use of org.apache.hadoop.hbase.security.visibility.CellVisibility in project hbase by apache.
the class TestSecureExport method testVisibilityLabels.
/**
 * Round-trips cells that carry visibility labels through Export and Import, then checks how many
 * rows a scan returns for each set of labels.
 *
 * <p>Three rows are written to the export table, each with a different visibility expression.
 * For every label set in {@code labelsAndRowCounts} the table is exported with that label set,
 * imported into a fresh table (column family renamed from FAMILYA to FAMILYB), scanned with
 * the same labels as authorizations, and the row count is compared with the expected value.
 *
 * @throws IOException propagated from table, filesystem or export/import operations
 * @throws Throwable propagated from the SecureTestUtil helpers
 */
@Test
// Disabled; see HBASE-23990. While ignored, this test gives no coverage of label-filtered export.
@org.junit.Ignore
public void testVisibilityLabels() throws IOException, Throwable {
  final String exportTable = name.getMethodName() + "_export";
  final String importTable = name.getMethodName() + "_import";
  final TableDescriptor exportHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(exportTable)).setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYA)).build();
  User owner = User.createUserForTesting(UTIL.getConfiguration(), USER_OWNER, new String[0]);
  // The export table is created on behalf of the owner user, pre-split at key "s".
  SecureTestUtil.createTable(UTIL, owner, exportHtd, new byte[][] { Bytes.toBytes("s") });
  // Write one cell per row, each guarded by a different visibility expression:
  //   ROW1: SECRET
  //   ROW2: PRIVATE & CONFIDENTIAL
  //   ROW3: !CONFIDENTIAL & TOPSECRET
  AccessTestAction putAction = () -> {
    Put p1 = new Put(ROW1);
    p1.addColumn(FAMILYA, QUAL, NOW, QUAL);
    p1.setCellVisibility(new CellVisibility(SECRET));
    Put p2 = new Put(ROW2);
    p2.addColumn(FAMILYA, QUAL, NOW, QUAL);
    p2.setCellVisibility(new CellVisibility(PRIVATE + " & " + CONFIDENTIAL));
    Put p3 = new Put(ROW3);
    p3.addColumn(FAMILYA, QUAL, NOW, QUAL);
    p3.setCellVisibility(new CellVisibility("!" + CONFIDENTIAL + " & " + TOPSECRET));
    try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
        Table t = conn.getTable(TableName.valueOf(exportTable))) {
      t.put(p1);
      t.put(p2);
      t.put(p3);
    }
    return null;
  };
  // The puts must be permitted for the owner login.
  SecureTestUtil.verifyAllowed(putAction, getUserByLogin(USER_OWNER));
  // Each pair is (labels used for export and scan, expected number of rows in the imported table).
  // Read against the three expressions above:
  //   [SECRET]                          -> ROW1 only
  //   [PRIVATE, CONFIDENTIAL]           -> ROW2 only
  //   [TOPSECRET]                       -> ROW3 only (CONFIDENTIAL is not held, so the negation passes)
  //   [TOPSECRET, CONFIDENTIAL]         -> none (holding CONFIDENTIAL fails ROW3's negation)
  //   all four labels                   -> ROW1 and ROW2; ROW3 is still excluded by the negation
  List<Pair<List<String>, Integer>> labelsAndRowCounts = new LinkedList<>();
  labelsAndRowCounts.add(new Pair<>(Arrays.asList(SECRET), 1));
  labelsAndRowCounts.add(new Pair<>(Arrays.asList(PRIVATE, CONFIDENTIAL), 1));
  labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET), 1));
  labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL), 0));
  labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL, PRIVATE, SECRET), 2));
  for (final Pair<List<String>, Integer> labelsAndRowCount : labelsAndRowCounts) {
    final List<String> labels = labelsAndRowCount.getFirst();
    final int rowCount = labelsAndRowCount.getSecond();
    // Create a directory with rwx for owner, group and other (world-writable). The path is
    // relative, so it resolves against the filesystem's working directory.
