You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hawq.apache.org by zhangh43 <gi...@git.apache.org> on 2016/12/12 07:42:23 UTC
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement bached ACL check thr...
GitHub user zhangh43 opened a pull request:
https://github.com/apache/incubator-hawq/pull/1047
HAWQ-1003. Implement bached ACL check through Ranger.
This pr includes :
HAWQ-1001. Implement HAWQ basic user ACL check through Ranger.
HAWQ-1002. Implement configuration GUC related to Ranger.
HAWQ-1003. Implement bached ACL check through Ranger.
when GUC enable_ranger is ON, we will use ranger_acl_check to determine where user has the permission to query the data.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/zhangh43/incubator-hawq ran5
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-hawq/pull/1047.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1047
----
commit 0c5a8402354b89ac865ea82cf7c0e2741d744f2e
Author: hzhang2 <zh...@163.com>
Date: 2016-12-12T06:29:29Z
HAWQ-1004. Implement calling Ranger REST Service using libcurl.
commit ca9f649338d0becbde15e24f43006aa8c5d20868
Author: hzhang2 <zh...@163.com>
Date: 2016-12-12T06:36:58Z
HAWQ-1002. Implement configuration GUC related to Ranger.
commit a5a02b197998261eed364b7c22c77b7da6afd3b0
Author: hzhang2 <zh...@163.com>
Date: 2016-12-12T06:46:38Z
HAWQ-1001. Implement HAWQ basic user ACL check through Ranger.
commit e408bcd6236d4ee20994966072c5b3db81008395
Author: hzhang2 <zh...@163.com>
Date: 2016-12-12T06:47:46Z
HAWQ-1003. Implement bached ACL check through Ranger.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by paul-guo- <gi...@git.apache.org>.
Github user paul-guo- commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1047#discussion_r91898078
--- Diff: src/include/utils/rangerrest.h ---
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*-------------------------------------------------------------------------
+ *
+ * rangerrest.h
+ * routines to interact with Ranger REST API
--- End diff --
REST API for Ranger interaction?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq issue #1047: HAWQ-1003. Implement batched ACL check through R...
Posted by paul-guo- <gi...@git.apache.org>.
Github user paul-guo- commented on the issue:
https://github.com/apache/incubator-hawq/pull/1047
ORCA did ACL check in their code also so please make sure your batch code works for them also.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 closed the pull request at:
https://github.com/apache/incubator-hawq/pull/1047
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq issue #1047: HAWQ-1003. Implement batched ACL check through R...
Posted by paul-guo- <gi...@git.apache.org>.
Github user paul-guo- commented on the issue:
https://github.com/apache/incubator-hawq/pull/1047
Seems there are file conflicts with https://github.com/apache/incubator-hawq/pull/1046
At least rangerrest.h
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by paul-guo- <gi...@git.apache.org>.
Github user paul-guo- commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1047#discussion_r91898147
--- Diff: src/backend/utils/misc/guc.c ---
@@ -6250,6 +6261,15 @@ static struct config_int ConfigureNamesInt[] =
},
{
+ {"hawq_rps_address_port", PGC_POSTMASTER, PRESET_OPTIONS,
+ gettext_noop("rps server address port number"),
+ NULL
+ },
+ &rps_addr_port,
+ 1, 1, 65535, NULL, NULL
+ },
+
+ {
--- End diff --
What is rps? If this is Ranger specific, please specify in the descriptions.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1047#discussion_r92317681
--- Diff: src/backend/utils/misc/guc.c ---
@@ -8154,6 +8174,15 @@ static struct config_string ConfigureNamesString[] =
},
{
+ {"hawq_rps_address_host", PGC_POSTMASTER, PRESET_OPTIONS,
+ gettext_noop("rps server address hostname"),
+ NULL
+ },
+ &rps_addr_host,
+ "localhost", NULL, NULL
+ },
+
+ {
--- End diff --
fixed
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1047#discussion_r92317685
--- Diff: src/backend/utils/misc/guc.c ---
@@ -6250,6 +6261,15 @@ static struct config_int ConfigureNamesInt[] =
},
{
+ {"hawq_rps_address_port", PGC_POSTMASTER, PRESET_OPTIONS,
+ gettext_noop("rps server address port number"),
+ NULL
+ },
+ &rps_addr_port,
+ 1, 1, 65535, NULL, NULL
+ },
+
+ {
--- End diff --
fixed
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by zhangh43 <gi...@git.apache.org>.
Github user zhangh43 commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1047#discussion_r92317398
--- Diff: src/backend/parser/parse_relation.c ---
@@ -2713,15 +2712,90 @@ warnAutoRange(ParseState *pstate, RangeVar *relation, int location)
void
ExecCheckRTPerms(List *rangeTable)
{
+ if (enable_ranger)
+ {
+ if(rangeTable!=NULL)
+ ExecCheckRTPermsWithRanger(rangeTable);
+ return;
+ }
ListCell *l;
-
foreach(l, rangeTable)
{
ExecCheckRTEPerms((RangeTblEntry *) lfirst(l));
}
}
/*
+ * ExecCheckRTPerms
+ * Batch implementation: Check access permissions for all relations listed in a range table with enable_ranger is true.
