From mad...@apache.org
Subject [3/4] git commit: ARGUS-17: added a flag to control whether HBase GRANT/REVOKE would update policies in Argus.
Date Thu, 28 Aug 2014 14:45:59 GMT
ARGUS-17: added a flag to control whether HBase GRANT/REVOKE would
update policies in Argus.

Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/45150f00
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/45150f00
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/45150f00

Branch: refs/heads/master
Commit: 45150f00539a32f28e4c217c06282ab4149aa530
Parents: ebbb163
Author: mneethiraj <mneethiraj@hortonworks.com>
Authored: Thu Aug 28 07:09:16 2014 -0700
Committer: mneethiraj <mneethiraj@hortonworks.com>
Committed: Thu Aug 28 07:09:16 2014 -0700

----------------------------------------------------------------------
 .../constants/XaSecureHadoopConstants.java      |   5 +-
 .../conf/xasecure-hbase-security-changes.cfg    |   2 +-
 hbase-agent/conf/xasecure-hbase-security.xml    |   7 +-
 .../hbase/XaSecureAuthorizationCoprocessor.java | 113 ++++++++++---------
 hive-agent/conf/xasecure-hive-security.xml      |   2 +-
 5 files changed, 71 insertions(+), 58 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/45150f00/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
b/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
index fd265b4..6c69442 100644
--- a/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
+++ b/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
@@ -43,8 +43,11 @@ public class XaSecureHadoopConstants {
 	public static final String HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP 	= "hive.authorization.verifier.classname"
;
 	public static final String HIVE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "com.xasecure.pdp.hive.XASecureAuthorizer"
;
 
-	public static final String  HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP 	     = "xasecure.hive.authorizer.update.xapolicies.on.grant.revoke"
;
+	public static final String  HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP 	     = "xasecure.hive.update.xapolicies.on.grant.revoke"
;
 	public static final boolean HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
+
+	public static final String  HBASE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP 	     = "xasecure.hbase.update.xapolicies.on.grant.revoke"
;
+	public static final boolean HBASE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
 	
 	public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_PROP 	= "knox.authorization.verifier.classname"
;
 	public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "com.xasecure.pdp.knox.XASecureAuthorizer"
;
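Review bot: Renaming the key behind `HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP` leaves no fallback for the old name, so a site that set `xasecure.hive.authorizer.update.xapolicies.on.grant.revoke` to `false` would silently get the default `true` after upgrading, and GRANT/REVOKE would start updating policies again. If the lookup code (not visible in this hunk) reads only this constant, consider also honouring the old key, or logging a warning when it is still present in the configuration. A short comment above both `*_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP` constants, such as `// when false, GRANT/REVOKE issued through the component do not modify Argus policies`, would document what the flag controls.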

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/45150f00/hbase-agent/conf/xasecure-hbase-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-hbase-security-changes.cfg b/hbase-agent/conf/xasecure-hbase-security-changes.cfg
index 4a4d8b0..094d2a7 100644
--- a/hbase-agent/conf/xasecure-hbase-security-changes.cfg
+++ b/hbase-agent/conf/xasecure-hbase-security-changes.cfg
@@ -9,4 +9,4 @@ xasecure.hbase.policymgr.url.laststoredfile				%POLICY_CACHE_FILE_PATH%/hbase_%R
 xasecure.hbase.policymgr.url.reloadIntervalInMillis 	30000 																mod create-if-not-exists
 xasecure.hbase.policymgr.ssl.config						/etc/hbase/conf/xasecure-policymgr-ssl.xml					
	mod create-if-not-exists
 xasecure.policymgr.url							        %POLICY_MGR_URL% 													mod create-if-not-exists
-xasecure.policymgr.sslconfig.filename				    /etc/hive/conf/xasecure-policymgr-ssl.xml		
				mod create-if-not-exists
+xasecure.policymgr.sslconfig.filename				    /etc/hbase/conf/xasecure-policymgr-ssl.xml	
					mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/45150f00/hbase-agent/conf/xasecure-hbase-security.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-hbase-security.xml b/hbase-agent/conf/xasecure-hbase-security.xml
index f335e4a..451e727 100644
--- a/hbase-agent/conf/xasecure-hbase-security.xml
+++ b/hbase-agent/conf/xasecure-hbase-security.xml
@@ -55,7 +55,7 @@
 	</property>
 	<property>
 		<name>xasecure.policymgr.sslconfig.filename</name>
-		<value>/etc/hive/conf/xasecure-policymgr-ssl.xml</value>
+		<value>/etc/hbase/conf/xasecure-policymgr-ssl.xml</value>
 		<description>Path to the file containing SSL details to contact XASecure PolicyManager</description>
 	</property>
 
@@ -70,5 +70,10 @@
 			log file
 		</description>
 	</property>
+	<property>
+		<name>xasecure.hbase.update.xapolicies.on.grant.revoke</name>
+		<value>true</value>
+		<description>Should Hbase agent update XASecure policies for updates to permissions
done using GRANT/REVOKE?</description>
+	</property>
 
 </configuration>

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/45150f00/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
b/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
index 7547e36..0399c0a 100644
--- a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
@@ -107,6 +107,7 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 	private static final short  accessGrantedFlag  = 1;
 	private static final short  accessDeniedFlag   = 0;
 	private static final String repositoryName          = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
+	private static final boolean UpdateXaPoliciesOnGrantRevoke = XaSecureConfiguration.getInstance().getBoolean(XaSecureHadoopConstants.HBASE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP,
XaSecureHadoopConstants.HBASE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
 	private static final String GROUP_PREFIX = "@";
 
 		
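Review bot: `UpdateXaPoliciesOnGrantRevoke` is written in UpperCamelCase while the neighbouring static finals (`accessGrantedFlag`, `repositoryName`) use lowerCamelCase; `updateXaPoliciesOnGrantRevoke` would match the file. Because the field is a `static final` initialised from `XaSecureConfiguration` when the class loads, a later change to the property presumably has no effect until the process is restarted. A comment such as `// read once at class initialization; a changed property value is not picked up at runtime` would make that explicit for operators who rely on this flag.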
@@ -881,34 +882,36 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 	@Override
 	public void grant(RpcController controller, AccessControlProtos.GrantRequest request, RpcCallback<AccessControlProtos.GrantResponse>
done) {
 		boolean isSuccess = false;
-		
-		GrantRevokeData grData = null;
-
-		try {
-			grData = createGrantData(request);
-
-			XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
-		    xaAdmin.grantPrivilege(grData);
-
-		    isSuccess = true;
-		} catch(IOException excp) {
-			LOG.warn("grant() failed", excp);
-
-			ResponseConverter.setControllerException(controller, excp);
-		} catch (Exception excp) {
-			LOG.warn("grant() failed", excp);
-
-			ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
-		} finally {
-			byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables());
-
-			if(accessController.isAudited(tableName)) {
-				byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies());
-				byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns());
 
-				// Note: failed return from REST call will be logged as 'DENIED'
-				auditEvent("grant", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess
? accessGrantedFlag : accessDeniedFlag);
+		if(UpdateXaPoliciesOnGrantRevoke) {
+			GrantRevokeData grData = null;
+	
+			try {
+				grData = createGrantData(request);
+	
+				XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
+	
+			    xaAdmin.grantPrivilege(grData);
+	
+			    isSuccess = true;
+			} catch(IOException excp) {
+				LOG.warn("grant() failed", excp);
+	
+				ResponseConverter.setControllerException(controller, excp);
+			} catch (Exception excp) {
+				LOG.warn("grant() failed", excp);
+	
+				ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
+			} finally {
+				byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables());
+	
+				if(accessController.isAudited(tableName)) {
+					byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies());
+					byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns());
+	
+					// Note: failed return from REST call will be logged as 'DENIED'
+					auditEvent("grant", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess
? accessGrantedFlag : accessDeniedFlag);
+				}
 			}
 		}
 
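Review bot: With `UpdateXaPoliciesOnGrantRevoke` set to false, `grant()` skips the whole block: no policy change is made, no exception is set on `controller`, no audit event is written, and `isSuccess` stays `false`. A GRANT attempted while the flag is disabled therefore leaves no audit record and gives the caller no explicit reason; the response actually returned is built after this hunk and is not visible here. Consider an `else` branch that reports the refusal, for example `ResponseConverter.setControllerException(controller, new CoprocessorException("GRANT is disabled by " + XaSecureHadoopConstants.HBASE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP));`, followed by an `auditEvent("grant", …)` call with `accessDeniedFlag`. The same applies to `revoke()` in the next hunk.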
@@ -921,33 +924,35 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 	public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request,
RpcCallback<AccessControlProtos.RevokeResponse> done) {
 		boolean isSuccess = false;
 
-		GrantRevokeData grData = null;
-
-		try {
-			grData = createRevokeData(request);
-
-			XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
-		    xaAdmin.revokePrivilege(grData);
-
-		    isSuccess = true;
-		} catch(IOException excp) {
-			LOG.warn("grant() failed", excp);
-
-			ResponseConverter.setControllerException(controller, excp);
-		} catch (Exception excp) {
-			LOG.warn("grant() failed", excp);
-
-			ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
-		} finally {
-			byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables());
-
-			if(accessController.isAudited(tableName)) {
-				byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies());
-				byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns());
-
-				// Note: failed return from REST call will be logged as 'DENIED'
-				auditEvent("revoke", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess
? accessGrantedFlag : accessDeniedFlag);
+		if(UpdateXaPoliciesOnGrantRevoke) {
+			GrantRevokeData grData = null;
+	
+			try {
+				grData = createRevokeData(request);
+	
+				XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
+	
+			    xaAdmin.revokePrivilege(grData);
+	
+			    isSuccess = true;
+			} catch(IOException excp) {
+				LOG.warn("revoke() failed", excp);
+	
+				ResponseConverter.setControllerException(controller, excp);
+			} catch (Exception excp) {
+				LOG.warn("revoke() failed", excp);
+	
+				ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
+			} finally {
+				byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables());
+	
+				if(accessController.isAudited(tableName)) {
+					byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies());
+					byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns());
+	
+					// Note: failed return from REST call will be logged as 'DENIED'
+					auditEvent("revoke", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess
? accessGrantedFlag : accessDeniedFlag);
+				}
 			}
 		}
 

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/45150f00/hive-agent/conf/xasecure-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security.xml b/hive-agent/conf/xasecure-hive-security.xml
index b1ed747..f78dbc0 100644
--- a/hive-agent/conf/xasecure-hive-security.xml
+++ b/hive-agent/conf/xasecure-hive-security.xml
@@ -60,7 +60,7 @@
 		<description>Path to the file containing SSL details to contact XASecure PolicyManager</description>
 	</property>
 	<property>
-		<name>xasecure.hive.authorizer.update.xapolicies.on.grant.revoke</name>
+		<name>xasecure.hive.update.xapolicies.on.grant.revoke</name>
 		<value>true</value>
 		<description>Should Hive agent update XASecure policies for updates to permissions
done using GRANT/REVOKE?</description>
 	</property>

