Posted to commits@ranger.apache.org by pr...@apache.org on 2020/05/23 12:57:28 UTC
[ranger] 01/03: RANGER-2763: Hive SET Role command in Ranger hive
plugin
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit d488d570d6b94a8987431d4424727c6a91d640b7
Author: pradeep <pr...@apache.org>
AuthorDate: Sun May 3 19:53:10 2020 +0530
RANGER-2763: Hive SET Role command in Ranger hive plugin
---
.../plugin/policyengine/RangerAccessRequest.java | 2 +
.../policyengine/RangerAccessRequestImpl.java | 23 +++-
.../policyengine/RangerAccessRequestReadOnly.java | 5 +
.../policyengine/RangerTagAccessRequest.java | 1 +
.../RangerDefaultPolicyEvaluator.java | 16 ++-
.../service/RangerDefaultRequestProcessor.java | 5 +-
.../RangerCustomConditionMatcherTest.java | 2 +-
.../plugin/contextenricher/TestTagEnricher.java | 2 +-
.../ranger/plugin/policyengine/TestPolicyACLs.java | 2 +-
.../plugin/policyengine/TestPolicyEngine.java | 2 +-
.../authorization/hbase/AuthorizationSession.java | 2 +-
.../hbase/RangerAuthorizationCoprocessor.java | 2 +-
.../hive/authorizer/RangerHiveAccessRequest.java | 10 +-
.../hive/authorizer/RangerHiveAuthorizer.java | 151 ++++++++++++++++++---
.../hive/authorizer/RangerHiveAuthorizerBase.java | 8 --
.../hive/authorizer/RangerHivePolicyProvider.java | 2 +-
.../atlas/authorizer/RangerAtlasAuthorizer.java | 6 +-
.../authorizer/RangerSystemAccessControl.java | 2 +-
.../examples/sampleapp/RangerAuthorizer.java | 2 +-
.../apache/ranger/biz/RangerPolicyAdminImpl.java | 2 +-
20 files changed, 195 insertions(+), 52 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 89d585a..4a12168 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -37,6 +37,8 @@ public interface RangerAccessRequest {
Set<String> getUserGroups();
+ Set<String> getUserRoles();
+
Date getAccessTime();
String getClientIPAddress();
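Review bot: `getUserRoles()` is added to the public `RangerAccessRequest` interface as an abstract method, so any implementation of the interface outside this commit stops compiling, and nothing in the interface says whether the result may be null, although the `RangerAccessRequestReadOnly` constructor hunk (lines 117-124) hands it straight to `Collections.unmodifiableSet`, which throws on null. If the project baseline permits interface default methods, `default Set<String> getUserRoles() { return Collections.emptySet(); }` keeps existing implementors source-compatible and gives the wrapper a non-null value; otherwise a Javadoc line such as `/** Roles supplied by the plugin for this request; never null (empty when the plugin does not supply roles). */` pins the contract the new callers already rely on. The interface declaration continues outside the hunk.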
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 2a28f70..74a7a26 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -38,6 +38,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
private String accessType;
private String user;
private Set<String> userGroups;
+ private Set<String> userRoles;
private Date accessTime;
private String clientIPAddress;
private List<String> forwardedAddresses;
@@ -55,14 +56,15 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
private ResourceMatchingScope resourceMatchingScope = ResourceMatchingScope.SELF;
public RangerAccessRequestImpl() {
- this(null, null, null, null);
+ this(null, null, null, null, null);
}
- public RangerAccessRequestImpl(RangerAccessResource resource, String accessType, String user, Set<String> userGroups) {
+ public RangerAccessRequestImpl(RangerAccessResource resource, String accessType, String user, Set<String> userGroups, Set<String> userRoles) {
setResource(resource);
setAccessType(accessType);
setUser(user);
setUserGroups(userGroups);
+ setUserRoles(userRoles);
setForwardedAddresses(null);
// set remaining fields to default value
@@ -97,6 +99,11 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
}
@Override
+ public Set<String> getUserRoles() {
+ return userRoles;
+ }
+
+ @Override
public Date getAccessTime() {
return accessTime;
}
@@ -174,6 +181,10 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
this.userGroups = (userGroups == null) ? new HashSet<String>() : userGroups;
}
+ public void setUserRoles(Set<String> userRoles) {
+ this.userRoles = (userRoles == null) ? new HashSet<String>() : userRoles;
+ }
+
public void setAccessTime(Date accessTime) {
this.accessTime = accessTime;
}
@@ -290,6 +301,14 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
}
sb.append("} ");
+ sb.append("userRoles={");
+ if(userRoles != null) {
+ for(String role : userRoles) {
+ sb.append(role).append(" ");
+ }
+ }
+ sb.append("} ");
+
sb.append("accessTime={").append(accessTime).append("} ");
sb.append("clientIPAddress={").append(getClientIPAddress()).append("} ");
sb.append("forwardedAddresses={").append(StringUtils.join(forwardedAddresses, " ")).append("} ");
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
index ea42c82..4887c01 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@ -31,6 +31,7 @@ public class RangerAccessRequestReadOnly implements RangerAccessRequest {
// Cached here for reducing access overhead
private final RangerAccessResource resource;
private final Set<String> userGroups;
+ private final Set<String> userRoles;
private final List<String> forwardedAddresses;
private final Map<String, Object> context;
@@ -38,6 +39,7 @@ public class RangerAccessRequestReadOnly implements RangerAccessRequest {
this.source = source;
this.resource = source.getResource().getReadOnlyCopy();
this.userGroups = Collections.unmodifiableSet(source.getUserGroups());
+ this.userRoles = Collections.unmodifiableSet(source.getUserRoles());
this.context = Collections.unmodifiableMap(source.getContext());
this.forwardedAddresses = Collections.unmodifiableList(source.getForwardedAddresses());
}
@@ -61,6 +63,9 @@ public class RangerAccessRequestReadOnly implements RangerAccessRequest {
public Set<String> getUserGroups() { return userGroups; }
@Override
+ public Set<String> getUserRoles() { return userRoles; }
+
+ @Override
public Date getAccessTime() { return source.getAccessTime(); }
@Override
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
index ee605e8..ebe85e9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
@@ -35,6 +35,7 @@ public class RangerTagAccessRequest extends RangerAccessRequestImpl {
super.setResource(new RangerTagResource(resourceTag.getType(), tagServiceDef));
super.setUser(request.getUser());
super.setUserGroups(request.getUserGroups());
+ super.setUserRoles(request.getUserRoles());
super.setAction(request.getAction());
super.setAccessType(request.getAccessType());
super.setAccessTime(request.getAccessTime());
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 59a0405..d75bf46 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -608,7 +608,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (LOG.isDebugEnabled()) {
LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getId() + "]");
}
- Integer accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getAccessType());
+ Integer accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), request.getAccessType());
if (accessResult != null) {
updateAccessResult(result, matchType, accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
}
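Review bot: The roles consulted by the new role branch of `lookupPolicyACLSummary` are the plugin-supplied `request.getUserRoles()` (here, and in the hunk at lines 165-180), not the roles that `RangerDefaultRequestProcessor` resolves via `getRolesForUserAndGroups` and stores in the request context in the same commit. Call sites in this commit that pass null roles (the HBase request constructors and the `getResourceACLs` request) have that normalized to an empty set by `setUserRoles`, so for them the role entries of the ACL summary are still never matched; if that is intended only for Hive's SET ROLE flow a comment saying so would help, otherwise the lookup should fall back to the context-stored roles when `request.getUserRoles()` is empty. A minor style point in the later hunk: `if (userRoles !=null) {` is missing the space after `!=`. Both enclosing methods start and end outside these hunks.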
@@ -631,7 +631,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
}
- private Integer lookupPolicyACLSummary(String user, Set<String> userGroups, String accessType) {
+ private Integer lookupPolicyACLSummary(String user, Set<String> userGroups, Set<String> userRoles, String accessType) {
Integer accessResult = null;
Map<String, PolicyACLSummary.AccessResult> accesses = aclSummary.getUsersAccessInfo().get(user);
@@ -651,6 +651,16 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
break;
}
}
+
+ if (userRoles !=null) {
+ for (String userRole : userRoles) {
+ accesses = aclSummary.getRolesAccessInfo().get(userRole);
+ accessResult = lookupAccess(userRole, accessType, accesses);
+ if (accessResult != null) {
+ break;
+ }
+ }
+ }
}
return accessResult;
@@ -810,7 +820,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getId() +"]");
}
- Integer accessResult = lookupPolicyACLSummary(user, userGroups, accessType);
+ Integer accessResult = lookupPolicyACLSummary(user, userGroups, roles, accessType);
if (accessResult != null && accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
ret = true;
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
index c951414..2f83434 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -63,7 +63,10 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess
RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
}
- Set<String> roles = policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());
+ Set<String> roles = request.getUserRoles();
+ if (CollectionUtils.isEmpty(roles)) {
+ roles = policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());
+ }
if (CollectionUtils.isNotEmpty(roles)) {
RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), roles);
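Review bot: The fallback at lines 197-200 treats an empty `request.getUserRoles()` as "plugin did not supply roles" and re-resolves every role the user holds, but `RangerAccessRequestImpl.setUserRoles` turns null into an empty set and the Hive authorizer in this commit empties its role set on `SET ROLE NONE`, so an explicit "no roles" from the plugin is indistinguishable here from "no roles supplied" and the session's context is repopulated with all of the user's roles. If SET ROLE NONE is meant to narrow the roles placed in the context, the request needs a distinct signal (null preserved through the setter, or a flag) and this check should become `if (roles == null)` rather than `isEmpty`. The enclosing method starts and ends outside the hunk.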
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java
index b42353b..2c708d7 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java
@@ -169,7 +169,7 @@ public class RangerCustomConditionMatcherTest {
RangerAccessRequest createRequest(List<String> resourceTags) {
RangerAccessResource resource = mock(RangerAccessResource.class);
- RangerAccessRequest request = new RangerAccessRequestImpl(resource,"dummy","test", null);
+ RangerAccessRequest request = new RangerAccessRequestImpl(resource,"dummy","test", null, null);
Set<RangerTagForEval> rangerTagForEvals = new HashSet<>();
RangerPolicyResourceMatcher.MatchType matchType = RangerPolicyResourceMatcher.MatchType.NONE;
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java b/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java
index 4cca8ce..83b39ed 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java
@@ -102,7 +102,7 @@ public class TestTagEnricher {
List<String> resultTags = new ArrayList<>();
for (TestData test : testCase.tests) {
- RangerAccessRequestImpl request = new RangerAccessRequestImpl(test.resource, test.accessType, "testUser", null);
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(test.resource, test.accessType, "testUser", null, null);
tagEnricher.enrich(request);
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index e9954c3..e1709ad 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -99,7 +99,7 @@ public class TestPolicyACLs {
if(oneTest == null) {
continue;
}
- RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null);
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
RangerResourceACLs acls = policyEngine.getResourceACLs(request);
boolean userACLsMatched = true, groupACLsMatched = true, roleACLsMatched = true;
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index c71461b..cc16655 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -567,7 +567,7 @@ public class TestPolicyEngine {
// Create a new AccessRequest
RangerAccessRequestImpl newRequest =
new RangerAccessRequestImpl(request.getResource(), request.getAccessType(),
- request.getUser(), request.getUserGroups());
+ request.getUser(), request.getUserGroups(), null);
newRequest.setClientType(request.getClientType());
newRequest.setAccessTime(request.getAccessTime());
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index 6461a24..1b13d3b 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -189,7 +189,7 @@ public class AuthorizationSession {
resource.setValue(RangerHBaseResource.KEY_COLUMN, _column);
String user = _userUtils.getUserAsString(_user);
- RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, _access, user, _groups);
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, _access, user, _groups, null);
request.setAction(_operation);
request.setRequestData(_otherInformation);
request.setClientIPAddress(_remoteAddress);
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index d304bec..c50a192 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1345,7 +1345,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
}
}
RangerAccessRequestImpl rangerAccessrequest = new RangerAccessRequestImpl(resource, null,
- _userUtils.getUserAsString(user), groups);
+ _userUtils.getUserAsString(user), groups, null);
rangerAccessrequest.setAction(operation);
rangerAccessrequest.setClientIPAddress(getRemoteAddress());
rangerAccessrequest.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index 188f2b1..deb467f 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -39,6 +39,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
public RangerHiveAccessRequest(RangerHiveResource resource,
String user,
Set<String> userGroups,
+ Set<String> userRoles,
String hiveOpTypeName,
HiveAccessType accessType,
HiveAuthzContext context,
@@ -46,6 +47,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
this.setResource(resource);
this.setUser(user);
this.setUserGroups(userGroups);
+ this.setUserRoles(userRoles);
this.setAccessTime(new Date());
this.setAction(hiveOpTypeName);
this.setHiveAccessType(accessType);
@@ -66,15 +68,16 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
public RangerHiveAccessRequest(RangerHiveResource resource,
String user,
Set<String> userGroups,
+ Set<String> userRoles,
HiveOperationType hiveOpType,
HiveAccessType accessType,
HiveAuthzContext context,
HiveAuthzSessionContext sessionContext) {
- this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext);
+ this(resource, user, userGroups, userRoles, hiveOpType.name(), accessType, context, sessionContext);
}
- public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
- this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
+ public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, Set<String> roles, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
+ this(resource, user, groups, roles, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
}
public HiveAccessType getHiveAccessType() {
@@ -98,6 +101,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
ret.setAccessType(getAccessType());
ret.setUser(getUser());
ret.setUserGroups(getUserGroups());
+ ret.setUserRoles(getUserRoles());
ret.setAccessTime(getAccessTime());
ret.setAction(getAction());
ret.setClientIPAddress(getClientIPAddress());
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index a6f74b9..c876110 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -28,6 +28,7 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
@@ -100,6 +101,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private static volatile RangerHivePlugin hivePlugin = null;
private static final String ROLE_ALL = "ALL", ROLE_DEFAULT = "DEFAULT", ROLE_NONE = "NONE";
+ private static final String ROLE_ADMIN = "admin";
private static final String CMD_CREATE_ROLE = "create role %s";
private static final String CMD_DROP_ROLE = "drop role %s";
@@ -121,6 +123,10 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
RESERVED_ROLE_NAMES = Collections.unmodifiableSet(roleNames);
}
+ private String currentUserName;
+ private Set<String> currentRoles;
+ private String adminRole;
+
public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
HiveConf hiveConf,
HiveAuthenticationProvider hiveAuthenticator,
@@ -265,39 +271,136 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
@Override
public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("RangerHiveAuthorizer.getCurrentRoleNames()");
}
UserGroupInformation ugi = getCurrentUserGroupInfo();
- boolean result = false;
-
- if(ugi == null) {
+ boolean result = false;
+ if (ugi == null) {
throw new HiveAuthzPluginException("User information not available");
}
- List<String> ret = null;
+ List<String> ret = new ArrayList<String>();
String user = ugi.getShortUserName();
List<String> userNames = Arrays.asList(user);
-
RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
try {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== getCurrentRoleNames() for user " + user);
}
-
- ret = hivePlugin.getUserRoles(user, auditHandler);
+ for (String role : getCurrentRoles()) {
+ ret.add(role);
+ }
result = true;
- } catch(Exception excp) {
+ } catch (Exception excp) {
throw new HiveAuthzPluginException(excp);
} finally {
- RangerAccessResult accessResult = createAuditEvent(hivePlugin, user, userNames, HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, result);
+ RangerAccessResult accessResult = createAuditEvent(hivePlugin, user, userNames,
+ HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, ret, result);
auditHandler.processResult(accessResult);
auditHandler.flushAudit();
}
+ return ret;
+ }
+
+ private void initUserRoles() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(" ==> RangerHiveAuthorizer.initUserRoles()");
+ }
+ // from SQLStdHiveAccessController.initUserRoles()
+ // to aid in testing through .q files, authenticator is passed as argument to
+ // the interface. this helps in being able to switch the user within a session.
+ // so we need to check if the user has changed
+ String newUserName = getHiveAuthenticator().getUserName();
+ if (Objects.equals(currentUserName, newUserName)) {
+ // no need to (re-)initialize the currentUserName, currentRoles fields
+ return;
+ }
+ this.currentUserName = newUserName;
+ try {
+ currentRoles = getCurrentRoleNamesFromRanger();
+ } catch (HiveAuthzPluginException e) {
+ LOG.error("Error while fetching roles from ranger for user : " + currentUserName, e);
+ }
+ LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
+ }
+
+ private Set<String> getCurrentRoles() {
+ // from SQLStdHiveAccessController.getCurrentRoles()
+ initUserRoles();
+ return currentRoles;
+ }
+
+ private Set<String> getCurrentRoleNamesFromRanger() throws HiveAuthzPluginException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
+ }
+ UserGroupInformation ugi = getCurrentUserGroupInfo();
+ if (ugi == null) {
+ throw new HiveAuthzPluginException("User information not available");
+ }
+ Set<String> ret = new HashSet<String>();
+ String user = ugi.getShortUserName();
+
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ try {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== getCurrentRoleNamesFromRanger() for user " + user);
+ }
+ Set<String> userRoles = new HashSet<String>(hivePlugin.getUserRoles(user, auditHandler));
+ for (String role : userRoles) {
+ if (!ROLE_ADMIN.equalsIgnoreCase(role)) {
+ ret.add(role);
+ } else {
+ this.adminRole = role;
+ }
+ }
+ } catch (Exception excp) {
+ throw new HiveAuthzPluginException(excp);
+ } finally {
+ auditHandler.flushAudit();
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user);
+ }
return ret;
}
@Override
+ public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
+ // from SQLStdHiveAccessController.setCurrentRole()
+ initUserRoles();
+ if (ROLE_NONE.equalsIgnoreCase(roleName)) {
+ // for set role NONE, clear all roles for current session.
+ currentRoles.clear();
+ return;
+ }
+ if (ROLE_ALL.equalsIgnoreCase(roleName)) {
+ // for set role ALL, reset roles to default roles.
+ currentRoles.clear();
+ currentRoles.addAll(getCurrentRoleNamesFromRanger());
+ return;
+ }
+ for (String role : getCurrentRoleNamesFromRanger()) {
+ // set to one of the roles user belongs to.
+ if (role.equalsIgnoreCase(roleName)) {
+ currentRoles.clear();
+ currentRoles.add(role);
+ return;
+ }
+ }
+ // set to ADMIN role, if user belongs there.
+ if (ROLE_ADMIN.equalsIgnoreCase(roleName) && null != this.adminRole) {
+ currentRoles.clear();
+ currentRoles.add(adminRole);
+ return;
+ }
+ LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
+ // If we are here it means, user is requesting a role he doesn't belong to.
+ throw new HiveAccessControlException(currentUserName + " doesn't belong to role " + roleName);
+ }
+
+ @Override
public List<String> getAllRoles()
throws HiveAuthzPluginException, HiveAccessControlException {
LOG.debug("RangerHiveAuthorizer.getAllRoles()");
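Review bot: `initUserRoles()` records the new user name at line 404 before fetching, and on `HiveAuthzPluginException` only logs, so after a user change with a failed Ranger lookup `currentRoles` keeps the previous user's roles (or stays null on first use, which then NPEs in the loop at line 374 and in `currentRoles.clear()` at lines 459 and 464) and is never retried because the name already matches. `adminRole` is likewise never reset between users, so once any earlier user of the same authorizer instance held the admin role, a later user for whom Ranger returned no admin role still passes the check at line 477 and can `SET ROLE admin`; the comment at lines 396-398 states that the user can change within a session, so this is reachable. Resetting both fields before the fetch makes a failed or changed lookup fail closed, as sketched below. `setCurrentRole` also calls `getCurrentRoleNamesFromRanger()` a second time at line 468 for the same user; fetching once and using the result in both the ALL branch and the loop avoids the extra round trip. `getAllRoles` continues outside the hunk.
```java
    private void initUserRoles() {
        // … unchanged: debug logging, user-change check …
        this.currentUserName = newUserName;
        // reset per-user state before fetching, so a user switch or a failed
        // lookup can never leave the previous user's roles or admin flag in place
        this.adminRole    = null;
        this.currentRoles = new HashSet<String>();
        try {
            currentRoles = getCurrentRoleNamesFromRanger();
        } catch (HiveAuthzPluginException e) {
            LOG.error("Error while fetching roles from ranger for user : " + currentUserName, e);
        }
        // … unchanged: info log …
    }
```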
@@ -673,6 +776,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
+ Set<String> roles = getCurrentRoles();
if(LOG.isDebugEnabled()) {
LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext));
@@ -718,7 +822,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
if(!existsByResourceAndAccessType(requests, resource, accessType)) {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType, accessType, context, sessionContext);
requests.add(request);
}
}
@@ -726,7 +830,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
// this should happen only for SHOWDATABASES
if (hiveOpType == HiveOperationType.SHOWDATABASES) {
RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
requests.add(request);
} else if ( hiveOpType == HiveOperationType.REPLDUMP) {
// This happens when REPL DUMP command with null inputHObjs is sent in checkPrivileges()
@@ -742,7 +846,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
}
//
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
requests.add(request);
} else {
if (LOG.isDebugEnabled()) {
@@ -779,7 +883,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
if(!existsByResourceAndAccessType(requests, resource, accessType)) {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType, accessType, context, sessionContext);
requests.add(request);
}
@@ -798,7 +902,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
} else {
resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
}
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
requests.add(request);
}
}
@@ -869,7 +973,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
result.setIsAllowed(false);
result.setPolicyId(rowFilterResult.getPolicyId());
- result.setReason("User does not have acces to all rows of the table");
+ result.setReason("User does not have access to all rows of the table");
} else {
// check if masking is enabled for any column in the table/view
request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
@@ -956,6 +1060,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
+ Set<String> roles = getCurrentRoles();
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("filterListCmdObjects: user[%s], groups%s", user, groups));
}
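Review bot: The debug line at line 554 still prints only user and groups although `roles` is now part of the authorization input at line 552, so a session narrowed by SET ROLE is not visible in this trace. `LOG.debug(String.format("filterListCmdObjects: user[%s], groups%s, roles%s", user, groups, roles));` keeps the log consistent with what is evaluated. The enclosing method starts and ends outside the hunk.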
@@ -982,7 +1087,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if (resource == null) {
LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null");
} else {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, context, sessionContext);
RangerAccessResult result = hivePlugin.isAccessAllowed(request, auditHandler);
if (result == null) {
LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!");
@@ -1148,9 +1253,10 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
+ Set<String> roles = getCurrentRoles();
HiveObjectType objectType = HiveObjectType.TABLE;
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
@@ -1188,9 +1294,10 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
+ Set<String> roles = getCurrentRoles();
HiveObjectType objectType = HiveObjectType.COLUMN;
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
@@ -2464,7 +2571,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject);
- RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null);
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
ret = hivePlugin.getResourceACLs(request);
@@ -2620,7 +2727,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzContext hiveAuthzContext = builder.build();
RangerHiveResource rangerHiveResource = new RangerHiveResource(HiveObjectType.GLOBAL,"*");
- ret = new RangerHiveAccessRequest(rangerHiveResource, userOrGrantor, null, hiveOperationType, accessType, hiveAuthzContext, null);
+ ret = new RangerHiveAccessRequest(rangerHiveResource, userOrGrantor, null, null, hiveOperationType, accessType, hiveAuthzContext, null);
ret.setClusterName(hivePlugin.getClusterName());
ret.setAction(hiveOperationType.name());
ret.setClientIPAddress(getRemoteIp());
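Review bot: The grant/revoke request built at this line passes `null` for the roles argument, while the row-filter and data-mask requests in the earlier hunks populate it via `getCurrentRoles()`, so role-based policies will not take part in the GRANT/REVOKE authorization decision if a null set is treated as "no roles" by RangerHiveAccessRequest (constructor not visible here). That may well be deliberate, since the session's current roles are not necessarily those of `userOrGrantor`, but the call site should say so: `// roles intentionally null: session roles may not belong to userOrGrantor (RANGER-2763)`. If instead the grantor's roles are meant to count, `getCurrentRoles()` is already available in this class. The enclosing method starts and ends outside the hunk.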
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
index c752489..e06f135 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
@@ -147,14 +147,6 @@ public abstract class RangerHiveAuthorizerBase extends AbstractHiveAuthorizer {
return VERSION.V1;
}
- @Override
- public void setCurrentRole(String roleName)
- throws HiveAccessControlException, HiveAuthzPluginException {
- LOG.debug("RangerHiveAuthorizerBase.setCurrentRole()");
-
- throwNotImplementedException("setCurrentRole");
- }
-
private void throwNotImplementedException(String method) throws HiveAuthzPluginException {
throw new HiveAuthzPluginException(method + "() not implemented in Ranger AbstractHiveAuthorizer");
}
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
index ba6b459..7bdd4b3 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
@@ -97,7 +97,7 @@ public class RangerHivePolicyProvider implements HivePolicyProvider {
public HiveResourceACLs getResourceACLs(RangerHiveResource hiveResource) {
HiveResourceACLs ret;
- RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null);
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
RangerResourceACLs acls = rangerPlugin.getResourceACLs(request);
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index dc2ed8a..28d71de 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -107,7 +107,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
String action = request.getAction() != null ? request.getAction().getType() : null;
RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(Collections.singletonMap(RESOURCE_SERVICE, "*"));
- RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
+ RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups(), null);
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
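Review bot: Every non-Hive call site in this commit — the three hunks in this file, RangerSystemAccessControl, the sample-app RangerAuthorizer and RangerPolicyAdminImpl — now passes a bare `null` as the fifth constructor argument with nothing at the call site saying what it is, which reads as a missing value rather than a decision. A delegating four-argument overload in RangerAccessRequestImpl (that hunk is outside this chunk) would remove the churn and keep out-of-tree plugins source-compatible; failing that, a comment at the first such call per file, e.g. `// roles: not resolved by the Atlas plugin; role-based policies do not apply here`, makes the gap explicit. This assumes the constructor normalizes a null roles set the way it does for groups, which cannot be confirmed from the visible hunks.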
@@ -183,7 +183,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
rangerResource.setValue(RESOURCE_TYPE_NAME, typeName);
rangerResource.setValue(RESOURCE_TYPE_CATEGORY, typeCategory);
- RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
+ RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups(), null);
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
rangerRequest.setAction(action);
@@ -229,7 +229,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
- RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
+ RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups(), null);
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
rangerRequest.setAction(action);
diff --git a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
index 4742847..f4fc89d 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
+++ b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
@@ -833,7 +833,7 @@ class RangerPrestoAccessRequest
String user,
Set<String> userGroups,
PrestoAccessType prestoAccessType) {
- super(resource, prestoAccessType.name().toLowerCase(ENGLISH), user, userGroups);
+ super(resource, prestoAccessType.name().toLowerCase(ENGLISH), user, userGroups, null);
setAccessTime(new Date());
}
}
diff --git a/ranger-examples/plugin-sampleapp/src/main/java/org/apache/ranger/examples/sampleapp/RangerAuthorizer.java b/ranger-examples/plugin-sampleapp/src/main/java/org/apache/ranger/examples/sampleapp/RangerAuthorizer.java
index 6b3d6ea..28db88e 100644
--- a/ranger-examples/plugin-sampleapp/src/main/java/org/apache/ranger/examples/sampleapp/RangerAuthorizer.java
+++ b/ranger-examples/plugin-sampleapp/src/main/java/org/apache/ranger/examples/sampleapp/RangerAuthorizer.java
@@ -53,7 +53,7 @@ public class RangerAuthorizer implements IAuthorizer {
RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue("path", fileName); // "path" must be a value resource name in servicedef JSON
- RangerAccessRequest request = new RangerAccessRequestImpl(resource, accessType, user, userGroups);
+ RangerAccessRequest request = new RangerAccessRequestImpl(resource, accessType, user, userGroups, null);
RangerAccessResult result = plugin.isAccessAllowed(request);
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 5e93291..1c63e94 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -319,7 +319,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
}
List<RangerPolicy> ret = new ArrayList<>();
- RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, accessType, null, null);
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, accessType, null, null, null);
requestProcessor.preProcess(request);