Repository: ranger Updated Branches: refs/heads/ranger-0.7 10d3513f3 -> 977a1611c
RANGER-1984: Hbase audit log records may not show all tags associated with accessed column
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/977a1611
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/977a1611
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/977a1611
Branch: refs/heads/ranger-0.7
Commit: 977a1611c6cfb9e8f8d4d26cf7f242c03efccc82
Parents: 10d3513
Author: Abhay Kulkarni <[email protected]>
Authored: Wed Sep 26 16:19:12 2018 -0700
Committer: Abhay Kulkarni <[email protected]>
Committed: Wed Sep 26 16:19:12 2018 -0700
----------------------------------------------------------------------
.../contextenricher/RangerTagForEval.java | 2 +-
.../RangerDefaultPolicyEvaluator.java | 2 +-
.../hbase/RangerAuthorizationCoprocessor.java | 49 +++++++++-----------
.../hbase/HBaseRangerAuthorizationTest.java | 10 ++--
4 files changed, 31 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/977a1611/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java
index b8f5b42..e31efa3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java
@@ -33,7 +33,7 @@ import java.util.Map;
 @JsonAutoDetect(fieldVisibility=JsonAutoDetect.Visibility.ANY)
 @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
-@JsonIgnoreProperties(ignoreUnknown=true, value="matchType")
+@JsonIgnoreProperties(ignoreUnknown=true)
 @XmlRootElement
 @XmlAccessorType(XmlAccessType.FIELD)
http://git-wip-us.apache.org/repos/asf/ranger/blob/977a1611/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 6126f60..213a25c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -184,7 +184,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
 isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
 } else {
- isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+ isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
 }
 if (isMatched) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/977a1611/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
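Review bot: Dropping `value="matchType"` from `@JsonIgnoreProperties` makes `matchType` part of the serialized form of every `RangerTagForEval`, because `fieldVisibility=ANY` on the line above exposes all fields, yet nothing in the hunk records why the field must now round-trip through JSON. A comment on the annotation would keep the exclusion from being re-added later, e.g. `// matchType is serialized on purpose: consumers need to know how each tag matched the resource (RANGER-1984)`. Consumers built before this change still parse the new payload since `ignoreUnknown=true` is kept, but any code that compares tag sets by their JSON form will now see the extra field; that code, if it exists, is outside this hunk and should be checked.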
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 038bf08..4c863c0 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -404,47 +404,33 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 if (columns == null || columns.isEmpty()) {
 LOG.debug("evaluateAccess: columns collection null or empty, ok. Family level access is desired.");
 session.column(null) // zap stale column from prior iteration of this loop, if any
- .buildRequest()
- .authorize();
+ .buildRequest()
+ .authorize();
 AuthzAuditEvent auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture it only for success
 if (session.isAuthorized()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("evaluateAccess: has family level access [" + family + "]");
- }
- // we need to do 3 things: housekeeping, decide about audit events, building the results cache for filter
 somethingIsAccessible = true;
- familesAccessAllowed.add(family);
- if (auditEvent != null) {
- LOG.debug("evaluateAccess: adding to family-level-access-granted-event-set");
- familyLevelAccessEvents.add(auditEvent);
- }
- } else {
- everythingIsAccessible = false;
- if (auditEvent != null && deniedEvent == null) { // we need to capture just one denial event
- LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
- deniedEvent = auditEvent;
- }
 if (LOG.isDebugEnabled()) {
- LOG.debug("evaluateAccess: no family level access [" + family + "]. Checking if has partial access (of any type)...");
+ LOG.debug("evaluateAccess: has family level access [" + family + "]. 
Checking if [" + family + "] descendants have access.");
 }
-
 session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)
 .buildRequest()
 .authorize();
 auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture it only for failure
 if (session.isAuthorized()) {
 if (LOG.isDebugEnabled()) {
- LOG.debug("evaluateAccess: has partial access (of some type) in family [" + family + "]");
+ LOG.debug("evaluateAccess: [" + family + "] descendants have access");
+ }
+ familesAccessAllowed.add(family);
+ if (auditEvent != null) {
+ LOG.debug("evaluateAccess: adding to family-level-access-granted-event-set");
+ familyLevelAccessEvents.add(auditEvent);
 }
- // we need to do 3 things: housekeeping, decide about audit events, building the results cache for filter
- somethingIsAccessible = true;
- familesAccessIndeterminate.add(family);
 } else {
 if (LOG.isDebugEnabled()) {
- LOG.debug("evaluateAccess: has no access of ["+ access + "] type in family [" + family + "]");
+ LOG.debug("evaluateAccess: has partial access (of some type) in family [" + family + "]");
 }
- familesAccessDenied.add(family);
- denialReason = String.format("Insufficient permissions for user â%s',action: %s, tableName:%s, family:%s.", user.getName(), operation, table, family);
+ everythingIsAccessible = false;
+ familesAccessIndeterminate.add(family);
 if (auditEvent != null && deniedEvent == null) { // we need to capture just one denial event
 LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
 deniedEvent = auditEvent;
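Review bot: The `SELF_OR_DESCENDANTS` probe is now reached only when the family-level `SELF`-scope check succeeded (`if (session.isAuthorized())` is followed directly by `somethingIsAccessible = true` and the descendant evaluation), and the `else` branch added in the next hunk (`@@ -452,6 +438,17 @@`) marks the family denied without running it, whereas the removed lines ran the descendant probe precisely in the failure case and put a family that is reachable only through more specific policies (e.g. on some of its columns) into `familesAccessIndeterminate`. If dropping that partial-access path is intended, a comment above the new `else` should say why; otherwise the descendant-scope evaluation needs to run on the failure side too before `familesAccessDenied.add(family)` is reached. The two `getAndDiscardMostRecentEvent()` comments are also inverted now: the first event (`// capture it only for success`) is used only as `deniedEvent` in that new `else`, because the success path overwrites it, while the second (`// capture it only for failure`) feeds both `familyLevelAccessEvents` and `deniedEvent`; suggest `// family-level event: consumed only if the SELF-scope check fails` and `// descendant-scope event: recorded on success, becomes the denial event on failure`. The enclosing method starts and ends outside the hunk.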
@@ -452,6 +438,17 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 }
 // Restore the headMatch setting
 session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("evaluateAccess: has no access of [" + access + "] type in family [" + family + "]");
+ }
+ everythingIsAccessible = false;
+ familesAccessDenied.add(family);
+ denialReason = String.format("Insufficient permissions for user â%s',action: %s, tableName:%s, family:%s.", user.getName(), operation, table, family);
+ if (auditEvent != null && deniedEvent == null) { // we need to capture just one denial event
+ LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
+ deniedEvent = auditEvent;
+ }
 }
 } else {
 LOG.debug("evaluateAccess: columns collection not empty. Skipping Family level check, will do finer level access check.");
http://git-wip-us.apache.org/repos/asf/ranger/blob/977a1611/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
index 7aec352..90e09ad 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
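Review bot: The `denialReason` format string in the added `else` has an unbalanced, apparently mis-encoded opening quote (`user â%s'` against an ASCII closing `'`); this may be an artifact of how the page was rendered, but if the source really carries that byte sequence the message that reaches the client and the audit trail is garbled. Since the line is moved here from the removed block of the previous hunk, the new location is the place to fix it: `denialReason = String.format("Insufficient permissions for user '%s', action: %s, tableName: %s, family: %s.", user.getName(), operation, table, family);`. The enclosing loop and method continue outside the hunk.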
@@ -317,8 +317,9 @@ public class HBaseRangerAuthorizationTest {
 // Read a row
 try {
 Get get = new Get(Bytes.toBytes("row1"));
- table.get(get);
- Assert.fail("Failure expected on an unauthorized user");
+ Result result = table.get(get);
+ byte[] valResult = result.getValue(Bytes.toBytes("colfam1"), Bytes.toBytes("col1"));
+ Assert.assertNull("Failure expected on an unauthorized user", valResult);
 } catch (IOException ex) {
 // expected
 }
@@ -526,8 +527,9 @@ public class HBaseRangerAuthorizationTest {
 // Read a row
 try {
 Get get = new Get(Bytes.toBytes("row1"));
- table.get(get);
- Assert.fail("Failure expected on an unauthorized user");
+ Result result = table.get(get);
+ byte[] valResult = result.getValue(Bytes.toBytes("colfam2"), Bytes.toBytes("col1"));
+ Assert.assertNull("Failure expected on an unauthorized user", valResult);
 } catch (IOException ex) {
 // expected
 }
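Review bot: The new assertion in both hunks (`@@ -317` and `@@ -526`) only checks that one cell (`colfam1:col1`, resp. `colfam2:col1`) is absent from the returned `Result`, so a regression that leaks any other cell of `row1` to the unauthorized user would still pass, and because the surrounding `catch (IOException ex)` is kept, the test also accepts an outright denial, so it no longer pins which of the two outcomes is the expected one. If the user is meant to see nothing from the row, `Assert.assertTrue("Unauthorized user must not see any cell of row1", result.isEmpty());` is the stricter check; if the user is expected to see other columns, a second assertion on one such column would document that. The message `"Failure expected on an unauthorized user"` no longer describes the assertion and should be reworded, e.g. `"Unauthorized user must not see colfam1:col1"`. The policy set-up that decides which reading is right is outside these hunks.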
