Repository: incubator-ranger Updated Branches: refs/heads/master 7d95b475b -> e20ad3d38
RANGER-1087: Hive authorizer to block updates when row-filter/column-mask is enabled for the user
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e20ad3d3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e20ad3d3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e20ad3d3
Branch: refs/heads/master
Commit: e20ad3d38435f84abfdc4c8fc54026e56b4f263f
Parents: 7d95b47
Author: Madhan Neethiraj <mad...@apache.org>
Authored: Thu Jul 7 17:41:13 2016 -0700
Committer: Madhan Neethiraj <mad...@apache.org>
Committed: Thu Jul 7 22:43:07 2016 -0700
----------------------------------------------------------------------
.../hadoop/constants/RangerHadoopConstants.java | 2 +
.../authorizer/RangerHiveAccessRequest.java | 23 ++++++-----
.../hive/authorizer/RangerHiveAuthorizer.java | 41 +++++++++++++++-----
3 files changed, 46 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e20ad3d3/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index 9a059b4..906a156 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -31,6 +31,8 @@ public class RangerHadoopConstants {
 public static final String HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP = "xasecure.hive.update.xapolicies.on.grant.revoke" ;
 public static final boolean HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
+ public static final String HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP = "xasecure.hive.block.update.if.rowfilter.columnmask.specified";
+ public static final boolean HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE = true;
 public static final String HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP = "xasecure.hbase.update.xapolicies.on.grant.revoke" ;
 public static final boolean HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e20ad3d3/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index ae83cf4..6f1c8a4 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -48,6 +48,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 this.setUserGroups(userGroups);
 this.setAccessTime(new Date());
 this.setAction(hiveOpTypeName);
+ this.setHiveAccessType(accessType);
 if(context != null) {
 this.setRequestData(context.getCommandString());
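Review bot: The new `HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP` / `..._DEFAULT_VALUE` pair carries no comment, and because setting the property to false re-opens a write path that row-filter and column-mask policies otherwise close, an operator reading this file needs to know what they would be switching off. I would add above the two new lines: `// When true (default), UPDATE-type access to a Hive table/view is denied for a user whose row-filter or column-mask policies mean they cannot see all rows or unmasked column values of it; set to false only to restore the previous, unrestricted behaviour.` The wording follows the denial reasons used in RangerHiveAuthorizer in this same commit; whether anything other than that authorizer reads the property is not visible here.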
@@ -59,16 +60,6 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 this.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
 this.setSessionId(sessionContext.getSessionString());
 }
-
- this.accessType = accessType;
-
- if(accessType == HiveAccessType.USE) {
- this.setAccessType(RangerPolicyEngine.ANY_ACCESS);
- } else if(accessType == HiveAccessType.ADMIN) {
- this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
- } else {
- this.setAccessType(accessType.name().toLowerCase());
- }
 }
 public RangerHiveAccessRequest(RangerHiveResource resource,
@@ -89,6 +80,18 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 return accessType;
 }
+ public void setHiveAccessType(HiveAccessType accessType) {
+ this.accessType = accessType;
+
+ if(accessType == HiveAccessType.USE) {
+ this.setAccessType(RangerPolicyEngine.ANY_ACCESS);
+ } else if(accessType == HiveAccessType.ADMIN) {
+ this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
+ } else {
+ this.setAccessType(accessType.name().toLowerCase());
+ }
+ }
+
 public RangerHiveAccessRequest copy() {
 RangerHiveAccessRequest ret = new RangerHiveAccessRequest();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e20ad3d3/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 86a6418..69fa293 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
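Review bot: `setHiveAccessType` is now a public mutator that must keep two fields in step (`accessType` and the inherited string access type), it is invoked from the constructor, and its `else` branch dereferences the argument, so `setHiveAccessType(null)` still fails with a NullPointerException from `accessType.name()` exactly as the old constructor code did; either reject it explicitly up front, `if(accessType == null) { throw new IllegalArgumentException("accessType"); }`, or document the non-null contract. A short Javadoc should also state that the authorizer relies on this method to temporarily re-label a request as SELECT for row-filter/mask evaluation and must restore the previous value afterwards, and that callers should not call the inherited `setAccessType(String)` directly because that would desynchronise the two fields. If RangerHiveAccessRequest is not final (its header is outside this hunk), calling a public non-final method from the constructor lets a subclass override run before the subclass is initialised; making the method final avoids that. The `copy()` that follows is outside the hunk, so I could not confirm it propagates the Hive access type as well.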
@@ -360,21 +360,22 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 } else {
 result = hivePlugin.isAccessAllowed(request, auditHandler);
- if(hiveOpType == HiveOperationType.EXPORT && result != null && result.getIsAllowed()) {
+ if(result != null && result.getIsAllowed() && blockAccessIfRowfilterColumnMaskSpecified(hiveOpType, request.getHiveAccessType())) {
+ // check if row-filtering or column-masking is applicable for the table/view being accessed
 RangerHiveResource res = (RangerHiveResource)request.getResource();
 if(res.getObjectType() == HiveObjectType.TABLE || res.getObjectType() == HiveObjectType.VIEW) {
+ HiveAccessType savedAccessType = request.getHiveAccessType();
+
+ request.setHiveAccessType(HiveAccessType.SELECT); // filtering/masking policies are defined only for SELECT
+
 RangerRowFilterResult rowFilterResult = getRowFilterResult(request);
 if (isRowFilterEnabled(rowFilterResult)) {
 result.setIsAllowed(false);
 result.setPolicyId(rowFilterResult.getPolicyId());
 result.setReason("User does not have acces to all rows of the table");
-
- auditHandler.processResult(result);
- }
-
- if(result.getIsAllowed()) {
+ } else {
 // check if masking is enabled for any column in the table/view
 request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
@@ -384,10 +385,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 result.setIsAllowed(false);
 result.setPolicyId(dataMaskResult.getPolicyId());
 result.setReason("User does not have acces to unmasked column values");
-
- auditHandler.processResult(result);
 }
 }
+
+ request.setHiveAccessType(savedAccessType);
+
+ if(! result.getIsAllowed()) {
+ auditHandler.processResult(result);
+ }
 }
 }
 }
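Review bot: The guard `res.getObjectType() == HiveObjectType.TABLE || res.getObjectType() == HiveObjectType.VIEW` means that a write whose resource is classified as anything else skips the row-filter/mask veto entirely, and the HiveObjectType enum in this file also has PARTITION and COLUMN; if the resource builder can yield a PARTITION resource for an INSERT/UPDATE target (that code is not in this diff), the new block would not apply to writes into a partition, which is worth confirming and, if so, normalising the resource to its table before the check. The comment on the SELECT re-labelling should also say why mutating the shared request is acceptable, e.g. `// filtering/masking policies are defined only for SELECT; the original access type is restored once the checks below complete`. The enclosing method starts before this hunk, so what else holds a reference to `request` is not visible here.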
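Review bot: `request.setHiveAccessType(savedAccessType);` runs only on the normal path, so if getRowFilterResult or getDataMaskResult throws, the request stays labelled SELECT for whatever the caller (outside the hunk) does with it afterwards, including any audit it emits; put the restore in a finally block, `try { … row-filter / mask checks … } finally { request.setHiveAccessType(savedAccessType); }`. The `ResourceMatchingScope.SELF_OR_DESCENDANTS` set in the else-branch is likewise never reset, although that part predates this change and may be intended. Moving `auditHandler.processResult(result)` to after the restore is an improvement because the denial is now audited with the original access type rather than SELECT, but it is worth a one-line comment so the ordering is not "simplified" later.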
@@ -1205,6 +1210,20 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 return requestedResources;
 }
+ private boolean blockAccessIfRowfilterColumnMaskSpecified(HiveOperationType hiveOpType, HiveAccessType accessType) {
+ boolean ret = hiveOpType == HiveOperationType.EXPORT;
+
+ if(! ret && accessType == HiveAccessType.UPDATE && hivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified) {
+ ret = true;
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("blockAccessIfRowfilterColumnMaskSpecified(" + hiveOpType + ", " + accessType + "): " + ret);
+ }
+
+ return ret;
+ }
+
 private String toString(HiveOperationType hiveOpType,
 List<HivePrivilegeObject> inputHObjs,
 List<HivePrivilegeObject> outputHObjs,
@@ -1271,7 +1290,8 @@ enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUN
 enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, ALL, ADMIN };
 class RangerHivePlugin extends RangerBasePlugin {
- public static boolean UpdateXaPoliciesOnGrantRevoke = RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE;
+ public static boolean UpdateXaPoliciesOnGrantRevoke = RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE;
+ public static boolean BlockUpdateIfRowfilterColumnMaskSpecified = RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE;
 public RangerHivePlugin(String appType) {
 super("hive", appType);
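Review bot: `hivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified` reads a static field through an instance reference (the field is declared `public static` in RangerHivePlugin later in this diff), which compiles but hides that this is process-wide configuration and is flagged by most Java linters; use `RangerHivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified`, as the `init()` hunk already does. The method also has no Javadoc; I would add one stating that it returns true when an already-allowed result must additionally be vetoed by row-filter/column-mask policies — always for EXPORT, and for `HiveAccessType.UPDATE` only while the `xasecure.hive.block.update.if.rowfilter.columnmask.specified` property is enabled — and noting that which HiveOperationTypes map to UPDATE is decided elsewhere (not in this diff), so a write operation mapped to another access type is not covered by this guard.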
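Review bot: `public static boolean BlockUpdateIfRowfilterColumnMaskSpecified` is a non-final, publicly writable static that gates a security check, written once from `init()` and read on every authorization; it mirrors the existing `UpdateXaPoliciesOnGrantRevoke`, but that shape lets any class in the JVM flip the guard and gives no visibility guarantee to the threads calling the authorizer. Without touching callers, `public static volatile boolean BlockUpdateIfRowfilterColumnMaskSpecified = ...;` closes the visibility gap; a `private static` field behind a getter would be the better shape if the sibling field is ever cleaned up as well. The name should also be lowerCamelCase (`blockUpdateIfRowfilterColumnMaskSpecified`) per Java convention, again subject to staying consistent with the sibling.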
@@ -1281,7 +1301,8 @@ class RangerHivePlugin extends RangerBasePlugin {
 public void init() {
 super.init();
- RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP, RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
+ RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP, RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
+ RangerHivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP, RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE);
 }
 }
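Review bot: Reading `HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP` silently means an operator who sets the property to false disables the new guard without leaving any trace, even though that relaxes what row-filter/column-mask policies enforce; log it at init, for example right after the new assignment: `if(! RangerHivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified) { LOG.warn("xasecure.hive.block.update.if.rowfilter.columnmask.specified=false: updates are NOT blocked for users with row-filter/column-mask policies"); }` — assuming this class has a logger, none is visible in the hunk. The two `getBoolean` lines are also far beyond any reasonable line length; splitting each call after the first argument would keep the property/default pairing readable.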