Posted to commits@ranger.apache.org by rm...@apache.org on 2019/12/04 06:10:00 UTC
[ranger] branch master updated: RANGER-2656:RangerHiveAuthorizer
filterListCmdObjects failed to filter database / tables when HMS calls the
authorizer for filtering
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 8ac5fdd RANGER-2656:RangerHiveAuthorizer filterListCmdObjects failed to filter database / tables when HMS calls the authorizer for filtering
8ac5fdd is described below
commit 8ac5fdd407ecfe69dadad466a78eb283c847c7a1
Author: rmani <rm...@hortonworks.com>
AuthorDate: Tue Dec 3 17:37:20 2019 -0800
RANGER-2656:RangerHiveAuthorizer filterListCmdObjects failed to filter database / tables when HMS calls the authorizer for filtering
Signed-off-by: rmani <rm...@hortonworks.com>
---
.../RangerDefaultPolicyEvaluator.java | 12 ++++++-----
.../policyengine/test_policyengine_hive.json | 22 +++++++++++++++++++++
.../hive/authorizer/RangerHiveAuditHandler.java | 23 ++++++++++++++++++++++
.../hive/authorizer/RangerHiveAuthorizer.java | 8 ++++++--
4 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 843fabc..6664d1b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -476,11 +476,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
} else {
if (!result.getIsAllowed()) { // if access is not yet allowed by another policy
- result.setIsAllowed(true);
- result.setPolicyPriority(getPolicyPriority());
- result.setPolicyId(getId());
- result.setReason(reason);
- result.setPolicyVersion(getPolicy().getVersion());
+ if (matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
+ result.setIsAllowed(true);
+ result.setPolicyPriority(getPolicyPriority());
+ result.setPolicyId(getId());
+ result.setReason(reason);
+ result.setPolicyVersion(getPolicy().getVersion());
+ }
}
}
if (LOG.isDebugEnabled()) {
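Review bot: The new `matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR` guard narrows an allow decision without saying why, and the `matchType` it reads is computed above the hunk, so a later reader has no local hint that dropping the check re-opens the bug. A why-comment on the guard would carry the intent, e.g. `// an ANCESTOR match means the request is for a resource below this policy's resource (policy on a database, request on one of its tables); such a match must not grant access on its own` — the demo1/demo1_tbl1 case added to test_policyengine_hive.json appears to confirm that reading. The enclosing method starts and ends outside this hunk, so whether the deny path a few lines up needs the same exclusion cannot be judged here.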
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index efc1dcc..ba5a53c 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -86,6 +86,20 @@
{"accesses":[{"type":"serviceadmin","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
]
}
+ ,
+ {"id":6,"name":"db=demo1,demo2","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["demo1", "demo2"]}},
+ "policyItems":[
+ {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":7,"name":"db=demo1; table=demo1_tbl1,demo1_tbl2; column=*","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["demo1"]},"table":{"values":["demo1_tbl1", "demo1_tbl2"]},"column":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"create","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+ ]
+ }
],
"tests":[
@@ -393,6 +407,14 @@
},
"result":{"isAudited":true,"isAllowed":true,"policyId":5}
}
+ ,
+ {"name":"ALLOW '_any access to demo1/demo_tbl1' for user1: show table test",
+ "request":{
+ "resource":{"elements":{"database":"demo1", "table":"demo1_tbl1"}},
+ "accessType":"","user":"user1","userGroups":["users"],"requestData":"show tables"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":7}
+ }
]
}
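Review bot: The added test only pins the positive side of the fix — user1 on demo1/demo1_tbl1 is allowed by policy 7 — and not the regression it guards against: a table-level request with `"accessType":""` that matches policy 6 only through its database ancestor should now be denied (a constructed example: user2 on database demo2, table some_tbl, expecting `"isAllowed":false`). Without that negative case a later change that drops the ANCESTOR guard in RangerDefaultPolicyEvaluator would still pass this suite. The test name also reads `demo1/demo_tbl1` while the resource element is `demo1_tbl1`.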
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index c6a9c66..5959e5f 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -40,6 +40,7 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
private static final Log LOG = LogFactory.getLog(RangerDefaultAuditHandler.class);
public static final String ACCESS_TYPE_ROWFILTER = "ROW_FILTER";
+ public static final String ACTION_TYPE_METADATA_OPERATION = "METADATA OPERATION";
Collection<AuthzAuditEvent> auditEvents = null;
boolean deniedExists = false;
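Review bot: `ACTION_TYPE_METADATA_OPERATION` is compared against `request.getAction()` here and again in the new `skipFilterOperationAuditing`, but nothing in this commit sets that action on a request; the `RangerHiveAccessRequest(resource, user, groups, context, sessionContext)` constructor used in filterListCmdObjects takes no action argument, so presumably it supplies the value itself. If it does so with a string literal, the two copies can drift and both the access-type override and the audit suppression would silently stop applying; having one class reference the other's constant removes that risk. Until then a comment on the constant should record the dependency, e.g. `// must match the action value RangerHiveAccessRequest assigns to HMS list-filtering requests — TODO confirm`.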
@@ -115,6 +116,11 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request;
accessType = hiveRequest.getHiveAccessType().toString();
+
+ String action = request.getAction();
+ if (ACTION_TYPE_METADATA_OPERATION.equals(action)) {
+ accessType = ACTION_TYPE_METADATA_OPERATION;
+ }
}
if (StringUtils.isEmpty(accessType)) {
@@ -174,6 +180,11 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
if(! result.getIsAudited()) {
return;
}
+
+ if (skipFilterOperationAuditing(result)) {
+ return;
+ }
+
AuthzAuditEvent auditEvent = createAuditEvent(result);
if(auditEvent != null) {
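Review bot: The early return added before `createAuditEvent(result)` drops every denied result whose action is `METADATA OPERATION`, so such denials leave no audit trail; that is defensible for list filtering (one deny per hidden object would flood the audit log), but the code should say so, and it should be confirmed that only the filter path in filterListCmdObjects produces requests with this action, otherwise genuine metadata-operation denials disappear from the audit log as well. Suggested comment above the check: `// HMS list-filtering requests are evaluated once per object; denied ones are deliberately not audited, to avoid one audit event per hidden object`. The enclosing method starts outside this hunk.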
@@ -276,4 +287,16 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
}
return ret;
}
+
+ private boolean skipFilterOperationAuditing(RangerAccessResult result) {
+ boolean ret = false;
+ RangerAccessRequest accessRequest = result.getAccessRequest();
+ if (accessRequest != null) {
+ String action = accessRequest.getAction();
+ if (ACTION_TYPE_METADATA_OPERATION.equals(action) && !result.getIsAllowed()) {
+ ret = true;
+ }
+ }
+ return ret;
+ }
}
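Review bot: `skipFilterOperationAuditing` has no Javadoc and threads a mutable `ret` flag through what is a single boolean condition; `return accessRequest != null && ACTION_TYPE_METADATA_OPERATION.equals(accessRequest.getAction()) && !result.getIsAllowed();` is equivalent and easier to read. A one-line Javadoc should state what the `true` result means for the caller, namely that a denied HMS list-filtering result is intentionally left out of the audit log.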
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index b80f1bd..5a7de43 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -837,6 +837,8 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
RangerPerfTracer perf = null;
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+
if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.filterListCmdObjects()");
}
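Review bot: `auditHandler` is created up front, but its collected events are only emitted by the `auditHandler.flushAudit()` call added in the later hunk after the loop; if `hivePlugin.isAccessAllowed` or anything else in the loop throws, or the method returns early, the events gathered so far are lost and the filtering decision goes unrecorded. Running `flushAudit()` in a `finally` block around the loop would make the audit trail independent of the failure path. The method starts and ends outside these hunks, so its existing exception handling cannot be checked here.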
@@ -891,7 +893,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null");
} else {
RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext);
- RangerAccessResult result = hivePlugin.isAccessAllowed(request);
+ RangerAccessResult result = hivePlugin.isAccessAllowed(request, auditHandler);
if (result == null) {
LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!");
} else if (!result.getIsAllowed()) {
@@ -910,6 +912,8 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
}
+ auditHandler.flushAudit();
+
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
@@ -1155,7 +1159,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
switch(objectType) {
case DATABASE:
- resource = new RangerHiveResource(HiveObjectType.DATABASE, objectName);
+ resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName);
//when fix is in place for HIVE-22128 we can un comment this.
//resource.setOwnerUser(privilegeObject.getOwnerName());
break;