View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.DataInput;
23  import java.io.DataInputStream;
24  import java.io.IOException;
25  import java.util.ArrayList;
26  import java.util.Arrays;
27  import java.util.List;
28  import java.util.Map;
29  import java.util.Set;
30  import java.util.TreeMap;
31  import java.util.TreeSet;
32  
33  import org.apache.commons.logging.Log;
34  import org.apache.commons.logging.LogFactory;
35  import org.apache.hadoop.conf.Configuration;
36  import org.apache.hadoop.hbase.Cell;
37  import org.apache.hadoop.hbase.CellUtil;
38  import org.apache.hadoop.hbase.HColumnDescriptor;
39  import org.apache.hadoop.hbase.HConstants;
40  import org.apache.hadoop.hbase.HTableDescriptor;
41  import org.apache.hadoop.hbase.KeyValue;
42  import org.apache.hadoop.hbase.NamespaceDescriptor;
43  import org.apache.hadoop.hbase.TableName;
44  import org.apache.hadoop.hbase.catalog.MetaReader;
45  import org.apache.hadoop.hbase.client.Delete;
46  import org.apache.hadoop.hbase.client.Get;
47  import org.apache.hadoop.hbase.client.HTable;
48  import org.apache.hadoop.hbase.client.Put;
49  import org.apache.hadoop.hbase.client.Result;
50  import org.apache.hadoop.hbase.client.ResultScanner;
51  import org.apache.hadoop.hbase.client.Scan;
52  import org.apache.hadoop.hbase.exceptions.DeserializationException;
53  import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
54  import org.apache.hadoop.hbase.filter.QualifierFilter;
55  import org.apache.hadoop.hbase.filter.RegexStringComparator;
56  import org.apache.hadoop.hbase.io.compress.Compression;
57  import org.apache.hadoop.hbase.master.MasterServices;
58  import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
59  import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
60  import org.apache.hadoop.hbase.regionserver.BloomType;
61  import org.apache.hadoop.hbase.regionserver.HRegion;
62  import org.apache.hadoop.hbase.regionserver.InternalScanner;
63  import org.apache.hadoop.hbase.util.Bytes;
64  import org.apache.hadoop.hbase.util.Pair;
65  import org.apache.hadoop.io.Text;
66  
67  import com.google.common.collect.ArrayListMultimap;
68  import com.google.common.collect.ListMultimap;
69  import com.google.protobuf.InvalidProtocolBufferException;
70  
71  /**
72   * Maintains lists of permission grants to users and groups to allow for
73   * authorization checks by {@link AccessController}.
74   *
75   * <p>
76   * Access control lists are stored in an "internal" metadata table named
77   * {@code _acl_}. Each table's permission grants are stored as a separate row,
78   * keyed by the table name. KeyValues for permissions assignments are stored
79   * in one of the formats:
80   * <pre>
81   * Key                      Desc
82   * --------                 --------
83   * user                     table level permissions for a user [R=read, W=write]
84   * group                    table level permissions for a group
85   * user,family              column family level permissions for a user
86   * group,family             column family level permissions for a group
87   * user,family,qualifier    column qualifier level permissions for a user
88   * group,family,qualifier   column qualifier level permissions for a group
89   * </pre>
90   * All values are encoded as byte arrays containing the codes from the
91   * org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
92   * </p>
93   */
94  public class AccessControlLists {
95    /** Internal storage table for access control lists */
96    public static final TableName ACL_TABLE_NAME =
97        TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
98    public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
99    /** Column family used to store ACL grants */
100   public static final String ACL_LIST_FAMILY_STR = "l";
101   public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
102 
103   public static final char NAMESPACE_PREFIX = '@';
104 
105   /** Table descriptor for ACL internal table */
106   public static final HTableDescriptor ACL_TABLEDESC = new HTableDescriptor(ACL_TABLE_NAME);
107   static {
108     ACL_TABLEDESC.addFamily(
109         new HColumnDescriptor(ACL_LIST_FAMILY,
110             10, // Ten is arbitrary number.  Keep versions to help debugging.
