<!DOCTYPE HTML>
<html lang="en">
<head>
<!-- Generated by javadoc (17) -->
<title>Source code</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="source: package: org.apache.hadoop.hbase.regionserver, class: SecureBulkLoadManager">
<meta name="generator" content="javadoc/SourceToHTMLConverter">
<link rel="stylesheet" type="text/css" href="../../../../../../stylesheet.css" title="Style">
</head>
<body class="source-page">
<main role="main">
<div class="source-container">
<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.regionserver;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import java.io.IOException;</span>
<span class="source-line-no">021</span><span id="line-21">import java.math.BigInteger;</span>
<span class="source-line-no">022</span><span id="line-22">import java.security.PrivilegedAction;</span>
<span class="source-line-no">023</span><span id="line-23">import java.security.SecureRandom;</span>
<span class="source-line-no">024</span><span id="line-24">import java.util.ArrayList;</span>
<span class="source-line-no">025</span><span id="line-25">import java.util.HashMap;</span>
<span class="source-line-no">026</span><span id="line-26">import java.util.List;</span>
<span class="source-line-no">027</span><span id="line-27">import java.util.Map;</span>
<span class="source-line-no">028</span><span id="line-28">import java.util.concurrent.ConcurrentHashMap;</span>
<span class="source-line-no">029</span><span id="line-29">import java.util.function.Consumer;</span>
<span class="source-line-no">030</span><span id="line-30">import org.apache.commons.lang3.StringUtils;</span>
<span class="source-line-no">031</span><span id="line-31">import org.apache.commons.lang3.mutable.MutableInt;</span>
<span class="source-line-no">032</span><span id="line-32">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">033</span><span id="line-33">import org.apache.hadoop.fs.FileStatus;</span>
<span class="source-line-no">034</span><span id="line-34">import org.apache.hadoop.fs.FileSystem;</span>
<span class="source-line-no">035</span><span id="line-35">import org.apache.hadoop.fs.FileUtil;</span>
<span class="source-line-no">036</span><span id="line-36">import org.apache.hadoop.fs.Path;</span>
<span class="source-line-no">037</span><span id="line-37">import org.apache.hadoop.fs.permission.FsPermission;</span>
<span class="source-line-no">038</span><span id="line-38">import org.apache.hadoop.hbase.DoNotRetryIOException;</span>
<span class="source-line-no">039</span><span id="line-39">import org.apache.hadoop.hbase.HConstants;</span>
<span class="source-line-no">040</span><span id="line-40">import org.apache.hadoop.hbase.TableName;</span>
<span class="source-line-no">041</span><span id="line-41">import org.apache.hadoop.hbase.client.AsyncConnection;</span>
<span class="source-line-no">042</span><span id="line-42">import org.apache.hadoop.hbase.ipc.RpcServer;</span>
<span class="source-line-no">043</span><span id="line-43">import org.apache.hadoop.hbase.regionserver.HRegion.BulkLoadListener;</span>
<span class="source-line-no">044</span><span id="line-44">import org.apache.hadoop.hbase.security.User;</span>
<span class="source-line-no">045</span><span id="line-45">import org.apache.hadoop.hbase.security.UserProvider;</span>
<span class="source-line-no">046</span><span id="line-46">import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;</span>
<span class="source-line-no">047</span><span id="line-47">import org.apache.hadoop.hbase.security.token.ClientTokenUtil;</span>
<span class="source-line-no">048</span><span id="line-48">import org.apache.hadoop.hbase.security.token.FsDelegationToken;</span>
<span class="source-line-no">049</span><span id="line-49">import org.apache.hadoop.hbase.util.Bytes;</span>
<span class="source-line-no">050</span><span id="line-50">import org.apache.hadoop.hbase.util.CommonFSUtils;</span>
<span class="source-line-no">051</span><span id="line-51">import org.apache.hadoop.hbase.util.FSUtils;</span>
<span class="source-line-no">052</span><span id="line-52">import org.apache.hadoop.hbase.util.Methods;</span>
<span class="source-line-no">053</span><span id="line-53">import org.apache.hadoop.hbase.util.Pair;</span>
<span class="source-line-no">054</span><span id="line-54">import org.apache.hadoop.io.Text;</span>
<span class="source-line-no">055</span><span id="line-55">import org.apache.hadoop.security.UserGroupInformation;</span>
<span class="source-line-no">056</span><span id="line-56">import org.apache.hadoop.security.token.Token;</span>
<span class="source-line-no">057</span><span id="line-57">import org.apache.yetus.audience.InterfaceAudience;</span>
<span class="source-line-no">058</span><span id="line-58">import org.slf4j.Logger;</span>
<span class="source-line-no">059</span><span id="line-59">import org.slf4j.LoggerFactory;</span>
<span class="source-line-no">060</span><span id="line-60"></span>
<span class="source-line-no">061</span><span id="line-61">import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos;</span>
<span class="source-line-no">062</span><span id="line-62">import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.BulkLoadHFileRequest;</span>
<span class="source-line-no">063</span><span id="line-63">import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CleanupBulkLoadRequest;</span>
<span class="source-line-no">064</span><span id="line-64">import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.PrepareBulkLoadRequest;</span>
<span class="source-line-no">065</span><span id="line-65"></span>
<span class="source-line-no">066</span><span id="line-66">/**</span>
<span class="source-line-no">067</span><span id="line-67"> * Bulk loads in secure mode. This service addresses two issues:</span>
<span class="source-line-no">068</span><span id="line-68"> * &lt;ol&gt;</span>
<span class="source-line-no">069</span><span id="line-69"> * &lt;li&gt;Moving files in a secure filesystem wherein the HBase Client and HBase Server are different</span>
<span class="source-line-no">070</span><span id="line-70"> * filesystem users.&lt;/li&gt;</span>
<span class="source-line-no">071</span><span id="line-71"> * &lt;li&gt;Moving them in a secure manner, assuming that the filesystem is POSIX compliant.&lt;/li&gt;</span>
<span class="source-line-no">072</span><span id="line-72"> * &lt;/ol&gt;</span>
<span class="source-line-no">073</span><span id="line-73"> * The algorithm is as follows:</span>
<span class="source-line-no">074</span><span id="line-74"> * &lt;ol&gt;</span>
<span class="source-line-no">075</span><span id="line-75"> * &lt;li&gt;Create an hbase owned staging directory which is world traversable (711):</span>
<span class="source-line-no">076</span><span id="line-76"> * {@code /hbase/staging}&lt;/li&gt;</span>
<span class="source-line-no">077</span><span id="line-77"> * &lt;li&gt;A user writes out data to his secure output directory: {@code /user/foo/data}&lt;/li&gt;</span>
<span class="source-line-no">078</span><span id="line-78"> * &lt;li&gt;A call is made to hbase to create a secret staging directory which is globally rwx (777):</span>
<span class="source-line-no">079</span><span id="line-79"> * {@code /user/staging/averylongandrandomdirectoryname}&lt;/li&gt;</span>
<span class="source-line-no">080</span><span id="line-80"> * &lt;li&gt;The user moves the data into the random staging directory, then calls bulkLoadHFiles()&lt;/li&gt;</span>
<span class="source-line-no">081</span><span id="line-81"> * &lt;/ol&gt;</span>
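<span class="source-line-no">082</span><span id="line-82"> * Like delegation tokens, the strength of the security lies in the length and randomness of the</span>
<span class="source-line-no">083</span><span id="line-83"> * secret directory name: the 711 parent can be traversed but not listed, so the 777 directory is reachable only by a caller who was given its name.</span>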
<span class="source-line-no">084</span><span id="line-84"> */</span>
<span class="source-line-no">085</span><span id="line-85">@InterfaceAudience.Private</span>
<span class="source-line-no">086</span><span id="line-86">public class SecureBulkLoadManager {</span>
<span class="source-line-no">087</span><span id="line-87"></span>
public static final long VERSION = 0L;

// Width in bits of the random part of a staging directory name. Rendered in base 32
// (5 bits per digit) this gives 320/5 = 64 characters.
private static final int RANDOM_WIDTH = 320;
private static final int RANDOM_RADIX = 32;

private static final Logger LOG = LoggerFactory.getLogger(SecureBulkLoadManager.class);

// rwxrwxrwx: set on each per-load staging directory and on the per-family directories in it.
private static final FsPermission PERM_ALL_ACCESS = FsPermission.valueOf("-rwxrwxrwx");
// rwx--x--x: set on the base staging directory when start() creates it.
private static final FsPermission PERM_HIDDEN = FsPermission.valueOf("-rwx--x--x");
// Source of the random directory-name component; assigned in start().
private SecureRandom random;
// FileSystem obtained in start(), outside any doAs.
private FileSystem fs;
private Configuration conf;

// Parent of all per-load staging directories.
// Two levels so it doesn't get deleted accidentally; there is no sticky bit in Hadoop 1.0.
private Path baseStagingDir;

private UserProvider userProvider;
// One counter per UGI, incremented and decremented around the doAs in secureBulkLoadHFiles.
private ConcurrentHashMap<UserGroupInformation, MutableInt> ugiReferenceCounter;
private AsyncConnection conn;
<span class="source-line-no">109</span><span id="line-109"></span>
/**
 * Stores the configuration and the connection. Every other field is assigned later by
 * {@link #start()}.
 */
SecureBulkLoadManager(Configuration conf, AsyncConnection conn) {
  this.conn = conn;
  this.conf = conf;
}
<span class="source-line-no">114</span><span id="line-114"></span>
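/**
 * Initializes the random source, user provider, reference counter and FileSystem, and makes
 * sure the base staging directory exists.
 * <p>
 * A directory created here gets {@code rwx--x--x}. A directory that already exists is left
 * untouched, but its mode is compared with {@code rwx--x--x} and a warning is logged on a
 * mismatch, because the scheme described on this class relies on the base directory being
 * traversable but not listable.
 * @throws IOException if the filesystem cannot be obtained or the directory cannot be created
 */
public void start() throws IOException {
  random = new SecureRandom();
  userProvider = UserProvider.instantiate(conf);
  ugiReferenceCounter = new ConcurrentHashMap<>();
  fs = FileSystem.get(conf);
  baseStagingDir = new Path(CommonFSUtils.getRootDir(conf), HConstants.BULKLOAD_STAGING_DIR_NAME);

  if (conf.get("hbase.bulkload.staging.dir") != null) {
    LOG.warn("hbase.bulkload.staging.dir " + " is deprecated. Bulkload staging directory is "
      + baseStagingDir);
  }
  if (!fs.exists(baseStagingDir)) {
    fs.mkdirs(baseStagingDir, PERM_HIDDEN);
    // mkdirs applies the configured umask; set the mode explicitly when the umask would
    // have changed it.
    if (!PERM_HIDDEN.equals(PERM_HIDDEN.applyUMask(FsPermission.getUMask(conf)))) {
      LOG.info("Modifying permissions to " + PERM_HIDDEN);
      fs.setPermission(baseStagingDir, PERM_HIDDEN);
    }
  } else {
    // Best-effort audit of a pre-existing directory: report, never modify and never fail start().
    try {
      FsPermission existing = fs.getFileStatus(baseStagingDir).getPermission();
      if (!PERM_HIDDEN.equals(existing)) {
        LOG.warn("Bulkload staging directory {} has permissions {} instead of {}; staging"
          + " directory names stay secret only if this directory cannot be listed by other users",
          baseStagingDir, existing, PERM_HIDDEN);
      }
    } catch (IOException e) {
      LOG.warn("Unable to verify permissions of bulkload staging directory {}", baseStagingDir,
        e);
    }
  }
}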
<span class="source-line-no">134</span><span id="line-134"></span>
/** Counterpart of {@link #start()}; there is currently nothing to release. */
public void stop() throws IOException {
  // intentionally empty
}
<span class="source-line-no">137</span><span id="line-137"></span>
/**
 * Runs the {@code prePrepareBulkLoad} coprocessor hook for the active user, then creates a
 * staging directory for the region's table under the base staging directory.
 * @param region  region whose coprocessor host and table name are used
 * @param request not read by this method
 * @return the new staging directory's path as a string, which serves as the bulk token
 * @throws IOException if the hook or the directory creation fails
 */
public String prepareBulkLoad(final HRegion region, final PrepareBulkLoadRequest request)
  throws IOException {
  final User caller = getActiveUser();
  region.getCoprocessorHost().prePrepareBulkLoad(caller);

  final TableName table = region.getTableDescriptor().getTableName();
  return createStagingDir(baseStagingDir, caller, table).toString();
}
<span class="source-line-no">148</span><span id="line-148"></span>
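/**
 * Runs the {@code preCleanupBulkLoad} coprocessor hook for the active user, then recursively
 * deletes the staging directory named by the request's bulk token.
 * <p>
 * The token is supplied by the caller, the hook is given only the user (not the path), and
 * the delete goes through this manager's own FileSystem handle. The token is therefore
 * accepted only when it names a direct child of the base staging directory, which is where
 * {@code prepareBulkLoad} creates every staging directory.
 * @param region  region whose coprocessor host is consulted
 * @param request carries the bulk token to clean up
 * @throws DoNotRetryIOException if the token does not name a directory directly under the base
 *                               staging directory
 * @throws IOException           if the directory still exists after the delete attempt
 */
public void cleanupBulkLoad(final HRegion region, final CleanupBulkLoadRequest request)
  throws IOException {
  region.getCoprocessorHost().preCleanupBulkLoad(getActiveUser());

  Path path = new Path(request.getBulkToken());
  // getParent() is null for a root path, which equals() also rejects.
  if (!baseStagingDir.equals(path.getParent())) {
    throw new DoNotRetryIOException(
      "Bulk load token " + path + " is not a staging directory under " + baseStagingDir);
  }
  if (!fs.delete(path, true)) {
    // delete() returning false is only an error if the directory is still there.
    if (fs.exists(path)) {
      throw new IOException("Failed to clean up " + path);
    }
  }
  LOG.trace("Cleaned up {} successfully.", path);
}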
<span class="source-line-no">161</span><span id="line-161"></span>
// Optional callback; secureBulkLoadHFiles invokes it inside the doAs once the per-family
// staging directories exist. Null means no callback.
private Consumer<HRegion> fsCreatedListener;

/** Installs (or clears, when given {@code null}) the callback described on the field. */
void setFsCreatedListener(Consumer<HRegion> fsCreatedListener) {
  this.fsCreatedListener = fsCreatedListener;
}
<span class="source-line-no">167</span><span id="line-167"></span>
/**
 * Adds one reference for {@code ugi}. The update happens inside
 * {@code ConcurrentHashMap.compute}, so create-or-increment is a single step per key.
 */
private void incrementUgiReference(UserGroupInformation ugi) {
  ugiReferenceCounter.compute(ugi, (unusedKey, counter) -> {
    if (counter != null) {
      counter.increment();
      return counter;
    }
    // first reference for this ugi: start a fresh counter at one
    return new MutableInt(1);
  });
}
<span class="source-line-no">179</span><span id="line-179"></span>
/**
 * Drops one reference for {@code ugi}. When the count would fall below one the mapping is
 * removed (the remapping function returns null); an absent key is left alone.
 */
private void decrementUgiReference(UserGroupInformation ugi) {
  ugiReferenceCounter.computeIfPresent(ugi, (unusedKey, counter) -> {
    if (counter.intValue() <= 1) {
      // last reference: returning null removes the entry
      return null;
    }
    counter.decrement();
    return counter;
  });
}
<span class="source-line-no">191</span><span id="line-191"></span>
/**
 * Tells whether any reference is currently held for {@code ugi}. Entries are removed as soon
 * as their count would drop below one, so presence in the map means a positive count.
 */
private boolean isUserReferenced(UserGroupInformation ugi) {
  // ConcurrentHashMap holds no null values, so a non-null lookup is the same as containsKey
  return ugiReferenceCounter.get(ugi) != null;
}
<span class="source-line-no">197</span><span id="line-197"></span>
/**
 * Convenience overload that performs the bulk load with no cluster ids ({@code null} is
 * passed to the three-argument method).
 */
public Map<byte[], List<Path>> secureBulkLoadHFiles(final HRegion region,
  final BulkLoadHFileRequest request) throws IOException {
  final List<String> noClusterIds = null;
  return secureBulkLoadHFiles(region, request, noClusterIds);
}
<span class="source-line-no">202</span><span id="line-202"></span>
/**
 * Performs a bulk load on behalf of the active user: collects the requested family/path pairs,
 * adds tokens to the user's UGI, runs the {@code preBulkLoadHFile} hook, and then calls
 * {@code region.bulkLoadHFiles} inside {@code ugi.doAs}.
 * @param region     target region
 * @param request    carries the family paths, the filesystem token, the bulk token and the
 *                   copy/replicate flags
 * @param clusterIds passed through unchanged to {@code region.bulkLoadHFiles}; may be null
 * @return the map returned by {@code region.bulkLoadHFiles}, or {@code null} when an exception
 *         was thrown inside the {@code doAs} (it is logged there, not rethrown)
 * @throws IOException from the coprocessor hooks or token acquisition outside the
 *                     {@code doAs}
 */
public Map<byte[], List<Path>> secureBulkLoadHFiles(final HRegion region,
  final BulkLoadHFileRequest request, List<String> clusterIds) throws IOException {
  // Copy the protobuf family/path entries into plain pairs.
  final List<Pair<byte[], String>> familyPaths = new ArrayList<>(request.getFamilyPathCount());
  for (ClientProtos.BulkLoadHFileRequest.FamilyPath el : request.getFamilyPathList()) {
    familyPaths.add(new Pair<>(el.getFamily().toByteArray(), el.getPath()));
  }

  // With Hadoop security enabled, rebuild the token the client sent in the request.
  Token<AuthenticationTokenIdentifier> userToken = null;
  if (userProvider.isHadoopSecurityEnabled()) {
    userToken = new Token<>(request.getFsToken().getIdentifier().toByteArray(),
      request.getFsToken().getPassword().toByteArray(), new Text(request.getFsToken().getKind()),
      new Text(request.getFsToken().getService()));
  }
  // NOTE(review): bulkToken is taken from the request and used below as a filesystem path
  // without a check, in this method, that it lies under baseStagingDir - confirm that
  // SecureBulkLoadListener or the coprocessor hook enforces that.
  final String bulkToken = request.getBulkToken();
  User user = getActiveUser();
  final UserGroupInformation ugi = user.getUGI();
  if (userProvider.isHadoopSecurityEnabled()) {
    try {
      Token<AuthenticationTokenIdentifier> tok = ClientTokenUtil.obtainToken(conn).get();
      if (tok != null) {
        boolean b = ugi.addToken(tok);
        // NOTE(review): tok is written to the debug log through its toString(); confirm
        // that this representation carries no secret material.
        LOG.debug("token added " + tok + " for user " + ugi + " return=" + b);
      }
    } catch (Exception ioe) {
      // Failure to obtain this token is only logged; the load continues without it.
      LOG.warn("unable to add token", ioe);
    }
  }
  if (userToken != null) {
    ugi.addToken(userToken);
  } else if (userProvider.isHadoopSecurityEnabled()) {
    // we allow this to pass through in "simple" security mode
    // for mini cluster testing
    // userToken is assigned above whenever isHadoopSecurityEnabled() returned true, so this
    // throw is reached only if that answer differs between the two calls.
    throw new DoNotRetryIOException("User token cannot be null");
  }

  // The tokens above are already attached to ugi when this hook runs.
  if (region.getCoprocessorHost() != null) {
    region.getCoprocessorHost().preBulkLoadHFile(familyPaths);
  }
  Map<byte[], List<Path>> map = null;

  try {
    incrementUgiReference(ugi);
    // Get the target fs (HBase region server fs) delegation token
    // Since we have checked the permission via 'preBulkLoadHFile', now let's give
    // the 'request user' necessary token to operate on the target fs.
    // After this point the 'doAs' user will hold two tokens, one for the source fs
    // ('request user'), another for the target fs (HBase region server principal).
    if (userProvider.isHadoopSecurityEnabled()) {
      FsDelegationToken targetfsDelegationToken = new FsDelegationToken(userProvider, "renewer");
      targetfsDelegationToken.acquireDelegationToken(fs);

      Token<?> targetFsToken = targetfsDelegationToken.getUserToken();
      // Add the target-fs token only when it is for a different service than the token the
      // client supplied.
      if (
        targetFsToken != null
          && (userToken == null || !targetFsToken.getService().equals(userToken.getService()))
      ) {
        ugi.addToken(targetFsToken);
      }
    }

    map = ugi.doAs(new PrivilegedAction<Map<byte[], List<Path>>>() {
      @Override
      public Map<byte[], List<Path>> run() {
        // Local variable that shadows the field: this instance is obtained inside the doAs.
        FileSystem fs = null;
        try {
          /*
           * This is creating and caching a new FileSystem instance. Other code called "beneath"
           * this method will rely on this FileSystem instance being in the cache. This is
           * important as those methods make _no_ attempt to close this FileSystem instance. It is
           * critical that here, in SecureBulkLoadManager, we are tracking the lifecycle and
           * closing the FS when safe to do so.
           */
          fs = FileSystem.get(conf);
          // Create one world-accessible (rwxrwxrwx) sub-directory per family under the bulk
          // token. The family name comes from the request and is used as a path component.
          for (Pair<byte[], String> el : familyPaths) {
            Path stageFamily = new Path(bulkToken, Bytes.toString(el.getFirst()));
            if (!fs.exists(stageFamily)) {
              fs.mkdirs(stageFamily);
              fs.setPermission(stageFamily, PERM_ALL_ACCESS);
            }
          }
          if (fsCreatedListener != null) {
            fsCreatedListener.accept(region);
          }
          // We call bulkLoadHFiles as requesting user
          // To enable access prior to staging
          return region.bulkLoadHFiles(familyPaths, true,
            new SecureBulkLoadListener(fs, bulkToken, conf), request.getCopyFile(), clusterIds,
            request.getReplicate());
        } catch (Exception e) {
          // Every failure is logged and swallowed here; the caller sees a null map.
          LOG.error("Failed to complete bulk load", e);
        }
        return null;
      }
    });
  } finally {
    decrementUgiReference(ugi);
    try {
      // Close the FileSystem instances of this ugi only when it is not the login user and
      // no other call currently holds a reference to it.
      if (!UserGroupInformation.getLoginUser().equals(ugi) && !isUserReferenced(ugi)) {
        FileSystem.closeAllForUGI(ugi);
      }
    } catch (IOException e) {
      LOG.error("Failed to close FileSystem for: {}", ugi, e);
    }
    // The post hook also runs on failure, in which case map is still null.
    if (region.getCoprocessorHost() != null) {
      region.getCoprocessorHost().postBulkLoadHFile(familyPaths, map);
    }
  }
  return map;
}
<span class="source-line-no">312</span><span id="line-312"></span>
/**
 * Creates a per-request staging directory under {@code baseDir} whose name is
 * {@code <user short name>__<table name with ':' replaced by '_'>__<random suffix>}.
 *
 * <p>The suffix is a {@code RANDOM_WIDTH}-bit value drawn from {@code random} and rendered in
 * base {@code RANDOM_RADIX}. NOTE(review): {@code random} is declared outside this view;
 * presumably it is a {@code SecureRandom}, and the returned path is what is handed out as the
 * bulk-load token. If so, the unpredictability of this suffix is part of the access control for
 * the staged files - confirm against the field declaration.
 *
 * @param baseDir   parent directory for all staging directories
 * @param user      user the staging directory is created for
 * @param tableName table being bulk loaded
 * @return the path of the created staging directory
 * @throws IOException if the directory cannot be created or its permission cannot be set
 */
private Path createStagingDir(Path baseDir, User user, TableName tableName) throws IOException {
  // ':' separates namespace and qualifier in a table name; replace it to get a plain dir name.
  final String sanitizedTable = tableName.getNameAsString().replace(":", "_");
  final String owner = user.getShortName();
  final String suffix = new BigInteger(RANDOM_WIDTH, random).toString(RANDOM_RADIX);
  final String dirName = String.join("__", owner, sanitizedTable, suffix);
  return createStagingDir(baseDir, user, dirName);
}
<span class="source-line-no">319</span><span id="line-319"></span>
/**
 * Creates {@code baseDir/randomDir} on the target filesystem and sets its permission to
 * {@code PERM_ALL_ACCESS}.
 *
 * <p>NOTE(review): {@code PERM_ALL_ACCESS} is declared outside this view; by its name it grants
 * access to every user. If so, what keeps other users out of this directory is the
 * unguessable directory name together with the permissions on {@code baseDir} - confirm that
 * {@code baseDir} is not listable by ordinary users.
 *
 * @param baseDir   parent directory
 * @param user      not used by this overload
 * @param randomDir name of the directory to create under {@code baseDir}
 * @return the path of the created directory
 * @throws IOException if creating the directory or setting its permission fails
 */
private Path createStagingDir(Path baseDir, User user, String randomDir) throws IOException {
  final Path stagingPath = new Path(baseDir, randomDir);
  fs.mkdirs(stagingPath, PERM_ALL_ACCESS);
  // The mode passed to mkdirs may be reduced by the filesystem's umask, so it is set again
  // explicitly on the created directory.
  fs.setPermission(stagingPath, PERM_ALL_ACCESS);
  return stagingPath;
}
<span class="source-line-no">326</span><span id="line-326"></span>
/**
 * Resolves the user on whose behalf the bulk load runs.
 *
 * <p>The RPC request user is used when there is one; otherwise the current user from
 * {@code userProvider} is used. When Hadoop security is enabled but the HBase security setting
 * ({@code User.HBASE_SECURITY_CONF_KEY}) is {@code "simple"}, a testing user with the same short
 * name and no groups is returned instead.
 *
 * @return the user to act as
 * @throws IOException if the current user cannot be obtained from {@code userProvider}
 */
private User getActiveUser() throws IOException {
  // Outside of RPC handling there is no request user, so fall back to the system user.
  // Note that orElse takes a value, so userProvider.getCurrent() is evaluated either way.
  final User caller = RpcServer.getRequestUser().orElse(userProvider.getCurrent());

  final boolean hadoopSecure = userProvider.isHadoopSecurityEnabled();
  final boolean simpleAuthOnSecureHadoop =
    hadoopSecure && "simple".equalsIgnoreCase(conf.get(User.HBASE_SECURITY_CONF_KEY));
  if (!simpleAuthOnSecureHadoop) {
    return caller;
  }
  // Test-only combination: the identity is rebuilt from the short name alone, without groups.
  return User.createUserForTesting(conf, caller.getShortName(), new String[] {});
}
<span class="source-line-no">340</span><span id="line-340"></span>
<span class="source-line-no">341</span><span id="line-341"> // package-private for test purpose only</span>
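/**
 * {@link BulkLoadListener} that places each HFile in a staging directory before it is loaded
 * and, when a load fails, moves files it had renamed back to where they came from.
 *
 * <p>For every file moved (rather than copied) into staging, the listener remembers the original
 * location and the original permission so that {@link #failedBulkLoad} can undo the move.
 * Staged files are given {@code PERM_ALL_ACCESS}. NOTE(review): that constant is declared
 * outside this view; by its name it opens the file to every user, which makes restoring the
 * original permission on failure security relevant.
 */
static class SecureBulkLoadListener implements BulkLoadListener {
  // Target filesystem
  private final FileSystem fs;
  // Default staging directory; prepareBulkLoad uses its customStaging argument when non-empty.
  private final String stagingDir;
  private final Configuration conf;
  // Source filesystem; opened lazily and released again by closeSrcFs().
  private FileSystem srcFs = null;
  // Original permission of each moved file, keyed by its SOURCE path.
  private final Map<String, FsPermission> origPermissions = new HashMap<>();
  // Source path of each moved file, keyed by its STAGED path.
  private final Map<String, String> origSources = new HashMap<>();

  /**
   * @param fs         target filesystem that holds the staging directory
   * @param stagingDir default staging directory
   * @param conf       configuration used to open the source filesystem and to copy files
   */
  public SecureBulkLoadListener(FileSystem fs, String stagingDir, Configuration conf) {
    this.fs = fs;
    this.stagingDir = stagingDir;
    this.conf = conf;
  }

  /**
   * Brings {@code srcPath} into {@code <staging>/<family>/<file name>} and returns that path.
   *
   * <p>The file is copied when the source is on a different filesystem than the target or when
   * {@code copyFile} is set; otherwise it is renamed, and its original location and permission
   * are recorded for {@link #failedBulkLoad}. If the file is already at the staged location
   * nothing is done.
   *
   * <p>NOTE(review): neither {@code customStaging} nor the family name is validated here before
   * being used to build the destination path; presumably the caller has already authorised and
   * checked them - confirm.
   *
   * @param family        column family the file is loaded into
   * @param srcPath       location of the HFile to load
   * @param copyFile      copy instead of move even when source and target filesystem match
   * @param customStaging staging directory to use instead of the default; may be empty or null
   * @return the staged path as a string
   * @throws IOException if the source is not a plain file, or copy/rename/chmod fails
   */
  @Override
  public String prepareBulkLoad(final byte[] family, final String srcPath, boolean copyFile,
    String customStaging) throws IOException {
    Path p = new Path(srcPath);

    String currentStaging = StringUtils.isNotEmpty(customStaging) ? customStaging : stagingDir;

    // Only the last component of the source path is carried over into the staging directory.
    Path stageP = new Path(currentStaging, new Path(Bytes.toString(family), p.getName()));

    // In case of Replication for bulk load files, hfiles are already copied in staging directory
    if (p.equals(stageP)) {
      LOG.debug("{} is already available in staging directory. Skipping copy or rename.",
        p.getName());
      return stageP.toString();
    }

    if (srcFs == null) {
      srcFs = FileSystem.newInstance(p.toUri(), conf);
    }

    // Reject directories and (where detectable) symlinks before touching the file.
    if (!isFile(p)) {
      throw new IOException("Path does not reference a file: " + p);
    }

    // Check to see if the source and target filesystems are the same
    if (!FSUtils.isSameHdfs(conf, srcFs, fs)) {
      LOG.debug("Bulk-load file {} is on different filesystem than the destination filesystem. "
        + "Copying file over to destination staging dir.", srcPath);
      FileUtil.copy(srcFs, p, fs, stageP, false, conf);
    } else if (copyFile) {
      LOG.debug("Bulk-load file {} is copied to destination staging dir.", srcPath);
      FileUtil.copy(srcFs, p, fs, stageP, false, conf);
    } else {
      LOG.debug("Moving {} to {}", p, stageP);
      FileStatus origFileStatus = fs.getFileStatus(p);
      // Recorded before the rename so a failed load can put the file back as it was.
      origPermissions.put(srcPath, origFileStatus.getPermission());
      origSources.put(stageP.toString(), srcPath);
      if (!fs.rename(p, stageP)) {
        throw new IOException("Failed to move HFile: " + p + " to " + stageP);
      }
    }
    fs.setPermission(stageP, PERM_ALL_ACCESS);

    return stageP.toString();
  }

  /**
   * Called when a file was loaded successfully; releases the source filesystem.
   *
   * @param family  column family the file was loaded into
   * @param srcPath path the load was reported for
   * @throws IOException if closing the source filesystem fails
   */
  @Override
  public void doneBulkLoad(byte[] family, String srcPath) throws IOException {
    LOG.debug("Bulk Load done for: {}", srcPath);
    closeSrcFs();
  }

  /** Closes the source filesystem if it is open and forgets the handle. */
  private void closeSrcFs() throws IOException {
    if (srcFs != null) {
      srcFs.close();
      srcFs = null;
    }
  }

  /**
   * Undoes the move of a staged file after a failed load: the file is renamed back to its
   * original location and its original permission is restored.
   *
   * <p>Files that were copied (not moved) into staging have no recorded source and are left
   * alone. The source filesystem is closed on every exit path.
   *
   * @param family     column family of the failed load
   * @param stagedPath staged path as returned by {@link #prepareBulkLoad}
   * @throws IOException if the staged file is missing, or the rename or chmod fails
   */
  @Override
  public void failedBulkLoad(final byte[] family, final String stagedPath) throws IOException {
    try {
      String src = origSources.get(stagedPath);
      if (StringUtils.isEmpty(src)) {
        LOG.debug("{} was not moved to staging. No need to move back", stagedPath);
        return;
      }

      Path stageP = new Path(stagedPath);
      if (!fs.exists(stageP)) {
        throw new IOException(
          "Missing HFile: " + stageP + ", can't be moved back to it's original place");
      }

      Path srcPath = new Path(src);
      // An earlier doneBulkLoad/failedBulkLoad call on this listener closes and nulls srcFs;
      // reopen it instead of failing with a NullPointerException and leaving the file staged.
      if (srcFs == null) {
        srcFs = FileSystem.newInstance(srcPath.toUri(), conf);
      }

      // we should not move back files if the original exists
      if (srcFs.exists(srcPath)) {
        LOG.debug("{} is already at it's original place. No need to move.", src);
        return;
      }

      LOG.debug("Moving {} back to {}", stageP, srcPath);
      if (!fs.rename(stageP, srcPath)) {
        throw new IOException("Failed to move HFile: " + stageP + " to " + srcPath);
      }

      // restore original permission
      // origPermissions is keyed by the source path (see prepareBulkLoad). Looking it up by the
      // staged path never matched, so the file kept the staging permission after being moved
      // back to its original location.
      FsPermission origPermission = origPermissions.get(src);
      if (origPermission != null) {
        fs.setPermission(srcPath, origPermission);
      } else {
        LOG.warn("Can't find previous permission for path={}", src);
      }
    } finally {
      closeSrcFs();
    }
  }

  /**
   * Check if the path is referencing a file. This is mainly needed to avoid symlinks.
   *
   * <p>The symlink test is made reflectively. If that call fails, the result falls back to
   * "not a directory", i.e. the symlink test is skipped rather than the path being rejected;
   * the failure is logged so that a skipped check is visible to operators.
   *
   * @param p path on the source filesystem
   * @return true if the p is a file
   * @throws IOException if the file status cannot be read
   */
  private boolean isFile(Path p) throws IOException {
    FileStatus status = srcFs.getFileStatus(p);
    boolean isFile = !status.isDirectory();
    try {
      isFile =
        isFile && !(Boolean) Methods.call(FileStatus.class, status, "isSymlink", null, null);
    } catch (Exception e) {
      // Kept best-effort to preserve existing behaviour, but no longer silent.
      LOG.warn("Could not determine whether {} is a symlink; symlink check skipped", p, e);
    }
    return isFile;
  }
}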
<span class="source-line-no">476</span><span id="line-476">}</span>
</pre>
</div>
</main>
</body>
</html>