RANGER-586:Ranger plugins should not add dependent libraries to component's CLASSPATH
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a2c72902 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a2c72902 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a2c72902 Branch: refs/heads/tag-policy Commit: a2c729021d7e3c04680c1c1002a17dac92b06d32 Parents: 11f73cd Author: rmani <[email protected]> Authored: Tue Oct 27 16:30:08 2015 -0700 Committer: rmani <[email protected]> Committed: Tue Oct 27 16:30:08 2015 -0700 ---------------------------------------------------------------------- agents-common/scripts/enable-agent.sh | 24 +- hbase-agent/pom.xml | 5 + .../hbase/XaSecureAuthorizationCoprocessor.java | 35 - .../access/RangerAccessControlLists.java | 104 - .../access/RangerAccessControlListsTest.java | 61 - .../pdp/knox/filter/XASecurePDPKnoxFilter.java | 25 - plugin-kafka/pom.xml | 5 + .../kafka/authorizer/RangerKafkaAuthorizer.java | 6 +- pom.xml | 16 +- ranger-hbase-plugin-shim/pom.xml | 73 + .../hbase/XaSecureAuthorizationCoprocessor.java | 33 + .../access/RangerAccessControlLists.java | 104 + .../hbase/RangerAuthorizationCoprocessor.java | 3701 ++++++++++++++++++ .../access/RangerAccessControlListsTest.java | 61 + ranger-hdfs-plugin-shim/pom.xml | 74 + .../hadoop/RangerHdfsAuthorizer.java | 191 + ranger-hive-plugin-shim/pom.xml | 105 + .../XaSecureHiveAuthorizerFactory.java | 32 + .../authorizer/RangerHiveAuthorizerFactory.java | 121 + ranger-kafka-plugin-shim/pom.xml | 56 + .../kafka/authorizer/RangerKafkaAuthorizer.java | 248 ++ ranger-knox-plugin-shim/pom.xml | 91 + .../pdp/knox/filter/XASecurePDPKnoxFilter.java | 25 + .../authorization/knox/RangerPDPKnoxFilter.java | 153 + ranger-plugin-classloader/pom.xml | 55 + .../classloader/RangerPluginClassLoader.java | 292 ++ .../RangerPluginClassLoaderUtil.java | 150 + .../test/Impl/TestChildFistClassLoader.java | 56 + .../classloader/test/Impl/TestPluginImpl.java | 32 + 
.../plugin/classloader/test/Impl/TestPrint.java | 28 + .../plugin/classloader/test/TestPlugin.java | 24 + .../classloader/test/TestPrintParent.java | 29 + ranger-storm-plugin-shim/pom.xml | 76 + .../authorizer/XaSecureStormAuthorizer.java | 32 + .../storm/authorizer/RangerStormAuthorizer.java | 138 + ranger-yarn-plugin-shim/pom.xml | 66 + .../yarn/authorizer/RangerYarnAuthorizer.java | 205 + src/main/assembly/hbase-agent.xml | 25 +- src/main/assembly/hdfs-agent.xml | 65 +- src/main/assembly/hive-agent.xml | 25 +- src/main/assembly/knox-agent.xml | 23 +- src/main/assembly/plugin-kafka.xml | 40 +- src/main/assembly/plugin-yarn.xml | 24 +- src/main/assembly/storm-agent.xml | 23 +- .../authorizer/XaSecureStormAuthorizer.java | 32 - 45 files changed, 6454 insertions(+), 335 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/agents-common/scripts/enable-agent.sh ---------------------------------------------------------------------- diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index f3db125..32e922d 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -121,6 +121,9 @@ INSTALL_ARGS="${PROJ_INSTALL_DIR}/install.properties" COMPONENT_INSTALL_ARGS="${PROJ_INSTALL_DIR}/${COMPONENT_NAME}-install.properties" JAVA=$JAVA_HOME/bin/java +PLUGIN_DEPENDENT_LIB_DIR=lib/"${PROJ_NAME}-${COMPONENT_NAME}-impl" +PROJ_LIB_PLUGIN_DIR=${PROJ_INSTALL_DIR}/${PLUGIN_DEPENDENT_LIB_DIR} + HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME') 
@@ -179,6 +182,8 @@ elif [ "${HCOMPONENT_NAME}" = "solr" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/solr-webapp/webapp/WEB-INF/lib elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/libs +elif [ "${HCOMPONENT_NAME}" = "storm" ]; then + HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/extlib-daemon fi HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/conf @@ -496,8 +501,7 @@ then #if [ -d "${PROJ_LIB_DIR}" ] #then dt=`date '+%Y%m%d%H%M%S'` - dbJar=$(getInstallProperty 'SQL_CONNECTOR_JAR') - for f in ${PROJ_LIB_DIR}/*.jar ${dbJar} + for f in ${PROJ_LIB_DIR}/*.jar do if [ -f "${f}" ] then @@ -513,6 +517,22 @@ then fi fi done + + # ADD SQL CONNECTOR JAR TO PLUGIN DEPENDENCY JAR FOLDER + dbJar=$(getInstallProperty 'SQL_CONNECTOR_JAR') + if [ -f "${dbJar}" ] + then + bn=`basename ${dbJar}` + if [ -f ${PROJ_LIB_PLUGIN_DIR}/${bn} ] + then + rm ${PROJ_LIB_PLUGIN_DIR}/${bn} + fi + if [ ! -f ${PROJ_LIB_PLUGIN_DIR}/${bn} ] + then + ln -s ${dbJar} ${PROJ_LIB_PLUGIN_DIR}/${bn} + fi + fi + #fi # http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/hbase-agent/pom.xml ---------------------------------------------------------------------- diff --git a/hbase-agent/pom.xml b/hbase-agent/pom.xml index b4664f3..edad495 100644 --- a/hbase-agent/pom.xml +++ b/hbase-agent/pom.xml @@ -48,6 +48,11 @@ <version>${project.version}</version> </dependency> <dependency> + <groupId>security_plugins.ranger-hbase-plugin-shim</groupId> + <artifactId>ranger-hbase-plugin-shim</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> <groupId>security_plugins.ranger-plugins-audit</groupId> <artifactId>ranger-plugins-audit</artifactId> <version>${project.version}</version> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java ---------------------------------------------------------------------- 
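Review bot: In the `@@ -513,6 +517,22 @@` hunk of enable-agent.sh, the destination is tested with `-f`, which follows symlinks, so a dangling link left by an earlier run (connector jar since moved or upgraded) is not removed, and the following `ln -s` then fails because the name already exists. The expansions are also unquoted, so a `SQL_CONNECTOR_JAR` path containing whitespace is split by `basename`, `rm` and `ln`. Both are covered by `bn=$(basename "${dbJar}")` followed by a single `ln -sf "${dbJar}" "${PROJ_LIB_PLUGIN_DIR}/${bn}"` in place of the two inner `if` blocks. The linked jar ends up in the directory the plugin loads its implementation from, and the hunk accepts whatever path install.properties names, so it is worth confirming that the target file and `${PROJ_LIB_PLUGIN_DIR}` are writable only by the installing account. The enclosing `then` block begins and ends outside the hunk.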
diff --git a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java b/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java deleted file mode 100644 index 574a07c..0000000 --- a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java +++ /dev/null 
@@ -1,35 +0,0 @@ -/** - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.xasecure.authorization.hbase; - -import org.apache.hadoop.hbase.coprocessor.CoprocessorService; -import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos; -import org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor; - -/** - * This class exists only to provide for seamless upgrade/downgrade capabilities. Coprocessor name is in hbase config files in /etc/.../conf which - * is not only out of bounds for any upgrade script but also must be of a form to allow for downgrad! Thus when class names were changed XaSecure* -> Ranger* - * this shell class serves to allow for seamles upgrade as well as downgrade. - * - * This class is final because if one needs to customize coprocessor it is expected that RangerAuthorizationCoprocessor would be modified/extended as that is - * the "real" coprocessor! This class, hence, should NEVER be more than an EMPTY shell! 
- */ -public final class XaSecureAuthorizationCoprocessor extends RangerAuthorizationCoprocessor implements AccessControlProtos.AccessControlService.Interface, CoprocessorService { - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java b/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java deleted file mode 100644 index 7f33b15..0000000 --- a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java +++ /dev/null 
@@ -1,104 +0,0 @@ -/** - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hbase.security.access; - -import java.io.IOException; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; - -import org.apache.hadoop.hbase.TableExistsException; -import org.apache.hadoop.hbase.master.MasterServices; -import org.apache.log4j.Logger; - - -public class RangerAccessControlLists { - - private static final Logger LOG = Logger.getLogger(RangerAccessControlLists.class) ; - - public static void init(MasterServices master) throws IOException { - - Class<AccessControlLists> accessControlListsClass = AccessControlLists.class ; - String cName = accessControlListsClass.getName() ; - - Class<?>[] params = new Class[1] ; - params[0] = MasterServices.class ; - - for (String mname : new String[] { "init", "createACLTable" } ) { - try { - try { - Method m = accessControlListsClass.getDeclaredMethod(mname, params) ; - if (m != null) { - try { - - try { - m.invoke(null, master) ; - logInfo("Execute method name [" + mname + "] in Class [" + cName + "] is successful."); - } catch (InvocationTargetException e) { - Throwable cause = e ; - boolean tableExistsExceptionFound = false ; - if 
(e != null) { - Throwable ecause = e.getTargetException() ; - if (ecause != null) { - cause = ecause ; - if (ecause instanceof TableExistsException) { - tableExistsExceptionFound = true ; - } - } - } - if (! tableExistsExceptionFound) { - logError("Unable to execute the method [" + mname + "] on [" + cName + "] due to exception", cause) ; - throw new IOException(cause) ; - } - } - return ; - } catch (IllegalArgumentException e) { - logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e); - throw new IOException(e) ; - } catch (IllegalAccessException e) { - logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e); - throw new IOException(e) ; - } - } - } - catch(NoSuchMethodException nsme) { - logInfo("Unable to get method name [" + mname + "] in Class [" + cName + "]. Ignoring the exception"); - } - } catch (SecurityException e) { - logError("Unable to get method name [" + mname + "] in Class [" + cName + "].", e); - throw new IOException(e) ; - } - } - throw new IOException("Unable to initialize() [" + cName + "]") ; - } - - - private static void logInfo(String msg) { - // System.out.println(msg) ; - LOG.info(msg) ; - } - - private static void logError(String msg, Throwable t) { -// System.err.println(msg) ; -// if (t != null) { -// t.printStackTrace(System.err); -// } - LOG.error(msg, t); - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/hbase-agent/src/test/java/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/test/java/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java b/hbase-agent/src/test/java/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java deleted file mode 100644 index aa66d08..0000000 
--- a/hbase-agent/src/test/java/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java +++ /dev/null 
@@ -1,61 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.hadoop.hbase.security.access; - -import java.io.IOException; - -import org.apache.hadoop.hbase.master.MasterServices; -import org.junit.After; -import org.junit.Assert; -import org.junit.AfterClass; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; - -public class RangerAccessControlListsTest { - - @BeforeClass - public static void setUpBeforeClass() throws Exception { - } - - @AfterClass - public static void tearDownAfterClass() throws Exception { - } - - @Before - public void setUp() throws Exception { - } - - @After - public void tearDown() throws Exception { - } - - @Test - public void testInit() { - IOException exceptionFound = null ; - try { - MasterServices service = null ; - RangerAccessControlLists.init(service) ; - } catch (IOException e) { - exceptionFound = e ; - } - Assert.assertFalse("Expected to get a NullPointerExecution after init method Execution - Found [" + exceptionFound + "]", (!(exceptionFound != null && exceptionFound.getCause() instanceof NullPointerException))) ; - } - -} 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java ---------------------------------------------------------------------- diff --git a/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java b/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java deleted file mode 100644 index 6b9d6fd..0000000 --- a/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java +++ /dev/null @@ -1,25 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.knox.filter; - -import org.apache.ranger.authorization.knox.RangerPDPKnoxFilter; - -public class XASecurePDPKnoxFilter extends RangerPDPKnoxFilter { -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/plugin-kafka/pom.xml ---------------------------------------------------------------------- diff --git a/plugin-kafka/pom.xml b/plugin-kafka/pom.xml index afee47d..e14e48c 100644 --- a/plugin-kafka/pom.xml +++ b/plugin-kafka/pom.xml 
@@ -47,5 +47,10 @@ <artifactId>kafka_2.10</artifactId> <version>${kafka.version}</version> </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-hdfs</artifactId> + <version>${hadoop.version}</version> + </dependency> </dependencies> </project> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index dbb2723..c5e955d 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -19,10 +19,7 @@ package org.apache.ranger.authorization.kafka.authorizer; -import java.io.IOException; -import java.security.Principal; import java.util.Date; - import javax.security.auth.Subject; import kafka.security.auth.Acl; @@ -104,8 +101,7 @@ public class RangerKafkaAuthorizer implements Authorizer { } @Override - public boolean authorize(Session session, Operation operation, - Resource resource) { + public boolean authorize(Session session, Operation operation, Resource resource) { if (rangerPlugin == null) { MiscUtil.logErrorMessageByInterval(logger, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 0ccf12e..835894d 100644 --- a/pom.xml +++ b/pom.xml 
@@ -14,8 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ---> -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> +--><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <parent> <groupId>org.apache</groupId> @@ -97,6 +96,13 @@ <module>unixauthservice</module> <module>ranger-util</module> <module>plugin-kms</module> + <module>ranger-hdfs-plugin-shim</module> + <module>ranger-plugin-classloader</module> + <module>ranger-hive-plugin-shim</module> + <module>ranger-hbase-plugin-shim</module> + <module>ranger-knox-plugin-shim</module> + <module>ranger-yarn-plugin-shim</module> + <module>ranger-storm-plugin-shim</module> </modules> <properties> <javac.source.version>1.7</javac.source.version> @@ -151,7 +157,7 @@ <jersey-client.version>2.6</jersey-client.version> <junit.version>4.11</junit.version> <kafka.version>0.8.2.0</kafka.version> - <!-- <kafka.version>0.8.2.2.3.0.0-2208</kafka.version> --> + <!-- <kafka.version>0.8.2.2.3.2.0-2950</kafka.version> --> <mockito.version>1.8.4</mockito.version> <hamcrest-version>1.3</hamcrest-version> <knox.gateway.version>0.6.0</knox.gateway.version> @@ -505,7 +511,7 @@ <phase>process-resources</phase> <configuration> <target> - <echo message="${project.version}" file="${project.build.directory}/version" /> + <echo message="${project.version}" file="${project.build.directory}/version"/> </target> </configuration> <goals> 
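Review bot: The `<modules>` hunk (`@@ -97,6 +96,13 @@`) registers the hdfs, hive, hbase, knox, yarn and storm shims and `ranger-plugin-classloader`, but not `ranger-kafka-plugin-shim`, although the diffstat shows `ranger-kafka-plugin-shim/pom.xml` and its `RangerKafkaAuthorizer.java` being created by this commit. Unless that module is wired in somewhere not visible here, the Kafka shim is not part of the reactor build, and the changed `plugin-kafka.xml` assembly may end up packaging the plugin without it. If it is meant to build with the others, add `<module>ranger-kafka-plugin-shim</module>` to this list.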
@@ -524,4 +530,4 @@ </plugin> </plugins> </build> -</project> +</project> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/ranger-hbase-plugin-shim/pom.xml ---------------------------------------------------------------------- diff --git a/ranger-hbase-plugin-shim/pom.xml b/ranger-hbase-plugin-shim/pom.xml new file mode 100644 index 0000000..39fa139 --- /dev/null +++ b/ranger-hbase-plugin-shim/pom.xml 
@@ -0,0 +1,73 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <groupId>security_plugins.ranger-hbase-plugin-shim</groupId> + <artifactId>ranger-hbase-plugin-shim</artifactId> + <name>HBase Security Plugin Shim</name> + <description>HBase Security Plugins Shim</description> + <packaging>jar</packaging> + <properties> + <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + </properties> + <parent> + <groupId>org.apache.ranger</groupId> + <artifactId>ranger</artifactId> + <version>0.5.0</version> + <relativePath>..</relativePath> + </parent> + <dependencies> + <dependency> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-server</artifactId> + <version>${hbase.version}</version> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-hdfs</artifactId> + <version>${hadoop.version}</version> + </dependency> + <dependency> + <groupId>security_plugins.ranger-plugins-common</groupId> + 
<artifactId>ranger-plugins-common</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>security_plugins.ranger-plugins-audit</groupId> + <artifactId>ranger-plugins-audit</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>security_plugins.ranger-plugin-classloader</groupId> + <artifactId>ranger-plugin-classloader</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>com.google.code.gson</groupId> + <artifactId>gson</artifactId> + </dependency> + <dependency> + <groupId>org.mockito</groupId> + <artifactId>mockito-core</artifactId> + </dependency> + <dependency> + <groupId>org.hamcrest</groupId> + <artifactId>hamcrest-integration</artifactId> + </dependency> + </dependencies> +</project> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/ranger-hbase-plugin-shim/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java ---------------------------------------------------------------------- diff --git a/ranger-hbase-plugin-shim/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java b/ranger-hbase-plugin-shim/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java new file mode 100644 index 0000000..bc01e51 --- /dev/null +++ b/ranger-hbase-plugin-shim/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java 
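Review bot: `mockito-core` and `hamcrest-integration` are declared without `<scope>test</scope>` in the new ranger-hbase-plugin-shim POM. Unless the parent's `dependencyManagement` (not visible here) already sets the scope, they become compile-scope dependencies of the jar that is meant to sit on HBase's own classpath, which works against the isolation the commit title describes; adding `<scope>test</scope>` to both makes the intent explicit. The shim also declares `ranger-plugins-common` and `ranger-plugins-audit` at compile scope, so it is worth confirming that the `hbase-agent.xml` assembly places those jars only in the plugin's private lib directory and not next to the shim.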
@@ -0,0 +1,33 @@ +/** + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.xasecure.authorization.hbase; + +import org.apache.hadoop.hbase.coprocessor.CoprocessorService; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService; +import org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor; +/** + * This class exists only to provide for seamless upgrade/downgrade capabilities. Coprocessor name is in hbase config files in /etc/.../conf which + * is not only out of bounds for any upgrade script but also must be of a form to allow for downgrad! Thus when class names were changed XaSecure* -> Ranger* + * this shell class serves to allow for seamles upgrade as well as downgrade. + * + * This class is final because if one needs to customize coprocessor it is expected that RangerAuthorizationCoprocessor would be modified/extended as that is + * the "real" coprocessor! This class, hence, should NEVER be more than an EMPTY shell! 
+ */ +public final class XaSecureAuthorizationCoprocessor extends RangerAuthorizationCoprocessor implements AccessControlService.Interface, CoprocessorService { +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c72902/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java ---------------------------------------------------------------------- diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java new file mode 100644 index 0000000..7f33b15 --- /dev/null +++ b/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java 
@@ -0,0 +1,104 @@ +/** + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hbase.security.access; + +import java.io.IOException; +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; + +import org.apache.hadoop.hbase.TableExistsException; +import org.apache.hadoop.hbase.master.MasterServices; +import org.apache.log4j.Logger; + + +public class RangerAccessControlLists { + + private static final Logger LOG = Logger.getLogger(RangerAccessControlLists.class) ; + + public static void init(MasterServices master) throws IOException { + + Class<AccessControlLists> accessControlListsClass = AccessControlLists.class ; + String cName = accessControlListsClass.getName() ; + + Class<?>[] params = new Class[1] ; + params[0] = MasterServices.class ; + + for (String mname : new String[] { "init", "createACLTable" } ) { + try { + try { + Method m = accessControlListsClass.getDeclaredMethod(mname, params) ; + if (m != null) { + try { + + try { + m.invoke(null, master) ; + logInfo("Execute method name [" + mname + "] in Class [" + cName + "] is successful."); + } catch (InvocationTargetException e) { + Throwable cause = e ; + boolean tableExistsExceptionFound = false ; + if 
(e != null) { + Throwable ecause = e.getTargetException() ; + if (ecause != null) { + cause = ecause ; + if (ecause instanceof TableExistsException) { + tableExistsExceptionFound = true ; + } + } + } + if (! tableExistsExceptionFound) { + logError("Unable to execute the method [" + mname + "] on [" + cName + "] due to exception", cause) ; + throw new IOException(cause) ; + } + } + return ; + } catch (IllegalArgumentException e) { + logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e); + throw new IOException(e) ; + } catch (IllegalAccessException e) { + logError("Unable to execute method name [" + mname + "] in Class [" + cName + "].", e); + throw new IOException(e) ; + } + } + } + catch(NoSuchMethodException nsme) { + logInfo("Unable to get method name [" + mname + "] in Class [" + cName + "]. Ignoring the exception"); + } + } catch (SecurityException e) { + logError("Unable to get method name [" + mname + "] in Class [" + cName + "].", e); + throw new IOException(e) ; + } + } + throw new IOException("Unable to initialize() [" + cName + "]") ; + } + + + private static void logInfo(String msg) { + // System.out.println(msg) ; + LOG.info(msg) ; + } + + private static void logError(String msg, Throwable t) { +// System.err.println(msg) ; +// if (t != null) { +// t.printStackTrace(System.err); +// } + LOG.error(msg, t); + } + +}