111             Compression.Algorithm.NONE.getName(), true, true, 8 * 1024,
112             HConstants.FOREVER, BloomType.NONE.toString(),
113             HConstants.REPLICATION_SCOPE_LOCAL));
114   }
115 
116   /**
117    * Delimiter to separate user, column family, and qualifier in
118    * _acl_ table info: column keys */
119   public static final char ACL_KEY_DELIMITER = ',';
120   /** Prefix character to denote group names */
121   public static final String GROUP_PREFIX = "@";
122   /** Configuration key for superusers */
123   public static final String SUPERUSER_CONF_KEY = "hbase.superuser";
124 
125   private static Log LOG = LogFactory.getLog(AccessControlLists.class);
126 
127   /**
128    * Check for existence of {@code _acl_} table and create it if it does not exist
129    * @param master reference to HMaster
130    */
131   static void init(MasterServices master) throws IOException {
132     if (!MetaReader.tableExists(master.getCatalogTracker(), ACL_TABLE_NAME)) {
133       master.createTable(ACL_TABLEDESC, null);
134     }
135   }
136 
137   /**
138    * Stores a new user permission grant in the access control lists table.
139    * @param conf the configuration
140    * @param userPerm the details of the permission to be granted
141    * @throws IOException in the case of an error accessing the metadata table
142    */
143   static void addUserPermission(Configuration conf, UserPermission userPerm)
144       throws IOException {
145     Permission.Action[] actions = userPerm.getActions();
146     byte[] rowKey = userPermissionRowKey(userPerm);
147     Put p = new Put(rowKey);
148     byte[] key = userPermissionKey(userPerm);
149 
150     if ((actions == null) || (actions.length == 0)) {
151       String msg = "No actions associated with user '" + Bytes.toString(userPerm.getUser()) + "'";
152       LOG.warn(msg);
153       throw new IOException(msg);
154     }
155 
156     byte[] value = new byte[actions.length];
157     for (int i = 0; i < actions.length; i++) {
158       value[i] = actions[i].code();
159     }
160     p.addImmutable(ACL_LIST_FAMILY, key, value);
161     if (LOG.isDebugEnabled()) {
162       LOG.debug("Writing permission with rowKey "+
163           Bytes.toString(rowKey)+" "+
164           Bytes.toString(key)+": "+Bytes.toStringBinary(value)
165       );
166     }
167     HTable acls = null;
168     try {
169       acls = new HTable(conf, ACL_TABLE_NAME);
170       acls.put(p);
171     } finally {
172       if (acls != null) acls.close();
173     }
174   }
175 
176   /**
177    * Removes a previously granted permission from the stored access control
178    * lists.  The {@link TablePermission} being removed must exactly match what
179    * is stored -- no wildcard matching is attempted.  Ie, if user "bob" has
180    * been granted "READ" access to the "data" table, but only to column family
181    * plus qualifier "info:colA", then trying to call this method with only
182    * user "bob" and the table name "data" (but without specifying the
183    * column qualifier "info:colA") will have no effect.
184    *
185    * @param conf the configuration
186    * @param userPerm the details of the permission to be revoked
187    * @throws IOException if there is an error accessing the metadata table
188    */
189   static void removeUserPermission(Configuration conf, UserPermission userPerm)
190       throws IOException {
191     Delete d = new Delete(userPermissionRowKey(userPerm));
192     byte[] key = userPermissionKey(userPerm);
193 
194     if (LOG.isDebugEnabled()) {
195       LOG.debug("Removing permission "+ userPerm.toString());
196     }
197     d.deleteColumns(ACL_LIST_FAMILY, key);
198     HTable acls = null;
199     try {
200       acls = new HTable(conf, ACL_TABLE_NAME);
201       acls.delete(d);
202     } finally {
203       if (acls != null) acls.close();
204     }
205   }
206 
207   /**
208    * Remove specified table from the _acl_ table.
