RANGER-3347: Add default policy for hbase user in hdfs services
Signed-off-by: Mehul Parikh <mehul@apache.org>
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
index 5354636..8de142e 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
@@ -43,15 +43,19 @@
public class RangerServiceHdfs extends RangerBaseService {
- private static final Log LOG = LogFactory.getLog(RangerServiceHdfs.class);
- private static final String AUDITTOHDFS_KMS_PATH = "/ranger/audit/kms";
- private static final String AUDITTOHDFS_POLICY_NAME = "kms-audit-path";
- public static final String ACCESS_TYPE_READ = "read";
-
+ private static final Log LOG = LogFactory.getLog(RangerServiceHdfs.class);
+ private static final String AUDITTOHDFS_KMS_PATH = "/ranger/audit/kms";
+ private static final String AUDITTOHDFS_POLICY_NAME = "kms-audit-path";
+ public static final String ACCESS_TYPE_READ = "read";
+
+ private static final String HBASE_ARCHIVE_POLICY_NAME = "hbase-archive";
+ private static final String HBASE_ARCHIVE_POLICY_PATH = "/hbase/archive";
+ private static final String HBASE_ARCHIVE_POLICY_DESC = "Policy for hbase archive location";
+
public RangerServiceHdfs() {
super();
}
-
+
@Override
public void init(RangerServiceDef serviceDef, RangerService service) {
super.init(serviceDef, service);
@@ -154,18 +158,24 @@
}
}
- try {
- // we need to create one policy for keyadmin user for audit to HDFS
- RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
- for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.filterHierarchies_containsOnlyMandatoryResources(RangerPolicy.POLICY_TYPE_ACCESS)) {
- RangerPolicy policy = getPolicyForKMSAudit(aHierarchy);
- if (policy != null) {
- ret.add(policy);
- }
- }
- } catch (Exception e) {
- LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e);
- }
+ try {
+ RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+ for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.filterHierarchies_containsOnlyMandatoryResources(RangerPolicy.POLICY_TYPE_ACCESS)) {
+ // we need to create one policy for keyadmin user for audit to HDFS
+ RangerPolicy policy = getPolicyForKMSAudit(aHierarchy);
+ if (policy != null) {
+ ret.add(policy);
+ }
+
+ // default policy for hbase user to have access on archive location
+ RangerPolicy hbaseArchivePolicy = getPolicyForHBaseArchive(aHierarchy);
+ if (hbaseArchivePolicy != null) {
+ ret.add(hbaseArchivePolicy);
+ }
+ }
+ } catch (Exception e) {
+ LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e);
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + ret);
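Review bot: The catch block at the end of this hunk still logs "Error creating policy for keyadmin for audit to HDFS", but the try now also covers getPolicyForHBaseArchive, so a failure building the hbase-archive policy is reported as a KMS audit failure and, because the two calls share one try, also aborts the KMS audit policy for every remaining hierarchy. Either give each policy its own try/catch inside the loop so one failing default policy does not suppress the other, or at minimum make the message name both: `LOG.error("Error creating default policies (" + AUDITTOHDFS_POLICY_NAME + ", " + HBASE_ARCHIVE_POLICY_NAME + ") for service : " + service.getName(), e);`. getDefaultRangerPolicies starts and ends outside this hunk, so I cannot see how ret is initialised or returned.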
@@ -187,7 +197,7 @@
policy.setService(service.getName());
policy.setDescription("Policy for " + AUDITTOHDFS_POLICY_NAME);
policy.setIsAuditEnabled(true);
- policy.setResources(createKMSAuditResource(resourceHierarchy));
+ policy.setResources(createPathBasedResourceMap(resourceHierarchy, AUDITTOHDFS_KMS_PATH));
List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
//Create policy item for keyadmin
@@ -208,25 +218,61 @@
return policy;
}
- private Map<String, RangerPolicy.RangerPolicyResource> createKMSAuditResource(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerServiceHdfs.createKMSAuditResource()");
- }
- Map<String, RangerPolicy.RangerPolicyResource> resourceMap = super.createDefaultPolicyResource(resourceHierarchy);
+ private RangerPolicy getPolicyForHBaseArchive(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceHdfs.getPolicyForHBaseArchive()");
+ }
- RangerPolicy.RangerPolicyResource pathResource = resourceMap.get(RangerHdfsAuthorizer.KEY_RESOURCE_PATH);
+ RangerPolicy policy = new RangerPolicy();
- if (pathResource != null) {
- pathResource.setValue(AUDITTOHDFS_KMS_PATH);
- } else {
- LOG.error("Internal error: Could not find RangerPolicyResource corresponding to " + RangerHdfsAuthorizer.KEY_RESOURCE_PATH + " in default policy-resource");
- }
+ policy.setIsEnabled(true);
+ policy.setVersion(1L);
+ policy.setName(HBASE_ARCHIVE_POLICY_NAME);
+ policy.setService(service.getName());
+ policy.setDescription(HBASE_ARCHIVE_POLICY_DESC);
+ policy.setIsAuditEnabled(true);
+ policy.setResources(createPathBasedResourceMap(resourceHierarchy, HBASE_ARCHIVE_POLICY_PATH));
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerServiceHdfs.createKMSAuditResource():" + resourceMap);
- }
- return resourceMap;
- }
+ List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
+
+ // create policy item
+ RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+ List<String> user = new ArrayList<String>();
+ user.add("hbase");
+ policyItem.setUsers(user);
+
+ policyItem.setAccesses(getAllowedAccesses(policy.getResources()));
+ policyItem.setDelegateAdmin(false);
+
+ policyItems.add(policyItem);
+ policy.setPolicyItems(policyItems);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceHdfs.getPolicyForHBaseArchive(): ret=" + policy);
+ }
+ return policy;
+ }
+
+ private Map<String, RangerPolicy.RangerPolicyResource> createPathBasedResourceMap(List<RangerServiceDef.RangerResourceDef> resourceHierarchy, String resourcePath) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceHdfs.createPathBasedResourceMap()");
+ }
+
+ Map<String, RangerPolicy.RangerPolicyResource> ret = super.createDefaultPolicyResource(resourceHierarchy);
+ RangerPolicy.RangerPolicyResource pathResource = ret.get(RangerHdfsAuthorizer.KEY_RESOURCE_PATH);
+
+ if (pathResource != null) {
+ pathResource.setValue(resourcePath);
+ } else {
+ LOG.error("Internal error: Could not find RangerPolicyResource corresponding to " + RangerHdfsAuthorizer.KEY_RESOURCE_PATH + " in default policy-resource");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceHdfs.createPathBasedResourceMap(): ret="+ret);
+ }
+
+ return ret;
+ }
}
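Review bot: In createPathBasedResourceMap the null-path branch logs "Internal error" but still returns the map from super.createDefaultPolicyResource, so getPolicyForHBaseArchive would go on to create an enabled policy granting user "hbase" every access type returned by getAllowedAccesses on whatever default resource value that map carries rather than on /hbase/archive (the default value is not visible here). Since the callers already catch and log exceptions, the safer shape is to fail the policy instead of returning an unintended resource: replace the else branch with `throw new IllegalStateException("Could not find RangerPolicyResource for " + RangerHdfsAuthorizer.KEY_RESOURCE_PATH + " in default policy-resource");`. Both new methods also lack Javadoc; getPolicyForHBaseArchive should state that it builds a default, audit-enabled policy for the hard-coded user "hbase" on HBASE_ARCHIVE_POLICY_PATH with all allowed access types and no delegate-admin, and createPathBasedResourceMap should document that it mutates the path resource of the default resource map in place and what it does when that resource is absent. The hard-coded user name is worth a comment too, since deployments that run HBase under a different principal will get a policy that grants nothing useful.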