This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 136ace27c67fded9934803151d94c0bedf44a391 Author: Madhan Neethiraj <[email protected]> AuthorDate: Mon Oct 19 17:41:47 2020 -0700 RANGER-3047: updated Hadoop version from 3.1.1 to 3.3.0 --- agents-audit/pom.xml | 5 + distro/src/main/assembly/admin-web.xml | 3 +- distro/src/main/assembly/hbase-agent.xml | 1 + embeddedwebserver/pom.xml | 5 + hbase-agent/pom.xml | 50 ++++++- .../hbase/RangerAuthorizationCoprocessor.java | 44 ++++--- .../hbase/HBaseRangerAuthorizationTest.java | 16 ++- hive-agent/pom.xml | 6 + .../services/hive/HIVERangerAuthorizerTest.java | 1 + knox-agent/pom.xml | 3 +- .../ranger/services/ozone/client/OzoneClient.java | 3 +- plugin-schema-registry/pom.xml | 7 +- .../DefaultSchemaRegistryClientTest.java | 3 +- pom.xml | 17 +-- .../security/access/RangerAccessControlLists.java | 104 --------------- .../hbase/RangerAuthorizationCoprocessor.java | 18 +++ .../ozone/authorizer/RangerOzoneAuthorizer.java | 8 +- security-admin/scripts/setup.sh | 144 +++++++++++---------- .../process/TestUnixUserGroupBuilder.java | 4 +- 19 files changed, 225 insertions(+), 217 deletions(-) diff --git a/agents-audit/pom.xml b/agents-audit/pom.xml index 85effa6..d2e7098 100644 --- a/agents-audit/pom.xml +++ b/agents-audit/pom.xml @@ -38,6 +38,11 @@ <version>${project.version}</version> </dependency> <dependency> + <groupId>commons-lang</groupId> + <artifactId>commons-lang</artifactId> + <version>${commons.lang.version}</version> + </dependency> + <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <version>${commons.logging.version}</version> diff --git a/distro/src/main/assembly/admin-web.xml b/distro/src/main/assembly/admin-web.xml index 19ab3bc..872747a 100644 --- a/distro/src/main/assembly/admin-web.xml +++ b/distro/src/main/assembly/admin-web.xml @@ -248,6 +248,7 @@ <include>com.fasterxml.woodstox:woodstox-core:jar:${fasterxml.woodstox.version}</include> <include>org.codehaus.woodstox:stax2-api:jar:${codehaus.woodstox.stax2api.version}</include> <include>org.apache.commons:commons-configuration2:jar:${commons.configuration.version}</include> + <include>org.apache.commons:commons-lang3:jar:${commons.lang3.version}</include> <include>com.kstruct:gethostname4j:jar:${kstruct.gethostname4j.version}</include> <include>net.java.dev.jna:jna:jar:${jna.version}</include> <include>net.java.dev.jna:jna-platform:jar:${jna-platform.version}</include> @@ -290,10 +291,10 @@ <include>commons-configuration:commons-configuration</include> <include>commons-io:commons-io:jar:${commons.io.version}</include> <include>commons-lang:commons-lang</include> - <include>commons-lang3:commons-lang3</include> <include>commons-logging:commons-logging</include> <include>com.google.guava:guava</include> <include>org.slf4j:slf4j-api</include> + <include>org.apache.commons:commons-lang3</include> <include>org.apache.hadoop:hadoop-common</include> <include>org.apache.hadoop:hadoop-auth</include> <include>org.apache.htrace:htrace-core4:jar:${htrace-core.version}</include> diff --git a/distro/src/main/assembly/hbase-agent.xml b/distro/src/main/assembly/hbase-agent.xml index 2a1d0b4..05b4bb0 100644 --- a/distro/src/main/assembly/hbase-agent.xml +++ b/distro/src/main/assembly/hbase-agent.xml @@ -55,6 +55,7 @@ <includes> <include>com.sun.jersey:jersey-client:jar:${jersey-bundle.version}</include> <include>com.sun.jersey:jersey-core:jar:${jersey-bundle.version}</include> + <include>org.codehaus.jackson:jackson-jaxrs:jar:${codehaus.jackson.version}</include> <include>org.eclipse.persistence:eclipselink</include> <include>org.eclipse.persistence:javax.persistence</include> <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include> diff --git a/embeddedwebserver/pom.xml b/embeddedwebserver/pom.xml index 1d1128c..e00f5a1 100644 --- a/embeddedwebserver/pom.xml +++ b/embeddedwebserver/pom.xml @@ -88,5 +88,10 @@ <artifactId>credentialbuilder</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-lang3</artifactId> + <version>${commons.lang3.version}</version> + </dependency> </dependencies> </project> diff --git a/hbase-agent/pom.xml