org.apache.hadoop.hbase.security.access

Class SnapshotScannerHDFSAclController

java.lang.Object

org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController

All Implemented Interfaces:

Coprocessor, MasterCoprocessor, MasterObserver

@InterfaceAudience.LimitedPrivate(value="Configuration")
public class SnapshotScannerHDFSAclController
extends Object
implements MasterCoprocessor, MasterObserver

Set HDFS ACLs to hFiles to make HBase granted users have permission to scan snapshot

To use this feature, please mask sure HDFS config:

• dfs.namenode.acls.enabled = true
• fs.permissions.umask-mode = 027 (or smaller umask than 027)

The implementation of this feature is as followings:

• For common directories such as 'data' and 'archive', set other permission to '--x' to make everyone have the permission to access the directory.
• For namespace or table directories such as 'data/ns/table', 'archive/ns/table' and '.hbase-snapshot/snapshotName', set user 'r-x' access acl and 'r-x' default acl when following operations happen:
  • grant user with global, namespace or table permission;
  • revoke user from global, namespace or table;
  • snapshot table;
  • truncate table;
• Note: Because snapshots are at table level, so this feature just considers users with global, namespace or table permissions, ignores users with table CF or cell permissions.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
(package private) static class	SnapshotScannerHDFSAclController.SnapshotScannerHDFSAclStorage

Nested classes/interfaces inherited from interface org.apache.hadoop.hbase.Coprocessor

Coprocessor.State

Field Summary

Fields

Modifier and Type	Field and Description
private boolean	aclTableInitialized
private SnapshotScannerHDFSAclHelper	hdfsAclHelper
private boolean	initialized
private static org.slf4j.Logger	LOG
private MasterServices	masterServices
private SnapshotScannerHDFSAclHelper.PathHelper	pathHelper
private UserProvider	userProvider Provider for mapping principal names to Users

Fields inherited from interface org.apache.hadoop.hbase.Coprocessor

PRIORITY_HIGHEST, PRIORITY_LOWEST, PRIORITY_SYSTEM, PRIORITY_USER, VERSION

Constructor Summary

Constructors

Constructor and Description
SnapshotScannerHDFSAclController()

Method Summary

Modifier and Type	Method and Description
(package private) boolean	checkInitialized(String operation)
private Set<String>	filterUsersToRemoveNsAccessAcl(Table aclTable, TableName tableName, Set<String> tablesUsers) Remove table user access HDFS acl from namespace directory if the user has no permissions of global, ns of the table or other tables of the ns, eg: Bob has 'ns1:t1' read permission, when delete 'ns1:t1', if Bob has global read permission, '@ns1' read permission or 'ns1:other_tables' read permission, then skip remove Bob access acl in ns1Dirs, otherwise, remove Bob access acl.
private User	getActiveUser(ObserverContext<?> ctx)
Optional<MasterObserver>	getMasterObserver()
private UserPermission	getUserGlobalPermission(org.apache.hadoop.conf.Configuration conf, String userName)
private UserPermission	getUserNamespacePermission(org.apache.hadoop.conf.Configuration conf, String userName, String namespace)
private UserPermission	getUserTablePermission(org.apache.hadoop.conf.Configuration conf, String userName, TableName tableName)
private boolean	isHdfsAclSet(Table aclTable, String userName)
private boolean	isHdfsAclSet(Table aclTable, String userName, String namespace)
private boolean	isHdfsAclSet(Table aclTable, String userName, String namespace, TableName tableName) Check if user global/namespace/table HDFS acls is already set
private boolean	isHdfsAclSet(Table aclTable, String userName, TableName tableName)
private boolean	needHandleTableHdfsAcl(TableDescriptor tableDescriptor, String operation)
private boolean	needHandleTableHdfsAcl(TableName tableName, String operation)
private boolean	needHandleTableHdfsAcl(TablePermission tablePermission)
void	postCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> c, TableDescriptor desc, RegionInfo[] regions) Called after the createTable operation has been requested.
void	postCompletedDeleteTableAction(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) Called after HMaster deletes a table.
void	postCompletedSnapshotAction(ObserverContext<MasterCoprocessorEnvironment> c, SnapshotDescription snapshot, TableDescriptor tableDescriptor) Called after the snapshot operation has been completed.
void	postCompletedTruncateTableAction(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) Called after HMaster truncates a table.
void	postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> c, NamespaceDescriptor ns) Called after the createNamespace operation has been requested.
void	postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace) Called after the deleteNamespace operation has been requested.
void	postGrant(ObserverContext<MasterCoprocessorEnvironment> c, UserPermission userPermission, boolean mergeExistingPermissions) Called after granting user permissions.
void	postModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName, TableDescriptor oldDescriptor, TableDescriptor currentDescriptor) Called after the modifyTable operation has been requested.
void	postRevoke(ObserverContext<MasterCoprocessorEnvironment> c, UserPermission userPermission) Called after revoking user permissions.
void	postStartMaster(ObserverContext<MasterCoprocessorEnvironment> c) Called immediately after an active master instance has completed initialization.
void	preMasterInitialization(ObserverContext<MasterCoprocessorEnvironment> c) Call before the master initialization is set to true.
void	preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) Called immediately prior to stopping this HMaster process.
private void	removeUserGlobalHdfsAcl(Table aclTable, String userName, UserPermission userPermission)
private void	removeUserNamespaceHdfsAcl(Table aclTable, String userName, String namespace, UserPermission userPermission)
private void	removeUserTableHdfsAcl(Table aclTable, String userName, TableName tableName, UserPermission userPermission)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.hbase.Coprocessor

