Package org.apache.hadoop.hbase.security.access

Class SnapshotScannerHDFSAclHelper

java.lang.Object

org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclHelper

All Implemented Interfaces:

Closeable, AutoCloseable

@Private
public class SnapshotScannerHDFSAclHelper
extends Object
implements Closeable

A helper to modify or remove HBase granted user default and access HDFS ACLs over hFiles.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
private static class	SnapshotScannerHDFSAclHelper.HDFSAclOperation	Inner class used to describe modify or remove what type of acl entries(ACCESS, DEFAULT, ACCESS_AND_DEFAULT) for files or directories(and child files).
(package private) static final class	SnapshotScannerHDFSAclHelper.PathHelper

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ACL_SYNC_TO_HDFS_ENABLE
static final String	ACL_SYNC_TO_HDFS_THREAD_NUMBER
private Admin	admin
static final String	COMMON_DIRECTORY_PERMISSION
static final String	COMMON_DIRECTORY_PERMISSION_DEFAULT
private final org.apache.hadoop.conf.Configuration	conf
private org.apache.hadoop.fs.FileSystem	fs
private static final org.slf4j.Logger	LOG
private SnapshotScannerHDFSAclHelper.PathHelper	pathHelper
private ExecutorService	pool
static final String	SNAPSHOT_RESTORE_DIRECTORY_PERMISSION
static final String	SNAPSHOT_RESTORE_DIRECTORY_PERMISSION_DEFAULT
static final String	SNAPSHOT_RESTORE_TMP_DIR
static final String	SNAPSHOT_RESTORE_TMP_DIR_DEFAULT

Constructor Summary

Constructors

Constructor	Description
SnapshotScannerHDFSAclHelper(org.apache.hadoop.conf.Configuration configuration, Connection connection)

Method Summary

Modifier and Type	Method	Description
private static org.apache.hadoop.fs.permission.AclEntry	aclEntry(org.apache.hadoop.fs.permission.AclEntryScope scope, String name)
boolean	addTableAcl(TableName tableName, Set<String> users, String operation)	Add table user acls
private boolean	checkUserPermission(UserPermission userPermission)
void	close()
(package private) boolean	containReadAction(UserPermission userPermission)
(package private) void	createDirIfNotExist(org.apache.hadoop.fs.Path path)
(package private) void	createTableDirectories(TableName tableName)
(package private) void	deleteEmptyDir(org.apache.hadoop.fs.Path path)
(package private) List<org.apache.hadoop.fs.Path>	getGlobalRootPaths()	return paths that user will global permission will visit
(package private) List<org.apache.hadoop.fs.Path>	getNamespaceRootPaths(String namespace)	return paths that user will namespace permission will visit
(package private) SnapshotScannerHDFSAclHelper.PathHelper	getPathHelper()
(package private) List<org.apache.hadoop.fs.Path>	getTableRootPaths(TableName tableName, boolean includeSnapshotPath)	return paths that user will table permission will visit
private List<org.apache.hadoop.fs.Path>	getTableSnapshotPaths(TableName tableName)
private Set<String>	getUsersWithGlobalReadAction()	Return users with global read permission
(package private) Set<String>	getUsersWithNamespaceReadAction(String namespace, boolean includeGlobal)	Return users with namespace read permission
private Set<String>	getUsersWithReadAction(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> permissionMultimap)
(package private) Set<String>	getUsersWithTableReadAction(TableName tableName, boolean includeNamespace, boolean includeGlobal)	Return users with table read permission
boolean	grantAcl(UserPermission userPermission, Set<String> skipNamespaces, Set<TableName> skipTables)	Set acl when grant user permission
private void	handleGlobalAcl(Set<String> users, Set<String> skipNamespaces, Set<TableName> skipTables, SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
private void	handleGrantOrRevokeAcl(UserPermission userPermission, SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType, Set<String> skipNamespaces, Set<TableName> skipTables)
private CompletableFuture<Void>	handleHDFSAcl(SnapshotScannerHDFSAclHelper.HDFSAclOperation acl)
private CompletableFuture<Void>	handleHDFSAclParallel(List<SnapshotScannerHDFSAclHelper.HDFSAclOperation> operations)
private CompletableFuture<Void>	handleHDFSAclSequential(List<SnapshotScannerHDFSAclHelper.HDFSAclOperation> operations)
private void	handleNamespaceAccessAcl(String namespace, Set<String> users, SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
private void	handleNamespaceAcl(Set<String> namespaces, Set<String> users, Set<String> skipNamespaces, Set<TableName> skipTables, SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
private void	handleTableAcl(Set<TableName> tableNames, Set<String> users, Set<String> skipNamespaces, Set<TableName> skipTables, SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
static boolean	isAclSyncToHdfsEnabled(org.apache.hadoop.conf.Configuration conf)
(package private) boolean	isAclSyncToHdfsEnabled(TableDescriptor tableDescriptor)
(package private) boolean	isNotFamilyOrQualifierPermission(TablePermission tablePermission)
boolean	removeNamespaceAccessAcl(TableName tableName, Set<String> removeUsers, String operation)	Remove table access acl from namespace dir when delete table
boolean	removeNamespaceDefaultAcl(String namespace, Set<String> removeUsers)	Remove default acl from namespace archive dir when delete namespace
boolean	removeTableAcl(TableName tableName, Set<String> users)	Remove table acls when modify table
boolean	removeTableDefaultAcl(TableName tableName, Set<String> removeUsers)	Remove default acl from table archive dir when delete table
boolean	revokeAcl(UserPermission userPermission, Set<String> skipNamespaces, Set<TableName> skipTables)	Remove acl when grant or revoke user permission
void	setCommonDirectoryPermission()
boolean	snapshotAcl(SnapshotDescription snapshot)	Set acl when take a snapshot