b/hbase-agent/pom.xml index dd7c78d..03396ea 100644 --- a/hbase-agent/pom.xml +++ b/hbase-agent/pom.xml @@ -23,7 +23,8 @@ <packaging>jar</packaging> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> - <hadoop.hbase.version>2.5.1</hadoop.hbase.version> + <hbase.jetty.version>9.3.27.v20190418</hbase.jetty.version> + <hadoop.version>3.1.1</hadoop.version> </properties> <parent> <groupId>org.apache.ranger</groupId> @@ -48,6 +49,17 @@ </exclusions> </dependency> <dependency> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-common</artifactId> + <version>${hbase.version}</version> + <exclusions> + <exclusion> + <groupId>org.apache.hadoop</groupId> + <artifactId>*</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> <groupId>org.apache.ranger</groupId> <artifactId>ranger-plugins-common</artifactId> <version>${project.version}</version> @@ -146,6 +158,19 @@ </exclusions> </dependency> <dependency> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-common</artifactId> + <version>${hbase.version}</version> + <type>test-jar</type> + <scope>test</scope> + <exclusions> + <exclusion> + <groupId>org.apache.hadoop</groupId> + <artifactId>*</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> <groupId>org.apache.hadoop</groupId> <artifactId>hadoop-minicluster</artifactId> <version>${hadoop.version}</version> @@ -168,6 +193,29 @@ <version>${hadoop.version}</version> <scope>test</scope> </dependency> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-server</artifactId> + <version>${hbase.jetty.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-http</artifactId> + <version>${hbase.jetty.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util</artifactId> + <version>${hbase.jetty.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> </dependencies> <build> <testResources> diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index ec6dfdd..b9dd52e 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -49,6 +49,7 @@ import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.UserProvider; import org.apache.hadoop.hbase.security.access.*; import org.apache.hadoop.hbase.security.access.Permission.Action; +import org.apache.hadoop.hbase.security.access.Permission.Builder; import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter; import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CleanupBulkLoadRequest; @@ -1335,6 +1336,11 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte } @Override + public void hasPermission(RpcController controller, AccessControlProtos.HasPermissionRequest request, RpcCallback<AccessControlProtos.HasPermissionResponse> done) { + LOG.debug("hasPermission(): "); + } + + @Override public void checkPermissions(RpcController controller, AccessControlProtos.CheckPermissionsRequest request, RpcCallback<AccessControlProtos.CheckPermissionsResponse> done) { LOG.debug("checkPermissions(): "); } @@ -1396,8 +1402,8 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte } }); if (_userUtils.isSuperUser(user)) { - perms.add(new UserPermission(Bytes.toBytes(_userUtils.getUserAsString(user)), - AccessControlLists.ACL_TABLE_NAME, null, Action.values())); + perms.add(new UserPermission(_userUtils.getUserAsString(user), + Permission.newBuilder(AccessControlLists.ACL_TABLE_NAME).withActions(Action.values()).build())); } } response = AccessControlUtil.buildGetUserPermissionsResponse(perms); @@ -1439,11 +1445,11 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte if (!allowedPermissions.isEmpty()) { UserPermission up = null; if (isNamespace) { - up = new UserPermission(Bytes.toBytes(user), resource, - allowedPermissions.toArray(new Action[allowedPermissions.size()])); + up = new UserPermission(user, + Permission.newBuilder(resource).withActions(allowedPermissions.toArray(new Action[allowedPermissions.size()])).build()); } else { - up = new UserPermission(Bytes.toBytes(user), TableName.valueOf(resource), null, null, - allowedPermissions.toArray(new Action[allowedPermissions.size()])); + up = new UserPermission(user, + Permission.newBuilder(TableName.valueOf(resource)).withActions(allowedPermissions.toArray(new