diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java index 183abb6ca1..3c5f5213a4 100644 --- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java +++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java @@ -53,7 +53,6 @@ public class RangerHadoopConstants { public static final boolean HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true; public static final String HBASE_COLUMN_AUTH_OPTIMIZATION = "ranger.plugin.hbase.column.auth.optimization"; - public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_PROP = "knox.authorization.verifier.classname"; public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.knox.RangerAuthorizer"; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java index 8f39b5ceaf..b7a0a8ccf1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java @@ -70,7 +70,7 @@ default Map getResourceElementMatchingScop return Collections.emptyMap(); } - enum ResourceMatchingScope { SELF, SELF_OR_DESCENDANTS, SELF_AND_ALL_DESCENDANTS} + enum ResourceMatchingScope { SELF, SELF_OR_DESCENDANTS, SELF_AND_ALL_DESCENDANTS } enum ResourceElementMatchingScope { SELF, SELF_OR_CHILD, SELF_OR_PREFIX } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 40018e07d0..19a17f7314 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -231,10 +231,8 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) { matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; } - final boolean isMatchedResource; - isMatchedResource = isMatchForResourceMatchingScope(request.getResourceMatchingScope(), matchType, request.isAccessTypeAny()); - - if (isMatchedResource) { + final boolean isMatchedResource = isMatchForResourceMatchingScope(request.getResourceMatchingScope(), matchType, request.isAccessTypeAny()); + if ( isMatchedResource ) { //Evaluate Policy Level Custom Conditions, if any and allowed then go ahead for policyItem level evaluation if (matchPolicyCustomConditions(request)) { if (!result.getIsAuditedDetermined()) { @@ -260,29 +258,7 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) { LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicyId() + ", " + request + ", " + result + ")"); } } - private boolean isMatchForResourceMatchingScope(final RangerAccessRequest.ResourceMatchingScope scope, final RangerPolicyResourceMatcher.MatchType matchType, boolean isAnyMatch) { - if (isAnyMatch){ - return matchType != RangerPolicyResourceMatcher.MatchType.NONE; - } - boolean ret = false; - if (scope!=null){ - switch (scope) { - case SELF_OR_DESCENDANTS: { - ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE; - break; - } - case SELF_AND_ALL_DESCENDANTS: { - ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE; - break; - } - default: { - ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS; - break; - } - } - } - return ret; - } + @Override public boolean isMatch(RangerAccessResource resource, Map evalContext) { if(LOG.isDebugEnabled()) { @@ -1528,4 +1504,27 @@ private List createPolicyConditionEvaluators(RangerPol return ret; } + private boolean isMatchForResourceMatchingScope(final RangerAccessRequest.ResourceMatchingScope scope, final RangerPolicyResourceMatcher.MatchType matchType, boolean isAnyMatch) { + boolean ret = false; + if (isAnyMatch){ + ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE; + } + else if (scope!=null) { + switch (scope) { + case SELF_OR_DESCENDANTS: { + ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE; + break; + } + case SELF_AND_ALL_DESCENDANTS: { + ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE; + break; + } + default: { + ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS; + break; + } + } + } + return ret; + } } diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java index 50552bc64a..69221b5acf 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java @@ -168,7 +168,7 @@ boolean isNameSpaceOperation() { StringUtils.equals(_operation, "getUserPermissionForNamespace"); } - private RangerAccessResource createHBaseResource(){ + private RangerAccessResource createHBaseResource() { // TODO get this via a factory instead RangerAccessResourceImpl resource = new RangerHBaseResource(); // policy engine should deal sensibly with null/empty values, if any @@ -181,7 +181,7 @@ private RangerAccessResource createHBaseResource(){ resource.setValue(RangerHBaseResource.KEY_COLUMN, _column); return resource; } - private RangerAccessRequest createRangerRequest(){ + private RangerAccessRequest