Posted to commits@ranger.apache.org by ma...@apache.org on 2016/12/02 21:33:58 UTC

[2/2] incubator-ranger git commit: RANGER-1239: fix in hbase grant handling of namespace level permissions

RANGER-1239: fix in hbase grant handling of namespace level permissions

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/39b23e5a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/39b23e5a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/39b23e5a

Branch: refs/heads/master
Commit: 39b23e5a6cd6185c45853e43af72e6eb2f68f5cd
Parents: 3989b67
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Nov 30 12:25:50 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Dec 2 13:16:14 2016 -0800

----------------------------------------------------------------------
 .../plugin/policyengine/TestPolicyEngine.java   |  7 +++
 .../test_policyengine_hbase_namespace.json      | 57 ++++++++++++++++++++
 .../hbase/AuthorizationSession.java             | 17 +++++-
 3 files changed, 79 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/39b23e5a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 9176808..b0d103e 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -223,6 +223,13 @@ public class TestPolicyEngine {
 	}
 
 	@Test
+	public void testPolicyEngine_hbase_namespace() {
+		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase_namespace.json" };
+
+		runTestsFromResourceFiles(hbaseTestResourceFiles);
+	}
+
+	@Test
 	public void testPolicyEngine_conditions() {
 		String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_conditions.json" };
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/39b23e5a/agents-common/src/test/resources/policyengine/test_policyengine_hbase_namespace.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hbase_namespace.json b/agents-common/src/test/resources/policyengine/test_policyengine_hbase_namespace.json
new file mode 100644
index 0000000..258d8b8
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hbase_namespace.json
@@ -0,0 +1,57 @@
+{
+  "serviceName":"hbasedev",
+
+  "serviceDef":{
+    "name":"hbase",
+    "id":2,
+    "resources":[
+      {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Table","description":"HBase Table"},
+      {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column-Family","description":"HBase Column-Family"},
+      {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column","description":"HBase Column"}
+    ],
+    "accessTypes":[
+      {"name":"read","label":"Read"},
+      {"name":"write","label":"Write"},
+      {"name":"create","label":"Create"},
+      {"name":"admin","label":"Admin","impliedGrants":["read","write","create"]}
+    ]
+  },
+
+  "policies":[
+    {"id":1,"name":"table=*; column-family=*; column=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"table":{"values":["*"]},"column-family":{"values":["*"]}, "column":{"values":["*"]}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
+          {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+    ,
+    {"id":2,"name":"table=namespace_1:*; column-family=*; column=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"table":{"values":["namespace_1:*"]},"column-family":{"values":["*"]}, "column":{"values":["*"]}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
+          {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+      ,
+        {"accesses":[{"type":"admin","isAllowed":true}],"users":["hrt_qa"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ],
+
+  "tests":[
+    {"name":"TEST!!! ALLOW 'create namespace namespace_1;' for hrt_qa",
+      "request":{
+        "resource":{"elements":{"table":"namespace_1:"}},
+        "accessType":"admin","user":"hrt_qa","userGroups":[],"requestData":"create namespace namespace_1;' for hrt_qa"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    }
+  ,
+    {"name":"TEST!!! DENY 'create namespace namespace_2;' for hrt_qa",
+      "request":{
+        "resource":{"elements":{"table":"namespace_2:"}},
+        "accessType":"admin","user":"hrt_qa","userGroups":[],"requestData":"create namespace namespace_2;' for hrt_qa"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+  ]
+}
\ No newline at end of file
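Review bot: The fixture only exercises a grantee whose policy already spans the whole namespace (`"table":{"values":["namespace_1:*"]}`, policy 2), so it never checks the case that matters for a grant-scope fix: a user holding admin on a single table inside the namespace must still be denied the namespace-level operation. Consider adding a third policy with `"table":{"values":["namespace_1:table_x"]}` granting `admin` to a second user, plus a test that `"table":"namespace_1:"` with `"accessType":"admin"` for that user yields `"isAllowed":false`. As written, both tests pass as long as the wildcard matcher treats `namespace_1:*` as covering `namespace_1:`, which is the only behavior pinned here. The `requestData` strings also carry a stray `'` (`create namespace namespace_1;' for hrt_qa`); harmless for the engine but worth tidying.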

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/39b23e5a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index e49405d..dedbe1e 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -22,6 +22,7 @@ package org.apache.ranger.authorization.hbase;
 import java.util.List;
 import java.util.Set;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hbase.security.AccessDeniedException;
@@ -159,7 +160,15 @@ public class AuthorizationSession {
 	boolean isProvided(String aString) {
 		return aString != null && !aString.isEmpty();
 	}
-	
+
+	boolean isNameSpaceOperation() {
+		return StringUtils.equals(_operation, "createNamespace") ||
+				StringUtils.equals(_operation, "deleteNamespace") ||
+				StringUtils.equals(_operation, "modifyNamespace") ||
+				StringUtils.equals(_operation, "setUserNamespaceQuota") ||
+				StringUtils.equals(_operation, "setNamespaceQuota");
+	}
+
 	AuthorizationSession buildRequest() {
 
 		verifyBuildable();
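Review bot: The new `isNameSpaceOperation()` is an allow-list that decides whether a request is authorized against a namespace or against a table, yet it is spelled out as five repeated `StringUtils.equals` calls with inline literals; any HBase hook that forwards a namespace operation under a name not in this chain is silently evaluated as a table request. Moving the names into a `static final Set<String>` constant makes the list reviewable in one place and easier to keep in step with the coprocessor hooks that feed `_operation` (set outside this hunk, so I cannot confirm the full set of values it takes). The method name also mixes `NameSpace` with the operation literals' `Namespace`; `isNamespaceOperation` would match the rest of the vocabulary. `buildRequest()` continues past the end of this hunk.

```java
// Operations whose authorization target is a namespace rather than a table;
// keep in step with the HBase hooks that populate _operation.
// (needs java.util.Arrays and java.util.HashSet in the import block)
private static final Set<String> NAMESPACE_OPERATIONS = new HashSet<>(Arrays.asList(
		"createNamespace", "deleteNamespace", "modifyNamespace",
		"setUserNamespaceQuota", "setNamespaceQuota"));

boolean isNameSpaceOperation() {
	return NAMESPACE_OPERATIONS.contains(_operation);
}
```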
@@ -168,7 +177,11 @@ public class AuthorizationSession {
 		// TODO get this via a factory instead
 		RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
 		// policy engine should deal sensibly with null/empty values, if any
-		resource.setValue("table", _table);
+		if (isNameSpaceOperation() && StringUtils.isNotBlank(_otherInformation)) {
+				resource.setValue("table", _otherInformation + ":");
+		} else {
+			resource.setValue("table", _table);
+		}
 		resource.setValue("column-family", _columnFamily);
 		resource.setValue("column", _column);