Action[allowedPermissions.size()])).build()); } userPermissions.add(up); } @@ -1455,8 +1461,8 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte AccessControlProtos.Permission perm = up == null ? null : up.getPermission(); UserPermission userPerm = up == null ? null : AccessControlUtil.toUserPermission(up); - Permission.Action[] actions = userPerm == null ? null : userPerm.getActions(); - String userName = userPerm == null ? null : Bytes.toString(userPerm.getUser()); + Permission.Action[] actions = userPerm == null ? null : userPerm.getPermission().getActions(); + String userName = userPerm == null ? null : userPerm.getUser(); String nameSpace = null; String tableName = null; String colFamily = null; @@ -1480,13 +1486,15 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte break; case Table: - tableName = Bytes.toString(userPerm.getTableName().getName()); - colFamily = Bytes.toString(userPerm.getFamily()); - qualifier = Bytes.toString(userPerm.getQualifier()); + TablePermission tablePerm = (TablePermission)userPerm.getPermission(); + tableName = Bytes.toString(tablePerm.getTableName().getName()); + colFamily = Bytes.toString(tablePerm.getFamily()); + qualifier = Bytes.toString(tablePerm.getQualifier()); break; case Namespace: - nameSpace = userPerm.getNamespace(); + NamespacePermission namepsacePermission = (NamespacePermission)userPerm.getPermission(); + nameSpace = namepsacePermission.getNamespace(); break; } @@ -1570,7 +1578,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte AccessControlProtos.Permission perm = up == null ? null : up.getPermission(); UserPermission userPerm = up == null ? null : AccessControlUtil.toUserPermission(up); - String userName = userPerm == null ? null : Bytes.toString(userPerm.getUser()); + String userName = userPerm == null ? null : userPerm.getUser(); String nameSpace = null; String tableName = null; String colFamily = null; @@ -1590,13 +1598,15 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte break; case Table : - tableName = Bytes.toString(userPerm.getTableName().getName()); - colFamily = Bytes.toString(userPerm.getFamily()); - qualifier = Bytes.toString(userPerm.getQualifier()); + TablePermission tablePerm = (TablePermission)userPerm.getPermission(); + tableName = Bytes.toString(tablePerm.getTableName().getName()); + colFamily = Bytes.toString(tablePerm.getFamily()); + qualifier = Bytes.toString(tablePerm.getQualifier()); break; case Namespace: - nameSpace = userPerm.getNamespace(); + NamespacePermission namespacePermission = (NamespacePermission)userPerm.getPermission(); + nameSpace = namespacePermission.getNamespace(); break; } diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java index 537c0b6..5241242 100644 --- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java +++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java @@ -24,6 +24,7 @@ import java.util.Arrays; import java.util.List; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; @@ -43,6 +44,7 @@ import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.SnapshotDescription; import org.apache.hadoop.hbase.client.Table; import org.apache.hadoop.hbase.security.access.AccessControlClient; +import org.apache.hadoop.hbase.security.access.NamespacePermission; import org.apache.hadoop.hbase.security.access.Permission; import org.apache.hadoop.hbase.security.access.UserPermission; import org.apache.hadoop.hbase.util.Bytes; @@ -76,8 +78,7 @@ public class HBaseRangerAuthorizationTest { private static int port; private static HBaseTestingUtility utility; - - + @org.junit.BeforeClass public static void setup() throws Exception { port = getFreePort(); @@ -1007,8 +1008,8 @@ public class HBaseRangerAuthorizationTest { } boolean found = false; for (UserPermission namespacePermission : userPermissions) { - if (namespacePermission.hasNamespace()) { - found = Bytes.equals(namespacePermission.getUser(), Bytes.toBytes("@QA")); + if (namespacePermission.getPermission() instanceof NamespacePermission) { + found = StringUtils.equals(namespacePermission.getUser(), "@QA"); if (found) { break; } @@ -1025,8 +1026,10 @@ public class HBaseRangerAuthorizationTest { } catch (Throwable e) { throw new Exception(e); } - UserPermission userPermission = new UserPermission(Bytes.toBytes("@IT"), TableName.valueOf("temp5"), null, - Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC); + + UserPermission userPermission = new UserPermission("@IT", + Permission.newBuilder(TableName.valueOf("temp5")).withActions(Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC).build()); + Assert.assertTrue("@IT permission should be there", userPermissions.contains(userPermission)); } @@ -1037,5 +1040,4 @@ public class HBaseRangerAuthorizationTest { serverSocket.close(); return port; } - } diff --git a/hive-agent/pom.xml b/hive-agent/pom.xml index e29a433..bfe8d47 100644 --- a/hive-agent/pom.xml +++ b/hive-agent/pom.xml @@ -23,6 +23,7 @@ <packaging>jar</packaging> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + <hadoop.version>3.1.1</hadoop.version> </properties> <parent> <groupId>org.apache.ranger</groupId> @@ -112,6 +113,11 @@ <version>${hadoop.version}</version> <scope>test</scope> </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> </dependencies> <build> <testResources> diff --git a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java index f901f71..2f6f1d8 100644 --- a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java +++ b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java @@ -57,6 +57,7 @@ import org.junit.Test; * b) The tag "HiveDatabaseTag" is associated with "create" permission to the "dev" group to the "hivetable" database. * c) The tag "HiveColumnTag" is associated with "select" permission to the "frank" user to the "word" column of the "words" table. */ [email protected] public class HIVERangerAuthorizerTest { private static final File hdfsBaseDir = new File("./target/hdfs/").getAbsoluteFile(); diff --git a/knox-agent/pom.xml b/knox-agent/pom.xml index 87eb836..49623c3 100644 --- a/knox-agent/pom.xml +++ b/knox-agent/pom.xml @@ -23,6 +23,7 @@ <packaging>jar</packaging> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + <knox.jetty.version>9.4.31.v20200723</knox.jetty.version> </properties> <parent> <groupId>org.apache.ranger</groupId> @@ -167,7 +168,7 @@ <dependency> <groupId>org.eclipse.jetty</groupId> <artifactId>jetty-server</artifactId> - <version>9.4.12.v20180830</version> + <version>${knox.jetty.version}</version> <scope>test</scope> </dependency> </dependencies> diff --git a/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/client/OzoneClient.java b/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/client/OzoneClient.java index 0f6be18..695510f 100644 --- a/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/client/OzoneClient.java +++ b/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/client/OzoneClient.java @@ -22,6 +22,7 @@ package org.apache.ranger.services.ozone.client; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.ozone.client.OzoneBucket; import org.apache.hadoop.ozone.client.OzoneClientFactory; import org.apache.hadoop.ozone.client.OzoneKey; @@ -53,7 +54,7 @@ public class OzoneClient extends BaseClient { conf.set(key, value); } } - ozoneClient = OzoneClientFactory.getRpcClient(conf.get("ozone.om.http-address")); + ozoneClient = OzoneClientFactory.getRpcClient(new OzoneConfiguration(conf)); } public void close() { diff --git a/plugin-schema-registry/pom.xml b/plugin-schema-registry/pom.xml index 8ff8159..28e8b7e 100644 --- a/plugin-schema-registry/pom.xml +++ b/plugin-schema-registry/pom.xml @@ -37,7 +37,7 @@ <kafkaArtifact>kafka_2.11</kafkaArtifact> <jersey.version>2.22.1</jersey.version> <junit.version>4.5</junit.version> - <schema.registry.version>0.8.1</schema.registry.version> + <schema.registry.version>0.9.1</schema.registry.version> <jettison.version>1.1</jettison.version> <servlet-api.version>3.0.1</servlet-api.version> </properties> @@ -225,6 +225,11 @@ <version>${servlet-api.version}</version> <scope>test</scope> </dependency> + <dependency> + <groupId>org.glassfish.jersey.core</groupId> + <artifactId>jersey-client</artifactId> + <version>${jersey.version}</version> + </dependency> </dependencies> <build> diff --git