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

LOG

private static final org.slf4j.Logger LOG

ACL_SYNC_TO_HDFS_ENABLE

public static final String ACL_SYNC_TO_HDFS_ENABLE

See Also:

• Constant Field Values

ACL_SYNC_TO_HDFS_THREAD_NUMBER

public static final String ACL_SYNC_TO_HDFS_THREAD_NUMBER

See Also:

• Constant Field Values

SNAPSHOT_RESTORE_TMP_DIR

public static final String SNAPSHOT_RESTORE_TMP_DIR

See Also:

• Constant Field Values

SNAPSHOT_RESTORE_TMP_DIR_DEFAULT

public static final String SNAPSHOT_RESTORE_TMP_DIR_DEFAULT

See Also:

• Constant Field Values

COMMON_DIRECTORY_PERMISSION

public static final String COMMON_DIRECTORY_PERMISSION

See Also:

• Constant Field Values

COMMON_DIRECTORY_PERMISSION_DEFAULT

public static final String COMMON_DIRECTORY_PERMISSION_DEFAULT

See Also:

• Constant Field Values

SNAPSHOT_RESTORE_DIRECTORY_PERMISSION

public static final String SNAPSHOT_RESTORE_DIRECTORY_PERMISSION

See Also:

• Constant Field Values

SNAPSHOT_RESTORE_DIRECTORY_PERMISSION_DEFAULT

public static final String SNAPSHOT_RESTORE_DIRECTORY_PERMISSION_DEFAULT

See Also:

• Constant Field Values

admin

private Admin admin

conf

private final org.apache.hadoop.conf.Configuration conf

fs

private org.apache.hadoop.fs.FileSystem fs

pathHelper

private SnapshotScannerHDFSAclHelper.PathHelper pathHelper

pool

private ExecutorService pool

Constructor Details

SnapshotScannerHDFSAclHelper

public SnapshotScannerHDFSAclHelper(org.apache.hadoop.conf.Configuration configuration,
 Connection connection)
                             throws IOException

