View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security;
19  
20  import org.apache.hadoop.conf.Configuration;
21  import org.apache.hadoop.hbase.protobuf.generated.AdminProtos.AdminService;
22  import org.apache.hadoop.hbase.protobuf.generated.ClientProtos.ClientService;
23  import org.apache.hadoop.hbase.protobuf.generated.MasterProtos.MasterService;
24  import org.apache.hadoop.hbase.protobuf.generated.RegionServerStatusProtos.RegionServerStatusService;
25  import org.apache.hadoop.security.authorize.PolicyProvider;
26  import org.apache.hadoop.security.authorize.ProxyUsers;
27  import org.apache.hadoop.security.authorize.Service;
28  import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
29  
30  /**
31   * Implementation of secure Hadoop policy provider for mapping
32   * protocol interfaces to hbase-policy.xml entries.
33   */
34  public class HBasePolicyProvider extends PolicyProvider {
35    protected final static Service[] services = {
36        new Service("security.client.protocol.acl", ClientService.BlockingInterface.class),
37        new Service("security.client.protocol.acl", AdminService.BlockingInterface.class),
38        new Service("security.admin.protocol.acl", MasterService.BlockingInterface.class),
39        new Service("security.masterregion.protocol.acl", RegionServerStatusService.BlockingInterface.class)
40    };
41  
42    @Override
43    public Service[] getServices() {
44      return services;
45    }
46  
47    public static void init(Configuration conf, ServiceAuthorizationManager authManager) {
48      // set service-level authorization security policy
49      System.setProperty("hadoop.policy.file", "hbase-policy.xml");
50      if (conf.getBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false)) {
51        authManager.refresh(conf, new HBasePolicyProvider());
52        ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
53      }
54    }
55  }