    // NOTE(review): acceptable only as test scaffolding; presumably opened up so the export can
    // write its output regardless of which account performs the write - confirm.
    final Path openDir = new Path("testAccessCase");
    final FileSystem fs = openDir.getFileSystem(UTIL.getConfiguration());
    fs.mkdirs(openDir);
    fs.setPermission(openDir, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.ALL));
    final Path output = fs.makeQualified(new Path(openDir, "output"));
    AccessTestAction exportAction = () -> {
      // Join the labels with commas; the trailing comma is removed afterwards. Every label list
      // in this test is non-empty, so deleteCharAt never sees an empty buffer.
      StringBuilder buf = new StringBuilder();
      labels.forEach(v -> buf.append(v).append(","));
      buf.deleteCharAt(buf.length() - 1);
      try {
        // NOTE(review): the option is passed as one argv element with a space after "-D", while
        // the import action below uses "-D" + key with no space. Confirm the option parser
        // accepts this form; if it does not, the export would run without any label restriction.
        String[] args = new String[] { "-D " + ExportUtils.EXPORT_VISIBILITY_LABELS + "=" + buf.toString(), exportTable, output.toString() };
        Export.run(new Configuration(UTIL.getConfiguration()), args);
        return null;
      } catch (ServiceException | IOException ex) {
        // These two types propagate unchanged.
        throw ex;
      } catch (Throwable ex) {
        // Anything else is wrapped so the lambda only throws Exception.
        throw new Exception(ex);
      }
    };
    SecureTestUtil.verifyAllowed(exportAction, getUserByLogin(USER_OWNER));
    // A fresh import table is created for every label set and dropped at the end of the iteration.
    final TableDescriptor importHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(importTable)).setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYB)).build();
    SecureTestUtil.createTable(UTIL, owner, importHtd, new byte[][] { Bytes.toBytes("s") });
    AccessTestAction importAction = () -> {
      // Import the exported files, renaming the column family from FAMILYA to FAMILYB.
      String[] args = new String[] { "-D" + Import.CF_RENAME_PROP + "=" + FAMILYA_STRING + ":" + FAMILYB_STRING, importTable, output.toString() };
      assertEquals(0, ToolRunner.run(new Configuration(UTIL.getConfiguration()), new Import(), args));
      return null;
    };
    SecureTestUtil.verifyAllowed(importAction, getUserByLogin(USER_OWNER));
    AccessTestAction scanAction = () -> {
      // NOTE(review): the scan is authorized with the same labels that were given to the export,
      // so the count reflects export-side filtering and/or scan-time filtering. Which of the two
      // is actually being asserted depends on whether Import preserves visibility tags - confirm.
      Scan scan = new Scan();
      scan.setAuthorizations(new Authorizations(labels));
      try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
          Table table = conn.getTable(importHtd.getTableName());
          ResultScanner scanner = table.getScanner(scan)) {
        // Count the rows returned; the row contents are not inspected.
        int count = 0;
        for (Result r : scanner) {
          ++count;
        }
        assertEquals(rowCount, count);
      }
      return null;
    };
    SecureTestUtil.verifyAllowed(scanAction, getUserByLogin(USER_OWNER));
    // Drop the import table and clear the export output so the next label set starts clean.
    AccessTestAction deleteAction = () -> {
      UTIL.deleteTable(importHtd.getTableName());
      return null;
    };
    SecureTestUtil.verifyAllowed(deleteAction, getUserByLogin(USER_OWNER));
    clearOutput(output);
  }
  // Finally drop the export table that was shared by all iterations.
  AccessTestAction deleteAction = () -> {
    UTIL.deleteTable(exportHtd.getTableName());
    return null;
  };
  SecureTestUtil.verifyAllowed(deleteAction, getUserByLogin(USER_OWNER));
}
use of org.apache.hadoop.hbase.security.visibility.CellVisibility in project hbase by apache.
the class PutSortReducer method reduce.
/**
 * Turns the Puts of one row into sorted KeyValues and writes them to the context.
 *
 * <p>Puts are consumed in batches. Each batch is collected into a TreeSet ordered by
 * CellComparator until the iterator is exhausted or the accumulated heap size reaches the
 * configured threshold; the batch is then written out. Per-Put TTL, ACL and visibility
 * information is converted into tags that are attached to the KeyValues created for that Put.
