import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
@Override
public boolean canRead(Visibility visibility) {
    Preconditions.checkNotNull(visibility, "visibility is required");

    // this is just a shortcut so that we don't need to construct evaluators and visibility objects to check for an empty string.
    if (visibility.getVisibilityString().length() == 0) {
        return true;
    }

    VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(new org.apache.accumulo.core.security.Authorizations(this.getAuthorizations()));
    ColumnVisibility columnVisibility = new ColumnVisibility(visibility.getVisibilityString());
    try {
        return visibilityEvaluator.evaluate(columnVisibility);
    } catch (VisibilityParseException e) {
        throw new VertexiumException("could not evaluate visibility " + visibility.getVisibilityString(), e);
    }
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
/**
 * Checks if the user's authorizations allows them to have access to the
 * provided document based on its document visibility.
 * @param authorizations the {@link Authorizations}.
 * @param documentVisibility the {@link DocumentVisibility}.
 * @param doesEmptyAccessPass {@code true} if an empty authorization pass
 * allows access to everything. {@code false} otherwise.
 * @return {@code true} if the user has access to the document.
 * {@code false} otherwise.
 */
public static boolean doesUserHaveDocumentAccess(final Authorizations authorizations, final DocumentVisibility documentVisibility, final boolean doesEmptyAccessPass) {
    final Authorizations userAuths = authorizations != null ? authorizations : MongoDbRdfConstants.ALL_AUTHORIZATIONS;
    final VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(userAuths);
    boolean accept = false;
    if (doesEmptyAccessPass && MongoDbRdfConstants.ALL_AUTHORIZATIONS.equals(userAuths)) {
        accept = true;
    } else {
        try {
            accept = visibilityEvaluator.evaluate(documentVisibility);
        } catch (final VisibilityParseException e) {
            log.error("Could not parse document visibility.");
        }
    }

    return accept;
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
/**
 * Validate Accumulo-style visibility expression against a set of authorizations.
 *
 * @param auths Formal authorizations of the user
 * @param visibilityExpression Accumulo-style visibility expression
 * @return true if validation authorizations against visibility expression, false otherwise
 */
public static boolean validateVisibilityExpression(Set<String> auths, String visibilityExpression) {
    if (StringUtils.isBlank(visibilityExpression)) {
        return true; // No visibility to check
    }

    if (auths == null || auths.isEmpty()) {
        return false; // Has visibility but no auths
    }

    final VisibilityEvaluator visEval = new VisibilityEvaluator(
            new org.apache.accumulo.core.security.Authorizations(
                    auths.toArray(new String[] {})));

    try {
        return visEval.evaluate(new ColumnVisibility(visibilityExpression));
    } catch (final VisibilityParseException e) {
        return false;
    }
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
public AccumuloVisibilityFilter(Map<String, Object> params, ESLogger logger) {
    this.logger = logger;

    if (params.get("expressionField") != null) {
        this.securityExpressionField = params.get("expressionField").toString();
    }

    String auths = params.get("auths").toString().trim();
    Authorizations authorizations;
    if (auths.isEmpty()) {
        authorizations = new Authorizations();
    } else {
        authorizations = new Authorizations(auths.split(","));
    }
    this.visibilityEvaluator = new VisibilityEvaluator(authorizations);
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
/**
 * Test that rfiles created by a specific version of PACE still work correctly.
 *
 * @param versionConfig
 *          Configuration for the version with which the rfiles were generated.
 */
private void testVersion(File versionConfig) throws Exception {
  String parentDirectory = versionConfig.getParent();

  JsonParser parser = new JsonParser();
  JsonObject configJson = parser.parse(new FileReader(versionConfig)).getAsJsonObject();

  // Get a scanner for the data file.
  List<byte[]> auths = new ArrayList<>();
  for (JsonElement authElem : configJson.getAsJsonArray("authorizations")) {
    auths.add(VisibilityEvaluator.escape(authElem.getAsString().getBytes(Utils.VISIBILITY_CHARSET), false));
  }
  Authorizations authorizations = new Authorizations(auths);

  LocalFileSystem fs = FileSystem.getLocal(new Configuration());
  Scanner dataScanner = RFile.newScanner().from(Paths.get(parentDirectory, configJson.getAsJsonPrimitive("data-table").getAsString()).toString())
      .withFileSystem(fs).withAuthorizations(authorizations).build();

