Class SnapshotScannerHDFSAclController
java.lang.Object
org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController
- All Implemented Interfaces:
Coprocessor,MasterCoprocessor,MasterObserver
@LimitedPrivate("Configuration")
public class SnapshotScannerHDFSAclController
extends Object
implements MasterCoprocessor, MasterObserver
Set HDFS ACLs to hFiles to make HBase granted users have permission to scan snapshot
To use this feature, please mask sure HDFS config:
- dfs.namenode.acls.enabled = true
- fs.permissions.umask-mode = 027 (or smaller umask than 027)
The implementation of this feature is as followings:
- For common directories such as 'data' and 'archive', set other permission to '--x' to make everyone have the permission to access the directory.
- For namespace or table directories such as 'data/ns/table', 'archive/ns/table' and
'.hbase-snapshot/snapshotName', set user 'r-x' access acl and 'r-x' default acl when following
operations happen:
- grant user with global, namespace or table permission;
- revoke user from global, namespace or table;
- snapshot table;
- truncate table;
- Note: Because snapshots are at table level, so this feature just considers users with global, namespace or table permissions, ignores users with table CF or cell permissions.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescription(package private) static final classNested classes/interfaces inherited from interface org.apache.hadoop.hbase.Coprocessor
Coprocessor.State -
Field Summary
FieldsModifier and TypeFieldDescriptionprivate booleanprivate SnapshotScannerHDFSAclHelperprivate booleanprivate static final org.slf4j.Loggerprivate MasterServicesprivate UserProviderProvider for mapping principal names to UsersFields inherited from interface org.apache.hadoop.hbase.Coprocessor
PRIORITY_HIGHEST, PRIORITY_LOWEST, PRIORITY_SYSTEM, PRIORITY_USER, VERSION -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescription(package private) booleancheckInitialized(String operation) filterUsersToRemoveNsAccessAcl(Table aclTable, TableName tableName, Set<String> tablesUsers) Remove table user access HDFS acl from namespace directory if the user has no permissions of global, ns of the table or other tables of the ns, eg: Bob has 'ns1:t1' read permission, when delete 'ns1:t1', if Bob has global read permission, '@ns1' read permission or 'ns1:other_tables' read permission, then skip remove Bob access acl in ns1Dirs, otherwise, remove Bob access acl.private UsergetActiveUser(ObserverContext<?> ctx) private UserPermissiongetUserGlobalPermission(org.apache.hadoop.conf.Configuration conf, String userName) private UserPermissiongetUserNamespacePermission(org.apache.hadoop.conf.Configuration conf, String userName, String namespace) private UserPermissiongetUserTablePermission(org.apache.hadoop.conf.Configuration conf, String userName, TableName tableName) private booleanisHdfsAclSet(Table aclTable, String userName) private booleanisHdfsAclSet(Table aclTable, String userName, String namespace) private booleanisHdfsAclSet(Table aclTable, String userName, String namespace, TableName tableName) Check if user global/namespace/table HDFS acls is already setprivate booleanisHdfsAclSet(Table aclTable, String userName, TableName tableName) private booleanneedHandleTableHdfsAcl(TableDescriptor tableDescriptor, String operation) private booleanneedHandleTableHdfsAcl(TablePermission tablePermission) private booleanneedHandleTableHdfsAcl(TableName tableName, String operation) voidpostCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> c, TableDescriptor desc, RegionInfo[] regions) Called after the createTable operation has been requested.voidpostCompletedDeleteTableAction(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) Called afterHMasterdeletes a table.voidpostCompletedSnapshotAction(ObserverContext<MasterCoprocessorEnvironment> c, SnapshotDescription snapshot, TableDescriptor tableDescriptor) Called after the snapshot operation has been completed.voidpostCompletedTruncateTableAction(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) Called afterHMastertruncates a table.voidCalled after the createNamespace operation has been requested.voidpostDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace) Called after the deleteNamespace operation has been requested.voidpostGrant(ObserverContext<MasterCoprocessorEnvironment> c, UserPermission userPermission, boolean mergeExistingPermissions) Called after granting