
Example 11 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class RangerHivePlugin method grantPrivileges.

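/**
 * Grants privileges to the given principals on a Hive object by forwarding the
 * request to Ranger as a {@link GrantRevokeRequest}.
 *
 * GRANT/REVOKE is only honoured when the plugin has been configured to let Hive
 * statements update Ranger policies ({@code UpdateXaPoliciesOnGrantRevoke});
 * otherwise the call is refused so that Ranger Admin stays the single place
 * where access control is managed.
 *
 * @param hivePrincipals   principals that receive the privileges
 * @param hivePrivileges   privileges being granted
 * @param hivePrivObject   the Hive object the grant applies to (becomes the only
 *                         output resource of the GRANT_PRIVILEGE operation)
 * @param grantorPrincipal principal issuing the GRANT; passed through to
 *                         createGrantRevokeData — presumably the identity Ranger
 *                         checks for the right to grant, verify server-side
 * @param grantOption      WITH GRANT OPTION flag; passed through to
 *                         createGrantRevokeData (mapping to Ranger's delegate-admin
 *                         is not visible here — confirm)
 * @throws HiveAuthzPluginException   if grant/revoke handling is disabled for this plugin
 * @throws HiveAccessControlException if building or submitting the request fails;
 *                                    any exception raised inside the try block is
 *                                    wrapped here with its cause preserved
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        // Separators added: the previous message ran the field labels and values together.
        LOG.debug("grantPrivileges() => HivePrivilegeObject: " + toString(hivePrivObject, new StringBuilder())
                + ", grantorPrincipal: " + grantorPrincipal
                + ", hivePrincipals: " + hivePrincipals
                + ", hivePrivileges: " + hivePrivileges);
    }
    // Refuse to act unless the deployment explicitly opted in to Hive-driven policy updates.
    if (!RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
        throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
    }
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    try {
        List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
        RangerHiveResource resource = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, null, outputs);
        GrantRevokeRequest request = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);
        // One INFO record per grant is enough; the DEBUG line that repeated the
        // identical text was dropped (DEBUG enabled implies INFO enabled).
        LOG.info("grantPrivileges(): " + request);
        hivePlugin.grantAccess(request, auditHandler);
    } catch (Exception excp) {
        // Covers request construction and the Ranger call alike; the cause is kept.
        throw new HiveAccessControlException(excp);
    } finally {
        // Audit records are flushed whether or not the grant succeeded.
        auditHandler.flushAudit();
    }
}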

Example 12 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class RangerHBasePlugin method createGrantData.

/**
 * Translates an HBase {@code GrantRequest} into a Ranger {@link GrantRevokeRequest}.
 *
 * The grantee is taken from the HBase user permission (a name starting with
 * {@code GROUP_PREFIX} is sent as a group, anything else as a user), the grantor
 * from the currently active HBase user, and the permission type/actions are
 * mapped onto Ranger's table / column-family / column resource and access types.
 * Resource components HBase leaves unspecified become the Ranger wildcard, so a
 * Global grant is sent with the wildcard for table, column family and column.
 *
 * Security-relevant mappings a reviewer should be aware of:
 * - replaceExistingPermissions is always TRUE, i.e. the grant overwrites whatever
 *   the grantee already had on that resource rather than adding to it.
 * - HBase ADMIN ('A') is sent as Ranger ACCESS_TYPE_ADMIN and additionally sets
 *   delegateAdmin=TRUE; presumably this lets the grantee administer the resulting
 *   policy themselves — confirm against Ranger Admin's handling.
 * - Whether the grantor is entitled to issue this grant is NOT checked here; that
 *   decision is left to the consumer of the request (Ranger Admin, presumably).
 * - If no active user can be resolved, grantor and grantorGroups are sent as null.
 *
 * @param request the HBase grant request as received over the coprocessor protocol
 * @return the populated Ranger request, never null
 * @throws Exception if the permission, user name or action list is missing, or if no
 *                   namespace/table/column-family/qualifier could be derived
 */
private GrantRevokeRequest createGrantData(AccessControlProtos.GrantRequest request) throws Exception {
    // Null-safe unpacking; a missing permission or user is rejected explicitly below
    // instead of surfacing as a NullPointerException.
    AccessControlProtos.UserPermission up = request.getUserPermission();
    AccessControlProtos.Permission perm = up == null ? null : up.getPermission();
    UserPermission userPerm = up == null ? null : AccessControlUtil.toUserPermission(up);
    Permission.Action[] actions = userPerm == null ? null : userPerm.getPermission().getActions();
    String userName = userPerm == null ? null : userPerm.getUser();
    String nameSpace = null;
    String tableName = null;
    String colFamily = null;
    String qualifier = null;
    // Fail closed: an incomplete grant must not turn into an empty or over-broad policy.
    if (perm == null) {
        throw new Exception("grant(): invalid data - permission is null");
    }
    if (StringUtil.isEmpty(userName)) {
        throw new Exception("grant(): invalid data - username empty");
    }
    if ((actions == null) || (actions.length == 0)) {
        throw new Exception("grant(): invalid data - no action specified");
    }
    switch(perm.getType()) {
        case Global:
            // Cluster-wide grant: no resource scoping at all.
            tableName = colFamily = qualifier = RangerHBaseResource.WILDCARD;
            break;
        case Table:
            // The cast assumes toUserPermission() yields a TablePermission whenever the
            // proto type is Table; this is not verified here.
            TablePermission tablePerm = (TablePermission) userPerm.getPermission();
            tableName = Bytes.toString(tablePerm.getTableName().getName());
            colFamily = Bytes.toString(tablePerm.getFamily());
            qualifier = Bytes.toString(tablePerm.getQualifier());
            break;
        case Namespace:
            NamespacePermission namepsacePermission = (NamespacePermission) userPerm.getPermission();
            nameSpace = namepsacePermission.getNamespace();
            break;
    }
    // Any permission type not handled above leaves every component empty; reject it
    // rather than sending a request with no resource.
    if (StringUtil.isEmpty(nameSpace) && StringUtil.isEmpty(tableName) && StringUtil.isEmpty(colFamily) && StringUtil.isEmpty(qualifier)) {
        throw new Exception("grant(): namespace/table/columnFamily/columnQualifier not specified");
    }
    // Components HBase did not narrow widen to the Ranger wildcard.
    tableName = StringUtil.isEmpty(tableName) ? RangerHBaseResource.WILDCARD : tableName;
    colFamily = StringUtil.isEmpty(colFamily) ? RangerHBaseResource.WILDCARD : colFamily;
    qualifier = StringUtil.isEmpty(qualifier) ? RangerHBaseResource.WILDCARD : qualifier;
    if (!StringUtil.isEmpty(nameSpace)) {
        // Namespace grants are encoded as "<namespace><separator><table>".
        tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName;
    }
    // Grantor identity comes from the active HBase user, not from the request payload.
    User activeUser = getActiveUser(null);
    String grantor = activeUser != null ? activeUser.getShortName() : null;
    String[] groups = activeUser != null ? activeUser.getGroupNames() : null;
    Set<String> grantorGroups = null;
    if (groups != null && groups.length > 0) {
        grantorGroups = new HashSet<>(Arrays.asList(groups));
    }
    Map<String, String> mapResource = new HashMap<String, String>();
    mapResource.put(RangerHBaseResource.KEY_TABLE, tableName);
    mapResource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily);
    mapResource.put(RangerHBaseResource.KEY_COLUMN, qualifier);
    GrantRevokeRequest ret = new GrantRevokeRequest();
    ret.setGrantor(grantor);
    ret.setGrantorGroups(grantorGroups);
    // delegateAdmin defaults to FALSE and is only raised by an ADMIN action below;
    // the grant always replaces the grantee's existing permissions on the resource.
    ret.setDelegateAdmin(Boolean.FALSE);
    ret.setEnableAudit(Boolean.TRUE);
    ret.setReplaceExistingPermissions(Boolean.TRUE);
    ret.setResource(mapResource);
    // Client and remote address are both the direct peer address; proxy-forwarded
    // addresses are not populated (see TODO), so audit shows the proxy if one is used.
    ret.setClientIPAddress(getRemoteAddress());
    // TODO: Need to check with Knox proxy how they handle forwarded add.
    ret.setForwardedAddresses(null);
    ret.setRemoteIPAddress(getRemoteAddress());
    // Raw proto text of the user permission, kept for audit/diagnostics.
    ret.setRequestData(up.toString());
    if (userName.startsWith(GROUP_PREFIX)) {
        ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
    } else {
        ret.getUsers().add(userName);
    }
    for (Permission.Action action : actions) {
        switch(action.code()) {
            case 'R':
                ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_READ);
                break;
            case 'W':
                ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
                break;
            case 'C':
                ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
                break;
            case 'A':
                // ADMIN also grants delegate-admin in Ranger — a privilege escalation
                // path by design; the grantor's right to hand this out is checked elsewhere.
                ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
                ret.setDelegateAdmin(Boolean.TRUE);
                break;
            case 'X':
                ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
                break;
            default:
                // Unknown action codes are dropped (with a warning), not rejected.
                LOG.warn("grant(): ignoring action '" + action.name() + "' for user '" + userName + "'");
        }
    }
    return ret;
}

Example 13 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class TestServiceUtil method testToGrantRevokeRequestForHive.

/**
 * ServiceUtil.toGrantRevokeRequest should map a Hive VXPolicy onto a
 * GrantRevokeRequest: grantor and the database/table/column resource are carried
 * across, auditing is on, the request is non-recursive, and existing permissions
 * are replaced (the policy's replacePerm flag).
 */
@Test
public void testToGrantRevokeRequestForHive() throws Exception {
    final String serviceName = "hive";
    final String grantorName = "rangerAdmin";

    Map<String, String> expectedResource = new HashMap<>();
    expectedResource.put("database", "myDatabase");
    expectedResource.put("table", "myTable");
    expectedResource.put("column", "myColumn");

    GrantRevokeRequest expected = new GrantRevokeRequest();
    expected.setGrantor(grantorName);
    expected.setEnableAudit(true);
    expected.setIsRecursive(false);
    expected.setReplaceExistingPermissions(true);
    expected.setResource(expectedResource);

    // The service lookup is stubbed so the conversion can resolve the repository.
    RangerService hiveService = new RangerService();
    hiveService.setId(1L);
    hiveService.setName("hiveService");
    hiveService.setIsEnabled(true);
    hiveService.setType("hive");
    Mockito.when(svcStore.getServiceByName(serviceName)).thenReturn(hiveService);

    VXPolicy policy = new VXPolicy();
    policy.setRepositoryName(serviceName);
    policy.setGrantor(grantorName);
    policy.setReplacePerm(true);
    policy.setDatabases("myDatabase");
    policy.setTables("myTable");
    policy.setColumns("myColumn");

    GrantRevokeRequest actual = serviceUtil.toGrantRevokeRequest(policy);

    Assert.assertNotNull(actual);
    Assert.assertTrue(actual.getEnableAudit());
    Assert.assertFalse(actual.getIsRecursive());
    Assert.assertTrue(actual.getReplaceExistingPermissions());
    Assert.assertEquals(expected.getGrantor(), actual.getGrantor());
    Assert.assertEquals(expected.getResource(), actual.getResource());
}

Example 14 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class TestAssetREST method testGrantPermission.

/**
 * AssetREST.grantPermission should convert the incoming VXPolicy via ServiceUtil,
 * pass the resulting GrantRevokeRequest to ServiceREST.grantAccess for the policy's
 * repository, and return the input policy unchanged.
 */
@Test
public void testGrantPermission() {
    RangerPolicy rangerPolicy = rangerPolicy(Id);
    RangerService rangerService = rangerService(Id);
    VXPolicy inputPolicy = vXPolicy(rangerPolicy, rangerService);

    // Fixture request returned by the stubbed converter; field values are arbitrary.
    GrantRevokeRequest grantRequest = new GrantRevokeRequest();
    grantRequest.setGrantor("read");
    grantRequest.setAccessTypes(null);
    grantRequest.setIsRecursive(true);
    grantRequest.setEnableAudit(true);
    grantRequest.setDelegateAdmin(true);

    RESTResponse restResponse = Mockito.mock(RESTResponse.class);
    Mockito.when(serviceUtil.toGrantRevokeRequest(inputPolicy)).thenReturn(grantRequest);
    try {
        Mockito.when(serviceREST.grantAccess(inputPolicy.getRepositoryName(), grantRequest, request)).thenReturn(restResponse);
    } catch (Exception e) {
        fail("test failed due to: " + e.getMessage());
    }

    VXPolicy returnedPolicy = assetREST.grantPermission(request, inputPolicy);

    Assert.assertEquals(inputPolicy, returnedPolicy);
    Mockito.verify(serviceUtil).toGrantRevokeRequest(inputPolicy);
    try {
        Mockito.verify(serviceREST).grantAccess(inputPolicy.getRepositoryName(), grantRequest, request);
    } catch (Exception e) {
        fail("test failed due to: " + e.getMessage());
    }
}

Example 15 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class TestAssetREST method testRevokePermission.

/**
 * AssetREST.revokePermission should convert the incoming VXPolicy via ServiceUtil,
 * pass the resulting GrantRevokeRequest to ServiceREST.revokeAccess for the policy's
 * repository, and return the input policy unchanged.
 */
@Test
public void testRevokePermission() {
    RangerPolicy rangerPolicy = rangerPolicy(Id);
    RangerService rangerService = rangerService(Id);
    VXPolicy inputPolicy = vXPolicy(rangerPolicy, rangerService);

    // Fixture request returned by the stubbed converter; field values are arbitrary.
    GrantRevokeRequest revokeRequest = new GrantRevokeRequest();
    revokeRequest.setGrantor("read");
    revokeRequest.setAccessTypes(null);
    revokeRequest.setIsRecursive(true);
    revokeRequest.setEnableAudit(true);
    revokeRequest.setDelegateAdmin(true);

    RESTResponse restResponse = Mockito.mock(RESTResponse.class);
    Mockito.when(serviceUtil.toGrantRevokeRequest(inputPolicy)).thenReturn(revokeRequest);
    try {
        Mockito.when(serviceREST.revokeAccess(inputPolicy.getRepositoryName(), revokeRequest, request)).thenReturn(restResponse);
    } catch (Exception e) {
        fail("test failed due to: " + e.getMessage());
    }

    VXPolicy returnedPolicy = assetREST.revokePermission(request, inputPolicy);

    Assert.assertEquals(inputPolicy, returnedPolicy);
    Mockito.verify(serviceUtil).toGrantRevokeRequest(inputPolicy);
    try {
        Mockito.verify(serviceREST).revokeAccess(inputPolicy.getRepositoryName(), revokeRequest, request);
    } catch (Exception e) {
        fail("test failed due to: " + e.getMessage());
    }
}