a/plugin-schema-registry/src/test/java/org/apache/ranger/services/schema/registry/client/connection/DefaultSchemaRegistryClientTest.java b/plugin-schema-registry/src/test/java/org/apache/ranger/services/schema/registry/client/connection/DefaultSchemaRegistryClientTest.java index 7eaaab9..4f2c12e 100644 --- a/plugin-schema-registry/src/test/java/org/apache/ranger/services/schema/registry/client/connection/DefaultSchemaRegistryClientTest.java +++ b/plugin-schema-registry/src/test/java/org/apache/ranger/services/schema/registry/client/connection/DefaultSchemaRegistryClientTest.java @@ -41,6 +41,7 @@ import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; [email protected] public class DefaultSchemaRegistryClientTest { private static final String V1_API_PATH = "api/v1"; @@ -187,4 +188,4 @@ public class DefaultSchemaRegistryClientTest { public void checkConnection2() throws Exception { new DefaultSchemaRegistryClient(new HashMap<>()).checkConnection(); } -} \ No newline at end of file +} diff --git a/pom.xml b/pom.xml index 55b3acb..cd60038 100644 --- a/pom.xml +++ b/pom.xml @@ -103,6 +103,7 @@ <commons.digester.version>2.1</commons.digester.version> <commons.io.version>2.5</commons.io.version> <commons.lang.version>2.6</commons.lang.version> + <commons.lang3.version>3.3.2</commons.lang3.version> <commons.logging.version>1.2</commons.logging.version> <commons.math.version>2.2</commons.math.version> <commons.net.version>3.6</commons.net.version> @@ -113,18 +114,18 @@ <elasticsearch.version>7.6.0</elasticsearch.version> <enunciate.version>2.11.1</enunciate.version> <findbugs.plugin.version>3.0.3</findbugs.plugin.version> - <google.guava.version>25.1-jre</google.guava.version> + <google.guava.version>27.0-jre</google.guava.version> <googlecode.log4jdbc.version>1.2</googlecode.log4jdbc.version> <gson.version>2.2.4</gson.version> <guice.version>4.0</guice.version> - <hadoop.version>3.1.1</hadoop.version> - <ozone.version>0.4.0-alpha</ozone.version> + <hadoop.version>3.3.0</hadoop.version> + <ozone.version>1.0.0</ozone.version> <hamcrest.all.version>1.3</hamcrest.all.version> - <hbase.version>2.0.2</hbase.version> + <hbase.version>2.2.6</hbase.version> <hive.version>3.1.2</hive.version> - <hbase-shaded-protobuf>2.0.0</hbase-shaded-protobuf> - <hbase-shaded-netty>2.0.0</hbase-shaded-netty> - <hbase-shaded-miscellaneous>2.0.0</hbase-shaded-miscellaneous> + <hbase-shaded-protobuf>3.3.0</hbase-shaded-protobuf> + <hbase-shaded-netty>3.3.0</hbase-shaded-netty> + <hbase-shaded-miscellaneous>3.3.0</hbase-shaded-miscellaneous> <libfb303.version>0.9.3</libfb303.version> <libthrift.version>0.13.0</libthrift.version> <htrace-core.version>4.1.0-incubating</htrace-core.version> @@ -153,7 +154,7 @@ <junit.version>4.12</junit.version> <kafka.version>2.4.0</kafka.version> <kerby.version>1.0.0</kerby.version> - <knox.gateway.version>1.2.0</knox.gateway.version> + <knox.gateway.version>1.4.0</knox.gateway.version> <kylin.version>2.6.4</kylin.version> <libpam4j.version>1.10</libpam4j.version> <local.lib.dir>${project.basedir}/../lib/local</local.lib.dir> diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java deleted file mode 100644 index 8da972a..0000000 --- a/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java +++ /dev/null @@ -1,104 +0,0 @@ -/** - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hbase.security.access; - -import java.io.IOException; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; - -import org.apache.hadoop.hbase.TableExistsException; -import org.apache.hadoop.hbase.master.MasterServices; -import org.apache.log4j.Logger; - - -public class RangerAccessControlLists { - - private static final Logger LOG = Logger.getLogger(RangerAccessControlLists.class); - - public static void init(MasterServices master) throws IOException { - - Class<AccessControlLists> accessControlListsClass = AccessControlLists.class; - String cName = accessControlListsClass.getName(); - - Class<?