Posted to commits@ranger.apache.org by pr...@apache.org on 2020/11/16 05:06:56 UTC

[ranger] branch master updated (6e8873b -> 44f633b)

This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git.


    from 6e8873b  RANGER-3058: [ranger-hive] create table fails when ViewDFS(client side HDFS mounting fs) mount points are targeting to Ozone/S3 FS.
     new ce4de4e  RANGER-3035: plugin-presto: M-M user can not access presto with right permission
     new 7849c65  RANGER-3040: add read permission for lookupuser on default policies of presto/storm/es
     new 44f633b  RANGER-3042: plugin-presto: some log mistake fix

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../elasticsearch/RangerServiceElasticsearch.java  | 31 ++++++++++++++++++
 .../authorizer/RangerSystemAccessControl.java      | 11 ++++---
 .../services/presto/RangerServicePresto.java       | 32 +++++++++++++++++++
 .../ranger/services/storm/RangerServiceStorm.java  | 37 ++++++++++++++++++++++
 4 files changed, 107 insertions(+), 4 deletions(-)


[ranger] 01/03: RANGER-3035: plugin-presto: M-M user can not access presto with right permission

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit ce4de4e7e34f95f6a6df02bc1e9873fd1d423101
Author: rujia1019 <82...@163.com>
AuthorDate: Mon Oct 12 20:06:35 2020 +0800

    RANGER-3035: plugin-presto: M-M user can not access presto with right permission
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../authorization/presto/authorizer/RangerSystemAccessControl.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
index f4fc89d..5794a82 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
+++ b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
@@ -642,23 +642,26 @@ public class RangerSystemAccessControl
   /** HELPER FUNCTIONS **/
 
   private RangerPrestoAccessRequest createAccessRequest(RangerPrestoResource resource, SystemSecurityContext context, PrestoAccessType accessType) {
-    Set<String> userGroups = null;
+	String userName = null;
+	Set<String> userGroups = null;
 
     if (useUgi) {
       UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser());
 
+      userName = ugi.getShortUserName();
       String[] groups = ugi != null ? ugi.getGroupNames() : null;
 
       if (groups != null && groups.length > 0) {
         userGroups = new HashSet<>(Arrays.asList(groups));
       }
     } else {
+      userName = context.getIdentity().getUser();
       userGroups = context.getIdentity().getGroups();
     }
 
     RangerPrestoAccessRequest request = new RangerPrestoAccessRequest(
       resource,
-      context.getIdentity().getUser(),
+      userName,
       userGroups,
       accessType
     );
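Review bot: The added `userName = ugi.getShortUserName();` dereferences `ugi` one line before the existing `ugi != null ? ugi.getGroupNames() : null` guard, so the two lines disagree about whether `ugi` can be null. Either drop the ternary (`String[] groups = ugi.getGroupNames();`) or move the assignment under the same guard. In the `useUgi` branch the policy subject is now the Hadoop short name rather than the raw Presto identity; that name presumably depends on the cluster's principal-to-short-name mapping, so distinct principals could be evaluated and audited as the same user. A comment such as `// useUgi: policy evaluation and audit use the Hadoop short name, not context.getIdentity().getUser()` would make that explicit. The two added declarations are tab-indented in a file whose context lines use spaces, and createAccessRequest continues past the end of the hunk.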


[ranger] 03/03: RANGER-3042: plugin-presto: some log mistake fix

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 44f633b3de5c68c60a0710327787cc806e48bc8f
Author: rujia1019 <82...@163.com>
AuthorDate: Fri Oct 16 16:12:21 2020 +0800

    RANGER-3042: plugin-presto: some log mistake fix
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../authorization/presto/authorizer/RangerSystemAccessControl.java    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
index 5794a82..f9f3e4f 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
+++ b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
@@ -290,7 +290,7 @@ public class RangerSystemAccessControl
   @Override
   public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
     if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, PrestoAccessType.ALTER)) {
-      LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
+      LOG.debug("RangerSystemAccessControl.checkCanSetCatalogSessionProperty(" + catalogName + ") denied");
       AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
     }
   }
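Review bot: The corrected debug line in checkCanSetCatalogSessionProperty still names only `catalogName`, although the denial on the next line also carries `propertyName`, so a denied request cannot be fully identified from the log. Consider `LOG.debug("RangerSystemAccessControl.checkCanSetCatalogSessionProperty(" + catalogName + ", " + propertyName + ") denied");`. The checkCanDropView hunk has the same gap: it logs the bare table name without catalog or schema, so denials on same-named views in different schemas look identical. Both messages are built by string concatenation even when debug logging is off; an `if (LOG.isDebugEnabled())` guard would avoid that.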
@@ -485,7 +485,7 @@ public class RangerSystemAccessControl
   public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) {
     if (!hasPermission(createResource(view), context, PrestoAccessType.DROP)) {
       LOG.debug("RangerSystemAccessControl.checkCanDropView(" + view.getSchemaTableName().getTableName() + ") denied");
-      AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName());
+      AccessDeniedException.denyDropView(view.getSchemaTableName().getTableName());
     }
   }
 


[ranger] 02/03: RANGER-3040: add read permission for lookupuser on default policies of presto/storm/es

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 7849c658f7b5ca71d43ed3299fb36992c48b4b2c
Author: rujia1019 <82...@163.com>
AuthorDate: Thu Oct 15 11:16:01 2020 +0800

    RANGER-3040: add read permission for lookupuser on default policies of presto/storm/es
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../elasticsearch/RangerServiceElasticsearch.java  | 31 ++++++++++++++++++
 .../services/presto/RangerServicePresto.java       | 32 +++++++++++++++++++
 .../ranger/services/storm/RangerServiceStorm.java  | 37 ++++++++++++++++++++++
 3 files changed, 100 insertions(+)

diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
index 100851d..a8953e1 100644
--- a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
+++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
@@ -18,10 +18,15 @@
 package org.apache.ranger.services.elasticsearch;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.slf4j.Logger;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -33,6 +38,7 @@ import org.slf4j.LoggerFactory;
 public class RangerServiceElasticsearch extends RangerBaseService {
 
 	private static final Logger LOG = LoggerFactory.getLogger(RangerServiceElasticsearch.class);
+	public static final String ACCESS_TYPE_READ  = "read";
 
 	public RangerServiceElasticsearch() {
 		super();
@@ -44,6 +50,31 @@ public class RangerServiceElasticsearch extends RangerBaseService {
 	}
 
 	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceElasticsearch.getDefaultRangerPolicies()");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+		for (RangerPolicy defaultPolicy : ret) {
+			if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+				List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>();
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+				RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+				policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+				policyItemForLookupUser.setAccesses(accessListForLookupUser);
+				policyItemForLookupUser.setDelegateAdmin(false);
+				defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceElasticsearch.getDefaultRangerPolicies()");
+		}
+		return ret;
+	}
+
+	@Override
 	public Map<String, Object> validateConfig() throws Exception {
 		Map<String, Object> ret = new HashMap<String, Object>();
 		String serviceName = getServiceName();
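Review bot: Selecting policies with `defaultPolicy.getName().contains("all")` is a loose substring test for a decision that grants access: any default policy whose name happens to contain "all" receives the lookup-user item, and a policy with a null name would throw a NullPointerException here. A null-safe, tighter match such as `StringUtils.startsWith(defaultPolicy.getName(), "all")` would be safer, assuming the base class names its catch-all policies that way; the `StringUtils.isNotBlank(lookUpUser)` test can also be hoisted out of the loop. The same loop is repeated in the RangerServicePresto and RangerServiceStorm hunks of this commit, differing only in the access types, so a shared helper in RangerBaseService that takes the access-type list would keep the three grants consistent. A short Javadoc on the override, stating that the lookup user gets a non-delegating item with the listed access types on the catch-all default policies, would help anyone auditing default permissions.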
diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java b/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java
index 810fc3f..d95876a 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java
+++ b/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java
@@ -18,15 +18,20 @@
  */
 package org.apache.ranger.services.presto;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.client.HadoopConfigHolder;
 import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.presto.client.PrestoResourceManager;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -34,6 +39,33 @@ import java.util.Map;
 public class RangerServicePresto extends RangerBaseService {
   private static final Log LOG = LogFactory.getLog(RangerServicePresto.class);
 
+  public static final String ACCESS_TYPE_SELECT  = "select";
+
+  @Override
+  public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("==> RangerServicePresto.getDefaultRangerPolicies()");
+    }
+
+    List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+    for (RangerPolicy defaultPolicy : ret) {
+      if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+        List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>();
+        accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_SELECT));
+        RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+        policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+        policyItemForLookupUser.setAccesses(accessListForLookupUser);
+        policyItemForLookupUser.setDelegateAdmin(false);
+        defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+      }
+    }
+
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("<== RangerServicePresto.getDefaultRangerPolicies()");
+    }
+    return ret;
+  }
+
   @Override
   public Map<String, Object> validateConfig() throws Exception {
     Map<String, Object> ret = new HashMap<String, Object>();
diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java
index 1b71cd7..ffe26b6 100644
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java
+++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java
@@ -19,10 +19,15 @@
 package org.apache.ranger.services.storm;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.service.RangerBaseService;
@@ -34,6 +39,10 @@ import org.apache.commons.logging.LogFactory;
 public class RangerServiceStorm extends RangerBaseService {
 
 	private static final Log LOG = LogFactory.getLog(RangerServiceStorm.class);
+	public static final String ACCESS_TYPE_GET_TOPOLOGY  = "getTopology";
+	public static final String ACCESS_TYPE_GET_TOPOLOGY_CONF  = "getTopologyConf";
+	public static final String ACCESS_TYPE_GET_USER_TOPOLOGY  = "getUserTopology";
+	public static final String ACCESS_TYPE_GET_TOPOLOGY_INFO  = "getTopologyInfo";
 	
 	public RangerServiceStorm() {
 		super();
@@ -45,6 +54,34 @@ public class RangerServiceStorm extends RangerBaseService {
 	}
 
 	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceStorm.getDefaultRangerPolicies()");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+		for (RangerPolicy defaultPolicy : ret) {
+			if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+				List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>();
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_TOPOLOGY));
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_TOPOLOGY_CONF));
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_USER_TOPOLOGY));
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_TOPOLOGY_INFO));
+				RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+				policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+				policyItemForLookupUser.setAccesses(accessListForLookupUser);
+				policyItemForLookupUser.setDelegateAdmin(false);
+				defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceStorm.getDefaultRangerPolicies()");
+		}
+		return ret;
+	}
+
+	@Override
 	public Map<String,Object> validateConfig() throws Exception {
 		Map<String, Object> ret = new HashMap<String, Object>();
 		String 	serviceName  	    = getServiceName();