Add ranger permission check

sdk/java/pom.xml

@@ -82,10 +82,6 @@
 							<pattern>com.google.common</pattern>
 							<shadedPattern>io.juicefs.shaded.com.google.common</shadedPattern>
 						</relocation>
-						<relocation>
-							<pattern>com.google.common</pattern>
-							<shadedPattern>io.juicefs.shaded.com.google.common</shadedPattern>
-						</relocation>
 					</relocations>
 				</configuration>
 			</plugin>

sdk/java/src/main/java/io/juicefs/permission/RangerPermissionChecker.java

@@ -59,10 +59,6 @@ public class RangerPermissionChecker {
 
   private final JuiceFileSystemImpl superGroupFileSystem;
 
-  private final String name;
-
-  private final String scheme;
-
   private final String user;
 
   private final Set<String> groups;
@@ -73,11 +69,8 @@ public class RangerPermissionChecker {
 
   private static final String RANGER_SERVICE_TYPE = "hdfs";
 
-  public RangerPermissionChecker(JuiceFileSystemImpl superGroupFileSystem, RangerConfig config, String scheme,
-                                 String name, String user, String group) {
+  public RangerPermissionChecker(JuiceFileSystemImpl superGroupFileSystem, RangerConfig config, String user, String group) {
     this.superGroupFileSystem = superGroupFileSystem;
-    this.name = name;
-    this.scheme = scheme;
     this.user = user;
     this.groups = Arrays.stream(group.split(",")).collect(Collectors.toSet());
 
@@ -107,37 +100,39 @@ protected RangerPluginConfig buildRangerPluginContext(String serviceType, String
         null, null, buildRangerPolicyEngineOptions(startRangerRefresher));
   }
 
-  public void checkPermission(Path path, boolean checkOwner, FsAction ancestorAccess, FsAction parentAccess,
-                              FsAction access, String operationName) throws IOException {
+  public boolean checkPermission(Path path, boolean checkOwner, FsAction ancestorAccess, FsAction parentAccess,
+                                 FsAction access, String operationName) throws IOException {
     RangerPermissionContext context = new RangerPermissionContext(user, groups, operationName);
     PathObj obj = path2Obj(path);
 
-    if (obj.parent.getPermission().getStickyBit() && access != null && parentAccess != null
-        && parentAccess.implies(FsAction.WRITE) && obj.parent != null && obj.current != null) {
+    boolean fallback = true;
+    AuthzStatus authzStatus = AuthzStatus.ALLOW;
+
+    if (access != null && parentAccess != null
+        && parentAccess.implies(FsAction.WRITE) && obj.parent != null && obj.current != null && obj.parent.getPermission().getStickyBit()) {
       if (!StringUtils.equals(obj.parent.getOwner(), user) && !StringUtils.equals(obj.current.getOwner(), user)) {
-        throw new AccessControlException(
-            assembleExceptionMessage(user, access.toString(), toPathString(obj.current.getPath())));
+        authzStatus = AuthzStatus.NOT_DETERMINED;
       }
     }
 
-    if (ancestorAccess != null && obj.ancestor != null) {
-      if (!isAccessAllowed(obj.ancestor, ancestorAccess, context)) {
-        throw new AccessControlException(
-            assembleExceptionMessage(user, ancestorAccess.toString(), toPathString(obj.ancestor.getPath())));
+    if (authzStatus == AuthzStatus.ALLOW && ancestorAccess != null && obj.ancestor != null) {
+      authzStatus = isAccessAllowed(obj.ancestor, ancestorAccess, context);
+      if (checkResult(authzStatus, user, ancestorAccess.toString(), toPathString(obj.ancestor.getPath()))) {
+        return fallback;
       }
     }
 
-    if (parentAccess != null && obj.parent != null) {
-      if (!isAccessAllowed(obj.parent, parentAccess, context)) {
-        throw new AccessControlException(
-            assembleExceptionMessage(user, parentAccess.toString(), toPathString(obj.parent.getPath())));
+    if (authzStatus == AuthzStatus.ALLOW && parentAccess != null && obj.parent != null) {
+      authzStatus = isAccessAllowed(obj.parent, parentAccess, context);
+      if (checkResult(authzStatus, user, parentAccess.toString(), toPathString(obj.parent.getPath()))) {
+        return fallback;
       }
     }
 
-    if (access != null && obj.current != null) {
-      if (!isAccessAllowed(obj.current, access, context)) {
-        throw new AccessControlException(
-            assembleExceptionMessage(user, access.toString(), toPathString(obj.current.getPath())));
+    if (authzStatus == AuthzStatus.ALLOW && access != null && obj.current != null) {
+      authzStatus = isAccessAllowed(obj.current, access, context);
+      if (checkResult(authzStatus, user, access.toString(), toPathString(obj.current.getPath()))) {
+        return fallback;
       }
     }
 
@@ -152,6 +147,8 @@ public void checkPermission(Path path, boolean checkOwner, FsAction ancestorAcce
                 toPathString(obj.current.getPath())));
       }
     }
+    // check access by ranger success
+    return !fallback;
   }
 
   public void cleanUp() {
@@ -163,6 +160,14 @@ public void cleanUp() {
     LockFileChecker.cleanUp(rangerCacheDir);
   }
 