user permissions.voidpostModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName, TableDescriptor oldDescriptor, TableDescriptor currentDescriptor) Called after the modifyTable operation has been requested.voidpostRevoke(ObserverContext<MasterCoprocessorEnvironment> c, UserPermission userPermission) Called after revoking user permissions.voidCalled immediately after an active master instance has completed initialization.voidCall before the master initialization is set to true.voidCalled immediately prior to stopping thisHMasterprocess.private voidremoveUserGlobalHdfsAcl(Table aclTable, String userName, UserPermission userPermission) private voidremoveUserNamespaceHdfsAcl(Table aclTable, String userName, String namespace, UserPermission userPermission) private voidremoveUserTableHdfsAcl(Table aclTable, String userName, TableName tableName, UserPermission userPermission) Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.apache.hadoop.hbase.Coprocessor
getServices, start, stopMethods inherited from interface org.apache.hadoop.hbase.coprocessor.MasterObserver
postAbortProcedure, postAddReplicationPeer, postAddRSGroup, postAssign, postBalance, postBalanceRSGroup, postBalanceSwitch, postClearDeadServers, postCloneSnapshot, postCompletedDisableTableAction, postCompletedEnableTableAction, postCompletedMergeRegionsAction, postCompletedModifyTableAction, postCompletedSplitRegionAction, postCreateTable, postDecommissionRegionServers, postDeleteSnapshot, postDeleteTable, postDisableReplicationPeer, postDisableTable, postEnableReplicationPeer, postEnableTable, postGetClusterMetrics, postGetConfiguredNamespacesAndTablesInRSGroup, postGetLocks, postGetNamespaceDescriptor, postGetProcedures, postGetReplicationPeerConfig, postGetRSGroupInfo, postGetRSGroupInfoOfServer, postGetRSGroupInfoOfTable, postGetTableDescriptors, postGetTableNames, postGetUserPermissions, postHasUserPermissions, postIsRpcThrottleEnabled, postListDecommissionedRegionServers, postListNamespaceDescriptors, postListNamespaces, postListReplicationPeers, postListRSGroups, postListSnapshot, postListTablesInRSGroup, postLockHeartbeat, postMasterStoreFlush, postMergeRegions, postMergeRegionsCommitAction, postModifyColumnFamilyStoreFileTracker, postModifyNamespace, postModifyTableStoreFileTracker, postMove, postMoveServers, postMoveServersAndTables, postMoveTables, postRecommissionRegionServer, postRegionOffline, postRemoveReplicationPeer, postRemoveRSGroup, postRemoveServers, postRenameRSGroup, postRequestLock, postRestoreSnapshot, postRollBackMergeRegionsAction, postRollBackSplitRegionAction, postSetNamespaceQuota, postSetRegionServerQuota, postSetSplitOrMergeEnabled, postSetTableQuota, postSetUserQuota, postSetUserQuota, postSetUserQuota, postSnapshot, postSwitchExceedThrottleQuota, postSwitchRpcThrottle, postTableFlush, postTransitReplicationPeerSyncReplicationState, postTruncateRegion, postTruncateRegionAction, postTruncateTable, postUnassign, postUpdateMasterConfiguration, postUpdateReplicationPeerConfig, postUpdateRSGroupConfig, preAbortProcedure, preAddReplicationPeer, preAddRSGroup, preAssign, preBalance, preBalanceRSGroup, preBalanceSwitch, preClearDeadServers, preCloneSnapshot, preCreateNamespace, preCreateTable, preCreateTableAction, preCreateTableRegionsInfos, preDecommissionRegionServers, preDeleteNamespace, preDeleteSnapshot, preDeleteTable, preDeleteTableAction, preDisableReplicationPeer, preDisableTable, preDisableTableAction, preEnableReplicationPeer, preEnableTable, preEnableTableAction, preGetClusterMetrics, preGetConfiguredNamespacesAndTablesInRSGroup, preGetLocks, preGetNamespaceDescriptor, preGetProcedures, preGetReplicationPeerConfig, preGetRSGroupInfo, preGetRSGroupInfoOfServer, preGetRSGroupInfoOfTable, preGetTableDescriptors, preGetTableNames, preGetUserPermissions, preGrant, preHasUserPermissions, preIsRpcThrottleEnabled, preListDecommissionedRegionServers, preListNamespaceDescriptors, preListNamespaces, preListReplicationPeers, preListRSGroups, preListSnapshot, preListTablesInRSGroup, preLockHeartbeat, preMasterStoreFlush, preMergeRegions, preMergeRegionsAction, preMergeRegionsCommitAction, preModifyColumnFamilyStoreFileTracker, preModifyNamespace, preModifyTable, preModifyTableAction, preModifyTableStoreFileTracker, preMove, preMoveServers, preMoveServersAndTables, preMoveTables, preRecommissionRegionServer, preRegionOffline, preRemoveReplicationPeer, preRemoveRSGroup, preRemoveServers, preRenameRSGroup, preRequestLock, preRestoreSnapshot, preRevoke, preSetNamespaceQuota, preSetRegionServerQuota, preSetSplitOrMergeEnabled, preSetTableQuota, preSetUserQuota, preSetUserQuota, preSetUserQuota, preShutdown, preSnapshot, preSplitRegion, preSplitRegionAction, preSplitRegionAfterMETAAction, preSplitRegionBeforeMETAAction, preSwitchExceedThrottleQuota, preSwitchRpcThrottle, preTableFlush, preTransitReplicationPeerSyncReplicationState, preTruncateRegion, preTruncateRegionAction, preTruncateTable, preTruncateTableAction, preUnassign, preUpdateMasterConfiguration, preUpdateReplicationPeerConfig, preUpdateRSGroupConfig
