
Example 16 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class TestServiceUtil method testToGrantRevokeRequestForPermMapList.

/**
 * Checks that {@code ServiceUtil.toGrantRevokeRequest()} maps a legacy {@code VXPolicy}
 * carrying one {@code VXPermObj} (one user, one group, one permission) onto a
 * {@code GrantRevokeRequest}: grantor, audit / recursive / replace flags, the user and
 * group membership, and the database/table/column resource map.
 */
@Test
public void testToGrantRevokeRequestForPermMapList() throws Exception {
    final String grantor     = "rangerAdmin";
    final String serviceName = "hive";

    // resource the policy's database/table/column fields are expected to resolve to
    Map<String, String> expectedResource = new HashMap<>();
    expectedResource.put("database", "myDatabase");
    expectedResource.put("table", "myTable");
    expectedResource.put("column", "myColumn");

    GrantRevokeRequest expected = new GrantRevokeRequest();
    expected.setGrantor(grantor);
    expected.setEnableAudit(true);
    expected.setIsRecursive(false);
    expected.setReplaceExistingPermissions(true);
    expected.setResource(expectedResource);

    // a single permission entry: user rangerAdmin and group rangerGroup with "Admin"
    List<String> users = new ArrayList<>();
    users.add(grantor);
    List<String> groups = new ArrayList<>();
    groups.add("rangerGroup");
    List<String> perms = new ArrayList<>();
    perms.add("Admin");

    VXPermObj permObj = new VXPermObj();
    permObj.setUserList(users);
    permObj.setGroupList(groups);
    permObj.setPermList(perms);

    List<VXPermObj> permMapList = new ArrayList<>();
    permMapList.add(permObj);

    VXPolicy policy = new VXPolicy();
    policy.setRepositoryName(serviceName);
    policy.setGrantor(grantor);
    policy.setReplacePerm(true);
    policy.setDatabases("myDatabase");
    policy.setTables("myTable");
    policy.setColumns("myColumn");
    policy.setPermMapList(permMapList);

    // the service the policy's repositoryName is looked up against
    RangerService hiveService = new RangerService();
    hiveService.setId(1L);
    hiveService.setName("hiveService");
    hiveService.setIsEnabled(true);
    hiveService.setType("hive");
    Mockito.when(svcStore.getServiceByName(serviceName)).thenReturn(hiveService);

    GrantRevokeRequest actual = serviceUtil.toGrantRevokeRequest(policy);

    Assert.assertNotNull(actual);
    Assert.assertTrue(actual.getEnableAudit());
    Assert.assertTrue(actual.getDelegateAdmin());
    Assert.assertFalse(actual.getIsRecursive());
    Assert.assertTrue(actual.getReplaceExistingPermissions());
    Assert.assertTrue(actual.getUsers().contains(grantor));
    Assert.assertTrue(actual.getGroups().contains("rangerGroup"));
    Assert.assertEquals(expected.getGrantor(), actual.getGrantor());
    Assert.assertEquals(expected.getResource(), actual.getResource());
}

Example 17 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class AssetREST method revokePermission.

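/**
 * Legacy revoke entry point. Converts the {@code VXPolicy} payload into a
 * {@code GrantRevokeRequest} and delegates to {@code ServiceREST.revokeAccess()} for the
 * service named by the policy's repositoryName. The caller receives the payload it sent,
 * not the delegate's {@code RESTResponse} (that is only written to the debug log).
 *
 * @param request  the servlet request, handed through to the delegate
 * @param vXPolicy the legacy policy payload; may be null
 * @return the {@code vXPolicy} that was passed in
 * @throws WebApplicationException when {@code vXPolicy} is null, or re-thrown / created
 *         when the delegate fails
 */
@POST
@Path("/resources/revoke")
@Produces({ "application/xml", "application/json" })
public VXPolicy revokePermission(@Context HttpServletRequest request, VXPolicy vXPolicy) {
    if (logger.isDebugEnabled()) {
        logger.debug("==> AssetREST.revokePermission(" + vXPolicy + ")");
    }

    if (vXPolicy == null) {
        // the status code and the text are separate tokens in the log line (was "400Bad Request parameter")
        logger.error(HttpServletResponse.SC_BAD_REQUEST + " Bad Request parameter");
        throw restErrorUtil.createRESTException("Bad Request parameter");
    }

    String             serviceName        = vXPolicy.getRepositoryName();
    GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy);
    RESTResponse       ret;

    try {
        ret = serviceREST.revokeAccess(serviceName, grantRevokeRequest, request);
    } catch (WebApplicationException excp) {
        // already a REST-mapped failure: pass it through unchanged
        throw excp;
    } catch (Exception e) {
        // Exception rather than Throwable: JVM Errors (OOM, linkage) must not be reported to the client as a bad request.
        logger.error(HttpServletResponse.SC_BAD_REQUEST + " Revoke Access Failed for the request " + vXPolicy, e);
        // NOTE(review): the delegate's exception message is echoed to the client; confirm it never carries internal detail
        throw restErrorUtil.createRESTException("Revoke Access Failed for the request: " + vXPolicy + ". " + e.getMessage());
    }

    if (logger.isDebugEnabled()) {
        logger.debug("<== AssetREST.revokePermission(" + ret + ")");
    }

    return vXPolicy;
}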

Example 18 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class RangerHBasePlugin method revoke.

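/**
 * HBase coprocessor hook for {@code revoke}. When {@code UpdateRangerPoliciesOnGrantRevoke}
 * is set, the HBase {@code RevokeRequest} is translated by {@link #createRevokeData} into a
 * {@code GrantRevokeRequest} and pushed to Ranger through {@code revokeAccess()}; otherwise
 * nothing is done. Any failure is attached to the {@code controller} and the callback is
 * completed with {@code null}; success completes it with the default {@code RevokeResponse}.
 *
 * @param controller RPC controller that receives the failure, if any
 * @param request    the HBase revoke request
 * @param done       callback invoked exactly once with the response (or null on failure)
 */
@Override
public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request, RpcCallback<AccessControlProtos.RevokeResponse> done) {
    boolean isSuccess = false;

    if (UpdateRangerPoliciesOnGrantRevoke) {
        try {
            GrantRevokeRequest grData = createRevokeData(request);
            // Snapshot the plugin reference once and use only the snapshot: the field can be cleared
            // concurrently, and re-reading it for getConfig() after the null check would NPE.
            RangerHBasePlugin plugin = hbasePlugin;

            if (plugin != null) {
                RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler(plugin.getConfig());
                plugin.revokeAccess(grData, auditHandler);
                isSuccess = true;
            }
        } catch (AccessControlException excp) {
            LOG.warn("revoke() failed", excp);
            ResponseConverter.setControllerException(controller, new AccessDeniedException(excp));
        } catch (IOException excp) {
            LOG.warn("revoke() failed", excp);
            ResponseConverter.setControllerException(controller, excp);
        } catch (Exception excp) {
            LOG.warn("revoke() failed", excp);
            ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
        }
    }

    AccessControlProtos.RevokeResponse response = isSuccess ? AccessControlProtos.RevokeResponse.getDefaultInstance() : null;
    done.run(response);
}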

Example 19 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class RangerHBasePlugin method createRevokeData.

/**
 * Builds the Ranger {@code GrantRevokeRequest} that corresponds to an HBase revoke.
 *
 * The HBase user permission is mapped to a table / column-family / column resource
 * (namespace-scoped permissions are encoded as {@code namespace<SEP>table}, missing
 * parts become {@code WILDCARD}), the grantor is the currently active user, and the
 * request asks for every HBase access type so that the revoke strips all permissions,
 * including delegate-admin.
 *
 * @param request the HBase revoke request
 * @return the populated request; never null
 * @throws Exception when the permission is missing, the user name is empty, or no
 *         table / column family / column qualifier could be derived from it
 */
private GrantRevokeRequest createRevokeData(AccessControlProtos.RevokeRequest request) throws Exception {
    AccessControlProtos.UserPermission protoUserPerm = request.getUserPermission();
    AccessControlProtos.Permission     protoPerm     = (protoUserPerm != null) ? protoUserPerm.getPermission() : null;
    UserPermission                     userPerm      = (protoUserPerm != null) ? AccessControlUtil.toUserPermission(protoUserPerm) : null;
    String                             userName      = (userPerm != null) ? userPerm.getUser() : null;

    if (protoPerm == null) {
        throw new Exception("revoke(): invalid data - permission is null");
    }

    if (StringUtil.isEmpty(userName)) {
        throw new Exception("revoke(): invalid data - username empty");
    }

    String nameSpace = null;
    String tableName = null;
    String colFamily = null;
    String qualifier = null;

    switch (protoPerm.getType()) {
        case Global:
            tableName = RangerHBaseResource.WILDCARD;
            colFamily = RangerHBaseResource.WILDCARD;
            qualifier = RangerHBaseResource.WILDCARD;
            break;

        case Table: {
            TablePermission tablePerm = (TablePermission) userPerm.getPermission();

            tableName = Bytes.toString(tablePerm.getTableName().getName());
            colFamily = Bytes.toString(tablePerm.getFamily());
            qualifier = Bytes.toString(tablePerm.getQualifier());
            break;
        }

        case Namespace: {
            NamespacePermission nsPerm = (NamespacePermission) userPerm.getPermission();

            nameSpace = nsPerm.getNamespace();
            break;
        }
    }

    boolean nothingSpecified = StringUtil.isEmpty(nameSpace)
                            && StringUtil.isEmpty(tableName)
                            && StringUtil.isEmpty(colFamily)
                            && StringUtil.isEmpty(qualifier);

    if (nothingSpecified) {
        throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
    }

    // an unset part of the resource matches everything
    if (StringUtil.isEmpty(tableName)) {
        tableName = RangerHBaseResource.WILDCARD;
    }
    if (StringUtil.isEmpty(colFamily)) {
        colFamily = RangerHBaseResource.WILDCARD;
    }
    if (StringUtil.isEmpty(qualifier)) {
        qualifier = RangerHBaseResource.WILDCARD;
    }

    // namespace-scoped permissions are expressed through the table name
    if (!StringUtil.isEmpty(nameSpace)) {
        tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName;
    }

    // the grantor is whoever issued the revoke, with their group memberships
    User        activeUser    = getActiveUser(null);
    String      grantor       = null;
    Set<String> grantorGroups = null;

    if (activeUser != null) {
        grantor = activeUser.getShortName();

        String[] groupNames = activeUser.getGroupNames();

        if (groupNames != null && groupNames.length > 0) {
            grantorGroups = new HashSet<>(Arrays.asList(groupNames));
        }
    }

    Map<String, String> resource = new HashMap<String, String>();
    resource.put(RangerHBaseResource.KEY_TABLE, tableName);
    resource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily);
    resource.put(RangerHBaseResource.KEY_COLUMN, qualifier);

    GrantRevokeRequest ret = new GrantRevokeRequest();

    ret.setGrantor(grantor);
    ret.setGrantorGroups(grantorGroups);
    ret.setDelegateAdmin(Boolean.TRUE);               // revoke strips delegate-admin too
    ret.setEnableAudit(Boolean.TRUE);
    ret.setReplaceExistingPermissions(Boolean.TRUE);
    ret.setResource(resource);
    ret.setClientIPAddress(getRemoteAddress());
    ret.setForwardedAddresses(null);                  // TODO: check how the Knox proxy reports forwarded addresses
    ret.setRemoteIPAddress(getRemoteAddress());
    ret.setRequestData(protoUserPerm.toString());

    // an HBase "@group" principal is a group, anything else a user
    if (userName.startsWith(GROUP_PREFIX)) {
        ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
    } else {
        ret.getUsers().add(userName);
    }

    // a revoke removes every access type
    Set<String> accessTypes = ret.getAccessTypes();
    accessTypes.add(HbaseAuthUtils.ACCESS_TYPE_READ);
    accessTypes.add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
    accessTypes.add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
    accessTypes.add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
    accessTypes.add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);

    return ret;
}

Example 20 with GrantRevokeRequest

use of org.apache.ranger.plugin.util.GrantRevokeRequest in project ranger by apache.

the class RangerHBasePlugin method grant.

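/**
 * HBase coprocessor hook for {@code grant}. When {@code UpdateRangerPoliciesOnGrantRevoke}
 * is set, the HBase {@code GrantRequest} is translated by {@code createGrantData()} into a
 * {@code GrantRevokeRequest} and pushed to Ranger through {@code grantAccess()}; otherwise
 * nothing is done. Any failure is attached to the {@code controller} and the callback is
 * completed with {@code null}; success completes it with the default {@code GrantResponse}.
 *
 * @param controller RPC controller that receives the failure, if any
 * @param request    the HBase grant request
 * @param done       callback invoked exactly once with the response (or null on failure)
 */
@Override
public void grant(RpcController controller, AccessControlProtos.GrantRequest request, RpcCallback<AccessControlProtos.GrantResponse> done) {
    boolean isSuccess = false;

    if (UpdateRangerPoliciesOnGrantRevoke) {
        try {
            GrantRevokeRequest grData = createGrantData(request);
            // Snapshot the plugin reference once and use only the snapshot: the field can be cleared
            // concurrently, and re-reading it for getConfig() after the null check would NPE.
            RangerHBasePlugin plugin = hbasePlugin;

            if (plugin != null) {
                RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler(plugin.getConfig());
                plugin.grantAccess(grData, auditHandler);
                isSuccess = true;
            }
        } catch (AccessControlException excp) {
            LOG.warn("grant() failed", excp);
            ResponseConverter.setControllerException(controller, new AccessDeniedException(excp));
        } catch (IOException excp) {
            LOG.warn("grant() failed", excp);
            ResponseConverter.setControllerException(controller, excp);
        } catch (Exception excp) {
            LOG.warn("grant() failed", excp);
            ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
        }
    }

    AccessControlProtos.GrantResponse response = isSuccess ? AccessControlProtos.GrantResponse.getDefaultInstance() : null;
    done.run(response);
}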
