[
https://issues.apache.org/jira/browse/HBASE-29143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nihal Jain updated HBASE-29143:
-------------------------------
Description:
The HBase
_[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
has hooks to update Zookeeper (zk) with ACL permissions, which are used to
perform validations across various parts of the code.
For example, whenever a new record is added in ACL with a new permission, it is
synchronized with the znode via the
[{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
call.
The problem arises when a custom implementation of {_}AccessController{_}, such
as
{_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
is used. In this case, attempting to perform certain operations, like adding
an rsgroup, fails (for any non super user) because
_[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
requires global permissions, as enforced by
_[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._
Below is a sample stack trace for the 2.6 code path:
{code:java}
org.apache.hadoop.hbase.security.AccessDeniedException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'nihaljain' (global, action=ADMIN)
at
org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
at
org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
at
org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
at
org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
at
org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
at
org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
This issue occurs because zk ACL data is only updated via
{_}AccessController{_}, and hence global permission data is not available for
Ranger. Consequently, there is no way to provide permissions to a user to work
through this for _RangerAuthorizationCoprocessor_ unless we copy zk updation
logic from _AccessController_ into Ranger, which is not ideal and not
maintainable in long run.
*Solution Proposal*
We should extract all the zk update logic into a new separate class, say
{_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the
coprocessor code path to preserve behavior. This can be achieved by setting
this new coprocessor at the ACL table level.
Systems dependent on custom coprocessors like _RangerAuthorizationCoprocessor_
can either:
* Chain it in the coprocessor code path by setting this new coprocessor at the
ACL table level.
* Or, set the zk coprocessor as a preceding coprocessor to
_RangerAuthorizationCoprocessor_ in configurations.
was:
The HBase
_[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
has hooks to update Zookeeper (zk) with ACL permissions, which are used to
perform validations across various parts of the code.
For example, whenever a new record is added in ACL with a new permission, it is
synchronized with the znode via the
[{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
call.
The problem arises when a custom implementation of {_}AccessController{_}, such
as
{_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
is used. In this case, attempting to perform certain operations, like adding
an rsgroup, fails (for any non super user) because
_[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
requires global permissions, as enforced by
_[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._
Below is a sample stack trace for the 2.6 code path:
{code:java}
org.apache.hadoop.hbase.security.AccessDeniedException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'nihaljain' (global, action=ADMIN)
at
org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
at
org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
at
org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
at
org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
at
org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
at
org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
This issue occurs because zk ACL data is only updated via
{_}AccessController{_}, and hence global permission data is not available for
Ranger. Consequently, there is no way to provide permissions to a user to work
through this for _RangerAuthorizationCoprocessor_ unless we copy logic from
_AccessController_ into Ranger, which is not ideal.
*Solution Proposal*
We should extract all the zk update logic into a new separate class, say
{_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the
coprocessor code path to preserve behavior. This can be achieved by setting
this new coprocessor at the ACL table level.
Systems dependent on custom coprocessors like _RangerAuthorizationCoprocessor_
can either:
* Chain it in the coprocessor code path by setting this new coprocessor at the
ACL table level.
* Or, set the zk coprocessor as a preceding coprocessor to
_RangerAuthorizationCoprocessor_ in configurations.
> Decouple the znode acl update logic from AccessController to support custom
> implementations like RangerAuthorizationCoprocessor
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: HBASE-29143
> URL: https://issues.apache.org/jira/browse/HBASE-29143
> Project: HBase
> Issue Type: Improvement
> Components: acl, security
> Reporter: Nihal Jain
> Assignee: Anchal Kejriwal
> Priority: Major
>
> The HBase
> _[AccessController|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java]_
> has hooks to update Zookeeper (zk) with ACL permissions, which are used to
> perform validations across various parts of the code.
> For example, whenever a new record is added in ACL with a new permission, it
> is synchronized with the znode via the
> [{_}updateACL{_}()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L263]
> call.
> The problem arises when a custom implementation of {_}AccessController{_},
> such as
> {_}[RangerAuthorizationCoprocessor|https://github.com/apache/ranger/blob/master/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java]{_},
> is used. In this case, attempting to perform certain operations, like adding
> an rsgroup, fails (for any non super user) because
> _[MasterRpcServices#rpcPreCheck()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java#L979]_
> requires global permissions, as enforced by
> _[AccessChecker#requireGlobalPermission()|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java#L138]._
> Below is a sample stack trace for the 2.6 code path:
> {code:java}
> org.apache.hadoop.hbase.security.AccessDeniedException:
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> permissions for user 'nihaljain' (global, action=ADMIN)
> at
> org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
> at
> org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1342)
> at
> org.apache.hadoop.hbase.master.MasterRpcServices.rpcPreCheck(MasterRpcServices.java:474)
> at
> org.apache.hadoop.hbase.master.MasterRpcServices.execMasterService(MasterRpcServices.java:904)
> at
> org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:443)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
> at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:105)
> at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:85) {code}
> This issue occurs because zk ACL data is only updated via
> {_}AccessController{_}, and hence global permission data is not available for
> Ranger. Consequently, there is no way to provide permissions to a user to
> work through this for _RangerAuthorizationCoprocessor_ unless we copy zk
> updation logic from _AccessController_ into Ranger, which is not ideal and
> not maintainable in long run.
>
> *Solution Proposal*
> We should extract all the zk update logic into a new separate class, say
> {_}ZKAclUpdaterCoprocessor{_}, from _AccessController_ and chain it in the
> coprocessor code path to preserve behavior. This can be achieved by setting
> this new coprocessor at the ACL table level.
> Systems dependent on custom coprocessors like
> _RangerAuthorizationCoprocessor_ can either:
> * Chain it in the coprocessor code path by setting this new coprocessor at
> the ACL table level.
> * Or, set the zk coprocessor as a preceding coprocessor to
> _RangerAuthorizationCoprocessor_ in configurations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
