[jira] [Updated] (HBASE-29143) Decouple the znode acl update logic from AccessController to support external implementations like RangerAuthorizationCoprocessor

[Nihal Jain (Jira)]

     [ 
https://issues.apache.org/jira/browse/HBASE-29143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nihal Jain updated HBASE-29143:
-------------------------------
    Component/s: security

> Decouple the znode acl update logic from AccessController to support external 
> implementations like RangerAuthorizationCoprocessor
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-29143
>                 URL: https://issues.apache.org/jira/browse/HBASE-29143
>             Project: HBase
>          Issue Type: Improvement
>          Components: acl, security
>            Reporter: Nihal Jain
>            Assignee: Anchal Kejriwal
>            Priority: Major
>
> The HBase 
> _[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
>  has hooks to update Zookeeper (zk) with ACL permissions, which are used to 
> perform validations across various parts of the code.
> For example, whenever a new record is added in ACL with a new permission, it 
> is synchronized with the znode via the 
> [{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
>  call.
> The problem arises when a custom implementation of {_}AccessController{_}, 
> such as 
> {_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
>  is used. In this case, attempting to perform certain operations, like adding 
> an rsgroup, fails because 
> _[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
>  requires global permissions, as enforced by 
> _[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._
> Below is a sample stack trace for the 2.6 code path:
> {code:java}
> org.apache.hadoop.hbase.security.AccessDeniedException: 
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
> permissions for user 'nihaljain' (global, action=ADMIN)
>   at 
> org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
>   at 
> org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
>   at 
> org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
>   at 
> org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
>   at 
> org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
>   at 
> org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
>   at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
>   at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
>   at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
>   at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
> This issue occurs because zk ACL data is only updated via 
> {_}AccessController{_}, and hence global permission data is not available for 
> Ranger. Consequently, there is no way to provide permissions to a user to 
> work through this for _RangerAuthorizationCoprocessor_ unless we copy logic 
> from _AccessController_ into Ranger, which is not ideal.
>  
> *Solution Proposal*
> We should extract all the zk update logic into a new separate class, say 
> {_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the 
> coprocessor code path to preserve behavior. This can be achieved by setting 
> this new coprocessor at the ACL table level.
> Systems dependent on external coprocessors like 
> _RangerAuthorizationCoprocessor_ can either:
>  * Chain it in the coprocessor code path by setting this new coprocessor at 
> the ACL table level.
>  * Or, set the zk coprocessor as a preceding coprocessor to 
> _RangerAuthorizationCoprocessor_ in configurations.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)