[jira] [Updated] (HBASE-29143) Decouple the znode acl update logic from AccessController to support external implementations like RangerAuthorizationCoprocessor

[Nihal Jain (Jira)]

     [ 
https://issues.apache.org/jira/browse/HBASE-29143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nihal Jain updated HBASE-29143:
-------------------------------
    Description: 
The HBase 
_[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
 has hooks to update Zookeeper (zk) with ACL permissions, which are used to 
perform validations across various parts of the code.

For example, whenever a new record is added in ACL with a new permission, it is 
synchronized with the znode via the 
[{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
 call.

The problem arises when a custom implementation of {_}AccessController{_}, such 
as 
{_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
 is used. In this case, attempting to perform certain operations, like adding 
an rsgroup, fails because 
_[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
 requires global permissions, as enforced by 
_[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._

Below is a sample stack trace for the 2.6 code path:
{code:java}
org.apache.hadoop.hbase.security.AccessDeniedException: 
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions for user 'nihaljain' (global, action=ADMIN)
  at 
org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
  at 
org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
  at 
org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
  at 
org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
  at 
org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
  at 
org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
  at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
  at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
  at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
  at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
This issue occurs because zk ACL data is only updated via 
{_}AccessController{_}, and hence global permission data is not available for 
Ranger. Consequently, there is no way to provide permissions to a user to work 
through this for _RangerAuthorizationCoprocessor_ unless we copy logic from 
_AccessController_ into Ranger, which is not ideal.

 

*Solution Proposal*

We should extract all the zk update logic into a new separate class, say 
{_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the 
coprocessor code path to preserve behavior. This can be achieved by setting 
this new coprocessor at the ACL table level.

Systems dependent on external coprocessors like 
_RangerAuthorizationCoprocessor_ can either:
 * Chain it in the coprocessor code path by setting this new coprocessor at the 
ACL table level.
 * Or, set the zk coprocessor as a preceding coprocessor to 
_RangerAuthorizationCoprocessor_ in configurations.

  was:
The HBase 
_[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
 has hooks to update Zookeeper (zk) with ACL permissions, which are used to 
perform validations across various parts of the code.

For example, whenever a new record is added in ACL with a new permission, it is 
synchronized with the znode via the 
[{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
 call.

The problem arises when a custom implementation of {_}AccessController{_}, such 
as 
{_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
 is used. In this case, attempting to perform certain operations, like adding 
an rsgroup, fails because 
_[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
 requires global permissions, as enforced by 
_[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._

Below is a sample stack trace for the 2.6 code path:
{code:java}
org.apache.hadoop.hbase.security.AccessDeniedException: 
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions for user 'nihaljain' (global, action=ADMIN)
  at 
org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
  at 
org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
  at 
org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
  at 
org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
  at 
org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
  at 
org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
  at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
  at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
  at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
  at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
This issue occurs because zk ACL data is only updated via 
{_}AccessController{_}, and hence global permission data is not available for 
Ranger. Consequently, there is no way to provide permissions to a user to work 
through this for _RangerAuthorizationCoprocessor_ unless we copy logic from 
_AccessController_ into Ranger, which is not ideal.

 

*Solution Proposal*

We should extract all the zk update logic into a new separate class, say 
{_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the 
coprocessor code path to preserve behavior. This can be achieved by setting 
this new coprocessor at the ACL table level.

Systems dependent on external coprocessors like 
_RangerAuthorizationCoprocessor_ can either:
 * Chain it in the coprocessor code path by setting this new coprocessor at the 
ACL table level.
 * Or, set the zk coprocessor as a preceding coprocessor to 
`RangerAuthorizationCoprocessor` in configurations.


> Decouple the znode acl update logic from AccessController to support external 
> implementations like RangerAuthorizationCoprocessor
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-29143
>                 URL: https://issues.apache.org/jira/browse/HBASE-29143
>             Project: HBase
>          Issue Type: Improvement
>          Components: acl
>            Reporter: Nihal Jain
>            Assignee: Anchal Kejriwal
>            Priority: Major
>
> The HBase 
> _[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
>  has hooks to update Zookeeper (zk) with ACL permissions, which are used to 
> perform validations across various parts of the code.
> For example, whenever a new record is added in ACL with a new permission, it 
> is synchronized with the znode via the 
> [{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
>  call.
> The problem arises when a custom implementation of {_}AccessController{_}, 
> such as 
> {_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
>  is used. In this case, attempting to perform certain operations, like adding 
> an rsgroup, fails because 
> _[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
>  requires global permissions, as enforced by 
> _[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._
> Below is a sample stack trace for the 2.6 code path:
> {code:java}
> org.apache.hadoop.hbase.security.AccessDeniedException: 
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
> permissions for user 'nihaljain' (global, action=ADMIN)
>   at 
> org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
>   at 
> org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
>   at 
> org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
>   at 
> org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
>   at 
> org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
>   at 
> org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
>   at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
>   at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
>   at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
>   at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
> This issue occurs because zk ACL data is only updated via 
> {_}AccessController{_}, and hence global permission data is not available for 
> Ranger. Consequently, there is no way to provide permissions to a user to 
> work through this for _RangerAuthorizationCoprocessor_ unless we copy logic 
> from _AccessController_ into Ranger, which is not ideal.
>  
> *Solution Proposal*
> We should extract all the zk update logic into a new separate class, say 
> {_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the 
> coprocessor code path to preserve behavior. This can be achieved by setting 
> this new coprocessor at the ACL table level.
> Systems dependent on external coprocessors like 
> _RangerAuthorizationCoprocessor_ can either:
>  * Chain it in the coprocessor code path by setting this new coprocessor at 
> the ACL table level.
>  * Or, set the zk coprocessor as a preceding coprocessor to 
> _RangerAuthorizationCoprocessor_ in configurations.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)