Repository: incubator-hawq Updated Branches: refs/heads/ranger b22d20887 -> 125d013d3
Package oids inside one query to requestt RPS. Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/125d013d Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/125d013d Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/125d013d Branch: refs/heads/ranger Commit: 125d013d317fa46c7ea1904788a803b91e9a3f8b Parents: b22d208 Author: xunzhang <[email protected]> Authored: Mon Dec 5 19:12:18 2016 +0800 Committer: xunzhang <[email protected]> Committed: Mon Dec 5 19:12:18 2016 +0800 ---------------------------------------------------------------------- src/backend/catalog/aclchk.c | 49 ++++++++++++++++++- src/backend/cdb/cdbutil.c | 1 + src/backend/libpq/rangerrest.c | 4 ++ src/backend/libpq/rangerrest.h | 39 --------------- src/backend/parser/parse_relation.c | 82 +++++++++++++++++++++++++++++++- src/include/parser/parse_relation.h | 1 + src/include/utils/acl.h | 16 +++++++ src/include/utils/rangerrest.h | 39 +++++++++++++++ 8 files changed, 190 insertions(+), 41 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/catalog/aclchk.c ---------------------------------------------------------------------- diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index 06f20f3..e6dfa46 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -227,6 +227,7 @@ restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs, if (avail_goptions == ACL_NO_RIGHTS) { if (enable_ranger) { + elog(LOG, "restrict_and_check_grant: here\n"); if (pg_rangercheck(objkind, objectId, grantorId, whole_mask | ACL_GRANT_OPTION_FOR(whole_mask), ACLMASK_ANY) != ACLCHECK_OK) 
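Review bot: The added `elog(LOG, "restrict_and_check_grant: here\n");` is a debugging trace and should not ship; the same applies to the `: here` traces added to pg_rangercheck and every pg_*_aclcheck relay in aclchk.c, to cdb_setup, to the `debug xxx`/`yyy`/`zzz`/`ttt` lines in call_ranger_rest, and to the `printf` calls in ExecCheckRTPerms and ExecCheckRTPermsWithRanger. If a trace is wanted, use `elog(DEBUG1, ...)` without the trailing `\n` (elog terminates the line itself) and never `printf`, which writes to the backend's stdout outside the logging pipeline. A LOG-level line on every ACL check also grows the server log in proportion to query volume. restrict_and_check_grant's body continues outside the hunk.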
@@ -2664,10 +2665,47 @@ List *getActionName(AclMode mask)
 return actions;
 }
 
+List *pg_rangercheck_batch(List *arg_list)
+{
+ List *aclresults = NIL;
+ ListCell *arg = NULL;
+ foreach(arg, arg_list) {
+ RangerPrivilegeArgs *arg_ptr = (RangerPrivilegeArgs *)lfirst(arg);
+ AclObjectKind objkind = arg_ptr->objkind;
+ Oid object_oid = arg_ptr->object_oid;
+ char *objectname = getNameFromOid(objkind, object_oid);
+ char *rolename = getRoleName(arg_ptr->roleid);
+ List* actions = getActionName(arg_ptr->mask);
+ bool isAll = (arg_ptr->how == ACLMASK_ALL) ? true: false;
+ RangerPrivilegeResults *aclresult = (RangerPrivilegeResults *) palloc(sizeof(RangerPrivilegeResults));
+ aclresult->result = check_privilege_from_ranger(rolename, objkind, objectname, actions, isAll);
+ aclresult->relOid = object_oid;
+ aclresults = lappend(aclresults, aclresult);
+
+ if (objectname)
+ {
+ pfree(objectname);
+ objectname = NULL;
+ }
+ if(rolename)
+ {
+ pfree(rolename);
+ rolename = NULL;
+ }
+ if(actions)
+ {
+ list_free_deep(actions);
+ actions = NIL;
+ }
+ } // foreach
+ return aclresults;
+}
+
 AclResult
 pg_rangercheck(AclObjectKind objkind, Oid object_oid, Oid roleid,
 AclMode mask, AclMaskHow how)
 {
+ elog(LOG, "pg_rangercheck: here\n");
 char* objectname = getNameFromOid(objkind, object_oid);
 char* rolename = getRoleName(roleid);
 List* actions = getActionName(mask);
@@ -2691,7 +2729,6 @@ pg_rangercheck(AclObjectKind objkind, Oid object_oid, Oid roleid,
 return ACLCHECK_OK;
 }
 
-
 /*
 * Relay for the various pg_*_mask routines depending on object kind
 */
@@ -3678,6 +3715,7 @@ pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_class_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_CLASS, table_oid, roleid, mode, ACLMASK_ANY);
 }
 else
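Review bot: pg_rangercheck_batch is called from the new ExecCheckRTPermsWithRanger in parse_relation.c, but no prototype for it appears in the acl.h hunk that adds the RangerPrivilegeArgs/RangerPrivilegeResults typedefs; unless it is declared in a header outside this diff, the call is an implicit `int` declaration and the returned List pointer is truncated on 64-bit builds, so add `extern List *pg_rangercheck_batch(List *arg_list);` beside the typedefs. The loop still issues one check_privilege_from_ranger call per object, so the RPS round trips are not yet packaged into a single request as the commit title suggests; if that is a later step, a comment saying so would help. The function has no header comment; it should state that arg_list holds RangerPrivilegeArgs, that the result is one palloc'd RangerPrivilegeResults per argument in the same order, and that the caller owns the result and frees it with list_free_deep. `bool isAll = (arg_ptr->how == ACLMASK_ALL) ? true: false;` reduces to `bool isAll = (arg_ptr->how == ACLMASK_ALL);`.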
@@ -3694,6 +3732,7 @@ pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_database_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_DATABASE, db_oid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3710,6 +3749,7 @@ pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_proc_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_PROC, proc_oid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3726,6 +3766,7 @@ pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_language_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_LANGUAGE, lang_oid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3742,6 +3783,7 @@ pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_namespace_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_NAMESPACE, nsp_oid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3758,6 +3800,7 @@ pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_tablespace_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_TABLESPACE, spc_oid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3775,6 +3818,7 @@ pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_foreign_data_wrapper_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_FDW, fdw_oid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3792,6 +3836,7 @@ pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_foreign_server_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3809,6 +3854,7 @@ pg_extprotocol_aclcheck(Oid ptcid, Oid roleid, AclMode mode)
 {
 if(enable_ranger)
 {
+ elog(LOG, "pg_extprotocol_aclcheck: here\n");
 return pg_rangercheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid, mode, ACLMASK_ANY);
 }
 else
@@ -3825,6 +3871,7 @@ pg_filesystem_aclcheck(Oid fsysid, Oid roleid, AclMode mode) { if(enable_ranger) { + elog(LOG, "pg_filesystem_aclcheck: here\n"); return pg_rangercheck(ACL_KIND_FILESYSTEM, fsysid, roleid, mode, ACLMASK_ANY); } else http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/cdb/cdbutil.c ---------------------------------------------------------------------- diff --git a/src/backend/cdb/cdbutil.c b/src/backend/cdb/cdbutil.c index 0391881..03395a9 100644 --- a/src/backend/cdb/cdbutil.c +++ b/src/backend/cdb/cdbutil.c @@ -585,6 +585,7 @@ cdb_setup(void) if (Gp_role == GP_ROLE_DISPATCH) { + elog(LOG, "cdb_setup: here\n"); /* check mirrored entry db configuration */ buildMirrorQDDefinition(); http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/libpq/rangerrest.c ---------------------------------------------------------------------- diff --git a/src/backend/libpq/rangerrest.c b/src/backend/libpq/rangerrest.c index 032a6c0..d677b05 100644 --- a/src/backend/libpq/rangerrest.c +++ b/src/backend/libpq/rangerrest.c @@ -280,10 +280,14 @@ void call_ranger_rest(CURL_HANDLE curl_handle, char* request) // curl_easy_setopt(curl_handle, CURLOPT_POSTFIELDS, request); /* send all data to this function */ + elog(LOG, "debug xxx\n"); curl_easy_setopt(curl_handle->curl_handle, CURLOPT_WRITEFUNCTION, write_callback); + elog(LOG, "debug yyy\n"); curl_easy_setopt(curl_handle->curl_handle, CURLOPT_WRITEDATA, (void *)curl_handle); + elog(LOG, "debug zzz\n"); res = curl_easy_perform(curl_handle->curl_handle); + elog(LOG, "debug ttt\n"); /* check for errors */ if(res != CURLE_OK) http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/libpq/rangerrest.h ---------------------------------------------------------------------- diff --git a/src/backend/libpq/rangerrest.h b/src/backend/libpq/rangerrest.h deleted file mode 100644 index 4b73f46..0000000 --- a/src/backend/libpq/rangerrest.h +++ /dev/null 
@@ -1,39 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -/*------------------------------------------------------------------------- - * - * rangerrest.h - * routines to interact with Ranger REST API - * - *------------------------------------------------------------------------- - */ -#ifndef RANGERREST_H -#define RANGERREST_H - -#include <curl/curl.h> - -typedef enum -{ - RANGERCHECK_OK = 0, - RANGERCHECK_NO_PRIV, - RANGERCHECK_UNKNOWN -} RangerACLResult; - -#endif http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/backend/parser/parse_relation.c ---------------------------------------------------------------------- diff --git a/src/backend/parser/parse_relation.c b/src/backend/parser/parse_relation.c index 811d2e2..9d58b73 100644 --- a/src/backend/parser/parse_relation.c +++ b/src/backend/parser/parse_relation.c 
@@ -2712,15 +2712,94 @@ warnAutoRange(ParseState *pstate, RangeVar *relation, int location) void ExecCheckRTPerms(List *rangeTable) { + /* + if (enable_ranger) + { + ExecCheckRTPermsWithRanger(rangeTable); + return; + } + */ ListCell *l; + int i = 0; foreach(l, rangeTable) { + printf("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%d\n", i); ExecCheckRTEPerms((RangeTblEntry *) lfirst(l)); + i ++; } } /* + * ExecCheckRTPerms + * Batch implementation: Check access permissions for all relations listed in a range table with enable_ranger is true. + */ +void +ExecCheckRTPermsWithRanger(List *rangeTable) +{ + List *ranger_check_args = NIL; + ListCell *l; + foreach(l, rangeTable) + { + RangeTblEntry *rte = (RangeTblEntry *) lfirst(l); + + AclMode requiredPerms; + Oid relOid; + Oid userid; + + if (rte->rtekind != RTE_RELATION) + return; + requiredPerms = rte->requiredPerms; + if (requiredPerms == 0) + return; + + relOid = rte->relid; + userid = rte->checkAsUser ? rte->checkAsUser : GetUserId(); + + RangerPrivilegeArgs *ranger_check_arg = (RangerPrivilegeArgs *) palloc(sizeof(RangerPrivilegeArgs)); + ranger_check_arg->objkind = ACL_KIND_CLASS; + ranger_check_arg->object_oid = relOid; + ranger_check_arg->roleid = userid; + ranger_check_arg->mask = requiredPerms; + ranger_check_arg->how = ACLMASK_ALL; + ranger_check_args = lappend(ranger_check_args, ranger_check_arg); + + } // foreach + + // ranger ACL check with package Oids + List *aclresults = pg_rangercheck_batch(ranger_check_args); + if (aclresults == NIL) + { + printf("bugggggggggggggggg\n"); + return; + } + + // check result + ListCell *result; + foreach(result, aclresults) + { + RangerPrivilegeResults *result_ptr = (RangerPrivilegeResults *)lfirst(result); + if(result_ptr->result != RANGERCHECK_OK) + { + Oid relOid = result_ptr->relOid; + const char *rel_name = get_rel_name_partition(relOid); + aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_CLASS, rel_name); + } + } + + if (ranger_check_args) + { + 
list_free_deep(ranger_check_args); + ranger_check_args = NIL; + } + if (aclresults) + { + list_free_deep(aclresults); + aclresults = NIL; + } +} + +/* * ExecCheckRTEPerms * Check access permissions for a single RTE. */ @@ -2763,9 +2842,10 @@ ExecCheckRTEPerms(RangeTblEntry *rte) */ if (enable_ranger) { + elog(LOG, "ExecCheckRTEPerms: here"); /* ranger check required permission should all be approved.*/ if (pg_rangercheck(ACL_KIND_CLASS, relOid, userid, requiredPerms, ACLMASK_ALL) - != ACLCHECK_OK) + != RANGERCHECK_OK) { /* * If the table is a partition, return an error message that includes http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/include/parser/parse_relation.h ---------------------------------------------------------------------- diff --git a/src/include/parser/parse_relation.h b/src/include/parser/parse_relation.h index 4c13a79..3af717f 100644 --- a/src/include/parser/parse_relation.h +++ b/src/include/parser/parse_relation.h @@ -101,6 +101,7 @@ extern Name attnumAttName(Relation rd, int attid); extern Oid attnumTypeId(Relation rd, int attid); extern void ExecCheckRTPerms(List *rangeTable); +extern void ExecCheckRTPermsWithRanger(List *); extern void ExecCheckRTEPerms(RangeTblEntry *rte); #endif /* PARSE_RELATION_H */ http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/include/utils/acl.h ---------------------------------------------------------------------- diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h index b0ddde9..b0c7438 100644 --- a/src/include/utils/acl.h +++ b/src/include/utils/acl.h @@ -26,6 +26,7 @@ #include "nodes/parsenodes.h" #include "utils/array.h" +#include "utils/rangerrest.h" /* 
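Review bot: In ExecCheckRTPermsWithRanger the loop-body `if (rte->rtekind != RTE_RELATION) return;` and `if (requiredPerms == 0) return;` exit the whole function, so a subquery, join or function RTE — or an entry with no required permissions — that precedes a relation in the range table causes every later relation to be skipped by the Ranger check; the batch path fails open. Both should be `continue;`, which gives the per-entry skip that ExecCheckRTEPerms performs. The `aclresults == NIL` branch only fires when no relation was collected, since pg_rangercheck_batch yields one result per argument, so it is not the bug its message claims and a silent return there is correct once the printf is gone. The header comment above the function names it `ExecCheckRTPerms`; it should name `ExecCheckRTPermsWithRanger` and read `when enable_ranger is true` rather than `with enable_ranger is true`, and the commented-out dispatch block added to ExecCheckRTPerms should be enabled or dropped rather than committed as dead code.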
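Review bot: `!= RANGERCHECK_OK` compares the return value of pg_rangercheck, declared `AclResult pg_rangercheck(...)` in the aclchk.c hunk, against a constant of the unrelated RangerACLResult enum; the check passes only because both OK values happen to be 0, and the other callers in this commit still compare the same function against ACLCHECK_OK. Revert to `!= ACLCHECK_OK`, or change pg_rangercheck's return type to RangerACLResult and update all callers in one step. ExecCheckRTEPerms starts and ends outside the hunk.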
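Review bot: `#include "utils/rangerrest.h"` in acl.h pulls `<curl/curl.h>` (which rangerrest.h includes, as the new-file hunk shows) into every translation unit that includes acl.h, although acl.h needs only the RangerACLResult enum. Drop the curl include from rangerrest.h if nothing in that header uses curl types, or keep the enum in a header with no third-party includes, so the ACL API does not acquire a libcurl header dependency.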
@@ -339,4 +340,19 @@ extern bool pg_conversion_ownercheck(Oid conv_oid, Oid roleid);
 extern bool pg_foreign_server_ownercheck(Oid srv_oid, Oid roleid);
 extern bool pg_extprotocol_ownercheck(Oid ptc_oid, Oid roleid);
 
+typedef struct RangerPrivilegeArgs
+{
+ AclObjectKind objkind;
+ Oid object_oid;
+ Oid roleid;
+ AclMode mask;
+ AclMaskHow how;
+} RangerPrivilegeArgs;
+
+typedef struct RangerPrivilegeResults
+{
+ RangerACLResult result;
+ Oid relOid;
+} RangerPrivilegeResults;
+
 #endif /* ACL_H */
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/125d013d/src/include/utils/rangerrest.h
----------------------------------------------------------------------
diff --git a/src/include/utils/rangerrest.h b/src/include/utils/rangerrest.h
new file mode 100644
index 0000000..4b73f46
--- /dev/null
+++ b/src/include/utils/rangerrest.h
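Review bot: RangerPrivilegeResults names its object field `relOid` while RangerPrivilegeArgs uses the kind-neutral `object_oid` and carries an `AclObjectKind`, so a result for a namespace or function would sit under a relation-specific name; use `object_oid` (and arguably carry `objkind` too) so the two structs mirror each other. Neither struct has a comment; one line on each, e.g. `/* one privilege check to send to Ranger: objkind/object_oid is the target, roleid the subject, mask the privileges, how whether all or any must be granted */` and `/* outcome of one batched Ranger check for object_oid */`, would make the batch contract readable from the header.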
@@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/*------------------------------------------------------------------------- + * + * rangerrest.h + * routines to interact with Ranger REST API + * + *------------------------------------------------------------------------- + */ +#ifndef RANGERREST_H +#define RANGERREST_H + +#include <curl/curl.h> + +typedef enum +{ + RANGERCHECK_OK = 0, + RANGERCHECK_NO_PRIV, + RANGERCHECK_UNKNOWN +} RangerACLResult; + +#endif
