ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ab...@apache.org
Subject ranger git commit: RANGER-2027: Evaluate grantor's group membership in the plugin for grant/revoke request
Date Sun, 18 Mar 2018 19:44:21 GMT
Repository: ranger
Updated Branches:
  refs/heads/master 57222febb -> a1929a824


RANGER-2027: Evaluate grantor's group membership in the plugin for grant/revoke request


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a1929a82
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a1929a82
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a1929a82

Branch: refs/heads/master
Commit: a1929a82446f5aa8ba662649e9ff3af9e61bec4b
Parents: 57222fe
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Sun Mar 18 09:13:25 2018 -0700
Committer: Abhay Kulkarni <akulkarni@hortonworks.com>
Committed: Sun Mar 18 09:13:25 2018 -0700

----------------------------------------------------------------------
 .../ranger/plugin/util/GrantRevokeRequest.java  | 27 ++++++++++++++++++--
 .../hbase/RangerAuthorizationCoprocessor.java   | 16 ++++++++++++
 .../hive/authorizer/RangerHiveAuthorizer.java   | 19 ++++++++++++++
 .../org/apache/ranger/rest/ServiceREST.java     |  8 +++---
 4 files changed, 64 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index 0c5b2d8..f4fe589 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -44,6 +44,7 @@ public class GrantRevokeRequest implements Serializable {
 	private static final long serialVersionUID = 1L;
 
 	private String              grantor;
+	private Set<String>         grantorGroups;
 	private Map<String, String> resource;
 	private Set<String>         users;
 	private Set<String>         groups;
@@ -59,11 +60,12 @@ public class GrantRevokeRequest implements Serializable {
 	private String              clusterName;
 
 	public GrantRevokeRequest() {
-		this(null, null, null, null, null, null, null, null, null, null, null, null, null, null);
+		this(null, null, null, null, null, null, null, null, null, null, null, null, null, null,
null);
 	}
 
-	public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String>
users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean
enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress,
String clientType, String requestData, String sessionId, String clusterName) {
+	public GrantRevokeRequest(String grantor, Set<String> grantorGroups, Map<String,
String> resource, Set<String> users, Set<String> groups, Set<String>
accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions,
Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String
sessionId, String clusterName) {
 		setGrantor(grantor);
+		setGrantorGroups(grantorGroups);
 		setResource(resource);
 		setUsers(users);
 		setGroups(groups);
@@ -94,6 +96,19 @@ public class GrantRevokeRequest implements Serializable {
 	}
 
 	/**
+	 * @return the grantorGroups
+	 */
+	public Set<String> getGrantorGroups() {
+		return grantorGroups;
+	}
+
+	/**
+	 * @param grantorGroups the grantorGroups to set
+	 */
+	public void setGrantorGroups(Set<String> grantorGroups) {
+		this.grantorGroups = grantorGroups == null ? new HashSet<String>() : grantorGroups;
+	}
+	/**
 	 * @return the resource
 	 */
 	public Map<String, String> getResource() {
@@ -289,6 +304,14 @@ public class GrantRevokeRequest implements Serializable {
 
 		sb.append("grantor={").append(grantor).append("} ");
 
+		sb.append("grantorGroups={");
+		if(grantorGroups != null) {
+			for(String grantorGroup : grantorGroups) {
+				sb.append(grantorGroup).append(" ");
+			}
+		}
+		sb.append("} ");
+
 		sb.append("resource={");
 		if(resource != null) {
 			for(Map.Entry<String, String> e : resource.entrySet()) {

http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 12b675b..d7b4673 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1315,6 +1315,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 
 		User   activeUser = getActiveUser();
 		String grantor    = activeUser != null ? activeUser.getShortName() : null;
+		String[] groups   = activeUser != null ? activeUser.getGroupNames() : null;
+
+		Set<String> grantorGroups = null;
+
+		if (groups != null && groups.length > 0) {
+			grantorGroups = new HashSet<>(Arrays.asList(groups));
+		}
 
