Posted to commits@ranger.apache.org by rm...@apache.org on 2020/05/07 16:58:52 UTC

[ranger] branch master updated: RANGER-2813 [HBase]Not able to pull execute permission given to user from getUserPermissions API in HBase Ranger Coprocessor(Rajeshbabu)

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new c5fb46e  RANGER-2813 [HBase]Not able to pull execute permission given to user from getUserPermissions API in HBase Ranger Coprocessor(Rajeshbabu)
c5fb46e is described below

commit c5fb46ebde5d2d257f79ca3b33aff01b286b1664
Author: Rajeshbabu Chintaguntla <ra...@apache.org>
AuthorDate: Thu May 7 10:25:18 2020 +0530

    RANGER-2813 [HBase]Not able to pull execute permission given to user from getUserPermissions API in HBase Ranger Coprocessor(Rajeshbabu)
    
    Signed-off-by: Ramesh Mani <ra...@gmail.com>
---
 .../admin/service-defs/test-hbase-servicedef.json      |  5 +++++
 .../ranger/authorization/hbase/HbaseAuthUtils.java     |  2 ++
 .../ranger/authorization/hbase/HbaseAuthUtilsImpl.java | 18 ++++++++++++++++++
 .../hbase/RangerAuthorizationCoprocessor.java          | 17 ++++++++++-------
 .../hbase/HBaseRangerAuthorizationTest.java            |  2 +-
 hbase-agent/src/test/resources/hbase-policies.json     |  4 ++++
 .../admin/service-defs/test-hbase-servicedef.json      |  6 +++++-
 7 files changed, 45 insertions(+), 9 deletions(-)

diff --git a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
index 71fae66..5356ed7 100644
--- a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
+++ b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
@@ -95,6 +95,11 @@
 				"write",
 				"create"
 			]
+		},
+		{
+			"itemId": 5,
+			"name": "execute",
+			"label": "Execute"
 		}
 	],
 
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
index 928a135..c9c598f 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
@@ -30,6 +30,8 @@ public interface HbaseAuthUtils {
 
 	String getAccess(Action action);
 
+	String getActionName(String access);
+
 	boolean isReadAccess(String access);
 	
 	boolean isWriteAccess(String access);
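Review bot: The new `getActionName(String access)` has no Javadoc, and its name does not say that it is the reverse of `getAccess(Action)` or what it returns for an access type that has no HBase counterpart. Going by the implementation in HbaseAuthUtilsImpl, a comment such as `/** Maps a Ranger access type (e.g. "execute") to the HBase Action enum name (e.g. "EXEC"); unmapped types are returned upper-cased. */` would document the contract. It should also state whether a null `access` is permitted, because callers use the result to decide which permissions get reported.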
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
index 5754942..ffd99f6 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
@@ -72,4 +72,22 @@ public class HbaseAuthUtilsImpl implements HbaseAuthUtils {
 		}
 		return tableNameStr;
 	}
+
+	@Override
+	public String getActionName(String access) {
+		switch(access) {
+			case ACCESS_TYPE_READ:
+				return Action.READ.name();
+			case ACCESS_TYPE_WRITE:
+				return Action.WRITE.name();
+			case ACCESS_TYPE_CREATE:
+				return Action.CREATE.name();
+			case ACCESS_TYPE_ADMIN:
+				return Action.ADMIN.name();
+			case ACCESS_TYPE_EXECUTE:
+				return Action.EXEC.name();
+			default:
+				return access.toUpperCase();
+		}
+	}
 }
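Review bot: The `default` branch calls `access.toUpperCase()` with the JVM default locale, so on a Turkish-locale host an access type containing `i` that reaches this branch (for example a mixed-case spelling that misses the case labels) upper-cases to a dotted `İ`. It then no longer matches any `Action` name and the permission is left out of the result. Use `return access.toUpperCase(Locale.ROOT);`, which needs `java.util.Locale` imported. Separately, `switch(access)` throws a NullPointerException on a null argument; if a null key can reach this method, which is not visible here, add a guard such as `if (access == null) return null;` or document the argument as non-null.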
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index a5697f2..d304bec 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1357,7 +1357,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 				perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
 					@Override
 					public List<UserPermission> run() throws Exception {
-						return getUserPrermissions(
+						return getUserPermissions(
 								hbasePlugin.getResourceACLs(rangerAccessrequest),
 								table.getNameAsString(), false);
 					}
@@ -1370,7 +1370,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 				perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
 					@Override
 					public List<UserPermission> run() throws Exception {
-						return getUserPrermissions(
+						return getUserPermissions(
 								hbasePlugin.getResourceACLs(rangerAccessrequest),
 								namespace, true);
 					}
@@ -1380,7 +1380,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 				perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
 					@Override
 					public List<UserPermission> run() throws Exception {
-						return getUserPrermissions(
+						return getUserPermissions(
 								hbasePlugin.getResourceACLs(rangerAccessrequest), null,
 								false);
 					}
@@ -1398,8 +1398,8 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		done.run(response);
 	}
 
-	private List<UserPermission> getUserPrermissions(RangerResourceACLs rangerResourceACLs, String resource,
-			boolean isNamespace) {
+	private List<UserPermission> getUserPermissions(RangerResourceACLs rangerResourceACLs, String resource,
+                                                    boolean isNamespace) {
 		List<UserPermission> userPermissions = new ArrayList<UserPermission>();
 		Action[] hbaseActions = Action.values();
 		List<String> hbaseActionsList = new ArrayList<String>();
@@ -1419,7 +1419,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 			String user = !isGroup ? userAcls.getKey() : AuthUtil.toGroupEntry(userAcls.getKey());
 			List<Action> allowedPermissions = new ArrayList<Action>();
 			for (Entry<String, AccessResult> permissionAccess : userAcls.getValue().entrySet()) {
-				String permission = permissionAccess.getKey().toUpperCase();
+				String permission = _authUtils.getActionName(permissionAccess.getKey());
 				if (hbaseActionsList.contains(permission)
 						&& permissionAccess.getValue().getResult() == RangerPolicyEvaluator.ACCESS_ALLOWED) {
 					allowedPermissions.add(Action.valueOf(permission));
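Review bot: An access type that `getActionName` cannot map to an HBase `Action` name is still dropped without a trace by the `hbaseActionsList.contains(permission)` check, which is presumably how the missing execute permission went unnoticed in this API's output. Since the result is a listing of effective grants, consider logging the skipped type when `contains` is false, for example `LOG.debug("getUserPermissions(): no HBase action for access type '" + permissionAccess.getKey() + "'");`. The log must be conditioned on the `contains` test alone and not on the combined condition, otherwise denied results would be logged too. The loop body continues past the end of this hunk, so the placement needs checking against the full method.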
@@ -1544,7 +1544,9 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 					ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
 					ret.setDelegateAdmin(Boolean.TRUE);
 				break;
-
+				case 'X':
+					ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
+				break;
 				default:
 					LOG.warn("grant(): ignoring action '" + action.name() + "' for user '" + userName + "'");
 			}
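Review bot: The new `case 'X'` branch has no test in this commit: the only test change, in HBaseRangerAuthorizationTest, checks the getUserPermissions output and not the grant path. Before this change an EXEC action fell through to the `default` branch and was ignored with a warning, so a grant issued through HBase now adds execute access to the Ranger policy where it previously did not. That behaviour change is worth stating in the commit message or release notes. The hunk at -1639 likewise adds `HbaseAuthUtils.ACCESS_TYPE_EXECUTE` to a list built in a method that starts outside the hunk, and it is not covered by a test either. The switch itself begins outside this hunk, so the value being switched on is assumed to be the action's one-character code.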
@@ -1639,6 +1641,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
 		ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
 		ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
+		ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
 
 		return ret;
 	}
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
index bf4bc97..537c0b6 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
@@ -1026,7 +1026,7 @@ public class HBaseRangerAuthorizationTest {
 			throw new Exception(e);
 		}
 		UserPermission userPermission = new UserPermission(Bytes.toBytes("@IT"), TableName.valueOf("temp5"), null,
-				Permission.Action.READ, Permission.Action.WRITE);
+				Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC);
 		Assert.assertTrue("@IT permission should be there", userPermissions.contains(userPermission));
 
 	}
diff --git a/hbase-agent/src/test/resources/hbase-policies.json b/hbase-agent/src/test/resources/hbase-policies.json
index 6213a0e..61960c0 100644
--- a/hbase-agent/src/test/resources/hbase-policies.json
+++ b/hbase-agent/src/test/resources/hbase-policies.json
@@ -169,6 +169,10 @@
             {
               "type": "write",
               "isAllowed": true
+            },
+            {
+              "type": "execute",
+              "isAllowed": true
             }
           ],
           "users": [],
diff --git a/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
index 71fae66..7e458cf 100644
--- a/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
+++ b/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
@@ -84,7 +84,6 @@
 			"name": "create",
 			"label": "Create"
 		},
-
 		{
 			"itemId": 4,
 			"name": "admin",
@@ -95,6 +94,11 @@
 				"write",
 				"create"
 			]
+		},
+		{
+			"itemId": 5,
+			"name": "execute",
+			"label": "Execute"
 		}
 	],