Re: Review Request 65950: Add support to allow clients to access resource permissions stored in Ranger

2018-03-07 Thread Ankit Singhal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65950/
---

(Updated March 7, 2018, 2:13 p.m.)


Review request for ranger and Ramesh Mani.


Bugs: RANGER-1958
https://issues.apache.org/jira/browse/RANGER-1958


Repository: ranger


Description
---

RANGER-1958 [HBase] Implement getUserPermissions API of 
AccessControlService.Interface to allow clients to access HBase permissions 
stored in Ranger


Diffs
-

  
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 189dc2c
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java f8241c5
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceInfo.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 2b66c70
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 7a890b8
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java aad7834
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java 12b675b
  hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java 665640f
  hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java 9f0e5ac
  hbase-agent/src/test/resources/policyengine/test_policyengine_hbase.json f563c28


Diff: https://reviews.apache.org/r/65950/diff/1/


Testing
---

Unit testing is done


Thanks,

Ankit Singhal



Re: Review Request 65950: Add support to allow clients to access resource permissions stored in Ranger

2018-08-20 Thread Ankit Singhal


(Updated Aug. 20, 2018, 6:14 p.m.)


Review request for ranger and Ramesh Mani.


Changes
---

Now leveraged RANGER-2061 to implement getUserPermissions() API of HBase plugin


Bugs: RANGER-1958
https://issues.apache.org/jira/browse/RANGER-1958


Repository: ranger


Description
---

RANGER-1958 [HBase] Implement getUserPermissions API of 
AccessControlService.Interface to allow clients to access HBase permissions 
stored in Ranger


Diffs (updated)
-

  
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java cdaad00a4
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java d85339a09
  hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java 38408855d
  hbase-agent/src/test/resources/hbase-policies.json b7b44c9ea


Diff: https://reviews.apache.org/r/65950/diff/2/

Changes: https://reviews.apache.org/r/65950/diff/1-2/


Testing
---

Unit testing is done


Thanks,

Ankit Singhal



Re: Review Request 65950: Add support to allow clients to access resource permissions stored in Ranger

2018-08-20 Thread Ankit Singhal


> On March 7, 2018, 11:31 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Line 384 (original), 384 (patched)
> > <https://reviews.apache.org/r/65950/diff/1/?file=1972226#file1972226line384>
> >
> > Please consider adding another method with a different signature to get 
> > list of RangerPolicyItemEvaluators, instead of changing signature and 
> > implementation of this critical method.
> > 
> > Signature of new method may look like:
> > 
> > List getDeterminingPolicyItems(String user, 
> > Set userGroups, List accessType);
> > 
> > Then have the caller provide list of all available hbase accessTypes - 
> > they can be figured out from hbase Service-definition.
> > 
> > Method implementation may call getDeterminingPolicyItem for each 
> > accessType to build a list.
> > 
> > This will isolate current implementation from hbase specific changes.
> > 
> > Thanks!

Now using getResourceAcls API from RANGER-2061.


- Ankit


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65950/#review198831
---





Re: Review Request 65950: Add support to allow clients to access resource permissions stored in Ranger

2018-09-26 Thread Ankit Singhal


(Updated Sept. 26, 2018, 10:40 p.m.)


Review request for ranger and Ramesh Mani.


Changes
---

Removed the unnecessary permissionAccess.getValue().getIsFinal() check as per 
Abhay Kulkarni's review comment.


Bugs: RANGER-1958
https://issues.apache.org/jira/browse/RANGER-1958


Repository: ranger


Description
---

RANGER-1958 [HBase] Implement getUserPermissions API of 
AccessControlService.Interface to allow clients to access HBase permissions 
stored in Ranger


Diffs (updated)
-

  
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java cdaad00a4
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java d85339a09
  hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java 38408855d
  hbase-agent/src/test/resources/hbase-policies.json b7b44c9ea


Diff: https://reviews.apache.org/r/65950/diff/3/

Changes: https://reviews.apache.org/r/65950/diff/2-3/


Testing
---

Unit testing is done


Thanks,

Ankit Singhal



Re: Review Request 65950: Add support to allow clients to access resource permissions stored in Ranger

2018-10-04 Thread Ankit Singhal


(Updated Oct. 4, 2018, 11:38 p.m.)


Review request for ranger and Ramesh Mani.


Bugs: RANGER-1958
https://issues.apache.org/jira/browse/RANGER-1958


Repository: ranger


Description
---

RANGER-1958 [HBase] Implement getUserPermissions API of 
AccessControlService.Interface to allow clients to access HBase permissions 
stored in Ranger


Diffs (updated)
-

  
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java cdaad00a4
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java d85339a09
  hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java 38408855d
  hbase-agent/src/test/resources/hbase-policies.json b7b44c9ea


Diff: https://reviews.apache.org/r/65950/diff/4/

Changes: https://reviews.apache.org/r/65950/diff/3-4/


Testing
---

Unit testing is done


Thanks,

Ankit Singhal



[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-01 Thread Ankit Singhal (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16381995#comment-16381995
 ] 

Ankit Singhal commented on RANGER-1958:
---

bq. do you have patch ready for this?
Not yet, but I can check if I can put up something soon.
 
bq. But in case that is a long way to go and want to leverage on 
RangerHBasePlugin what is the expected implementation on getUserPermissions 
API? Could you please elaborate on the Phoenix request and what is expected out 
from Ranger? That will help us to move forward on this.

getUserPermissions API is expected to return all permissions of the requesting 
user on the particular resource (table/namespace/global only) specified in the 
request.



> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Priority: Major
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
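> {code}
> @Override
> public void getUserPermissions(RpcController controller,
>     AccessControlProtos.GetUserPermissionsRequest request,
>     RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
>   // Stub: only logs; the callback is never given a response.
>   LOG.debug("getUserPermissions(): ");
> }
> {code}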
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-05 Thread Ankit Singhal (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankit Singhal updated RANGER-1958:
--
Attachment: RANGER-1958.patch

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Priority: Major
> Attachments: RANGER-1958.patch
>
>


[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-05 Thread Ankit Singhal (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16385874#comment-16385874
 ] 

Ankit Singhal commented on RANGER-1958:
---

[~rmani], can you please review the attached patch. 

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Priority: Major
> Attachments: RANGER-1958.patch
>
>


[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-07 Thread Ankit Singhal (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16389609#comment-16389609
 ] 

Ankit Singhal commented on RANGER-1958:
---

Thanks [~rmani] for volunteering the review. Here is the review request.

[https://reviews.apache.org/r/65950/]

 

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankita Sinha
> Priority: Major
> Attachments: RANGER-1958.patch
>
>


[jira] [Comment Edited] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-07 Thread Ankit Singhal (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16389609#comment-16389609
 ] 

Ankit Singhal edited comment on RANGER-1958 at 3/7/18 2:30 PM:
---

Thanks [~rmani] for volunteering the review. Here is the review request.

[https://reviews.apache.org/r/65950/]

And also, can you please assign this ticket to me (Ankit Singhal).


was (Author: an...@apache.org):
Thanks [~rmani] for volunteering the review. Here is the review request.

[https://reviews.apache.org/r/65950/]

 

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankita Sinha
> Priority: Major
> Attachments: RANGER-1958.patch
>
>


[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-08-20 Thread Ankit Singhal (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16586360#comment-16586360
 ] 

Ankit Singhal commented on RANGER-1958:
---

Sorry guys [~abhayk], [~rmani], [~vperiasamy], for not working on this for a long 
time, but now I have made the changes by leveraging getResourceACLs() API exposed by 
RANGER-2061 to implement getUserPermission() API of HBase and updated the 
request for review.
https://reviews.apache.org/r/65950/

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
> Attachments: RANGER-1958.patch
>
>


[jira] [Created] (RANGER-2194) Implement ranger support for Phoenix

2018-08-20 Thread Ankit Singhal (JIRA)
Ankit Singhal created RANGER-2194:
-

Summary: Implement ranger support for Phoenix
Key: RANGER-2194
URL: https://issues.apache.org/jira/browse/RANGER-2194
Project: Ranger
Issue Type: New Feature
Components: plugins
Reporter: Ankit Singhal


Currently, Phoenix relies on HBase coprocessor for authorization but there are 
some logical entities like View, Function, Sequence which cannot be mapped 
directly to entities in HBase and require a separate authorization.

From an implementation perspective, Phoenix also does pre-checks for access 
with the help of coprocessor only.





[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-08-20 Thread Ankit Singhal (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16586453#comment-16586453
 ] 

Ankit Singhal commented on RANGER-1958:
---

bq. Although the long-term solution for Ranger could be to implement the 
coprocessor hooks for Phoenix as how it has been done for HBase so that we can 
also authorize new entities like VIEW, SEQUENCES, FUNCTIONs (which can not be 
supported with native HBase ACLs) along with Table and Schema.
bq. Ankit Singhal - could you file a Jira for the above? Thanks. 
Yes [~vperiasamy], just created RANGER-2194 for the same.

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
> Attachments: RANGER-1958.patch
>
>


[jira] [Updated] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-09-20 Thread Ankit Singhal (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankit Singhal updated RANGER-1958:
--
Attachment: (was: 12940637_PHOENIX-4908.002.patch)

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
> Attachments: 
> 0001-RANGER-1958-HBase-Implement-getUserPermissions-API-o.patch, 
> RANGER-1958.patch
>
>


[jira] [Updated] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-09-20 Thread Ankit Singhal (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankit Singhal updated RANGER-1958:
--
Attachment: 0001-RANGER-1958-HBase-Implement-getUserPermissions-API-o.patch

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
> Attachments: 
> 0001-RANGER-1958-HBase-Implement-getUserPermissions-API-o.patch, 
> RANGER-1958.patch
>
>


[jira] [Updated] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-09-20 Thread Ankit Singhal (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankit Singhal updated RANGER-1958:
--
Attachment: 12940637_PHOENIX-4908.002.patch

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
> Attachments: 
> 0001-RANGER-1958-HBase-Implement-getUserPermissions-API-o.patch, 
> RANGER-1958.patch
>
>


[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-09-20 Thread Ankit Singhal (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16622451#comment-16622451
 ] 

Ankit Singhal commented on RANGER-1958:
---

[~rmani], Uploaded the patch after taking care of [~abhayk]'s review comments.

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
> Attachments: 
> 0001-RANGER-1958-HBase-Implement-getUserPermissions-API-o.patch, 
> RANGER-1958.patch
>
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
> {code}
> @Override
>   public void getUserPermissions(RpcController controller, 
> AccessControlProtos.GetUserPermissionsRequest request, 
> RpcCallback done) {
>   LOG.debug("getUserPermissions(): ");
>   }
> {code}
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.





[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-09-26 Thread Ankit Singhal (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629493#comment-16629493
 ] 

Ankit Singhal commented on RANGER-1958:
---

{quote}could you please upload to review board? Or update 
[https://reviews.apache.org/r/65950/] with latest patch?
{quote}
[~vperiasamy], done, uploaded the latest patch on review board as well, but I 
thought [~rmani] requested the patch on ticket to sign off (as per comment)



[jira] [Comment Edited] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-09-26 Thread Ankit Singhal (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629493#comment-16629493
 ] 

Ankit Singhal edited comment on RANGER-1958 at 9/26/18 10:43 PM:
-

{quote}could you please upload to review board? Or update 
[https://reviews.apache.org/r/65950/] with latest patch?
{quote}
[~vperiasamy], done, uploaded the latest patch on review board as well, but I 
thought [~rmani] requested the patch on ticket to sign off (as per comment)


was (Author: an...@apache.org):
{quote}could you please upload to review board? Or update 
[https://reviews.apache.org/r/65950/] with latest patch?
{quote}
[~vperiasamy], done, uploaded the latest patch on review board as well, but I 
thought [~rmani] requested the patch on ticket to sign off (as per comment)



[jira] [Comment Edited] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-09-26 Thread Ankit Singhal (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629493#comment-16629493
 ] 

Ankit Singhal edited comment on RANGER-1958 at 9/26/18 10:43 PM:
-

{quote}could you please upload to review board? Or update 
[https://reviews.apache.org/r/65950/] with latest patch?
{quote}
[~vperiasamy], done, uploaded the latest patch on review board as well, but I 
thought [~rmani] requested the patch on ticket to sign off (as per 
[comment|https://issues.apache.org/jira/browse/RANGER-1958?focusedCommentId=16609883&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16609883])


was (Author: an...@apache.org):
{quote}could you please upload to review board? Or update 
[https://reviews.apache.org/r/65950/] with latest patch?
{quote}
[~vperiasamy], done, uploaded the latest patch on review board as well, but I 
thought [~rmani] requested the patch on ticket to sign off (as per comment)



[jira] [Created] (RANGER-2301) [HBASE] Ranger should check for Admin permission along with CREATE during postGetTableDescriptor()

2018-11-30 Thread Ankit Singhal (JIRA)
Ankit Singhal created RANGER-2301:
-

Summary: [HBASE] Ranger should check for Admin permission along with CREATE during postGetTableDescriptor()
Key: RANGER-2301
URL: https://issues.apache.org/jira/browse/RANGER-2301
Project: Ranger
Issue Type: Bug
Components: plugins
Reporter: Ankit Singhal
Assignee: Ankit Singhal








[jira] [Created] (RANGER-2300) UnderPrivileged user should get AccessDeniedException instead of TableNotFoundException when getTableDescriptor() API is used

2018-11-30 Thread Ankit Singhal (JIRA)
Ankit Singhal created RANGER-2300:
-

Summary: UnderPrivileged user should get AccessDeniedException instead of TableNotFoundException when getTableDescriptor() API is used
Key: RANGER-2300
URL: https://issues.apache.org/jira/browse/RANGER-2300
Project: Ranger
Issue Type: Bug
Components: plugins
Reporter: Ankit Singhal
Assignee: Ankit Singhal


Currently, HBase native authorization throws AccessDeniedException when
getTableDescriptor() is called by an underprivileged user. In order to have
parity, I think Ranger should also do the same.





[jira] [Updated] (RANGER-2300) [HBase] UnderPrivileged user should get AccessDeniedException instead of TableNotFoundException when getTableDescriptor() API is used

2018-11-30 Thread Ankit Singhal (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankit Singhal updated RANGER-2300:
--
Summary: [HBase] UnderPrivileged user should get AccessDeniedException 
instead of TableNotFoundException when getTableDescriptor() API is used  (was: 
UnderPrivileged user should get AccessDeniedException instead of 
TableNotFoundException when getTableDescriptor() API is used)

> [HBase] UnderPrivileged user should get AccessDeniedException instead of 
> TableNotFoundException when getTableDescriptor() API is used
> -
>
> Key: RANGER-2300
> URL: https://issues.apache.org/jira/browse/RANGER-2300
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
>
> Currently, HBase native authorization throws AccessDeniedException when
> getTableDescriptor() is called by an underprivileged user. In order to have
> parity, I think Ranger should also do the same.


