001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security;
019
020import org.apache.hadoop.conf.Configuration;
021import org.apache.hadoop.security.authorize.PolicyProvider;
022import org.apache.hadoop.security.authorize.ProxyUsers;
023import org.apache.hadoop.security.authorize.Service;
024import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
025import org.apache.yetus.audience.InterfaceAudience;
026
027import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
028import org.apache.hadoop.hbase.shaded.protobuf.generated.BootstrapNodeProtos.BootstrapNodeService;
029import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.ClientService;
030import org.apache.hadoop.hbase.shaded.protobuf.generated.LockServiceProtos.LockService;
031import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos;
032import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.MasterService;
033import org.apache.hadoop.hbase.shaded.protobuf.generated.RegionServerStatusProtos.RegionServerStatusService;
034import org.apache.hadoop.hbase.shaded.protobuf.generated.RegistryProtos;
035
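/**
 * Implementation of secure Hadoop policy provider for mapping protocol interfaces to
 * hbase-policy.xml entries.
 * <p>
 * Each {@link Service} entry pairs an ACL configuration key with one RPC protocol interface.
 * Several interfaces share the same key, so they are all registered under one ACL entry.
 * NOTE(review): a protocol that is missing from this table has no ACL key mapped to it; confirm
 * how the authorization manager treats such protocols before adding a new RPC interface.
 */
@InterfaceAudience.Private
public class HBasePolicyProvider extends PolicyProvider {
  // Shared protocol-to-ACL-key table. The reference is final but the array itself is mutable and
  // visible to subclasses and same-package code; it must be treated as read-only, because every
  // provider instance hands out its contents through getServices().
  protected final static Service[] services =
    { new Service("security.client.protocol.acl", ClientService.BlockingInterface.class),
      new Service("security.client.protocol.acl", AdminService.BlockingInterface.class),
      new Service("security.client.protocol.acl", MasterProtos.HbckService.BlockingInterface.class),
      new Service("security.client.protocol.acl",
        RegistryProtos.ClientMetaService.BlockingInterface.class),
      new Service("security.admin.protocol.acl", MasterService.BlockingInterface.class),
      new Service("security.admin.protocol.acl", LockService.BlockingInterface.class),
      new Service("security.masterregion.protocol.acl",
        RegionServerStatusService.BlockingInterface.class),
      new Service("security.regionserver.protocol.acl",
        BootstrapNodeService.BlockingInterface.class) };

  /**
   * Returns the protocol-to-ACL-key table.
   * <p>
   * A copy is returned so that writing into the returned array cannot alter the shared static
   * table that later policy refreshes are built from.
   * @return a fresh array holding the registered {@link Service} entries
   */
  @Override
  public Service[] getServices() {
    return services.clone();
  }

  /**
   * Points Hadoop's policy loading at {@code hbase-policy.xml} and, when service-level
   * authorization is enabled in {@code conf}, loads the service ACLs and the proxy-user settings.
   * <p>
   * The {@code hadoop.policy.file} system property is set unconditionally and applies to the
   * whole JVM. Service-level authorization is opt-in: if
   * {@link ServiceAuthorizationManager#SERVICE_AUTHORIZATION_CONFIG} is absent or false, this
   * method loads nothing into {@code authManager} and leaves the proxy-user configuration
   * untouched, so the ACL keys listed in {@link #services} are not applied by this call.
   * @param conf        configuration read for the authorization flag and passed to both refresh
   *                    calls
   * @param authManager authorization manager that receives the policy built from this provider
   */
  public static void init(Configuration conf, ServiceAuthorizationManager authManager) {
    // set service-level authorization security policy
    System.setProperty("hadoop.policy.file", "hbase-policy.xml");
    if (conf.getBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false)) {
      authManager.refresh(conf, new HBasePolicyProvider());
      // Impersonation (proxy-user) rules are reloaded only together with the service ACLs.
      ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
    }
  }
}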