RANGER-4670: (hbase plugin) Config to support disabling column authorization for fully authorized column families #417

Open
wants to merge 3 commits into
base: master
Expand Up @@ -51,6 +51,7 @@ public class RangerHadoopConstants {

public static final String HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP = "xasecure.hbase.update.xapolicies.on.grant.revoke";
public static final boolean HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
public static final String HBASE_COLUMN_AUTH_OPTIMIZATION = "ranger.plugin.hbase.column.auth.optimization";

public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_PROP = "knox.authorization.verifier.classname";
public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.knox.RangerAuthorizer";
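Review bot: `HBASE_COLUMN_AUTH_OPTIMIZATION` is declared without a companion default-value constant, unlike the `HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP` / `..._DEFAULT_VALUE` pair directly above it, so the default for a setting that relaxes column authorization is not visible in this class. Because enabling it reduces the checks performed, the default should be off and stated next to the key, e.g. `public static final boolean HBASE_COLUMN_AUTH_OPTIMIZATION_DEFAULT_VALUE = false;`. The code that reads the property is outside this section (the class itself continues beyond the hunk), so confirm there that a missing or malformed value falls back to `false`. A `_PROP` suffix on the key constant would also match the neighbouring names.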
Binary file not shown.
Expand Up @@ -30,11 +30,7 @@
import org.apache.hadoop.thirdparty.com.google.common.collect.Sets;
import org.apache.hadoop.thirdparty.com.google.common.base.MoreObjects;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.policyengine.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand All @@ -47,7 +43,7 @@ public class AuthorizationSession {
final HbaseUserUtils _userUtils = _factory.getUserUtils();
final HbaseAuthUtils _authUtils = _factory.getAuthUtils();
// immutable state
final RangerBasePlugin _authorizer;
final RangerHBasePlugin _authorizer;
// Mutable state: Use supplied state information
String _operation;
String _otherInformation;
Expand All @@ -69,8 +65,8 @@ public class AuthorizationSession {
// internal state per-authorization
RangerAccessRequest _request;
RangerAccessResult _result;
public AuthorizationSession(RangerBasePlugin authorizer) {

public AuthorizationSession(RangerHBasePlugin authorizer) {
_authorizer = authorizer;
}

Expand All @@ -83,12 +79,12 @@ AuthorizationSession otherInformation(String information) {
_otherInformation = information;
return this;
}

AuthorizationSession remoteAddress(String ipAddress) {
_remoteAddress = ipAddress;
return this;
}

AuthorizationSession access(String anAccess) {
_access = anAccess;
return this;
Expand Down Expand Up @@ -127,7 +123,7 @@ AuthorizationSession column(String aColumn) {
}

void verifyBuildable() {

String template = "Internal error: Incomplete/inconsisten state: [%s]. Can't build auth request!";
if (_factory == null) {
String message = String.format(template, "factory is null");
Expand Down Expand Up @@ -174,11 +170,7 @@ boolean isNameSpaceOperation() {
StringUtils.equals(_operation, "getUserPermissionForNamespace");
}

AuthorizationSession buildRequest() {

verifyBuildable();
// session can be reused so reset its state
zapAuthorizationState();
private RangerAccessResource createHBaseResource() {
// TODO get this via a factory instead
RangerAccessResourceImpl resource = new RangerHBaseResource();
// policy engine should deal sensibly with null/empty values, if any
Expand All @@ -189,7 +181,11 @@ AuthorizationSession buildRequest() {
}
resource.setValue(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily);
resource.setValue(RangerHBaseResource.KEY_COLUMN, _column);

return resource;
}

private RangerAccessRequest createRangerRequest() {
RangerAccessResource resource = createHBaseResource();
String user = _userUtils.getUserAsString(_user);
RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, _access, user, _groups, null);
request.setAction(_operation);
Expand All @@ -198,18 +194,25 @@ AuthorizationSession buildRequest() {
request.setResourceMatchingScope(_resourceMatchingScope);
request.setAccessTime(new Date());
request.setIgnoreDescendantDeny(_ignoreDescendantDeny);
_request = request;
return request;
}

AuthorizationSession buildRequest() {
verifyBuildable();
// session can be reused so reset its state
zapAuthorizationState();
_request = createRangerRequest();
if (LOG.isDebugEnabled()) {
LOG.debug("Built request: " + request.toString());
LOG.debug("Built request: " + _request.toString());
}
return this;
}

AuthorizationSession authorize() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> AuthorizationSession.authorize: " + getRequestMessage());
}

if (_request == null) {
String message = String.format("Invalid state transition: buildRequest() must be called before authorize(). This request would ultimately get denied.!");
throw new IllegalStateException(message);
Expand All @@ -223,27 +226,27 @@ AuthorizationSession authorize() {
}
_result = _authorizer.isAccessAllowed(_request, _auditHandler);
}

if (LOG.isDebugEnabled()) {
boolean allowed = isAuthorized();
String reason = getDenialReason();
LOG.debug("<== AuthorizationSession.authorize: " + getLogMessage(allowed, reason));
}
return this;
}

void logCapturedEvents() {
if (_auditHandler != null) {
List<AuthzAuditEvent> events = _auditHandler.getCapturedEvents();
_auditHandler.logAuthzAudits(events);
}
}

void publishResults() throws AccessDeniedException {
if (LOG.isDebugEnabled()) {
LOG.debug("==> AuthorizationSession.publishResults()");
}

boolean authorized = isAuthorized();
if (_auditHandler != null && isAudited()) {
List<AuthzAuditEvent> events = null;
Expand Down Expand Up @@ -284,7 +287,7 @@ void publishResults() throws AccessDeniedException {
LOG.debug("<== AuthorizationSession.publishResults()");
}
}

boolean isAudited() {

boolean audited = false;
Expand Down Expand Up @@ -313,7 +316,7 @@ boolean isAuthorized() {
}
return allowed;
}

String getDenialReason() {
String reason = "";
if (_result == null) {
Expand All @@ -327,20 +330,21 @@ String getDenialReason() {
}
return reason;
}

String requestToString() {
return MoreObjects.toStringHelper(_request.getClass())
.add("operation", _operation)
.add("otherInformation", _otherInformation)
.add("access", _access)
.add("user", _user == null ? null : _user.getName())
.add("groups", _groups)
.add("auditHandler", _auditHandler == null ? null : _auditHandler.getClass().getSimpleName())
.add(RangerHBaseResource.KEY_TABLE, _table)
.add(RangerHBaseResource.KEY_COLUMN, _column)
.add(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily)
.add("resource-matching-scope", _resourceMatchingScope)
.toString();
.add("operation", _operation)
.add("otherInformation", _otherInformation)
.add("access", _access)
.add("user", _user == null ? null : _user.getName())
.add("groups", _groups)
.add("auditHandler", _auditHandler == null ? null : _auditHandler.getClass().getSimpleName())
.add(RangerHBaseResource.KEY_TABLE, _table)
.add(RangerHBaseResource.KEY_COLUMN, _column)
.add(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily)
.add("resource-matching-scope", _resourceMatchingScope)
.add("ignoreDescendantDeny", _ignoreDescendantDeny)
.toString();
}

String getPrintableValue(String value) {
Expand All @@ -350,15 +354,15 @@ String getPrintableValue(String value) {
return "";
}
}

String getRequestMessage() {
String format = "Access[%s] by user[%s] belonging to groups[%s] to table[%s] for column-family[%s], column[%s] triggered by operation[%s], otherInformation[%s]";
String user = _userUtils.getUserAsString();
String message = String.format(format, getPrintableValue(_access), getPrintableValue(user), _groups, getPrintableValue(_table),
getPrintableValue(_columnFamily), getPrintableValue(_column), getPrintableValue(_operation), getPrintableValue(_otherInformation));
return message;
}

String getLogMessage(boolean allowed, String reason) {
String format = " %s: status[%s], reason[%s]";
String message = String.format(format, getRequestMessage(), allowed ? "allowed" : "denied", reason);
Expand All @@ -379,8 +383,13 @@ AuthorizationSession resourceMatchingScope(RangerAccessRequest.ResourceMatchingS
_resourceMatchingScope = scope;
return this;
}

AuthorizationSession ignoreDescendantDeny(boolean ignoreDescendantDeny) {
_ignoreDescendantDeny = ignoreDescendantDeny;
return this;
}
}

public boolean getPropertyIsColumnAuthOptimizationEnabled() {
return _authorizer.getPropertyIsColumnAuthOptimizationEnabled();
}
}
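Review bot: `getPropertyIsColumnAuthOptimizationEnabled()` at the end of the class hands callers a switch that, going by the PR title, lets them skip per-column checks, but nothing in this file documents the precondition for doing so safely. The session also carries `_ignoreDescendantDeny`, which `createRangerRequest()` passes on via `setIgnoreDescendantDeny`; if the family-level decision is taken with that flag set to true and column checks are then skipped, a column-level deny policy would presumably never be evaluated. The call site is not in this section, so that needs confirming there. I would add a Javadoc on the getter along the lines of `/** True when column checks may be skipped for a fully authorized family; the family must have been authorized with ignoreDescendantDeny(false). */` and drop `public` so it is package-private like the other session methods shown here. Narrowing the field and the public constructor from `RangerBasePlugin` to `RangerHBasePlugin` only to reach this getter also changes a public signature; passing the boolean in from the caller would avoid that.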