Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/10 02:38:47 UTC
incubator-ranger git commit: RANGER-386: HBase plugin updates for
recent changes in HBase
Repository: incubator-ranger
Updated Branches:
refs/heads/master 376d32497 -> 0e5e27896
RANGER-386: HBase plugin updates for recent changes in HBase
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0e5e2789
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0e5e2789
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0e5e2789
Branch: refs/heads/master
Commit: 0e5e27896aecd58534e6d90c57eac7c626a0ca06
Parents: 376d324
Author: Enis Soztutar <en...@apache.org>
Authored: Thu Apr 9 16:13:24 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Apr 9 16:14:21 2015 -0700
----------------------------------------------------------------------
.../authorization/hbase/HbaseUserUtilsImpl.java | 10 +---
.../hbase/RangerAuthorizationCoprocessor.java | 61 +++++++++++++++-----
.../RangerAuthorizationCoprocessorBase.java | 54 +++++++++++++++--
3 files changed, 96 insertions(+), 29 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0e5e2789/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseUserUtilsImpl.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseUserUtilsImpl.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseUserUtilsImpl.java
index 6b32e54..fd15aaa 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseUserUtilsImpl.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseUserUtilsImpl.java
@@ -27,7 +27,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.security.User;
public class HbaseUserUtilsImpl implements HbaseUserUtils {
@@ -61,12 +61,8 @@ public class HbaseUserUtilsImpl implements HbaseUserUtils {
@Override
public User getUser() {
// current implementation does not use the request object!
- User user;
- if (RequestContext.isInRequestContext()) {
- // this is the more common case
- user = RequestContext.getRequestUser();
- }
- else {
+ User user = RpcServer.getRequestUser();
+ if (user == null) {
try {
user = User.getCurrent();
} catch (IOException e) {
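Review bot: In getUser(), the new `if (user == null)` test no longer distinguishes "not handling an RPC" from "handling an RPC for which no user was resolved"; both now fall through to `User.getCurrent()`, which on a server is normally the process's own login identity. The removed code took that path only when `RequestContext.isInRequestContext()` was false. If a null request user can occur inside an RPC, the authorizer would evaluate the call as the service principal, so consider guarding the fallback with `if (user == null && !RpcServer.isInRpcCallContext())` and treating a null user inside an RPC as a denial, or at least add a comment stating why null is taken to imply a non-RPC caller. The same pattern is introduced in getActiveUser() in RangerAuthorizationCoprocessor.java. getUser() continues past the end of this hunk.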
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0e5e2789/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index aac1f96..edc769b 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -66,7 +66,7 @@ import org.apache.hadoop.hbase.filter.ByteArrayComparable;
import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.FilterList;
-import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
@@ -74,7 +74,8 @@ import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessCont
import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription;
import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.CleanupBulkLoadRequest;
import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.PrepareBulkLoadRequest;
-import org.apache.hadoop.hbase.regionserver.HRegion;
+import org.apache.hadoop.hbase.protobuf.generated.QuotaProtos.Quotas;
+import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.RegionScanner;
import org.apache.hadoop.hbase.regionserver.ScanType;
@@ -134,7 +135,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
// Utilities Methods
protected byte[] getTableName(RegionCoprocessorEnvironment e) {
- HRegion region = e.getRegion();
+ Region region = e.getRegion();
byte[] tableName = null;
if (region != null) {
HRegionInfo regionInfo = region.getRegionInfo();
@@ -184,8 +185,8 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
}
private User getActiveUser() {
- User user = RequestContext.getRequestUser();
- if (!RequestContext.isInRequestContext()) {
+ User user = RpcServer.getRequestUser();
+ if (user == null) {
// for non-rpc handling, fallback to system user
try {
user = User.getCurrent();
@@ -198,8 +199,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
}
private String getRemoteAddress() {
- RequestContext reqContext = RequestContext.get();
- InetAddress remoteAddr = reqContext != null ? reqContext.getRemoteAddress() : null;
+ InetAddress remoteAddr = RpcServer.getRemoteAddress();
String strAddr = remoteAddr != null ? remoteAddr.getHostAddress() : null;
return strAddr;
@@ -207,13 +207,11 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
// Methods that are used within the CoProcessor
private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
- if (RequestContext.isInRequestContext()) {
- String requestUserName = RequestContext.getRequestUserName();
- String owner = scannerOwners.get(s);
- if (owner != null && !owner.equals(requestUserName)) {
- throw new AccessDeniedException("User '" + requestUserName + "' is not the scanner owner!");
- }
- }
+ String requestUserName = RpcServer.getRequestUserName();
+ String owner = scannerOwners.get(s);
+ if (owner != null && !owner.equals(requestUserName)) {
+ throw new AccessDeniedException("User '"+ requestUserName +"' is not the scanner owner!");
+ }
}
/**
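Review bot: requireScannerOwner() no longer checks whether it is running inside an RPC, so when `RpcServer.getRequestUserName()` returns null any scanner with a recorded owner is rejected with the message "User 'null' is not the scanner owner!". Failing closed is the safer direction, but it differs from the removed code, which skipped the check outside a request context, so server-internal scanner calls may now be denied. Either restore the guard with `if (!RpcServer.isInRpcCallContext()) { return; }` or keep the stricter behaviour and document it with a comment such as `// a null request user (non-RPC caller) is deliberately rejected`. The concatenation also lost its spacing; `"User '" + requestUserName + "' is not the scanner owner!"` matches the removed line's formatting.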
@@ -792,7 +790,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
@Override
public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
RegionCoprocessorEnvironment env = e.getEnvironment();
- final HRegion region = env.getRegion();
+ final Region region = env.getRegion();
if (region == null) {
LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
return;
@@ -864,6 +862,37 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo, boolean force) throws IOException {
requirePermission("unassign", regionInfo.getTable().getName(), null, null, Action.ADMIN);
}
+
+ @Override
+ public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final Quotas quotas) throws IOException {
+ requireGlobalPermission("setUserQuota", null, Action.ADMIN);
+ }
+
+ @Override
+ public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final TableName tableName, final Quotas quotas) throws IOException {
+ requirePermission("setUserTableQuota", tableName.getName(), null, null, Action.ADMIN);
+ }
+
+ @Override
+ public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final String namespace, final Quotas quotas) throws IOException {
+ requireGlobalPermission("setUserNamespaceQuota", namespace, Action.ADMIN);
+ }
+
+ @Override
+ public void preSetTableQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final TableName tableName, final Quotas quotas) throws IOException {
+ requirePermission("setTableQuota", tableName.getName(), null, null, Action.ADMIN);
+ }
+
+ @Override
+ public void preSetNamespaceQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String namespace, final Quotas quotas) throws IOException {
+ requireGlobalPermission("setNamespaceQuota", namespace, Action.ADMIN);
+ }
+
private String coprocessorType = "unknown";
private static final String MASTER_COPROCESSOR_TYPE = "master";
private static final String REGIONAL_COPROCESSOR_TYPE = "regional";
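Review bot: The five quota hooks added here have no Javadoc, and the permission scope differs between them in a way the names do not convey: the two table variants call `requirePermission(..., tableName.getName(), null, null, Action.ADMIN)`, while the plain user variant and both namespace variants call `requireGlobalPermission`. A one-line comment on each would make the intended scope reviewable, for example `// namespace quotas require global ADMIN; the namespace argument is informational` (to be confirmed, since requireGlobalPermission is not visible in this hunk). The `userName` whose quota is being changed is not passed to either helper, so as far as this hunk shows it will not appear in the authorization audit event; consider whether it should.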
@@ -971,7 +1000,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
}
}
@Override
- public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx, HRegion regionA, HRegion regionB) throws IOException {
+ public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx, Region regionA, Region regionB) throws IOException {
requirePermission("mergeRegions", regionA.getTableDesc().getTableName().getName(), null, null, Action.ADMIN);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0e5e2789/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
index e767bfe..871f7f8 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
@@ -45,8 +45,9 @@ import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.RegionServerObserver;
import org.apache.hadoop.hbase.master.RegionPlan;
import org.apache.hadoop.hbase.protobuf.generated.AdminProtos.WALEntry;
+import org.apache.hadoop.hbase.protobuf.generated.QuotaProtos.Quotas;
import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription;
-import org.apache.hadoop.hbase.regionserver.HRegion;
+import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
import org.apache.hadoop.hbase.replication.ReplicationEndpoint;
@@ -62,7 +63,7 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
@Override
public void preMergeCommit(
ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB, List<Mutation> metaEntries)
+ Region regionA, Region regionB, List<Mutation> metaEntries)
throws IOException {
// Not applicable. Expected to be empty
}
@@ -70,7 +71,7 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
@Override
public void postMergeCommit(
ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB, HRegion mergedRegion)
+ Region regionA, Region regionB, Region mergedRegion)
throws IOException {
// Not applicable. Expected to be empty
}
@@ -78,14 +79,14 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
@Override
public void preRollBackMerge(
ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB) throws IOException {
+ Region regionA, Region regionB) throws IOException {
// Not applicable. Expected to be empty
}
@Override
public void postRollBackMerge(
ObserverContext<RegionServerCoprocessorEnvironment> ctx,
- HRegion regionA, HRegion regionB) throws IOException {
+ Region regionA, Region regionB) throws IOException {
// Not applicable. Expected to be empty
}
@@ -385,7 +386,7 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
}
@Override
- public void postMerge(ObserverContext<RegionServerCoprocessorEnvironment> c, HRegion regionA, HRegion regionB, HRegion mergedRegion) throws IOException {
+ public void postMerge(ObserverContext<RegionServerCoprocessorEnvironment> c, Region regionA, Region regionB, Region mergedRegion) throws IOException {
// Not applicable. Expected to be empty
}
@@ -398,4 +399,45 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
public void postUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo, boolean force) throws IOException {
// Not applicable. Expected to be empty
}
+
+ public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final Quotas quotas) throws IOException {
+ }
+
+ public void postSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final Quotas quotas) throws IOException {
+ }
+
+ public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final TableName tableName, final Quotas quotas) throws IOException {
+ }
+
+ public void postSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final TableName tableName, final Quotas quotas) throws IOException {
+ }
+
+ public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final String namespace, final Quotas quotas) throws IOException {
+ }
+
+ public void postSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String userName, final String namespace, final Quotas quotas) throws IOException {
+ }
+
+ public void preSetTableQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final TableName tableName, final Quotas quotas) throws IOException {
+ }
+
+ public void postSetTableQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final TableName tableName, final Quotas quotas) throws IOException {
+ }
+
+ public void preSetNamespaceQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String namespace, final Quotas quotas) throws IOException {
+ }
+
+ public void postSetNamespaceQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+ final String namespace, final Quotas quotas) throws IOException{
+ }
+
}
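Review bot: The ten quota stubs added at the end of the class carry no `@Override`, unlike the neighbouring observer methods in this file. The subclass overrides of `preSetUserQuota`, `preSetTableQuota` and `preSetNamespaceQuota` are annotated, but those annotations are satisfied by these base methods, so if a signature here ever drifts from HBase's observer interface the compiler stays silent and the ADMIN checks are never invoked. Add `@Override` to each stub together with the `// Not applicable. Expected to be empty` comment used elsewhere in the class; if the annotation is omitted on purpose to build against HBase versions without quota hooks, say so in a comment. `throws IOException{` in postSetNamespaceQuota is also missing the space before the brace.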