  // Validate each configuration.
  for (JsonElement testElem : configJson.getAsJsonArray("tests")) {
    JsonObject test = testElem.getAsJsonObject();
    SignatureConfig signatureConfig = new SignatureConfigBuilder().readFromFile(
        new FileReader(Paths.get(parentDirectory, test.getAsJsonPrimitive("config").getAsString()).toFile())).build();
    SignatureKeyContainer keyContainer = LocalSignatureKeyContainer.read(new FileReader(Paths.get(parentDirectory,
        test.getAsJsonPrimitive("keys").getAsString()).toFile()));

    EntrySigner verifier = new EntrySigner(signatureConfig, keyContainer);
    Scanner signedScanner = RFile.newScanner().from(Paths.get(parentDirectory, test.getAsJsonPrimitive("table").getAsString()).toString()).withFileSystem(fs)
        .withAuthorizations(authorizations).build();

    runTest(dataScanner, signedScanner, verifier, signatureConfig);
  }
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
/**
 * Test that rfiles created by a specific version of PACE still work correctly.
 *
 * @param versionConfig
 *          Configuration for the version with which the rfiles were generated.
 */
private void testVersion(File versionConfig) throws Exception {
  String parentDirectory = versionConfig.getParent();

  JsonParser parser = new JsonParser();
  JsonObject configJson = parser.parse(new FileReader(versionConfig)).getAsJsonObject();

  // Get a scanner for the data file.
  List<byte[]> auths = new ArrayList<>();
  for (JsonElement authElem : configJson.getAsJsonArray("authorizations")) {
    auths.add(VisibilityEvaluator.escape(authElem.getAsString().getBytes(Utils.VISIBILITY_CHARSET), false));
  }
  Authorizations authorizations = new Authorizations(auths);

  LocalFileSystem fs = FileSystem.getLocal(new Configuration());
  Scanner dataScanner = RFile.newScanner().from(Paths.get(parentDirectory, configJson.getAsJsonPrimitive("data-table").getAsString()).toString())
      .withFileSystem(fs).withAuthorizations(authorizations).build();

  // Validate each configuration.
  for (JsonElement testElem : configJson.getAsJsonArray("tests")) {
    JsonObject test = testElem.getAsJsonObject();
    EncryptionConfig encryptionConfig = new EncryptionConfigBuilder().readFromFile(
        new FileReader(Paths.get(parentDirectory, test.getAsJsonPrimitive("config").getAsString()).toFile())).build();
    EncryptionKeyContainer keyContainer = LocalEncryptionKeyContainer.read(new FileReader(Paths.get(parentDirectory,
        test.getAsJsonPrimitive("keys").getAsString()).toFile()));

    EntryEncryptor decryptor = new EntryEncryptor(encryptionConfig, keyContainer);
    Scanner encryptedScanner = RFile.newScanner().from(Paths.get(parentDirectory, test.getAsJsonPrimitive("table").getAsString()).toString())
        .withFileSystem(fs).withAuthorizations(authorizations).build();

    runTest(dataScanner, encryptedScanner, decryptor);
  }
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
/**
 * Wrap the visibility field.
 * <p>
 * The resulting field will have the value {@literal colVis = (<originalColVis>)|data}. If the original column visibility value is empty, then the deafult
 * visibility value will be used in place of originalColVis.
 *
 * @param visibility
 *          The visibility data being wrapped.
 * @param data
 *          data to wrap into visibility.
 * @return Wrapped visibility.
 */
private static byte[] wrapVisibility(byte[] visibility, byte[] data) throws IOException {
  ByteArrayOutputStream colVisStream = new ByteArrayOutputStream();
  DataOutput colVisOut = new DataOutputStream(colVisStream);

  colVisOut.writeByte((byte) '(');
  colVisOut.write(visibility);
  colVisOut.writeByte((byte) ')');
  colVisOut.writeByte((byte) '|');
  colVisOut.write(VisibilityEvaluator.escape(data, true));

  return colVisStream.toByteArray();
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
public VisibilityIterator(final List<T> values, Authorizations authorizations) {
	this.values = values;
	this.ve = new VisibilityEvaluator(authorizations);
	this.expectedItems = values.size();
}
 

import org.apache.accumulo.core.security.VisibilityEvaluator; //导入依赖的package包/类
@Override public void init(SortedKeyValueIterator<Key,Value> source, Map<String,String> options, IteratorEnvironment env) throws IOException {
    super.init(source, options, env);
    checker = new VisibilityEvaluator(new Authorizations(options.get(AUTHS).getBytes()));
}