createRangerRequest() { RangerAccessResource resource = createHBaseResource(); String user = _userUtils.getUserAsString(_user); RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, _access, user, _groups, null); @@ -378,7 +378,7 @@ AuthorizationSession resourceMatchingScope(RangerAccessRequest.ResourceMatchingS _resourceMatchingScope = scope; return this; } - public boolean getPropertyIsColumnAuthOptimizationEnabled(){ + public boolean getPropertyIsColumnAuthOptimizationEnabled() { return _authorizer.getPropertyIsColumnAuthOptimizationEnabled(); } } diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index 32dc3e6f7c..959d7d6c45 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -104,7 +104,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte final HbaseAuthUtils _authUtils = _factory.getAuthUtils(); private static volatile RangerHBasePlugin hbasePlugin = null; - public void setColumnAuthOptimizationEnabled(boolean enable) throws Exception { if (hbasePlugin!=null) { hbasePlugin.setColumnAuthOptimizationEnabled(enable); @@ -270,13 +269,13 @@ Map> getColumnFamilies(Map> if (CollectionUtils.isEmpty(columnCollection)) { // family points to null map, OK. // if column auth disabled, then also empty set is fine - if (LOG.isDebugEnabled()){ + if (LOG.isDebugEnabled()) { LOG.debug("RangerAuthorizationCoprocessor getColumnFamilies: columns are empty. " + "Setting columns to emptySet in familyMap"); } result.put(family, Collections. emptySet()); } else { - if (LOG.isDebugEnabled()){ + if (LOG.isDebugEnabled()) { LOG.debug("RangerAuthorizationCoprocessor getColumnFamilies: columns exist"); } Iterator columnIterator = new ColumnIterator(columnCollection); @@ -338,7 +337,7 @@ public String toString() { ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation, Action action, final RegionCoprocessorEnvironment env, final Map> familyMap, String commandStr) throws AccessDeniedException { - if (LOG.isDebugEnabled()){ + if (LOG.isDebugEnabled()) { LOG.debug("evaluateAccess: isColumnAuthOptimizationEnabled="+hbasePlugin.getPropertyIsColumnAuthOptimizationEnabled()); } @@ -443,7 +442,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation if (columns == null || columns.isEmpty()) { // family points to null map, OK. // if column auth disabled, then also empty set is fine - if (LOG.isDebugEnabled()){ + if (LOG.isDebugEnabled()) { LOG.debug("RangerAuthorizationCoprocessor evaluateAccess: (No tags found for resource, "+ " all policies are * at column level for resource and "+ RangerHadoopConstants.HBASE_COLUMN_AUTH_OPTIMIZATION + @@ -524,7 +523,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation " Skipping Family level check, will do finer level access check."); } boolean isColumnAuthShortCircuitingEnabled = hbasePlugin.getPropertyIsColumnAuthOptimizationEnabled(); - if (isColumnAuthShortCircuitingEnabled){ + if (isColumnAuthShortCircuitingEnabled) { session.column(null) .resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_AND_ALL_DESCENDANTS) .buildRequest() @@ -533,10 +532,10 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation AuthzAuditEvent auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // reset ResourceMatchingScope to SELF session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF); - if (LOG.isDebugEnabled()){ + if (LOG.isDebugEnabled()) { LOG.debug("evaluateAccess: isColumnAuthShortCircuitingEnabled=true, isColumnFamilyAndDescendantsAuthorized={}",isColumnFamilyAndDescendantsAuthorized); } - if (isColumnFamilyAndDescendantsAuthorized){ + if (isColumnFamilyAndDescendantsAuthorized) { familesFullyAuthorized.add(family); if (auditEvent != null) { if (LOG.isDebugEnabled()) { @@ -1953,7 +1952,7 @@ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAcc return ret; } @Override - public void setPolicies(ServicePolicies policies){ + public void setPolicies(ServicePolicies policies) { super.setPolicies(policies); this.serviceConfigs = policies.getServiceConfig(); this.isColumnAuthOptimizationEnabled = Boolean.parseBoolean(this.serviceConfigs.get(RangerHadoopConstants.HBASE_COLUMN_AUTH_OPTIMIZATION)); diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java index 84687afd27..5da8fbb871 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java @@ -89,15 +89,12 @@ public ReturnCode filterKeyValue(Cell kv) throws IOException { boolean authCheckNeeded = false; if (family == null) { LOG.warn("filterKeyValue: Unexpected - null/empty family! Access denied!"); - } - else if (_familiesAccessDenied.contains(family)) { + } else if (_familiesAccessDenied.contains(family)) { LOG.debug("filterKeyValue: family found in access denied families cache. Access denied."); - } - else if (_session.getPropertyIsColumnAuthOptimizationEnabled() && _familiesFullyAuthorized.contains(family)){ + } else if (_session.getPropertyIsColumnAuthOptimizationEnabled() && _familiesFullyAuthorized.contains(family)){ LOG.debug("filterKeyValue: ColumnAuthOptimizationEnabled and family found in fully authorized families cache. Column authorization is not required"); result = ReturnCode.INCLUDE; - } - else if (_columnsAccessAllowed.containsKey(family)) { + } else if (_columnsAccessAllowed.containsKey(family)) { LOG.debug("filterKeyValue: family found in column level access results cache."); if (_columnsAccessAllowed.get(family).contains(column)) { LOG.debug("filterKeyValue: family/column found in column level access results cache. Access allowed."); @@ -114,6 +111,7 @@ else if (_columnsAccessAllowed.containsKey(family)) { } else { LOG.warn("filterKeyValue: Unexpected - alien family encountered that wasn't seen by pre-hook! Access Denied.!"); } + if (authCheckNeeded) { LOG.debug("filterKeyValue: Checking authorization..."); _session.columnFamily(family) diff --git a/hbase-agent/src/test/resources/hbase-policies.json b/hbase-agent/src/test/resources/hbase-policies.json index cc6b5bbf1c..b217992fdf 100644 --- a/hbase-agent/src/test/resources/hbase-policies.json +++ b/hbase-agent/src/test/resources/hbase-policies.json @@ -247,316 +247,99 @@ "version": 1 }, { - "service": "cl1_hbase", - "name": "TempPolicyForOptimizedColAuth", - "policyType": 0, - "description": "", - "isAuditEnabled": true, + "service": "cl1_hbase", "name": "TempPolicyForOptimizedColAuth", "policyType": 0, "description": "", "isAuditEnabled": true, "resources": { - "column-family": { - "values": [ - "colfam1" - ], - "isExcludes": false, - "isRecursive": false - }, - "column": { - "values": [ - "col1" - ], - "isExcludes": false, - "isRecursive": false - }, - "table": { - "values": [ - "temp6" - ], - "isExcludes": false, - "isRecursive": false - } + "column-family": {"values": ["colfam1"], "isExcludes": false, "isRecursive": false }, + "column": {"values": ["col1"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["temp6"], "isExcludes": false, "isRecursive": false} }, "policyItems": [ { "accesses": [ - { - "type": "read", - "isAllowed": true - }, - { - "type": "write", - "isAllowed": true - }, - { - "type": "execute", - "isAllowed": true - } - ], - "users": [], - "groups": [ - "IT" + {"type": "read", "isAllowed": true}, + {"type": "write", "isAllowed": true}, + {"type": "execute", "isAllowed": true} ], - "conditions": [], - "delegateAdmin": false + "users": [], "groups": ["IT"], "conditions": [], "delegateAdmin": false } ], - "denyPolicyItems": [], - "allowExceptions": [], - "denyExceptions": [], - "dataMaskPolicyItems": [], - "rowFilterPolicyItems": [], - "id": 101, - "isEnabled": true, - "version": 1 + "id": 101, "isEnabled": true, "version": 1 }, { - "service": "cl1_hbase", - "name": "AllowColFamWhenColDeniedForOptimized", - "policyType": 0, - "description": "", - "isAuditEnabled": true, + "service": "cl1_hbase", "name": "AllowColFamWhenColDeniedForOptimized", "policyType": 0, "description": "", "isAuditEnabled": true, "resources": { - "column-family": { - "values": [ - "colfam1" - ], - "isExcludes": false, - "isRecursive": false - }, - "column": { - "values": [ - "*" - ], - "isExcludes": false, - "isRecursive": false - }, - "table": { - "values": [ - "temp7" - ], - "isExcludes": false, - "isRecursive": false - } + "column-family": {"values": ["colfam1"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["temp7"], "isExcludes": false, "isRecursive": false} }, "policyItems": [ { "accesses": [ - { - "type": "read", - "isAllowed": true - }, - { - "type": "write", - "isAllowed": true - }, - { - "type": "execute", - "isAllowed": true - } + {"type": "read", "isAllowed": true}, + {"type": "write", "isAllowed": true}, + {"type": "execute", "isAllowed": true} ], - "users": [], - "groups": [ - "IT" - ], - "conditions": [], - "delegateAdmin": false + "users": [], "groups": ["IT"], "conditions": [], "delegateAdmin": false } ], - "denyPolicyItems": [], - "allowExceptions": [], - "denyExceptions": [], - "dataMaskPolicyItems": [], - "rowFilterPolicyItems": [], - "id": 102, - "isEnabled": true, - "version": 1 + "id": 