209    */
210   static void removeTablePermissions(Configuration conf, TableName tableName)
211       throws IOException{
212     Delete d = new Delete(tableName.getName());
213 
214     if (LOG.isDebugEnabled()) {
215       LOG.debug("Removing permissions of removed table "+ tableName);
216     }
217 
218     HTable acls = null;
219     try {
220       acls = new HTable(conf, ACL_TABLE_NAME);
221       acls.delete(d);
222     } finally {
223       if (acls != null) acls.close();
224     }
225   }
226 
227   /**
228    * Remove specified namespace from the acl table.
229    */
230   static void removeNamespacePermissions(Configuration conf, String namespace)
231       throws IOException{
232     Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
233 
234     if (LOG.isDebugEnabled()) {
235       LOG.debug("Removing permissions of removed namespace "+ namespace);
236     }
237 
238     HTable acls = null;
239     try {
240       acls = new HTable(conf, ACL_TABLE_NAME);
241       acls.delete(d);
242     } finally {
243       if (acls != null) acls.close();
244     }
245   }
246 
247   /**
248    * Remove specified table column from the acl table.
249    */
250   static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column)
251       throws IOException{
252 
253     if (LOG.isDebugEnabled()) {
254       LOG.debug("Removing permissions of removed column " + Bytes.toString(column) +
255                 " from table "+ tableName);
256     }
257 
258     HTable acls = null;
259     try {
260       acls = new HTable(conf, ACL_TABLE_NAME);
261 
262       Scan scan = new Scan();
263       scan.addFamily(ACL_LIST_FAMILY);
264 
265       String columnName = Bytes.toString(column);
266       scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator(
267                      String.format("(%s%s%s)|(%s%s)$",
268                      ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER,
269                      ACL_KEY_DELIMITER, columnName))));
270 
271       Set<byte[]> qualifierSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
272       ResultScanner scanner = acls.getScanner(scan);
273       try {
274         for (Result res : scanner) {
275           for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
276             qualifierSet.add(q);
277           }
278         }
279       } finally {
280         scanner.close();
281       }
282 
283       if (qualifierSet.size() > 0) {
284         Delete d = new Delete(tableName.getName());
285         for (byte[] qualifier : qualifierSet) {
286           d.deleteColumns(ACL_LIST_FAMILY, qualifier);
287         }
288         acls.delete(d);
289       }
290     } finally {
291       if (acls != null) acls.close();
292     }
293   }
294 
295   static byte[] userPermissionRowKey(UserPermission userPerm) {
296     byte[] row;
297     if(userPerm.hasNamespace()) {
298       row = Bytes.toBytes(toNamespaceEntry(userPerm.getNamespace()));
299     } else if(userPerm.isGlobal()) {
300       row = ACL_GLOBAL_NAME;
301     } else {
302       row = userPerm.getTableName().getName();
303     }
304     return row;
305   }
306 
307   /**
308    * Build qualifier key from user permission:
309    *  username
310    *  username,family
311    *  username,family,qualifier
312    */
313   static byte[] userPermissionKey(UserPermission userPerm) {
314     byte[] qualifier = userPerm.getQualifier();
315     byte[] family = userPerm.getFamily();
316     byte[] key = userPerm.getUser();
317 
318     if (family != null && family.length > 0) {
319       key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, family));
320       if (qualifier != null && qualifier.length > 0) {
321         key = Bytes.add(key, Bytes.add(new byte[]{ACL_KEY_DELIMITER}, qualifier));
322       }
323     }
324 
325     return key;
326   }
327 
328   /**
329    * Returns {@code true} if the given region is part of the {@code _acl_}
330    * metadata table.
331    */
332   static boolean isAclRegion(HRegion region) {
333     return ACL_TABLE_NAME.equals(region.getTableDesc().getTableName());
334   }
335 
336   /**
337    * Returns {@code true} if the given table is {@code _acl_} metadata table.
338    */
339   static boolean isAclTable(HTableDescriptor desc) {
340     return ACL_TABLE_NAME.equals(desc.getTableName());
341   }
342 
343   /**
344    * Loads all of the permission grants stored in a region of the {@code _acl_}
345    * table.
