Nihal Jain created HBASE-29143:
----------------------------------
Summary: Decouple the znode acl update logic from AccessController
to support external implementations like RangerAuthorizationCoprocessor
Key: HBASE-29143
URL: https://issues.apache.org/jira/browse/HBASE-29143
Project: HBase
Issue Type: Improvement
Components: acl
Reporter: Nihal Jain
Assignee: Anchal Kejriwal
*Description*
The HBase
_[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
has hooks to update Zookeeper (zk) with ACL permissions, which are used to
perform validations across various parts of the code.
For example, whenever a new record is added in ACL with a new permission, it is
synchronized with the znode via the
[{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
call.
The problem arises when a custom implementation of {_}AccessController{_}, such
as
{_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
is used. In this case, attempting to perform certain operations, like adding
an rsgroup, fails because
_[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
requires global permissions, as enforced by
_[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._
Below is a sample stack trace for the 2.6 code path:
{code:java}
org.apache.hadoop.hbase.security.AccessDeniedException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'nihaljain' (global, action=ADMIN)
at
org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
at
org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
at
org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
at
org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
at
org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
at
org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
This issue occurs because zk ACL data is only updated via
{_}AccessController{_}, and hence global permission data is not available for
Ranger. Consequently, there is no way to provide permissions to a user to work
through this for _RangerAuthorizationCoprocessor_ unless we copy logic from
_AccessController_ into Ranger, which is not ideal.
*Solution Proposal*
We should extract all the zk update logic into a new separate class, say
{_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the
coprocessor code path to preserve behavior. This can be achieved by setting
this new coprocessor at the ACL table level.
Systems dependent on external coprocessors like
_RangerAuthorizationCoprocessor_ can either:
* Chain it in the coprocessor code path by setting this new coprocessor at the
ACL table level.
* Or, set the zk coprocessor as a preceding coprocessor to
`RangerAuthorizationCoprocessor` in configurations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