-
Field Details
-
LOG
-
hdfsAclHelper
-
pathHelper
-
masterServices
-
initialized
-
aclTableInitialized
-
userProvider
Provider for mapping principal names to Users
-
-
Constructor Details
-
SnapshotScannerHDFSAclController
public SnapshotScannerHDFSAclController()
-
-
Method Details
-
getMasterObserver
- Specified by:
getMasterObserverin interfaceMasterCoprocessor
-
preMasterInitialization
public void preMasterInitialization(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException Description copied from interface:MasterObserverCall before the master initialization is set to true.HMasterprocess.- Specified by:
preMasterInitializationin interfaceMasterObserver- Throws:
IOException
-
postStartMaster
Description copied from interface:MasterObserverCalled immediately after an active master instance has completed initialization. Will not be called on standby master instances unless they take over the active role.- Specified by:
postStartMasterin interfaceMasterObserver- Throws:
IOException
-
preStopMaster
Description copied from interface:MasterObserverCalled immediately prior to stopping thisHMasterprocess.- Specified by:
preStopMasterin interfaceMasterObserver
-
postCompletedCreateTableAction
public void postCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> c, TableDescriptor desc, RegionInfo[] regions) throws IOException Description copied from interface:MasterObserverCalled after the createTable operation has been requested. Called as part of create table RPC call. Called as part of create table procedure and it is async to the create RPC call.- Specified by:
postCompletedCreateTableActionin interfaceMasterObserver- Parameters:
c- the environment to interact with the framework and masterdesc- the TableDescriptor for the tableregions- the initial regions created for the table- Throws:
IOException
-
postCreateNamespace
public void postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> c, NamespaceDescriptor ns) throws IOException Description copied from interface:MasterObserverCalled after the createNamespace operation has been requested.- Specified by:
postCreateNamespacein interfaceMasterObserver- Parameters:
c- the environment to interact with the framework and masterns- the NamespaceDescriptor for the table- Throws:
IOException
-
postCompletedSnapshotAction
public void postCompletedSnapshotAction(ObserverContext<MasterCoprocessorEnvironment> c, SnapshotDescription snapshot, TableDescriptor tableDescriptor) throws IOException Description copied from interface:MasterObserverCalled after the snapshot operation has been completed.- Specified by:
postCompletedSnapshotActionin interfaceMasterObserver- Parameters:
c- the environment to interact with the framework and mastersnapshot- the SnapshotDescriptor for the snapshottableDescriptor- the TableDescriptor of the table to snapshot- Throws:
IOException
-
postCompletedTruncateTableAction
public void postCompletedTruncateTableAction(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException Description copied from interface:MasterObserverCalled afterHMastertruncates a table. Called as part of truncate table procedure and it is async to the truncate RPC call.- Specified by:
postCompletedTruncateTableActionin interfaceMasterObserver- Parameters:
c- the environment to interact with the framework and mastertableName- the name of the table- Throws:
IOException
-
postCompletedDeleteTableAction
public void postCompletedDeleteTableAction(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName) throws IOException Description copied from interface:MasterObserverCalled afterHMasterdeletes a table. Called as part of delete table procedure and it is async to the delete RPC call.- Specified by:
postCompletedDeleteTableActionin interfaceMasterObserver- Parameters:
ctx- the environment to interact with the framework and mastertableName- the name of the table- Throws:
