You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by GitBox <gi...@apache.org> on 2019/05/15 11:13:37 UTC
[GitHub] [hbase] mymeiyi commented on a change in pull request #163: HBASE-21995 Add a coprocessor to set HDFS ACL for hbase granted user

mymeiyi commented on a change in pull request #163: HBASE-21995 Add a coprocessor to set HDFS ACL for hbase granted user
URL: https://github.com/apache/hbase/pull/163#discussion_r284203270
 
 

 ##########
 File path: hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java
 ##########
 @@ -0,0 +1,634 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hbase.security.access;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hbase.Cell;
+import org.apache.hadoop.hbase.CellUtil;
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.hbase.NamespaceDescriptor;
+import org.apache.hadoop.hbase.TableName;
+import org.apache.hadoop.hbase.client.Admin;
+import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
+import org.apache.hadoop.hbase.client.Delete;
+import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.Put;
+import org.apache.hadoop.hbase.client.RegionInfo;
+import org.apache.hadoop.hbase.client.Result;
+import org.apache.hadoop.hbase.client.ResultScanner;
+import org.apache.hadoop.hbase.client.Scan;
+import org.apache.hadoop.hbase.client.SnapshotDescription;
+import org.apache.hadoop.hbase.client.Table;
+import org.apache.hadoop.hbase.client.TableDescriptor;
+import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
+import org.apache.hadoop.hbase.coprocessor.CoreCoprocessor;
+import org.apache.hadoop.hbase.coprocessor.HasMasterServices;
+import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;
+import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
+import org.apache.hadoop.hbase.coprocessor.MasterObserver;
+import org.apache.hadoop.hbase.coprocessor.ObserverContext;
+import org.apache.hadoop.hbase.master.MasterServices;
+import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.UserProvider;
+import org.apache.hadoop.hbase.security.access.HDFSAclHelper.PathHelper;
+import org.apache.hadoop.hbase.security.access.Permission.Action;
+import org.apache.hadoop.hbase.util.Bytes;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Set HDFS ACLs to hFiles to make HBase granted users have permission to scan snapshot
+ * <p>
+ * To use this feature, please mask sure HDFS config:
+ * <ul>
+ * <li>dfs.permissions.enabled = true</li>
+ * <li>fs.permissions.umask-mode = 027 (or smaller umask than 027)</li>
+ * </ul>
+ * </p>
+ * <p>
+ * The implementation of this feature is as followings:
+ * <ul>
+ * <li>For public directories such as 'data' and 'archive', set other permission to '--x' to make
+ * everyone have the permission to access the directory.</li>
+ * <li>For namespace or table directories such as 'data/ns/table', 'archive/ns/table' and
+ * '.hbase-snapshot/snapshotName', set user 'r-x' acl and default 'r-x' acl when following
+ * operations happen:
+ * <ul>
+ * <li>grant user with global, namespace or table permission;</li>
+ * <li>revoke user from global, namespace or table;</li>
+ * <li>snapshot table;</li>
+ * <li>truncate table;</li>
+ * </ul>
+ * </li>
+ * <li>Note: Because snapshots are at table level, so this feature just considers users with global,
+ * namespace or table permissions, ignores users with table CF or cell permissions.</li>
+ * </ul>
+ * </p>
+ */
+@CoreCoprocessor
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
+public class HDFSAclController implements MasterCoprocessor, MasterObserver {
+  private static final Logger LOG = LoggerFactory.getLogger(HDFSAclController.class);
+
+  public static final String HDFS_ACL_ENABLE = "hbase.hdfs.acl.enable";
+  public static final String HDFS_ACL_THREAD_NUMBER = "hbase.hdfs.acl.thread.number";
+  // the tmp directory to restore snapshot, it can not be a sub directory of HBase root dir
+  public static final String SNAPSHOT_RESTORE_TMP_DIR = "hbase.snapshot.restore.tmp.dir";
+  public static final String SNAPSHOT_RESTORE_TMP_DIR_DEFAULT =
+      "/hbase/.tmpdir-to-restore-snapshot";
+  // If enable this feature, set public directories permission to 751
+  public static final FsPermission ACL_ENABLE_PUBLIC_HFILE_PERMISSION =
+      new FsPermission((short) 0751);
+  // If enable this feature, set restore directory permission to 703
+  public static final FsPermission ACL_ENABLE_RESTORE_HFILE_PERMISSION =
+      new FsPermission((short) 0703);
+
+  private HDFSAclHelper hdfsAclHelper = null;
+  private PathHelper pathHelper = null;
+  private FileSystem fs = null;
+  /** Provider for mapping principal names to Users */
+  private UserProvider userProvider;
+
+  @Override
+  public Optional<MasterObserver> getMasterObserver() {
+    return Optional.of(this);
+  }
+
+  @Override
+  public void preMasterInitialization(final ObserverContext<MasterCoprocessorEnvironment> c)
+      throws IOException {
+    if (isHdfsAclEnabled(c.getEnvironment().getConfiguration())) {
+      MasterServices masterServices = null;
+      MasterCoprocessorEnvironment mEnv = c.getEnvironment();
+      if (mEnv instanceof HasMasterServices) {
+        masterServices = ((HasMasterServices) mEnv).getMasterServices();
+      }
+      if (masterServices == null) {
+        throw new RuntimeException("master services can not be null");
+      }
+      hdfsAclHelper = new HDFSAclHelper(masterServices);
+      pathHelper = hdfsAclHelper.getPathHelper();
+      fs = pathHelper.getFileSystem();
+      // Set public directory permission to 751 to make all users have access permission.
+      // And we also need the access permission of the parent of HBase root directory, but
+      // it's not set here, because the owner of HBase root directory may don't own permission
+      // to change it's parent permission to 751.
+      // The {root/.tmp} and {root/.tmp/data} directories are created to make global user HDFS
+      // acls can be inherited.
+      Path[] paths = new Path[] { pathHelper.getRootDir(), pathHelper.getDataDir(),
+          pathHelper.getTmpDir(), pathHelper.getTmpDataDir(), pathHelper.getArchiveDir(),
+          pathHelper.getArchiveDataDir(), pathHelper.getSnapshotRootDir() };
+      for (Path path : paths) {
+        if (!fs.exists(path)) {
+          fs.mkdirs(path);
+        }
+        fs.setPermission(path, ACL_ENABLE_PUBLIC_HFILE_PERMISSION);
+      }
+      // create snapshot restore directory
+      Path restoreDir = new Path(
+          mEnv.getConfiguration().get(SNAPSHOT_RESTORE_TMP_DIR, SNAPSHOT_RESTORE_TMP_DIR_DEFAULT));
+      if (!fs.exists(restoreDir)) {
+        fs.mkdirs(restoreDir);
+        fs.setPermission(restoreDir, ACL_ENABLE_RESTORE_HFILE_PERMISSION);
+      }
+    }
+  }
+
+  @Override
+  public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> ctx)
+      throws IOException {
+    try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
+      if (admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {
+        // check if hbase:acl table has 'm' CF
+        TableDescriptor tableDescriptor = admin.getDescriptor(PermissionStorage.ACL_TABLE_NAME);
 
 Review comment:
   The new CF is only used in this CP, it records if the hbase read permission is synchronized to related hfile. 
   This flag has two usages: 
   1. check if we need to remove hdfs acls for a grant without READ permission;
   2. skip some hdfs acl sync because it may be already added.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services