>[] params = new Class[1]; - params[0] = MasterServices.class; - - for (String mname : new String[] { "init", "createACLTable" } ) { - try { - try { - Method m = accessControlListsClass.getDeclaredMethod(mname, params); - if (m != null) { - try { - - try { - m.invoke(null, master); - logInfo("Execute method name [" + mname + "] in Class [" + cName + "] is successful."); - } catch (InvocationTargetException e) { - Throwable cause = e; - boolean tableExistsExceptionFound = false; - if (e != null) { - Throwable ecause = e.getTargetException(); - if (ecause != null) { - cause = ecause; - if (ecause instanceof TableExistsException) { - tableExistsExceptionFound = true; - } - } - } - if (! tableExistsExceptionFound) { - logError("Unable to execute the method [" + mname + "] on [" + cName + "] due to exception", cause); - throw new IOException(cause); - } - } - return; - } catch (IllegalArgumentException e) { - logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e); - throw new IOException(e); - } catch (IllegalAccessException e) { - logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e); - throw new IOException(e); - } - } - } - catch(NoSuchMethodException nsme) { - logInfo("Unable to get method name [" + mname + "] in Class [" + cName + "]. Ignoring the exception"); - } - } catch (SecurityException e) { - logError("Unable to get method name [" + mname + "] in Class [" + cName + "].", e); - throw new IOException(e); - } - } - throw new IOException("Unable to initialize() [" + cName + "]"); - } - - - private static void logInfo(String msg) { - // System.out.println(msg); - LOG.info(msg); - } - - private static void logError(String msg, Throwable t) { -// System.err.println(msg); -// if (t != null) { -// t.printStackTrace(System.err); -// } - LOG.error(msg, t); - } - -} diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index 50bec07..a2089f7 100644 --- a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -1116,6 +1116,24 @@ public class RangerAuthorizationCoprocessor implements RegionCoprocessor, Master } @Override + public void hasPermission(RpcController controller, AccessControlProtos.HasPermissionRequest request, RpcCallback<AccessControlProtos.HasPermissionResponse> done) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.hasPermission()"); + } + + try { + activatePluginClassLoader(); + implAccessControlService.hasPermission(controller, request, done); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.hasPermission()"); + } + } + + @Override public void getUserPermissions(RpcController controller, GetUserPermissionsRequest request, RpcCallback<GetUserPermissionsResponse> done) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.getUserPermissions()"); diff --git a/ranger-ozone-plugin-shim/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java b/ranger-ozone-plugin-shim/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java index 5d7c291..d7f8f52 100644 --- a/ranger-ozone-plugin-shim/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java +++ b/ranger-ozone-plugin-shim/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java @@ -21,9 +21,9 @@ package org.apache.ranger.authorization.ozone.authorizer; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.ozone.om.exceptions.OMException; import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer; import org.apache.hadoop.ozone.security.acl.IOzoneObj; -import org.apache.hadoop.ozone.security.acl.OzoneAclException; import org.apache.hadoop.ozone.security.acl.RequestContext; import org.apache.ranger.plugin.classloader.RangerPluginClassLoader; @@ -76,11 +76,11 @@ public class RangerOzoneAuthorizer implements IAccessAuthorizer { } @Override - public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context) throws OzoneAclException { + public boolean checkAccess(IOzoneObj ozoneObject, RequestContext context) throws OMException { boolean ret = false; - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerOzoneAuthorizer.checkAccess()"); } @@ -92,7 +92,7 @@ public class RangerOzoneAuthorizer implements IAccessAuthorizer { deactivatePluginClassLoader(); } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerOzoneAuthorizer.checkAccess()"); } diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 949c242..696d0c9 