346    *
347    * @param aclRegion
348    * @return a map of the permissions for this table.
349    * @throws IOException
350    */
351   static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
352       HRegion aclRegion)
353     throws IOException {
354 
355     if (!isAclRegion(aclRegion)) {
356       throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
357     }
358 
359     Map<byte[], ListMultimap<String, TablePermission>> allPerms =
360         new TreeMap<byte[], ListMultimap<String, TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
361 
362     // do a full scan of _acl_ table
363 
364     Scan scan = new Scan();
365     scan.addFamily(ACL_LIST_FAMILY);
366 
367     InternalScanner iScanner = null;
368     try {
369       iScanner = aclRegion.getScanner(scan);
370 
371       while (true) {
372         List<Cell> row = new ArrayList<Cell>();
373 
374         boolean hasNext = iScanner.next(row);
375         ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
376         byte[] entry = null;
377         for (Cell kv : row) {
378           if (entry == null) {
379             entry = CellUtil.cloneRow(kv);
380           }
381           Pair<String,TablePermission> permissionsOfUserOnTable =
382               parsePermissionRecord(entry, kv);
383           if (permissionsOfUserOnTable != null) {
384             String username = permissionsOfUserOnTable.getFirst();
385             TablePermission permissions = permissionsOfUserOnTable.getSecond();
386             perms.put(username, permissions);
387           }
388         }
389         if (entry != null) {
390           allPerms.put(entry, perms);
391         }
392         if (!hasNext) {
393           break;
394         }
395       }
396     } finally {
397       if (iScanner != null) {
398         iScanner.close();
399       }
400     }
401 
402     return allPerms;
403   }
404 
405   /**
406    * Load all permissions from the region server holding {@code _acl_},
407    * primarily intended for testing purposes.
408    */
409   static Map<byte[], ListMultimap<String,TablePermission>> loadAll(
410       Configuration conf) throws IOException {
411     Map<byte[], ListMultimap<String,TablePermission>> allPerms =
412         new TreeMap<byte[], ListMultimap<String,TablePermission>>(Bytes.BYTES_RAWCOMPARATOR);
413 
414     // do a full scan of _acl_, filtering on only first table region rows
415 
416     Scan scan = new Scan();
417     scan.addFamily(ACL_LIST_FAMILY);
418 
419     HTable acls = null;
420     ResultScanner scanner = null;
421     try {
422       acls = new HTable(conf, ACL_TABLE_NAME);
423       scanner = acls.getScanner(scan);
424       for (Result row : scanner) {
425         ListMultimap<String,TablePermission> resultPerms =
426             parsePermissions(row.getRow(), row);
427         allPerms.put(row.getRow(), resultPerms);
428       }
429     } finally {
430       if (scanner != null) scanner.close();
431       if (acls != null) acls.close();
432     }
433 
434     return allPerms;
435   }
436 
437   static ListMultimap<String, TablePermission> getTablePermissions(Configuration conf,
438         TableName tableName) throws IOException {
439     return getPermissions(conf, tableName != null ? tableName.getName() : null);
440   }
441 
442   static ListMultimap<String, TablePermission> getNamespacePermissions(Configuration conf,
443         String namespace) throws IOException {
444     return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
445   }
446 
447   /**
448    * Reads user permission assignments stored in the <code>l:</code> column
449    * family of the first table row in <code>_acl_</code>.
450    *
451    * <p>
452    * See {@link AccessControlLists class documentation} for the key structure
453    * used for storage.
454    * </p>
455    */
456   static ListMultimap<String, TablePermission> getPermissions(Configuration conf,
457       byte[] entryName) throws IOException {
458     if (entryName == null) entryName = ACL_TABLE_NAME.getName();
459 
460     // for normal user tables, we just read the table row from _acl_
461     ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
462     HTable acls = null;
463     try {
464       acls = new HTable(conf, ACL_TABLE_NAME);
465       Get get = new Get(entryName);
466       get.addFamily(ACL_LIST_FAMILY);
467       Result row = acls.get(get);
468       if (!row.isEmpty()) {
469         perms = parsePermissions(entryName, row);
470       } else {
471         LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
472             + Bytes.toString(entryName));
473       }
474     } finally {
475       if (acls != null) acls.close();
476     }
477 
478     return perms;
479   }
480 
481   /**
482    * Returns the currently granted permissions for a given table as a list of
483    * user plus associated permissions.
