Repository: ranger Updated Branches: refs/heads/master 57222febb -> a1929a824
RANGER-2027: Evaluate grantor's group membership in the plugin for grant/revoke request
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a1929a82
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a1929a82
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a1929a82
Branch: refs/heads/master
Commit: a1929a82446f5aa8ba662649e9ff3af9e61bec4b
Parents: 57222fe
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Sun Mar 18 09:13:25 2018 -0700
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Sun Mar 18 09:13:25 2018 -0700
----------------------------------------------------------------------
 .../ranger/plugin/util/GrantRevokeRequest.java | 27 ++++++++++++++++++--
 .../hbase/RangerAuthorizationCoprocessor.java | 16 ++++++++++++
 .../hive/authorizer/RangerHiveAuthorizer.java | 19 ++++++++++++++
 .../org/apache/ranger/rest/ServiceREST.java | 8 +++---
 4 files changed, 64 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index 0c5b2d8..f4fe589 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -44,6 +44,7 @@ public class GrantRevokeRequest implements Serializable {
 private static final long serialVersionUID = 1L;
 private String grantor;
+ private Set<String> grantorGroups;
 private Map<String, String> resource;
 private Set<String> users;
 private Set<String> groups;
@@ -59,11 +60,12 @@ public class GrantRevokeRequest implements Serializable {
 private String clusterName;
 public GrantRevokeRequest() {
- this(null, null, null, null, null, null, null, null, null, null, null, null, null, null);
+ this(null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
 }
- public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String sessionId, String clusterName) {
+ public GrantRevokeRequest(String grantor, Set<String> grantorGroups, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String sessionId, String clusterName) {
 setGrantor(grantor);
+ setGrantorGroups(grantorGroups);
 setResource(resource);
 setUsers(users);
 setGroups(groups);
@@ -94,6 +96,19 @@ public class GrantRevokeRequest implements Serializable {
 }
 /**
+ * @return the grantorGroups
+ */
+ public Set<String> getGrantorGroups() {
+ return grantorGroups;
+ }
+
+ /**
+ * @param grantorGroups the grantorGroups to set
+ */
+ public void setGrantorGroups(Set<String> grantorGroups) {
+ this.grantorGroups = grantorGroups == null ? new HashSet<String>() : grantorGroups;
+ }
+ /**
 * @return the resource
 */
 public Map<String, String> getResource() {
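Review bot: The 14-argument public constructor is removed rather than kept next to the new 15-argument one (the `-`/`+` pair in the middle of the -59 hunk), and the new `grantorGroups` parameter is inserted in second position, so any plugin or test compiled against the previous agents-common signature stops compiling. Keeping the old signature as a delegating overload costs one statement: `this(grantor, null, resource, users, groups, accessTypes, delegateAdmin, enableAudit, replaceExistingPermissions, isRecursive, clientIPAddress, clientType, requestData, sessionId, clusterName);`. The constructor body continues past the end of the hunk.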
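Review bot: The Javadoc on `setGrantorGroups` in the -94 hunk does not say that a null argument is replaced by an empty `HashSet`, which is exactly the property the admin side depends on when it tests the collection with `CollectionUtils.isNotEmpty` and otherwise falls back to its own lookup; the set is also stored by reference rather than copied, which matches the other setters as far as this hunk shows. Suggest `@param grantorGroups groups of the grantor as resolved by the plugin; null is stored as an empty set, and an empty set means "not supplied"` on the setter, and on the getter `@return the grantorGroups; empty (never null) when the setter has run, null only if the field was written directly, which toString() still guards against`.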
@@ -289,6 +304,14 @@ public class GrantRevokeRequest implements Serializable {
 sb.append("grantor={").append(grantor).append("} ");
+ sb.append("grantorGroups={");
+ if(grantorGroups != null) {
+ for(String grantorGroup : grantorGroups) {
+ sb.append(grantorGroup).append(" ");
+ }
+ }
+ sb.append("} ");
+
 sb.append("resource={");
 if(resource != null) {
 for(Map.Entry<String, String> e : resource.entrySet()) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 12b675b..d7b4673 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1315,6 +1315,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 User activeUser = getActiveUser();
 String grantor = activeUser != null ? activeUser.getShortName() : null;
+ String[] groups = activeUser != null ? activeUser.getGroupNames() : null;
+
+ Set<String> grantorGroups = null;
+
+ if (groups != null && groups.length > 0) {
+ grantorGroups = new HashSet<>(Arrays.asList(groups));
+ }
 Map<String, String> mapResource = new HashMap<String, String>();
 mapResource.put("table", tableName);
@@ -1324,6 +1331,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 GrantRevokeRequest ret = new GrantRevokeRequest();
 ret.setGrantor(grantor);
+ ret.setGrantorGroups(grantorGroups);
 ret.setDelegateAdmin(Boolean.FALSE);
 ret.setEnableAudit(Boolean.TRUE);
 ret.setReplaceExistingPermissions(Boolean.TRUE);
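Review bot: The seven added lines that turn `activeUser.getGroupNames()` into `grantorGroups` in the -1315 hunk are repeated verbatim in the -1412 hunk, so the null and empty-array handling will drift the first time one copy is edited alone; both enclosing methods start before their hunks. A private helper gives the rule one home and lets each call site shrink to `Set<String> grantorGroups = getGrantorGroups(activeUser);`. Whether the groups HBase's `User` reports on the region server are the same ones the admin server would resolve for that user is not visible here and is worth stating in the helper's Javadoc.
```java
/** Groups of the HBase user issuing the grant/revoke, or null when none are known (admin then resolves them itself). */
private static Set<String> getGrantorGroups(User activeUser) {
    String[] groups = activeUser != null ? activeUser.getGroupNames() : null;

    return (groups != null && groups.length > 0) ? new HashSet<>(Arrays.asList(groups)) : null;
}

// … unchanged: grant/revoke request construction, now calling getGrantorGroups(activeUser) …
```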
@@ -1412,6 +1420,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 User activeUser = getActiveUser();
 String grantor = activeUser != null ? activeUser.getShortName() : null;
+ String[] groups = activeUser != null ? activeUser.getGroupNames() : null;
+
+ Set<String> grantorGroups = null;
+
+ if (groups != null && groups.length > 0) {
+ grantorGroups = new HashSet<>(Arrays.asList(groups));
+ }
 Map<String, String> mapResource = new HashMap<String, String>();
 mapResource.put("table", tableName);
@@ -1421,6 +1436,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 GrantRevokeRequest ret = new GrantRevokeRequest();
 ret.setGrantor(grantor);
+ ret.setGrantorGroups(grantorGroups);
 ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
 ret.setEnableAudit(Boolean.TRUE);
 ret.setReplaceExistingPermissions(Boolean.TRUE);
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2c2a518..780afac 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -20,8 +20,10 @@ package org.apache.ranger.authorization.hive.authorizer;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -1363,6 +1365,22 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 return grantor;
 }
+ private Set<String> getGrantorGroupNames(HivePrincipal grantorPrincipal) {
+ Set<String> ret = null;
+
+ String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;
+
+ UserGroupInformation ugi = StringUtil.isEmpty(grantor) ? this.getCurrentUserGroupInfo() : UserGroupInformation.createRemoteUser(grantor);
+
+ String[] groups = ugi != null ? ugi.getGroupNames() : null;
+
+ if (groups != null && groups.length > 0) {
+ ret = new HashSet<>(Arrays.asList(groups));
+ }
+
+ return ret;
+ }
+
 private GrantRevokeRequest createGrantRevokeData(RangerHiveResource resource, List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
@@ -1382,6 +1400,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 GrantRevokeRequest ret = new GrantRevokeRequest();
 ret.setGrantor(getGrantorUsername(grantorPrincipal));
+ ret.setGrantorGroups(getGrantorGroupNames(grantorPrincipal));
 ret.setDelegateAdmin(grantOption ? Boolean.TRUE : Boolean.FALSE);
 ret.setEnableAudit(Boolean.TRUE);
 ret.setReplaceExistingPermissions(Boolean.FALSE);
http://git-wip-us.apache.org/repos/asf/ranger/blob/a1929a82/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index dad8a97..3642252 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
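Review bot: `getGrantorGroupNames` in the -1363 hunk has no Javadoc, and its contract is subtle enough to need one: it returns null rather than an empty set when no groups are found (which, on the admin side, triggers a server-side lookup instead of a "no groups" decision), and when a grantor principal is named it resolves groups for a UGI created with `UserGroupInformation.createRemoteUser(grantor)`, i.e. through whatever group mapping this HiveServer2 process has configured, not through the session's own UGI. Suggest a Javadoc stating both: `/** Resolves the grantor's groups on this host: the session user's groups when no grantor principal is named, otherwise those of a remote-user UGI created for that name. Returns null when no groups are found so that the admin server falls back to its own lookup. */`. The preceding `getGrantorUsername`, whose `return grantor;` opens the hunk, presumably picks the grantor name by the same rule; it is worth a comment tying the two together so they do not drift.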
@@ -1066,7 +1066,7 @@ public class ServiceREST {
 validateGrantRevokeRequest(grantRequest);
 String userName = grantRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
 boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1163,7 +1163,7 @@ public class ServiceREST {
 validateGrantRevokeRequest(grantRequest);
 String userName = grantRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
 boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1278,7 +1278,7 @@ public class ServiceREST {
 validateGrantRevokeRequest(revokeRequest);
 String userName = revokeRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
 boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
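Review bot: The `hasAdminAccess(serviceName, userName, userGroups, resource)` decision at the end of the -1066 hunk now takes the grantor's group membership from the request body whenever `getGrantorGroups()` is non-empty, with `userMgr.getGroupsForUser` reduced to a fallback; the -1163 and -1278 hunks here and the -1339 hunk below do the same. That moves the source of truth for the delegated-admin check from the admin server's own user store to whatever the calling plugin asserts, so the check is only as strong as the authentication and authorization of the caller on these endpoints, which this diff does not show and which the enclosing methods (started outside the hunks) presumably handle. Rather than repeating the ternary four times, a single private helper such as `getGrantorGroups(GrantRevokeRequest)` can carry the comment that makes the assumption reviewable: `// Groups asserted by the plugin, resolved on the service host; the admin user store is consulted only when the request carries none. Safe only because these endpoints accept requests from the service's own principal.`. Recording in the audit entry which of the two sources was used would make a grant that relied on plugin-asserted groups traceable after the fact.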
@@ -1339,7 +1339,7 @@ public class ServiceREST {
 validateGrantRevokeRequest(revokeRequest);
 String userName = revokeRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
 boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 boolean isAllowed = false;