Repository: incubator-ranger Updated Branches: refs/heads/master b1e1135b6 -> edc4f2b6e
RANGER-802 HBase plugin: Implement the new methods added to MasterObservers Interface and mimic their implementation in Hbase AccessController Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/edc4f2b6 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/edc4f2b6 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/edc4f2b6 Branch: refs/heads/master Commit: edc4f2b6eab3dc3637788c0be21213be94ade17e Parents: b1e1135 Author: Alok Lal <[email protected]> Authored: Thu Jan 7 15:54:12 2016 -0800 Committer: Alok Lal <[email protected]> Committed: Mon Feb 22 12:30:18 2016 -0800 ---------------------------------------------------------------------- .../hbase/RangerAuthorizationCoprocessor.java | 50 +++++++++++-- .../RangerAuthorizationCoprocessorBase.java | 10 +++ pom.xml | 2 +- .../hbase/RangerAuthorizationCoprocessor.java | 75 ++++++++++++++++++++ 4 files changed, 129 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index 8762bf5..c40b7de 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java 
@@ -46,6 +46,7 @@ import org.apache.hadoop.hbase.HColumnDescriptor; import org.apache.hadoop.hbase.HRegionInfo; import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.NamespaceDescriptor; +import org.apache.hadoop.hbase.ProcedureInfo; import org.apache.hadoop.hbase.ServerName; import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.client.Append; @@ -67,6 +68,8 @@ import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp; import org.apache.hadoop.hbase.filter.Filter; import org.apache.hadoop.hbase.filter.FilterList; import org.apache.hadoop.hbase.ipc.RpcServer; +import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv; +import org.apache.hadoop.hbase.procedure2.ProcedureExecutor; import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.ResponseConverter; import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos; @@ -651,6 +654,10 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess authorizeAccess(request, objName, action, null, null, null); } + protected void requirePermission(String request, Permission.Action action) throws AccessDeniedException { + requirePermission(request, null, action); + } + protected void requirePermission(String request, byte[] tableName, Permission.Action action) throws AccessDeniedException { String table = Bytes.toString(tableName); 
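Review bot: The new two-argument `requirePermission(String request, Permission.Action action)` overload in the third hunk has no comment saying that it authorizes an action with no table scope by passing a `null` table name to the three-argument form. The cluster-level ADMIN checks switched over in this commit (balance, balanceSwitch, cloneSnapshot, deleteSnapshot, shutdown, stopMaster, stop) all depend on it. A one-line Javadoc would make that explicit, for example `/** Authorizes an action that is not tied to a table; delegates with a null table name. */`. The three-argument overload's body continues outside the hunk, so how it handles the null table cannot be confirmed from here.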
@@ -710,11 +717,11 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } @Override public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException { - requirePermission("balance", null, Permission.Action.ADMIN); + requirePermission("balance", Permission.Action.ADMIN); } @Override public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, boolean newValue) throws IOException { - requirePermission("balanceSwitch", null, Permission.Action.ADMIN); + requirePermission("balanceSwitch", Permission.Action.ADMIN); return newValue; } @Override @@ -741,7 +748,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } @Override public void preCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException { - requirePermission("cloneSnapshot", null, Permission.Action.ADMIN); + requirePermission("cloneSnapshot", Permission.Action.ADMIN); } @Override public void preClose(ObserverContext<RegionCoprocessorEnvironment> e, boolean abortRequested) throws IOException { @@ -771,7 +778,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } @Override public void preDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot) throws IOException { - requirePermission("deleteSnapshot", null, Permission.Action.ADMIN); + requirePermission("deleteSnapshot", Permission.Action.ADMIN); } @Override public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName) throws IOException { 
@@ -822,6 +829,35 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region, ServerName srcServer, ServerName destServer) throws IOException { requirePermission("move", region.getTable().getName() , null, null, Action.ADMIN); } + + @Override + public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext, ProcedureExecutor<MasterProcedureEnv> procEnv, long procId) throws IOException { + if(!procEnv.isProcedureOwner(procId, this.getActiveUser())) { + requirePermission("abortProcedure", Action.ADMIN); + } + } + + @Override + public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<ProcedureInfo> procInfoList) throws IOException { + if(!procInfoList.isEmpty()) { + Iterator itr = procInfoList.iterator(); + User user = this.getActiveUser(); + + while(itr.hasNext()) { + ProcedureInfo procInfo = (ProcedureInfo)itr.next(); + + try { + if(!ProcedureInfo.isProcedureOwner(procInfo, user)) { + requirePermission("listProcedures", Action.ADMIN); + } + } catch (AccessDeniedException var7) { + itr.remove(); + } + } + + } + } + @Override public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException { RegionCoprocessorEnvironment env = e.getEnvironment(); @@ -884,7 +920,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } @Override public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException { - requirePermission("shutdown", null, Permission.Action.ADMIN); + requirePermission("shutdown", Permission.Action.ADMIN); } @Override public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException { 
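Review bot: In `postListProcedures` the call `requirePermission("listProcedures", Action.ADMIN)` is repeated for every procedure the caller does not own, although its arguments never change inside the loop, and the `AccessDeniedException` it throws is used as the filter condition. If `requirePermission` records an audit event on each denial (not visible in this hunk), one list call by a non-admin would produce one denial record per foreign procedure. I would evaluate the ADMIN decision at most once per call and reuse it, and replace the raw `Iterator` and cast with `Iterator<ProcedureInfo>`. The catch variable `var7` could also get a descriptive name.
```java
public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<ProcedureInfo> procInfoList) throws IOException {
    if (procInfoList.isEmpty()) {
        return;
    }

    User user = this.getActiveUser();
    boolean adminChecked = false;
    boolean isAdmin = false;
    Iterator<ProcedureInfo> itr = procInfoList.iterator();

    while (itr.hasNext()) {
        ProcedureInfo procInfo = itr.next();
        if (ProcedureInfo.isProcedureOwner(procInfo, user)) {
            continue; // owners always see their own procedures
        }
        if (!adminChecked) {
            // The ADMIN decision does not depend on the procedure, so it is made once.
            try {
                requirePermission("listProcedures", Action.ADMIN);
                isAdmin = true;
            } catch (AccessDeniedException denied) {
                isAdmin = false;
            }
            adminChecked = true;
        }
        if (!isAdmin) {
            itr.remove();
        }
    }
}
```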
@@ -896,11 +932,11 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } @Override public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException { - requirePermission("stopMaster", null, Permission.Action.ADMIN); + requirePermission("stopMaster", Permission.Action.ADMIN); } @Override public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> env) throws IOException { - requirePermission("stop", null, Permission.Action.ADMIN); + requirePermission("stop", Permission.Action.ADMIN); } @Override public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo, boolean force) throws IOException { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java index 9a5bf05..3b489af 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java 
@@ -425,6 +425,16 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObser // Not applicable. Expected to be empty } + @Override + public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException { + + } + + @Override + public void preListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException { + + } + public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx, final String userName, final Quotas quotas) throws IOException { } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 3835fb4..27f6d7f 100644 --- a/pom.xml +++ b/pom.xml @@ -143,7 +143,7 @@ <hadoop.version>2.7.0</hadoop.version> <htrace-core.version>3.1.0-incubating</htrace-core.version> <hamcrest.all.version>1.3</hamcrest.all.version> - <hbase.version>1.1.0</hbase.version> + <hbase.version>1.1.3</hbase.version> <hive.version>1.2.0</hive.version> <storm.version>0.9.2-incubating</storm.version> <httpcomponent.httpmime.version>4.2.5</httpcomponent.httpmime.version> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/edc4f2b6/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ---------------------------------------------------------------------- diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index 7c45fd0..8218f62 100644 --- a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java 
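Review bot: The two hooks added to RangerAuthorizationCoprocessorBase, `postAbortProcedure` and `preListProcedures`, have empty bodies with no comment, while the method just above them carries `// Not applicable. Expected to be empty`. In an authorization coprocessor an uncommented empty pre-hook reads like a forgotten check. For `preListProcedures` I would add `// No check here: the subclass filters the result per procedure in postListProcedures`, and for `postAbortProcedure` reuse the existing `// Not applicable. Expected to be empty`.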
@@ -34,6 +34,7 @@ import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
+import org.apache.hadoop.hbase.ProcedureInfo;
 import org.apache.hadoop.hbase.ServerName;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Append;
@@ -60,6 +61,8 @@ import org.apache.hadoop.hbase.io.FSDataInputStreamWrapper;
 import org.apache.hadoop.hbase.io.Reference;
 import org.apache.hadoop.hbase.io.hfile.CacheConfig;
 import org.apache.hadoop.hbase.master.RegionPlan;
+import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv;
+import org.apache.hadoop.hbase.procedure2.ProcedureExecutor;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.CheckPermissionsRequest;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.CheckPermissionsResponse;
@@ -3094,6 +3097,78 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs } @Override + public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext, ProcedureExecutor<MasterProcedureEnv> procEnv, long procId) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preAbortProcedure()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preAbortProcedure(observerContext, procEnv, procId); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preAbortProcedure()"); + } + } + + @Override + public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postAbortProcedure()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postAbortProcedure(observerContext); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postAbortProcedure()"); + } + } + + @Override + public void preListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preListProcedures()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preListProcedures(observerContext); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preListProcedures()"); + } + } + + @Override + public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<ProcedureInfo> procInfoList) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postListProcedures()"); + } + + try { + activatePluginClassLoader(); + 
implMasterObserver.postListProcedures(observerContext, procInfoList); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postListProcedures()"); + } + } + + @Override public void postAssign(ObserverContext<MasterCoprocessorEnvironment> ctx, HRegionInfo regionInfo) throws IOException { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postAssign()");
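Review bot: In the four delegating methods added to the shim, the closing `LOG.debug("<== ...")` sits after the `try`/`finally`, so it is skipped whenever the delegate throws. For `preAbortProcedure` that is the denial path, where `requirePermission` raises `AccessDeniedException`. If the exit trace is meant to bracket every call, move it into the `finally` block after `deactivatePluginClassLoader()`. The trailing context (`postAssign`) suggests the existing methods follow the same layout, so this may be a file-wide convention rather than something to change only here.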
