RANGER-524 hbase shell list command should prune the list of tables returned based on user's access
Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e0261055 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e0261055 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e0261055 Branch: refs/heads/ranger-0.5 Commit: e0261055d86b6c09f23b2773e0ee2470fe08aac7 Parents: 4c45671 Author: Alok Lal <[email protected]> Authored: Tue Jun 2 23:10:51 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Jun 2 23:41:42 2015 -0700 ---------------------------------------------------------------------- .../hbase/AuthorizationSession.java | 9 +++- .../hbase/RangerAuthorizationCoprocessor.java | 47 ++++++++++++++++---- .../RangerAuthorizationCoprocessorBase.java | 12 ++--- 3 files changed, 54 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java index 46ed758..e0b652e 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java @@ -29,8 +29,8 @@ import org.apache.hadoop.hbase.security.User; import org.apache.ranger.audit.model.AuthzAuditEvent; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.service.RangerBasePlugin; import com.google.common.base.Objects; @@ -204,6 +204,13 @@ public class AuthorizationSession { return this; } + void logCapturedEvents() { + if (_auditHandler != null) { + List<AuthzAuditEvent> events = _auditHandler.getCapturedEvents(); + _auditHandler.logAuthzAudits(events); + } + } + void publishResults() throws AccessDeniedException { boolean authorized = isAuthorized(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index 3a67dd9..fd93332 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -37,7 +37,6 @@ import java.util.Set; import java.util.TimeZone; import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; @@ -980,17 +979,49 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, NamespaceDescriptor ns) throws IOException { requireGlobalPermission("modifyNamespace", ns.getName(), Action.ADMIN); } + @Override - public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors) throws IOException { - if (tableNamesList == null || tableNamesList.isEmpty()) { // If the list is empty, this is a request for all table descriptors and requires GLOBAL ADMIN privs. - requireGlobalPermission("getTableDescriptors", WILDCARD, Action.ADMIN); - } else { // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the request can be granted. - for (TableName tableName: tableNamesList) { - requirePermission("getTableDescriptors", tableName.getName(), null, null, Action.CREATE); + public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException { + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(), + descriptors == null ? 0 : descriptors.size(), regex)); + } + + if (CollectionUtils.isNotEmpty(descriptors)) { + // Retains only those which passes authorization checks + User user = getActiveUser(); + String access = _authUtils.getAccess(Action.CREATE); + HbaseAuditHandler auditHandler = _factory.getAuditHandler(); // this will accumulate audits for all tables that succeed. + AuthorizationSession session = new AuthorizationSession(hbasePlugin) + .operation("getTableDescriptors") + .otherInformation("regex=" + regex) + .remoteAddress(getRemoteAddress()) + .auditHandler(auditHandler) + .user(user) + .access(access); + + Iterator<HTableDescriptor> itr = descriptors.iterator(); + while (itr.hasNext()) { + HTableDescriptor htd = itr.next(); + String tableName = htd.getTableName().getNameAsString(); + session.table(tableName).buildRequest().authorize(); + if (!session.isAuthorized()) { + itr.remove(); + auditHandler.discardMostRecentEvent(); + } } + if (descriptors.size() > 0) { + session.logCapturedEvents(); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("<== postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(), + descriptors == null ? 0 : descriptors.size(), regex)); } } - @Override + + @Override public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx, Region regionA, Region regionB) throws IOException { requirePermission("mergeRegions", regionA.getTableDesc().getTableName().getName(), null, null, Action.ADMIN); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e0261055/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java index b9076b0..31f9e22 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java @@ -225,11 +225,13 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser public void postReplicateLogEntries(final ObserverContext<RegionServerCoprocessorEnvironment> ctx, List<WALEntry> entries, CellScanner cells) throws IOException { } - public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException { - } - - public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException { - } + @Override + public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors) throws IOException { + } + + @Override + public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx, List<TableName> tableNamesList, List<HTableDescriptor> descriptors, String regex) throws IOException { + } public void preGetTableNames(ObserverContext<MasterCoprocessorEnvironment> ctx, List<HTableDescriptor> descriptors, String regex) throws IOException { }
