org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment Java Examples

The following examples show how to use org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment.
Example #1
Source File: HBaseAtlasCoprocessor.java    From atlas with Apache License 2.0 6 votes vote down vote up
/**
 * Relays the post-clone-snapshot master hook to {@code implMasterObserver}.
 *
 * <p>The delegate call is bracketed by {@code activatePluginClassLoader()} and
 * {@code deactivatePluginClassLoader()}. Deactivation sits in a {@code finally} block, so it
 * runs even when activation or the delegate throws; in that case the closing debug line is
 * never written.
 *
 * @param observerContext context passed through to the delegate
 * @param snapshot        snapshot descriptor passed through to the delegate
 * @param tableDescriptor table descriptor passed through to the delegate
 * @throws IOException if the delegate throws it
 */
@Override
public void postCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext,
                              SnapshotDescription snapshot,
                              TableDescriptor tableDescriptor) throws IOException {
    // Entry trace, only at debug level.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> HBaseAtlasCoprocessor.postCloneSnapshot()");
    }

    try {
        // Activation is inside the try so the finally block also undoes a partial activation.
        activatePluginClassLoader();
        implMasterObserver.postCloneSnapshot(observerContext, snapshot, tableDescriptor);
    } finally {
        deactivatePluginClassLoader();
    }

    // Exit trace; skipped when the delegate threw.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HBaseAtlasCoprocessor.postCloneSnapshot()");
    }
}
 
Example #2
Source File: HBaseAtlasCoprocessor.java    From atlas with Apache License 2.0 6 votes vote down vote up
/**
 * Relays the post-restore-snapshot master hook to {@code implMasterObserver}.
 *
 * <p>The delegate runs between {@code activatePluginClassLoader()} and
 * {@code deactivatePluginClassLoader()}; the latter is in a {@code finally} block and therefore
 * runs on both normal and exceptional exit.
 *
 * @param observerContext context passed through to the delegate
 * @param snapshot        snapshot descriptor passed through to the delegate
 * @param tableDescriptor table descriptor passed through to the delegate
 * @throws IOException if the delegate throws it
 */
@Override
public void postRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext,
                                SnapshotDescription snapshot,
                                TableDescriptor tableDescriptor) throws IOException {
    // Entry trace, only at debug level.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> HBaseAtlasCoprocessor.postRestoreSnapshot()");
    }

    try {
        // Activation is inside the try so the finally block also undoes a partial activation.
        activatePluginClassLoader();
        implMasterObserver.postRestoreSnapshot(observerContext, snapshot, tableDescriptor);
    } finally {
        deactivatePluginClassLoader();
    }

    // Exit trace; skipped when the delegate threw.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HBaseAtlasCoprocessor.postRestoreSnapshot()");
    }
}
 
Example #3
Source File: HBaseAtlasCoprocessor.java    From atlas with Apache License 2.0 6 votes vote down vote up
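/**
 * Relays the post-delete-namespace master hook to {@code implMasterObserver}.
 *
 * <p>The delegate runs between {@code activatePluginClassLoader()} and
 * {@code deactivatePluginClassLoader()}; the latter is in a {@code finally} block and therefore
 * runs on both normal and exceptional exit.
 *
 * @param ctx context passed through to the delegate
 * @param ns  namespace name passed through to the delegate
 * @throws IOException if the delegate throws it
 */
@Override
public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String ns) throws IOException {
    // The trace lines name this hook. The previous text said "preDeleteNamespace", which made
    // pre- and post-hook entries indistinguishable when reading the debug log.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> HBaseAtlasCoprocessor.postDeleteNamespace()");
    }

    try {
        // Activation is inside the try so the finally block also undoes a partial activation.
        activatePluginClassLoader();
        implMasterObserver.postDeleteNamespace(ctx, ns);
    } finally {
        deactivatePluginClassLoader();
    }

    // Exit trace; skipped when the delegate threw.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HBaseAtlasCoprocessor.postDeleteNamespace()");
    }
}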
 
Example #4
Source File: AccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Authorizes a clone-snapshot request before the master executes it.
 *
 * <p>Two paths exist. The snapshot owner is let through without an ADMIN check, but only when
 * the target table name equals the table name recorded in the snapshot; that decision is
 * written to the audit log through {@code AccessChecker.logResult}. Every other caller, and an
 * owner cloning onto a different table name, must pass
 * {@code accessChecker.requirePermission(..., Action.ADMIN)}.
 *
 * @param ctx              observer context, used to resolve the active user
 * @param snapshot         snapshot being cloned
 * @param hTableDescriptor descriptor of the table the clone would create
 * @throws IOException if the permission check rejects the request or fails
 */
@Override
public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
    throws IOException {
  final User caller = getActiveUser(ctx);

  // Short-circuit order matters: the name comparison only runs for the snapshot owner.
  final boolean ownerCloningOntoSameName =
      SnapshotDescriptionUtils.isSnapshotOwner(snapshot, caller)
          && hTableDescriptor.getTableName().getNameAsString()
              .equals(snapshot.getTableNameAsString());

  if (!ownerCloningOntoSameName) {
    accessChecker.requirePermission(caller, "cloneSnapshot " + snapshot.getName(), null,
      Action.ADMIN);
    return;
  }

  // Owner exemption: record the allow decision so the bypass is visible in the audit trail.
  AuthResult ownerAllowed = AuthResult.allow("cloneSnapshot " + snapshot.getName(),
    "Snapshot owner check allowed", caller, null, hTableDescriptor.getTableName(), null);
  AccessChecker.logResult(ownerAllowed);
}
 
Example #5
Source File: AccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Authorizes a truncate-table request and snapshots the table's ACL entries.
 *
 * <p>The caller's permission is checked first. Only after that check passes are the table's
 * permissions read, as the login user rather than as the caller, and stored in
 * {@code tableAcls} under the table name. What later consumes that map is not visible here.
 *
 * @param c         observer context; supplies the configuration
 * @param tableName table about to be truncated
 * @throws IOException if the permission check rejects the request or the ACL read fails
 */
@Override
public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> c,
    final TableName tableName) throws IOException {
  requirePermission(c, "truncateTable", tableName, null, null, Action.ADMIN, Action.CREATE);

  final Configuration conf = c.getEnvironment().getConfiguration();

  // Runs with the login user's identity, so the ACL read does not depend on the caller's rights.
  PrivilegedExceptionAction<Void> rememberAcls = () -> {
    List<UserPermission> currentAcls =
        PermissionStorage.getUserTablePermissions(conf, tableName, null, null, null, false);
    if (currentAcls != null) {
      tableAcls.put(tableName, currentAcls);
    }
    return null;
  };
  User.runAsLoginUser(rememberAcls);
}
 
Example #6
Source File: VisibilityController.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Initializes the controller from the coprocessor environment.
 *
 * <p>Steps, in order: cache the configuration; record whether authorization is supported and
 * warn when it is not (loading continues with checks disabled); refuse to start when the
 * configured HFile format version is below the first version that supports tags; finally, for
 * non-master environments only, obtain the visibility label service.
 *
 * @param env environment the coprocessor was loaded into
 * @throws IOException declared by the interface
 * @throws RuntimeException if the HFile format version cannot persist visibility labels
 */
@Override
public void start(CoprocessorEnvironment env) throws IOException {
  this.conf = env.getConfiguration();

  authorizationEnabled = AccessChecker.isAuthorizationSupported(conf);
  if (!authorizationEnabled) {
    // Not fatal: the controller stays loaded, so this warning is the only signal that
    // authorization checks are off.
    LOG.warn("The VisibilityController has been loaded with authorization checks disabled.");
  }

  final boolean formatTooOld =
      HFile.getFormatVersion(conf) < HFile.MIN_FORMAT_VERSION_WITH_TAGS;
  if (formatTooOld) {
    throw new RuntimeException("A minimum HFile version of " + HFile.MIN_FORMAT_VERSION_WITH_TAGS
      + " is required to persist visibility labels. Consider setting " + HFile.FORMAT_VERSION_KEY
      + " accordingly.");
  }

  // Master coprocessors do not get a label service instance.
  if (env instanceof MasterCoprocessorEnvironment) {
    return;
  }
  visibilityLabelService = VisibilityLabelServiceManager.getInstance()
      .getVisibilityLabelService(this.conf);
}
 
Example #7
Source File: CoprocessorWhitelistMasterObserver.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Checks every coprocessor declared on a table descriptor against the configured whitelist
 * of jar paths and rejects the descriptor on the first coprocessor that matches none.
 *
 * <p>Only descriptors that carry a jar path are checked; a coprocessor declared without a jar
 * path passes through this method untouched. The matching rule itself lives in
 * {@code validatePath}, which is not shown here. An empty whitelist matches nothing, so any
 * coprocessor with a jar path is then denied.
 *
 * @param  ctx         as passed in from the coprocessor; supplies the configuration
 * @param  htd         table descriptor whose coprocessor descriptors are verified
 * @throws IOException if a jar path is not covered by the whitelist or a failure
 *                     occurs in processing
 */
private static void verifyCoprocessors(ObserverContext<MasterCoprocessorEnvironment> ctx,
    TableDescriptor htd) throws IOException {
  final Collection<String> whitelist =
    ctx.getEnvironment().getConfiguration().getStringCollection(
          CP_COPROCESSOR_WHITELIST_PATHS_KEY);

  for (CoprocessorDescriptor cp : htd.getCoprocessorDescriptors()) {
    if (!cp.getJarPath().isPresent()) {
      // No jar path on the descriptor: nothing to compare against the whitelist.
      continue;
    }

    boolean allowed = false;
    for (String entry : whitelist) {
      Path wlPath = new Path(entry);
      if (validatePath(new Path(cp.getJarPath().get()), wlPath)) {
        LOG.debug(String.format("Coprocessor %s found in directory %s",
          cp.getClassName(), entry));
        allowed = true;
        break; // first matching whitelist entry is enough
      }
    }

    if (!allowed) {
      // Fail closed: the exception aborts the table operation that triggered the check.
      throw new IOException(String.format("Loading %s DENIED in %s",
        cp.getClassName(), CP_COPROCESSOR_WHITELIST_PATHS_KEY));
    }
  }
}
 
Example #8
Source File: HBaseAtlasCoprocessor.java    From atlas with Apache License 2.0 6 votes vote down vote up
/**
 * Relays the post-modify-table master hook to {@code implMasterObserver}.
 *
 * <p>The delegate runs between {@code activatePluginClassLoader()} and
 * {@code deactivatePluginClassLoader()}; the latter is in a {@code finally} block and therefore
 * runs on both normal and exceptional exit.
 *
 * @param ctx       context passed through to the delegate
 * @param tableName table name passed through to the delegate
 * @param htd       table descriptor passed through to the delegate
 * @throws IOException if the delegate throws it
 */
@Override
public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
                            TableName tableName,
                            TableDescriptor htd) throws IOException {
    // Entry trace, only at debug level.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> HBaseAtlasCoprocessor.postModifyTable()");
    }

    try {
        // Activation is inside the try so the finally block also undoes a partial activation.
        activatePluginClassLoader();
        implMasterObserver.postModifyTable(ctx, tableName, htd);
    } finally {
        deactivatePluginClassLoader();
    }

    // Exit trace; skipped when the delegate threw.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HBaseAtlasCoprocessor.postModifyTable()");
    }
}
 
Example #9
Source File: AccessController.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Override
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
    final TableName tableName) throws IOException {
  final Configuration conf = c.getEnvironment().getConfiguration();
  User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Table table =
          c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
        PermissionStorage.removeTablePermissions(conf, tableName, table);
      }
      return null;
    }
  });
  zkPermissionWatcher.deleteTableACLNode(tableName);
}
 
Example #10
Source File: SnapshotScannerHDFSAclController.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * Sets up HDFS ACLs for a newly created table when {@code needHandleTableHdfsAcl} says the
 * table is in scope.
 *
 * <p>The owner is the descriptor's owner string when present, otherwise the short name of the
 * active user taken from the observer context.
 *
 * @param c       observer context; supplies the active user and the connection
 * @param desc    descriptor of the created table
 * @param regions regions of the created table (unused here)
 * @throws IOException if any of the HDFS or ACL-table operations fails
 */
@Override
public void postCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> c,
    TableDescriptor desc, RegionInfo[] regions) throws IOException {
  if (!needHandleTableHdfsAcl(desc, "createTable " + desc.getTableName())) {
    return;
  }

  final TableName tableName = desc.getTableName();

  // 1. Create the table directories so that HDFS ACLs can be inherited.
  hdfsAclHelper.createTableDirectories(tableName);

  // 2. Grant the table owner its HDFS ACLs.
  final String owner;
  if (desc.getOwnerString() == null) {
    owner = getActiveUser(c).getShortName();
  } else {
    owner = desc.getOwnerString();
  }
  hdfsAclHelper.addTableAcl(tableName, Sets.newHashSet(owner), "create");

  // 3. Record in the ACL table that the owner's permission has been synced to HDFS.
  SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(c.getEnvironment().getConnection(), owner,
    tableName);
}
 
Example #11
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes a table flush by passing {@code Action.ADMIN} and {@code Action.CREATE} to
 * {@code requirePermission} for the given table.
 *
 * @param ctx       observer context identifying the caller
 * @param tableName table to be flushed
 * @throws IOException if the permission check rejects the request or fails
 */
@Override
public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final TableName tableName) throws IOException {
  // Move this ACL check to MasterFlushTableProcedureManager#checkPermissions as part of AC
  // deprecation.
  requirePermission(ctx, "flushTable", tableName, null, null, Action.ADMIN, Action.CREATE);
}
 
Example #12
Source File: HBaseAtlasCoprocessor.java    From atlas with Apache License 2.0 5 votes vote down vote up
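/**
 * Reports a namespace deletion to Atlas through {@code hbaseAtlasHook}.
 *
 * @param observerContext context forwarded to the hook
 * @param s               name of the deleted namespace
 * @throws IOException declared by the observer interface
 */
@Override
public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, String s) throws IOException {
    // Entry is logged at INFO and unguarded, unchanged from the previous version.
    LOG.info("==> HBaseAtlasCoprocessor.postDeleteNamespace()");

    hbaseAtlasHook.sendHBaseNameSpaceOperation(null, s, HBaseAtlasHook.OPERATION.DELETE_NAMESPACE, observerContext);

    // Exit marker is "<==". It used to repeat the entry marker "==>", so the log showed two
    // entries and no exit for each call.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HBaseAtlasCoprocessor.postDeleteNamespace()");
    }
}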
 
Example #13
Source File: TestNamespaceAuditor.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Test hook: fails table creation on demand.
 *
 * @param ctx     observer context (unused)
 * @param desc    descriptor of the table being created (unused)
 * @param regions regions of the table being created (unused)
 * @throws IOException when {@code throwExceptionInPreCreateTableAction} is set
 */
@Override
public void preCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> ctx,
    TableDescriptor desc, RegionInfo[] regions) throws IOException {
  if (!throwExceptionInPreCreateTableAction) {
    return;
  }
  throw new IOException("Throw exception as it is demanded.");
}
 
Example #14
Source File: TestMasterAbortWhileMergingTable.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Test hook: signals that the merge has reached its commit step by counting down
 * {@code mergeCommitArrive}, then logs the event.
 *
 * @param ctx            observer context (unused)
 * @param regionsToMerge regions being merged (unused)
 * @param metaEntries    meta mutations of the merge (unused)
 */
@Override
public void preMergeRegionsCommitAction(ObserverContext<MasterCoprocessorEnvironment> ctx,
    RegionInfo[] regionsToMerge, List<Mutation> metaEntries) {
  mergeCommitArrive.countDown();
  // Logged at ERROR level by the original test code.
  LOG.error("mergeCommitArrive countdown");
}
 
Example #15
Source File: JMXListener.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Reads the RMI registry and connector ports for the current environment and starts the JMX
 * connector server unless one is already recorded in {@code JMX_CS}.
 *
 * <p>Port keys are prefixed with {@code "master"} or {@code "regionserver"}; the connector port
 * defaults to the registry port. In a region environment the method logs an error and returns
 * without starting anything. How the connector is secured (authentication, transport) is
 * decided in {@code startConnectorServer}, which is not shown here.
 *
 * @param env environment the coprocessor was loaded into
 * @throws IOException if starting the connector server fails
 */
@Override
public void start(CoprocessorEnvironment env) throws IOException {
  int registryPort = -1;
  int connectorPort = -1;
  final Configuration conf = env.getConfiguration();

  if (env instanceof MasterCoprocessorEnvironment) {
    // running on Master
    registryPort = conf.getInt("master" + RMI_REGISTRY_PORT_CONF_KEY, defMasterRMIRegistryPort);
    connectorPort = conf.getInt("master" + RMI_CONNECTOR_PORT_CONF_KEY, registryPort);
    LOG.info("Master rmiRegistryPort:" + registryPort + ",Master rmiConnectorPort:"
        + connectorPort);
  } else if (env instanceof RegionServerCoprocessorEnvironment) {
    // running on RegionServer
    registryPort = conf.getInt("regionserver" + RMI_REGISTRY_PORT_CONF_KEY,
      defRegionserverRMIRegistryPort);
    connectorPort = conf.getInt("regionserver" + RMI_CONNECTOR_PORT_CONF_KEY, registryPort);
    LOG.info("RegionServer rmiRegistryPort:" + registryPort
      + ",RegionServer rmiConnectorPort:" + connectorPort);
  } else if (env instanceof RegionCoprocessorEnvironment) {
    LOG.error("JMXListener should not be loaded in Region Environment!");
    return;
  }
  // NOTE(review): an environment of any other type falls through with both ports still -1.

  // Class-level lock: the check of JMX_CS and the start are one atomic step across instances.
  synchronized (JMXListener.class) {
    if (JMX_CS == null) {
      startConnectorServer(registryPort, connectorPort);
    } else {
      // NOTE(review): the port printed is the one read in this call, which may differ from
      // the port the existing connector was started on.
      LOG.info("JMXListener has been started at Registry port " + registryPort);
    }
  }
}
 
Example #16
Source File: SecureTestUtil.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Test hook: releases {@code tableDeletionLatch}, when one is set, once a table deletion has
 * completed.
 *
 * @param ctx       observer context (unused)
 * @param tableName deleted table (unused)
 * @throws IOException declared by the observer interface
 */
@Override
public void postCompletedDeleteTableAction(
    final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final TableName tableName) throws IOException {
  // The AccessController test sometimes calls only this hook, and calls it directly, so the
  // latch is not assumed to exist.
  if (tableDeletionLatch == null) {
    return;
  }
  tableDeletionLatch.countDown();
}
 
Example #17
Source File: TestAsyncAdminBuilder.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Test hook: fails the call while the running attempt counter is below
 * {@code DEFAULT_RETRIES_NUMBER}; the counter is incremented on every invocation.
 *
 * @param ctx       observer context (unused)
 * @param namespace requested namespace (unused)
 * @throws IOException for each invocation that finds the counter below the limit
 */
@Override
public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx,
    String namespace) throws IOException {
  // getAndIncrement returns the value before the increment.
  final boolean failThisAttempt = retryNum.getAndIncrement() < DEFAULT_RETRIES_NUMBER;
  if (failThisAttempt) {
    throw new IOException("call fail");
  }
}
 
Example #18
Source File: TestFailedProcCleanup.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> env,
    TableDescriptor desc, RegionInfo[] regions) throws IOException {

  if (desc.getTableName().equals(TABLE)) {
    throw new AccessDeniedException("Don't allow creation of table");
  }
}
 
Example #19
Source File: SnapshotScannerHDFSAclController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public void postRevoke(ObserverContext<MasterCoprocessorEnvironment> c,
    UserPermission userPermission) throws IOException {
  if (checkInitialized("revoke " + userPermission)) {
    try (Table aclTable =
        c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
      String userName = userPermission.getUser();
      Configuration conf = c.getEnvironment().getConfiguration();
      switch (userPermission.getAccessScope()) {
        case GLOBAL:
          UserPermission userGlobalPerm = getUserGlobalPermission(conf, userName);
          if (userGlobalPerm == null || !hdfsAclHelper.containReadAction(userGlobalPerm)) {
            removeUserGlobalHdfsAcl(aclTable, userName, userPermission);
          }
          break;
        case NAMESPACE:
          NamespacePermission nsPerm = (NamespacePermission) userPermission.getPermission();
          UserPermission userNsPerm =
              getUserNamespacePermission(conf, userName, nsPerm.getNamespace());
          if (userNsPerm == null || !hdfsAclHelper.containReadAction(userNsPerm)) {
            removeUserNamespaceHdfsAcl(aclTable, userName, nsPerm.getNamespace(), userPermission);
          }
          break;
        case TABLE:
          TablePermission tPerm = (TablePermission) userPermission.getPermission();
          if (needHandleTableHdfsAcl(tPerm)) {
            TableName tableName = tPerm.getTableName();
            UserPermission userTablePerm = getUserTablePermission(conf, userName, tableName);
            if (userTablePerm == null || !hdfsAclHelper.containReadAction(userTablePerm)) {
              removeUserTableHdfsAcl(aclTable, userName, tableName, userPermission);
            }
          }
          break;
        default:
          throw new IllegalArgumentException(
              "Illegal user permission scope " + userPermission.getAccessScope());
      }
    }
  }
}
 
Example #20
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
    TableName tableName, TableDescriptor currentDesc, TableDescriptor newDesc)
    throws IOException {
  // TODO: potentially check if this is a add/modify/delete column operation
  requirePermission(c, "modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
  return newDesc;
}
 
Example #21
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes a disable-table request and always refuses to disable the ACL table.
 *
 * <p>The ACL-table refusal comes before the permission check and does not depend on the
 * caller's rights. For every other table, {@code Action.ADMIN} and {@code Action.CREATE} are
 * passed to {@code requirePermission}.
 *
 * @param c         observer context identifying the caller
 * @param tableName table to be disabled
 * @throws IOException an {@code AccessDeniedException} for the ACL table, or whatever the
 *                     permission check throws
 */
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)
    throws IOException {
  // NOTE(review): the comparison uses ACL_GLOBAL_NAME while the message prints ACL_TABLE_NAME;
  // presumably both denote the ACL table. Confirm against PermissionStorage.
  final boolean targetsAclTable =
      Bytes.equals(tableName.getName(), PermissionStorage.ACL_GLOBAL_NAME);
  if (targetsAclTable) {
    // Disabling the ACL table is refused unconditionally while this controller is installed,
    // even when authorizations are not enforced: grants, revocations, permission checks and
    // audit logging still run, and without the ACL table unrelated actions would start to fail.
    throw new AccessDeniedException("Not allowed to disable " + PermissionStorage.ACL_TABLE_NAME
        + " table with AccessController installed");
  }

  requirePermission(c, "disableTable", tableName, null, null, Action.ADMIN, Action.CREATE);
}
 
Example #22
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
    NamespaceDescriptor currentNsDesc, NamespaceDescriptor newNsDesc) throws IOException {
  // We require only global permission so that
  // a user with NS admin cannot altering namespace configurations. i.e. namespace quota
  requireGlobalPermission(ctx, "modifyNamespace", Action.ADMIN, newNsDesc.getName());
}
 
Example #23
Source File: TestEnableTable.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Test hook: releases {@code tableDeletionLatch}, when one is set, once a table deletion has
 * completed.
 *
 * @param ctx       observer context (unused)
 * @param tableName deleted table (unused)
 * @throws IOException declared by the observer interface
 */
@Override
public void postCompletedDeleteTableAction(
    final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final TableName tableName) throws IOException {
  // The AccessController test sometimes calls only postDeleteTableHandler(), and calls it
  // directly, so the latch is not assumed to exist.
  if (tableDeletionLatch == null) {
    return;
  }
  tableDeletionLatch.countDown();
}
 
Example #24
Source File: TestMultiParallel.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Test hook: counts balancer runs that produced at least one region plan.
 *
 * @param ctx   observer context (unused)
 * @param plans region plans produced by the balancer run
 * @throws IOException declared by the observer interface
 */
@Override
public void postBalance(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    List<RegionPlan> plans) throws IOException {
  if (plans.isEmpty()) {
    return; // runs without plans are not counted
  }
  postBalanceCount.incrementAndGet();
}
 
Example #25
Source File: ExampleMasterObserverWithMetrics.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Records the wall-clock time at which a create-table operation is about to start.
 *
 * @param ctx     observer context (unused)
 * @param desc    descriptor of the table being created (unused)
 * @param regions regions of the table being created (unused)
 * @throws IOException declared by the observer interface
 */
@Override
public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
                           TableDescriptor desc, RegionInfo[] regions) throws IOException {
  // A single field is enough only because there is exactly one instance of this
  // MasterObserver; the timestamp is taken before the operation executes.
  final long startedAt = System.currentTimeMillis();
  this.createTableStartTime = startedAt;
}
 
Example #26
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes a delete-snapshot request.
 *
 * <p>The snapshot owner is allowed without an ADMIN check and the decision is written to the
 * audit log through {@code AccessChecker.logResult}. Any other caller must pass
 * {@code accessChecker.requirePermission(..., Action.ADMIN)}.
 *
 * @param ctx      observer context, used to resolve the active user
 * @param snapshot snapshot to be deleted
 * @throws IOException if the permission check rejects the request or fails
 */
@Override
public void preDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot) throws IOException {
  final User caller = getActiveUser(ctx);

  if (!SnapshotDescriptionUtils.isSnapshotOwner(snapshot, caller)) {
    accessChecker.requirePermission(caller, "deleteSnapshot " + snapshot.getName(), null,
      Action.ADMIN);
    return;
  }

  // Owner exemption: record the allow decision so the bypass is visible in the audit trail.
  AuthResult ownerAllowed = AuthResult.allow("deleteSnapshot " + snapshot.getName(),
      "Snapshot owner check allowed", caller, null, null, null);
  AccessChecker.logResult(ownerAllowed);
}
 
Example #27
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Override
public void preRestoreSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
    throws IOException {
  User user = getActiveUser(ctx);
  if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
    accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(),
      hTableDescriptor.getTableName(), null, null, null, Permission.Action.ADMIN);
  } else {
    accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), null,
      Action.ADMIN);
  }
}
 
Example #28
Source File: BaseTestHBaseFsck.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Test hook: releases {@code tableCreationLatch}, when one is set, once a table creation has
 * completed.
 *
 * @param ctx     observer context (unused)
 * @param desc    descriptor of the created table (unused)
 * @param regions regions of the created table (unused)
 * @throws IOException declared by the observer interface
 */
@Override
public void postCompletedCreateTableAction(
    final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final TableDescriptor desc,
    final RegionInfo[] regions) throws IOException {
  // The AccessController test sometimes calls only this hook, and calls it directly, so the
  // latch is not assumed to exist.
  if (tableCreationLatch == null) {
    return;
  }
  tableCreationLatch.countDown();
}
 
Example #29
Source File: AccessController.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes listing of a single snapshot.
 *
 * <p>The snapshot owner may list it without an ADMIN check and the decision is written to the
 * audit log through {@code AccessChecker.logResult}. Any other caller must pass
 * {@code accessChecker.requirePermission(..., Action.ADMIN)}.
 *
 * @param ctx      observer context, used to resolve the active user
 * @param snapshot snapshot about to be listed
 * @throws IOException if the permission check rejects the request or fails
 */
@Override
public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx,
    final SnapshotDescription snapshot) throws IOException {
  final User caller = getActiveUser(ctx);

  if (!SnapshotDescriptionUtils.isSnapshotOwner(snapshot, caller)) {
    accessChecker.requirePermission(caller, "listSnapshot " + snapshot.getName(), null,
      Action.ADMIN);
    return;
  }

  // Owner exemption: record the allow decision so the bypass is visible in the audit trail.
  AuthResult ownerAllowed = AuthResult.allow("listSnapshot " + snapshot.getName(),
      "Snapshot owner check allowed", caller, null, null, null);
  AccessChecker.logResult(ownerAllowed);
}
 
Example #30
Source File: CoprocessorWhitelistMasterObserver.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Runs the coprocessor whitelist check on the requested descriptor before a table is modified.
 *
 * <p>Only {@code newDesc} is verified; {@code currentDesc} is not consulted. When the check
 * passes, the new descriptor is returned unchanged.
 *
 * @param ctx         observer context; supplies the configuration holding the whitelist
 * @param tableName   table being modified (unused)
 * @param currentDesc current descriptor (unused)
 * @param newDesc     requested descriptor, verified and returned
 * @return {@code newDesc}, as received
 * @throws IOException if {@code verifyCoprocessors} rejects the descriptor
 */
@Override
public TableDescriptor preModifyTable(
    ObserverContext<MasterCoprocessorEnvironment> ctx,
    TableName tableName,
    TableDescriptor currentDesc,
    TableDescriptor newDesc) throws IOException {
  // Throws before the modification proceeds if any coprocessor jar path is not whitelisted.
  verifyCoprocessors(ctx, newDesc);
  return newDesc;
}