From 9494fa9f1ea9d1b8331d9e439df06999490dba6d Mon Sep 17 00:00:00 2001 From: Josh Elser Date: Sat, 19 May 2018 00:17:08 -0400 Subject: [PATCH] HBASE-20605 Excludes Azure's new filesystem from the SecureBulkLoadEndpoint perm check --- .../security/access/SecureBulkLoadEndpoint.java | 14 ++++- .../access/TestSecureBulkLoadEndpoint.java | 65 ++++++++++++++++++++++ 2 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestSecureBulkLoadEndpoint.java diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java index 68f31ccad2..fef5c682a7 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java @@ -22,6 +22,7 @@ import com.google.protobuf.RpcCallback; import com.google.protobuf.RpcController; import com.google.protobuf.Service; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hbase.classification.InterfaceAudience; @@ -73,6 +74,7 @@ import java.security.PrivilegedAction; import java.security.SecureRandom; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -119,7 +121,9 @@ public class SecureBulkLoadEndpoint extends SecureBulkLoadService private final static FsPermission PERM_ALL_ACCESS = FsPermission.valueOf("-rwxrwxrwx"); private final static FsPermission PERM_HIDDEN = FsPermission.valueOf("-rwx--x--x"); - private final static String[] FsWithoutSupportPermission = {"s3", "s3a", "s3n", "wasb", "wasbs", "swift"}; + + public static final String FS_WITHOUT_SUPPORT_PERMISSION_KEY = "hbase.secure.bulkload.fs.permission.lacking"; + public static final String FS_WITHOUT_SUPPORT_PERMISSION_DEFAULT = "s3,s3a,s3n,wasb,wasbs,swift,adfs,abfs"; private SecureRandom random; private FileSystem fs; @@ -143,7 +147,7 @@ public class SecureBulkLoadEndpoint extends SecureBulkLoadService conf = env.getConfiguration(); baseStagingDir = SecureBulkLoadUtil.getBaseStagingDir(conf); this.userProvider = UserProvider.instantiate(conf); - Set fsSet = new HashSet(Arrays.asList(FsWithoutSupportPermission)); + Set fsSet = getFileSystemSchemesWithoutPermissionSupport(conf); try { fs = baseStagingDir.getFileSystem(conf); @@ -179,6 +183,12 @@ public class SecureBulkLoadEndpoint extends SecureBulkLoadService } } + Set getFileSystemSchemesWithoutPermissionSupport(Configuration conf) { + final String value = conf.get( + FS_WITHOUT_SUPPORT_PERMISSION_KEY, FS_WITHOUT_SUPPORT_PERMISSION_DEFAULT); + return new HashSet(Arrays.asList(StringUtils.split(value, ','))); + } + @Override public void stop(CoprocessorEnvironment env) throws IOException { } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestSecureBulkLoadEndpoint.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestSecureBulkLoadEndpoint.java new file mode 100644 index 0000000000..16d70e02da --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestSecureBulkLoadEndpoint.java @@ -0,0 +1,65 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hbase.security.access; + +import static org.junit.Assert.assertEquals; + +import java.util.Arrays; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.testclassification.SmallTests; +import org.apache.commons.lang.StringUtils; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +/** + * Tests the SecureBulkLoadEndpoint code. + */ +@Category(SmallTests.class) +public class TestSecureBulkLoadEndpoint { + + @Test + public void testFileSystemsWithoutPermissionSupport() { + final Configuration emptyConf = new Configuration(false); + final Configuration defaultConf = HBaseConfiguration.create(); + + final Set expectedDefaultIgnoredSchemes = new HashSet<>( + Arrays.asList( + StringUtils.split(SecureBulkLoadEndpoint.FS_WITHOUT_SUPPORT_PERMISSION_DEFAULT, ','))); + + final SecureBulkLoadEndpoint endpoint = new SecureBulkLoadEndpoint(); + + // Empty configuration should return the default list of schemes + Set defaultIgnoredSchemes = endpoint.getFileSystemSchemesWithoutPermissionSupport(emptyConf); + assertEquals(defaultIgnoredSchemes, expectedDefaultIgnoredSchemes); + + // Default configuration (unset) should be the default list of schemes + defaultIgnoredSchemes = endpoint.getFileSystemSchemesWithoutPermissionSupport(defaultConf); + assertEquals(defaultIgnoredSchemes, expectedDefaultIgnoredSchemes); + + defaultConf.set(SecureBulkLoadEndpoint.FS_WITHOUT_SUPPORT_PERMISSION_KEY, "foo,bar"); + defaultIgnoredSchemes = endpoint.getFileSystemSchemesWithoutPermissionSupport(defaultConf); + assertEquals(defaultIgnoredSchemes, new HashSet(Arrays.asList("foo", "bar"))); + } +} -- 2.16.3