 *
 * @param row the row key shared by all Puts in this call
 * @param puts the Puts to convert
 * @param context reducer context used for configuration, status updates and output
 * @throws java.io.IOException if a Put's visibility expression cannot be deserialized, or on
 *         write failure
 * @throws InterruptedException propagated from the context write
 */
@Override
protected void reduce(ImmutableBytesWritable row, java.lang.Iterable<Put> puts, Reducer<ImmutableBytesWritable, Put, ImmutableBytesWritable, KeyValue>.Context context) throws java.io.IOException, InterruptedException {
  // although reduce() is called per-row, handle pathological case
  // Default threshold is 2^30; it is compared against the summed KeyValue.heapSize() values.
  long threshold = context.getConfiguration().getLong("putsortreducer.row.threshold", 1L * (1 << 30));
  Iterator<Put> iter = puts.iterator();
  while (iter.hasNext()) {
    // A new sorted batch per outer iteration; the set also drops duplicate KeyValues.
    TreeSet<KeyValue> map = new TreeSet<>(CellComparator.getInstance());
    long curSize = 0;
    // stop at the end or the RAM threshold
    // The threshold is only checked between Puts, so a single large Put can push the batch past it.
    List<Tag> tags = new ArrayList<>();
    while (iter.hasNext() && curSize < threshold) {
      // clear the tags
      // Reset once per Put so tags of the previous Put do not leak into this one.
      tags.clear();
      Put p = iter.next();
      long t = p.getTTL();
      if (t != Long.MAX_VALUE) {
        // add TTL tag if found
        tags.add(new ArrayBackedTag(TagType.TTL_TAG_TYPE, Bytes.toBytes(t)));
      }
      byte[] acl = p.getACL();
      if (acl != null) {
        // add ACL tag if found
        tags.add(new ArrayBackedTag(TagType.ACL_TAG_TYPE, acl));
      }
      try {
        CellVisibility cellVisibility = p.getCellVisibility();
        if (cellVisibility != null) {
          // add the visibility labels if any
          tags.addAll(kvCreator.getVisibilityExpressionResolver().createVisibilityExpTags(cellVisibility.getExpression()));
        }
      } catch (DeserializationException e) {
        // A Put whose visibility expression cannot be deserialized is not skipped and is not
        // written without its labels: the whole reduce call fails with an IOException.
        throw new IOException("Invalid visibility expression found in mutation " + p, e);
      }
      for (List<Cell> cells : p.getFamilyCellMap().values()) {
        for (Cell cell : cells) {
          // Creating the KV which needs to be directly written to HFiles. Using the Facade
          // KVCreator for creation of kvs.
          KeyValue kv = null;
          // NOTE(review): the same `tags` list is passed for every cell of this Put and is only
          // cleared per Put; the return value is ignored. If carryForwardTags appends the cell's
          // own tags to the list it is given, tags carried from an earlier cell would also end
          // up on later cells of the same Put - confirm against TagUtil.
          TagUtil.carryForwardTags(tags, cell);
          if (!tags.isEmpty()) {
            // Rebuild the KeyValue from the cell's components so the tags are attached.
            kv = (KeyValue) kvCreator.create(cell.getRowArray(), cell.getRowOffset(), cell.getRowLength(), cell.getFamilyArray(), cell.getFamilyOffset(), cell.getFamilyLength(), cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength(), cell.getTimestamp(), cell.getValueArray(), cell.getValueOffset(), cell.getValueLength(), tags);
          } else {
            // No tags to add: reuse or convert the cell as-is.
            kv = KeyValueUtil.ensureKeyValue(cell);
          }
          if (map.add(kv)) {
            // don't count duplicated kv into size
            curSize += kv.heapSize();
          }
        }
      }
    }
    context.setStatus("Read " + map.size() + " entries of " + map.getClass() + "(" + StringUtils.humanReadableInt(curSize) + ")");
    // Emit the batch in sorted order, refreshing the status every 100 KeyValues.
    int index = 0;
    for (KeyValue kv : map) {
      context.write(row, kv);
      if (++index % 100 == 0)
        context.setStatus("Wrote " + index);
    }
    // if we have more entries to process
    if (iter.hasNext()) {
      // force flush because we cannot guarantee intra-row sorted order
      context.write(null, null);
    }
  }
}
use of org.apache.hadoop.hbase.security.visibility.CellVisibility in project hbase by apache.
the class ProtobufUtil method toCellVisibility.
/**
 * Parses serialized protocol buffer CellVisibility bytes and converts the message to a client
 * CellVisibility.
