Posted to commits@ranger.apache.org by rm...@apache.org on 2021/01/05 16:21:21 UTC

[ranger] branch master updated: RANGER-3140:Ranger ShutdownHook hook to be called in RangerHBaseCoprocessor preShutdown apis for a clean shutdown of HBase

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 391877b  RANGER-3140:Ranger ShutdownHook hook to be called in RangerHBaseCoprocessor preShutdown apis for a clean shutdown of HBase
391877b is described below

commit 391877b92e385a0f815798e4fb57cbaf8a93c22b
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Mon Jan 4 23:33:32 2021 -0800

    RANGER-3140:Ranger ShutdownHook hook to be called in RangerHBaseCoprocessor preShutdown apis for a clean shutdown of HBase
    
    Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
 .../audit/provider/AuditProviderFactory.java       |  7 +++-
 .../apache/ranger/audit/queue/AuditFileSpool.java  |  1 +
 .../authorization/hbase/AuthorizationSession.java  |  2 +-
 .../hbase/RangerAuthorizationCoprocessor.java      | 44 ++++++++++++++++++++++
 4 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
index 1be9c2f..f971a76 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
@@ -19,6 +19,7 @@
 package org.apache.ranger.audit.provider;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.Semaphore;
@@ -71,6 +72,7 @@ public class AuditProviderFactory {
 	private String componentAppType = "";
 	private boolean mInitDone = false;
 	private JVMShutdownHook jvmShutdownHook = null;
+	private ArrayList<String> hbaseAppTypes = new ArrayList<>(Arrays.asList("hbaseMaster","hbaseRegional"));
 
 	public AuditProviderFactory() {
 		LOG.info("AuditProviderFactory: creating..");
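Review bot: The new `hbaseAppTypes` field is a mutable per-instance `ArrayList` holding two literal app-type names, although it is only ever read as a constant lookup. A shared constant built from the imports already present would state that intent, for example `private static final List<String> HBASE_APP_TYPES = Arrays.asList("hbaseMaster", "hbaseRegional");`. A one-line comment should also say that these strings must match exactly the appType the HBase plugin registers with, because a mismatch silently re-enables the JVM shutdown hook for HBase.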
@@ -476,7 +478,10 @@ public class AuditProviderFactory {
 	private void installJvmSutdownHook(Properties props) {
 		int shutdownHookMaxWaitSeconds = MiscUtil.getIntProperty(props, AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC, AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC_DEFAULT);
 		jvmShutdownHook = new JVMShutdownHook(mProvider, shutdownHookMaxWaitSeconds);
-		ShutdownHookManager.get().addShutdownHook(jvmShutdownHook, RANGER_AUDIT_SHUTDOWN_HOOK_PRIORITY);
+		String appType = this.componentAppType;
+		if (appType != null && !hbaseAppTypes.contains(appType)) {
+			ShutdownHookManager.get().addShutdownHook(jvmShutdownHook, RANGER_AUDIT_SHUTDOWN_HOOK_PRIORITY);
+		}
 	}
 
 	private static class RangerAsyncAuditCleanup implements Runnable {
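Review bot: In `installJvmSutdownHook`, the HBase app types no longer get a JVM shutdown hook, so flushing queued audit events for HBase now depends entirely on the coprocessor's pre-stop callbacks being invoked. As far as this diff shows, a JVM exit that does not pass through those callbacks leaves buffered audit events unflushed, and the skip itself is silent. I would document this trade-off at the condition, e.g. `// HBase flushes audits from RangerAuthorizationCoprocessor preShutdown/preStop* instead; exits that bypass them get no flush`, and add an `else` branch that logs at info that the hook was not installed. The `appType != null` test also means a null app type now installs no hook at all, which looks unintended given that the field is initialised to `""`.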
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
index cbd819d..f8c2aa5 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
@@ -864,6 +864,7 @@ public class AuditFileSpool implements Runnable {
 				}
 			} catch (InterruptedException e) {
 				logger.info("Caught exception in consumer thread. Shutdown might be in progress");
+				break;
 			} catch (Throwable t) {
 				logger.error("Exception in destination writing thread.", t);
 			}
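Review bot: The added `break` in the `InterruptedException` handler leaves the loop without restoring the thread's interrupt status, so code running after the loop cannot see that an interrupt was requested. Put `Thread.currentThread().interrupt();` on the line before `break;`. The enclosing loop and method start outside this hunk, so it cannot be confirmed from here that `break` exits the consumer loop rather than an inner one.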
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index 1b13d3b..95ab504 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -243,7 +243,7 @@ public class AuthorizationSession {
 		}
 		
 		boolean authorized = isAuthorized();
-		if (_auditHandler != null) {
+		if (_auditHandler != null && isAudited()) {
 			List<AuthzAuditEvent> events = null;
 			/*
 			 * What we log to audit depends on authorization status.  For success we log all accumulated events.  In case of failure
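Review bot: The added `isAudited()` condition now gates both the success and the failure path described in the comment below it, and it applies to every request, not only those arriving during shutdown. `isAudited()` is not visible in this hunk; if it can return false for a denied request, denial events that were previously logged would now be dropped, so this should be confirmed against its definition. A short comment at the condition would record the intent, e.g. `// results built while HBase is shutting down are marked not-audited; skip them so nothing is sent to a closed audit provider`. The enclosing method begins and ends outside the hunk.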
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index d9872ff..2232953 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -58,10 +58,13 @@ import org.apache.hadoop.hbase.util.Pair;
 import org.apache.hadoop.hbase.wal.WALEdit;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.audit.provider.AuditProviderFactory;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
@@ -1022,6 +1025,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 	@Override
 	public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
 		requirePermission(c, "shutdown", Permission.Action.ADMIN);
+		cleanUp_HBaseRangerPlugin();
 	}
 	@Override
 	public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, TableDescriptor hTableDescriptor) throws IOException {
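Review bot: `cleanUp_HBaseRangerPlugin()` runs inside a pre-hook, before the shutdown has actually happened, and nothing in this commit resets the plugin state if the stop is later abandoned or delayed. From that point on the plugin stays in its shutting-down mode, which, per the `RangerHBasePlugin` change further down, allows every request without audit. The same applies to `preStopMaster` and `preStopRegionServer` in the next hunk. At minimum each call site should carry a comment such as `// one-way switch: after this call the plugin authorizes all requests unaudited until the process exits`, so the consequence is visible where the decision is made.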
@@ -1031,10 +1035,12 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 	@Override
 	public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
 		requirePermission(c, "stopMaster", Permission.Action.ADMIN);
+		cleanUp_HBaseRangerPlugin();
 	}
 	@Override
 	public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> env) throws IOException {
 		requirePermission(env, "stop", Permission.Action.ADMIN);
+		cleanUp_HBaseRangerPlugin();
 	}
 	@Override
 	public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo, boolean force) throws IOException {
@@ -1645,6 +1651,24 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 
 		return ret;
 	}
+
+	private void cleanUp_HBaseRangerPlugin() {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAuthorizationCoprocessor.cleanUp_HBaseRangerPlugin()");
+		}
+		if (hbasePlugin != null) {
+			hbasePlugin.setHBaseShuttingDown(true);
+			hbasePlugin.cleanup();
+			AuditProviderFactory auditProviderFactory = hbasePlugin.getAuditProviderFactory();
+			if (auditProviderFactory != null) {
+				auditProviderFactory.shutdown();
+			}
+		}
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAuthorizationCoprocessor.cleanUp_HBaseRangerPlugin() completed!");
+		}
+	}
+
 	private String getCommandString(String operationName, String tableNameStr, Map<String,Object> opMetaData) {
 		StringBuilder ret = new StringBuilder();
 		if (!HbaseConstants.HBASE_META_TABLE.equals(tableNameStr)) {
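Review bot: In `cleanUp_HBaseRangerPlugin`, an exception thrown by `hbasePlugin.cleanup()` skips `auditProviderFactory.shutdown()` and propagates into the HBase stop callback, while `setHBaseShuttingDown(true)` has already taken effect. Wrapping `hbasePlugin.cleanup();` in `try { … } finally { … }`, with the audit-provider shutdown in the `finally` part, keeps the audit flush from depending on plugin cleanup succeeding. The method can also be reached more than once (`preShutdown` and `preStopMaster` both call it), so it is worth confirming that `cleanup()` and `shutdown()` tolerate a second call. On style, the underscore in the method name departs from Java naming; `cleanUpHBaseRangerPlugin` would match the rest of the class.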
@@ -1787,10 +1811,30 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 
 
 class RangerHBasePlugin extends RangerBasePlugin {
+	private static final Log LOG = LogFactory.getLog(RangerHBasePlugin.class);
+	boolean isHBaseShuttingDown  = false;
+
 	public RangerHBasePlugin(String appType) {
 		super("hbase", appType);
 	}
 
+	public void setHBaseShuttingDown(boolean hbaseShuttingDown) {
+		isHBaseShuttingDown = hbaseShuttingDown;
+	}
+
+	@Override
+	public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
+		RangerAccessResult ret = null;
+		if (isHBaseShuttingDown) {
+			ret = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, this.getServiceName(), this.getServiceDef(), request);
+			ret.setIsAllowed(true);
+			ret.setIsAudited(false);
+			LOG.warn("Auth request came after HBase shutdown....");
+		} else {
+			ret = super.isAccessAllowed(request, resultProcessor);
+		}
+		return ret;
+	}
 }
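Review bot: Once `isHBaseShuttingDown` is set, the overridden `isAccessAllowed` returns `setIsAllowed(true)` with `setIsAudited(false)` for every request, so the plugin fails open and leaves no audit record for as long as the process keeps serving. The only trace is a fixed warning string; it should at least identify the request, e.g. `LOG.warn("Auth request came after HBase shutdown: user=" + request.getUser() + ", access=" + request.getAccessType());`. The class should also document why allowing, rather than denying, is required here. The flag is written by the coprocessor stop callback and read by request-handling code, presumably on other threads, so it should be declared `private volatile boolean isHBaseShuttingDown = false;` instead of a package-private plain field.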