You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by rm...@apache.org on 2021/01/05 16:23:20 UTC
[ranger] branch ranger-2.2 updated: RANGER-3140:Ranger ShutdownHook
hook to be called in RangerHBaseCoprocessor preShutdown apis for a clean
shutdown of HBase
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 38dbf7c RANGER-3140:Ranger ShutdownHook hook to be called in RangerHBaseCoprocessor preShutdown apis for a clean shutdown of HBase
38dbf7c is described below
commit 38dbf7cceae8bc43aee53be4cc10d04a2821dda4
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Mon Jan 4 23:33:32 2021 -0800
RANGER-3140:Ranger ShutdownHook hook to be called in RangerHBaseCoprocessor preShutdown apis for a clean shutdown of HBase
Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
.../audit/provider/AuditProviderFactory.java | 7 +++-
.../apache/ranger/audit/queue/AuditFileSpool.java | 1 +
.../authorization/hbase/AuthorizationSession.java | 2 +-
.../hbase/RangerAuthorizationCoprocessor.java | 44 ++++++++++++++++++++++
4 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
index 1be9c2f..f971a76 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
@@ -19,6 +19,7 @@
package org.apache.ranger.audit.provider;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import java.util.concurrent.Semaphore;
@@ -71,6 +72,7 @@ public class AuditProviderFactory {
private String componentAppType = "";
private boolean mInitDone = false;
private JVMShutdownHook jvmShutdownHook = null;
+ private ArrayList<String> hbaseAppTypes = new ArrayList<>(Arrays.asList("hbaseMaster","hbaseRegional"));
public AuditProviderFactory() {
LOG.info("AuditProviderFactory: creating..");
@@ -476,7 +478,10 @@ public class AuditProviderFactory {
private void installJvmSutdownHook(Properties props) {
int shutdownHookMaxWaitSeconds = MiscUtil.getIntProperty(props, AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC, AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC_DEFAULT);
jvmShutdownHook = new JVMShutdownHook(mProvider, shutdownHookMaxWaitSeconds);
- ShutdownHookManager.get().addShutdownHook(jvmShutdownHook, RANGER_AUDIT_SHUTDOWN_HOOK_PRIORITY);
+ String appType = this.componentAppType;
+ if (appType != null && !hbaseAppTypes.contains(appType)) {
+ ShutdownHookManager.get().addShutdownHook(jvmShutdownHook, RANGER_AUDIT_SHUTDOWN_HOOK_PRIORITY);
+ }
}
private static class RangerAsyncAuditCleanup implements Runnable {
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
index cbd819d..f8c2aa5 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
@@ -864,6 +864,7 @@ public class AuditFileSpool implements Runnable {
}
} catch (InterruptedException e) {
logger.info("Caught exception in consumer thread. Shutdown might be in progress");
+ break;
} catch (Throwable t) {
logger.error("Exception in destination writing thread.", t);
}
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index 1b13d3b..95ab504 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -243,7 +243,7 @@ public class AuthorizationSession {
}
boolean authorized = isAuthorized();
- if (_auditHandler != null) {
+ if (_auditHandler != null && isAudited()) {
List<AuthzAuditEvent> events = null;
/*
* What we log to audit depends on authorization status. For success we log all accumulated events. In case of failure
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index d9872ff..2232953 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -58,10 +58,13 @@ import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.hbase.wal.WALEdit;
import org.apache.hadoop.security.AccessControlException;
import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.audit.provider.AuditProviderFactory;
import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
@@ -1022,6 +1025,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
@Override
public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
requirePermission(c, "shutdown", Permission.Action.ADMIN);
+ cleanUp_HBaseRangerPlugin();
}
@Override
public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, TableDescriptor hTableDescriptor) throws IOException {
@@ -1031,10 +1035,12 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
@Override
public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
requirePermission(c, "stopMaster", Permission.Action.ADMIN);
+ cleanUp_HBaseRangerPlugin();
}
@Override
public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> env) throws IOException {
requirePermission(env, "stop", Permission.Action.ADMIN);
+ cleanUp_HBaseRangerPlugin();
}
@Override
public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo, boolean force) throws IOException {
@@ -1645,6 +1651,24 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
return ret;
}
+
+ private void cleanUp_HBaseRangerPlugin() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.cleanUp_HBaseRangerPlugin()");
+ }
+ if (hbasePlugin != null) {
+ hbasePlugin.setHBaseShuttingDown(true);
+ hbasePlugin.cleanup();
+ AuditProviderFactory auditProviderFactory = hbasePlugin.getAuditProviderFactory();
+ if (auditProviderFactory != null) {
+ auditProviderFactory.shutdown();
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.cleanUp_HBaseRangerPlugin() completed!");
+ }
+ }
+
private String getCommandString(String operationName, String tableNameStr, Map<String,Object> opMetaData) {
StringBuilder ret = new StringBuilder();
if (!HbaseConstants.HBASE_META_TABLE.equals(tableNameStr)) {
@@ -1787,10 +1811,30 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
class RangerHBasePlugin extends RangerBasePlugin {
+ private static final Log LOG = LogFactory.getLog(RangerHBasePlugin.class);
+ boolean isHBaseShuttingDown = false;
+
public RangerHBasePlugin(String appType) {
super("hbase", appType);
}
+ public void setHBaseShuttingDown(boolean hbaseShuttingDown) {
+ isHBaseShuttingDown = hbaseShuttingDown;
+ }
+
+ @Override
+ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
+ RangerAccessResult ret = null;
+ if (isHBaseShuttingDown) {
+ ret = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, this.getServiceName(), this.getServiceDef(), request);
+ ret.setIsAllowed(true);
+ ret.setIsAudited(false);
+ LOG.warn("Auth request came after HBase shutdown....");
+ } else {
+ ret = super.isAccessAllowed(request, resultProcessor);
+ }
+ return ret;
+ }
}