RANGER-2813 [HBase]Not able to pull execute permission given to user from getUserPermissions API in HBase Ranger Coprocessor(Rajeshbabu)
Signed-off-by: Ramesh Mani <ramesh.mani@gmail.com>
diff --git a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
index 71fae66..5356ed7 100644
--- a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
+++ b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
@@ -95,6 +95,11 @@
"write",
"create"
]
+ },
+ {
+ "itemId": 5,
+ "name": "execute",
+ "label": "Execute"
}
],
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
index 928a135..c9c598f 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtils.java
@@ -30,6 +30,8 @@
String getAccess(Action action);
+ String getActionName(String access);
+
boolean isReadAccess(String access);
boolean isWriteAccess(String access);
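Review bot: The new `String getActionName(String access);` is added without a Javadoc comment, and its contract is not obvious from the name alone, in particular what it returns for an access type that has no HBase counterpart. Going by the implementation in HbaseAuthUtilsImpl, a comment such as `/** Maps a Ranger access-type name to the name of the matching HBase Action (the execute access type maps to EXEC); unrecognised names are returned upper-cased. */` would tell callers they must still validate the result before calling `Action.valueOf`. The interface body starts and ends outside this hunk.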
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
index 5754942..ffd99f6 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuthUtilsImpl.java
@@ -72,4 +72,22 @@
}
return tableNameStr;
}
+
+ @Override
+ public String getActionName(String access) {
+ switch(access) {
+ case ACCESS_TYPE_READ:
+ return Action.READ.name();
+ case ACCESS_TYPE_WRITE:
+ return Action.WRITE.name();
+ case ACCESS_TYPE_CREATE:
+ return Action.CREATE.name();
+ case ACCESS_TYPE_ADMIN:
+ return Action.ADMIN.name();
+ case ACCESS_TYPE_EXECUTE:
+ return Action.EXEC.name();
+ default:
+ return access.toUpperCase();
+ }
+ }
}
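Review bot: The `default:` branch returns `access.toUpperCase()`, which depends on the JVM default locale, and the `switch` above it matches case-sensitively. An access type that arrives in a different case than the constants (presumably lower-case) would take the default branch, so an execute type would come back as `EXECUTE` rather than `EXEC` and be dropped by the caller's `hbaseActionsList.contains(permission)` check. Because this value decides which permissions getUserPermissions reports, I would use `return access.toUpperCase(Locale.ROOT);` (this needs `java.util.Locale` imported if the file does not already have it) and consider normalising the case of `access` before the switch. `switch(access)` also throws a NullPointerException for a null key; the previous `getKey().toUpperCase()` did the same, so this is not a regression, but it is worth stating in a method comment.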
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index a5697f2..d304bec 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1357,7 +1357,7 @@
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
- return getUserPrermissions(
+ return getUserPermissions(
hbasePlugin.getResourceACLs(rangerAccessrequest),
table.getNameAsString(), false);
}
@@ -1370,7 +1370,7 @@
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
- return getUserPrermissions(
+ return getUserPermissions(
hbasePlugin.getResourceACLs(rangerAccessrequest),
namespace, true);
}
@@ -1380,7 +1380,7 @@
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
- return getUserPrermissions(
+ return getUserPermissions(
hbasePlugin.getResourceACLs(rangerAccessrequest), null,
false);
}
@@ -1398,8 +1398,8 @@
done.run(response);
}
- private List<UserPermission> getUserPrermissions(RangerResourceACLs rangerResourceACLs, String resource,
- boolean isNamespace) {
+ private List<UserPermission> getUserPermissions(RangerResourceACLs rangerResourceACLs, String resource,
+ boolean isNamespace) {
List<UserPermission> userPermissions = new ArrayList<UserPermission>();
Action[] hbaseActions = Action.values();
List<String> hbaseActionsList = new ArrayList<String>();
@@ -1419,7 +1419,7 @@
String user = !isGroup ? userAcls.getKey() : AuthUtil.toGroupEntry(userAcls.getKey());
List<Action> allowedPermissions = new ArrayList<Action>();
for (Entry<String, AccessResult> permissionAccess : userAcls.getValue().entrySet()) {
- String permission = permissionAccess.getKey().toUpperCase();
+ String permission = _authUtils.getActionName(permissionAccess.getKey());
if (hbaseActionsList.contains(permission)
&& permissionAccess.getValue().getResult() == RangerPolicyEvaluator.ACCESS_ALLOWED) {
allowedPermissions.add(Action.valueOf(permission));
@@ -1544,7 +1544,9 @@
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
ret.setDelegateAdmin(Boolean.TRUE);
break;
-
+ case 'X':
+ ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
+ break;
default:
LOG.warn("grant(): ignoring action '" + action.name() + "' for user '" + userName + "'");
}
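Review bot: The new `case 'X':` branch changes what a grant writes into Ranger policy, as does the `ACCESS_TYPE_EXECUTE` entry added to the access-type list in the following hunk (at line 1639), but the only test change visible in this commit checks the getUserPermissions output. Since both paths alter authorization state, a test that grants `Action.EXEC`, checks that it is reported, and then removes it would guard against the execute permission being silently ignored again or left behind. The enclosing method and its `switch` start outside this hunk, so existing coverage elsewhere cannot be ruled out from here.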
@@ -1639,6 +1641,7 @@
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
+ ret.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
return ret;
}
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
index bf4bc97..537c0b6 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
@@ -1026,7 +1026,7 @@
throw new Exception(e);
}
UserPermission userPermission = new UserPermission(Bytes.toBytes("@IT"), TableName.valueOf("temp5"), null,
- Permission.Action.READ, Permission.Action.WRITE);
+ Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC);
Assert.assertTrue("@IT permission should be there", userPermissions.contains(userPermission));
}
diff --git a/hbase-agent/src/test/resources/hbase-policies.json b/hbase-agent/src/test/resources/hbase-policies.json
index 6213a0e..61960c0 100644
--- a/hbase-agent/src/test/resources/hbase-policies.json
+++ b/hbase-agent/src/test/resources/hbase-policies.json
@@ -169,6 +169,10 @@
{
"type": "write",
"isAllowed": true
+ },
+ {
+ "type": "execute",
+ "isAllowed": true
}
],
"users": [],
diff --git a/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
index 71fae66..7e458cf 100644
--- a/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
+++ b/security-admin/src/test/resources/admin/service-defs/test-hbase-servicedef.json
@@ -84,7 +84,6 @@
"name": "create",
"label": "Create"
},
-
{
"itemId": 4,
"name": "admin",
@@ -95,6 +94,11 @@
"write",
"create"
]
+ },
+ {
+ "itemId": 5,
+ "name": "execute",
+ "label": "Execute"
}
],