+ */
+void
+ExecCheckRTPermsWithRanger(List *rangeTable)
+{
+ List *ranger_check_args = NIL;
+ ListCell *l;
+ foreach(l, rangeTable)
+ {
+
+ AclMode requiredPerms;
+ Oid relOid;
+ Oid userid;
+ RangeTblEntry *rte = (RangeTblEntry *) lfirst(l);
+
+ if (rte->rtekind != RTE_RELATION)
+ return;
+ requiredPerms = rte->requiredPerms;
+ if (requiredPerms == 0)
+ return;
+
+ relOid = rte->relid;
+ userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
+
+ RangerPrivilegeArgs *ranger_check_arg = (RangerPrivilegeArgs *) palloc(sizeof(RangerPrivilegeArgs));
+ ranger_check_arg->objkind = ACL_KIND_CLASS;
+ ranger_check_arg->object_oid = relOid;
+ ranger_check_arg->roleid = userid;
+ ranger_check_arg->mask = requiredPerms;
+ ranger_check_arg->how = ACLMASK_ALL;
+ ranger_check_args = lappend(ranger_check_args, ranger_check_arg);
+
+ } // foreach
+
+ // ranger ACL check with package Oids
+ List *aclresults = NIL;
+ aclresults = pg_rangercheck_batch(ranger_check_args);
+ if (aclresults == NIL)
+ {
+ elog(ERROR, "ERROR\n");
--- End diff --
yes, this error message should be replaced by the exact error message in future. for example, which table doesn't pass the acl check.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by paul-guo- <gi...@git.apache.org>.
Github user paul-guo- commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1047#discussion_r91897627
--- Diff: src/backend/parser/parse_relation.c ---
@@ -2713,15 +2712,90 @@ warnAutoRange(ParseState *pstate, RangeVar *relation, int location)
void
ExecCheckRTPerms(List *rangeTable)
{
+ if (enable_ranger)
+ {
+ if(rangeTable!=NULL)
+ ExecCheckRTPermsWithRanger(rangeTable);
+ return;
+ }
ListCell *l;
-
foreach(l, rangeTable)
{
ExecCheckRTEPerms((RangeTblEntry *) lfirst(l));
}
}
/*
+ * ExecCheckRTPerms
+ * Batch implementation: Check access permissions for all relations listed in a range table with enable_ranger is true.
+ */
+void
+ExecCheckRTPermsWithRanger(List *rangeTable)
+{
+ List *ranger_check_args = NIL;
+ ListCell *l;
+ foreach(l, rangeTable)
+ {
+
+ AclMode requiredPerms;
+ Oid relOid;
+ Oid userid;
+ RangeTblEntry *rte = (RangeTblEntry *) lfirst(l);
+
+ if (rte->rtekind != RTE_RELATION)
+ return;
+ requiredPerms = rte->requiredPerms;
+ if (requiredPerms == 0)
+ return;
+
+ relOid = rte->relid;
+ userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();
+
+ RangerPrivilegeArgs *ranger_check_arg = (RangerPrivilegeArgs *) palloc(sizeof(RangerPrivilegeArgs));
+ ranger_check_arg->objkind = ACL_KIND_CLASS;
+ ranger_check_arg->object_oid = relOid;
+ ranger_check_arg->roleid = userid;
+ ranger_check_arg->mask = requiredPerms;
+ ranger_check_arg->how = ACLMASK_ALL;
+ ranger_check_args = lappend(ranger_check_args, ranger_check_arg);
+
+ } // foreach
+
+ // ranger ACL check with package Oids
+ List *aclresults = NIL;
+ aclresults = pg_rangercheck_batch(ranger_check_args);
+ if (aclresults == NIL)
+ {
+ elog(ERROR, "ERROR\n");
--- End diff --
I would think this log does not help debugging much. Could we provide more info?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1047: HAWQ-1003. Implement batched ACL check th...
Posted by paul-guo- <gi...@git.apache.org>.
Github user paul-guo- commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1047#discussion_r91898169
--- Diff: src/backend/utils/misc/guc.c ---
@@ -8154,6 +8174,15 @@ static struct config_string ConfigureNamesString[] =
},
{
+ {"hawq_rps_address_host", PGC_POSTMASTER, PRESET_OPTIONS,
+ gettext_noop("rps server address hostname"),
+ NULL
+ },
+ &rps_addr_host,
+ "localhost", NULL, NULL
+ },
+
+ {
--- End diff --
Same as before.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---