getServices, start, stop

Methods inherited from interface org.apache.hadoop.hbase.coprocessor.MasterObserver

postAbortProcedure, postAddReplicationPeer, postAddRSGroup, postAssign, postBalance, postBalanceRSGroup, postBalanceSwitch, postClearDeadServers, postCloneSnapshot, postCompletedDisableTableAction, postCompletedEnableTableAction, postCompletedMergeRegionsAction, postCompletedModifyTableAction, postCompletedModifyTableAction, postCompletedSplitRegionAction, postCreateTable, postDecommissionRegionServers, postDeleteSnapshot, postDeleteTable, postDisableReplicationPeer, postDisableTable, postEnableReplicationPeer, postEnableTable, postGetClusterMetrics, postGetLocks, postGetNamespaceDescriptor, postGetProcedures, postGetReplicationPeerConfig, postGetTableDescriptors, postGetTableNames, postGetUserPermissions, postHasUserPermissions, postIsRpcThrottleEnabled, postListDecommissionedRegionServers, postListNamespaceDescriptors, postListNamespaces, postListReplicationPeers, postListSnapshot, postLockHeartbeat, postMasterStoreFlush, postMergeRegions, postMergeRegionsCommitAction, postModifyColumnFamilyStoreFileTracker, postModifyNamespace, postModifyNamespace, postModifyTable, postModifyTableStoreFileTracker, postMove, postMoveServers, postMoveServersAndTables, postMoveTables, postRecommissionRegionServer, postRegionOffline, postRemoveReplicationPeer, postRemoveRSGroup, postRemoveServers, postRenameRSGroup, postRequestLock, postRestoreSnapshot, postRollBackMergeRegionsAction, postRollBackSplitRegionAction, postSetNamespaceQuota, postSetRegionServerQuota, postSetSplitOrMergeEnabled, postSetTableQuota, postSetUserQuota, postSetUserQuota, postSetUserQuota, postSnapshot, postSwitchExceedThrottleQuota, postSwitchRpcThrottle, postTableFlush, postTruncateTable, postUnassign, postUnassign, postUpdateReplicationPeerConfig, postUpdateRSGroupConfig, preAbortProcedure, preAddReplicationPeer, preAddRSGroup, preAssign, preBalance, preBalanceRSGroup, preBalanceSwitch, preClearDeadServers, preCloneSnapshot, preCreateNamespace, preCreateTable, preCreateTableAction, preCreateTableRegionsInfos, preDecommissionRegionServers, preDeleteNamespace, preDeleteSnapshot, preDeleteTable, preDeleteTableAction, preDisableReplicationPeer, preDisableTable, preDisableTableAction, preEnableReplicationPeer, preEnableTable, preEnableTableAction, preGetClusterMetrics, preGetLocks, preGetNamespaceDescriptor, preGetProcedures, preGetReplicationPeerConfig, preGetTableDescriptors, preGetTableNames, preGetUserPermissions, preGrant, preHasUserPermissions, preIsRpcThrottleEnabled, preListDecommissionedRegionServers, preListNamespaceDescriptors, preListNamespaces, preListReplicationPeers, preListSnapshot, preLockHeartbeat, preMasterStoreFlush, preMergeRegions, preMergeRegionsAction, preMergeRegionsCommitAction, preModifyColumnFamilyStoreFileTracker, preModifyNamespace, preModifyNamespace, preModifyTable, preModifyTable, preModifyTableAction, preModifyTableAction, preModifyTableStoreFileTracker, preMove, preMoveServers, preMoveServersAndTables, preMoveTables, preRecommissionRegionServer, preRegionOffline, preRemoveReplicationPeer, preRemoveRSGroup, preRemoveServers, preRenameRSGroup, preRequestLock, preRestoreSnapshot, preRevoke, preSetNamespaceQuota, preSetRegionServerQuota, preSetSplitOrMergeEnabled, preSetTableQuota, preSetUserQuota, preSetUserQuota, preSetUserQuota, preShutdown, preSnapshot, preSplitRegion, preSplitRegionAction, preSplitRegionAfterMETAAction, preSplitRegionBeforeMETAAction, preSwitchExceedThrottleQuota, preSwitchRpcThrottle, preTableFlush, preTruncateTable, preTruncateTableAction, preUnassign, preUnassign, preUpdateReplicationPeerConfig, preUpdateRSGroupConfig

