Return-Path: 
 <commits-return-1506-apmail-ranger-commits-archive=ranger.apache.org@ranger.incubator.apache.org>
X-Original-To: apmail-ranger-commits-archive@www.apache.org
Delivered-To: apmail-ranger-commits-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id DBD45177F8
	for <apmail-ranger-commits-archive@www.apache.org>;
 Wed,  3 Jun 2015 10:28:58 +0000 (UTC)
Received: (qmail 821 invoked by uid 500); 3 Jun 2015 10:28:58 -0000
Delivered-To: apmail-ranger-commits-archive@ranger.apache.org
Received: (qmail 795 invoked by uid 500); 3 Jun 2015 10:28:58 -0000
Mailing-List: contact commits-help@ranger.incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@ranger.incubator.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@ranger.incubator.apache.org>
List-Post: <mailto:commits@ranger.incubator.apache.org>
List-Id: <commits.ranger.incubator.apache.org>
Reply-To: dev@ranger.incubator.apache.org
Delivered-To: mailing list commits@ranger.incubator.apache.org
Received: (qmail 756 invoked by uid 99); 3 Jun 2015 10:28:58 -0000
Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jun 2015 10:28:58 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org)
 with ESMTP id 5CA651802E8
	for <commits@ranger.apache.org>; Wed,  3 Jun 2015 10:28:58 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 1.771
X-Spam-Level: *
X-Spam-Status: No, score=1.771 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1,
	RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
	T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=disabled
Received: from mx1-us-east.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new,
 port 10024)
	with ESMTP id 1qkJCdFL5llh for <commits@ranger.apache.org>;
	Wed,  3 Jun 2015 10:28:51 +0000 (UTC)
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by mx1-us-east.apache.org (ASF Mail Server at mx1-us-east.apache.org) with
 SMTP id 7201343E5C
	for <commits@ranger.incubator.apache.org>;
 Wed,  3 Jun 2015 10:28:49 +0000 (UTC)
Received: (qmail 141 invoked by uid 99); 3 Jun 2015 10:28:48 -0000
Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org)
 (140.211.11.23)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jun 2015 10:28:48 +0000
Received: by git1-us-west.apache.org (ASF Mail Server at
 git1-us-west.apache.org, from userid 33)
	id B9567E01CA; Wed,  3 Jun 2015 10:28:48 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: sneethir@apache.org
To: commits@ranger.incubator.apache.org
Date: Wed, 03 Jun 2015 10:28:56 -0000
Message-Id: <abe87b8e5d5343e599ba99a5326995ed@git.apache.org>
In-Reply-To: <94825217671c4763850b09cc73d95089@git.apache.org>
References: <94825217671c4763850b09cc73d95089@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [09/10] incubator-ranger git commit: RANGER-524 hbase shell list
 command should prune the list of tables returned based on user's access

RANGER-524 hbase shell list command should prune the list of tables returned based on user's access

Signed-off-by: Madhan Neethiraj <madhan@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e0261055
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e0261055
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e0261055

Branch: refs/heads/ranger-0.5
Commit: e0261055d86b6c09f23b2773e0ee2470fe08aac7
Parents: 4c45671
Author: Alok Lal <alal@hortonworks.com>
Authored: Tue Jun 2 23:10:51 2015 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Tue Jun 2 23:41:42 2015 -0700

----------------------------------------------------------------------
 .../hbase/AuthorizationSession.java             |  9 +++-
 .../hbase/RangerAuthorizationCoprocessor.java   | 47 ++++++++++++++++----
 .../RangerAuthorizationCoprocessorBase.java     | 12 ++---
 3 files changed, 54 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index 46ed758..e0b652e 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -29,8 +29,8 @@ import org.apache.hadoop.hbase.security.User;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 
 import com.google.common.base.Objects;
@@ -204,6 +204,13 @@ public class AuthorizationSession {
 		return this;
 	}
 	
+	void logCapturedEvents() {
+		if (_auditHandler != null) {
+			List<AuthzAuditEvent> events = _auditHandler.getCapturedEvents();
+			_auditHandler.logAuthzAudits(events);
+		}
+	}
+	
 	void publishResults() throws AccessDeniedException {
 
 		boolean authorized = isAuthorized();

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 3a67dd9..fd93332 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -37,7 +37,6 @@ import java.util.Set;
 import java.util.TimeZone;
 
 import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -980,17 +979,49 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, NamespaceDescriptor ns) throws IOException {
 		requireGlobalPermission("modifyNamespace", ns.getName(), Action.ADMIN);
 	}
+
 	@Override
-	public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList,  List<HTableDescriptor> descriptors) throws IOException {
-		if (tableNamesList == null || tableNamesList.isEmpty()) { // If the list is empty, this is a request for all table descriptors and requires GLOBAL ADMIN privs.
-			requireGlobalPermission("getTableDescriptors", WILDCARD, Action.ADMIN);
-		} else { // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the request can be granted.
-			for (TableName tableName: tableNamesList) {
-				requirePermission("getTableDescriptors", tableName.getName(), null, null, Action.CREATE);
+	public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
+					descriptors == null ? 0 : descriptors.size(), regex));
+		}
+
+		if (CollectionUtils.isNotEmpty(descriptors)) {
+			// Retains only those which passes authorization checks
+			User user = getActiveUser();
+			String access = _authUtils.getAccess(Action.CREATE);
+			HbaseAuditHandler auditHandler = _factory.getAuditHandler();  // this will accumulate audits for all tables that succeed.
+			AuthorizationSession session = new AuthorizationSession(hbasePlugin)
+				.operation("getTableDescriptors")
+				.otherInformation("regex=" + regex)
+				.remoteAddress(getRemoteAddress())
+				.auditHandler(auditHandler)
+				.user(user)
+				.access(access);
+	
+			Iterator<HTableDescriptor> itr = descriptors.iterator();
+			while (itr.hasNext()) {
+				HTableDescriptor htd = itr.next();
+				String tableName = htd.getTableName().getNameAsString();
+				session.table(tableName).buildRequest().authorize();
+				if (!session.isAuthorized()) {
+					itr.remove();
+					auditHandler.discardMostRecentEvent();
+				}
 			}
+			if (descriptors.size() > 0) {
+				session.logCapturedEvents();
+			}
+		}
+		
+		if (LOG.isDebugEnabled()) {
+			LOG.debug(String.format("<== postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
+					descriptors == null ? 0 : descriptors.size(), regex));
 		}
 	}
-	@Override
+
+    @Override
 	public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx, Region regionA, Region regionB) throws IOException {
 		requirePermission("mergeRegions", regionA.getTableDesc().getTableName().getName(), null, null, Action.ADMIN);
 	}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
index b9076b0..31f9e22 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
@@ -225,11 +225,13 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
     public void postReplicateLogEntries(final ObserverContext<RegionServerCoprocessorEnvironment> ctx, List<WALEntry> entries, CellScanner cells) throws IOException {
     }
 
-    public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException {
-    }
-
-    public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException {
-    }
+	@Override
+	public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList,  List<HTableDescriptor> descriptors) throws IOException {
+	}
+	
+	@Override
+	public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException {
+	}
 
     public  void preGetTableNames(ObserverContext<MasterCoprocessorEnvironment> ctx, List<HTableDescriptor> descriptors, String regex) throws IOException {
     }