Throws:

IOException

Method Details

close

public void close()

Specified by:

close in interface AutoCloseable

Specified by:

close in interface Closeable

setCommonDirectoryPermission

public void setCommonDirectoryPermission()
                                  throws IOException

Throws:

IOException

grantAcl

public boolean grantAcl(UserPermission userPermission,
 Set<String> skipNamespaces,
 Set<TableName> skipTables)

Set acl when grant user permission

Parameters:

userPermission - the user and permission

skipNamespaces - the namespace set to skip set acl because already set

skipTables - the table set to skip set acl because already set

Returns:

false if an error occurred, otherwise true

revokeAcl

public boolean revokeAcl(UserPermission userPermission,
 Set<String> skipNamespaces,
 Set<TableName> skipTables)

Remove acl when grant or revoke user permission

Parameters:

userPermission - the user and permission

skipNamespaces - the namespace set to skip remove acl

skipTables - the table set to skip remove acl

Returns:

false if an error occurred, otherwise true

snapshotAcl

public boolean snapshotAcl(SnapshotDescription snapshot)

Set acl when take a snapshot

Parameters:

snapshot - the snapshot desc

Returns:

false if an error occurred, otherwise true

removeNamespaceAccessAcl

public boolean removeNamespaceAccessAcl(TableName tableName,
 Set<String> removeUsers,
 String operation)

Remove table access acl from namespace dir when delete table

Parameters:

tableName - the table

removeUsers - the users whose access acl will be removed

Returns:

false if an error occurred, otherwise true

removeNamespaceDefaultAcl

public boolean removeNamespaceDefaultAcl(String namespace,
 Set<String> removeUsers)

Remove default acl from namespace archive dir when delete namespace

Parameters:

namespace - the namespace

removeUsers - the users whose default acl will be removed

Returns:

false if an error occurred, otherwise true

removeTableDefaultAcl

public boolean removeTableDefaultAcl(TableName tableName,
 Set<String> removeUsers)

Remove default acl from table archive dir when delete table

Parameters:

tableName - the table name

removeUsers - the users whose default acl will be removed

Returns:

false if an error occurred, otherwise true

addTableAcl

public boolean addTableAcl(TableName tableName,
 Set<String> users,
 String operation)

Add table user acls

Parameters:

tableName - the table

users - the table users with READ permission

Returns:

false if an error occurred, otherwise true

removeTableAcl

public boolean removeTableAcl(TableName tableName,
 Set<String> users)

Remove table acls when modify table

Parameters:

tableName - the table

users - the table users with READ permission

Returns:

false if an error occurred, otherwise true

handleGrantOrRevokeAcl

private void handleGrantOrRevokeAcl(UserPermission userPermission,
 SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType,
 Set<String> skipNamespaces,
 Set<TableName> skipTables)
                             throws ExecutionException,
InterruptedException,
IOException

Throws:

ExecutionException

InterruptedException

IOException

handleGlobalAcl

private void handleGlobalAcl(Set<String> users,
 Set<String> skipNamespaces,
 Set<TableName> skipTables,
 SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
                      throws ExecutionException,
InterruptedException,
IOException

Throws:

ExecutionException

InterruptedException

IOException

handleNamespaceAcl

private void handleNamespaceAcl(Set<String> namespaces,
 Set<String> users,
 Set<String> skipNamespaces,
 Set<TableName> skipTables,
 SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
                         throws ExecutionException,
InterruptedException,
IOException

Throws:

ExecutionException

InterruptedException

IOException

handleTableAcl

private void handleTableAcl(Set<TableName> tableNames,
 Set<String> users,
 Set<String> skipNamespaces,
 Set<TableName> skipTables,
 SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
                     throws ExecutionException,
InterruptedException,
IOException

Throws:

