RANGER-230 Hbase plugin implementation using new pluggable service model.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1d6a2590
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1d6a2590
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1d6a2590
Branch: refs/heads/stack
Commit: 1d6a2590f850248d20065e2b3a58ed8bc86b9e95
Parents: 9784f53
Author: Alok Lal <[email protected]>
Authored: Sat Jan 31 00:37:29 2015 -0800
Committer: Madhan Neethiraj <[email protected]>
Committed: Sat Jan 31 00:37:29 2015 -0800
----------------------------------------------------------------------
 .../.settings/org.eclipse.jdt.core.prefs | 23 +-
 ...rg.eclipse.wst.common.project.facet.core.xml | 2 +-
 .../.settings/org.eclipse.jdt.core.prefs | 13 +-
 .../hadoop/constants/RangerHadoopConstants.java | 3 -
 .../.settings/org.eclipse.jdt.core.prefs | 15 +-
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 .../apache/ranger/pdp/hbase/HBaseAuthDB.java | 488 ----------
 .../apache/ranger/pdp/hbase/HBaseAuthRules.java | 134 ---
 .../ranger/pdp/hbase/RangerAuthorizer.java | 107 ---
 .../apache/ranger/pdp/hbase/URLBasedAuthDB.java | 233 -----
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 .../.settings/org.eclipse.core.resources.prefs | 1 +
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 .../conf/xasecure-hbase-security-changes.cfg | 1 -
 hbase-agent/conf/xasecure-hbase-security.xml | 10 -
 hbase-agent/pom.xml | 18 +
 .../hbase/HBaseAccessController.java | 40 -
 .../hbase/HBaseAccessControllerFactory.java | 61 --
 .../hbase/RangerAccessControlFilter.java | 51 -
 .../hbase/RangerAuthorizationCoprocessor.java | 919 +++++++++----------
 .../RangerAuthorizationCoprocessorBase.java | 539 +++--------
 hdfs-agent/.settings/org.eclipse.jdt.core.prefs | 23 +-
 hive-agent/.settings/org.eclipse.jdt.core.prefs | 13 +-
 knox-agent/.settings/org.eclipse.jdt.core.prefs | 6 +-
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 ...rg.eclipse.wst.common.project.facet.core.xml | 2 +-
 plugin-common/pom.xml | 12 +
 .../plugin/policyengine/RangerAccessResult.java | 14 +
 .../policyengine/RangerPolicyEngineImpl.java | 2 +-
 .../ranger/plugin/util/PolicyRefresher.java | 2 +-
 pom.xml | 1 +
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 ...rg.eclipse.wst.common.project.facet.core.xml | 2 +-
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 ugsync/.settings/org.eclipse.jdt.core.prefs | 6 +-
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 ...rg.eclipse.wst.common.project.facet.core.xml | 2 +-
 .../.settings/org.eclipse.jdt.core.prefs | 6 +-
 40 files changed, 697 insertions(+), 2106 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-audit/.settings/org.eclipse.jdt.core.prefs
----------------------------------------------------------------------
diff --git a/agents-audit/.settings/org.eclipse.jdt.core.prefs b/agents-audit/.settings/org.eclipse.jdt.core.prefs
index 107056a..facfa83 100644
--- a/agents-audit/.settings/org.eclipse.jdt.core.prefs
+++ b/agents-audit/.settings/org.eclipse.jdt.core.prefs
@@ -1,12 +1,17 @@
-eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
-org.eclipse.jdt.core.compiler.compliance=1.6
-org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+#Wed Jan 21 11:38:44 PST 2015
+encoding/src/test/java=UTF-8
 org.eclipse.jdt.core.compiler.debug.localVariable=generate
+org.eclipse.jdt.core.compiler.compliance=1.7
+org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
+encoding/src/main/resources=UTF-8
 org.eclipse.jdt.core.compiler.debug.sourceFile=generate
-org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
-org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
+encoding/src/main/java=UTF-8
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+eclipse.preferences.version=1
+encoding/src/test/resources=UTF-8
+org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
+org.eclipse.jdt.core.compiler.source=1.7
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-audit/.settings/org.eclipse.wst.common.project.facet.core.xml
----------------------------------------------------------------------
diff --git a/agents-audit/.settings/org.eclipse.wst.common.project.facet.core.xml b/agents-audit/.settings/org.eclipse.wst.common.project.facet.core.xml
index 08e864b..0bcc5bd 100644
--- a/agents-audit/.settings/org.eclipse.wst.common.project.facet.core.xml
+++ b/agents-audit/.settings/org.eclipse.wst.common.project.facet.core.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <faceted-project>
- <installed facet="java" version="1.6"/>
 <installed facet="jpt.jpa" version="2.0"/>
 <installed facet="jst.utility" version="1.0"/>
+ <installed facet="java" version="1.7"/>
 </faceted-project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-common/.settings/org.eclipse.jdt.core.prefs
----------------------------------------------------------------------
diff --git a/agents-common/.settings/org.eclipse.jdt.core.prefs b/agents-common/.settings/org.eclipse.jdt.core.prefs
index 60105c1..51f2cb3 100644
--- a/agents-common/.settings/org.eclipse.jdt.core.prefs
+++ b/agents-common/.settings/org.eclipse.jdt.core.prefs
@@ -1,5 +1,10 @@
-eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.compliance=1.6
+#Wed Jan 21 11:38:44 PST 2015
+encoding/src/test/java=UTF-8
+org.eclipse.jdt.core.compiler.compliance=1.7
+encoding/src/main/resources=UTF-8
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
+encoding/src/main/java=UTF-8
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+eclipse.preferences.version=1
+encoding/src/test/resources=UTF-8
+org.eclipse.jdt.core.compiler.source=1.7
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index d87057d..906e941 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java @@ -52,9 +52,6 @@ public class RangerHadoopConstants { public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_PROP = "knox.authorization.verifier.classname" ; public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.knox.RangerAuthorizer" ; - public static final String HBASE_ACCESS_VERIFIER_CLASS_NAME_PROP = "hbase.authorization.verifier.classname" ; - public static final String HBASE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.hbase.RangerAuthorizer" ; - public static final String STORM_ACCESS_VERIFIER_CLASS_NAME_PROP = "storm.authorization.verifier.classname" ; public static final String STORM_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.storm.RangerAuthorizer" ; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-cred/.settings/org.eclipse.jdt.core.prefs ---------------------------------------------------------------------- diff --git a/agents-cred/.settings/org.eclipse.jdt.core.prefs b/agents-cred/.settings/org.eclipse.jdt.core.prefs index 69c31cd..93353a7 100644 --- a/agents-cred/.settings/org.eclipse.jdt.core.prefs +++ b/agents-cred/.settings/org.eclipse.jdt.core.prefs 
@@ -1,8 +1,13 @@
+#Wed Jan 21 11:38:44 PST 2015
+encoding/src/test/java=UTF-8
+org.eclipse.jdt.core.compiler.compliance=1.7
+encoding/src/main/resources=UTF-8
+org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
+encoding/src/main/java=UTF-8
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
 eclipse.preferences.version=1
+encoding/src/test/resources=UTF-8
 org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.compliance=1.6
+org.eclipse.jdt.core.compiler.source=1.7
 org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
-org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
-org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-impl/.settings/org.eclipse.jdt.core.prefs
----------------------------------------------------------------------
diff --git a/agents-impl/.settings/org.eclipse.jdt.core.prefs b/agents-impl/.settings/org.eclipse.jdt.core.prefs
index 60105c1..ec4300d 100644
--- a/agents-impl/.settings/org.eclipse.jdt.core.prefs
+++ b/agents-impl/.settings/org.eclipse.jdt.core.prefs
@@ -1,5 +1,5 @@
 eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.compliance=1.6
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.compliance=1.7
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
+org.eclipse.jdt.core.compiler.source=1.7
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthDB.java b/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthDB.java
deleted file mode 100644
index 9f9affd..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthDB.java
+++ /dev/null
@@ -1,488 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.pdp.hbase;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.Permission.Action;
-import org.apache.hadoop.hbase.security.access.UserPermission;
-import org.apache.hadoop.hbase.util.Bytes;
-import org.apache.hadoop.util.StringUtils;
-import org.apache.ranger.authorization.hbase.HBaseAccessController;
-import org.apache.ranger.pdp.constants.RangerConstants;
-
-public class HBaseAuthDB implements HBaseAccessController {
-
- private static final long MAX_CACHE_AUDIT_ENTRIES = 1000L ;
- private static final long MAX_CACHE_ENCRYPT_ENTRIES = 1000L ;
-
- private static final Log LOG = LogFactory.getLog(HBaseAuthDB.class) ;
-
- private ArrayList<HBaseAuthRules> ruleList = null;
- private ArrayList<HBaseAuthRules> globalList = null;
- private ArrayList<HBaseAuthRules> tableList = null;
-
- private ArrayList<String> auditList = null ;
- private HashMap<byte[],Boolean> cachedAuditTable = new HashMap<byte[],Boolean>() ;
-
- private ArrayList<String> encryptList = null ;
-
- private HashSet<String> encryptTableList = null ;
- private HashMap<byte[],Boolean> cachedEncryptedTable = new HashMap<byte[],Boolean>() ;
-
-
- public HBaseAuthDB(ArrayList<HBaseAuthRules> ruleList, ArrayList<String> auditList, ArrayList<String> encryptList) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("+Creating HBaseAuthDB is creating with ruleList [" + (ruleList == null ? 0 : ruleList.size()) + "]" );
- }
-
- this.auditList = auditList;
- this.encryptList = encryptList;
-
-
- this.ruleList = new ArrayList<HBaseAuthRules>() ;
- this.globalList = new ArrayList<HBaseAuthRules>() ;
- this.tableList = new ArrayList<HBaseAuthRules>() ;
-
- for(HBaseAuthRules rule : ruleList ) {
- if (rule.isGlobalRule()) {
- this.globalList.add(rule) ;
- if (LOG.isDebugEnabled()) {
- LOG.debug("RULE:[" + rule + "] is being added as GLOBAL Policy");
- }
- }
- else if (rule.isTableRule()) {
- this.tableList.add(rule) ;
- if (LOG.isDebugEnabled()) {
- LOG.debug("RULE:[" + rule + "] is being added as Table Policy");
- }
- }
- else {
- this.ruleList.add(rule) ;
- if (LOG.isDebugEnabled()) {
- LOG.debug("RULE:[" + rule + "] is being added as non-global, non-table Policy");
- }
- }
- }
-
- this.encryptTableList = new HashSet<String>() ;
-
- if (encryptList != null && encryptList.size() > 0) {
- for(String encryptKey : encryptList) {
- String[] objKeys = encryptKey.split("/") ;
- String tableName = objKeys[0] ;
- if (! encryptTableList.contains(tableName)) {
- encryptTableList.add(tableName) ;
- if (LOG.isDebugEnabled()) {
- LOG.debug("EncryptionList:[" + tableName + "] is being added encrypted table.");
- }
- }
- }
- }
-
-
- }
-
-
- public boolean isAccessAllowed(User user, Action accessAction) {
-
-
- String access = accessAction.toString().toLowerCase() ;
-
- if (user == null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(GLOBAL," + access + ") => [FALSE] as user passed for check was null.");
- }
- return false ;
- }
-
-
- String username = user.getShortName() ;
-
- String[] groups = user.getGroupNames() ;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Init of Global access Verification - [" + access + "] for user [" + username + "], groups: [" + Arrays.toString(groups) + "]");
- }
-
- for (HBaseAuthRules rule : globalList) {
-
- if (rule.getAccessType().equals(access)) {
-
- String authorizedUser = rule.getUser() ;
- String authorizedGroup = rule.getGroup();
-
- if (authorizedGroup != null) {
- if (RangerConstants.PUBLIC_ACCESS_ROLE.equals(authorizedGroup)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true ;
- }
-
- for (String group : groups) {
- if (group.equals(authorizedGroup)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true;
- }
- }
- }
-
- if (authorizedUser != null) {
- if (username.equals(authorizedUser)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true;
- }
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [FALSE] as it did not match any rules.");
- }
-
- return false;
- }
-
- public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) {
-
-
- if ( isAccessAllowed(user,accessAction)) { // Check Global Action
- return true ;
- }
-
- String tableNameStr = Bytes.toString(tableName) ;
-
- String access = accessAction.toString().toLowerCase() ;
-
- if (user == null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + tableNameStr + "," + access + ") => [FALSE] as user passed for check was null.");
- }
- return false ;
- }
-
- String username = user.getShortName() ;
-
- String[] groups = user.getGroupNames() ;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Init of Table access Verification - [" + access + "] for user [" + username + "], groups: [" + Arrays.toString(groups) + "], tableName: [" + tableNameStr + "]");
- }
-
- for (HBaseAuthRules rule : tableList) {
-
- if (rule.isTableNameMatched(tableNameStr)) {
- if (rule.getAccessType().equals(access)) {
-
- String authorizedUser = rule.getUser() ;
-
- String authorizedGroup = rule.getGroup();
-
- if (authorizedGroup != null) {
- if (RangerConstants.PUBLIC_ACCESS_ROLE.equals(authorizedGroup)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true ;
- }
-
- for (String group : groups) {
- if (group.equals(authorizedGroup)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true;
- }
- }
- }
- if (authorizedUser != null && username.equals(authorizedUser)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true;
- }
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [FALSE] as it did not match any rules.");
- }
-
- return false;
- }
-
-
-
-
-
-
- public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) {
-
- String FQColName = getFullyQualifiedColumnName(tableName, columnFamily, qualifier) ;
-
- String access = accessAction.toString().toLowerCase() ;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed on HBaseAuthDB: for FQColName [" + FQColName + "]");
- }
-
-
- if (user == null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + FQColName + "," + access + ") => [FALSE] as as user passed for check was null.");
- }
- return false ;
- }
-
-
- if (isAccessAllowed(user, accessAction)) { // Check Global Action
- return true ;
- }
-
- if (isAccessAllowed(user,tableName, accessAction)) { // Check Table Action
- return true;
- }
-
-
- String username = user.getShortName() ;
-
- String[] groups = user.getGroupNames() ;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Init of Table access Verification - [" + access + "] for user [" + username + "], groups: [" + Arrays.toString(groups) + "], FQColumnFamily: [" + FQColName + "]");
- }
-
- for (HBaseAuthRules rule : ruleList) {
-
- if (rule.isMatched(FQColName)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Rule [" + rule + "] matched [" + FQColName + "]");
- }
- if (rule.getAccessType().equals(access)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Access [" + rule.getAccessType() + "] matched [" + access + "]");
- }
- String authorizedUser = rule.getUser() ;
-
- String authorizedGroup = rule.getGroup();
-
- if (authorizedGroup != null) {
- if (RangerConstants.PUBLIC_ACCESS_ROLE.equals(authorizedGroup)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true ;
- }
- for (String group : groups) {
- if (group.equals(authorizedGroup)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true;
- }
- }
- }
-
- if (authorizedUser != null) {
- if (username.equals(authorizedUser)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule);
- }
- return true;
- }
- }
- }
- else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Access [" + rule.getAccessType() + "] DID NOT match [" + access + "]");
- }
- }
- }
- else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Rule [" + rule + "] not matched [" + FQColName + "]");
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [FALSE] as it did not match any rules.");
- }
-
- return false;
-
- }
-
- public boolean isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) {
- String colName = getFullyQualifiedColumnName(tableName, columnFamily, qualifier) ;
- for(String encryptable : encryptList) {
- if (FilenameUtils.wildcardMatch(colName,encryptable)) {
- return true ;
- }
- }
- return false;
- }
-
- public boolean isAudited(byte[] tableName) {
- Boolean ret = cachedAuditTable.get(tableName) ;
- if (ret == null) {
- ret = isAuditedFromTableList(tableName) ;
- synchronized(cachedAuditTable) {
- if (cachedAuditTable.size() > MAX_CACHE_AUDIT_ENTRIES) {
- cachedAuditTable.clear();
- }
- cachedAuditTable.put(tableName,ret) ;
- }
- }
- return ret.booleanValue();
- }
-
- private boolean isAuditedFromTableList(byte[] tableName) {
- boolean ret = false ;
- String tableNameStr = Bytes.toString(tableName) ;
- for(String auditable : auditList) {
- if (FilenameUtils.wildcardMatch(tableNameStr,auditable)) {
- ret = true ;
- break ;
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAudited(" + tableNameStr + "):" + ret) ;
- }
-
- return ret;
- }
-
-
- public boolean isTableHasEncryptedColumn(byte[] tableName) {
- Boolean ret = cachedEncryptedTable.get(tableName) ;
- if (ret == null) {
- ret = isTableHasEncryptedColumnFromTableList(tableName) ;
- synchronized(cachedEncryptedTable) {
- if (cachedEncryptedTable.size() > MAX_CACHE_ENCRYPT_ENTRIES) {
- cachedEncryptedTable.clear();
- }
- cachedEncryptedTable.put(tableName, ret) ;
- }
- }
- return ret.booleanValue() ;
- }
-
-
- private boolean isTableHasEncryptedColumnFromTableList(byte[] tableName)
- {
- boolean ret = false ;
-
- String tableNameStr = Bytes.toString(tableName) ;
-
- for(String encryptTable : encryptTableList) {
- ret = FilenameUtils.wildcardMatch(tableNameStr, encryptTable) ;
- if (ret) {
- break ;
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("isTableHasEncryptedColumn(" + tableNameStr + "):" + ret);
- }
-
- return ret ;
- }
-
-
-
- public static String getFullyQualifiedColumnName(byte[] tableName, byte[] columnFamily, byte[] qualifier) {
- StringBuilder sb = new StringBuilder() ;
-
- sb.append(((tableName != null && tableName.length > 0) ? Bytes.toString(tableName) : "*"))
- .append("/")
- .append(((columnFamily != null && columnFamily.length > 0) ? Bytes.toString(columnFamily) : "*"))
- .append("/")
- .append(((qualifier != null && qualifier.length > 0) ? Bytes.toString(qualifier) : "*")) ;
-
- return sb.toString() ;
- }
-
- public List<UserPermission> getUserPermissions(User user) {
- List<UserPermission> ret = new ArrayList<UserPermission>() ;
-
- if (user != null) {
- ArrayList<ArrayList<HBaseAuthRules>> allList = new ArrayList<ArrayList<HBaseAuthRules>>();
- allList.add(globalList) ;
- allList.add(tableList) ;
- allList.add(ruleList) ;
- for(ArrayList<HBaseAuthRules> rList : allList) {
- for(HBaseAuthRules rule : rList) {
- UserPermission perm = rule.getUserPermission(user) ;
- if (perm != null) {
- ret.add(perm) ;
- }
- }
- }
- }
-
- return ret ;
- }
-
- public List<UserPermission> getUserPermissions(User user, byte[] tableName) {
-
- String tableNameStr = Bytes.toString(tableName) ;
-
- List<UserPermission> ret = new ArrayList<UserPermission>() ;
-
- if (user != null) {
- ArrayList<ArrayList<HBaseAuthRules>> allList = new ArrayList<ArrayList<HBaseAuthRules>>();
- allList.add(globalList) ;
- allList.add(tableList) ;
- allList.add(ruleList) ;
- for(ArrayList<HBaseAuthRules> rList : allList) {
- for(HBaseAuthRules rule : rList) {
- if (rule.isTableNameMatched(tableNameStr)) {
- UserPermission perm = rule.getUserPermission(user) ;
- if (perm != null) {
- ret.add(perm) ;
- }
- }
- }
- }
- }
-
- return ret ;
- }
-
-
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthRules.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthRules.java b/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthRules.java
deleted file mode 100644
index ae3980d..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/HBaseAuthRules.java
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.pdp.hbase;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hbase.TableName;
-import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.Permission;
-import org.apache.hadoop.hbase.security.access.UserPermission;
-import org.apache.ranger.pdp.constants.RangerConstants;
-
-public class HBaseAuthRules {
- private String tableName ;
- private String columnGroupName;
- private String columnName ;
- private String accessType ;
- private String group ;
- private String user ;
- private String fullyQualifiedColumnName ;
-
- private static final Log LOG = LogFactory.getLog(HBaseAuthRules.class) ;
-
- public HBaseAuthRules(String tableName, String columnGroupName, String columnName, String accessType, String user, String group) {
- this.tableName = tableName;
- this.columnGroupName = columnGroupName;
- this.columnName = columnName;
- if (accessType != null) {
- this.accessType = accessType.toLowerCase() ;
- }
- this.user = user ;
- this.group = group;
- this.fullyQualifiedColumnName = tableName + "/" + columnGroupName + "/" + columnName ;
- }
-
- public String getTableName() {
- return tableName;
- }
- public String getColumnGroupName() {
- return columnGroupName;
- }
- public String getColumnName() {
- return columnName;
- }
- public String getAccessType() {
- return accessType;
- }
- public String getGroup() {
- return group;
- }
-
- public String getUser() {
- return user;
- }
-
- @Override
- public String toString() {
- return "table: " + tableName + ", columnGroup:" + columnGroupName + ", columnName: " + columnName + ", accessType: " + accessType + ", user:" + user + ", group: " + group ;
- }
-
- public boolean isMatched(String FQColName) {
- return FQColName.equals(fullyQualifiedColumnName) || FilenameUtils.wildcardMatch(FQColName,fullyQualifiedColumnName) ;
- }
-
- public boolean isGlobalRule() {
- return ("*".equals(tableName) && "*".equals(columnGroupName) && "*".equals(columnName)) ;
- }
-
- public boolean isTableRule() {
- return ( ("*".equals(columnGroupName) && "*".equals(columnName)) || ("admin".equals(accessType) || "control".equals(accessType)) ) ;
- }
-
- public boolean isTableNameMatched(String tableNameStr) {
- boolean ret = (tableNameStr == null) || (tableNameStr.equals(tableName)) || FilenameUtils.wildcardMatch(tableNameStr,tableName) ;
- if (LOG.isDebugEnabled()) {
- LOG.debug("TableMatched returns (" + tableNameStr + ", rule:" + tableName + ") returns: " + ret );
- }
- return ret ;
- }
-
- public UserPermission getUserPermission(User aUser) {
-
- if (user == null) {
- return null ;
- }
-
- Permission.Action action = null ;
-
- try {
- action = Permission.Action.valueOf(accessType.toUpperCase()) ;
- } catch (Throwable e) {
- return null ;
- }
-
- if (RangerConstants.PUBLIC_ACCESS_ROLE.equals(group)) {
- return new UserPermission("public".getBytes(), TableName.valueOf ( tableName ) , columnGroupName.getBytes(), columnName.getBytes(), action) ;
- }
-
- if (user != null) {
- if (aUser.getShortName().equals(user)) {
- return new UserPermission(("user:(" + aUser.getShortName() + ")").getBytes(), TableName.valueOf( tableName ) , columnGroupName.getBytes(), columnName.getBytes(), action) ;
- }
- }
-
- if (group != null) {
- for (String ugroups : aUser.getGroupNames()) {
- if (ugroups.equals(group)) {
- return new UserPermission(("group:(" + ugroups + ")").getBytes(), TableName.valueOf( tableName ) , columnGroupName.getBytes(), columnName.getBytes(), action) ;
- }
- }
- }
-
- return null;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/RangerAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/RangerAuthorizer.java b/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/RangerAuthorizer.java
deleted file mode 100644
index f832cfd..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/RangerAuthorizer.java
+++ /dev/null
@@ -1,107 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.pdp.hbase; - -import java.util.List; - -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.access.Permission.Action; -import org.apache.hadoop.hbase.security.access.UserPermission; -import org.apache.ranger.authorization.hbase.HBaseAccessController; - -public class RangerAuthorizer implements HBaseAccessController { - - private HBaseAccessController authDB = URLBasedAuthDB.getInstance(); - - @Override - public boolean isAccessAllowed(User user, Action accessAction) { - if (authDB != null) { - return authDB.isAccessAllowed(user, accessAction); - } else { - return false; - } - } - - @Override - public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) { - if (authDB != null) { - return authDB.isAccessAllowed(user, tableName, accessAction); - } else { - return false; - } - } - - - @Override - public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) { - if (authDB != null) { - return authDB.isAccessAllowed(user, tableName, columnFamily, qualifier, accessAction); - } else { - return false; - } - } - 
- @Override - public boolean isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) { - if (authDB != null) { - return authDB.isEncrypted(tableName, columnFamily, qualifier); - } else { - return false; - } - } - - @Override - public boolean isTableHasEncryptedColumn(byte[] tableName) { - if (authDB != null) { - return authDB.isTableHasEncryptedColumn(tableName); - } else { - return false; - } - } - - - @Override - public boolean isAudited(byte[] tableName) { - if (authDB != null) { - return authDB.isAudited(tableName); - } else { - return false; - } - } - - @Override - public List<UserPermission> getUserPermissions(User aUser) { - if (authDB != null) { - return authDB.getUserPermissions(aUser) ; - } else { - return null; - } - } - - @Override - public List<UserPermission> getUserPermissions(User aUser, byte[] aTableName) { - if (authDB != null) { - return authDB.getUserPermissions(aUser, aTableName) ; - } else { - return null; - } - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/URLBasedAuthDB.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/URLBasedAuthDB.java b/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/URLBasedAuthDB.java deleted file mode 100644 index b0e543a..0000000 --- a/agents-impl/src/main/java/org/apache/ranger/pdp/hbase/URLBasedAuthDB.java +++ /dev/null 
@@ -1,233 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.pdp.hbase; - -import java.util.ArrayList; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.access.Permission.Action; -import org.apache.hadoop.hbase.security.access.UserPermission; -import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.authorization.hbase.HBaseAccessController; -import org.apache.ranger.pdp.config.PolicyChangeListener; -import org.apache.ranger.pdp.config.PolicyRefresher; -import org.apache.ranger.pdp.constants.RangerConstants; -import org.apache.ranger.pdp.model.Policy; -import org.apache.ranger.pdp.model.PolicyContainer; -import org.apache.ranger.pdp.model.RolePermission; - -public class URLBasedAuthDB implements HBaseAccessController, PolicyChangeListener { - - private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class); - - private HBaseAuthDB authDB = null; - - private static URLBasedAuthDB me = null ; - - private PolicyRefresher refresher = null ; - - public static URLBasedAuthDB 
getInstance() { - if (me == null) { - synchronized(URLBasedAuthDB.class) { - URLBasedAuthDB temp = me ; - if (temp == null) { - me = new URLBasedAuthDB() ; - me.init() ; - } - } - } - return me ; - } - - - private URLBasedAuthDB() { - String url = RangerConfiguration.getInstance().get(RangerConstants.RANGER_HBASE_POLICYMGR_URL_PROP); - long refreshInMilli = RangerConfiguration.getInstance().getLong( - RangerConstants.RANGER_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP, - RangerConstants.RANGER_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT); - - String lastStoredFileName = RangerConfiguration.getInstance().get(RangerConstants.RANGER_HBASE_LAST_SAVED_POLICY_FILE_PROP) ; - - String sslConfigFileName = RangerConfiguration.getInstance().get(RangerConstants.RANGER_HBASE_POLICYMGR_SSL_CONFIG_FILE_PROP) ; - refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ; - - String saveAsFileName = RangerConfiguration.getInstance().get(RangerConstants.RANGER_HBASE_POLICYMGR_URL_SAVE_FILE_PROP) ; - if (saveAsFileName != null) { - refresher.setSaveAsFileName(saveAsFileName) ; - } - - if (lastStoredFileName != null) { - refresher.setLastStoredFileName(lastStoredFileName); - } - } - - private void init() { - refresher.setPolicyChangeListener(this); - } - - public boolean isAccessAllowed(User user, Action accessAction) { - if (authDB != null) { - return authDB.isAccessAllowed(user, accessAction); - } else { - return false; - } - } - - public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) { - if (authDB != null) { - return authDB.isAccessAllowed(user, tableName, accessAction); - } else { - return false; - } - } - - - public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) { - if (authDB != null) { - return authDB.isAccessAllowed(user, tableName, columnFamily, qualifier, accessAction); - } else { - return false; - } - } - - public boolean 
isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) { - if (authDB != null) { - return authDB.isEncrypted(tableName, columnFamily, qualifier); - } else { - return false; - } - } - - public boolean isTableHasEncryptedColumn(byte[] tableName) { - if (authDB != null) { - return authDB.isTableHasEncryptedColumn(tableName); - } else { - return false; - } - } - - - public boolean isAudited(byte[] tableName) { - if (authDB != null) { - return authDB.isAudited(tableName); - } else { - return false; - } - } - - public List<UserPermission> getUserPermissions(User aUser) { - if (authDB != null) { - return authDB.getUserPermissions(aUser) ; - } else { - return null; - } - } - - public List<UserPermission> getUserPermissions(User aUser, byte[] aTableName) { - if (authDB != null) { - return authDB.getUserPermissions(aUser, aTableName) ; - } else { - return null; - } - } - - @Override - public void OnPolicyChange(PolicyContainer aPolicyContainer) { - - if (aPolicyContainer == null) { - return ; - } - - ArrayList<HBaseAuthRules> ruleListTemp = new ArrayList<HBaseAuthRules>(); - - HBaseAuthRules globalRule = new HBaseAuthRules(".META.", "*", "*", "read", null, RangerConstants.PUBLIC_ACCESS_ROLE) ; - ruleListTemp.add(globalRule) ; - globalRule = new HBaseAuthRules("-ROOT-", "*", "*", "read", null, RangerConstants.PUBLIC_ACCESS_ROLE) ; - ruleListTemp.add(globalRule) ; - - ArrayList<String> auditListTemp = new ArrayList<String>(); - - ArrayList<String> encryptList = new ArrayList<String>(); - - for(Policy acl : aPolicyContainer.getAcl()) { - - if (! acl.isEnabled()) { - LOG.debug("Diabled acl found [" + acl + "]. 
Skipping this acl ...") ; - continue ; - } - - for(String table : acl.getTableList()) { - for(String colfamily : acl.getColumnFamilyList()) { - for(String col : acl.getColumnList()) { - if (table == null || table.isEmpty()) { - table = "*" ; - } - if (colfamily == null || colfamily.isEmpty()) { - colfamily = "*" ; - } - if (col == null || col.isEmpty()) { - col = "*" ; - } - - if (acl.getAuditInd() == 1) { - if (!auditListTemp.contains(table)) { - LOG.debug("Adding [" + table + "] to audit list"); - auditListTemp.add(table); - } - } - - if (acl.getEncryptInd() == 1) { - String fqn = table + "/" + colfamily + "/" + col ; - if (!encryptList.contains(fqn)) { - LOG.debug("Adding [" + fqn + "] to encrypt list"); - encryptList.add(fqn); - } - } - - for(RolePermission rp : acl.getPermissions()) { - for (String accessLevel : rp.getAccess() ) { - if (rp.getGroups() != null && rp.getGroups().size() > 0) { - for (String group : rp.getGroups()) { - HBaseAuthRules rule = new HBaseAuthRules(table, colfamily, col, accessLevel, null, group); - LOG.debug("Adding (group) rule: [" + rule + "]") ; - ruleListTemp.add(rule); - } - } - if (rp.getUsers() != null && rp.getUsers().size() > 0) { - for (String user : rp.getUsers()) { - HBaseAuthRules rule = new HBaseAuthRules(table, colfamily, col, accessLevel, user, null); - LOG.debug("Adding (user) rule: [" + rule + "]") ; - ruleListTemp.add(rule); - } - } - } - } - } - } - } - } - HBaseAuthDB authDBTemp = new HBaseAuthDB(ruleListTemp, auditListTemp, encryptList); - authDB = authDBTemp; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/agents-installer/.settings/org.eclipse.jdt.core.prefs ---------------------------------------------------------------------- diff --git a/agents-installer/.settings/org.eclipse.jdt.core.prefs b/agents-installer/.settings/org.eclipse.jdt.core.prefs index 60105c1..ec4300d 100644 --- a/agents-installer/.settings/org.eclipse.jdt.core.prefs 
+++ b/agents-installer/.settings/org.eclipse.jdt.core.prefs
@@ -1,5 +1,5 @@
 eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.compliance=1.6
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.compliance=1.7
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
+org.eclipse.jdt.core.compiler.source=1.7
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/credentialbuilder/.settings/org.eclipse.jdt.core.prefs
----------------------------------------------------------------------
diff --git a/credentialbuilder/.settings/org.eclipse.jdt.core.prefs b/credentialbuilder/.settings/org.eclipse.jdt.core.prefs
index 60105c1..ec4300d 100644
--- a/credentialbuilder/.settings/org.eclipse.jdt.core.prefs
+++ b/credentialbuilder/.settings/org.eclipse.jdt.core.prefs
@@ -1,5 +1,5 @@
 eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.compliance=1.6
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.compliance=1.7
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
+org.eclipse.jdt.core.compiler.source=1.7
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/embededwebserver/.settings/org.eclipse.jdt.core.prefs
----------------------------------------------------------------------
diff --git a/embededwebserver/.settings/org.eclipse.jdt.core.prefs b/embededwebserver/.settings/org.eclipse.jdt.core.prefs
index 60105c1..ec4300d 100644
--- a/embededwebserver/.settings/org.eclipse.jdt.core.prefs
+++ b/embededwebserver/.settings/org.eclipse.jdt.core.prefs
@@ -1,5 +1,5 @@
 eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.compliance=1.6
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.compliance=1.7
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
+org.eclipse.jdt.core.compiler.source=1.7
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/.settings/org.eclipse.core.resources.prefs
----------------------------------------------------------------------
diff --git a/hbase-agent/.settings/org.eclipse.core.resources.prefs b/hbase-agent/.settings/org.eclipse.core.resources.prefs
index f9fe345..cdfe4f1 100644
--- a/hbase-agent/.settings/org.eclipse.core.resources.prefs
+++ b/hbase-agent/.settings/org.eclipse.core.resources.prefs
@@ -1,4 +1,5 @@
 eclipse.preferences.version=1
 encoding//src/main/java=UTF-8
 encoding//src/test/java=UTF-8
+encoding//src/test/resources=UTF-8
 encoding/<project>=UTF-8
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/.settings/org.eclipse.jdt.core.prefs
----------------------------------------------------------------------
diff --git a/hbase-agent/.settings/org.eclipse.jdt.core.prefs b/hbase-agent/.settings/org.eclipse.jdt.core.prefs
index 60105c1..ec4300d 100644
--- a/hbase-agent/.settings/org.eclipse.jdt.core.prefs
+++ b/hbase-agent/.settings/org.eclipse.jdt.core.prefs
@@ -1,5 +1,5 @@
 eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
-org.eclipse.jdt.core.compiler.compliance=1.6
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.compliance=1.7
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.6
+org.eclipse.jdt.core.compiler.source=1.7
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/conf/xasecure-hbase-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-hbase-security-changes.cfg b/hbase-agent/conf/xasecure-hbase-security-changes.cfg
index dc3ec1a..86354ff 100644
--- a/hbase-agent/conf/xasecure-hbase-security-changes.cfg
+++ b/hbase-agent/conf/xasecure-hbase-security-changes.cfg
@@ -16,7 +16,6 @@
 # Change the original policy parameter to work with policy manager based.
 #
 #
-hbase.authorization.verifier.classname org.apache.ranger.pdp.hbase.RangerAuthorizer mod create-if-not-exists
 xasecure.hbase.policymgr.url %POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% mod create-if-not-exists
 xasecure.hbase.policymgr.url.saveAsFile /tmp/hbase_%REPOSITORY_NAME%_json mod create-if-not-exists
 xasecure.hbase.policymgr.url.laststoredfile %POLICY_CACHE_FILE_PATH%/hbase_%REPOSITORY_NAME%_json mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/conf/xasecure-hbase-security.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-hbase-security.xml b/hbase-agent/conf/xasecure-hbase-security.xml
index 01e17a3..8ea2665 100644
--- a/hbase-agent/conf/xasecure-hbase-security.xml
+++ b/hbase-agent/conf/xasecure-hbase-security.xml
@@ -18,16 +18,6 @@ <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> <configuration xmlns:xi="http://www.w3.org/2001/XInclude"> - <!-- The following property is used to select appropriate XASecure - Authorizer Module (file-based, policy-manager based) --> - <property> - <name>hbase.authorization.verifier.classname</name> - <value>org.apache.ranger.pdp.hbase.RangerAuthorizer</value> - <description> - Class Name of the authorization Module - </description> - </property> - <!-- The following properties are used only when PolicyManager is used as main storage for all policy --> <property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/pom.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/pom.xml b/hbase-agent/pom.xml
index b309222..2749ca4 100644
--- a/hbase-agent/pom.xml
+++ b/hbase-agent/pom.xml
@@ -52,5 +52,23 @@
 <artifactId>ranger-plugins-audit</artifactId>
 <version>${project.version}</version>
 </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>plugin-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.google.code.gson</groupId>
+ <artifactId>gson</artifactId>
+ <version>${gson.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.hamcrest</groupId>
+ <artifactId>hamcrest-integration</artifactId>
+ </dependency>
 </dependencies>
 </project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessController.java
----------------------------------------------------------------------
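Review bot: In the hbase-agent/pom.xml hunk, `mockito-core` and `hamcrest-integration` are declared without `<scope>test</scope>`, so unless the parent POM's dependencyManagement (not visible here) pins them to test scope they resolve at compile scope and travel with the plugin artifact. This module is loaded into HBase as an authorization coprocessor, so test-only libraries on its runtime classpath widen the dependency surface for no benefit; add `<scope>test</scope>` to both entries. Both also omit `<version>`, which is fine only if the parent manages it, and that is worth confirming together with the `${gson.version}` property the gson entry relies on.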
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessController.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessController.java deleted file mode 100644 index ab69712..0000000 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessController.java +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.authorization.hbase; - -import java.util.List; - -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.access.Permission.Action; -import org.apache.hadoop.hbase.security.access.UserPermission; - -public interface HBaseAccessController { - public boolean isAccessAllowed(User user, Action accessAction) ; - public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) ; - public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) ; - public boolean isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) ; - public boolean isAudited(byte[] tableName) ; - public boolean isTableHasEncryptedColumn(byte[] tableName) ; - public List<UserPermission> getUserPermissions(User user) ; - public List<UserPermission> getUserPermissions(User user, byte[] tableName) ; - - - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessControllerFactory.java 
---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessControllerFactory.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessControllerFactory.java deleted file mode 100644 index 6f4301e..0000000 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HBaseAccessControllerFactory.java +++ /dev/null 
@@ -1,61 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.authorization.hbase; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; - -public class HBaseAccessControllerFactory { - - private static final Log LOG = LogFactory.getLog(HBaseAccessControllerFactory.class) ; - - private static HBaseAccessController hBaseAccessController = null ; - - public static HBaseAccessController getInstance() { - if (hBaseAccessController == null) { - synchronized(HBaseAccessControllerFactory.class) { - HBaseAccessController temp = hBaseAccessController ; - if (temp == null) { - - String hBaseAccessControllerClassName = RangerConfiguration.getInstance().get(RangerHadoopConstants.HBASE_ACCESS_VERIFIER_CLASS_NAME_PROP, RangerHadoopConstants.HBASE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE) ; - if (hBaseAccessControllerClassName != null) { - try { - hBaseAccessControllerClassName = hBaseAccessControllerClassName.trim(); - hBaseAccessController = (HBaseAccessController) 
(Class.forName(hBaseAccessControllerClassName).newInstance()) ; - LOG.info("Created a new instance of class: [" + hBaseAccessControllerClassName + "] for HBase Access verification."); - } catch (InstantiationException e) { - LOG.error("Unable to create HBaseAccessController : [" + hBaseAccessControllerClassName + "]", e); - } catch (IllegalAccessException e) { - LOG.error("Unable to create HBaseAccessController : [" + hBaseAccessControllerClassName + "]", e); - } catch (ClassNotFoundException e) { - LOG.error("Unable to create HBaseAccessController : [" + hBaseAccessControllerClassName + "]", e); - } - } - } - } - } - return hBaseAccessController ; - - } - - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d6a2590/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAccessControlFilter.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAccessControlFilter.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAccessControlFilter.java deleted file mode 100644 index 9ba5331..0000000 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAccessControlFilter.java +++ /dev/null 
@@ -1,51 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.authorization.hbase; - -import java.io.IOException; - -import org.apache.hadoop.hbase.Cell; -import org.apache.hadoop.hbase.filter.FilterBase; -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.access.TablePermission; - -public class RangerAccessControlFilter extends FilterBase { - - private byte[] table = null; - private User user = null; - - public RangerAccessControlFilter(User ugi, byte[] tableName) { - table = tableName; - user = ugi; - } - - - @SuppressWarnings("deprecation") - @Override - public ReturnCode filterKeyValue(Cell kv) throws IOException { - HBaseAccessController accessController = HBaseAccessControllerFactory.getInstance(); - if (accessController.isAccessAllowed(user, table, kv.getFamily(), kv.getQualifier(), TablePermission.Action.READ)) { - return ReturnCode.INCLUDE; - } else { - return ReturnCode.NEXT_COL; - } - } - -}