 		Map<String, String> mapResource = new HashMap<String, String>();
 		mapResource.put("table", tableName);
@@ -1324,6 +1331,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 		GrantRevokeRequest ret = new GrantRevokeRequest();
 
 		ret.setGrantor(grantor);
+		ret.setGrantorGroups(grantorGroups);
 		ret.setDelegateAdmin(Boolean.FALSE);
 		ret.setEnableAudit(Boolean.TRUE);
 		ret.setReplaceExistingPermissions(Boolean.TRUE);
@@ -1412,6 +1420,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 
 		User   activeUser = getActiveUser();
 		String grantor    = activeUser != null ? activeUser.getShortName() : null;
+		String[] groups   = activeUser != null ? activeUser.getGroupNames() : null;
+
+		Set<String> grantorGroups = null;
+
+		if (groups != null && groups.length > 0) {
+			grantorGroups = new HashSet<>(Arrays.asList(groups));
+		}
 
 		Map<String, String> mapResource = new HashMap<String, String>();
 		mapResource.put("table", tableName);
@@ -1421,6 +1436,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 		GrantRevokeRequest ret = new GrantRevokeRequest();
 
 		ret.setGrantor(grantor);
+		ret.setGrantorGroups(grantorGroups);
 		ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
 		ret.setEnableAudit(Boolean.TRUE);
 		ret.setReplaceExistingPermissions(Boolean.TRUE);

http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2c2a518..780afac 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -20,8 +20,10 @@
 package org.apache.ranger.authorization.hive.authorizer;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -1363,6 +1365,22 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase
{
 		return grantor;
 	}
 
+	private Set<String> getGrantorGroupNames(HivePrincipal grantorPrincipal) {
+		Set<String> ret = null;
+
+		String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;
+
+		UserGroupInformation ugi = StringUtil.isEmpty(grantor) ? this.getCurrentUserGroupInfo()
: UserGroupInformation.createRemoteUser(grantor);
+
+		String[] groups = ugi != null ? ugi.getGroupNames() : null;
+
+		if (groups != null && groups.length > 0) {
+			ret = new HashSet<>(Arrays.asList(groups));
+		}
+
+		return ret;
+	}
+
 	private GrantRevokeRequest createGrantRevokeData(RangerHiveResource  resource,
 													 List<HivePrincipal> hivePrincipals,
 													 List<HivePrivilege> hivePrivileges,
@@ -1382,6 +1400,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		GrantRevokeRequest ret = new GrantRevokeRequest();
 
 		ret.setGrantor(getGrantorUsername(grantorPrincipal));
+		ret.setGrantorGroups(getGrantorGroupNames(grantorPrincipal));
 		ret.setDelegateAdmin(grantOption ? Boolean.TRUE : Boolean.FALSE);
 		ret.setEnableAudit(Boolean.TRUE);
 		ret.setReplaceExistingPermissions(Boolean.FALSE);

http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index dad8a97..3642252 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1066,7 +1066,7 @@ public class ServiceREST {
 
 					validateGrantRevokeRequest(grantRequest);
 					String               userName   = grantRequest.getGrantor();
-					Set<String>          userGroups = userMgr.getGroupsForUser(userName);
+					Set<String>          userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups())
? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
 	
 					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1163,7 +1163,7 @@ public class ServiceREST {
 					validateGrantRevokeRequest(grantRequest);
 
 					String               userName   = grantRequest.getGrantor();
-					Set<String>          userGroups = userMgr.getGroupsForUser(userName);
+					Set<String>          userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups())
? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
 					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 
@@ -1278,7 +1278,7 @@ public class ServiceREST {
 					validateGrantRevokeRequest(revokeRequest);
 
 					String               userName   = revokeRequest.getGrantor();
-					Set<String>          userGroups =  userMgr.getGroupsForUser(userName);
+					Set<String>          userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups())
? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
 
 					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1339,7 +1339,7 @@ public class ServiceREST {
 					validateGrantRevokeRequest(revokeRequest);
 
 					String               userName   = revokeRequest.getGrantor();
-					Set<String>          userGroups =  userMgr.getGroupsForUser(userName);
+					Set<String>          userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups())
? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
 					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 					boolean isAllowed = false;


Mime
View raw message