ranger-commits mailing list archives

From mad...@apache.org
Subject [1/3] git commit: ARGUS-39: hbase:meta table is now added to special table list. Get/Scan access to these tables will not be audited. Audit log updated to include client ip-address when available.
Date Tue, 16 Sep 2014 20:58:27 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master a4ec210ed -> 26705298b


ARGUS-39: hbase:meta table is now added to special table list. Get/Scan
access to these tables will not be audited. Audit log updated to include
client ip-address when available.

Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/830c6212
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/830c6212
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/830c6212

Branch: refs/heads/master
Commit: 830c62124c02c6d323555cabbe460b388b950f0c
Parents: d3e9ad6
Author: mneethiraj <mneethiraj@hortonworks.com>
Authored: Tue Sep 16 00:01:26 2014 -0700
Committer: mneethiraj <mneethiraj@hortonworks.com>
Committed: Tue Sep 16 00:01:26 2014 -0700

----------------------------------------------------------------------
 .../hbase/XaSecureAuthorizationCoprocessor.java | 36 +++++++++++++++-----
 .../security/access/XaAccessControlLists.java   |  5 ++-
 2 files changed, 31 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/830c6212/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
b/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
index c078dfd..db70d2a 100644
--- a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java
@@ -31,6 +31,7 @@
   */
 package com.xasecure.authorization.hbase;
 import java.io.IOException;
+import java.net.InetAddress;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Calendar;
@@ -44,7 +45,7 @@ import java.util.Map;
 import java.util.NavigableSet;
 import java.util.Set;
 import java.util.TimeZone;
-
+
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -98,7 +99,7 @@ import org.apache.hadoop.hbase.security.access.UserPermission;
 import org.apache.hadoop.hbase.security.access.XaAccessControlLists;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.Pair;
-
+
 import com.google.common.collect.Lists;
 import com.google.common.collect.MapMaker;
 import com.google.common.collect.Maps;
@@ -173,7 +174,7 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 		return isSpecialTable(Bytes.toString(tableName));
 	}
 	protected boolean isSpecialTable(String tableNameStr) {
-		return tableNameStr.equals("-ROOT-") || tableNameStr.equals(".META.");
+		return tableNameStr.equals("hbase:meta") ||  tableNameStr.equals("-ROOT-") || tableNameStr.equals(".META.");
 	}
 	@SuppressWarnings("unused")
 	private String getUser() {
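Review bot: `isSpecialTable(String)` dereferences `tableNameStr` without a null check, and this commit starts calling the `byte[]` overload from the `finally` blocks in the scannerClose and scannerOpen hunks further down. If `getTableName(...)` can return null there (not visible in this diff) and `Bytes.toString` passes the null through, the resulting NullPointerException would escape the `finally` and replace whatever the `try` body raised. Putting the literals first avoids that: `return "hbase:meta".equals(tableNameStr) || "-ROOT-".equals(tableNameStr) || ".META.".equals(tableNameStr);`.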
@@ -186,7 +187,7 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 		}
 	}
 	private User getActiveUser() {
-		User user = RequestContext.getRequestUser();
+		User user = RequestContext.getRequestUser();
 		if (!RequestContext.isInRequestContext()) {
 			// for non-rpc handling, fallback to system user
 			try {
@@ -197,7 +198,16 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 			}
 		}
 		return user;
-	}
+	}
+	
+	private String getRemoteAddress() {
+		RequestContext reqContext = RequestContext.get();
+		InetAddress    remoteAddr = reqContext != null ? reqContext.getRemoteAddress() : null;
+		String         strAddr    = remoteAddr != null ? remoteAddr.getHostAddress() : null;
+
+		return strAddr;
+	}
+
 	// Methods that are used within the CoProcessor 
 	private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
 		if (RequestContext.isInRequestContext()) {
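Review bot: `getRemoteAddress()` needs a comment stating what the returned address represents, because the last hunk of this file feeds it into the audit record through `setClientIP`. As written it returns the address from the current `RequestContext`, or null when there is no context or no remote address. When requests arrive through an intermediate gateway this is presumably the gateway's address rather than the end user's, which matters to anyone correlating audit entries during an investigation. A one-line Javadoc would do: `/** Returns the IP of the RPC peer for the current request, or null when unavailable; may be a proxy's address. */`. The three temporaries could also be collapsed so the method returns the expression directly.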
@@ -479,7 +489,11 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 		try {
 			scannerOwners.remove(s);
 		} finally {
-			auditEvent("scannerClose", getTableName(c.getEnvironment()), null, null, null, null, getActiveUser(),
accessGrantedFlag);
+			byte[] tableName = getTableName(c.getEnvironment());
+
+			if (!isSpecialTable(tableName)) {
+				auditEvent("scannerClose", tableName, null, null, null, null, getActiveUser(), accessGrantedFlag);
+			}
 		}
 	}
 	@Override
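Review bot: The `!isSpecialTable(tableName)` guard in this `finally` block drops the scannerClose audit record for every caller, so a scan of `hbase:meta`, `-ROOT-` or `.META.` by an ordinary user leaves no close entry. The scannerOpen hunk below has the same guard. The commit message gives the intent as not auditing Get/Scan on these tables, but the code carries no comment saying so, and this diff does not show whether denied access to them is still recorded elsewhere. I would add a comment at both guards, e.g. `// catalog-table scans are intentionally not audited (ARGUS-39)`, and consider a debug-level log line so the events stay recoverable when needed. The enclosing method starts outside the hunk.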
@@ -489,8 +503,12 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 			if (user != null && user.getShortName() != null) {
 				scannerOwners.put(s, user.getShortName());
 			}
-		} finally {
-			auditEvent("scannerOpen", getTableName(c.getEnvironment()), null, null, null, null, getActiveUser(),
accessGrantedFlag);
+		} finally {
+			byte[] tableName = getTableName(c.getEnvironment());
+
+			if (!isSpecialTable(tableName)) {
+				auditEvent("scannerOpen", tableName, null, null, null, null, getActiveUser(), accessGrantedFlag);
+			}
 		}
 		return s;
 	}
@@ -866,7 +884,7 @@ public class XaSecureAuthorizationCoprocessor extends XaSecureAuthorizationCopro
 			auditEvent.setAccessType(eventName);
 			auditEvent.setUser(user == null ? XaSecureHadoopConstants.AUDITLOG_EMPTY_STRING  : user.getShortName());
 			auditEvent.setAccessResult(accessFlag);
-			auditEvent.setClientIP(null); // TODO:
+			auditEvent.setClientIP(getRemoteAddress());
 			auditEvent.setEventTime(getUTCDate());
 			auditEvent.setRepositoryType(EnumRepositoryType.HBASE);
 			auditEvent.setRepositoryName(repositoryName);
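Review bot: `auditEvent.setClientIP(getRemoteAddress())` can pass null, while the `setUser` call just above substitutes `XaSecureHadoopConstants.AUDITLOG_EMPTY_STRING` for a missing user. If downstream audit consumers expect the same placeholder for absent fields (not visible here), mirror it: `String clientIp = getRemoteAddress();` followed by `auditEvent.setClientIP(clientIp == null ? XaSecureHadoopConstants.AUDITLOG_EMPTY_STRING : clientIp);`. The enclosing method begins and ends outside this hunk.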

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/830c6212/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
b/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
index 5f23598..5c337bb 100644
--- a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
+++ b/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/XaAccessControlLists.java
@@ -20,11 +20,14 @@ package org.apache.hadoop.hbase.security.access;
 
 import java.io.IOException;
 
+import org.apache.hadoop.hbase.catalog.MetaReader;
 import org.apache.hadoop.hbase.master.MasterServices;
 import org.apache.hadoop.hbase.security.access.AccessControlLists;
 
 public class XaAccessControlLists {
 	public static void init(MasterServices master) throws IOException {
-		AccessControlLists.init(master);
+	    if (!MetaReader.tableExists(master.getCatalogTracker(), AccessControlLists.ACL_TABLE_NAME))
{
+			AccessControlLists.init(master);
+	    }
 	}
 }
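Review bot: The new existence check in `init` has no comment explaining why `AccessControlLists.init(master)` must be skipped when the ACL table is already present, and the public method has no Javadoc. Presumably `init` creates the table and would fail when it already exists, for example on a master restart. Stating that keeps a later cleanup from removing the guard, e.g. `// only create the ACL table when it is missing; it already exists after the first start`. The added `if` and closing brace are also indented with a tab plus spaces, while the surrounding lines use tabs only.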

