Rajeshbabu Chintaguntla created RANGER-2724:
-----------------------------------------------
Summary: Support EXECUTE permission in HBase Authorisation
Key: RANGER-2724
URL: https://issues.apache.org/jira/browse/RANGER-2724
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Rajeshbabu Chintaguntla
Assignee: Rajeshbabu Chintaguntla
HBase Authorisation supports execute permission along with read, write, create
and admin.
https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cdh_sg_hbase_authorization.html#
# Read (R) - can read data at the given scope
# Write (W) - can write data at the given scope
# Execute (X) - can execute coprocessor endpoints at the given scope
# Create (C) - can create tables or drop tables (even those they did not create) at the given scope
# Admin (A) - can perform cluster operations such as balancing the cluster or assigning regions at the given scope
In HBase we can define endpoint implementations to extend HBase
functionality without touching the core. These endpoints can be called in table
scope.
Example: Endpoint section in
https://blogs.apache.org/hbase/entry/coprocessor_introduction
To run the endpoint implementations, users can be authorised with execute
permissions. Coprocessor hooks are also supported for these endpoint
invocations.
{noformat}
// Runs before a coprocessor endpoint call; requires EXEC on the region's table
// unless EXEC checks are disabled or the service is AccessControlService.
public Message preEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
    Service service, String methodName, Message request) throws IOException {
  if (this.shouldCheckExecPermission && !(service instanceof AccessControlService)) {
    this.requirePermission(ctx,
        "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")",
        this.getTableName((RegionCoprocessorEnvironment) ctx.getEnvironment()),
        (byte[]) null, (byte[]) null, Action.EXEC);
  }
  return request;
}

// Runs after the endpoint call; no additional check is made here.
public void postEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
    Service service, String methodName, Message request, Builder responseBuilder)
    throws IOException {
}
{noformat}
Anyway, this execute permission is optional, but it is better to have it in
Ranger, mainly because in the case of Phoenix we use most of the coprocessor
endpoints to deal with metadata for tables/resources to be written to system
tables. So it would be helpful to have it.
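The EXEC check described above, modeled as an added example (not code from HBase, Ranger or the issue reporter). It goes beyond the table-scope case in the text by also resolving grants made at global and namespace scope; the user, service and table names and the grant-key encoding are constructed for illustration.

```java
import java.util.*;

// Added illustration: a toy model of scoped grants, not HBase or Ranger code.
public class ExecScopeCheck {
    enum Action { READ, WRITE, EXEC, CREATE, ADMIN }

    // Constructed grants keyed "user|scope" (this example's own encoding):
    // scope is "" for global, "@ns" for a namespace, "ns:table" for a table.
    static final Map<String, EnumSet<Action>> GRANTS = new HashMap<>();
    static {
        GRANTS.put("phoenix_svc|@SYSTEM", EnumSet.of(Action.READ, Action.WRITE, Action.EXEC));
        GRANTS.put("etl_user|SYSTEM:CATALOG", EnumSet.of(Action.READ, Action.WRITE));
        GRANTS.put("ops_admin|", EnumSet.of(Action.ADMIN));
    }

    static boolean granted(String user, String scope, Action a) {
        return GRANTS.getOrDefault(user + "|" + scope, EnumSet.noneOf(Action.class)).contains(a);
    }

    // A grant at global or namespace scope also covers the tables beneath it.
    // Actions are independent in this model: holding ADMIN does not imply EXEC.
    static boolean allowed(String user, String table, Action a) {
        String ns = table.contains(":") ? table.substring(0, table.indexOf(':')) : "default";
        return granted(user, "", a) || granted(user, "@" + ns, a) || granted(user, table, a);
    }

    // Same shape as the preEndpointInvocation check quoted above: skipped when
    // EXEC checking is off or the service is the access-control service itself.
    static boolean mayInvoke(String user, String table, String service, boolean checkExec) {
        if (!checkExec || service.equals("AccessControlService")) {
            return true;
        }
        return allowed(user, table, Action.EXEC);
    }

    public static void main(String[] args) {
        String t = "SYSTEM:CATALOG";          // constructed table name
        String svc = "SampleEndpointService"; // hypothetical endpoint service
        System.out.println(mayInvoke("phoenix_svc", t, svc, true));  // X granted on the namespace
        System.out.println(mayInvoke("etl_user", t, svc, true));     // R and W on the table, no X
        System.out.println(mayInvoke("ops_admin", t, svc, true));    // global A only
        System.out.println(mayInvoke("etl_user", t, "AccessControlService", true)); // exempt service
        System.out.println(mayInvoke("etl_user", t, svc, false));    // EXEC checks disabled
    }
}
```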