+  private static boolean checkResult(AuthzStatus authzStatus, String user, String action, String path) throws AccessControlException {
+    if (authzStatus == AuthzStatus.DENY) {
+      throw new AccessControlException(assembleExceptionMessage(user, action, path));
+    } else {
+      return authzStatus == AuthzStatus.NOT_DETERMINED;
+    }
+  }
+
   private static String assembleExceptionMessage(String user, String action, String path) {
     return "Permission denied: user=" + user + ", access=" + action + ", path=\"" + path + "\"";
   }
@@ -180,31 +185,46 @@ private static String getFirstNonNullAccess(FsAction ancestorAccess, FsAction pa
     return FsAction.EXECUTE.toString();
   }
 
-  private boolean isAccessAllowed(FileStatus file, FsAction access, RangerPermissionContext context) {
-
+  private AuthzStatus isAccessAllowed(FileStatus file, FsAction access, RangerPermissionContext context) {
     String path = toPathString(file.getPath());
-    String schemePath = scheme + "://" + name + path;
     Set<String> accessTypes = fsAction2ActionMapper.getOrDefault(access, new HashSet<>());
     String pathOwner = file.getOwner();
+    AuthzStatus authzStatus = null;
     for (String accessType : accessTypes) {
-      RangerJfsAccessRequest request = new RangerJfsAccessRequest(schemePath, pathOwner, accessType,
-          context.operationName, user, context.userGroups);
+      RangerJfsAccessRequest request = new RangerJfsAccessRequest(path, pathOwner, accessType, context.operationName, user, context.userGroups);
       LOG.debug(request.toString());
-      boolean tmpRes = false;
+
+      RangerAccessResult result = null;
       try {
-        RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
-        tmpRes = result.getIsAllowed();
-        LOG.debug(result.toString());
+        result = rangerPlugin.isAccessAllowed(request);
+        if (result != null) {
+          LOG.debug(result.toString());
+        }
       } catch (Throwable e) {
         throw new RuntimeException("Check Permission Error. ", e);
       }
-      if (!tmpRes) {
-        return false;
+
+      if (result == null || !result.getIsAccessDetermined()) {
+        authzStatus = AuthzStatus.NOT_DETERMINED;
+      } else if (!result.getIsAllowed()) {
+        authzStatus = AuthzStatus.DENY;
+        break;
+      } else {
+        if (!AuthzStatus.NOT_DETERMINED.equals(authzStatus)) {
+          authzStatus = AuthzStatus.ALLOW;
+        }
       }
+
     }
-    return true;
+    if (authzStatus == null) {
+      authzStatus = AuthzStatus.NOT_DETERMINED;
+    }
+    return authzStatus;
   }
 
+  private enum AuthzStatus {ALLOW, DENY, NOT_DETERMINED}
+  ;
+
   private static String toPathString(Path path) {
     return path.toUri().getPath();
   }

sdk/java/src/test/java/io/juicefs/permission/RangerAdminClientImpl.java

@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.juicefs.permission;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.admin.client.AbstractRangerAdminClient;
+import org.apache.ranger.plugin.util.ServicePolicies;
+import org.apache.ranger.plugin.util.ServiceTags;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.util.List;
+
+public class RangerAdminClientImpl extends AbstractRangerAdminClient {
+
+  private static final Logger LOG = LoggerFactory.getLogger(RangerAdminClientImpl.class);
+
+  private final static String cacheFilename = "hdfs-policies.json";
+  private final static String tagFilename = "hdfs-policies-tag.json";
+  public void init(String serviceName, String appId, String configPropertyPrefix, Configuration config) {
+    super.init(serviceName, appId, configPropertyPrefix, config);
+  }
+
+  public ServicePolicies getServicePoliciesIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
+
+    String basedir = System.getProperty("basedir");
+    if (basedir == null) {
+      basedir = new File(".").getCanonicalPath();
+    }
+    final String relativePath  = "/src/test/resources/";
+    java.nio.file.Path cachePath = FileSystems.getDefault().getPath(basedir, relativePath + cacheFilename);
+    byte[] cacheBytes = Files.readAllBytes(cachePath);
+    return gson.fromJson(new String(cacheBytes), ServicePolicies.class);
+  }
+
+  public ServiceTags getServiceTagsIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
+    String basedir = System.getProperty("basedir");
+    if (basedir == null) {
+      basedir = new File(".").getCanonicalPath();
+    }
+    final String relativePath = "/src/test/resources/";
+    java.nio.file.Path cachePath = FileSystems.getDefault().getPath(basedir, relativePath + tagFilename);
+    byte[] cacheBytes = Files.readAllBytes(cachePath);
+    return gson.fromJson(new String(cacheBytes), ServiceTags.class);
+  }
+
+  public List<String> getTagTypes(String tagTypePattern) throws Exception {
+    return null;
+  }
+
+
+}