Posted to commits@ranger.apache.org by ma...@apache.org on 2016/11/10 05:42:37 UTC
incubator-ranger git commit: RANGER-1181: Ranger HDFS authorizer
should fall back to native authorizer for each level of access to be
authorized i.e. ancestor/parent/node/sub-access
Repository: incubator-ranger
Updated Branches:
refs/heads/master 4fbab5515 -> f70fdbf79
RANGER-1181: Ranger HDFS authorizer should fall back to native authorizer for each level of access to be authorized i.e. ancestor/parent/node/sub-access
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/f70fdbf7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/f70fdbf7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/f70fdbf7
Branch: refs/heads/master
Commit: f70fdbf7947509c0975bd3c61b96b63f9b5daaa4
Parents: 4fbab55
Author: Yan Zhou <yz...@yahoo.com>
Authored: Wed Nov 9 21:40:46 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Nov 9 21:41:04 2016 -0800
----------------------------------------------------------------------
.../hadoop/RangerHdfsAuthorizer.java | 97 ++++++++++++++------
1 file changed, 70 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f70fdbf7/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 6f452da..4d6cb0d 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -251,6 +251,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
authzStatus = isAccessAllowed(ancestor, ancestorAttribs, ancestorAccess, user, groups, plugin, auditHandler);
+ if (authzStatus == AuthzStatus.NOT_DETERMINED) {
+ authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+ pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
+ ancestorAccess, FsAction.NONE, FsAction.NONE, FsAction.NONE, ignoreEmptyDir,
+ isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
+ }
}
// checkParentAccess
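Review bot: The per-level fallback passes `FsAction.NONE` for the three levels it is not checking (the argument line after `checkDefaultEnforcer(`), whereas the rest of this method treats `null` as "level not requested" — the denial branch further down selects the action with `access == null` / `parentAccess != null` tests, and the original combined call forwarded the caller's possibly-null values unchanged. If the wired defaultEnforcer follows Hadoop's FSPermissionChecker semantics (not visible here), a non-null value is a requested check and a non-null subAccess in particular walks the whole subtree under the inode, so every ancestor, parent and inode fallback would pay for a recursive directory scan the caller never asked for, while still passing because NONE is implied by any mode. Suggest passing `null` for the unrequested levels instead: `ancestorAccess, null, null, null, ignoreEmptyDir,`. The same applies to the parent, inode and sub-access fallbacks in the next three hunks. The enclosing checkPermission method starts before this hunk.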
@@ -258,6 +264,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
INodeAttributes parentAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null;
authzStatus = isAccessAllowed(parent, parentAttribs, parentAccess, user, groups, plugin, auditHandler);
+ if (authzStatus == AuthzStatus.NOT_DETERMINED) {
+ authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+ pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
+ FsAction.NONE, parentAccess, FsAction.NONE, FsAction.NONE, ignoreEmptyDir,
+ isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
+ }
}
// checkINodeAccess
@@ -265,6 +277,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
INodeAttributes inodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
authzStatus = isAccessAllowed(inode, inodeAttribs, access, user, groups, plugin, auditHandler);
+ if (authzStatus == AuthzStatus.NOT_DETERMINED) {
+ authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+ pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
+ FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
+ isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
+ }
}
// checkSubAccess
@@ -291,6 +309,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
}
}
}
+ if (authzStatus == AuthzStatus.NOT_DETERMINED) {
+ authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+ pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
+ FsAction.NONE, FsAction.NONE, FsAction.NONE, subAccess, ignoreEmptyDir,
+ isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
+ }
}
// checkOwnerAccess
@@ -302,7 +326,49 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
}
}
- if(authzStatus == AuthzStatus.NOT_DETERMINED && RangerHdfsPlugin.isHadoopAuthEnabled() && defaultEnforcer != null) {
+ if (authzStatus == AuthzStatus.NOT_DETERMINED) {
+ authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+ pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
+ ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir,
+ isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
+ }
+
+ if(authzStatus != AuthzStatus.ALLOW) {
+ FsAction action = access;
+
+ if(action == null) {
+ if(parentAccess != null) {
+ action = parentAccess;
+ } else if(ancestorAccess != null) {
+ action = ancestorAccess;
+ } else {
+ action = FsAction.EXECUTE;
+ }
+ }
+
+ throw new RangerAccessControlException("Permission denied: user=" + user + ", access=" + action + ", inode=\"" + path + "\"");
+ }
+ } finally {
+ if(auditHandler != null) {
+ auditHandler.flushAudit();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAccessControlEnforcer.checkPermission(" + path + ", " + access + ", user=" + user + ") : " + authzStatus);
+ }
+ }
+ }
+
+ private AuthzStatus checkDefaultEnforcer(String fsOwner, String superGroup, UserGroupInformation ugi,
+ INodeAttributes[] inodeAttrs, INode[] inodes, byte[][] pathByNameArr,
+ int snapshotId, String path, int ancestorIndex, boolean doCheckOwner,
+ FsAction ancestorAccess, FsAction parentAccess, FsAction access,
+ FsAction subAccess, boolean ignoreEmptyDir,
+ boolean isTraverseOnlyCheck, INode ancestor,
+ INode parent, INode inode, RangerHdfsAuditHandler auditHandler
+ ) throws AccessControlException {
+ AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
+ if(RangerHdfsPlugin.isHadoopAuthEnabled() && defaultEnforcer != null) {
try {
defaultEnforcer.checkPermission(fsOwner, superGroup, ugi, inodeAttrs, inodes,
pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
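Review bot: The denial message built in the `if(authzStatus != AuthzStatus.ALLOW)` block never reports a sub-access denial: when `access` is null it tries parentAccess and ancestorAccess and then reports EXECUTE, although the method also receives `subAccess` and, after this commit, falls back on it as a separate level. A request that asked only for sub-access and was denied would therefore be audited and reported with the wrong action. Add `} else if(subAccess != null) { action = subAccess; }` before the EXECUTE default. The new checkDefaultEnforcer method also has no Javadoc; a short comment stating that it returns NOT_DETERMINED whenever Hadoop authorization is disabled or no defaultEnforcer is configured, so the caller must treat that value as a denial, would make the contract explicit. Both checkPermission's body and checkDefaultEnforcer extend beyond this hunk.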
@@ -341,33 +407,10 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
auditHandler.logHadoopEvent(pathChecked, action, authzStatus == AuthzStatus.ALLOW);
}
}
+ return authzStatus;
}
-
- if(authzStatus != AuthzStatus.ALLOW) {
- FsAction action = access;
-
- if(action == null) {
- if(parentAccess != null) {
- action = parentAccess;
- } else if(ancestorAccess != null) {
- action = ancestorAccess;
- } else {
- action = FsAction.EXECUTE;
- }
- }
-
- throw new RangerAccessControlException("Permission denied: user=" + user + ", access=" + action + ", inode=\"" + path + "\"");
- }
- } finally {
- if(auditHandler != null) {
- auditHandler.flushAudit();
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerAccessControlEnforcer.checkPermission(" + path + ", " + access + ", user=" + user + ") : " + authzStatus);
- }
- }
- }
+ return authzStatus;
+ }
private AuthzStatus isAccessAllowed(INode inode, INodeAttributes inodeAttribs, FsAction access, String user, Set<String> groups, RangerHdfsPlugin plugin, RangerHdfsAuditHandler auditHandler) {
AuthzStatus ret = null;
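Review bot: The added `return authzStatus;` that appears to be the last statement of the `if(RangerHdfsPlugin.isHadoopAuthEnabled() && defaultEnforcer != null)` block is redundant with the `return authzStatus;` added right after the block closes, since both return the same variable and nothing runs between them. Dropping the inner one leaves a single exit point and makes it obvious that NOT_DETERMINED is returned only when the native check was skipped entirely. checkDefaultEnforcer begins before this hunk.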