484    */
485   static List<UserPermission> getUserTablePermissions(
486       Configuration conf, TableName tableName) throws IOException {
487     return getUserPermissions(conf, tableName == null ? null : tableName.getName());
488   }
489 
490   static List<UserPermission> getUserNamespacePermissions(
491       Configuration conf, String namespace) throws IOException {
492     return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)));
493   }
494 
495   static List<UserPermission> getUserPermissions(
496       Configuration conf, byte[] entryName)
497   throws IOException {
498     ListMultimap<String,TablePermission> allPerms = getPermissions(
499       conf, entryName);
500 
501     List<UserPermission> perms = new ArrayList<UserPermission>();
502 
503     for (Map.Entry<String, TablePermission> entry : allPerms.entries()) {
504       UserPermission up = new UserPermission(Bytes.toBytes(entry.getKey()),
505           entry.getValue().getTableName(), entry.getValue().getFamily(),
506           entry.getValue().getQualifier(), entry.getValue().getActions());
507       perms.add(up);
508     }
509     return perms;
510   }
511 
512   private static ListMultimap<String, TablePermission> parsePermissions(
513       byte[] entryName, Result result) {
514     ListMultimap<String, TablePermission> perms = ArrayListMultimap.create();
515     if (result != null && result.size() > 0) {
516       for (Cell kv : result.rawCells()) {
517 
518         Pair<String,TablePermission> permissionsOfUserOnTable =
519             parsePermissionRecord(entryName, kv);
520 
521         if (permissionsOfUserOnTable != null) {
522           String username = permissionsOfUserOnTable.getFirst();
523           TablePermission permissions = permissionsOfUserOnTable.getSecond();
524           perms.put(username, permissions);
525         }
526       }
527     }
528     return perms;
529   }
530 
531   private static Pair<String, TablePermission> parsePermissionRecord(
532       byte[] entryName, Cell kv) {
533     // return X given a set of permissions encoded in the permissionRecord kv.
534     byte[] family = CellUtil.cloneFamily(kv);
535 
536     if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
537       return null;
538     }
539 
540     byte[] key = CellUtil.cloneQualifier(kv);
541     byte[] value = CellUtil.cloneValue(kv);
542     if (LOG.isDebugEnabled()) {
543       LOG.debug("Read acl: kv ["+
544                 Bytes.toStringBinary(key)+": "+
545                 Bytes.toStringBinary(value)+"]");
546     }
547 
548     // check for a column family appended to the key
549     // TODO: avoid the string conversion to make this more efficient
550     String username = Bytes.toString(key);
551 
552     //Handle namespace entry
553     if(isNamespaceEntry(entryName)) {
554       return new Pair<String, TablePermission>(username,
555           new TablePermission(Bytes.toString(fromNamespaceEntry(entryName)), value));
556     }
557 
558     //Handle table and global entry
559     //TODO global entry should be handled differently
560     int idx = username.indexOf(ACL_KEY_DELIMITER);
561     byte[] permFamily = null;
562     byte[] permQualifier = null;
563     if (idx > 0 && idx < username.length()-1) {
564       String remainder = username.substring(idx+1);
565       username = username.substring(0, idx);
566       idx = remainder.indexOf(ACL_KEY_DELIMITER);
567       if (idx > 0 && idx < remainder.length()-1) {
568         permFamily = Bytes.toBytes(remainder.substring(0, idx));
569         permQualifier = Bytes.toBytes(remainder.substring(idx+1));
570       } else {
571         permFamily = Bytes.toBytes(remainder);
572       }
573     }
574 
575     return new Pair<String,TablePermission>(username,
576         new TablePermission(TableName.valueOf(entryName), permFamily, permQualifier, value));
577   }
578 
579   /**
580    * Writes a set of permissions as {@link org.apache.hadoop.io.Writable} instances
581    * and returns the resulting byte array.