Field Detail

LOG

private static final org.slf4j.Logger LOG

hdfsAclHelper

private SnapshotScannerHDFSAclHelper hdfsAclHelper

pathHelper

private SnapshotScannerHDFSAclHelper.PathHelper pathHelper

masterServices

private MasterServices masterServices

initialized

private volatile boolean initialized

aclTableInitialized

private volatile boolean aclTableInitialized

userProvider

private UserProvider userProvider

Provider for mapping principal names to Users

Constructor Detail

SnapshotScannerHDFSAclController

public SnapshotScannerHDFSAclController()

Method Detail

getMasterObserver

public Optional<MasterObserver> getMasterObserver()

Specified by:

getMasterObserver in interface MasterCoprocessor

preMasterInitialization

public void preMasterInitialization(ObserverContext<MasterCoprocessorEnvironment> c)
                             throws IOException

Description copied from interface: MasterObserver

Call before the master initialization is set to true. HMaster process.

Specified by:

preMasterInitialization in interface MasterObserver

Throws:

IOException

postStartMaster

public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> c)
                     throws IOException

Description copied from interface: MasterObserver

Called immediately after an active master instance has completed initialization. Will not be called on standby master instances unless they take over the active role.

Specified by:

postStartMaster in interface MasterObserver

Throws:

IOException

preStopMaster

public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c)

Description copied from interface: MasterObserver

Called immediately prior to stopping this HMaster process.

Specified by:

preStopMaster in interface MasterObserver

postCompletedCreateTableAction

public void postCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> c,
                                           TableDescriptor desc,
                                           RegionInfo[] regions)
                                    throws IOException

Description copied from interface: MasterObserver

Called after the createTable operation has been requested. Called as part of create table RPC call. Called as part of create table procedure and it is async to the create RPC call.

Specified by:

postCompletedCreateTableAction in interface MasterObserver

Parameters:

c - the environment to interact with the framework and master

desc - the TableDescriptor for the table

regions - the initial regions created for the table

Throws:

IOException

postCreateNamespace

public void postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> c,
                                NamespaceDescriptor ns)
                         throws IOException

Description copied from interface: MasterObserver

Called after the createNamespace operation has been requested.

Specified by:

postCreateNamespace in interface MasterObserver

Parameters:

c - the environment to interact with the framework and master

ns - the NamespaceDescriptor for the table

Throws:

IOException

postCompletedSnapshotAction

public void postCompletedSnapshotAction(ObserverContext<MasterCoprocessorEnvironment> c,
                                        SnapshotDescription snapshot,
                                        TableDescriptor tableDescriptor)
                                 throws IOException

Description copied from interface: MasterObserver

Called after the snapshot operation has been completed.

Specified by:

postCompletedSnapshotAction in interface MasterObserver

Parameters:

c - the environment to interact with the framework and master

snapshot - the SnapshotDescriptor for the snapshot

tableDescriptor - the TableDescriptor of the table to snapshot

Throws:

IOException

postCompletedTruncateTableAction

public void postCompletedTruncateTableAction(ObserverContext<MasterCoprocessorEnvironment> c,
                                             TableName tableName)
                                      throws IOException

Description copied from interface: MasterObserver

Called after HMaster truncates a table. Called as part of truncate table procedure and it is async to the truncate RPC call.

Specified by:

postCompletedTruncateTableAction in interface MasterObserver

Parameters:

c - the environment to interact with the framework and master

tableName - the name of the table

Throws:

IOException

postCompletedDeleteTableAction

public void postCompletedDeleteTableAction(ObserverContext<MasterCoprocessorEnvironment> ctx,
                                           TableName tableName)
                                    throws IOException

Description copied from interface: MasterObserver

Called after HMaster deletes a table. Called as part of delete table procedure and it is async to the delete RPC call.

Specified by:

postCompletedDeleteTableAction in interface MasterObserver

Parameters:

ctx - the environment to interact with the framework and master

tableName - the name of the table

Throws:

IOException

postModifyTable

public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
                            TableName tableName,
                            TableDescriptor oldDescriptor,
                            TableDescriptor currentDescriptor)
                     throws IOException

Description copied from interface: MasterObserver

Called after the modifyTable operation has been requested. Called as part of modify table RPC call.

