Posted to commits@ranger.apache.org by rm...@apache.org on 2020/05/07 16:58:52 UTC
[ranger] branch master updated: RANGER-2813 [HBase]Not able to pull
execute permission given to user from getUserPermissions API in HBase
Ranger Coprocessor(Rajeshbabu)
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new c5fb46e RANGER-2813 [HBase]Not able to pull execute permission given to user from getUserPermissions API in HBase Ranger Coprocessor(Rajeshbabu)
c5fb46e is described below
commit c5fb46ebde5d2d257f79ca3b33aff01b286b1664
Author: Rajeshbabu Chintaguntla <ra...@apache.org>
AuthorDate: Thu May 7 10:25:18 2020 +0530
RANGER-2813 [HBase]Not able to pull execute permission given to user from getUserPermissions API in HBase Ranger Coprocessor(Rajeshbabu)
Signed-off-by: Ramesh Mani <ra...@gmail.com>
---
.../admin/service-defs/test-hbase-servicedef.json | 5 +++++
.../ranger/authorization/hbase/HbaseAuthUtils.java | 2 ++
.../ranger/authorization/hbase/HbaseAuthUtilsImpl.java | 18 ++++++++++++++++++
.../hbase/RangerAuthorizationCoprocessor.java | 17 ++++++++++-------
.../hbase/HBaseRangerAuthorizationTest.java | 2 +-
hbase-agent/src/test/resources/hbase-policies.json | 4 ++++
.../admin/service-defs/test-hbase-servicedef.json | 6 +++++-
7 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
index 71fae66..5356ed7 100644
--- a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
+++ b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
@@ -95,6 +95,11 @@
"write",
"create"
]
+ },
+ {
+ "itemId": 5,
+ "name": "execute",
+ "label": "Execute"
}
],
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
index 928a135..c9c598f 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
@@ -30,6 +30,8 @@ public interface HbaseAuthUtils {
String getAccess(Action action);
+ String getActionName(String access);
+
boolean isReadAccess(String access);
boolean isWriteAccess(String access);
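Review bot: The new interface method `getActionName(String access)` has no Javadoc, and its name does not show that it translates a Ranger access-type name into an HBase `Action` name. A short comment would cover it, for example `/** Maps a Ranger access type (e.g. ACCESS_TYPE_EXECUTE) to the name of the matching HBase Action; unrecognised types are returned upper-cased. */`. It should also say whether `access` may be null, because the implementation in HbaseAuthUtilsImpl switches on the string directly. The interface body continues outside this hunk.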
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
index 5754942..ffd99f6 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
@@ -72,4 +72,22 @@ public class HbaseAuthUtilsImpl implements HbaseAuthUtils {
}
return tableNameStr;
}
+
+ @Override
+ public String getActionName(String access) {
+ switch(access) {
+ case ACCESS_TYPE_READ:
+ return Action.READ.name();
+ case ACCESS_TYPE_WRITE:
+ return Action.WRITE.name();
+ case ACCESS_TYPE_CREATE:
+ return Action.CREATE.name();
+ case ACCESS_TYPE_ADMIN:
+ return Action.ADMIN.name();
+ case ACCESS_TYPE_EXECUTE:
+ return Action.EXEC.name();
+ default:
+ return access.toUpperCase();
+ }
+ }
}
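Review bot: The `default` branch of `getActionName` calls `access.toUpperCase()` with the JVM's default locale, so under some locales (Turkish, for example) an access type containing `i` will not upper-case to the ASCII name the caller compares against `Action` names. In authorization code a fixed locale is safer: `return access.toUpperCase(Locale.ROOT);`, which needs `java.util.Locale` imported if the file does not already have it. Separately, `switch(access)` throws a NullPointerException for a null key; if the ACL map can ever hold one, an early `if (access == null) return null;` or a documented non-null precondition would make that explicit.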
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index a5697f2..d304bec 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1357,7 +1357,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
- return getUserPrermissions(
+ return getUserPermissions(
hbasePlugin.getResourceACLs(rangerAccessrequest),
table.getNameAsString(), false);
}
@@ -1370,7 +1370,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
- return getUserPrermissions(
+ return getUserPermissions(
hbasePlugin.getResourceACLs(rangerAccessrequest),
namespace, true);
}
@@ -1380,7 +1380,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
- return getUserPrermissions(
+ return getUserPermissions(
hbasePlugin.getResourceACLs(rangerAccessrequest), null,
false);
}
@@ -1398,8 +1398,8 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
done.run(response);
}
- private List<UserPermission> getUserPrermissions(RangerResourceACLs rangerResourceACLs, String resource,
- boolean isNamespace) {
+ private List<UserPermission> getUserPermissions(RangerResourceACLs rangerResourceACLs, String resource,
+ boolean isNamespace) {
List<UserPermission> userPermissions = new ArrayList<UserPermission>();
Action[] hbaseActions = Action.values();
List<String> hbaseActionsList = new ArrayList<String>();
@@ -1419,7 +1419,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
String user = !isGroup ? userAcls.getKey() : AuthUtil.toGroupEntry(userAcls.getKey());
List<Action> allowedPermissions = new ArrayList<Action>();
for (Entry<String, AccessResult> permissionAccess : userAcls.getValue().entrySet()) {
- String permission = permissionAccess.getKey().toUpperCase();
+ String permission = _authUtils.getActionName(permissionAccess.getKey());
if (hbaseActionsList.contains(permission)
&& permissionAccess.getValue().getResult() == RangerPolicyEvaluator.ACCESS_ALLOWED) {
allowedPermissions.add(Action.valueOf(permission));
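Review bot: An access type whose mapped name is not in `hbaseActionsList` is still dropped here without any trace, which is how the missing `execute` permission went unnoticed before this fix. Since this API is what an administrator reads to audit effective permissions, a debug line when `!hbaseActionsList.contains(permission)` would make the next mapping gap visible, for example `LOG.debug("getUserPermissions(): no HBase action for access type '" + permissionAccess.getKey() + "'");`. The `if` and the enclosing loop continue outside this hunk, so the exact placement should be checked against the full method.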
@@ -1544,7 +1544,9 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
ret.setDelegateAdmin(Boolean.TRUE);
break;
-
+ case 'X':
+ ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
+ break;
default:
LOG.warn("grant(): ignoring action '" + action.name() + "' for user '" + userName + "'");
}
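Review bot: The new `case 'X'` changes what a grant does, but judging by the diffstat (a single changed line in HBaseRangerAuthorizationTest) the commit adds no test for it: the only test change covers `getUserPermissions`. An HBase grant carrying EXEC was previously ignored with a warning and now results in `ACCESS_TYPE_EXECUTE` being added to the Ranger request. The same applies to the revoke hunk at -1639, which now lists `ACCESS_TYPE_EXECUTE` among the access types in the revoke request. A test that grants EXEC, reads it back through `getUserPermissions`, then revokes and confirms it is gone would pin both paths. The switch and its enclosing method start outside this hunk.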
@@ -1639,6 +1641,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
+ ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
return ret;
}
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
index bf4bc97..537c0b6 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
@@ -1026,7 +1026,7 @@ public class HBaseRangerAuthorizationTest {
throw new Exception(e);
}
UserPermission userPermission = new UserPermission(Bytes.toBytes("@IT"), TableName.valueOf("temp5"), null,
- Permission.Action.READ, Permission.Action.WRITE);
+ Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC);
Assert.assertTrue("@IT permission should be there", userPermissions.contains(userPermission));
}
diff --git a/hbase-agent/src/test/resources/hbase-policies.json b/hbase-agent/src/test/resources/hbase-policies.json
index 6213a0e..61960c0 100644
--- a/hbase-agent/src/test/resources/hbase-policies.json
+++ b/hbase-agent/src/test/resources/hbase-policies.json
@@ -169,6 +169,10 @@
{
"type": "write",
"isAllowed": true
+ },
+ {
+ "type": "execute",
+ "isAllowed": true
}
],
"users": [],
diff --git a/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
index 71fae66..7e458cf 100644
--- a/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
+++ b/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
@@ -84,7 +84,6 @@
"name": "create",
"label": "Create"
},
-
{
"itemId": 4,
"name": "admin",
@@ -95,6 +94,11 @@
"write",
"create"
]
+ },
+ {
+ "itemId": 5,
+ "name": "execute",
+ "label": "Execute"
}
],