From 4fd3b110f3d35dfd093d3d02ae77699b7c0447f4 Mon Sep 17 00:00:00 2001 From: Ramkrishna Date: Fri, 1 Aug 2014 13:18:09 -0700 Subject: [PATCH] HBASE-11384 - [Visibility Controller]Check for users covering authorizations for every mutation (Ram) --- .../visibility/VisibilityConstants.java | 3 + .../src/main/resources/hbase-default.xml | 8 +++ .../visibility/VisibilityController.java | 56 ++++++++++++++----- .../visibility/VisibilityLabelsManager.java | 15 +++++ 4 files changed, 68 insertions(+), 14 deletions(-) diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java index f98efec8ebd..d91f0ef36ee 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java @@ -49,4 +49,7 @@ public final class VisibilityConstants { public static final byte[] SORTED_ORDINAL_SERIALIZATION_FORMAT = new byte[] { VISIBILITY_SERIALIZATION_VERSION }; + public static final String CHECK_AUTHS_FOR_MUTATION = + "hbase.security.visibility.mutations.checkauths"; + } diff --git a/hbase-common/src/main/resources/hbase-default.xml b/hbase-common/src/main/resources/hbase-default.xml index 98a18c0f533..a4e6578d89e 100644 --- a/hbase-common/src/main/resources/hbase-default.xml +++ b/hbase-common/src/main/resources/hbase-default.xml @@ -1337,6 +1337,14 @@ possible configurations would overwhelm and obscure the important. The default StaticUserWebFilter add a user principal as defined by the hbase.http.staticuser.user property. + + + hbase.security.visibility.mutations.checkauths + false + + This property if enabled, will check whether the labels in the visibility expression are associated + with the user issuing the mutation + hbase.http.max.threads diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java index 6920f7baf49..7a4481e4a5d 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java @@ -35,6 +35,7 @@ import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; +import java.util.Set; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -52,11 +53,11 @@ import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.KeyValue; import org.apache.hadoop.hbase.KeyValue.Type; import org.apache.hadoop.hbase.KeyValueUtil; +import org.apache.hadoop.hbase.MetaTableAccessor; import org.apache.hadoop.hbase.NamespaceDescriptor; import org.apache.hadoop.hbase.ServerName; import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.Tag; -import org.apache.hadoop.hbase.MetaTableAccessor; import org.apache.hadoop.hbase.client.Append; import org.apache.hadoop.hbase.client.Delete; import org.apache.hadoop.hbase.client.Get; @@ -114,6 +115,7 @@ import org.apache.hadoop.hbase.security.visibility.expression.LeafExpressionNode import org.apache.hadoop.hbase.security.visibility.expression.NonLeafExpressionNode; import org.apache.hadoop.hbase.security.visibility.expression.Operator; import org.apache.hadoop.hbase.util.ByteRange; +import org.apache.hadoop.hbase.util.ByteStringer; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.Pair; import org.apache.hadoop.hbase.util.SimpleMutableByteRange; @@ -122,7 +124,6 @@ import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher; import com.google.common.collect.Lists; import com.google.common.collect.MapMaker; import com.google.protobuf.ByteString; -import org.apache.hadoop.hbase.util.ByteStringer; import com.google.protobuf.RpcCallback; import com.google.protobuf.RpcController; import com.google.protobuf.Service; @@ -155,6 +156,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb private boolean acOn = false; private Configuration conf; private volatile boolean initialized = false; + private boolean checkAuths = false; /** Mapping of scanner instances to the user who created them */ private Map scannerOwners = new MapMaker().weakKeys().makeMap(); @@ -620,6 +622,8 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb initialize(e); } } else { + checkAuths = e.getEnvironment().getConfiguration() + .getBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, false); this.initialized = true; } } @@ -692,6 +696,11 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } // TODO this can be made as a global LRU cache at HRS level? Map> labelCache = new HashMap>(); + Set auths = null; + User user = getActiveUser(); + if (checkAuths && user != null && user.getShortName() != null) { + auths = this.visibilityManager.getAuthsAsOrdinals(user.getShortName()); + } for (int i = 0; i < miniBatchOp.size(); i++) { Mutation m = miniBatchOp.getOperation(i); CellVisibility cellVisibility = null; @@ -717,7 +726,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb List visibilityTags = labelCache.get(labelsExp); if (visibilityTags == null) { try { - visibilityTags = createVisibilityTags(labelsExp, true); + visibilityTags = createVisibilityTags(labelsExp, true, auths, user.getShortName()); } catch (ParseException e) { miniBatchOp.setOperationStatus(i, new OperationStatus(SANITY_CHECK_FAILURE, e.getMessage())); @@ -777,7 +786,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb if (cellVisibility != null) { String labelsExp = cellVisibility.getExpression(); try { - visibilityTags = createVisibilityTags(labelsExp, false); + visibilityTags = createVisibilityTags(labelsExp, false, null, null); } catch (ParseException e) { throw new IOException("Invalid cell visibility expression " + labelsExp, e); } catch (InvalidLabelException e) { @@ -911,8 +920,9 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb return true; } - private List createVisibilityTags(String visibilityLabelsExp, boolean addSerializationTag) - throws IOException, ParseException, InvalidLabelException { + private List createVisibilityTags(String visibilityLabelsExp, boolean addSerializationTag, + Set auths, String userName) throws IOException, ParseException, + InvalidLabelException { ExpressionNode node = null; node = this.expressionParser.parse(visibilityLabelsExp); node = this.expressionExpander.expand(node); @@ -926,7 +936,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb tags.add(VisibilityUtils.VIS_SERIALIZATION_TAG); } if (node.isSingleNode()) { - getLabelOrdinals(node, labelOrdinals); + getLabelOrdinals(node, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); @@ -934,14 +944,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb NonLeafExpressionNode nlNode = (NonLeafExpressionNode) node; if (nlNode.getOperator() == Operator.OR) { for (ExpressionNode child : nlNode.getChildExps()) { - getLabelOrdinals(child, labelOrdinals); + getLabelOrdinals(child, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); labelOrdinals.clear(); } } else { - getLabelOrdinals(nlNode, labelOrdinals); + getLabelOrdinals(nlNode, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); @@ -958,8 +968,8 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } } - private void getLabelOrdinals(ExpressionNode node, List labelOrdinals) - throws IOException, InvalidLabelException { + private void getLabelOrdinals(ExpressionNode node, List labelOrdinals, + Set auths, String userName) throws IOException, InvalidLabelException { if (node.isSingleNode()) { String identifier = null; int labelOrdinal = 0; @@ -970,12 +980,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb LOG.trace("The identifier is "+identifier); } labelOrdinal = this.visibilityManager.getLabelOrdinal(identifier); + checkAuths(auths, userName, labelOrdinal, identifier); } else { // This is a NOT node. LeafExpressionNode lNode = (LeafExpressionNode) ((NonLeafExpressionNode) node) .getChildExps().get(0); identifier = lNode.getIdentifier(); labelOrdinal = this.visibilityManager.getLabelOrdinal(identifier); + checkAuths(auths, userName, labelOrdinal, identifier); labelOrdinal = -1 * labelOrdinal; // Store NOT node as -ve ordinal. } if (labelOrdinal == 0) { @@ -985,11 +997,21 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } else { List childExps = ((NonLeafExpressionNode) node).getChildExps(); for (ExpressionNode child : childExps) { - getLabelOrdinals(child, labelOrdinals); + getLabelOrdinals(child, labelOrdinals, auths, userName); } } } - + + private void checkAuths(Set auths, String userName, int labelOrdinal, String identifier) + throws IOException { + if (checkAuths && !isSystemOrSuperUser()) { + if (auths == null || (!auths.contains(labelOrdinal))) { + throw new AccessDeniedException("Visibility label " + identifier + + " not authorized for the user " + userName); + } + } + } + @Override public RegionScanner preScannerOpen(ObserverContext e, Scan scan, RegionScanner s) throws IOException { @@ -1231,6 +1253,11 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb if (cellVisibility == null) { return newCell; } + Set auths = null; + User user = getActiveUser(); + if (checkAuths && user != null && user.getShortName() != null) { + auths = this.visibilityManager.getAuthsAsOrdinals(user.getShortName()); + } // Adding all other tags Iterator tagsItr = CellUtil.tagsIterator(newCell.getTagsArray(), newCell.getTagsOffset(), newCell.getTagsLength()); @@ -1242,7 +1269,8 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } } try { - tags.addAll(createVisibilityTags(cellVisibility.getExpression(), true)); + tags.addAll(createVisibilityTags(cellVisibility.getExpression(), true, auths, + user.getShortName())); } catch (ParseException e) { throw new IOException(e); } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java index 7f1f278c8bb..e840c64532e 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java @@ -172,6 +172,21 @@ public class VisibilityLabelsManager { return auths; } + /** + * Returns the list of ordinals of authentications associated with the user + * + * @param user + * @return the list of ordinals + */ + public Set getAuthsAsOrdinals(String user) { + this.lock.readLock().lock(); + try { + return userAuths.get(user); + } finally { + this.lock.readLock().unlock(); + } + } + /** * Writes the labels data to zookeeper node. * @param data