Posted to commits@ranger.apache.org by rm...@apache.org on 2021/01/27 06:50:52 UTC

[ranger] branch ranger-2.2 updated: RANGER-3159: Having any permission on Hbase namespace and tables should allow listing of namespace and tables

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
     new 88c3915  RANGER-3159: Having any permission on Hbase namespace and tables should allow listing of namespace and tables
88c3915 is described below

commit 88c3915e51ff4b30a0d96a1855668cbcaeb45d38
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Tue Jan 26 10:35:14 2021 -0800

    RANGER-3159: Having any permission on Hbase namespace and tables should allow listing of namespace and tables
---
 .../hbase/RangerAuthorizationCoprocessor.java      | 57 ++++++++++++++++++++--
 1 file changed, 53 insertions(+), 4 deletions(-)

diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 2232953..9be6914 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -70,6 +70,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs.AccessResult;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -1190,7 +1191,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		if (LOG.isDebugEnabled()) {
 			LOG.debug(String.format("==> postGetTableNames(count(descriptors)=%s, regex=%s)", descriptors == null ? 0 : descriptors.size(), regex));
 		}
-		checkAccess(ctx, "getTableNames", descriptors, regex);
+		checkGetTableInfoAccess(ctx, "getTableNames", descriptors, regex, RangerPolicyEngine.ANY_ACCESS);
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug(String.format("<== postGetTableNames(count(descriptors)=%s, regex=%s)", descriptors == null ? 0 : descriptors.size(), regex));
@@ -1204,7 +1205,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 					descriptors == null ? 0 : descriptors.size(), regex));
 		}
 
-		checkAccess(ctx, "getTableDescriptors", descriptors, regex);
+		checkGetTableInfoAccess(ctx, "getTableDescriptors", descriptors, regex, _authUtils.getAccess(Action.CREATE));
 		
 		if (LOG.isDebugEnabled()) {
 			LOG.debug(String.format("<== postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
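Review bot: Table descriptors keep the `Action.CREATE` requirement while getTableNames in the previous hunk drops to `RangerPolicyEngine.ANY_ACCESS`, and nothing in the code records why the two listing paths now differ; a user holding only READ on a table will see it in a name listing but have it filtered out of the descriptor listing, which reads as an inconsistency to the next maintainer. If the stricter check is deliberate because descriptors carry table and column-family configuration, say so above the call: `// Descriptors expose table/column-family configuration: keep CREATE here, unlike getTableNames (ANY_ACCESS).` If it is not deliberate, the commit title ("any permission ... should allow listing") suggests the same ANY_ACCESS here. postGetTableDescriptors starts before this hunk.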
@@ -1212,6 +1213,19 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		}
 	}
 
+	@Override
+	public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,	List<NamespaceDescriptor> descriptors) throws IOException {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAuthorizationCoprocessor.postListNamespaceDescriptors()");
+		}
+
+		checkAccessForNamespaceDescriptor(ctx, "getNameSpaceDescriptors", descriptors);
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAuthorizationCoprocessor.postListNamespaceDescriptors()");
+		}
+	}
+
 
 	public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx, PrepareBulkLoadRequest request) throws IOException {
 		List<byte[]> cfs = null;
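Review bot: The operation name `"getNameSpaceDescriptors"` handed to the audit session neither matches the HBase hook it instruments (`listNamespaceDescriptors`) nor the spelling "Namespace" used across the HBase API, so audit consumers cannot correlate the event with the API call by name; the sibling hooks use the HBase method name (`"getTableNames"`, `"getTableDescriptors"`). Consider `checkAccessForNamespaceDescriptor(ctx, "listNamespaceDescriptors", descriptors);` unless an existing audit consumer already keys on the current string. The override also has no Javadoc; a one-liner stating that it filters `descriptors` in place so the caller only sees namespaces the active user is authorized on would help, and the debug lines could report `descriptors.size()` as postGetTableNames does.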
@@ -1770,12 +1784,12 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		return ret.toString();
 	}
 
-	private void checkAccess(ObserverContext<MasterCoprocessorEnvironment> ctx, String operation, List<TableDescriptor> descriptors, String regex) {
+	private void checkGetTableInfoAccess(ObserverContext<MasterCoprocessorEnvironment> ctx, String operation, List<TableDescriptor> descriptors, String regex, String accessPermission) {
 
 		if (CollectionUtils.isNotEmpty(descriptors)) {
 			// Retains only those which passes authorization checks
 			User user = getActiveUser(ctx);
-			String access = _authUtils.getAccess(Action.CREATE);
+			String access = accessPermission;
 			HbaseAuditHandler auditHandler = _factory.getAuditHandler();  // this will accumulate audits for all tables that succeed.
 			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
 					.operation(operation)
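Review bot: `String access = accessPermission;` is a leftover of the rename: the new parameter is only copied into a local of a different name, which sends the reader looking for a transformation that never happens. Either use `accessPermission` directly in the session builder or name the parameter `access` so the body stays unchanged; a brief Javadoc describing `accessPermission` as the Ranger access type each listed table is checked against would also help callers choose between `ANY_ACCESS` and a concrete action. checkGetTableInfoAccess continues past the end of this hunk.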
@@ -1806,6 +1820,41 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		}
 	}
 
+	private void checkAccessForNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx, String operation, List<NamespaceDescriptor> descriptors) {
+
+		if (CollectionUtils.isNotEmpty(descriptors)) {
+			// Retains only those which passes authorization checks
+			User user = getActiveUser(ctx);
+			String access = _authUtils.getAccess(Action.ADMIN);
+			HbaseAuditHandler auditHandler = _factory.getAuditHandler();  // this will accumulate audits for all tables that succeed.
+			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
+					.operation(operation)
+					.remoteAddress(getRemoteAddress())
+					.auditHandler(auditHandler)
+					.user(user)
+					.access(access);
+
+			Iterator<NamespaceDescriptor> itr = descriptors.iterator();
+			while (itr.hasNext()) {
+				NamespaceDescriptor namespaceDescriptor = itr.next();
+				String namespace = namespaceDescriptor.getName();
+				session.table(namespace).buildRequest().authorize();
+				if (!session.isAuthorized()) {
+					List<AuthzAuditEvent> events = null;
+					itr.remove();
+					AuthzAuditEvent event = auditHandler.getAndDiscardMostRecentEvent();
+					if (event != null) {
+						events = Lists.newArrayList(event);
+					}
+					auditHandler.logAuthzAudits(events);
+				}
+			}
+			if (descriptors.size() > 0) {
+				session.logCapturedEvents();
+			}
+		}
+	}
+
 	enum PredicateType {STARTROW, STOPROW, FILTER, COLUMNS, ROW};
 }
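Review bot: The namespace listing check uses `_authUtils.getAccess(Action.ADMIN)`, whereas the commit title says any permission on a namespace should allow listing it and the table-name path in this same commit was changed to `RangerPolicyEngine.ANY_ACCESS`; as written, a user holding only READ or WRITE on a namespace is still dropped from listNamespaceDescriptors. If the title is the intent, `String access = RangerPolicyEngine.ANY_ACCESS;` is the one-line change; if ADMIN-only is deliberate, the commit message should say so, because the title will mislead. The request is built with `session.table(namespace)`; if the policy model represents namespace scope as a table resource of a different form (for example a `ns:` prefix), confirm that a namespace-level policy actually matches this request rather than only a wildcard table policy. The inline comment "accumulate audits for all tables that succeed" was copied from the table helper and should say "namespaces", and the filter/audit loop duplicates checkGetTableInfoAccess almost line for line, so a shared helper parameterised on the resource name would keep the two audit behaviours from drifting.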