Repository: ranger
Updated Branches:
  refs/heads/master f7230f70a -> 1b4e78b0d


RANGER-1737: Fixed RANGER-1181 by providing correct set of parameters to Hdfs 
Native Authorizer in case of fall-back


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/1b4e78b0
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/1b4e78b0
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/1b4e78b0

Branch: refs/heads/master
Commit: 1b4e78b0dcfad74b7fd2baea16364b7daf32159e
Parents: f7230f7
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Wed Aug 16 13:14:32 2017 -0700
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Wed Aug 16 13:14:32 2017 -0700

----------------------------------------------------------------------
 .../hadoop/RangerHdfsAuthorizer.java            | 110 +++++++++++--------
 1 file changed, 65 insertions(+), 45 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/1b4e78b0/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index f82fd57..97fd5cd 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -279,7 +279,7 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                                                if (authzStatus == 
AuthzStatus.NOT_DETERMINED) {
                                                        authzStatus = 
checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
                                                                                
        pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-                                                                               
        ancestorAccess, FsAction.NONE, FsAction.NONE, FsAction.NONE, 
ignoreEmptyDir,
+                                                                               
        ancestorAccess, null, null, null, ignoreEmptyDir,
                                                                                
        isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
                                                }
                                        }
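Review bot: The switch from `FsAction.NONE` to `null` in the three unused access slots of the checkDefaultEnforcer call is the actual fix, yet nothing in the hunk records why, so a later reader (or an IDE "replace null with constant" cleanup) can silently revert it; a comment on the call is warranted, e.g. `// null, not FsAction.NONE: null tells the Hadoop enforcer to skip that check, NONE still evaluates it`. If I read FSPermissionChecker correctly a NONE subAccess also walks the whole subtree, which would be the RANGER-1181 symptom, but that is inferred rather than visible here. The same three-slot pattern recurs in the next three hunks and the comment belongs on each of them, or on a small shared helper that builds the call. The enclosing checkPermission body starts and ends outside this hunk.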
@@ -292,7 +292,7 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                                                if (authzStatus == 
AuthzStatus.NOT_DETERMINED) {
                                                        authzStatus = 
checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
                                                                                
        pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-                                                                               
        FsAction.NONE, parentAccess, FsAction.NONE, FsAction.NONE, 
ignoreEmptyDir,
+                                                                               
        null, parentAccess, null, null, ignoreEmptyDir,
                                                                                
        isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
                                                }
                                        }
@@ -305,7 +305,7 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                                                if (authzStatus == 
AuthzStatus.NOT_DETERMINED) {
                                                        authzStatus = 
checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
                                                                                
        pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-                                                                               
        FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
+                                                                               
        null, null, access, null, ignoreEmptyDir,
                                                                                
        isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
                                                }
                                        }
@@ -345,18 +345,12 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                                                        }
                                                }
                                                if (authzStatus == 
AuthzStatus.NOT_DETERMINED) {
-                                                       RangerPerfTracer 
hadoopAuthPerf = null;
-
-                                                       
if(RangerPerfTracer.isPerfTraceEnabled(PERF_HDFSAUTH_REQUEST_LOG)) {
-                                                               hadoopAuthPerf 
= RangerPerfTracer.getPerfTracer(PERF_HDFSAUTH_REQUEST_LOG, 
"defaultEnforcer.checkPermission(path=" + path + ")");
-                                                       }
 
                                                        authzStatus = 
checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
                                                                                
        pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
-                                                                               
        FsAction.NONE, FsAction.NONE, FsAction.NONE, subAccess, ignoreEmptyDir,
+                                                                               
        null, null, null, subAccess, ignoreEmptyDir,
                                                                                
        isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
 
-                                                       
RangerPerfTracer.log(hadoopAuthPerf);
                                                }
                                        }
 
@@ -412,50 +406,76 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                                     boolean isTraverseOnlyCheck, INode 
ancestor,
                                                                                
                 INode parent, INode inode, RangerHdfsAuditHandler auditHandler
                                                                                
                 ) throws AccessControlException {
-                           AuthzStatus authzStatus = 
AuthzStatus.NOT_DETERMINED;
-                               if(RangerHdfsPlugin.isHadoopAuthEnabled() && 
defaultEnforcer != null) {
-
-                                       try {
-                                               
defaultEnforcer.checkPermission(fsOwner, superGroup, ugi, inodeAttrs, inodes,
-                                                                               
                                pathByNameArr, snapshotId, path, ancestorIndex, 
doCheckOwner,
-                                                                               
                                ancestorAccess, parentAccess, access, 
subAccess, ignoreEmptyDir);
-
-                                               authzStatus = AuthzStatus.ALLOW;
-                                       } finally {
-                                               if(auditHandler != null) {
-                                                       INode    nodeChecked = 
inode;
-                                                       FsAction action      = 
access;
-                                                       if(isTraverseOnlyCheck) 
{
-                                                               if(nodeChecked 
== null || nodeChecked.isFile()) {
-                                                                       
if(parent != null) {
-                                                                               
nodeChecked = parent;
-                                                                       } else 
if(ancestor != null) {
-                                                                               
nodeChecked = ancestor;
-                                                                       }
-                                                               }
+                       if (LOG.isDebugEnabled()) {
+                               LOG.debug("==> 
RangerAccessControlEnforcer.checkDefaultEnforcer("
+                                               + "fsOwner=" + fsOwner + "; 
superGroup=" + superGroup + ", inodesCount=" + (inodes != null ? inodes.length 
: 0)
+                                               + ", snapshotId=" + snapshotId 
+ ", path=" + path + ", ancestorIndex=" + ancestorIndex
+                                               + ", doCheckOwner=" + 
doCheckOwner + ", ancestorAccess=" + ancestorAccess + ", parentAccess=" + 
parentAccess
+                                               + ", access=" + access + ", 
subAccess=" + subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir
+                                               + ", isTraverseOnlyCheck=" + 
isTraverseOnlyCheck + ",ancestor=" + (ancestor == null ? null : 
ancestor.getFullPathName())
+                                               + ", parent=" + (parent == null 
? null : parent.getFullPathName()) + ", inode=" + (inode == null ? null : 
inode.getFullPathName())
+                                               + ")");
+                       }
+
+                       AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
+                       if(RangerHdfsPlugin.isHadoopAuthEnabled() && 
defaultEnforcer != null) {
+
+                               RangerPerfTracer hadoopAuthPerf = null;
+
+                               
if(RangerPerfTracer.isPerfTraceEnabled(PERF_HDFSAUTH_REQUEST_LOG)) {
+                                       hadoopAuthPerf = 
RangerPerfTracer.getPerfTracer(PERF_HDFSAUTH_REQUEST_LOG, 
"RangerAccessControlEnforcer.checkDefaultEnforcer(path=" + path + ")");
+                               }
 
-                                                               action = 
FsAction.EXECUTE;
-                                                       } else if(action == 
null || action == FsAction.NONE)  {
-                                                               if(parentAccess 
!= null && parentAccess != FsAction.NONE ) {
+                               try {
+                                       
defaultEnforcer.checkPermission(fsOwner, superGroup, ugi, inodeAttrs, inodes,
+                                                       pathByNameArr, 
snapshotId, path, ancestorIndex, doCheckOwner,
+                                                       ancestorAccess, 
parentAccess, access, subAccess, ignoreEmptyDir);
+
+                                       authzStatus = AuthzStatus.ALLOW;
+                               } finally {
+                                       if (auditHandler != null) {
+                                               INode nodeChecked = inode;
+                                               FsAction action = access;
+                                               if (isTraverseOnlyCheck) {
+                                                       if (nodeChecked == null 
|| nodeChecked.isFile()) {
+                                                               if (parent != 
null) {
                                                                        
nodeChecked = parent;
-                                                                       action  
    = parentAccess;
-                                                               } else 
if(ancestorAccess != null  && ancestorAccess != FsAction.NONE ) {
+                                                               } else if 
(ancestor != null) {
                                                                        
nodeChecked = ancestor;
-                                                                       action  
    = ancestorAccess;
-                                                               } else 
if(subAccess != null && subAccess != FsAction.NONE ) {
-                                                                       action 
= subAccess;
                                                                }
                                                        }
 
-                                                       String pathChecked = 
nodeChecked != null ? nodeChecked.getFullPathName() : path;
-
-                                                       
auditHandler.logHadoopEvent(pathChecked, action, authzStatus == 
AuthzStatus.ALLOW);
+                                                       action = 
FsAction.EXECUTE;
+                                               } else if (action == null || 
action == FsAction.NONE) {
+                                                       if (parentAccess != 
null && parentAccess != FsAction.NONE) {
+                                                               nodeChecked = 
parent;
+                                                               action = 
parentAccess;
+                                                       } else if 
(ancestorAccess != null && ancestorAccess != FsAction.NONE) {
+                                                               nodeChecked = 
ancestor;
+                                                               action = 
ancestorAccess;
+                                                       } else if (subAccess != 
null && subAccess != FsAction.NONE) {
+                                                               action = 
subAccess;
+                                                       }
                                                }
+
+                                               String pathChecked = 
nodeChecked != null ? nodeChecked.getFullPathName() : path;
+
+                                               
auditHandler.logHadoopEvent(pathChecked, action, authzStatus == 
AuthzStatus.ALLOW);
                                        }
-                                        return authzStatus;
+                                       RangerPerfTracer.log(hadoopAuthPerf);
                                }
-                                return authzStatus;
-                }
+                       }
+                       LOG.debug("<== 
RangerAccessControlEnforcer.checkDefaultEnforcer("
+                                       + "fsOwner=" + fsOwner + "; 
superGroup=" + superGroup + ", inodesCount=" + (inodes != null ? inodes.length 
: 0)
+                                       + ", snapshotId=" + snapshotId + ", 
path=" + path + ", ancestorIndex=" + ancestorIndex
+                                       + ", doCheckOwner="+ doCheckOwner + ", 
ancestorAccess=" + ancestorAccess + ", parentAccess=" + parentAccess
+                                       + ", access=" + access + ", subAccess=" 
+ subAccess + ", ignoreEmptyDir=" + ignoreEmptyDir
+                                       + ", isTraverseOnlyCheck=" + 
isTraverseOnlyCheck + ",ancestor=" + (ancestor == null ? null : 
ancestor.getFullPathName())
+                                       + ", parent=" + (parent == null ? null 
: parent.getFullPathName()) + ", inode=" + (inode == null ? null : 
inode.getFullPathName())
+                                       + ") : " + authzStatus );
+
+                       return authzStatus;
+               }
 
                private AuthzStatus isAccessAllowed(INode inode, 
INodeAttributes inodeAttribs, FsAction access, String user, Set<String> groups, 
RangerHdfsPlugin plugin, RangerHdfsAuditHandler auditHandler) {
                        AuthzStatus ret       = null;
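Review bot: The exit trace at the bottom of checkDefaultEnforcer is not guarded by `LOG.isDebugEnabled()` even though the entry trace is, so every fall-back permission check builds the long concatenated string and calls `getFullPathName()` on up to three inodes regardless of log level; wrap it as `if (LOG.isDebugEnabled()) { LOG.debug("<== ..."); }` to match the entry side. Separately, the rewrite drops the `return authzStatus;` that used to sit inside `finally`, which by Java semantics discarded the AccessControlException thrown by `defaultEnforcer.checkPermission` and let a native-enforcer denial come back as NOT_DETERMINED (what the caller does with that value is outside the hunk); since the exception now propagates, a one-line comment on the try such as `// no return inside finally: an AccessControlException from the enforcer must propagate` would keep the next refactor from reintroducing it. The perf-tracer label also changed from `defaultEnforcer.checkPermission(path=...)` to `RangerAccessControlEnforcer.checkDefaultEnforcer(path=...)`, which anyone filtering PERF_HDFSAUTH_REQUEST_LOG on the old text will want to know about.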
