hbase-server/src/main/java/org/apache/hadoop/hbase/security/HBasePolicyProvider.java

   1 /*
   2  * Licensed to the Apache Software Foundation (ASF) under one
   3  * or more contributor license agreements.  See the NOTICE file
   4  * distributed with this work for additional information
   5  * regarding copyright ownership.  The ASF licenses this file
   6  * to you under the Apache License, Version 2.0 (the
   7  * "License"); you may not use this file except in compliance
   8  * with the License.  You may obtain a copy of the License at
   9  *
  10  *     http://www.apache.org/licenses/LICENSE-2.0
  11  *
  12  * Unless required by applicable law or agreed to in writing, software
  13  * distributed under the License is distributed on an "AS IS" BASIS,
  14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15  * See the License for the specific language governing permissions and
  16  * limitations under the License.
  17  */
  18 package org.apache.hadoop.hbase.security;
  19
  20 import org.apache.hadoop.conf.Configuration;
  21 import org.apache.hadoop.security.authorize.PolicyProvider;
  22 import org.apache.hadoop.security.authorize.ProxyUsers;
  23 import org.apache.hadoop.security.authorize.Service;
  24 import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
  25 import org.apache.yetus.audience.InterfaceAudience;
  26
  27 import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos.AdminService;
  28 import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.ClientService;
  29 import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos;
  30 import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.MasterService;
  31 import org.apache.hadoop.hbase.shaded.protobuf.generated.RegionServerStatusProtos.RegionServerStatusService;
  32 import org.apache.hadoop.hbase.shaded.protobuf.generated.RegistryProtos;
  33
  34 /**
  35  * Implementation of secure Hadoop policy provider for mapping
  36  * protocol interfaces to hbase-policy.xml entries.
  37  */
  38 @InterfaceAudience.Private
  39 public class HBasePolicyProvider extends PolicyProvider {
  40   protected final static Service[] services = {
  41     new Service("security.client.protocol.acl", ClientService.BlockingInterface.class),
  42     new Service("security.client.protocol.acl", AdminService.BlockingInterface.class),
  43     new Service("security.client.protocol.acl",
  44       MasterProtos.HbckService.BlockingInterface.class),
  45     new Service("security.client.protocol.acl",
  46       RegistryProtos.ClientMetaService.BlockingInterface.class),
  47     new Service("security.admin.protocol.acl", MasterService.BlockingInterface.class),
  48     new Service("security.masterregion.protocol.acl",
  49       RegionServerStatusService.BlockingInterface.class)
  50   };
  51
  52   @Override
  53   public Service[] getServices() {
  54     return services;
  55   }
  56
  57   public static void init(Configuration conf, ServiceAuthorizationManager authManager) {
  58     // set service-level authorization security policy
  59     System.setProperty("hadoop.policy.file", "hbase-policy.xml");
  60     if (conf.getBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false)) {
  61       authManager.refresh(conf, new HBasePolicyProvider());
  62       ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  63     }
  64   }
  65 }