Posted to commits@ranger.apache.org by ab...@apache.org on 2018/03/18 19:44:21 UTC
ranger git commit: RANGER-2027: Evaluate grantor's group membership
in the plugin for grant/revoke request
Repository: ranger
Updated Branches:
refs/heads/master 57222febb -> a1929a824
RANGER-2027: Evaluate grantor's group membership in the plugin for grant/revoke request
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a1929a82
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a1929a82
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a1929a82
Branch: refs/heads/master
Commit: a1929a82446f5aa8ba662649e9ff3af9e61bec4b
Parents: 57222fe
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Sun Mar 18 09:13:25 2018 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Sun Mar 18 09:13:25 2018 -0700
----------------------------------------------------------------------
.../ranger/plugin/util/GrantRevokeRequest.java | 27 ++++++++++++++++++--
.../hbase/RangerAuthorizationCoprocessor.java | 16 ++++++++++++
.../hive/authorizer/RangerHiveAuthorizer.java | 19 ++++++++++++++
.../org/apache/ranger/rest/ServiceREST.java | 8 +++---
4 files changed, 64 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index 0c5b2d8..f4fe589 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -44,6 +44,7 @@ public class GrantRevokeRequest implements Serializable {
private static final long serialVersionUID = 1L;
private String grantor;
+ private Set<String> grantorGroups;
private Map<String, String> resource;
private Set<String> users;
private Set<String> groups;
@@ -59,11 +60,12 @@ public class GrantRevokeRequest implements Serializable {
private String clusterName;
public GrantRevokeRequest() {
- this(null, null, null, null, null, null, null, null, null, null, null, null, null, null);
+ this(null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
}
- public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String sessionId, String clusterName) {
+ public GrantRevokeRequest(String grantor, Set<String> grantorGroups, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String sessionId, String clusterName) {
setGrantor(grantor);
+ setGrantorGroups(grantorGroups);
setResource(resource);
setUsers(users);
setGroups(groups);
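Review bot: Inserting `Set<String> grantorGroups` as the second positional parameter of the 15-argument constructor is a source-incompatible change for any caller outside this commit that used the old 14-argument form; the diff updates only the no-arg constructor here, and whether other in-tree callers exist is not visible in this hunk. If external callers are a concern, keeping the old signature as a delegating overload avoids the break: `public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, ...) { this(grantor, null, resource, users, ...); }`. With this many same-typed `Set<String>` parameters a builder or static factory would also make call sites readable, but that is a larger change than this commit needs. The constructor body continues past the end of the hunk.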
@@ -94,6 +96,19 @@ public class GrantRevokeRequest implements Serializable {
}
/**
+ * @return the grantorGroups
+ */
+ public Set<String> getGrantorGroups() {
+ return grantorGroups;
+ }
+
+ /**
+ * @param grantorGroups the grantorGroups to set
+ */
+ public void setGrantorGroups(Set<String> grantorGroups) {
+ this.grantorGroups = grantorGroups == null ? new HashSet<String>() : grantorGroups;
+ }
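Review bot: `setGrantorGroups` stores the caller's set by reference and `getGrantorGroups` hands the same instance back, so a caller can mutate the grantor's group set after the request has been built; since ServiceREST (later in this commit) feeds this set straight into `hasAdminAccess`, a defensive copy is cheap insurance: `this.grantorGroups = grantorGroups == null ? new HashSet<String>() : new HashSet<>(grantorGroups);`. This may simply follow the style of the sibling setters such as `setGroups`, which are outside the hunk, so apply it consistently if so. The Javadoc on both accessors only echoes the field name; a one-line description would help the next reader, e.g. `/** Groups of the grantor as resolved by the calling plugin; empty when not supplied, in which case the admin server resolves them itself. */`. Note that `serialVersionUID` stays at 1L while a field is added, which is compatible for Java serialization but means objects read from older streams will carry a null `grantorGroups` despite the setter's normalization — the null check in `toString` is therefore still warranted.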
+ /**
* @return the resource
*/
public Map<String, String> getResource() {
@@ -289,6 +304,14 @@ public class GrantRevokeRequest implements Serializable {
sb.append("grantor={").append(grantor).append("} ");
+ sb.append("grantorGroups={");
+ if(grantorGroups != null) {
+ for(String grantorGroup : grantorGroups) {
+ sb.append(grantorGroup).append(" ");
+ }
+ }
+ sb.append("} ");
+
sb.append("resource={");
if(resource != null) {
for(Map.Entry<String, String> e : resource.entrySet()) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 12b675b..d7b4673 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1315,6 +1315,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
User activeUser = getActiveUser();
String grantor = activeUser != null ? activeUser.getShortName() : null;
+ String[] groups = activeUser != null ? activeUser.getGroupNames() : null;
+
+ Set<String> grantorGroups = null;
+
+ if (groups != null && groups.length > 0) {
+ grantorGroups = new HashSet<>(Arrays.asList(groups));
+ }
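Review bot: The five-line block that turns `activeUser.getGroupNames()` into a `Set<String>` is pasted verbatim into two methods (this hunk and the one at line 1420 of the same file); a small private helper removes the duplication and gives the conversion a single place to be documented. Both enclosing methods start and end outside their hunks, and the `Arrays`/`HashSet` imports this code relies on are not shown in this diff (the Hive file in the same commit had to add them), so please confirm they are already imported here.

```java
/** Groups of the active HBase user as reported by HBase, or null when none are known. */
private Set<String> getGrantorGroups(User activeUser) {
    String[] groups = activeUser != null ? activeUser.getGroupNames() : null;
    if (groups == null || groups.length == 0) {
        return null;
    }
    return new HashSet<>(Arrays.asList(groups));
}
// … unchanged: callers replace the inline block with Set<String> grantorGroups = getGrantorGroups(activeUser); …
```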
Map<String, String> mapResource = new HashMap<String, String>();
mapResource.put("table", tableName);
@@ -1324,6 +1331,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
GrantRevokeRequest ret = new GrantRevokeRequest();
ret.setGrantor(grantor);
+ ret.setGrantorGroups(grantorGroups);
ret.setDelegateAdmin(Boolean.FALSE);
ret.setEnableAudit(Boolean.TRUE);
ret.setReplaceExistingPermissions(Boolean.TRUE);
@@ -1412,6 +1420,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
User activeUser = getActiveUser();
String grantor = activeUser != null ? activeUser.getShortName() : null;
+ String[] groups = activeUser != null ? activeUser.getGroupNames() : null;
+
+ Set<String> grantorGroups = null;
+
+ if (groups != null && groups.length > 0) {
+ grantorGroups = new HashSet<>(Arrays.asList(groups));
+ }
Map<String, String> mapResource = new HashMap<String, String>();
mapResource.put("table", tableName);
@@ -1421,6 +1436,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
GrantRevokeRequest ret = new GrantRevokeRequest();
ret.setGrantor(grantor);
+ ret.setGrantorGroups(grantorGroups);
ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
ret.setEnableAudit(Boolean.TRUE);
ret.setReplaceExistingPermissions(Boolean.TRUE);
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2c2a518..780afac 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -20,8 +20,10 @@
package org.apache.ranger.authorization.hive.authorizer;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -1363,6 +1365,22 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return grantor;
}
+ private Set<String> getGrantorGroupNames(HivePrincipal grantorPrincipal) {
+ Set<String> ret = null;
+
+ String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;
+
+ UserGroupInformation ugi = StringUtil.isEmpty(grantor) ? this.getCurrentUserGroupInfo() : UserGroupInformation.createRemoteUser(grantor);
+
+ String[] groups = ugi != null ? ugi.getGroupNames() : null;
+
+ if (groups != null && groups.length > 0) {
+ ret = new HashSet<>(Arrays.asList(groups));
+ }
+
+ return ret;
+ }
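Review bot: `getGrantorGroupNames` has no Javadoc, and its behaviour is worth stating because it is security-relevant: when a grantor principal name is present it calls `UserGroupInformation.createRemoteUser(grantor)`, which resolves groups through the Hadoop group mapping configured on the HiveServer2 host rather than through Ranger's own user store, and that result is what the admin server will trust (see the ServiceREST changes in this commit). Whether `grantorPrincipal` has been checked to be a user principal (as opposed to a group or role) before reaching this method is not visible in the hunk. A header comment along the lines of `/** Resolves the grantor's groups on the plugin host via Hadoop group mapping (or the current UGI when no grantor name is given); returns null when no groups are known. */` would capture that. The structure mirrors `getGrantorUsername`, whose tail is visible just above; if that method already computes the same UGI, sharing the lookup would avoid resolving the grantor twice.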
+
private GrantRevokeRequest createGrantRevokeData(RangerHiveResource resource,
List<HivePrincipal> hivePrincipals,
List<HivePrivilege> hivePrivileges,
@@ -1382,6 +1400,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
GrantRevokeRequest ret = new GrantRevokeRequest();
ret.setGrantor(getGrantorUsername(grantorPrincipal));
+ ret.setGrantorGroups(getGrantorGroupNames(grantorPrincipal));
ret.setDelegateAdmin(grantOption ? Boolean.TRUE : Boolean.FALSE);
ret.setEnableAudit(Boolean.TRUE);
ret.setReplaceExistingPermissions(Boolean.FALSE);
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index dad8a97..3642252 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1066,7 +1066,7 @@ public class ServiceREST {
validateGrantRevokeRequest(grantRequest);
String userName = grantRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
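Review bot: The new ternary makes `hasAdminAccess` decide on a group set supplied in the request body whenever it is non-empty, bypassing the server-side `userMgr.getGroupsForUser` lookup; this is the intent of the commit, but the trust boundary it creates is not documented anywhere, and `validateGrantRevokeRequest` on the line above is outside the hunk so it is not visible whether `grantorGroups` is validated at all. The same expression is repeated in all four grant/revoke endpoints (lines 1066, 1163, 1278 and 1339 of this file), so a single helper with a comment stating the assumption — that request-supplied groups are only honoured because these endpoints are reachable solely by callers already authenticated as the service's plugin identity — keeps the four call sites consistent and gives reviewers one place to check that precondition. The `CollectionUtils` import is not shown in this diff; please confirm it is already present. The enclosing methods start and end outside their hunks.

```java
/**
 * Groups used for the grantor's admin check. A plugin may supply the grantor's
 * groups as resolved on the service host; they are trusted as-is, so this path
 * must only be reachable by callers authenticated as that service's plugin
 * identity. When absent, fall back to Ranger's own user store.
 */
private Set<String> getGrantorGroups(GrantRevokeRequest request) {
    Set<String> grantorGroups = request.getGrantorGroups();
    if (CollectionUtils.isNotEmpty(grantorGroups)) {
        return grantorGroups;
    }
    return userMgr.getGroupsForUser(request.getGrantor());
}
// … unchanged: each endpoint becomes Set<String> userGroups = getGrantorGroups(grantRequest); …
```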
@@ -1163,7 +1163,7 @@ public class ServiceREST {
validateGrantRevokeRequest(grantRequest);
String userName = grantRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1278,7 +1278,7 @@ public class ServiceREST {
validateGrantRevokeRequest(revokeRequest);
String userName = revokeRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1339,7 +1339,7 @@ public class ServiceREST {
validateGrantRevokeRequest(revokeRequest);
String userName = revokeRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
boolean isAllowed = false;