From mad...@apache.org
Subject [1/2] git commit: ARGUS-3: update to handle access check on LOCAL_URI and DFS_URI
Date Fri, 15 Aug 2014 18:39:58 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master 0d0637972 -> cb7363d7e


ARGUS-3: update to handle access check on LOCAL_URI and DFS_URI

Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/820f1aee
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/820f1aee
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/820f1aee

Branch: refs/heads/master
Commit: 820f1aeeab949bd1db39bb14635bf63ce74b632a
Parents: 185f7c5
Author: mneethiraj <mneethiraj@hortonworks.com>
Authored: Thu Aug 14 18:31:40 2014 -0700
Committer: mneethiraj <mneethiraj@hortonworks.com>
Committed: Thu Aug 14 18:31:40 2014 -0700

----------------------------------------------------------------------
 .../java/com/xasecure/pdp/hive/HiveAuthDB.java  | 10 ++-
 .../hive/XaHiveObjectAccessInfo.java            | 81 ++++++++++++--------
 .../hive/authorizer/XaSecureHiveAuthorizer.java | 73 +++++++++++++++++-
 3 files changed, 127 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/820f1aee/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
index 624bd31..ef801b6 100644
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
@@ -107,6 +107,10 @@ public class HiveAuthDB {
 				ret = isUDFAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getFunction());
 			break;
 
+			case URI:
+				// Handled in XaSecureHiveAuthorizer
+			break;
+
 			case NONE:
 			break;
 		}
@@ -117,7 +121,10 @@ public class HiveAuthDB {
 	public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) {
 		boolean ret = false;
 
-		if(objAccessInfo.getAccessType() == HiveAccessType.NONE || objAccessInfo.getObjectType()
== HiveObjectType.NONE) {
+		if(   objAccessInfo.getAccessType() == HiveAccessType.NONE
+           || objAccessInfo.getObjectType() == HiveObjectType.NONE
+           || objAccessInfo.getObjectType() == HiveObjectType.URI
+           ) {
 			return false;
 		}
 		
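Review bot: Adding HiveObjectType.URI to the early `return false` in isAudited means a denied URI check will never produce an audit record: the authorizer hunk later on this page calls `mHiveAccessVerifier.isAudited(objAccessInfo)` before logging a denial, and the `case URI:` fallthrough in the next hunk of this file has the same effect there. If keeping file-system checks out of the policy audit trail is deliberate, say so where the clause is added, e.g. `// URI objects are checked directly against the file system in XaSecureHiveAuthorizer, not by policy, so they are not audited here`. Otherwise drop the URI clause so that refused LOAD/EXPORT/IMPORT paths are recorded like any other denial.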
@@ -156,6 +163,7 @@ public class HiveAuthDB {
 			break;
 
 			case NONE:
+			case URI:
 			break;
 		}
 		

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/820f1aee/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
index 63dfbc7..942a86a 100644
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
+++ b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
@@ -6,21 +6,22 @@ import java.util.List;
 import com.xasecure.authorization.utils.StringUtil;
 
 public class XaHiveObjectAccessInfo {
-	public enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION
};
+	public enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION,
URI };
 	public enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, INSERT, SELECT, UPDATE,
USE };
 
-	private String            mOperType;
-	private XaHiveAccessContext mContext;
-	private HiveAccessType    mAccessType;
-	private HiveObjectType    mObjectType;
-	private String            mDatabase;
-	private String            mTable;
-	private String            mView;
-	private String            mPartition;
-	private String            mIndex;
-	private List<String>      mColumns;
-	private String            mFunction;
-	private String            mDeniedObjectName;
+	private String              mOperType         = null;
+	private XaHiveAccessContext mContext          = null;
+	private HiveAccessType      mAccessType       = HiveAccessType.NONE;
+	private HiveObjectType      mObjectType       = HiveObjectType.NONE;
+	private String              mDatabase         = null;
+	private String              mTable            = null;
+	private String              mView             = null;
+	private String              mPartition        = null;
+	private String              mIndex            = null;
+	private List<String>        mColumns          = null;
+	private String              mFunction         = null;
+	private String              mUri              = null;
+	private String              mDeniedObjectName = null;
 
 	public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType
accessType, String dbName) {
 		this(operType, context, accessType, dbName, null, HiveObjectType.DATABASE, dbName);
@@ -34,6 +35,10 @@ public class XaHiveObjectAccessInfo {
 		this(operType, context, accessType, dbName, null, objType, objName);
 	}
 
+	public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType
accessType, HiveObjectType objType, String objName) {
+		this(operType, context, accessType, null, null, objType, objName);
+	}
+
 	public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType
accessType, String dbName, String tblOrViewName, List<String> columns) {
 		mOperType    = operType;
 		mContext     = context;
@@ -42,8 +47,6 @@ public class XaHiveObjectAccessInfo {
 		mDatabase    = dbName;
 		mTable       = tblOrViewName;
 		mView        = tblOrViewName;
-		mPartition   = null;
-		mIndex       = null;
 		mColumns     = columns;
 	}
 
@@ -55,9 +58,6 @@ public class XaHiveObjectAccessInfo {
 		mDatabase    = dbName;
 		mTable       = tblName;
 		mView        = tblName;
-		mPartition   = null;
-		mIndex       = null;
-		mColumns     = null;
 
 		if(objName != null && ! objName.trim().isEmpty()) {
 			switch(objType) {
@@ -90,6 +90,10 @@ public class XaHiveObjectAccessInfo {
 					mFunction = objName;
 				break;
 
+				case URI:
+					mUri = objName;
+				break;
+
 				case NONE:
 				break;
 			}
@@ -140,6 +144,10 @@ public class XaHiveObjectAccessInfo {
 		return mFunction;
 	}
 
+	public String getUri() {
+		return mUri;
+	}
+
 	public void setDeinedObjectName(String deniedObjectName) {
 		mDeniedObjectName = deniedObjectName;
 	}
@@ -149,20 +157,29 @@ public class XaHiveObjectAccessInfo {
 	}
 
 	public String getObjectName() {
-		String objName = StringUtil.isEmpty(mDatabase) ? "" : mDatabase;
-
-		if(! StringUtil.isEmpty(mTable))
-			objName += ("/" + mTable);
-		else if(! StringUtil.isEmpty(mView))
-			objName += ("/" + mView);
-		else if(! StringUtil.isEmpty(mFunction))
-			objName += ("/" + mFunction);
-
-		if(! StringUtil.isEmpty(mColumns))
-			objName += ("/" + StringUtil.toString(mColumns));
-		else if(! StringUtil.isEmpty(mIndex))
-			objName += ("/" + mIndex);
-		
+        String objName = null;
+
+        if(this.mObjectType == HiveObjectType.URI) {
+            objName = mUri;
+        } else {
+            String tblName = null;
+            String colName = null;
+
+            if(! StringUtil.isEmpty(mTable))
+                tblName = mTable;
+            else if(! StringUtil.isEmpty(mView))
+                tblName = mView;
+            else if(! StringUtil.isEmpty(mFunction))
+                tblName = mFunction;
+
+            if(! StringUtil.isEmpty(mColumns))
+                colName = StringUtil.toString(mColumns);
+            else if(! StringUtil.isEmpty(mIndex))
+                colName = mIndex;
+
+            objName = getObjectName(mDatabase, tblName, colName);
+        }
+
 		return objName;
 	}
 	
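Review bot: The rewritten getObjectName is indented with four spaces inside a tab-indented class (lines 195–217 versus the surrounding `return objName;`), and it delegates to an overload `getObjectName(mDatabase, tblName, colName)` that is not visible in this hunk and is presumably defined elsewhere in the file. The result can now be null: the old body always started from `""`, whereas the URI branch returns `mUri` unchanged, and the constructor only assigns mUri when the name is non-empty (line 153), so a URI object built with an empty name yields null here. Since this value feeds the denied-object name and audit output, a null-safe form such as `objName = (mUri == null) ? "" : mUri;` would preserve the old contract.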

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/820f1aee/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
index eb8bd62..cc0fa44 100644
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
+++ b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
@@ -5,6 +5,11 @@ import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.fs.FileStatus;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsAction;
+import org.apache.hadoop.hive.common.FileUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
@@ -66,7 +71,13 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 		List<XaHiveObjectAccessInfo> objAccessList = getObjectAccessInfo(hiveOpType, inputHObjs,
outputHObjs, context);
 
 		for(XaHiveObjectAccessInfo objAccessInfo : objAccessList) {
-			boolean ret = mHiveAccessVerifier.isAccessAllowed(ugi, objAccessInfo);
+            boolean ret = false;
+
+            if(objAccessInfo.getObjectType() == HiveObjectType.URI) {
+                ret = isURIAccessAllowed(ugi, objAccessInfo.getAccessType(), objAccessInfo.getUri(),
getHiveConf());
+            } else {
+                ret = mHiveAccessVerifier.isAccessAllowed(ugi, objAccessInfo);
+            }
 
 			if(! ret) {
 				if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
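Review bot: The new branch at lines 248–255 is space-indented inside a tab-indented method (compare the `if(! ret)` that follows it); the same mix appears in the `case URI:` blocks at lines 267–270 and 280–281 and throughout the new isURIAccessAllowed method, so one pass to tabs before merging would keep the file consistent. `getHiveConf()` is also re-evaluated for every object in the loop; hoisting it above the `for` as `HiveConf conf = getHiveConf();` reads more clearly even if the call is cheap. The enclosing method starts before this hunk.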
@@ -163,7 +174,11 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 			case FUNCTION:
 				ret = new XaHiveObjectAccessInfo(operType, hiveContext, accessType, hiveObj.getDbname(),
HiveObjectType.FUNCTION, hiveObj.getObjectName());
 			break;
-	
+
+            case URI:
+                ret = new XaHiveObjectAccessInfo(operType, hiveContext, accessType, HiveObjectType.URI,
hiveObj.getObjectName());
+            break;
+
 			case NONE:
 			break;
 		}
@@ -202,6 +217,9 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 
 			case DFS_URI:
 			case LOCAL_URI:
+                objType = HiveObjectType.URI;
+            break;
+
 			case COMMAND_PARAMS:
 			case GLOBAL:
 			break;
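Review bot: DFS_URI and LOCAL_URI are folded into one HiveObjectType.URI, so the code downstream (isURIAccessAllowed in the last hunk of this page) can no longer tell a local path — presumably on the host running the authorizer — from a DFS path; both are resolved through `FileSystem.get(filePath.toUri(), conf)` and checked for the requesting user's short name. If identical ownership and permission semantics are intended for both kinds, make that explicit at the merge point, e.g. `// both local and DFS paths are checked against whichever file system the URI resolves to`. The enclosing switch starts before this hunk.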
@@ -297,8 +315,9 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 				break;
 
 				case IMPORT:
+				case EXPORT:
 				case LOAD:
-					accessType = HiveAccessType.INSERT;
+					accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.INSERT;
 				break;
 
 				case LOCKDB:
@@ -308,7 +327,6 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 					accessType = HiveAccessType.LOCK;
 				break;
 
-				case EXPORT:
 				case QUERY:
 					accessType = HiveAccessType.SELECT;
 				break;
@@ -364,6 +382,53 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 		return accessType;
 	}
 
+    private boolean isURIAccessAllowed(UserGroupInformation ugi, HiveAccessType accessType,
String uri, HiveConf conf) {
+        boolean ret = false;
+
+        FsAction action = FsAction.NONE;
+
+        switch(accessType) {
+            case ALTER:
+            case CREATE:
+            case UPDATE:
+            case DROP:
+            case INDEX:
+            case INSERT:
+            case LOCK:
+                action = FsAction.WRITE;
+            break;
+
+            case SELECT:
+            case USE:
+                action = FsAction.READ;
+            break;
+
+            case NONE:
+            break;
+        }
+
+        if(action == FsAction.NONE) {
+            ret = true;
+        } else {
+            try {
+                Path       filePath   = new Path(uri);
+                FileSystem fs         = FileSystem.get(filePath.toUri(), conf);
+                Path       path       = FileUtils.getPathOrParentThatExists(fs, filePath);
+                FileStatus fileStatus = fs.getFileStatus(path);
+                String     userName   = ugi.getShortUserName();
+
+                if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, userName)) {
+                    ret = true;
+                } else {
+                    ret = FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName,
action);
+                }
+            } catch(Exception excp) {
+                LOG.error("Error getting permissions for " + uri, excp);
+            }
+        }
+
+        return ret;
+    }
 	private void logAuditEvent(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo,
boolean accessGranted) {
 		
 		HiveAuditEvent auditEvent = new HiveAuditEvent();
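Review bot: The switch over accessType in isURIAccessAllowed has no `default`, so any HiveAccessType value not listed leaves `action` at FsAction.NONE and the method then grants access through `ret = true` at line 339 — fail-open for every future addition to the enum. Adding `default: LOG.warn("Unhandled access type " + accessType + " for " + uri); return false;` keeps the NONE case as the only path that grants without a file-system check. The catch at line 354 correctly fails closed but catches `Exception` broadly; `IOException` from the FileSystem/FileUtils calls plus `IllegalArgumentException` from `new Path(uri)` (which is what a null or malformed URI raises) would keep genuine programming errors visible. A blank line is also missing between the closing brace at line 360 and logAuditEvent, whose body continues past the hunk.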

