache hit.
    if (parsedVisibility == null) {
      parsedVisibility = new ColumnVisibility(visibility.toArray());
    }
    visible = ve.evaluate(parsedVisibility);
    visibleCache.put(visibility, visible);
  } catch (VisibilityParseException | BadArgumentException e) {
    // An evaluation failure is treated as "not visible"; the denial is not written to the cache.
    log.error("Parse Error", e);
    visible = Boolean.FALSE;
  }
  return visible;
}
use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.
the class ConditionalWriterImpl method isVisible.
/**
 * Evaluates a column visibility against {@code ve}, caching successful evaluations.
 *
 * <p>An empty visibility is always visible. A visibility that fails to parse or evaluate is
 * reported as not visible, and that denial is not cached.
 *
 * @param cv
 *          the raw column visibility bytes
 * @return {@code true} if the visibility is empty or evaluates to true, {@code false} otherwise
 */
private boolean isVisible(ByteSequence cv) {
  final Text expression = new Text(cv.toArray());
  if (expression.getLength() == 0) {
    return true;
  }

  final Boolean cachedVerdict = cache.get(expression);
  if (cachedVerdict != null) {
    return cachedVerdict;
  }

  Boolean verdict;
  try {
    verdict = ve.evaluate(new ColumnVisibility(expression));
    // The cache gets its own copy of the Text as the key.
    cache.put(new Text(expression), verdict);
  } catch (VisibilityParseException | BadArgumentException e) {
    // Fails closed. NOTE(review): the failure is dropped without a log entry, so a malformed
    // visibility is indistinguishable from an ordinary denial when troubleshooting.
    return false;
  }
  return verdict;
}
use of org.apache.accumulo.core.security.VisibilityParseException in project incubator-rya by apache.
the class DocumentVisibilityUtil method doesUserHaveDocumentAccess.
/**
* Checks if the user's authorizations allow them to have access to the
* provided document based on its document visibility.
* @param authorizations the {@link Authorizations}.
* @param documentVisibility the {@link DocumentVisibility}.
* @param doesEmptyAccessPass {@code true} if empty authorizations are
* allowed access to everything. {@code false} otherwise.
* @return {@code true} if the user has access to the document.
* {@code false} otherwise.
*/
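public static boolean doesUserHaveDocumentAccess(final Authorizations authorizations, final DocumentVisibility documentVisibility, final boolean doesEmptyAccessPass) {
  // NOTE(review): a null argument is replaced by ALL_AUTHORIZATIONS, so when doesEmptyAccessPass
  // is set a null caller value takes the unconditional-accept branch below. Callers should
  // confirm that null can never be the outcome of a failed authorization lookup.
  final Authorizations userAuths = authorizations != null ? authorizations : MongoDbRdfConstants.ALL_AUTHORIZATIONS;
  final VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(userAuths);

  // The document visibility is not evaluated on this path.
  if (doesEmptyAccessPass && MongoDbRdfConstants.ALL_AUTHORIZATIONS.equals(userAuths)) {
    return true;
  }

  try {
    return visibilityEvaluator.evaluate(documentVisibility);
  } catch (final VisibilityParseException e) {
    // Deny access when the visibility cannot be evaluated, and keep the cause in the log so the
    // offending expression can be diagnosed.
    log.error("Could not parse document visibility.", e);
    return false;
  }
}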
use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.
the class VisibilityFilter method accept.
@Override
protected boolean accept(Key k, Value v) {
  // Decides whether the entry is visible by evaluating its column visibility with ve. An entry
  // with an empty visibility is judged by defaultVisibility, and is accepted outright when that
  // is empty as well.
  ByteSequence expression = k.getColumnVisibilityData();
  if (expression.length() == 0) {
    if (defaultVisibility.length() == 0) {
      return true;
    }
    expression = defaultVisibility;
  }

  final Boolean cachedVerdict = (Boolean) cache.get(expression);
  if (cachedVerdict != null) {
    return cachedVerdict;
  }

  Boolean verdict;
  try {
    verdict = ve.evaluate(new ColumnVisibility(expression.toArray()));
    cache.put(expression, verdict);
  } catch (VisibilityParseException | BadArgumentException e) {
    // Fails closed: an unparseable visibility hides the entry. The denial is not cached, so the
    // same bad visibility is parsed and logged again each time it is seen.
    log.error("Parse Error", e);
    return false;
  }
  return verdict;
}
use of org.apache.accumulo.core.security.VisibilityParseException in project accumulo by apache.
the class VisibilityConstraint method check.
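@Override
public List<Short> check(Environment env, Mutation mutation) {
  // Checks that every non-empty column visibility in the mutation evaluates to true against the
  // authorizations supplied by env. Returns a single-element list holding 1 when a visibility
  // cannot be parsed or evaluated, 2 when it evaluates to false, and null when every update passes.
  final List<ColumnUpdate> updates = mutation.getUpdates();

  // Visibilities that already passed are remembered only when there is more than one update.
  HashSet<String> ok = null;
  if (updates.size() > 1) {
    ok = new HashSet<>();
  }

  VisibilityEvaluator ve = null;
  for (ColumnUpdate update : updates) {
    final byte[] cv = update.getColumnVisibility();
    if (cv.length == 0) {
      continue;
    }

    String key = null;
    if (ok != null) {
      // The key must identify the exact bytes. Decoding as UTF-8 replaces every malformed
      // sequence with U+FFFD, so two different byte strings could share a key and the second
      // would skip evaluation. ISO-8859-1 maps each byte to exactly one char, so distinct
      // visibilities always get distinct keys. Whether two colliding visibilities could both
      // get past ColumnVisibility parsing is not visible from this method.
      key = new String(cv, java.nio.charset.StandardCharsets.ISO_8859_1);
      if (ok.contains(key)) {
        continue;
      }
    }

    try {
      // Built lazily so a mutation with only empty visibilities never asks for authorizations.
      if (ve == null) {
        ve = new VisibilityEvaluator(env.getAuthorizationsContainer());
      }
      if (!ve.evaluate(new ColumnVisibility(cv))) {
        return Collections.singletonList((short) 2);
      }
    } catch (BadArgumentException | VisibilityParseException bae) {
      return Collections.singletonList((short) 1);
    }

    if (ok != null) {
      ok.add(key);
    }
  }
  return null;
}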