org.apache.hadoop.hbase.security.access
Class SecureBulkLoadEndpoint
java.lang.Object
org.apache.hadoop.hbase.coprocessor.BaseEndpointCoprocessor
org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint
- All Implemented Interfaces:
- Coprocessor, CoprocessorProtocol, VersionedProtocol, SecureBulkLoadProtocol
@InterfaceAudience.Private
public class SecureBulkLoadEndpoint
- extends BaseEndpointCoprocessor
- implements SecureBulkLoadProtocol
Coprocessor service for bulk loads in secure mode.
This coprocessor has to be installed as part of enabling
security in HBase.
This service addresses two issues:
1. Moving files in a secure filesystem wherein the HBase Client
and HBase Server are different filesystem users.
2. Performing the move in a secure manner, assuming that the filesystem
is POSIX compliant.
The algorithm is as follows:
1. Create an hbase-owned staging directory which is
world traversable (711): /hbase/staging
2. A user writes out data to his secure output directory: /user/foo/data
3. A call is made to hbase to create a secret staging directory
which is globally rwx (777): /user/staging/averylongandrandomdirectoryname
4. The user makes the data world readable and writable, then moves it
into the random staging directory, then calls bulkLoadHFiles()
Like delegation tokens, the strength of the security lies in the length
and randomness of the secret directory.
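A local-filesystem sketch of the four steps above, added here as an illustration; it is not HBase's implementation and uses only java.nio.file on a POSIX filesystem rather than HDFS. The class name StagingDirDemo, the temp-directory paths, the file name hfile-0001 and the 32-byte secret length are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration on a local POSIX filesystem; not HBase code, no HDFS involved.
public class StagingDirDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1: service-owned staging root, mode 711. Others may traverse it
    // but cannot list it, so child directory names cannot be enumerated.
    static Path createStagingRoot(Path root) throws IOException {
        Files.createDirectories(root);
        return Files.setPosixFilePermissions(root, PosixFilePermissions.fromString("rwx--x--x"));
    }

    // Step 3: secret directory, mode 777. Its unguessable name is the only
    // access control, so it comes from a CSPRNG (32 bytes is an assumed length).
    static Path createSecretDir(Path root) throws IOException {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String name = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Path dir = Files.createDirectory(root.resolve(name));
        // Set the mode explicitly; a mode passed at creation is masked by umask.
        return Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwxrwxrwx"));
    }

    static String mode(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout under a temp directory (paths are assumptions).
        Path base = Files.createTempDirectory("bulkload-demo");
        Path root = createStagingRoot(base.resolve("staging"));
        Path secret = createSecretDir(root);

        // Steps 2 and 4: the user writes data, opens its mode, then moves it
        // into the secret directory before asking the server to load it.
        Path data = Files.write(base.resolve("hfile-0001"), new byte[] {1, 2, 3});
        Files.setPosixFilePermissions(data, PosixFilePermissions.fromString("rw-rw-rw-"));
        Path staged = Files.move(data, secret.resolve("hfile-0001"), StandardCopyOption.ATOMIC_MOVE);

        System.out.println(mode(root) + "  " + root);
        System.out.println(mode(secret) + "  " + secret);
        System.out.println(mode(staged) + "  " + staged);
    }
}
```

On a filesystem without POSIX attribute support, setPosixFilePermissions throws UnsupportedOperationException, which matches the page's assumption that the filesystem is POSIX compliant.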
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
VERSION
public static final long VERSION
- See Also:
- Constant Field Values
SecureBulkLoadEndpoint
public SecureBulkLoadEndpoint()
start
public void start(CoprocessorEnvironment env)
- Specified by:
start
in interface Coprocessor
- Overrides:
start
in class BaseEndpointCoprocessor
prepareBulkLoad
public String prepareBulkLoad(byte[] tableName)
throws IOException
- Description copied from interface:
SecureBulkLoadProtocol
- Prepare for bulk load.
Will be called before bulkLoadHFiles()
- Specified by:
prepareBulkLoad
in interface SecureBulkLoadProtocol
- Returns:
- a bulkToken which uniquely identifies the bulk session
- Throws:
IOException
cleanupBulkLoad
public void cleanupBulkLoad(String bulkToken)
throws IOException
- Description copied from interface:
SecureBulkLoadProtocol
- Cleanup after bulk load.
Will be called after bulkLoadHFiles().
- Specified by:
cleanupBulkLoad
in interface SecureBulkLoadProtocol
- Throws:
IOException
bulkLoadHFiles
public boolean bulkLoadHFiles(List<Pair<byte[],String>> familyPaths,
org.apache.hadoop.security.token.Token<?> userToken,
String bulkToken)
throws IOException
- Description copied from interface:
SecureBulkLoadProtocol
- Secure version of HRegionServer.bulkLoadHFiles().
- Specified by:
bulkLoadHFiles
in interface SecureBulkLoadProtocol
- Parameters:
familyPaths
- column family to HFile path pairs
userToken
- requesting user's HDFS delegation token
- Returns:
-
- Throws:
IOException
getProtocolVersion
public long getProtocolVersion(String protocol,
long clientVersion)
throws IOException
- Description copied from interface:
VersionedProtocol
- Return protocol version corresponding to protocol interface.
- Specified by:
getProtocolVersion
in interface VersionedProtocol
- Overrides:
getProtocolVersion
in class BaseEndpointCoprocessor
- Parameters:
protocol
- The classname of the protocol interface
clientVersion
- The version of the protocol that the client speaks
- Returns:
- the version that the server will speak
- Throws:
IOException
- if any IO error occurs
getStagingPath
public static org.apache.hadoop.fs.Path getStagingPath(org.apache.hadoop.conf.Configuration conf,
String bulkToken,
byte[] family)
- This returns the staging path for a given column family.
This is needed for clean recovery and is called reflectively in LoadIncrementalHFiles.
Copyright © 2013 The Apache Software Foundation. All Rights Reserved.