This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 1edd066  RANGER-3159: Having any permission on Hbase namespace and 
tables should allow listing of namespace and tables
1edd066 is described below

commit 1edd0665486da44531fbb2e32cb748476f5731e8
Author: Ramesh Mani <[email protected]>
AuthorDate: Tue Jan 26 10:35:14 2021 -0800

    RANGER-3159: Having any permission on Hbase namespace and tables should 
allow listing of namespace and tables
---
 .../hbase/RangerAuthorizationCoprocessor.java      | 57 ++++++++++++++++++++--
 1 file changed, 53 insertions(+), 4 deletions(-)

diff --git 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 2232953..9be6914 100644
--- 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -70,6 +70,7 @@ import 
org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs.AccessResult;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -1190,7 +1191,7 @@ public class RangerAuthorizationCoprocessor implements 
AccessControlService.Inte
                if (LOG.isDebugEnabled()) {
                        LOG.debug(String.format("==> 
postGetTableNames(count(descriptors)=%s, regex=%s)", descriptors == null ? 0 : 
descriptors.size(), regex));
                }
-               checkAccess(ctx, "getTableNames", descriptors, regex);
+               checkGetTableInfoAccess(ctx, "getTableNames", descriptors, 
regex, RangerPolicyEngine.ANY_ACCESS);
 
                if (LOG.isDebugEnabled()) {
                        LOG.debug(String.format("<== 
postGetTableNames(count(descriptors)=%s, regex=%s)", descriptors == null ? 0 : 
descriptors.size(), regex));
@@ -1204,7 +1205,7 @@ public class RangerAuthorizationCoprocessor implements 
AccessControlService.Inte
                                        descriptors == null ? 0 : 
descriptors.size(), regex));
                }
 
-               checkAccess(ctx, "getTableDescriptors", descriptors, regex);
+               checkGetTableInfoAccess(ctx, "getTableDescriptors", 
descriptors, regex, _authUtils.getAccess(Action.CREATE));
                
                if (LOG.isDebugEnabled()) {
                        LOG.debug(String.format("<== 
postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, 
regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
@@ -1212,6 +1213,19 @@ public class RangerAuthorizationCoprocessor implements 
AccessControlService.Inte
                }
        }
 
+       @Override
+       public void 
postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, 
    List<NamespaceDescriptor> descriptors) throws IOException {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> 
RangerAuthorizationCoprocessor.postListNamespaceDescriptors()");
+               }
+
+               checkAccessForNamespaceDescriptor(ctx, 
"getNameSpaceDescriptors", descriptors);
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== 
RangerAuthorizationCoprocessor.postListNamespaceDescriptors()");
+               }
+       }
+
 
        public void 
prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx, 
PrepareBulkLoadRequest request) throws IOException {
                List<byte[]> cfs = null;
@@ -1770,12 +1784,12 @@ public class RangerAuthorizationCoprocessor implements 
AccessControlService.Inte
                return ret.toString();
        }
 
-       private void checkAccess(ObserverContext<MasterCoprocessorEnvironment> 
ctx, String operation, List<TableDescriptor> descriptors, String regex) {
+       private void 
checkGetTableInfoAccess(ObserverContext<MasterCoprocessorEnvironment> ctx, 
String operation, List<TableDescriptor> descriptors, String regex, String 
accessPermission) {
 
                if (CollectionUtils.isNotEmpty(descriptors)) {
                        // Retains only those which passes authorization checks
                        User user = getActiveUser(ctx);
-                       String access = _authUtils.getAccess(Action.CREATE);
+                       String access = accessPermission;
                        HbaseAuditHandler auditHandler = 
_factory.getAuditHandler();  // this will accumulate audits for all tables that 
succeed.
                        AuthorizationSession session = new 
AuthorizationSession(hbasePlugin)
                                        .operation(operation)
@@ -1806,6 +1820,41 @@ public class RangerAuthorizationCoprocessor implements 
AccessControlService.Inte
                }
        }
 
+       private void 
checkAccessForNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> 
ctx, String operation, List<NamespaceDescriptor> descriptors) {
+
+               if (CollectionUtils.isNotEmpty(descriptors)) {
+                       // Retains only those which passes authorization checks
+                       User user = getActiveUser(ctx);
+                       String access = _authUtils.getAccess(Action.ADMIN);
+                       HbaseAuditHandler auditHandler = 
_factory.getAuditHandler();  // this will accumulate audits for all tables that 
succeed.
+                       AuthorizationSession session = new 
AuthorizationSession(hbasePlugin)
+                                       .operation(operation)
+                                       .remoteAddress(getRemoteAddress())
+                                       .auditHandler(auditHandler)
+                                       .user(user)
+                                       .access(access);
+
+                       Iterator<NamespaceDescriptor> itr = 
descriptors.iterator();
+                       while (itr.hasNext()) {
+                               NamespaceDescriptor namespaceDescriptor = 
itr.next();
+                               String namespace = 
namespaceDescriptor.getName();
+                               
session.table(namespace).buildRequest().authorize();
+                               if (!session.isAuthorized()) {
+                                       List<AuthzAuditEvent> events = null;
+                                       itr.remove();
+                                       AuthzAuditEvent event = 
auditHandler.getAndDiscardMostRecentEvent();
+                                       if (event != null) {
+                                               events = 
Lists.newArrayList(event);
+                                       }
+                                       auditHandler.logAuthzAudits(events);
+                               }
+                       }
+                       if (descriptors.size() > 0) {
+                               session.logCapturedEvents();
+                       }
+               }
+       }
+
        enum PredicateType {STARTROW, STOPROW, FILTER, COLUMNS, ROW};
 }
 

Reply via email to