Package org.apache.hadoop.hbase.security.access

Class CoprocessorWhitelistMasterObserver

java.lang.Object

org.apache.hadoop.hbase.security.access.CoprocessorWhitelistMasterObserver

All Implemented Interfaces:

Coprocessor, MasterCoprocessor, MasterObserver

@LimitedPrivate("Configuration")
public class CoprocessorWhitelistMasterObserver
extends Object
implements MasterCoprocessor, MasterObserver

Master observer for restricting coprocessor assignments.

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.hadoop.hbase.Coprocessor

Coprocessor.State

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CP_COPROCESSOR_WHITELIST_PATHS_KEY
private static final org.slf4j.Logger	LOG

Fields inherited from interface org.apache.hadoop.hbase.Coprocessor

PRIORITY_HIGHEST, PRIORITY_LOWEST, PRIORITY_SYSTEM, PRIORITY_USER, VERSION

Constructor Summary

Constructors

Constructor	Description
CoprocessorWhitelistMasterObserver()

Method Summary

Modifier and Type	Method	Description
Optional<MasterObserver>	getMasterObserver()
void	preCreateTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableDescriptor htd, RegionInfo[] regions)	Called before a new table is created by HMaster.
TableDescriptor	preModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc)	Called prior to modifying a table's properties.
private static boolean	validatePath(org.apache.hadoop.fs.Path coprocPath, org.apache.hadoop.fs.Path wlPath)	Validates a single whitelist path against the coprocessor path
private static void	verifyCoprocessors(ObserverContext<MasterCoprocessorEnvironment> ctx, TableDescriptor htd)	Perform the validation checks for a coprocessor to determine if the path is white listed or not.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.hbase.Coprocessor

getServices, start, stop

Methods inherited from interface org.apache.hadoop.hbase.coprocessor.MasterObserver

postAbortProcedure, postAddReplicationPeer, postAddRSGroup, postAssign, postBalance, postBalanceRSGroup, postBalanceSwitch, postClearDeadServers, postCloneSnapshot, postCompletedCreateTableAction, postCompletedDeleteTableAction, postCompletedDisableTableAction, postCompletedEnableTableAction, postCompletedMergeRegionsAction, postCompletedModifyTableAction, postCompletedSnapshotAction, postCompletedSplitRegionAction, postCompletedTruncateTableAction, postCreateNamespace, postCreateTable, postDecommissionRegionServers, postDeleteNamespace, postDeleteSnapshot, postDeleteTable, postDisableReplicationPeer, postDisableTable, postEnableReplicationPeer, postEnableTable, postGetClusterMetrics, postGetConfiguredNamespacesAndTablesInRSGroup, postGetLocks, postGetNamespaceDescriptor, postGetProcedures, postGetReplicationPeerConfig, postGetRSGroupInfo, postGetRSGroupInfoOfServer, postGetRSGroupInfoOfTable, postGetTableDescriptors, postGetTableNames, postGetUserPermissions, postGrant, postHasUserPermissions, postIsRpcThrottleEnabled, postListDecommissionedRegionServers, postListNamespaceDescriptors, postListNamespaces, postListReplicationPeers, postListRSGroups, postListSnapshot, postListTablesInRSGroup, postLockHeartbeat, postMasterStoreFlush, postMergeRegions, postMergeRegionsCommitAction, postModifyColumnFamilyStoreFileTracker, postModifyNamespace, postModifyTable, postModifyTableStoreFileTracker, postMove, postMoveServers, postMoveServersAndTables, postMoveTables, postRecommissionRegionServer, postRegionOffline, postRemoveReplicationPeer, postRemoveRSGroup, postRemoveServers, postRenameRSGroup, postRequestLock, postRestoreSnapshot, postRevoke, postRollBackMergeRegionsAction, postRollBackSplitRegionAction, postSetNamespaceQuota, postSetRegionServerQuota, postSetSplitOrMergeEnabled, postSetTableQuota, postSetUserQuota, postSetUserQuota, postSetUserQuota, postSnapshot, postStartMaster, postSwitchExceedThrottleQuota, postSwitchRpcThrottle, postTableFlush, postTransitReplicationPeerSyncReplicationState, postTruncateRegion, postTruncateRegionAction, postTruncateTable, postUnassign, postUpdateMasterConfiguration, postUpdateReplicationPeerConfig, postUpdateRSGroupConfig, preAbortProcedure, preAddReplicationPeer, preAddRSGroup, preAssign, preBalance, preBalanceRSGroup, preBalanceSwitch, preClearDeadServers, preCloneSnapshot, preCreateNamespace, preCreateTableAction, preCreateTableRegionsInfos, preDecommissionRegionServers, preDeleteNamespace, preDeleteSnapshot, preDeleteTable, preDeleteTableAction, preDisableReplicationPeer, preDisableTable, preDisableTableAction, preEnableReplicationPeer, preEnableTable, preEnableTableAction, preGetClusterMetrics, preGetConfiguredNamespacesAndTablesInRSGroup, preGetLocks, preGetNamespaceDescriptor, preGetProcedures, preGetReplicationPeerConfig, preGetRSGroupInfo, preGetRSGroupInfoOfServer, preGetRSGroupInfoOfTable, preGetTableDescriptors, preGetTableNames, preGetUserPermissions, preGrant, preHasUserPermissions, preIsRpcThrottleEnabled, preListDecommissionedRegionServers, preListNamespaceDescriptors, preListNamespaces, preListReplicationPeers, preListRSGroups, preListSnapshot, preListTablesInRSGroup, preLockHeartbeat, preMasterInitialization, preMasterStoreFlush, preMergeRegions, preMergeRegionsAction, preMergeRegionsCommitAction, preModifyColumnFamilyStoreFileTracker, preModifyNamespace, preModifyTableAction, preModifyTableStoreFileTracker, preMove, preMoveServers, preMoveServersAndTables, preMoveTables, preRecommissionRegionServer, preRegionOffline, preRemoveReplicationPeer, preRemoveRSGroup, preRemoveServers, preRenameRSGroup, preRequestLock, preRestoreSnapshot, preRevoke, preSetNamespaceQuota, preSetRegionServerQuota, preSetSplitOrMergeEnabled, preSetTableQuota, preSetUserQuota, preSetUserQuota, preSetUserQuota, preShutdown, preSnapshot, preSplitRegion, preSplitRegionAction, preSplitRegionAfterMETAAction, preSplitRegionBeforeMETAAction, preStopMaster, preSwitchExceedThrottleQuota, preSwitchRpcThrottle, preTableFlush, preTransitReplicationPeerSyncReplicationState, preTruncateRegion, preTruncateRegionAction, preTruncateTable, preTruncateTableAction, preUnassign, preUpdateMasterConfiguration, preUpdateReplicationPeerConfig, preUpdateRSGroupConfig