 *
 * @param protoBytes the serialized ClientProtos.CellVisibility message; may be {@code null}
 * @return the converted client CellVisibility, or {@code null} when {@code protoBytes} is
 *         {@code null}
 * @throws DeserializationException if merging the bytes into the protobuf builder or building
 *         the message raises an IOException
 */
public static CellVisibility toCellVisibility(byte[] protoBytes) throws DeserializationException {
  // Absent input maps to an absent result rather than an error.
  if (protoBytes == null) {
    return null;
  }
  final ClientProtos.CellVisibility parsed;
  try {
    ClientProtos.CellVisibility.Builder protoBuilder = ClientProtos.CellVisibility.newBuilder();
    ProtobufUtil.mergeFrom(protoBuilder, protoBytes);
    parsed = protoBuilder.build();
  } catch (IOException e) {
    // Keep the parse failure as the cause so callers can see why the bytes were rejected.
    throw new DeserializationException(e);
  }
  // Only the protobuf decoding happens here; the conversion itself is done by the overload
  // that takes the parsed message.
  return toCellVisibility(parsed);
}
use of org.apache.hadoop.hbase.security.visibility.CellVisibility in project hbase by apache.
the class TestScannersWithLabels method insertData.
/**
 * Writes nine rows ("row0" through "row8") to the given table, each with a single cell whose
 * visibility expression is {@code (SECRET|CONFIDENTIAL)&!TOPSECRET}.
 *
 * @param tableName the table to write to
 * @param column the column specifier, parsed by CellUtil.parseColumn into family and qualifier
 * @param prob not read by this method
 * @return the number of Puts submitted
 * @throws IOException if obtaining the table or writing the Puts fails
 */
private static int insertData(TableName tableName, String column, double prob) throws IOException {
  final int rowTotal = 9;
  // Every cell gets the same three-byte, zero-filled value.
  final byte[] cellValue = new byte[3];
  final byte[][] familyAndQualifier = CellUtil.parseColumn(Bytes.toBytes(column));
  // The expression is the same for every row, so it is assembled once.
  final String visibilityExpr = "(" + SECRET + "|" + CONFIDENTIAL + ")" + "&" + "!" + TOPSECRET;
  final List<Put> batch = new ArrayList<>(rowTotal);
  int rowIndex = 0;
  while (rowIndex < rowTotal) {
    Put rowPut = new Put(Bytes.toBytes("row" + rowIndex));
    // The write-ahead log is skipped for these test writes.
    rowPut.setDurability(Durability.SKIP_WAL);
    rowPut.addColumn(familyAndQualifier[0], familyAndQualifier[1], cellValue);
    rowPut.setCellVisibility(new CellVisibility(visibilityExpr));
    batch.add(rowPut);
    rowIndex++;
  }
  // All Puts are sent in one call; the table handle is closed afterwards.
  try (Table target = TEST_UTIL.getConnection().getTable(tableName)) {
    target.put(batch);
  }
  return batch.size();
}
use of org.apache.hadoop.hbase.security.visibility.CellVisibility in project hbase by apache.
the class Mutation method toCellVisibility.
/**
 * Decodes serialized protocol buffer CellVisibility bytes and converts the resulting message to
 * a client CellVisibility.
 *
 * @param protoBytes the serialized ClientProtos.CellVisibility message; may be {@code null}
 * @return the converted client CellVisibility, or {@code null} when {@code protoBytes} is
 *         {@code null}
 * @throws DeserializationException if decoding the bytes raises an IOException
 */
private static CellVisibility toCellVisibility(byte[] protoBytes) throws DeserializationException {
  if (protoBytes != null) {
    ClientProtos.CellVisibility.Builder pbBuilder = ClientProtos.CellVisibility.newBuilder();
    ClientProtos.CellVisibility message;
    try {
      ProtobufUtil.mergeFrom(pbBuilder, protoBytes);
      message = pbBuilder.build();
    } catch (IOException ioe) {
      // The decoding failure is kept as the cause of the DeserializationException.
      throw new DeserializationException(ioe);
    }
    // Hand the decoded message to the overload that performs the actual conversion.
    return toCellVisibility(message);
  }
  // No bytes were supplied, so there is no visibility to return.
  return null;
}