View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security;
19  
20  import org.apache.hadoop.classification.InterfaceAudience;
21  import org.apache.hadoop.conf.Configuration;
22  import org.apache.hadoop.hbase.protobuf.generated.AdminProtos.AdminService;
23  import org.apache.hadoop.hbase.protobuf.generated.ClientProtos.ClientService;
24  import org.apache.hadoop.hbase.protobuf.generated.MasterProtos.MasterService;
25  import org.apache.hadoop.hbase.protobuf.generated.RegionServerStatusProtos.RegionServerStatusService;
26  import org.apache.hadoop.security.authorize.PolicyProvider;
27  import org.apache.hadoop.security.authorize.ProxyUsers;
28  import org.apache.hadoop.security.authorize.Service;
29  import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
30  
31  /**
32   * Implementation of secure Hadoop policy provider for mapping
33   * protocol interfaces to hbase-policy.xml entries.
34   */
35  @InterfaceAudience.Private
36  public class HBasePolicyProvider extends PolicyProvider {
37    protected final static Service[] services = {
38        new Service("security.client.protocol.acl", ClientService.BlockingInterface.class),
39        new Service("security.client.protocol.acl", AdminService.BlockingInterface.class),
40        new Service("security.admin.protocol.acl", MasterService.BlockingInterface.class),
41        new Service("security.masterregion.protocol.acl", RegionServerStatusService.BlockingInterface.class)
42    };
43  
44    @Override
45    public Service[] getServices() {
46      return services;
47    }
48  
49    public static void init(Configuration conf, ServiceAuthorizationManager authManager) {
50      // set service-level authorization security policy
51      System.setProperty("hadoop.policy.file", "hbase-policy.xml");
52      if (conf.getBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false)) {
53        authManager.refresh(conf, new HBasePolicyProvider());
54        ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
55      }
56    }
57  }