ExecutionException

InterruptedException

IOException

handleNamespaceAccessAcl

private void handleNamespaceAccessAcl(String namespace,
 Set<String> users,
 SnapshotScannerHDFSAclHelper.HDFSAclOperation.OperationType operationType)
                               throws ExecutionException,
InterruptedException

Throws:

ExecutionException

InterruptedException

createTableDirectories

void createTableDirectories(TableName tableName)
                     throws IOException

Throws:

IOException

getGlobalRootPaths

List<org.apache.hadoop.fs.Path> getGlobalRootPaths()

return paths that user will global permission will visit

Returns:

the path list

getNamespaceRootPaths

List<org.apache.hadoop.fs.Path> getNamespaceRootPaths(String namespace)

return paths that user will namespace permission will visit

Parameters:

namespace - the namespace

Returns:

the path list

getTableRootPaths

List<org.apache.hadoop.fs.Path> getTableRootPaths(TableName tableName,
 boolean includeSnapshotPath)
                                           throws IOException

return paths that user will table permission will visit

Parameters:

tableName - the table

includeSnapshotPath - true if return table snapshots paths, otherwise false

Returns:

the path list

Throws:

IOException - if an error occurred

getTableSnapshotPaths

private List<org.apache.hadoop.fs.Path> getTableSnapshotPaths(TableName tableName)
                                                       throws IOException

Throws:

IOException

getUsersWithGlobalReadAction

private Set<String> getUsersWithGlobalReadAction()
                                          throws IOException

Return users with global read permission

Returns:

users with global read permission

Throws:

IOException - if an error occurred

getUsersWithNamespaceReadAction

Set<String> getUsersWithNamespaceReadAction(String namespace,
 boolean includeGlobal)
                                     throws IOException

Return users with namespace read permission

Parameters:

namespace - the namespace

includeGlobal - true if include users with global read action

Returns:

users with namespace read permission

Throws:

IOException - if an error occurred

getUsersWithTableReadAction

Set<String> getUsersWithTableReadAction(TableName tableName,
 boolean includeNamespace,
 boolean includeGlobal)
                                 throws IOException

Return users with table read permission

Parameters:

tableName - the table

includeNamespace - true if include users with namespace read action

includeGlobal - true if include users with global read action

Returns:

users with table read permission

Throws:

IOException - if an error occurred

getUsersWithReadAction

private Set<String> getUsersWithReadAction(org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap<String,UserPermission> permissionMultimap)

checkUserPermission

private boolean checkUserPermission(UserPermission userPermission)

containReadAction

boolean containReadAction(UserPermission userPermission)

isNotFamilyOrQualifierPermission

boolean isNotFamilyOrQualifierPermission(TablePermission tablePermission)

isAclSyncToHdfsEnabled

public static boolean isAclSyncToHdfsEnabled(org.apache.hadoop.conf.Configuration conf)

isAclSyncToHdfsEnabled

boolean isAclSyncToHdfsEnabled(TableDescriptor tableDescriptor)

getPathHelper

SnapshotScannerHDFSAclHelper.PathHelper getPathHelper()

handleHDFSAcl

private CompletableFuture<Void> handleHDFSAcl(SnapshotScannerHDFSAclHelper.HDFSAclOperation acl)

handleHDFSAclSequential

private CompletableFuture<Void> handleHDFSAclSequential(List<SnapshotScannerHDFSAclHelper.HDFSAclOperation> operations)

handleHDFSAclParallel

private CompletableFuture<Void> handleHDFSAclParallel(List<SnapshotScannerHDFSAclHelper.HDFSAclOperation> operations)

aclEntry

private static org.apache.hadoop.fs.permission.AclEntry aclEntry(org.apache.hadoop.fs.permission.AclEntryScope scope,
 String name)

createDirIfNotExist

void createDirIfNotExist(org.apache.hadoop.fs.Path path)
                  throws IOException

Throws:

IOException

deleteEmptyDir

void deleteEmptyDir(org.apache.hadoop.fs.Path path)
             throws IOException

Throws:

IOException