Repository: ranger
Updated Branches:
  refs/heads/master 57222febb -> a1929a824


RANGER-2027: Evaluate grantor's group membership in the plugin for grant/revoke 
request


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a1929a82
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a1929a82
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a1929a82

Branch: refs/heads/master
Commit: a1929a82446f5aa8ba662649e9ff3af9e61bec4b
Parents: 57222fe
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Sun Mar 18 09:13:25 2018 -0700
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Sun Mar 18 09:13:25 2018 -0700

----------------------------------------------------------------------
 .../ranger/plugin/util/GrantRevokeRequest.java  | 27 ++++++++++++++++++--
 .../hbase/RangerAuthorizationCoprocessor.java   | 16 ++++++++++++
 .../hive/authorizer/RangerHiveAuthorizer.java   | 19 ++++++++++++++
 .../org/apache/ranger/rest/ServiceREST.java     |  8 +++---
 4 files changed, 64 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index 0c5b2d8..f4fe589 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -44,6 +44,7 @@ public class GrantRevokeRequest implements Serializable {
        private static final long serialVersionUID = 1L;
 
        private String              grantor;
+       private Set<String>         grantorGroups;
        private Map<String, String> resource;
        private Set<String>         users;
        private Set<String>         groups;
@@ -59,11 +60,12 @@ public class GrantRevokeRequest implements Serializable {
        private String              clusterName;
 
        public GrantRevokeRequest() {
-               this(null, null, null, null, null, null, null, null, null, 
null, null, null, null, null);
+               this(null, null, null, null, null, null, null, null, null, 
null, null, null, null, null, null);
        }
 
-       public GrantRevokeRequest(String grantor, Map<String, String> resource, 
Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean 
delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean 
isRecursive, String clientIPAddress, String clientType, String requestData, 
String sessionId, String clusterName) {
+       public GrantRevokeRequest(String grantor, Set<String> grantorGroups, 
Map<String, String> resource, Set<String> users, Set<String> groups, 
Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean 
replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String 
clientType, String requestData, String sessionId, String clusterName) {
                setGrantor(grantor);
+               setGrantorGroups(grantorGroups);
                setResource(resource);
                setUsers(users);
                setGroups(groups);
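Review bot: Inserting `grantorGroups` as the second positional parameter of what is now a 15-argument constructor silently shifts every argument after it, so any caller outside this commit that was built against the 14-argument form (a plugin, a test, or a tool constructing requests by hand) no longer compiles. If the old form is meant to stay usable, keep it as a delegating overload, `public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, ... /* remaining 11 parameters as before */) { this(grantor, null, resource, users, ...); }`, and since the new parameter is a `Set`, a null passed there is turned into an empty set by `setGrantorGroups`, which is the safe default. A builder would remove the positional hazard altogether, but that is a larger change than this commit needs. The constructor body continues past the end of the hunk.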
@@ -94,6 +96,19 @@ public class GrantRevokeRequest implements Serializable {
        }
 
        /**
+        * @return the grantorGroups
+        */
+       public Set<String> getGrantorGroups() {
+               return grantorGroups;
+       }
+
+       /**
+        * @param grantorGroups the grantorGroups to set
+        */
+       public void setGrantorGroups(Set<String> grantorGroups) {
+               this.grantorGroups = grantorGroups == null ? new 
HashSet<String>() : grantorGroups;
+       }
+       /**
         * @return the resource
         */
        public Map<String, String> getResource() {
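Review bot: The Javadoc on `getGrantorGroups()` and `setGrantorGroups(...)` is the generated placeholder ("the grantorGroups") and says nothing about where the value comes from or what an empty set means, which matters because this field feeds an authorization decision on the Admin side (the `ServiceREST` hunks in this commit prefer it over the server's own group lookup whenever it is non-empty). Suggest on the getter `@return groups of the grantor as resolved by the plugin on the cluster side; never null once the setter has run, empty when the plugin resolved none — Ranger Admin then falls back to its own user/group store` and on the setter `@param grantorGroups grantor's groups as seen by the plugin; null is stored as an empty set`. Note also that the getter returns the internal mutable `Set` rather than a copy, so a caller can change the request's group claim after construction; whether the other accessors in this class do the same is not visible in the hunk.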
@@ -289,6 +304,14 @@ public class GrantRevokeRequest implements Serializable {
 
                sb.append("grantor={").append(grantor).append("} ");
 
+               sb.append("grantorGroups={");
+               if(grantorGroups != null) {
+                       for(String grantorGroup : grantorGroups) {
+                               sb.append(grantorGroup).append(" ");
+                       }
+               }
+               sb.append("} ");
+
                sb.append("resource={");
                if(resource != null) {
                        for(Map.Entry<String, String> e : resource.entrySet()) {

http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 12b675b..d7b4673 100644
--- 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1315,6 +1315,13 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
 
                User   activeUser = getActiveUser();
                String grantor    = activeUser != null ? 
activeUser.getShortName() : null;
+               String[] groups   = activeUser != null ? 
activeUser.getGroupNames() : null;
+
+               Set<String> grantorGroups = null;
+
+               if (groups != null && groups.length > 0) {
+                       grantorGroups = new HashSet<>(Arrays.asList(groups));
+               }
 
                Map<String, String> mapResource = new HashMap<String, String>();
                mapResource.put("table", tableName);
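Review bot: The seven lines from `String[] groups = activeUser != null ? ...` down to `grantorGroups = new HashSet<>(Arrays.asList(groups));` are duplicated verbatim in the revoke hook later in this file (the hunk at -1412), and both copies deliberately leave `grantorGroups` null when the user has no groups and rely on `setGrantorGroups` to normalize that to an empty set. Keeping the conversion in one private helper makes sure the grant and revoke paths cannot drift apart in how they report the grantor's groups, which is what the Admin-side delegate-admin check now consumes. The enclosing method starts and ends outside the hunk, and `getActiveUser()` is not visible here, so I assume it returns the HBase `User` of the calling RPC.
```java
/** Groups reported by HBase for the active user, or null when there is no user or no groups. */
private static Set<String> toGroupSet(User user) {
    String[] groups = user != null ? user.getGroupNames() : null;
    return (groups != null && groups.length > 0) ? new HashSet<>(Arrays.asList(groups)) : null;
}

// … in the grant hook, replacing the String[] groups … grantorGroups block:
Set<String> grantorGroups = toGroupSet(activeUser);
```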
@@ -1324,6 +1331,7 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                GrantRevokeRequest ret = new GrantRevokeRequest();
 
                ret.setGrantor(grantor);
+               ret.setGrantorGroups(grantorGroups);
                ret.setDelegateAdmin(Boolean.FALSE);
                ret.setEnableAudit(Boolean.TRUE);
                ret.setReplaceExistingPermissions(Boolean.TRUE);
@@ -1412,6 +1420,13 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
 
                User   activeUser = getActiveUser();
                String grantor    = activeUser != null ? 
activeUser.getShortName() : null;
+               String[] groups   = activeUser != null ? 
activeUser.getGroupNames() : null;
+
+               Set<String> grantorGroups = null;
+
+               if (groups != null && groups.length > 0) {
+                       grantorGroups = new HashSet<>(Arrays.asList(groups));
+               }
 
                Map<String, String> mapResource = new HashMap<String, String>();
                mapResource.put("table", tableName);
@@ -1421,6 +1436,7 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                GrantRevokeRequest ret = new GrantRevokeRequest();
 
                ret.setGrantor(grantor);
+               ret.setGrantorGroups(grantorGroups);
                ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin 
privilege as well
                ret.setEnableAudit(Boolean.TRUE);
                ret.setReplaceExistingPermissions(Boolean.TRUE);

http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2c2a518..780afac 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -20,8 +20,10 @@
 package org.apache.ranger.authorization.hive.authorizer;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -1363,6 +1365,22 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                return grantor;
        }
 
+       private Set<String> getGrantorGroupNames(HivePrincipal 
grantorPrincipal) {
+               Set<String> ret = null;
+
+               String grantor = grantorPrincipal != null ? 
grantorPrincipal.getName() : null;
+
+               UserGroupInformation ugi = StringUtil.isEmpty(grantor) ? 
this.getCurrentUserGroupInfo() : UserGroupInformation.createRemoteUser(grantor);
+
+               String[] groups = ugi != null ? ugi.getGroupNames() : null;
+
+               if (groups != null && groups.length > 0) {
+                       ret = new HashSet<>(Arrays.asList(groups));
+               }
+
+               return ret;
+       }
+
        private GrantRevokeRequest createGrantRevokeData(RangerHiveResource  
resource,
                                                                                
                         List<HivePrincipal> hivePrincipals,
                                                                                
                         List<HivePrivilege> hivePrivileges,
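Review bot: `getGrantorGroupNames` resolves groups for `grantorPrincipal.getName()`, while the user name actually sent alongside them comes from `getGrantorUsername(grantorPrincipal)` (its body lies above the hunk; only its `return grantor;` is visible), so if that method normalizes or substitutes the name in any way, the groups attached to the request could belong to a different identity than the grantor they accompany. Deriving the name once, `String grantor = getGrantorUsername(grantorPrincipal);` at the top of the new method, rules that out. The `UserGroupInformation.createRemoteUser(grantor)` branch resolves groups through this HiveServer2 host's Hadoop group mapping for whatever name it is given; if memory serves, `getGroupNames()` swallows lookup failures and returns an empty array, which would make "lookup failed" indistinguishable from "no groups" here — worth confirming and noting on that line. The method also lacks Javadoc; suggest `/** Groups of the grantor as resolved by this host's Hadoop group mapping, or of the current session user when no grantor principal is given; null when none are found. */`.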
@@ -1382,6 +1400,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                GrantRevokeRequest ret = new GrantRevokeRequest();
 
                ret.setGrantor(getGrantorUsername(grantorPrincipal));
+               ret.setGrantorGroups(getGrantorGroupNames(grantorPrincipal));
                ret.setDelegateAdmin(grantOption ? Boolean.TRUE : 
Boolean.FALSE);
                ret.setEnableAudit(Boolean.TRUE);
                ret.setReplaceExistingPermissions(Boolean.FALSE);

http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index dad8a97..3642252 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1066,7 +1066,7 @@ public class ServiceREST {
 
                                        
validateGrantRevokeRequest(grantRequest);
                                        String               userName   = 
grantRequest.getGrantor();
-                                       Set<String>          userGroups = 
userMgr.getGroupsForUser(userName);
+                                       Set<String>          userGroups = 
CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? 
grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                                        RangerAccessResource resource   = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
        
                                        boolean isAdmin = 
hasAdminAccess(serviceName, userName, userGroups, resource);
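Review bot: The `hasAdminAccess(serviceName, userName, userGroups, resource)` decision now uses a group set asserted by the caller of this REST endpoint whenever `grantRequest.getGrantorGroups()` is non-empty, and `userMgr.getGroupsForUser(userName)` is consulted only when the plugin sent nothing. Since `grantor` was already caller-supplied, this is consistent with the trust already placed in the plugin, but it does mean any principal able to reach this endpoint (its authentication is outside the hunk) can now assert both the grantor identity and the groups used for the delegated-admin check, so the check is exactly as strong as the plugin's credentials. If that is the intended trust model it deserves a comment at the assignment, e.g. `// grantorGroups are asserted by the calling plugin and trusted as-is; Admin's own user/group store is only a fallback when the plugin sends none`, and which source was used is worth recording in the audit/log for this request so a forged group claim can be traced afterwards. If it is not intended, merging rather than replacing (`userGroups.addAll(userMgr.getGroupsForUser(userName))`) keeps Admin's view in play without losing cluster-side groups. The enclosing method starts and ends outside the hunk.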
@@ -1163,7 +1163,7 @@ public class ServiceREST {
                                        
validateGrantRevokeRequest(grantRequest);
 
                                        String               userName   = 
grantRequest.getGrantor();
-                                       Set<String>          userGroups = 
userMgr.getGroupsForUser(userName);
+                                       Set<String>          userGroups = 
CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? 
grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                                        RangerAccessResource resource   = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
                                        boolean isAdmin = 
hasAdminAccess(serviceName, userName, userGroups, resource);
 
@@ -1278,7 +1278,7 @@ public class ServiceREST {
                                        
validateGrantRevokeRequest(revokeRequest);
 
                                        String               userName   = 
revokeRequest.getGrantor();
-                                       Set<String>          userGroups =  
userMgr.getGroupsForUser(userName);
+                                       Set<String>          userGroups = 
CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? 
revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                                        RangerAccessResource resource   = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
 
                                        boolean isAdmin = 
hasAdminAccess(serviceName, userName, userGroups, resource);
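Review bot: The ternary on the `Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? ... : userMgr.getGroupsForUser(userName);` line is now repeated verbatim in four places in this file (both grant paths and both revoke paths), which is the kind of authorization-input selection that should live in one spot so a later fix applies everywhere at once. A small helper does it: `private Set<String> resolveGrantorGroups(GrantRevokeRequest req) { Set<String> g = req.getGrantorGroups(); return CollectionUtils.isNotEmpty(g) ? g : userMgr.getGroupsForUser(req.getGrantor()); }`, with each call site becoming `Set<String> userGroups = resolveGrantorGroups(revokeRequest);`. The enclosing method starts and ends outside the hunk.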
@@ -1339,7 +1339,7 @@ public class ServiceREST {
                                        
validateGrantRevokeRequest(revokeRequest);
 
                                        String               userName   = 
revokeRequest.getGrantor();
-                                       Set<String>          userGroups =  
userMgr.getGroupsForUser(userName);
+                                       Set<String>          userGroups = 
CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? 
revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                                        RangerAccessResource resource   = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
                                        boolean isAdmin = 
hasAdminAccess(serviceName, userName, userGroups, resource);
                                        boolean isAllowed = false;
