Posted to commits@ranger.apache.org by ab...@apache.org on 2017/08/16 20:28:57 UTC
ranger git commit: RANGER-1737: Fixed RANGER-1181 by providing correct set of parameters to Hdfs Native Authorizer in case of fall-back
Repository: ranger
Updated Branches:
refs/heads/master f7230f70a -> 1b4e78b0d
RANGER-1737: Fixed RANGER-1181 by providing correct set of parameters to Hdfs Native Authorizer in case of fall-back
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/1b4e78b0
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/1b4e78b0
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/1b4e78b0
Branch: refs/heads/master
Commit: 1b4e78b0dcfad74b7fd2baea16364b7daf32159e
Parents: f7230f7
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Aug 16 13:14:32 2017 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Wed Aug 16 13:14:32 2017 -0700
----------------------------------------------------------------------
.../hadoop/RangerHdfsAuthorizer.java | 110 +++++++++++--------
1 file changed, 65 insertions(+), 45 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/1b4e78b0/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index f82fd57..97fd5cd 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -279,7 +279,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
if (authzStatus == AuthzStatus.NOT_DETERMINED) {
authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
- ancestorAccess, FsAction.NONE, FsAction.NONE, FsAction.NONE, ignoreEmptyDir,
+ ancestorAccess, null, null, null, ignoreEmptyDir,
isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
}
}
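Review bot: The switch from `FsAction.NONE` to `null` for the access kinds not being checked is left undocumented at the call site, and the same one-line change recurs in the three hunks that follow. The commit title implies that the native enforcer presumably treats a null access as "not requested" while `FsAction.NONE` still drives a check, so a later edit that "tidies" these back to `FsAction.NONE` would silently reintroduce RANGER-1181. Suggest a comment above each `checkDefaultEnforcer(` call, e.g. `// pass null (not FsAction.NONE) for access kinds Ranger is not checking here, so the native enforcer skips them`. The enclosing checkPermission method starts and ends outside this hunk.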
@@ -292,7 +292,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
if (authzStatus == AuthzStatus.NOT_DETERMINED) {
authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
- FsAction.NONE, parentAccess, FsAction.NONE, FsAction.NONE, ignoreEmptyDir,
+ null, parentAccess, null, null, ignoreEmptyDir,
isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
}
}
@@ -305,7 +305,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
if (authzStatus == AuthzStatus.NOT_DETERMINED) {
authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
- FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
+ null, null, access, null, ignoreEmptyDir,
isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
}
}
@@ -345,18 +345,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
}
}
if (authzStatus == AuthzStatus.NOT_DETERMINED) {
- RangerPerfTracer hadoopAuthPerf = null;
-
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_HDFSAUTH_REQUEST_LOG)) {
- hadoopAuthPerf = RangerPerfTracer.getPerfTracer(PERF_HDFSAUTH_REQUEST_LOG, "defaultEnforcer.checkPermission(path=" + path + ")");
- }
authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
- FsAction.NONE, FsAction.NONE, FsAction.NONE, subAccess, ignoreEmptyDir,
+ null, null, null, subAccess, ignoreEmptyDir,
isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
- RangerPerfTracer.log(hadoopAuthPerf);
}
}
@@ -412,50 +406,76 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
boolean isTraverseOnlyCheck, INode ancestor,
INode parent, INode inode, RangerHdfsAuditHandler auditHandler
) throws AccessControlException {
- AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
- if(RangerHdfsPlugin.isHadoopAuthEnabled() && defaultEnforcer != null) {
-
- try {
- defaultEnforcer.checkPermission(fsOwner, superGroup, ugi, inodeAttrs, inodes,
- pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
- ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
-
- authzStatus = AuthzStatus.ALLOW;
- } finally {
- if(auditHandler != null) {
- INode nodeChecked = inode;
- FsAction action = access;
- if(isTraverseOnlyCheck) {
- if(nodeChecked == null || nodeChecked.isFile()) {
- if(parent != null) {
- nodeChecked = parent;
- } else if(ancestor != null) {
- nodeChecked = ancestor;
- }
- }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAccessControlEnforcer.checkDefaultEnforcer("
+ + "fsOwner=" + fsOwner + "; superGroup=" + superGroup + ", inodesCount=" + (inodes != null ? inodes.length : 0)
+ + ", snapshotId=" + snapshotId + ", path=" + path + ", ancestorIndex=" + ancestorIndex
+ + ", doCheckOwner=" + doCheckOwner + ", ancestorAccess=" + ancestorAccess + ", parentAccess=" + parentAccess
+ + ", access=" + access + ", subAccess=" + subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir
+ + ", isTraverseOnlyCheck=" + isTraverseOnlyCheck + ",ancestor=" + (ancestor == null ? null : ancestor.getFullPathName())
+ + ", parent=" + (parent == null ? null : parent.getFullPathName()) + ", inode=" + (inode == null ? null : inode.getFullPathName())
+ + ")");
+ }
+
+ AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
+ if(RangerHdfsPlugin.isHadoopAuthEnabled() && defaultEnforcer != null) {
+
+ RangerPerfTracer hadoopAuthPerf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_HDFSAUTH_REQUEST_LOG)) {
+ hadoopAuthPerf = RangerPerfTracer.getPerfTracer(PERF_HDFSAUTH_REQUEST_LOG, "RangerAccessControlEnforcer.checkDefaultEnforcer(path=" + path + ")");
+ }
- action = FsAction.EXECUTE;
- } else if(action == null || action == FsAction.NONE) {
- if(parentAccess != null && parentAccess != FsAction.NONE ) {
+ try {
+ defaultEnforcer.checkPermission(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+ pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
+ ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
+
+ authzStatus = AuthzStatus.ALLOW;
+ } finally {
+ if (auditHandler != null) {
+ INode nodeChecked = inode;
+ FsAction action = access;
+ if (isTraverseOnlyCheck) {
+ if (nodeChecked == null || nodeChecked.isFile()) {
+ if (parent != null) {
nodeChecked = parent;
- action = parentAccess;
- } else if(ancestorAccess != null && ancestorAccess != FsAction.NONE ) {
+ } else if (ancestor != null) {
nodeChecked = ancestor;
- action = ancestorAccess;
- } else if(subAccess != null && subAccess != FsAction.NONE ) {
- action = subAccess;
}
}
- String pathChecked = nodeChecked != null ? nodeChecked.getFullPathName() : path;
-
- auditHandler.logHadoopEvent(pathChecked, action, authzStatus == AuthzStatus.ALLOW);
+ action = FsAction.EXECUTE;
+ } else if (action == null || action == FsAction.NONE) {
+ if (parentAccess != null && parentAccess != FsAction.NONE) {
+ nodeChecked = parent;
+ action = parentAccess;
+ } else if (ancestorAccess != null && ancestorAccess != FsAction.NONE) {
+ nodeChecked = ancestor;
+ action = ancestorAccess;
+ } else if (subAccess != null && subAccess != FsAction.NONE) {
+ action = subAccess;
+ }
}
+
+ String pathChecked = nodeChecked != null ? nodeChecked.getFullPathName() : path;
+
+ auditHandler.logHadoopEvent(pathChecked, action, authzStatus == AuthzStatus.ALLOW);
}
- return authzStatus;
+ RangerPerfTracer.log(hadoopAuthPerf);
}
- return authzStatus;
- }
+ }
+ LOG.debug("<== RangerAccessControlEnforcer.checkDefaultEnforcer("
+ + "fsOwner=" + fsOwner + "; superGroup=" + superGroup + ", inodesCount=" + (inodes != null ? inodes.length : 0)
+ + ", snapshotId=" + snapshotId + ", path=" + path + ", ancestorIndex=" + ancestorIndex
+ + ", doCheckOwner="+ doCheckOwner + ", ancestorAccess=" + ancestorAccess + ", parentAccess=" + parentAccess
+ + ", access=" + access + ", subAccess=" + subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir
+ + ", isTraverseOnlyCheck=" + isTraverseOnlyCheck + ",ancestor=" + (ancestor == null ? null : ancestor.getFullPathName())
+ + ", parent=" + (parent == null ? null : parent.getFullPathName()) + ", inode=" + (inode == null ? null : inode.getFullPathName())
+ + ") : " + authzStatus );
+
+ return authzStatus;
+ }
private AuthzStatus isAccessAllowed(INode inode, INodeAttributes inodeAttribs, FsAction access, String user, Set<String> groups, RangerHdfsPlugin plugin, RangerHdfsAuditHandler auditHandler) {
AuthzStatus ret = null;
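Review bot: The exit trace beginning `LOG.debug("<== RangerAccessControlEnforcer.checkDefaultEnforcer("` is built unconditionally — the string concatenation and the three `getFullPathName()` calls run on every fallback permission check even when debug logging is off — while the matching entry trace at the top of the method is guarded by `LOG.isDebugEnabled()`. Since checkDefaultEnforcer sits on the HDFS permission-check path, guard the exit trace the same way: add `if (LOG.isDebugEnabled()) {` before the `LOG.debug("<== ...` line and a closing `}` after the `+ ") : " + authzStatus );` line. Minor: `",ancestor="` in both messages lacks the separating space the other fields use. The method's signature begins before this hunk's first line.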