Posted to commits@ranger.apache.org by ab...@apache.org on 2017/08/16 20:28:57 UTC

ranger git commit: RANGER-1737: Fixed RANGER-1181 by providing correct set of parameters to Hdfs Native Authorizer in case of fall-back

Repository: ranger
Updated Branches:
  refs/heads/master f7230f70a -> 1b4e78b0d


RANGER-1737: Fixed RANGER-1181 by providing correct set of parameters to Hdfs Native Authorizer in case of fall-back


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/1b4e78b0
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/1b4e78b0
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/1b4e78b0

Branch: refs/heads/master
Commit: 1b4e78b0dcfad74b7fd2baea16364b7daf32159e
Parents: f7230f7
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Aug 16 13:14:32 2017 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Wed Aug 16 13:14:32 2017 -0700

----------------------------------------------------------------------
 .../hadoop/RangerHdfsAuthorizer.java            | 110 +++++++++++--------
 1 file changed, 65 insertions(+), 45 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/1b4e78b0/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index f82fd57..97fd5cd 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -279,7 +279,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 						if (authzStatus == AuthzStatus.NOT_DETERMINED) {
 							authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
 											pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-											ancestorAccess, FsAction.NONE, FsAction.NONE, FsAction.NONE, ignoreEmptyDir,
+											ancestorAccess, null, null, null, ignoreEmptyDir,
 											isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
 						}
 					}
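Review bot: The switch from `FsAction.NONE` to `null` on the fall-back call is load-bearing but undocumented: as I read Hadoop's FSPermissionChecker.checkPermission, a null action makes it skip that check entirely, whereas FsAction.NONE still runs it (including the sticky-bit check on the parent and the subtree walk for subAccess), which is the RANGER-1181 behaviour this commit is removing. A reader who later "normalizes" the nulls back to NONE would silently reintroduce it, so the intent deserves a comment at this call site and at the three matching calls in the hunks at lines 48, 57 and 66, e.g. `// pass null (not FsAction.NONE) for actions that are not being checked: the native checker skips null actions but still evaluates NONE`. The audit branch inside checkDefaultEnforcer already treats null and NONE alike, so the audit record is unaffected by the change. The enclosing method starts and ends outside this hunk.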
@@ -292,7 +292,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 						if (authzStatus == AuthzStatus.NOT_DETERMINED) {
 							authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
 											pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-											FsAction.NONE, parentAccess, FsAction.NONE, FsAction.NONE, ignoreEmptyDir,
+											null, parentAccess, null, null, ignoreEmptyDir,
 											isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
 						}
 					}
@@ -305,7 +305,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 						if (authzStatus == AuthzStatus.NOT_DETERMINED) {
 							authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
 											pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-											FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
+											null, null, access, null, ignoreEmptyDir,
 											isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
 						}
 					}
@@ -345,18 +345,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 							}
 						}
 						if (authzStatus == AuthzStatus.NOT_DETERMINED) {
-							RangerPerfTracer hadoopAuthPerf = null;
-
-							if(RangerPerfTracer.isPerfTraceEnabled(PERF_HDFSAUTH_REQUEST_LOG)) {
-								hadoopAuthPerf = RangerPerfTracer.getPerfTracer(PERF_HDFSAUTH_REQUEST_LOG, "defaultEnforcer.checkPermission(path=" + path + ")");
-							}
 
 							authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
 											pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-											FsAction.NONE, FsAction.NONE, FsAction.NONE, subAccess, ignoreEmptyDir,
+											null, null, null, subAccess, ignoreEmptyDir,
 											isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
 
-							RangerPerfTracer.log(hadoopAuthPerf);
 						}
 					}
 
@@ -412,50 +406,76 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
                                     boolean isTraverseOnlyCheck, INode ancestor,
 												 INode parent, INode inode, RangerHdfsAuditHandler auditHandler
 												 ) throws AccessControlException {
-			    AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
-				if(RangerHdfsPlugin.isHadoopAuthEnabled() && defaultEnforcer != null) {
-
-					try {
-						defaultEnforcer.checkPermission(fsOwner, superGroup, ugi, inodeAttrs, inodes,
-														pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-														ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
-
-						authzStatus = AuthzStatus.ALLOW;
-					} finally {
-						if(auditHandler != null) {
-							INode    nodeChecked = inode;
-							FsAction action      = access;
-							if(isTraverseOnlyCheck) {
-								if(nodeChecked == null || nodeChecked.isFile()) {
-									if(parent != null) {
-										nodeChecked = parent;
-									} else if(ancestor != null) {
-										nodeChecked = ancestor;
-									}
-								}
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("==> RangerAccessControlEnforcer.checkDefaultEnforcer("
+						+ "fsOwner=" + fsOwner + "; superGroup=" + superGroup + ", inodesCount=" + (inodes != null ? inodes.length : 0)
+						+ ", snapshotId=" + snapshotId + ", path=" + path + ", ancestorIndex=" + ancestorIndex
+						+ ", doCheckOwner=" + doCheckOwner + ", ancestorAccess=" + ancestorAccess + ", parentAccess=" + parentAccess
+						+ ", access=" + access + ", subAccess=" + subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir
+						+ ", isTraverseOnlyCheck=" + isTraverseOnlyCheck + ",ancestor=" + (ancestor == null ? null : ancestor.getFullPathName())
+						+ ", parent=" + (parent == null ? null : parent.getFullPathName()) + ", inode=" + (inode == null ? null : inode.getFullPathName())
+						+ ")");
+			}
+
+			AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
+			if(RangerHdfsPlugin.isHadoopAuthEnabled() && defaultEnforcer != null) {
+
+				RangerPerfTracer hadoopAuthPerf = null;
+
+				if(RangerPerfTracer.isPerfTraceEnabled(PERF_HDFSAUTH_REQUEST_LOG)) {
+					hadoopAuthPerf = RangerPerfTracer.getPerfTracer(PERF_HDFSAUTH_REQUEST_LOG, "RangerAccessControlEnforcer.checkDefaultEnforcer(path=" + path + ")");
+				}
 
-								action = FsAction.EXECUTE;
-							} else if(action == null || action == FsAction.NONE)  {
-								if(parentAccess != null && parentAccess != FsAction.NONE ) {
+				try {
+					defaultEnforcer.checkPermission(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+							pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
+							ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
+
+					authzStatus = AuthzStatus.ALLOW;
+				} finally {
+					if (auditHandler != null) {
+						INode nodeChecked = inode;
+						FsAction action = access;
+						if (isTraverseOnlyCheck) {
+							if (nodeChecked == null || nodeChecked.isFile()) {
+								if (parent != null) {
 									nodeChecked = parent;
-									action      = parentAccess;
-								} else if(ancestorAccess != null  && ancestorAccess != FsAction.NONE ) {
+								} else if (ancestor != null) {
 									nodeChecked = ancestor;
-									action      = ancestorAccess;
-								} else if(subAccess != null && subAccess != FsAction.NONE ) {
-									action = subAccess;
 								}
 							}
 
-							String pathChecked = nodeChecked != null ? nodeChecked.getFullPathName() : path;
-
-							auditHandler.logHadoopEvent(pathChecked, action, authzStatus == AuthzStatus.ALLOW);
+							action = FsAction.EXECUTE;
+						} else if (action == null || action == FsAction.NONE) {
+							if (parentAccess != null && parentAccess != FsAction.NONE) {
+								nodeChecked = parent;
+								action = parentAccess;
+							} else if (ancestorAccess != null && ancestorAccess != FsAction.NONE) {
+								nodeChecked = ancestor;
+								action = ancestorAccess;
+							} else if (subAccess != null && subAccess != FsAction.NONE) {
+								action = subAccess;
+							}
 						}
+
+						String pathChecked = nodeChecked != null ? nodeChecked.getFullPathName() : path;
+
+						auditHandler.logHadoopEvent(pathChecked, action, authzStatus == AuthzStatus.ALLOW);
 					}
-                                        return authzStatus;
+					RangerPerfTracer.log(hadoopAuthPerf);
 				}
-                                return authzStatus;
-                }
+			}
+			LOG.debug("<== RangerAccessControlEnforcer.checkDefaultEnforcer("
+					+ "fsOwner=" + fsOwner + "; superGroup=" + superGroup + ", inodesCount=" + (inodes != null ? inodes.length : 0)
+					+ ", snapshotId=" + snapshotId + ", path=" + path + ", ancestorIndex=" + ancestorIndex
+					+ ", doCheckOwner="+ doCheckOwner + ", ancestorAccess=" + ancestorAccess + ", parentAccess=" + parentAccess
+					+ ", access=" + access + ", subAccess=" + subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir
+					+ ", isTraverseOnlyCheck=" + isTraverseOnlyCheck + ",ancestor=" + (ancestor == null ? null : ancestor.getFullPathName())
+					+ ", parent=" + (parent == null ? null : parent.getFullPathName()) + ", inode=" + (inode == null ? null : inode.getFullPathName())
+					+ ") : " + authzStatus );
+
+			return authzStatus;
+		}
 
 		private AuthzStatus isAccessAllowed(INode inode, INodeAttributes inodeAttribs, FsAction access, String user, Set<String> groups, RangerHdfsPlugin plugin, RangerHdfsAuditHandler auditHandler) {
 			AuthzStatus ret       = null;
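Review bot: The exit trace at the end of checkDefaultEnforcer (the `LOG.debug("<== RangerAccessControlEnforcer.checkDefaultEnforcer(" ...` statement) is not guarded by `LOG.isDebugEnabled()`, unlike the entry trace at the top of the method, so every fall-back authorization builds the full message string, including three getFullPathName() calls, even when debug logging is off; wrap the statement in `if (LOG.isDebugEnabled()) { ... }` as the entry trace does. Note also that this exit trace is only reached when defaultEnforcer.checkPermission returns normally; when it throws AccessControlException the method leaves through the finally block, so a denied request gets an entry trace with no matching exit trace, and if symmetric tracing matters the exit log belongs in the finally, next to the audit event that is already written there. The parameter list of checkDefaultEnforcer begins before this hunk.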