582    *
583    * Writes a set of permission [user: table permission]
584    */
585   public static byte[] writePermissionsAsBytes(ListMultimap<String, TablePermission> perms,
586       Configuration conf) {
587     return ProtobufUtil.prependPBMagic(ProtobufUtil.toUserTablePermissions(perms).toByteArray());
588   }
589 
590   /**
591    * Reads a set of permissions as {@link org.apache.hadoop.io.Writable} instances
592    * from the input stream.
593    */
594   public static ListMultimap<String, TablePermission> readPermissions(byte[] data,
595       Configuration conf)
596   throws DeserializationException {
597     if (ProtobufUtil.isPBMagicPrefix(data)) {
598       int pblen = ProtobufUtil.lengthOfPBMagic();
599       try {
600         AccessControlProtos.UsersAndPermissions perms =
601           AccessControlProtos.UsersAndPermissions.newBuilder().mergeFrom(
602             data, pblen, data.length - pblen).build();
603         return ProtobufUtil.toUserTablePermissions(perms);
604       } catch (InvalidProtocolBufferException e) {
605         throw new DeserializationException(e);
606       }
607     } else {
608       ListMultimap<String,TablePermission> perms = ArrayListMultimap.create();
609       try {
610         DataInput in = new DataInputStream(new ByteArrayInputStream(data));
611         int length = in.readInt();
612         for (int i=0; i<length; i++) {
613           String user = Text.readString(in);
614           List<TablePermission> userPerms =
615             (List)HbaseObjectWritableFor96Migration.readObject(in, conf);
616           perms.putAll(user, userPerms);
617         }
618       } catch (IOException e) {
619         throw new DeserializationException(e);
620       }
621       return perms;
622     }
623   }
624 
625   /**
626    * Returns whether or not the given name should be interpreted as a group
627    * principal.  Currently this simply checks if the name starts with the
628    * special group prefix character ("@").
629    */
630   public static boolean isGroupPrincipal(String name) {
631     return name != null && name.startsWith(GROUP_PREFIX);
632   }
633 
634   /**
635    * Returns the actual name for a group principal (stripped of the
636    * group prefix).
637    */
638   public static String getGroupName(String aclKey) {
639     if (!isGroupPrincipal(aclKey)) {
640       return aclKey;
641     }
642 
643     return aclKey.substring(GROUP_PREFIX.length());
644   }
645 
646   public static boolean isNamespaceEntry(String entryName) {
647     return entryName.charAt(0) == NAMESPACE_PREFIX;
648   }
649 
650   public static boolean isNamespaceEntry(byte[] entryName) {
651     return entryName[0] == NAMESPACE_PREFIX;
652   }
653   
654   public static String toNamespaceEntry(String namespace) {
655      return NAMESPACE_PREFIX + namespace;
656    }
657 
658    public static String fromNamespaceEntry(String namespace) {
659      if(namespace.charAt(0) != NAMESPACE_PREFIX)
660        throw new IllegalArgumentException("Argument is not a valid namespace entry");
661      return namespace.substring(1);
662    }
663 
664    public static byte[] toNamespaceEntry(byte[] namespace) {
665      byte[] ret = new byte[namespace.length+1];
666      ret[0] = NAMESPACE_PREFIX;
667      System.arraycopy(namespace, 0, ret, 1, namespace.length);
668      return ret;
669    }
670 
671    public static byte[] fromNamespaceEntry(byte[] namespace) {
672      if(namespace[0] != NAMESPACE_PREFIX) {
673        throw new IllegalArgumentException("Argument is not a valid namespace entry: " +
674            Bytes.toString(namespace));
675      }
676      return Arrays.copyOfRange(namespace, 1, namespace.length);
677    }
678 }