Specified by:

postModifyTable in interface MasterObserver

Parameters:

ctx - the environment to interact with the framework and master

tableName - the name of the table

oldDescriptor - descriptor of table before modify operation happened

currentDescriptor - current TableDescriptor of the table

Throws:

IOException

postDeleteNamespace

public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
                                String namespace)
                         throws IOException

Description copied from interface: MasterObserver

Called after the deleteNamespace operation has been requested.

Specified by:

postDeleteNamespace in interface MasterObserver

Parameters:

ctx - the environment to interact with the framework and master

namespace - the name of the namespace

Throws:

IOException

postGrant

public void postGrant(ObserverContext<MasterCoprocessorEnvironment> c,
                      UserPermission userPermission,
                      boolean mergeExistingPermissions)
               throws IOException

Description copied from interface: MasterObserver

Called after granting user permissions.

Specified by:

postGrant in interface MasterObserver

Parameters:

c - the coprocessor instance's environment

userPermission - the user and permissions

mergeExistingPermissions - True if merge with previous granted permissions

Throws:

IOException

postRevoke

public void postRevoke(ObserverContext<MasterCoprocessorEnvironment> c,
                       UserPermission userPermission)
                throws IOException

Description copied from interface: MasterObserver

Called after revoking user permissions.

Specified by:

postRevoke in interface MasterObserver

Parameters:

c - the coprocessor instance's environment

userPermission - the user and permissions

Throws:

IOException

removeUserGlobalHdfsAcl

private void removeUserGlobalHdfsAcl(Table aclTable,
                                     String userName,
                                     UserPermission userPermission)
                              throws IOException

Throws:

IOException

removeUserNamespaceHdfsAcl

private void removeUserNamespaceHdfsAcl(Table aclTable,
                                        String userName,
                                        String namespace,
                                        UserPermission userPermission)
                                 throws IOException

Throws:

IOException

removeUserTableHdfsAcl

private void removeUserTableHdfsAcl(Table aclTable,
                                    String userName,
                                    TableName tableName,
                                    UserPermission userPermission)
                             throws IOException

Throws:

IOException

getUserGlobalPermission

private UserPermission getUserGlobalPermission(org.apache.hadoop.conf.Configuration conf,
                                               String userName)
                                        throws IOException

Throws:

IOException

getUserNamespacePermission

private UserPermission getUserNamespacePermission(org.apache.hadoop.conf.Configuration conf,
                                                  String userName,
                                                  String namespace)
                                           throws IOException

Throws:

IOException

getUserTablePermission

private UserPermission getUserTablePermission(org.apache.hadoop.conf.Configuration conf,
                                              String userName,
                                              TableName tableName)
                                       throws IOException

Throws:

IOException

isHdfsAclSet

private boolean isHdfsAclSet(Table aclTable,
                             String userName)
                      throws IOException

Throws:

IOException

isHdfsAclSet

private boolean isHdfsAclSet(Table aclTable,
                             String userName,
                             String namespace)
                      throws IOException

Throws:

IOException

isHdfsAclSet

private boolean isHdfsAclSet(Table aclTable,
                             String userName,
                             TableName tableName)
                      throws IOException

Throws:

IOException

isHdfsAclSet

private boolean isHdfsAclSet(Table aclTable,
                             String userName,
                             String namespace,
                             TableName tableName)
                      throws IOException

Check if user global/namespace/table HDFS acls is already set

Throws:

IOException

checkInitialized

@InterfaceAudience.Private
boolean checkInitialized(String operation)

needHandleTableHdfsAcl

private boolean needHandleTableHdfsAcl(TablePermission tablePermission)
                                throws IOException

Throws:

IOException

needHandleTableHdfsAcl

private boolean needHandleTableHdfsAcl(TableName tableName,
                                       String operation)
                                throws IOException

Throws:

IOException

needHandleTableHdfsAcl

private boolean needHandleTableHdfsAcl(TableDescriptor tableDescriptor,
                                       String operation)

getActiveUser

private User getActiveUser(ObserverContext<?> ctx)
                    throws IOException

Throws:

IOException

filterUsersToRemoveNsAccessAcl

private Set<String> filterUsersToRemoveNsAccessAcl(Table aclTable,
                                                   TableName tableName,
                                                   Set<String> tablesUsers)
                                            throws IOException

Remove table user access HDFS acl from namespace directory if the user has no permissions of global, ns of the table or other tables of the ns, eg: Bob has 'ns1:t1' read permission, when delete 'ns1:t1', if Bob has global read permission, '@ns1' read permission or 'ns1:other_tables' read permission, then skip remove Bob access acl in ns1Dirs, otherwise, remove Bob access acl.

Parameters:

aclTable - acl table

tableName - the name of the table

tablesUsers - table users set

Returns:

users whose access acl will be removed from the namespace of the table

Throws:

IOException - if an error occurred