19 package org.apache.hadoop.hbase.security.access;
20
21 import java.io.IOException;
22 import java.net.URI;
23 import java.nio.file.PathMatcher;
24 import java.util.Collection;
25 import java.util.List;
26 import java.util.regex.Matcher;
27
28 import org.apache.commons.io.FilenameUtils;
29 import org.apache.commons.logging.Log;
30 import org.apache.commons.logging.LogFactory;
31
32 import org.apache.hadoop.conf.Configuration;
33 import org.apache.hadoop.fs.Path;
34
35 import org.apache.hadoop.hbase.classification.InterfaceAudience;
36 import org.apache.hadoop.hbase.coprocessor.BaseMasterObserver;
37 import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
38 import org.apache.hadoop.hbase.coprocessor.ObserverContext;
39 import org.apache.hadoop.hbase.HBaseInterfaceAudience;
40 import org.apache.hadoop.hbase.HConstants;
41 import org.apache.hadoop.hbase.HRegionInfo;
42 import org.apache.hadoop.hbase.HTableDescriptor;
43 import org.apache.hadoop.hbase.master.MasterServices;
44 import org.apache.hadoop.hbase.TableName;
45 import org.apache.hadoop.hbase.util.Bytes;
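/**
 * Master observer that rejects table create and modify requests whose descriptor references a
 * coprocessor jar outside the locations listed under
 * {@link #CP_COPROCESSOR_WHITELIST_PATHS_KEY}.
 *
 * <p>The check is fail-closed for jar-based coprocessors: when no configured entry matches the
 * jar path, the request is refused with an {@link IOException}. An empty or missing whitelist
 * therefore denies every coprocessor that names a jar. Coprocessors without a jar path are
 * loaded from the server class path and are not restricted by this observer.
 */
@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
public class CoprocessorWhitelistMasterObserver extends BaseMasterObserver {

  /** Configuration key holding the list of permitted coprocessor jar locations. */
  public static final String CP_COPROCESSOR_WHITELIST_PATHS_KEY =
      "hbase.coprocessor.region.whitelist.paths";

  private static final Log LOG = LogFactory
      .getLog(CoprocessorWhitelistMasterObserver.class);

  /**
   * Validates the coprocessors of the new descriptor before a table is modified.
   *
   * @param ctx       observer context giving access to the master environment
   * @param tableName table being modified (not used by the check)
   * @param htd       descriptor the table would have after the change
   * @throws IOException if a coprocessor jar is outside the whitelist
   */
  @Override
  public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
      TableName tableName, HTableDescriptor htd) throws IOException {
    verifyCoprocessors(ctx, htd);
  }

  /**
   * Validates the coprocessors of the descriptor before a table is created.
   *
   * @param ctx     observer context giving access to the master environment
   * @param htd     descriptor of the table being created
   * @param regions initial regions (not used by the check)
   * @throws IOException if a coprocessor jar is outside the whitelist
   */
  @Override
  public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
      HTableDescriptor htd, HRegionInfo[] regions) throws IOException {
    verifyCoprocessors(ctx, htd);
  }

  /**
   * Decides whether a coprocessor jar path is covered by one whitelist entry.
   *
   * <p>Rules, in the order they are applied:
   * <ol>
   *   <li>The entry {@code *} permits every path. It disables the restriction entirely, so it
   *       should only appear in configurations that intend that.</li>
   *   <li>Unless the entry is an absolute path with neither scheme nor authority, its scheme
   *       and host must equal those of the jar path, ignoring case. Entries written as a bare
   *       absolute path skip this comparison and therefore accept a matching path on any
   *       file system; add the scheme and host to pin an entry to one file system.</li>
   *   <li>An entry that is a file system root permits every path that passed rule 2.</li>
   *   <li>Otherwise the path components are compared with
   *       {@link FilenameUtils#wildcardMatch(String, String)}, which is case-sensitive and
   *       lets {@code *} match any run of characters, including {@code /}. A pattern such as
   *       {@code /dir/*.jar} therefore also covers jars in sub-directories of {@code /dir}.</li>
   * </ol>
   *
   * <p>NOTE(review): only scheme and host are compared; the port and user-info part of the
   * authority are ignored, so two services on the same host are not told apart.
   *
   * @param coprocPath jar path taken from the table descriptor
   * @param wlPath     one configured whitelist entry
   * @param conf       cluster configuration (currently unused)
   * @return {@code true} if the entry permits the jar path
   * @throws IOException declared for callers; nothing in the current body throws it
   */
  private static boolean validatePath(Path coprocPath, Path wlPath,
      Configuration conf) throws IOException {
    if (wlPath.toString().equals("*")) {
      return true;
    }

    if (!wlPath.isAbsoluteAndSchemeAuthorityNull()) {
      // URI schemes and host names are case-insensitive. The comparison does not go through
      // String.toLowerCase(), whose result depends on the JVM default locale and could make
      // equal schemes or hosts compare as different.
      boolean sameScheme =
          sameIgnoringCase(wlPath.toUri().getScheme(), coprocPath.toUri().getScheme());
      boolean sameHost =
          sameIgnoringCase(wlPath.toUri().getHost(), coprocPath.toUri().getHost());
      if (!sameScheme || !sameHost) {
        return false;
      }
    }

    if (wlPath.isRoot()) {
      return true;
    }

    return FilenameUtils.wildcardMatch(
        Path.getPathWithoutSchemeAndAuthority(coprocPath).toString(),
        Path.getPathWithoutSchemeAndAuthority(wlPath).toString());
  }

  /** Compares two URI components ignoring case, treating {@code null} as the empty string. */
  private static boolean sameIgnoringCase(String left, String right) {
    String a = (left == null) ? "" : left;
    String b = (right == null) ? "" : right;
    return a.equalsIgnoreCase(b);
  }

  /**
   * Checks every coprocessor attribute of a table descriptor against the configured whitelist.
   *
   * <p>Each {@code coprocessor$N} attribute is parsed with
   * {@link HConstants#CP_HTD_ATTR_VALUE_PATTERN}; group 1 is the jar path and group 2 the class
   * name. Entries without a jar path are skipped, every other entry must be accepted by
   * {@link #validatePath(Path, Path, Configuration)} for at least one whitelist entry.
   *
   * @param ctx observer context used to reach the master configuration
   * @param htd descriptor whose coprocessors are checked
   * @throws IOException if a coprocessor jar path matches no whitelist entry
   */
  private void verifyCoprocessors(ObserverContext<MasterCoprocessorEnvironment> ctx,
      HTableDescriptor htd) throws IOException {
    MasterServices services = ctx.getEnvironment().getMasterServices();
    Configuration conf = services.getConfiguration();
    Collection<String> paths = conf.getStringCollection(CP_COPROCESSOR_WHITELIST_PATHS_KEY);

    List<String> coprocs = htd.getCoprocessors();
    for (int i = 0; i < coprocs.size(); i++) {
      // NOTE(review): this lookup assumes the attribute keys are numbered 1..n without gaps.
      // An attribute stored under any other index is not examined here. Confirm how the
      // descriptor assigns these keys and consider iterating its attributes directly.
      String coprocSpec = Bytes.toString(htd.getValue(
          Bytes.toBytes("coprocessor$" + (i + 1))));
      if (coprocSpec == null) {
        continue;
      }

      Matcher matcher = HConstants.CP_HTD_ATTR_VALUE_PATTERN.matcher(coprocSpec);
      if (!matcher.matches()) {
        continue;
      }

      String coprocPathStr = matcher.group(1).trim();
      if (coprocPathStr.equals("")) {
        // No jar path: the class comes from the server class path and there is nothing to
        // compare. Move on to the next entry instead of ending the scan, so that entries
        // listed after this one are still validated.
        continue;
      }
      Path coprocPath = new Path(coprocPathStr);
      String coprocessorClass = matcher.group(2).trim();

      boolean foundPathMatch = false;
      for (String pathStr : paths) {
        Path wlPath = new Path(pathStr);
        try {
          foundPathMatch = validatePath(coprocPath, wlPath, conf);
          if (foundPathMatch) {
            LOG.debug(String.format("Coprocessor %s found in directory %s",
                coprocessorClass, pathStr));
            break;
          }
        } catch (IOException e) {
          // A whitelist entry that cannot be evaluated never grants access; keep the cause in
          // the log so the failure can be diagnosed.
          LOG.warn(String.format("Failed to validate white list path %s for coprocessor path %s",
              pathStr, coprocPathStr), e);
        }
      }
      if (!foundPathMatch) {
        throw new IOException(String.format("Loading %s DENIED in %s",
            coprocessorClass, CP_COPROCESSOR_WHITELIST_PATHS_KEY));
      }
    }
  }
}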