102, "isEnabled": true, "version": 1 }, { - "service": "cl1_hbase", - "name": "DenyColWhenColFamAllowedForOptimizedCheck", - "policyType": 0, - "description": "", - "isAuditEnabled": true, + "service": "cl1_hbase", "name": "DenyColWhenColFamAllowedForOptimizedCheck", "policyType": 0, "description": "", "isAuditEnabled": true, "resources": { - "column-family": { - "values": [ - "colfam1" - ], - "isExcludes": false, - "isRecursive": false - }, - "column": { - "values": [ - "col1" - ], - "isExcludes": false, - "isRecursive": false - }, - "table": { - "values": [ - "temp7" - ], - "isExcludes": false, - "isRecursive": false - } + "column-family": {"values": ["colfam1"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["col1"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["temp7"], "isExcludes": false, "isRecursive": false} }, - "policyItems": [ - ], "denyPolicyItems": [ { "accesses": [ - { - "type": "read", - "isAllowed": true - }, - { - "type": "write", - "isAllowed": true - }, - { - "type": "execute", - "isAllowed": true - } - ], - "users": [], - "groups": [ - "IT" + {"type": "read", "isAllowed": true}, + {"type": "write", "isAllowed": true}, + {"type": "execute", "isAllowed": true} ], - "conditions": [], - "delegateAdmin": false + "users": [], "groups": ["IT"], "conditions": [], "delegateAdmin": false } ], - "allowExceptions": [], - "denyExceptions": [], - "dataMaskPolicyItems": [], - "rowFilterPolicyItems": [], - "id": 103, - "isEnabled": true, - "version": 1 + "id": 103, "isEnabled": true, "version": 1 }, { - "service": "cl1_hbase", - "name": "PolicyForAllowColumnFamilyForScan", - "policyType": 0, - "description": "", - "isAuditEnabled": true, + "service": "cl1_hbase", "name": "PolicyForAllowColumnFamilyForScan", "policyType": 0, "description": "", "isAuditEnabled": true, "resources": { - "column-family": { - "values": [ - "colfam1" - ], - "isExcludes": false, - "isRecursive": false - }, - "column": { - "values": [ - "*" - ], - "isExcludes": false, - "isRecursive": false - }, - "table": { - "values": [ - "temp8" - ], - "isExcludes": false, - "isRecursive": false - } + "column-family": {"values": ["colfam1"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["temp8"], "isExcludes": false, "isRecursive": false} }, "policyItems": [ { "accesses": [ - { - "type": "read", - "isAllowed": true - }, - { - "type": "write", - "isAllowed": true - }, - { - "type": "execute", - "isAllowed": true - } + {"type": "read", "isAllowed": true}, + {"type": "write", "isAllowed": true}, + {"type": "execute", "isAllowed": true} ], - "users": [], - "groups": [ - "IT","IT2" - ], - "conditions": [], - "delegateAdmin": false + "users": [], "groups": ["IT","IT2"], "conditions": [], "delegateAdmin": false } ], - "denyPolicyItems": [], - "allowExceptions": [], - "denyExceptions": [], - "dataMaskPolicyItems": [], - "rowFilterPolicyItems": [], - "id": 104, - "isEnabled": true, - "version": 1 + "id": 104, "isEnabled": true, "version": 1 }, { - "service": "cl1_hbase", - "name": "PolicyForDenyColumnForScan", - "policyType": 0, - "description": "", - "isAuditEnabled": true, + "service": "cl1_hbase", "name": "PolicyForDenyColumnForScan", "policyType": 0, "description": "", "isAuditEnabled": true, "resources": { - "column-family": { - "values": [ - "colfam1" - ], - "isExcludes": false, - "isRecursive": false - }, - "column": { - "values": [ - "col1" - ], - "isExcludes": false, - "isRecursive": false - }, - "table": { - "values": [ - "temp8" - ], - "isExcludes": false, - "isRecursive": false - } + "column-family": {"values": ["colfam1"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["col1"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["temp8"], "isExcludes": false, "isRecursive": false} }, - "policyItems": [ - ], "denyPolicyItems": [ { "accesses": [ - { - "type": "read", - "isAllowed": true - }, - { - "type": "write", - "isAllowed": true - }, - { - "type": "execute", - "isAllowed": true - } - ], - "users": [], - "groups": [ - "IT" + {"type": "read", "isAllowed": true}, + {"type": "write", "isAllowed": true}, + {"type": "execute", "isAllowed": true} ], - "conditions": [], - "delegateAdmin": false + "users": [], "groups": ["IT"], "conditions": [], "delegateAdmin": false } ], - "allowExceptions": [], - "denyExceptions": [], - "dataMaskPolicyItems": [], - "rowFilterPolicyItems": [], - "id": 105, - "isEnabled": true, - "version": 1 + "id": 105, "isEnabled": true, "version": 1 } ], "serviceDef": {