IOException
-
postModifyTable
public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName, TableDescriptor oldDescriptor, TableDescriptor currentDescriptor) throws IOException Description copied from interface:MasterObserverCalled after the modifyTable operation has been requested. Called as part of modify table RPC call.- Specified by:
postModifyTablein interfaceMasterObserver- Parameters:
ctx- the environment to interact with the framework and mastertableName- the name of the tableoldDescriptor- descriptor of table before modify operation happenedcurrentDescriptor- current TableDescriptor of the table- Throws:
IOException
-
postDeleteNamespace
public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace) throws IOException Description copied from interface:MasterObserverCalled after the deleteNamespace operation has been requested.- Specified by:
postDeleteNamespacein interfaceMasterObserver- Parameters:
ctx- the environment to interact with the framework and masternamespace- the name of the namespace- Throws:
IOException
-
postGrant
public void postGrant(ObserverContext<MasterCoprocessorEnvironment> c, UserPermission userPermission, boolean mergeExistingPermissions) throws IOException Description copied from interface:MasterObserverCalled after granting user permissions.- Specified by:
postGrantin interfaceMasterObserver- Parameters:
c- the coprocessor instance's environmentuserPermission- the user and permissionsmergeExistingPermissions- True if merge with previous granted permissions- Throws:
IOException
-
postRevoke
public void postRevoke(ObserverContext<MasterCoprocessorEnvironment> c, UserPermission userPermission) throws IOException Description copied from interface:MasterObserverCalled after revoking user permissions.- Specified by:
postRevokein interfaceMasterObserver- Parameters:
c- the coprocessor instance's environmentuserPermission- the user and permissions- Throws:
IOException
-
removeUserGlobalHdfsAcl
private void removeUserGlobalHdfsAcl(Table aclTable, String userName, UserPermission userPermission) throws IOException - Throws:
IOException
-
removeUserNamespaceHdfsAcl
private void removeUserNamespaceHdfsAcl(Table aclTable, String userName, String namespace, UserPermission userPermission) throws IOException - Throws:
IOException
-
removeUserTableHdfsAcl
private void removeUserTableHdfsAcl(Table aclTable, String userName, TableName tableName, UserPermission userPermission) throws IOException - Throws:
IOException
-
getUserGlobalPermission
private UserPermission getUserGlobalPermission(org.apache.hadoop.conf.Configuration conf, String userName) throws IOException - Throws:
IOException
-
getUserNamespacePermission
private UserPermission getUserNamespacePermission(org.apache.hadoop.conf.Configuration conf, String userName, String namespace) throws IOException - Throws:
IOException
-
getUserTablePermission
private UserPermission getUserTablePermission(org.apache.hadoop.conf.Configuration conf, String userName, TableName tableName) throws IOException - Throws:
IOException
-
isHdfsAclSet
- Throws:
IOException
-
isHdfsAclSet
- Throws:
IOException
-
isHdfsAclSet
private boolean isHdfsAclSet(Table aclTable, String userName, TableName tableName) throws IOException - Throws:
IOException
-
isHdfsAclSet
private boolean isHdfsAclSet(Table aclTable, String userName, String namespace, TableName tableName) throws IOException Check if user global/namespace/table HDFS acls is already set- Throws:
IOException
-
checkInitialized
-
needHandleTableHdfsAcl
- Throws:
IOException
-
needHandleTableHdfsAcl
- Throws:
IOException
-
needHandleTableHdfsAcl
-
getActiveUser
- Throws:
IOException
-
filterUsersToRemoveNsAccessAcl
private Set<String> filterUsersToRemoveNsAccessAcl(Table aclTable, TableName tableName, Set<String> tablesUsers) throws IOException Remove table user access HDFS acl from namespace directory if the user has no permissions of global, ns of the table or other tables of the ns, eg: Bob has 'ns1:t1' read permission, when delete 'ns1:t1', if Bob has global read permission, '@ns1' read permission or 'ns1:other_tables' read permission, then skip remove Bob access acl in ns1Dirs, otherwise, remove Bob access acl.- Parameters:
aclTable- acl tabletableName- the name of the tabletablesUsers- table users set- Returns:
- users whose access acl will be removed from the namespace of the table
- Throws:
IOException- if an error occurred
-