Posted to commits@ranger.apache.org by me...@apache.org on 2020/09/11 12:20:09 UTC

[ranger] branch ranger-2.2 updated: RANGER-2983 : Add hbase users with Decrypteek permission in default policy for cm_kms repo

This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
     new 7d3e3f8  RANGER-2983 : Add hbase users with Decrypteek permission in default policy for cm_kms repo
7d3e3f8 is described below

commit 7d3e3f83539e3ad2e9a5b968ceada4fe5e9b3356
Author: Dhaval B. Shah <dh...@gmail.com>
AuthorDate: Fri Sep 4 16:31:32 2020 +0530

    RANGER-2983 : Add hbase users with Decrypteek permission in default policy for cm_kms repo
    
    Signed-off-by: Mehul Parikh <me...@apache.org>
---
 .../org/apache/ranger/services/kms/RangerServiceKMS.java     | 12 ++++++++++++
 .../src/main/resources/conf.dist/ranger-admin-site.xml       |  4 ++++
 2 files changed, 16 insertions(+)

diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index d33d608..8af592b 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
@@ -115,6 +115,7 @@ public class RangerServiceKMS extends RangerBaseService {
 		// Add default policies for HDFS & HIVE users.
 		List<RangerServiceDef.RangerAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 		List<RangerServiceDef.RangerAccessTypeDef> hiveAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+		List<RangerServiceDef.RangerAccessTypeDef> hbaseAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 
 		for(RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
 			if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
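Review bot: The context comment `// Add default policies for HDFS & HIVE users.` directly above the new `hbaseAccessTypeDefs` declaration is now out of date, since the method also builds a default policy item for HBase; it should read `// Add default policies for HDFS, HIVE & HBASE users.`. A short comment on the new list saying which access types it is meant to hold (only the Decrypt EEK type, judging by the next hunk) would make the narrower grant for HBase explicit to the next reader. The enclosing method starts before this hunk and continues past it.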
@@ -124,6 +125,7 @@ public class RangerServiceKMS extends RangerBaseService {
 				hdfsAccessTypeDefs.add(accessTypeDef);
 			} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
 				hiveAccessTypeDefs.add(accessTypeDef);
+				hbaseAccessTypeDefs.add(accessTypeDef);
 			}
 		}
 
@@ -164,6 +166,16 @@ public class RangerServiceKMS extends RangerBaseService {
 				RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(hiveAccessTypeDefs, users);
 				policyItems.add(policyItem);
 			}
+
+			String hbaseUser = getConfig().get("ranger.kms.service.user.hbase", "hbase");
+
+			if (hbaseUser != null && !hbaseUser.isEmpty()) {
+				LOG.info("Creating default KMS policy item for " + hbaseUser);
+				List<String> users = new ArrayList<String>();
+				users.add(hbaseUser);
+				RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(hbaseAccessTypeDefs, users);
+				policyItems.add(policyItem);
+			}
 		}
 
 		if (LOG.isDebugEnabled()) {
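Review bot: The added block creates a Decrypt EEK grant for a user named `hbase` even when the administrator never set the property, because `getConfig().get("ranger.kms.service.user.hbase", "hbase")` falls back to `hbase`; the only opt-out is an empty value, which this commit does not document. On a cluster that does not run HBase this leaves a standing decrypt grant for an account name that may be unused or created later, so I would add a comment above the lookup such as `// Set ranger.kms.service.user.hbase to an empty value to skip the HBase DECRYPT_EEK grant` and make the log line name the access for audit purposes, `LOG.info("Creating default KMS policy item (" + ACCESS_TYPE_DECRYPT_EEK + ") for " + hbaseUser);`. The emptiness check also lets a whitespace-only value through as a user name; `!hbaseUser.trim().isEmpty()` would reject it. The enclosing method and the resource scope of the default policy are outside the hunk, so which keys this grant covers cannot be confirmed from here.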
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index c410984..12eb8fe 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -309,6 +309,10 @@
         <name>ranger.kms.service.user.hive</name>
         <value>hive</value>
     </property>
+    <property>
+        <name>ranger.kms.service.user.hbase</name>
+        <value>hbase</value>
+    </property>
 
     <property>
         <name>ranger.audit.hive.query.visibility</name>