/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ranger.authorization.hbase;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import com.google.common.base.Objects;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.filter.FilterBase;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.ranger.audit.model.AuthzAuditEvent;
public class RangerAuthorizationFilter extends FilterBase {
private static final Log LOG = LogFactory.getLog(RangerAuthorizationFilter.class.getName());
final Set<String> _familiesAccessAllowed;
final Set<String> _familiesAccessDenied;
final Set<String> _familiesAccessIndeterminate;
final Map<String, Set<String>> _columnsAccessAllowed;
final AuthorizationSession _session;
final HbaseAuditHandler _auditHandler = HbaseFactory.getInstance().getAuditHandler();
public RangerAuthorizationFilter(AuthorizationSession session, Set<String> familiesAccessAllowed, Set<String> familiesAccessDenied, Set<String> familiesAccessIndeterminate,
Map<String, Set<String>> columnsAccessAllowed) {
// the class assumes that all of these can be empty but none of these can be null
_familiesAccessAllowed = familiesAccessAllowed;
_familiesAccessDenied = familiesAccessDenied;
_familiesAccessIndeterminate = familiesAccessIndeterminate;
_columnsAccessAllowed = columnsAccessAllowed;
// this session should have everything set on it except family and column which would be altered based on need
_session = session;
// we don't want to audit denial, so we need to make sure the hander is what we need it to be.
_session.auditHandler(_auditHandler);
}
@SuppressWarnings("deprecation")
@Override
public ReturnCode filterKeyValue(Cell kv) throws IOException {
if (LOG.isDebugEnabled()) {
LOG.debug("==> filterKeyValue");
}
String family = null;
byte[] familyBytes = kv.getFamily();
if (familyBytes != null && familyBytes.length > 0) {
family = Bytes.toString(familyBytes);
if (LOG.isDebugEnabled()) {
LOG.debug("filterKeyValue: evaluating family[" + family + "].");
}
}
String column = null;
if (kv.getQualifier() != null && kv.getQualifier().length > 0) {
column = Bytes.toString(kv.getQualifier());
if (LOG.isDebugEnabled()) {
LOG.debug("filterKeyValue: evaluating column[" + column + "].");
}
} else {
LOG.warn("filterKeyValue: empty/null column set! Unexpected!");
}
ReturnCode result = ReturnCode.NEXT_COL;
boolean authCheckNeeded = false;
if (family == null) {
LOG.warn("filterKeyValue: Unexpected - null/empty family! Access denied!");
} else if (_familiesAccessDenied.contains(family)) {
LOG.debug("filterKeyValue: family found in access denied families cache. Access denied.");
} else if (_columnsAccessAllowed.containsKey(family)) {
LOG.debug("filterKeyValue: family found in column level access results cache.");
if (_columnsAccessAllowed.get(family).contains(column)) {
LOG.debug("filterKeyValue: family/column found in column level access results cache. Access allowed.");
result = ReturnCode.INCLUDE;
} else {
LOG.debug("filterKeyValue: family/column not in column level access results cache. Access denied.");
}
} else if (_familiesAccessAllowed.contains(family)) {
LOG.debug("filterKeyValue: family found in access allowed families cache. Must re-authorize for correct audit generation.");
authCheckNeeded = true;
} else if (_familiesAccessIndeterminate.contains(family)) {
LOG.debug("filterKeyValue: family found in indeterminate families cache. Evaluating access...");
authCheckNeeded = true;
} else {
LOG.warn("filterKeyValue: Unexpected - alien family encountered that wasn't seen by pre-hook! Access Denied.!");
}
if (authCheckNeeded) {
LOG.debug("filterKeyValue: Checking authorization...");
_session.columnFamily(family)
.column(column)
.buildRequest()
.authorize();
// must always purge the captured audit event out of the audit handler to avoid messing up the next check
AuthzAuditEvent auditEvent = _auditHandler.getAndDiscardMostRecentEvent();
if (_session.isAuthorized()) {
LOG.debug("filterKeyValue: Access granted.");
result = ReturnCode.INCLUDE;
if (auditEvent != null) {
LOG.debug("filterKeyValue: access is audited.");
_auditHandler.logAuthzAudits(Collections.singletonList(auditEvent));
} else {
LOG.debug("filterKeyValue: no audit event returned. Access not audited.");
}
} else {
LOG.debug("filterKeyValue: Access denied. Denial not audited.");
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("filterKeyValue: " + result);
}
return result;
}
@Override
public String toString() {
return Objects.toStringHelper(getClass())
.add("familiesAccessAllowed", _familiesAccessAllowed)
.add("familiesAccessDenied", _familiesAccessDenied)
.add("familiesAccessUnknown", _familiesAccessIndeterminate)
.add("columnsAccessAllowed", _columnsAccessAllowed)
.toString();
}
}