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -798,16 +798,16 @@ update_properties() { propertyName=ranger.jpa.jdbc.password newPropertyValue="_" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - else - propertyName=ranger.jpa.jdbc.password - newPropertyValue="${db_password}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - fi - if test -f $keystore; then - #echo "$keystore found." - chown -R ${unix_user}:${unix_group} ${keystore} - chmod 640 ${keystore} + if test -f "${keystore}"; then + #echo "$keystore found." + chown -R ${unix_user}:${unix_group} ${keystore} + chmod 640 ${keystore} + else + propertyName=ranger.jpa.jdbc.password + newPropertyValue="${db_password}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi else propertyName=ranger.jpa.jdbc.password newPropertyValue="${db_password}" @@ -844,14 +844,14 @@ update_properties() { propertyName=ranger.solr.audit.user.password newPropertyValue="_" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - else - propertyName=ranger.solr.audit.user.password - newPropertyValue="${audit_solr_password}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - fi - if test -f $keystore; then - chown -R ${unix_user}:${unix_group} ${keystore} + if test -f "${keystore}"; then + chown -R ${unix_user}:${unix_group} ${keystore} + else + propertyName=ranger.solr.audit.user.password + newPropertyValue="${audit_solr_password}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi else propertyName=ranger.solr.audit.user.password newPropertyValue="${audit_solr_password}" @@ -911,14 +911,14 @@ update_properties() { updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$javax_net_ssl_keyStoreAlias" -v "$javax_net_ssl_keyStorePassword" -c 1 - else - propertyName=ranger.keystore.password - newPropertyValue="${javax_net_ssl_keyStorePassword}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default - fi - if test -f $keystore; then - chown -R ${unix_user}:${unix_group} ${keystore} + if test -f "${keystore}"; then + chown -R ${unix_user}:${unix_group} ${keystore} + else + propertyName=ranger.keystore.password + newPropertyValue="${javax_net_ssl_keyStorePassword}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default + fi else propertyName=ranger.keystore.password newPropertyValue="${javax_net_ssl_keyStorePassword}" @@ -944,13 +944,14 @@ update_properties() { updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$javax_net_ssl_trustStoreAlias" -v "$javax_net_ssl_trustStorePassword" -c 1 - else - propertyName=ranger.truststore.password - newPropertyValue="${javax_net_ssl_trustStorePassword}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default - fi - if test -f $keystore; then - chown -R ${unix_user}:${unix_group} ${keystore} + + if test -f "${keystore}"; then + chown -R ${unix_user}:${unix_group} ${keystore} + else + propertyName=ranger.truststore.password + newPropertyValue="${javax_net_ssl_trustStorePassword}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default + fi else propertyName=ranger.truststore.password newPropertyValue="${javax_net_ssl_trustStorePassword}" @@ -993,13 +994,14 @@ update_properties() { newPropertyValue="_" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$policymgr_https_keystore_credential_alias" -v "$policymgr_https_keystore_password" -c 1 - else - propertyName=ranger.service.https.attrib.keystore.pass - newPropertyValue="${policymgr_https_keystore_password}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - fi - if test -f $keystore; then - chown -R ${unix_user}:${unix_group} ${keystore} + + if test -f "${keystore}"; then + chown -R ${unix_user}:${unix_group} ${keystore} + else + propertyName=ranger.service.https.attrib.keystore.pass + newPropertyValue="${policymgr_https_keystore_password}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi else propertyName=ranger.service.https.attrib.keystore.pass newPropertyValue="${policymgr_https_keystore_password}" @@ -1024,13 +1026,14 @@ update_properties() { newPropertyValue="_" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ranger_unixauth_keystore_alias" -v "$ranger_unixauth_keystore_password" -c 1 - else - propertyName=ranger.unixauth.keystore.password - newPropertyValue="${ranger_unixauth_keystore_password}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default - fi - if test -f $keystore; then - chown -R ${unix_user}:${unix_group} ${keystore} + + if test -f "${keystore}"; then + chown -R ${unix_user}:${unix_group} ${keystore} + else + propertyName=ranger.unixauth.keystore.password + newPropertyValue="${ranger_unixauth_keystore_password}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default + fi else propertyName=ranger.unixauth.keystore.password newPropertyValue="${ranger_unixauth_keystore_password}" @@ -1055,13 +1058,14 @@ update_properties() { newPropertyValue="_" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ranger_unixauth_truststore_alias" -v "$ranger_unixauth_truststore_password" -c 1 - else - propertyName=ranger.unixauth.truststore.password - newPropertyValue="${ranger_unixauth_truststore_password}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default - fi - if test -f $keystore; then - chown -R ${unix_user}:${unix_group} ${keystore} + + if test -f $keystore; then + chown -R ${unix_user}:${unix_group} ${keystore} + else + propertyName=ranger.unixauth.truststore.password + newPropertyValue="${ranger_unixauth_truststore_password}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default + fi else propertyName=ranger.unixauth.truststore.password newPropertyValue="${ranger_unixauth_truststore_password}" @@ -1181,15 +1185,16 @@ do_authentication_setup(){ else log "[E] $to_file_default does not exists" ; exit 1; fi - else - propertyName=ranger.ldap.bind.password - newPropertyValue="${xa_ldap_bind_password}" - updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file - fi - if test -f $keystore; then - #echo "$keystore found." - chown -R ${unix_user}:${unix_group} ${keystore} - chmod 640 ${keystore} + + if test -f $keystore; then + #echo "$keystore found." + chown -R ${unix_user}:${unix_group} ${keystore} + chmod 640 ${keystore} + else + propertyName=ranger.ldap.bind.password + newPropertyValue="${xa_ldap_bind_password}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + fi else propertyName=ranger.ldap.bind.password newPropertyValue="${xa_ldap_bind_password}" @@ -1267,15 +1272,16 @@ do_authentication_setup(){ else log "[E] $to_file_default does not exists" ; exit 1; fi - else - propertyName=ranger.ldap.ad.bind.password - newPropertyValue="${xa_ldap_ad_bind_password}" - updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file - fi - if test -f $keystore; then - #echo "$keystore found." - chown -R ${unix_user}:${unix_group} ${keystore} - chmod 640 ${keystore} + + if test -f $keystore; then + #echo "$keystore found." + chown -R ${unix_user}:${unix_group} ${keystore} + chmod 640 ${keystore} + else + propertyName=ranger.ldap.ad.bind.password + newPropertyValue="${xa_ldap_ad_bind_password}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + fi else propertyName=ranger.ldap.ad.bind.password newPropertyValue="${xa_ldap_ad_bind_password}" diff --git a/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestUnixUserGroupBuilder.java b/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestUnixUserGroupBuilder.java index 21184d0..0de95ad 100644 --- a/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestUnixUserGroupBuilder.java +++ b/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestUnixUserGroupBuilder.java @@ -61,7 +61,7 @@ public class TestUnixUserGroupBuilder { assertThat(name, anyOf(equalTo("wheel"), equalTo("root"))); Map<String, Set<String>> groupUsers = builder.getGroupUserListMap(); - Set<String> users = groupUsers.get("wheel"); + Set<String> users = groupUsers.get("root"); assertNotNull(users); assertThat(users, anyOf(hasItem("wheel"), hasItem("root"))); @@ -79,7 +79,7 @@ public class TestUnixUserGroupBuilder { assertThat(name, anyOf(equalTo("wheel"), equalTo("root"))); Map<String, Set<String>> groupUsers = builder.getGroupUserListMap(); - Set<String> users = groupUsers.get("wheel"); + Set<String> users = groupUsers.get("root"); assertNotNull(users); assertThat(users, anyOf(hasItem("wheel"), hasItem("root"))); }
