001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.regionserver; 019 020import static org.junit.Assert.assertNotNull; 021import static org.junit.Assert.assertTrue; 022 023import java.security.Key; 024import java.util.ArrayList; 025import java.util.List; 026import org.apache.hadoop.conf.Configuration; 027import org.apache.hadoop.fs.Path; 028import org.apache.hadoop.hbase.HBaseClassTestRule; 029import org.apache.hadoop.hbase.HBaseTestingUtil; 030import org.apache.hadoop.hbase.HConstants; 031import org.apache.hadoop.hbase.TableName; 032import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; 033import org.apache.hadoop.hbase.client.Put; 034import org.apache.hadoop.hbase.client.Table; 035import org.apache.hadoop.hbase.client.TableDescriptorBuilder; 036import org.apache.hadoop.hbase.io.crypto.Encryption; 037import org.apache.hadoop.hbase.io.crypto.MockAesKeyProvider; 038import org.apache.hadoop.hbase.io.hfile.CacheConfig; 039import org.apache.hadoop.hbase.io.hfile.HFile; 040import org.apache.hadoop.hbase.testclassification.MediumTests; 041import org.apache.hadoop.hbase.testclassification.RegionServerTests; 042import 
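org.apache.hadoop.hbase.util.Bytes;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;

/**
 * Checks that a column family which declares an encryption type but no explicit data
 * key still produces encrypted store files. The region server is expected to pick a
 * random data key on its own; the test confirms this by reading each store file back
 * and requiring a non-empty key in the HFile's crypto context (the master key
 * "hbase" from {@link MockAesKeyProvider} is what lets the reader unwrap it).
 * <p>
 * NOTE(review): this only proves that <em>some</em> key was attached to the file.
 * It does not show that the key differs from the master key or between stores;
 * callers who need that guarantee need a stronger assertion than this test gives.
 */
@Category({ RegionServerTests.class, MediumTests.class })
public class TestEncryptionRandomKeying {

  @ClassRule
  public static final HBaseClassTestRule CLASS_RULE =
    HBaseClassTestRule.forClass(TestEncryptionRandomKeying.class);

  private static final HBaseTestingUtil TEST_UTIL = new HBaseTestingUtil();
  private static final Configuration conf = TEST_UTIL.getConfiguration();
  /** Name of the single test table; built once so every helper agrees on it. */
  private static final TableName TABLE_NAME =
    TableName.valueOf("default", "TestEncryptionRandomKeying");
  /** The one (encrypted) column family of the test table. */
  private static final byte[] FAMILY = Bytes.toBytes("cf");
  private static TableDescriptorBuilder tdb;

  /**
   * Collects the paths of every store file held by the regions of {@code tableName}
   * on the region server that hosts the table's first region.
   *
   * @param tableName table whose store files are wanted (used for both the region
   *          server lookup and the region listing, unlike the earlier version that
   *          silently looked up the regions of {@code tdb} instead)
   * @return the store file paths found; empty if no region holds a flushed file yet
   */
  private static List<Path> findStorefilePaths(TableName tableName) throws Exception {
    List<Path> paths = new ArrayList<>();
    for (Region region : TEST_UTIL.getRSForFirstRegionInTable(tableName).getRegions(tableName)) {
      for (HStore store : ((HRegion) region).getStores()) {
        for (HStoreFile storefile : store.getStorefiles()) {
          paths.add(storefile.getPath());
        }
      }
    }
    return paths;
  }

  /**
   * Opens {@code path} as an HFile and returns the encoded data key from its crypto
   * context.
   *
   * @param path store file to inspect
   * @return the key bytes, or {@code null} when the crypto context carries no key
   *         (i.e. the file is not encrypted)
   * @throws AssertionError if the reader exposes no crypto context at all
   */
  private static byte[] extractHFileKey(Path path) throws Exception {
    // The reader is Closeable; try-with-resources guarantees it is released even
    // when one of the assertions below fails.
    try (HFile.Reader reader =
      HFile.createReader(TEST_UTIL.getTestFileSystem(), path, new CacheConfig(conf), true, conf)) {
      Encryption.Context cryptoContext = reader.getFileContext().getEncryptionContext();
      assertNotNull("Reader has a null crypto context", cryptoContext);
      Key key = cryptoContext.getKey();
      return key == null ? null : key.getEncoded();
    }
  }

  /**
   * Configures HFile v3 with the mock AES key provider, creates a table whose only
   * family asks for encryption without naming a key, writes one row and flushes it so
   * that at least one store file exists on disk.
   */
  @BeforeClass
  public static void setUp() throws Exception {
    // Encrypted HFiles require format version 3.
    conf.setInt("hfile.format.version", 3);
    conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, MockAesKeyProvider.class.getName());
    conf.set(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, "hbase");

    // Schema: request an encryption algorithm but deliberately set no key, so the
    // region server has to generate one.
    String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    ColumnFamilyDescriptorBuilder familyBuilder = ColumnFamilyDescriptorBuilder.newBuilder(FAMILY);
    familyBuilder.setEncryptionType(algorithm);
    tdb = TableDescriptorBuilder.newBuilder(TABLE_NAME);
    tdb.setColumnFamily(familyBuilder.build());

    TEST_UTIL.startMiniCluster(1);

    TEST_UTIL.getAdmin().createTable(tdb.build());
    TEST_UTIL.waitTableAvailable(TABLE_NAME, 5000);

    // One put plus a flush is enough to materialise a store file.
    try (Table table = TEST_UTIL.getConnection().getTable(TABLE_NAME)) {
      table.put(new Put(Bytes.toBytes("testrow")).addColumn(FAMILY, Bytes.toBytes("q"),
        Bytes.toBytes("value")));
    }
    TEST_UTIL.getAdmin().flush(TABLE_NAME);
  }

  @AfterClass
  public static void tearDown() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }

  /**
   * Every flushed store file must carry a non-empty data key even though the family
   * declared none, which is the observable effect of random keying.
   */
  @Test
  public void testRandomKeying() throws Exception {
    final List<Path> initialPaths = findStorefilePaths(TABLE_NAME);
    assertTrue("Expected at least one store file after flush", initialPaths.size() > 0);
    for (Path path : initialPaths) {
      byte[] key = extractHFileKey(path);
      assertNotNull("Store file " + path + " is not encrypted", key);
      // A present-but-empty key would still pass the null check; reject it explicitly.
      assertTrue("Store file " + path + " has an empty data key", key.length > 0);
    }
  }

}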