ranger-commits mailing list archives

From a...@apache.org
Subject incubator-ranger git commit: RANGER-802 HBase plugin: Implement the new methods added to MasterObservers Interface and mimic their implementation in Hbase AccessController
Date Mon, 22 Feb 2016 20:31:31 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master b1e1135b6 -> edc4f2b6e


RANGER-802 HBase plugin: Implement the new methods added to MasterObservers Interface and
mimic their implementation in Hbase AccessController


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/edc4f2b6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/edc4f2b6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/edc4f2b6

Branch: refs/heads/master
Commit: edc4f2b6eab3dc3637788c0be21213be94ade17e
Parents: b1e1135
Author: Alok Lal <alok@apache.org>
Authored: Thu Jan 7 15:54:12 2016 -0800
Committer: Alok Lal <alok@apache.org>
Committed: Mon Feb 22 12:30:18 2016 -0800

----------------------------------------------------------------------
 .../hbase/RangerAuthorizationCoprocessor.java   | 50 +++++++++++--
 .../RangerAuthorizationCoprocessorBase.java     | 10 +++
 pom.xml                                         |  2 +-
 .../hbase/RangerAuthorizationCoprocessor.java   | 75 ++++++++++++++++++++
 4 files changed, 129 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 8762bf5..c40b7de 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -46,6 +46,7 @@ import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
+import org.apache.hadoop.hbase.ProcedureInfo;
 import org.apache.hadoop.hbase.ServerName;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Append;
@@ -67,6 +68,8 @@ import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp;
 import org.apache.hadoop.hbase.filter.Filter;
 import org.apache.hadoop.hbase.filter.FilterList;
 import org.apache.hadoop.hbase.ipc.RpcServer;
+import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv;
+import org.apache.hadoop.hbase.procedure2.ProcedureExecutor;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.ResponseConverter;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
@@ -651,6 +654,10 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 		authorizeAccess(request, objName, action, null, null, null);
 	}
 
+	protected void requirePermission(String request, Permission.Action action) throws AccessDeniedException
{
+		requirePermission(request, null, action);
+	}
+
 	protected void requirePermission(String request, byte[] tableName, Permission.Action action)
throws AccessDeniedException {
 		String table = Bytes.toString(tableName);
 
@@ -710,11 +717,11 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	}
 	@Override
 	public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException
{
-		requirePermission("balance", null, Permission.Action.ADMIN);
+		requirePermission("balance", Permission.Action.ADMIN);
 	}
 	@Override
 	public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, boolean
newValue) throws IOException {
-		requirePermission("balanceSwitch", null, Permission.Action.ADMIN);
+		requirePermission("balanceSwitch", Permission.Action.ADMIN);
 		return newValue;
 	}
 	@Override
@@ -741,7 +748,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	}
 	@Override
 	public void preCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription
snapshot, HTableDescriptor hTableDescriptor) throws IOException {
-		requirePermission("cloneSnapshot", null, Permission.Action.ADMIN);
+		requirePermission("cloneSnapshot", Permission.Action.ADMIN);
 	}
 	@Override
 	public void preClose(ObserverContext<RegionCoprocessorEnvironment> e, boolean abortRequested)
throws IOException {
@@ -771,7 +778,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	}
 	@Override
 	public void preDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription
snapshot) throws IOException {
-		requirePermission("deleteSnapshot", null, Permission.Action.ADMIN);
+		requirePermission("deleteSnapshot", Permission.Action.ADMIN);
 	}
 	@Override
 	public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName
tableName) throws IOException {
@@ -822,6 +829,35 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region,
ServerName srcServer, ServerName destServer) throws IOException {
 		requirePermission("move", region.getTable().getName() , null, null, Action.ADMIN);
 	}
+
+	@Override
+	public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext,
ProcedureExecutor<MasterProcedureEnv> procEnv, long procId) throws IOException {
+		if(!procEnv.isProcedureOwner(procId, this.getActiveUser())) {
+			requirePermission("abortProcedure", Action.ADMIN);
+		}
+	}
+
+	@Override
+	public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext,
List<ProcedureInfo> procInfoList) throws IOException {
+		if(!procInfoList.isEmpty()) {
+			Iterator itr = procInfoList.iterator();
+			User user = this.getActiveUser();
+
+			while(itr.hasNext()) {
+				ProcedureInfo procInfo = (ProcedureInfo)itr.next();
+
+				try {
+					if(!ProcedureInfo.isProcedureOwner(procInfo, user)) {
+						requirePermission("listProcedures", Action.ADMIN);
+					}
+				} catch (AccessDeniedException var7) {
+					itr.remove();
+				}
+			}
+
+		}
+	}
+
 	@Override
 	public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException
{
 		RegionCoprocessorEnvironment env = e.getEnvironment();
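Review bot: In postListProcedures the ADMIN check inside the loop does not depend on the procedure being examined, yet it is re-run for every procedure the caller does not own, with AccessDeniedException used as the filter signal. For a non-admin caller that means one policy evaluation per foreign procedure on a plain listing call, and one denied audit record each if requirePermission audits denials (not visible in this hunk, worth confirming). Evaluating the check at most once and reusing the result keeps the same filtering; the raw `Iterator` with its cast and the decompiler-style name `var7` can be cleaned up at the same time. preAbortProcedure passes `getActiveUser()` straight to `isProcedureOwner`; whether that value can be null for internally initiated calls is not shown here and should be checked.

```java
	public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<ProcedureInfo> procInfoList) throws IOException {
		if (procInfoList.isEmpty()) {
			return;
		}
		User user = this.getActiveUser();
		Boolean isAdmin = null; // resolved lazily, at most once per call
		Iterator<ProcedureInfo> itr = procInfoList.iterator();
		while (itr.hasNext()) {
			if (ProcedureInfo.isProcedureOwner(itr.next(), user)) {
				continue; // owners always see their own procedures
			}
			if (isAdmin == null) {
				try {
					requirePermission("listProcedures", Action.ADMIN);
					isAdmin = Boolean.TRUE;
				} catch (AccessDeniedException ignored) {
					// not an admin: procedures owned by others are dropped from the result
					isAdmin = Boolean.FALSE;
				}
			}
			if (!isAdmin) {
				itr.remove();
			}
		}
	}
```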
@@ -884,7 +920,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	}
 	@Override
 	public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException
{
-		requirePermission("shutdown", null, Permission.Action.ADMIN);
+		requirePermission("shutdown", Permission.Action.ADMIN);
 	}
 	@Override
 	public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription
snapshot, HTableDescriptor hTableDescriptor) throws IOException {
@@ -896,11 +932,11 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	}
 	@Override
 	public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws
IOException {
-		requirePermission("stopMaster", null, Permission.Action.ADMIN);
+		requirePermission("stopMaster", Permission.Action.ADMIN);
 	}
 	@Override
 	public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment>
env) throws IOException {
-		requirePermission("stop", null, Permission.Action.ADMIN);
+		requirePermission("stop", Permission.Action.ADMIN);
 	}
 	@Override
 	public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo
regionInfo, boolean force) throws IOException {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
index 9a5bf05..3b489af 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java
@@ -425,6 +425,16 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser
 		// Not applicable.  Expected to be empty
 	}
 
+	@Override
+	public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext)
throws IOException {
+
+	}
+
+	@Override
+	public void preListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext)
throws IOException {
+
+	}
+
 	public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final String userName, final Quotas quotas) throws IOException {
   }
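Review bot: The two new empty overrides, postAbortProcedure and preListProcedures, carry no comment, unlike the method just above them, which says `// Not applicable.  Expected to be empty`. For preListProcedures the empty body is an authorization decision rather than an omission: nothing is checked before listing, and the result is filtered per caller in the subclass's postListProcedures added elsewhere in this commit. A line such as `// No check here: the list is filtered per caller in postListProcedures` would make that explicit. postAbortProcedure can reuse the existing `// Not applicable.  Expected to be empty` wording.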

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 3835fb4..27f6d7f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -143,7 +143,7 @@
         <hadoop.version>2.7.0</hadoop.version>
         <htrace-core.version>3.1.0-incubating</htrace-core.version>
         <hamcrest.all.version>1.3</hamcrest.all.version>
-        <hbase.version>1.1.0</hbase.version>
+        <hbase.version>1.1.3</hbase.version>
         <hive.version>1.2.0</hive.version>
         <storm.version>0.9.2-incubating</storm.version>
         <httpcomponent.httpmime.version>4.2.5</httpcomponent.httpmime.version>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 7c45fd0..8218f62 100644
--- a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -34,6 +34,7 @@ import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
+import org.apache.hadoop.hbase.ProcedureInfo;
 import org.apache.hadoop.hbase.ServerName;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Append;
@@ -60,6 +61,8 @@ import org.apache.hadoop.hbase.io.FSDataInputStreamWrapper;
 import org.apache.hadoop.hbase.io.Reference;
 import org.apache.hadoop.hbase.io.hfile.CacheConfig;
 import org.apache.hadoop.hbase.master.RegionPlan;
+import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv;
+import org.apache.hadoop.hbase.procedure2.ProcedureExecutor;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.CheckPermissionsRequest;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.CheckPermissionsResponse;
@@ -3094,6 +3097,78 @@ public class RangerAuthorizationCoprocessor implements MasterObserver,
RegionObs
 	}
 
 	@Override
+	public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext,
ProcedureExecutor<MasterProcedureEnv> procEnv, long procId) throws IOException {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAuthorizationCoprocessor.preAbortProcedure()");
+		}
+
+		try {
+			activatePluginClassLoader();
+			implMasterObserver.preAbortProcedure(observerContext, procEnv, procId);
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAuthorizationCoprocessor.preAbortProcedure()");
+		}
+	}
+
+	@Override
+	public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext)
throws IOException {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAuthorizationCoprocessor.postAbortProcedure()");
+		}
+
+		try {
+			activatePluginClassLoader();
+			implMasterObserver.postAbortProcedure(observerContext);
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAuthorizationCoprocessor.postAbortProcedure()");
+		}
+	}
+
+	@Override
+	public void preListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext)
throws IOException {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAuthorizationCoprocessor.preListProcedures()");
+		}
+
+		try {
+			activatePluginClassLoader();
+			implMasterObserver.preListProcedures(observerContext);
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAuthorizationCoprocessor.preListProcedures()");
+		}
+	}
+
+	@Override
+	public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext,
List<ProcedureInfo> procInfoList) throws IOException {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAuthorizationCoprocessor.postListProcedures()");
+		}
+
+		try {
+			activatePluginClassLoader();
+			implMasterObserver.postListProcedures(observerContext, procInfoList);
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAuthorizationCoprocessor.postListProcedures()");
+		}
+	}
+
+	@Override
 	public void postAssign(ObserverContext<MasterCoprocessorEnvironment> ctx, HRegionInfo
regionInfo) throws IOException {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postAssign()");
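Review bot: The `<==` exit trace in each of the four new wrappers sits after the try/finally, so it is skipped whenever the delegate throws, which for preAbortProcedure is exactly the access-denied path. If the entry/exit pairs are meant to bracket every call in debug logs, move the exit log into the `finally` block, right after `deactivatePluginClassLoader();`. The existing wrappers appear to use the same layout (postAssign opens the same way and continues outside the hunk), so this may be better handled file-wide than in these four methods alone.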

