RANGER-202: support authorization at namespace level

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/89c524da
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/89c524da
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/89c524da

Branch: refs/heads/tag-policy
Commit: 89c524da9ea7b3360ffb460007df1570ca31d1b8
Parents: 3683ac0
Author: Madhan Neethiraj <[email protected]>
Authored: Thu Jun 4 10:48:58 2015 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Thu Jun 4 10:48:58 2015 -0700

----------------------------------------------------------------------
 .../hbase/RangerAuthorizationCoprocessor.java   | 25 +++++++++++++-------
 1 file changed, 17 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/89c524da/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index fd93332..abf8a33 100644
--- 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -116,6 +116,7 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
        private static final String GROUP_PREFIX = "@";
                
        private static final String WILDCARD = "*";
+       private static final String NAMESPACE_SEPARATOR = ":";
        
     private static final TimeZone gmtTimeZone = TimeZone.getTimeZone("GMT+0");
 
@@ -1147,6 +1148,7 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                UserPermission      userPerm  = up == null ? null : 
ProtobufUtil.toUserPermission(up);
                Permission.Action[] actions   = userPerm == null ? null : 
userPerm.getActions();
                String              userName  = userPerm == null ? null : 
Bytes.toString(userPerm.getUser());
+               String              nameSpace = null;
                String              tableName = null;
                String              colFamily = null;
                String              qualifier = null;
@@ -1175,19 +1177,22 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                        break;
 
                        case Namespace:
-                       default:
-                               LOG.warn("grant(): ignoring type '" + 
perm.getType().name() + "'");
+                               nameSpace = userPerm.getNamespace();
                        break;
                }
                
-               if(StringUtil.isEmpty(tableName) && 
StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
-                       throw new Exception("grant(): 
table/columnFamily/columnQualifier not specified");
+               if(StringUtil.isEmpty(nameSpace) && 
StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && 
StringUtil.isEmpty(qualifier)) {
+                       throw new Exception("grant(): 
namespace/table/columnFamily/columnQualifier not specified");
                }
 
                tableName = StringUtil.isEmpty(tableName) ? WILDCARD : 
tableName;
                colFamily = StringUtil.isEmpty(colFamily) ? WILDCARD : 
colFamily;
                qualifier = StringUtil.isEmpty(qualifier) ? WILDCARD : 
qualifier;
 
+               if(! StringUtil.isEmpty(nameSpace)) {
+                       tableName = nameSpace + NAMESPACE_SEPARATOR + tableName;
+               }
+
                User   activeUser = getActiveUser();
                String grantor    = activeUser != null ? 
activeUser.getShortName() : null;
 
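Review bot: The namespace returned by `userPerm.getNamespace()` is concatenated into the table resource as `nameSpace + NAMESPACE_SEPARATOR + tableName` with no check on its content, so a value containing `*` or `:` would yield a resource broader than the single namespace the caller named. No validation is visible in this hunk; if grant() has none earlier, reject such values before the concatenation, e.g. `if(nameSpace.contains(WILDCARD) || nameSpace.contains(NAMESPACE_SEPARATOR)) { throw new Exception("grant(): invalid namespace '" + nameSpace + "'"); }`. The same concatenation is added to revoke() in the last hunk and needs the same guard. Removing `default:` also drops the warning for unhandled permission types, which presumably now surface only through the generic "not specified" exception. grant()'s body starts and ends outside the hunk.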
@@ -1244,6 +1249,7 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
 
                UserPermission      userPerm  = up == null ? null : 
ProtobufUtil.toUserPermission(up);
                String              userName  = userPerm == null ? null : 
Bytes.toString(userPerm.getUser());
+               String              nameSpace = null;
                String              tableName = null;
                String              colFamily = null;
                String              qualifier = null;
@@ -1268,12 +1274,11 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                        break;
 
                        case Namespace:
-                       default:
-                               LOG.warn("revoke(): ignoring type '" + 
perm.getType().name() + "'");
+                               nameSpace = userPerm.getNamespace();
                        break;
                }
-               
-               if(StringUtil.isEmpty(tableName) && 
StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
+
+               if(StringUtil.isEmpty(nameSpace) && 
StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && 
StringUtil.isEmpty(qualifier)) {
                        throw new Exception("revoke(): 
table/columnFamily/columnQualifier not specified");
                }
 
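Review bot: The exception message in revoke() still reads `table/columnFamily/columnQualifier not specified` although the condition above it now also tests `nameSpace`, so a rejected namespace-level revoke reports a misleading cause in logs and audit trails. grant() had its message updated in this same commit; make revoke() match with `throw new Exception("revoke(): namespace/table/columnFamily/columnQualifier not specified");`. revoke()'s body starts and ends outside the hunk.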
@@ -1281,6 +1286,10 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                colFamily = StringUtil.isEmpty(colFamily) ? WILDCARD : 
colFamily;
                qualifier = StringUtil.isEmpty(qualifier) ? WILDCARD : 
qualifier;
 
+               if(! StringUtil.isEmpty(nameSpace)) {
+                       tableName = nameSpace + NAMESPACE_SEPARATOR + tableName;
+               }
+
                User   activeUser = getActiveUser();
                String grantor    = activeUser != null ? 
activeUser.getShortName() : null;
 