Field Details

CP_COPROCESSOR_WHITELIST_PATHS_KEY

public static final String CP_COPROCESSOR_WHITELIST_PATHS_KEY

See Also:

• Constant Field Values

LOG

private static final org.slf4j.Logger LOG

Constructor Details

CoprocessorWhitelistMasterObserver

public CoprocessorWhitelistMasterObserver()

Method Details

getMasterObserver

public Optional<MasterObserver> getMasterObserver()

Specified by:

getMasterObserver in interface MasterCoprocessor

preModifyTable

public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
 TableName tableName,
 TableDescriptor currentDesc,
 TableDescriptor newDesc)
                               throws IOException

Description copied from interface: MasterObserver

Called prior to modifying a table's properties. Called as part of modify table RPC call.

Specified by:

preModifyTable in interface MasterObserver

Parameters:

ctx - the environment to interact with the framework and master

tableName - the name of the table

currentDesc - current TableDescriptor of the table

newDesc - after modify operation, table will have this descriptor

Throws:

IOException

preCreateTable

public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
 TableDescriptor htd,
 RegionInfo[] regions)
                    throws IOException

Description copied from interface: MasterObserver

Called before a new table is created by HMaster. Called as part of create table RPC call.

Specified by:

preCreateTable in interface MasterObserver

Parameters:

ctx - the environment to interact with the framework and master

htd - the TableDescriptor for the table

regions - the initial regions created for the table

Throws:

IOException

validatePath

private static boolean validatePath(org.apache.hadoop.fs.Path coprocPath,
 org.apache.hadoop.fs.Path wlPath)

Validates a single whitelist path against the coprocessor path

Parameters:

coprocPath - the path to the coprocessor including scheme

wlPath - can be: 1) a "*" to wildcard all coprocessor paths 2) a specific filesystem (e.g. hdfs://my-cluster/) 3) a wildcard path to be evaluated by FilenameUtils.wildcardMatch(String, String) path can specify scheme or not (e.g. "file:///usr/hbase/coprocessors" or for all filesystems "/usr/hbase/coprocessors")

Returns:

if the path was found under the wlPath

verifyCoprocessors

private static void verifyCoprocessors(ObserverContext<MasterCoprocessorEnvironment> ctx,
 TableDescriptor htd)
                                throws IOException

Perform the validation checks for a coprocessor to determine if the path is white listed or not.

Parameters:

ctx - as passed in from the coprocessor

htd - as passed in from the coprocessor

Throws:

IOException - if path is not included in whitelist or a failure occurs in processing