Posted to commits@ranger.apache.org by rm...@apache.org on 2021/09/12 05:33:28 UTC

[ranger] branch master updated (15f5c38 -> 0f0285c)

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git.


    from 15f5c38  RANGER-3387 : Ranger Admin Header Validation
     new 6ee120f  RANGER-3400:Include htrace-core.jar in tagsync, usersync and kms module to avoid startup issue
     new 0f0285c  RANGER-3368:Ranger HiveAuthorizer improvements to handle uncharted hive commands-exclude some hive commands from the check for input output HiveObjects

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 distro/src/main/assembly/kms.xml                   |  4 +++
 distro/src/main/assembly/tagsync.xml               |  1 +
 distro/src/main/assembly/usersync.xml              |  1 +
 .../hive/authorizer/RangerHiveAuthorizer.java      | 40 ++++++++++++++++++++--
 4 files changed, 44 insertions(+), 2 deletions(-)

[ranger] 01/02: RANGER-3400:Include htrace-core.jar in tagsync, usersync and kms module to avoid startup issue

Posted by rm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 6ee120f8d3911701c41b810191249d0b8756db89
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Mon Sep 6 22:44:31 2021 -0700

    RANGER-3400:Include htrace-core.jar in tagsync, usersync and kms module to avoid startup issue
    
    Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
 distro/src/main/assembly/kms.xml      | 4 ++++
 distro/src/main/assembly/tagsync.xml  | 1 +
 distro/src/main/assembly/usersync.xml | 1 +
 3 files changed, 6 insertions(+)

diff --git a/distro/src/main/assembly/kms.xml b/distro/src/main/assembly/kms.xml
index 598ac17..aacdcf1 100755
--- a/distro/src/main/assembly/kms.xml
+++ b/distro/src/main/assembly/kms.xml
@@ -80,6 +80,7 @@
                     <include>org.apache.curator:curator-recipes</include>
                     <include>com.google.code.gson:gson</include>
                     <include>org.apache.hadoop:hadoop-annotations</include>
+                    <include>org.apache.htrace:htrace-core4</include>
                     <include>org.apache.httpcomponents:httpcore</include>
                     <include>org.codehaus.jackson:jackson-core-asl</include>
                     <include>org.codehaus.jackson:jackson-jaxrs</include>
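Review bot: The new `org.apache.htrace:htrace-core4` includes (here, in the three later kms.xml hunks, and in tagsync.xml and usersync.xml) carry no comment saying why the jar is needed or when it can be dropped. Apache HTrace is a retired project, so the artifact will receive no further security fixes. Published htrace-core4 builds are known to bundle relocated third-party classes such as Jackson; whether the version behind `${htrace-core.version}` does so is not visible in this diff and should be checked with a dependency scan of the built distributions. A comment next to each include would make the intent traceable, for example `<!-- RANGER-3400: htrace-core4 needed at startup; upstream HTrace is retired, remove once no longer required -->`.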
@@ -102,6 +103,7 @@
                     <include>org.noggit:noggit:jar:${noggit.version}</include>
                     <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
                     <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+                    <include>org.apache.htrace:htrace-core4:jar:${htrace-core.version}</include>
                     <include>org.codehaus.woodstox:stax2-api</include>
                     <include>com.fasterxml.woodstox:woodstox-core</include>
                     <include>com.fasterxml.jackson.core:jackson-core</include>
@@ -191,6 +193,7 @@
                     <include>org.eclipse.jdt.core.compiler:ecj:jar:P20140317-1600</include>
                     <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
                     <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+                    <include>org.apache.htrace:htrace-core4:jar:${htrace-core.version}</include>
                     <include>org.apache.solr:solr-solrj:jar:${solr.version}</include>
                     <include>org.apache.ranger:ranger-plugins-common</include>
                     <include>com.kstruct:gethostname4j:jar:${kstruct.gethostname4j.version}</include>
@@ -348,6 +351,7 @@
                     <include>org.slf4j:slf4j-api</include>
                     <include>org.apache.hadoop:hadoop-common</include>
                     <include>org.apache.hadoop:hadoop-auth</include>
+                    <include>org.apache.htrace:htrace-core4</include>
                     <include>org.codehaus.woodstox:stax2-api</include>
                     <include>com.fasterxml.woodstox:woodstox-core</include>
                     <include>org.apache.commons:commons-compress:jar:${commons.compress.version}</include>
diff --git a/distro/src/main/assembly/tagsync.xml b/distro/src/main/assembly/tagsync.xml
index 6919ad5..82d716f 100644
--- a/distro/src/main/assembly/tagsync.xml
+++ b/distro/src/main/assembly/tagsync.xml
@@ -85,6 +85,7 @@
 							<include>log4j:log4j:jar:${log4j.version}</include>
 							<include>org.codehaus.woodstox:stax2-api</include>
 							<include>com.fasterxml.woodstox:woodstox-core</include>
+							<include>org.apache.htrace:htrace-core4</include>
 							<include>com.kstruct:gethostname4j:jar:${kstruct.gethostname4j.version}</include>
 							<include>net.java.dev.jna:jna:jar:${jna.version}</include>
 							<include>net.java.dev.jna:jna-platform:jar:${jna-platform.version}</include>
diff --git a/distro/src/main/assembly/usersync.xml b/distro/src/main/assembly/usersync.xml
index fb4abbb..5279f65 100644
--- a/distro/src/main/assembly/usersync.xml
+++ b/distro/src/main/assembly/usersync.xml
@@ -62,6 +62,7 @@
 							<include>org.apache.ranger:ugsync-util</include>
 							<include>org.codehaus.woodstox:stax2-api</include>
 							<include>com.fasterxml.woodstox:woodstox-core</include>
+							<include>org.apache.htrace:htrace-core4</include>
 							<include>com.kstruct:gethostname4j:jar:${kstruct.gethostname4j.version}</include>
 							<include>net.java.dev.jna:jna:jar:${jna.version}</include>
 							<include>net.java.dev.jna:jna-platform:jar:${jna-platform.version}</include>

[ranger] 02/02: RANGER-3368:Ranger HiveAuthorizer improvements to handle uncharted hive commands-exclude some hive commands from the check for input output HiveObjects

Posted by rm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 0f0285cb94e9b36221d673936320a82f5a3f3806
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Mon Sep 6 22:02:47 2021 -0700

    RANGER-3368:Ranger HiveAuthorizer improvements to handle uncharted hive commands-exclude some hive commands from the check for input output HiveObjects
    
    Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 40 ++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 7558034..e0934de 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -995,8 +995,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 				}
 			}
 
-			if (CollectionUtils.isEmpty(requests)) {
-				throw new HiveAccessControlException(String.format("Unable to authorize...HivePrivilegeObjects are not available to authorize this command!"));
+			if (CollectionUtils.isEmpty(requests) && !IsCommandInExceptionList(hiveOpType)) {
+				String commandString = context == null ? "" : context.getCommandString();
+				throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , HivePrivilegeObjects are not available to authorize this command!", commandString));
 			}
 
 			buildRequestContextWithAllAccessedResources(requests);
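Review bot: The added `&& !IsCommandInExceptionList(hiveOpType)` clause turns the empty-`requests` case from a denial into a pass-through for the listed operations. Execution continues to `buildRequestContextWithAllAccessedResources(requests)` with nothing to evaluate, and nothing in this hunk records that a command went through unchecked. The enclosing method starts and ends outside the hunk, so whether those operations are authorized or audited on another path cannot be confirmed here. A comment at the `if`, such as `// Exempt operations arrive with no HivePrivilegeObjects; see IsCommandInExceptionList for why each may skip this denial`, plus a debug log or audit entry for the bypass, would make this reviewable. Separately, the raw `context.getCommandString()` is now embedded in the exception message, and statement text can carry literals such as credentials in URIs or `SET` values, so consider truncating or redacting it before it reaches client errors and logs.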
@@ -2467,6 +2468,41 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		}
 	}
 
+	private boolean IsCommandInExceptionList(HiveOperationType hiveOpType) {
+		boolean ret = false;
+		switch (hiveOpType) {
+			case CREATEMACRO:
+			case CREATEROLE:
+			case DESCFUNCTION:
+			case DELETE:
+			case DFS:
+			case DROPMACRO:
+			case DROPROLE:
+			case EXPLAIN:
+			case GRANT_ROLE:
+			case REVOKE_ROLE:
+			case RESET:
+			case SET:
+			case SHOWDATABASES:
+			case SHOWCONF:
+			case SHOWFUNCTIONS:
+			case SHOWLOCKS:
+			case SHOW_COMPACTIONS:
+			case SHOW_GRANT:
+			case SHOW_ROLES:
+			case SHOW_ROLE_GRANT:
+			case SHOW_ROLE_PRINCIPALS:
+			case SHOW_TRANSACTIONS:
+			case REPLDUMP:
+			case REPLLOAD:
+			case REPLSTATUS:
+			case ADD:
+				ret = true;
+				break;
+		}
+		return ret;
+	}
+
 	private RangerRequestedResources buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> requests) {
 
 		RangerRequestedResources requestedResources = new RangerRequestedResources();
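Review bot: `IsCommandInExceptionList` is in effect an authorization allow-list, yet no comment explains why each operation may skip the empty-request denial. It mixes state-changing entries (`DELETE`, `DFS`, `ADD`, `GRANT_ROLE`, `REVOKE_ROLE`, `REPLLOAD`) with read-only `SHOW*` ones. `switch (hiveOpType)` also throws a NullPointerException if the argument is ever null, and the method name does not follow lowerCamelCase. A documented constant set with a null-safe lookup, as sketched below, keeps the list in one reviewable place. It needs `java.util.EnumSet` and `java.util.Set` if the file does not already import them, and the method name is kept so the call site in the earlier hunk still compiles.

```java
	// Operations for which Hive may pass no HivePrivilegeObjects. Every entry skips the
	// empty-request denial in checkPrivileges, so each one must be authorized or audited
	// on another path -- TODO(review): confirm and note that path per entry.
	private static final Set<HiveOperationType> COMMANDS_WITHOUT_PRIVILEGE_OBJECTS = EnumSet.of(
			HiveOperationType.CREATEMACRO, HiveOperationType.CREATEROLE, HiveOperationType.DESCFUNCTION,
			HiveOperationType.DELETE, HiveOperationType.DFS, HiveOperationType.DROPMACRO,
			HiveOperationType.DROPROLE, HiveOperationType.EXPLAIN, HiveOperationType.GRANT_ROLE,
			HiveOperationType.REVOKE_ROLE, HiveOperationType.RESET, HiveOperationType.SET,
			HiveOperationType.SHOWDATABASES, HiveOperationType.SHOWCONF, HiveOperationType.SHOWFUNCTIONS,
			HiveOperationType.SHOWLOCKS, HiveOperationType.SHOW_COMPACTIONS, HiveOperationType.SHOW_GRANT,
			HiveOperationType.SHOW_ROLES, HiveOperationType.SHOW_ROLE_GRANT,
			HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveOperationType.SHOW_TRANSACTIONS,
			HiveOperationType.REPLDUMP, HiveOperationType.REPLLOAD, HiveOperationType.REPLSTATUS,
			HiveOperationType.ADD);

	private boolean IsCommandInExceptionList(HiveOperationType hiveOpType) {
		// A null operation type is treated as not exempt, so the caller's denial still applies.
		return hiveOpType != null && COMMANDS_WITHOUT_PRIVILEGE_OBJECTS.contains(hiveOpType);
	}
	// … unchanged: buildRequestContextWithAllAccessedResources …
```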