From sneet...@apache.org
Subject [09/10] incubator-ranger git commit: RANGER-524 hbase shell list command should prune the list of tables returned based on user's access
Date Wed, 03 Jun 2015 10:28:56 GMT
RANGER-524 hbase shell list command should prune the list of tables returned based on user's
access

Signed-off-by: Madhan Neethiraj <madhan@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e0261055
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e0261055
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e0261055

Branch: refs/heads/ranger-0.5
Commit: e0261055d86b6c09f23b2773e0ee2470fe08aac7
Parents: 4c45671
Author: Alok Lal <alal@hortonworks.com>
Authored: Tue Jun 2 23:10:51 2015 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Tue Jun 2 23:41:42 2015 -0700

----------------------------------------------------------------------
 .../hbase/AuthorizationSession.java             |  9 +++-
 .../hbase/RangerAuthorizationCoprocessor.java   | 47 ++++++++++++++++----
 .../RangerAuthorizationCoprocessorBase.java     | 12 ++---
 3 files changed, 54 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index 46ed758..e0b652e 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -29,8 +29,8 @@ import org.apache.hadoop.hbase.security.User;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 
 import com.google.common.base.Objects;
@@ -204,6 +204,13 @@ public class AuthorizationSession {
 		return this;
 	}
 	
+	void logCapturedEvents() {
+		if (_auditHandler != null) {
+			List<AuthzAuditEvent> events = _auditHandler.getCapturedEvents();
+			_auditHandler.logAuthzAudits(events);
+		}
+	}
+	
 	void publishResults() throws AccessDeniedException {
 
 		boolean authorized = isAuthorized();
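Review bot: `logCapturedEvents()` has no doc comment and nothing in the method states whether `_auditHandler` still holds the events after `logAuthzAudits(events)` returns, so a caller that keeps using the session could end up logging the same events twice. A comment such as `/** Flushes every audit event the handler has captured so far; callers that filter results must discard the events of rejected entries before calling this. */` would pin the contract, and whether the handler clears its buffer on logging should be confirmed against HbaseAuditHandler, which is not part of this diff. publishResults begins on the hunk's last lines and continues outside it.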

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 3a67dd9..fd93332 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -37,7 +37,6 @@ import java.util.Set;
 import java.util.TimeZone;
 
 import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -980,17 +979,49 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
NamespaceDescriptor ns) throws IOException {
 		requireGlobalPermission("modifyNamespace", ns.getName(), Action.ADMIN);
 	}
+
 	@Override
-	public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
List<TableName> tableNamesList,  List<HTableDescriptor> descriptors) throws IOException
{
-		if (tableNamesList == null || tableNamesList.isEmpty()) { // If the list is empty, this
is a request for all table descriptors and requires GLOBAL ADMIN privs.
-			requireGlobalPermission("getTableDescriptors", WILDCARD, Action.ADMIN);
-		} else { // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables,
the request can be granted.
-			for (TableName tableName: tableNamesList) {
-				requirePermission("getTableDescriptors", tableName.getName(), null, null, Action.CREATE);
+	public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment>
ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String
regex) throws IOException {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s,
regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
+					descriptors == null ? 0 : descriptors.size(), regex));
+		}
+
+		if (CollectionUtils.isNotEmpty(descriptors)) {
+			// Retains only those which passes authorization checks
+			User user = getActiveUser();
+			String access = _authUtils.getAccess(Action.CREATE);
+			HbaseAuditHandler auditHandler = _factory.getAuditHandler();  // this will accumulate
audits for all tables that succeed.
+			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
+				.operation("getTableDescriptors")
+				.otherInformation("regex=" + regex)
+				.remoteAddress(getRemoteAddress())
+				.auditHandler(auditHandler)
+				.user(user)
+				.access(access);
+	
+			Iterator<HTableDescriptor> itr = descriptors.iterator();
+			while (itr.hasNext()) {
+				HTableDescriptor htd = itr.next();
+				String tableName = htd.getTableName().getNameAsString();
+				session.table(tableName).buildRequest().authorize();
+				if (!session.isAuthorized()) {
+					itr.remove();
+					auditHandler.discardMostRecentEvent();
+				}
 			}
+			if (descriptors.size() > 0) {
+				session.logCapturedEvents();
+			}
+		}
+		
+		if (LOG.isDebugEnabled()) {
+			LOG.debug(String.format("<== postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s,
regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
+					descriptors == null ? 0 : descriptors.size(), regex));
 		}
 	}
-	@Override
+
+    @Override
 	public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx, Region
regionA, Region regionB) throws IOException {
 		requirePermission("mergeRegions", regionA.getTableDesc().getTableName().getName(), null,
null, Action.ADMIN);
 	}
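Review bot: `auditHandler.discardMostRecentEvent()` in the denied branch of the pruning loop assumes that the preceding `session.table(tableName).buildRequest().authorize()` captured exactly one event for that table; if the handler captured none for a denied check (audit suppressed by the matching policy, say), the discard would instead drop the event of the previously authorized table, so the assumption should be stated or guarded, e.g. by comparing the captured-event count before and after `authorize()`. Whether HbaseAuditHandler can capture zero events for a request is not visible here and needs confirming. The same two lines also mean denied entries of a list call are never audited at all, which is presumably intended for a listing but deserves a comment such as `// denied tables are pruned silently: their audit event is discarded and no deny audit is emitted`. Minor: `if (descriptors.size() > 0)` reads better as `if (!descriptors.isEmpty())`, and the `@Override` added before preMerge is indented with spaces while the rest of this file uses tabs.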

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
index b9076b0..31f9e22 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
@@ -225,11 +225,13 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
     public void postReplicateLogEntries(final ObserverContext<RegionServerCoprocessorEnvironment>
ctx, List<WALEntry> entries, CellScanner cells) throws IOException {
     }
 
-    public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment>
ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String
regex) throws IOException {
-    }
-
-    public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment>
ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String
regex) throws IOException {
-    }
+	@Override
+	public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
List<TableName> tableNamesList,  List<HTableDescriptor> descriptors) throws IOException
{
+	}
+	
+	@Override
+	public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex)
throws IOException {
+	}
 
     public  void preGetTableNames(ObserverContext<MasterCoprocessorEnvironment> ctx,
List<HTableDescriptor> descriptors, String regex) throws IOException {
     }
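Review bot: The two new empty `preGetTableDescriptors` overrides give no hint that the enforcement they used to carry now lives in the subclass's `postGetTableDescriptors`, so a reader of the base class sees a pre-hook that authorizes nothing. A one-line comment in each body, `// intentionally a no-op: table descriptors are authorized and pruned in postGetTableDescriptors`, would make that explicit. Removing the no-op `postGetTableDescriptors` here means the base class now relies on the parent observer's default for that hook, which is fine as long as the subclass override stays in place. Style: the added methods are indented with tabs while the neighbouring methods in this file (postReplicateLogEntries, preGetTableNames) use four spaces.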

