001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.regionserver;
019
020import static org.junit.Assert.assertNotNull;
021import static org.junit.Assert.assertTrue;
022
023import java.security.Key;
024import java.util.ArrayList;
025import java.util.List;
026import org.apache.hadoop.conf.Configuration;
027import org.apache.hadoop.fs.Path;
028import org.apache.hadoop.hbase.HBaseClassTestRule;
029import org.apache.hadoop.hbase.HBaseTestingUtil;
030import org.apache.hadoop.hbase.HConstants;
031import org.apache.hadoop.hbase.TableName;
032import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
033import org.apache.hadoop.hbase.client.Put;
034import org.apache.hadoop.hbase.client.Table;
035import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
036import org.apache.hadoop.hbase.io.crypto.Encryption;
037import org.apache.hadoop.hbase.io.crypto.MockAesKeyProvider;
038import org.apache.hadoop.hbase.io.hfile.CacheConfig;
039import org.apache.hadoop.hbase.io.hfile.HFile;
040import org.apache.hadoop.hbase.testclassification.MediumTests;
041import org.apache.hadoop.hbase.testclassification.RegionServerTests;
042import org.apache.hadoop.hbase.util.Bytes;
043import org.junit.AfterClass;
044import org.junit.BeforeClass;
045import org.junit.ClassRule;
046import org.junit.Test;
047import org.junit.experimental.categories.Category;
048
049@Category({ RegionServerTests.class, MediumTests.class })
050public class TestEncryptionRandomKeying {
051
052  @ClassRule
053  public static final HBaseClassTestRule CLASS_RULE =
054    HBaseClassTestRule.forClass(TestEncryptionRandomKeying.class);
055
056  private static final HBaseTestingUtil TEST_UTIL = new HBaseTestingUtil();
057  private static Configuration conf = TEST_UTIL.getConfiguration();
058  private static TableDescriptorBuilder tdb;
059
060  private static List<Path> findStorefilePaths(TableName tableName) throws Exception {
061    List<Path> paths = new ArrayList<>();
062    for (Region region : TEST_UTIL.getRSForFirstRegionInTable(tableName)
063      .getRegions(tdb.build().getTableName())) {
064      for (HStore store : ((HRegion) region).getStores()) {
065        for (HStoreFile storefile : store.getStorefiles()) {
066          paths.add(storefile.getPath());
067        }
068      }
069    }
070    return paths;
071  }
072
073  private static byte[] extractHFileKey(Path path) throws Exception {
074    HFile.Reader reader =
075      HFile.createReader(TEST_UTIL.getTestFileSystem(), path, new CacheConfig(conf), true, conf);
076    try {
077      Encryption.Context cryptoContext = reader.getFileContext().getEncryptionContext();
078      assertNotNull("Reader has a null crypto context", cryptoContext);
079      Key key = cryptoContext.getKey();
080      if (key == null) {
081        return null;
082      }
083      return key.getEncoded();
084    } finally {
085      reader.close();
086    }
087  }
088
089  @BeforeClass
090  public static void setUp() throws Exception {
091    conf.setInt("hfile.format.version", 3);
092    conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, MockAesKeyProvider.class.getName());
093    conf.set(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, "hbase");
094
095    // Create the table schema
096    // Specify an encryption algorithm without a key
097    tdb =
098      TableDescriptorBuilder.newBuilder(TableName.valueOf("default", "TestEncryptionRandomKeying"));
099    ColumnFamilyDescriptorBuilder columnFamilyDescriptorBuilder =
100      ColumnFamilyDescriptorBuilder.newBuilder(Bytes.toBytes("cf"));
101    String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
102    columnFamilyDescriptorBuilder.setEncryptionType(algorithm);
103    tdb.setColumnFamily(columnFamilyDescriptorBuilder.build());
104
105    // Start the minicluster
106    TEST_UTIL.startMiniCluster(1);
107
108    // Create the test table
109    TEST_UTIL.getAdmin().createTable(tdb.build());
110    TEST_UTIL.waitTableAvailable(tdb.build().getTableName(), 5000);
111
112    // Create a store file
113    Table table = TEST_UTIL.getConnection().getTable(tdb.build().getTableName());
114    try {
115      table.put(
116        new Put(Bytes.toBytes("testrow")).addColumn(columnFamilyDescriptorBuilder.build().getName(),
117          Bytes.toBytes("q"), Bytes.toBytes("value")));
118    } finally {
119      table.close();
120    }
121    TEST_UTIL.getAdmin().flush(tdb.build().getTableName());
122  }
123
124  @AfterClass
125  public static void tearDown() throws Exception {
126    TEST_UTIL.shutdownMiniCluster();
127  }
128
129  @Test
130  public void testRandomKeying() throws Exception {
131    // Verify we have store file(s) with a random key
132    final List<Path> initialPaths = findStorefilePaths(tdb.build().getTableName());
133    assertTrue(initialPaths.size() > 0);
134    for (Path path : initialPaths) {
135      assertNotNull("Store file " + path + " is not encrypted", extractHFileKey(path));
136    }
137  }
138
139}