From 50cceb15f0cf7865f6cc041c535076e1d6b71433 Mon Sep 17 00:00:00 2001 From: vintmd <61688729+vintmd@users.noreply.github.com> Date: Tue, 17 May 2022 14:37:54 +0800 Subject: [PATCH] expose ranger to upper, and fix ranger bug (#55) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * expose ranger to upper, and fix ranger bug * fix ranger bugs which change the init order before create native store Co-authored-by: alantong(佟明达) --- pom.xml | 2 +- .../org/apache/hadoop/fs/CosFileSystem.java | 161 +++++++++++++++++- .../org/apache/hadoop/fs/CosNConfigKeys.java | 2 +- .../org/apache/hadoop/fs/CosNFileSystem.java | 161 ------------------ .../fs/auth/RangerCredentialsProvider.java | 2 +- 5 files changed, 162 insertions(+), 166 deletions(-) diff --git a/pom.xml b/pom.xml index 20dd5766..06bf93b8 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.qcloud.cos hadoop-cos - 8.1.0 + 8.1.1 jar Apache Hadoop Tencent Cloud COS Support diff --git a/src/main/java/org/apache/hadoop/fs/CosFileSystem.java b/src/main/java/org/apache/hadoop/fs/CosFileSystem.java index a7aac94c..a7887b8c 100644 --- a/src/main/java/org/apache/hadoop/fs/CosFileSystem.java +++ b/src/main/java/org/apache/hadoop/fs/CosFileSystem.java 
@@ -7,11 +7,20 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.cosn.Constants; import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.util.Progressable; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.qcloud.chdfs.permission.RangerAccessType; +import org.apache.hadoop.fs.auth.RangerCredentialsProvider; +import org.apache.hadoop.fs.cosn.ranger.client.RangerQcloudObjectStorageClient; +import org.apache.hadoop.fs.cosn.ranger.security.authorization.AccessType; +import org.apache.hadoop.fs.cosn.ranger.security.authorization.PermissionRequest; +import org.apache.hadoop.fs.cosn.ranger.security.authorization.PermissionResponse; +import org.apache.hadoop.fs.cosn.ranger.security.authorization.ServiceType; + import java.io.FileNotFoundException; import java.io.IOException; import java.net.URI; @@ -46,6 +55,14 @@ public class CosFileSystem extends FileSystem { private boolean isDefaultNativeStore; private FileSystem actualImplFS = null; + private URI uri; + private String bucket; + private Path workingDir; + // Authorization related. + private UserGroupInformation userGroupInformation; + private boolean enableRangerPluginPermissionCheck = false; + public static RangerQcloudObjectStorageClient rangerQcloudObjectStorageStorageClient = null; + public CosFileSystem() { } 
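Review bot: `rangerQcloudObjectStorageStorageClient` is declared `public static` and non-`volatile` in the new field block, yet it is the authorization client that every `checkPermission` call consults and it is published through double-checked locking in `initRangerClientImpl` later in this patch; without `volatile` a second thread can observe the reference before `tmpClient.init(conf)` has completed, and any class in the JVM can reassign or null it. Make it `private static volatile` and expose a read-only accessor, `static RangerQcloudObjectStorageClient getRangerClient() { return rangerQcloudObjectStorageStorageClient; }`, for `RangerCredentialsProvider`, the only other reader visible in this patch. A one-line comment on the field stating that it is process-wide and shared by every `CosFileSystem` instance would also help the next reader.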
@@ -70,7 +87,17 @@ public void initialize(URI uri, Configuration conf) throws IOException { super.initialize(uri, conf); setConf(conf); + // initialize the things authorization related. + UserGroupInformation.setConfiguration(conf); + this.userGroupInformation = UserGroupInformation.getCurrentUser(); + this.initRangerClientImpl(conf); + String bucket = uri.getHost(); + this.bucket = bucket; + this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority()); + this.workingDir = new Path("/user", System.getProperty("user.name")) + .makeQualified(this.uri, this.getWorkingDirectory()); + if (null == this.nativeStore) { this.nativeStore = CosNUtils.createDefaultStore(conf); this.nativeStore.initialize(uri, conf); @@ -116,6 +143,7 @@ public void initialize(URI uri, Configuration conf) throws IOException { ((CosNFileSystem) this.actualImplFS).withPosixBucket(this.isPosixFSStore); } + this.actualImplFS.initialize(uri, conf); } @@ -145,12 +173,14 @@ public Path getHomeDirectory() { public FSDataOutputStream append(Path f, int bufferSize, Progressable progress) throws IOException { LOG.debug("append file [{}] in COS.", f); + checkPermission(f, RangerAccessType.WRITE); return this.actualImplFS.append(f, bufferSize, progress); } @Override public boolean truncate(Path f, long newLength) throws IOException { LOG.debug("truncate file [{}] in COS.", f); + checkPermission(f, RangerAccessType.WRITE); return this.actualImplFS.truncate(f, newLength); } @@ -161,6 +191,7 @@ public FSDataOutputStream create(Path f, FsPermission permission, long blockSize, Progressable progress) throws IOException { LOG.debug("Creating a new file [{}] in COS.", f); + checkPermission(f, RangerAccessType.WRITE); return this.actualImplFS.create(f, permission, overwrite, bufferSize, replication, blockSize, progress); } 
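Review bot: The home/working directory in `initialize` is derived from the JVM property `user.name`, while the identity that is authorized and named in denial messages is `userGroupInformation`; on a Kerberos or proxy-user cluster these differ, so relative paths handed to `checkPermission` would be resolved under the wrong home. Use `this.userGroupInformation.getShortUserName()` in place of `System.getProperty("user.name")`. Note also that `makeQualified(this.uri, this.getWorkingDirectory())` runs while `this.workingDir` is still null and only works because `/user/<name>` is absolute, which deserves a comment such as `// workingDir is still null here; the path is absolute so makeQualified never consults it`. `UserGroupInformation.setConfiguration(conf)` is process-global and is now re-applied on every `initialize`, which is harmless only when every FileSystem in the JVM shares one security configuration; worth stating next to the call.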
@@ -169,12 +200,14 @@ public FSDataOutputStream create(Path f, FsPermission permission, @Override public boolean delete(Path f, boolean recursive) throws IOException { LOG.debug("Ready to delete path: {}. recursive: {}.", f, recursive); + checkPermission(f, RangerAccessType.DELETE); return this.actualImplFS.delete(f, recursive); } @Override public FileStatus getFileStatus(Path f) throws IOException { LOG.debug("Get file status: {}.", f); + checkPermission(f, RangerAccessType.READ); return this.actualImplFS.getFileStatus(f); } @@ -196,6 +229,7 @@ public URI getUri() { @Override public FileStatus[] listStatus(Path f) throws FileNotFoundException, IOException { LOG.debug("list status:" + f); + checkPermission(f, RangerAccessType.LIST); return this.actualImplFS.listStatus(f); } @@ -203,18 +237,22 @@ public FileStatus[] listStatus(Path f) throws FileNotFoundException, IOException public boolean mkdirs(Path f, FsPermission permission) throws IOException { LOG.debug("mkdirs path: {}.", f); + checkPermission(f, RangerAccessType.WRITE); return this.actualImplFS.mkdirs(f, permission); } @Override public FSDataInputStream open(Path f, int bufferSize) throws IOException { LOG.debug("Open file [{}] to read, buffer [{}]", f, bufferSize); + checkPermission(f, RangerAccessType.READ); return this.actualImplFS.open(f, bufferSize); } @Override public boolean rename(Path src, Path dst) throws IOException { LOG.debug("Rename the source path [{}] to the dest path [{}].", src, dst); + checkPermission(src, RangerAccessType.DELETE); + checkPermission(dst, RangerAccessType.WRITE); return this.actualImplFS.rename(src, dst); } 
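Review bot: `delete(f, recursive)` and `rename(src, dst)` authorize only the key of `f`, `src` and `dst` themselves; a recursive delete or a directory rename then touches every key underneath without a further check, which is only safe if the Ranger policy model treats a key as covering its prefix, and that is not visible here. State the assumption next to the checks: `// NOTE: only the top-level key is authorized; sub-keys are assumed covered by prefix policies`. Since this patch also strips the same checks from `CosNFileSystem`, `actualImplFS` enforces nothing itself, so any code that instantiates the inner filesystem directly (the `todo: flink ...` comment in that class hints at such callers) bypasses Ranger entirely; the class documentation should say that authorization exists only in this wrapper.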
@@ -228,17 +266,19 @@ public long getDefaultBlockSize() { */ @Override public void setWorkingDirectory(Path newDir) { + this.workingDir = newDir; this.actualImplFS.setWorkingDirectory(newDir); } @Override public Path getWorkingDirectory() { - return this.actualImplFS.getWorkingDirectory(); + return this.workingDir; } @Override public FileChecksum getFileChecksum(Path f, long length) throws IOException { LOG.debug("call the checksum for the path: {}.", f); + checkPermission(f, RangerAccessType.READ); Preconditions.checkArgument(length >= 0); return this.actualImplFS.getFileChecksum(f, length); } @@ -256,6 +296,7 @@ public FileChecksum getFileChecksum(Path f, long length) throws IOException { @Override public void setXAttr(Path f, String name, byte[] value, EnumSet flag) throws IOException { LOG.debug("set XAttr: {}.", f); + checkPermission(f, RangerAccessType.WRITE); this.actualImplFS.setXAttr(f, name, value, flag); } @@ -270,6 +311,7 @@ public void setXAttr(Path f, String name, byte[] value, EnumSet fl @Override public byte[] getXAttr(Path f, String name) throws IOException { LOG.debug("get XAttr: {}.", f); + checkPermission(f, RangerAccessType.READ); return this.actualImplFS.getXAttr(f, name); } @@ -284,12 +326,14 @@ public byte[] getXAttr(Path f, String name) throws IOException { @Override public Map getXAttrs(Path f, List names) throws IOException { LOG.debug("get XAttrs: {}.", f); + checkPermission(f, RangerAccessType.READ); return this.actualImplFS.getXAttrs(f, names); } @Override public Map getXAttrs(Path f) throws IOException { LOG.debug("get XAttrs: {}.", f); + checkPermission(f, RangerAccessType.READ); return this.actualImplFS.getXAttrs(f); } 
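Review bot: `getWorkingDirectory()` no longer delegates, so the wrapper's `workingDir`, which `checkPermission` uses to resolve relative paths, can drift from the directory `actualImplFS` actually resolves against: `setWorkingDirectory` stores `newDir` exactly as given, while the inner filesystem may qualify or normalize it and sets its own initial value in its own `initialize` (not visible here). If the two disagree, the authorized key and the accessed key differ for every relative path. After forwarding, read the effective value back with `this.workingDir = this.actualImplFS.getWorkingDirectory();`, and assign the field the same way once `actualImplFS.initialize` has run so the authorization path and the access path stay aligned.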
@@ -303,12 +347,14 @@ public Map getXAttrs(Path f) throws IOException { @Override public void removeXAttr(Path f, String name) throws IOException { LOG.debug("remove XAttr: {}.", f); + checkPermission(f, RangerAccessType.WRITE); this.actualImplFS.removeXAttr(f, name); } @Override public List listXAttrs(Path f) throws IOException { LOG.debug("list XAttrs: {}.", f); + checkPermission(f, RangerAccessType.READ); return this.actualImplFS.listXAttrs(f); } @@ -316,7 +362,10 @@ public List listXAttrs(Path f) throws IOException { public Token getDelegationToken(String renewer) throws IOException { LOG.info("getDelegationToken, renewer: {}, stack: {}", renewer, Arrays.toString(Thread.currentThread().getStackTrace()).replace(',', '\n')); - return this.actualImplFS.getDelegationToken(renewer); + if (rangerQcloudObjectStorageStorageClient != null) { + return rangerQcloudObjectStorageStorageClient.getDelegationToken(renewer); + } + return super.getDelegationToken(renewer); } public NativeFileSystemStore getStore() { 
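Review bot: `getDelegationToken` logs the full current stack trace at INFO on every call via `Arrays.toString(Thread.currentThread().getStackTrace())`, which is debugging output that will flood the logs of any job that collects delegation tokens at submission. Drop it to `LOG.debug` and wrap it in `if (LOG.isDebugEnabled())` so the stack is not captured when it is not going to be printed. The fallback `super.getDelegationToken(renewer)` yields no token when no Ranger client is configured, pairing with the null `getCanonicalServiceName` added later in this patch; a one-line comment stating that pairing, `// no Ranger client: no canonical service name and no token`, would help.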
@@ -355,6 +404,114 @@ public void releaseFileLock(Path f) throws IOException { } } + @Override + public String getCanonicalServiceName() { + if (rangerQcloudObjectStorageStorageClient != null) { + return rangerQcloudObjectStorageStorageClient.getCanonicalServiceName(); + } + return null; + } + + private void initRangerClientImpl(Configuration conf) throws IOException { + Class[] cosClasses = CosNUtils.loadCosProviderClasses( + conf, + CosNConfigKeys.COSN_CREDENTIALS_PROVIDER); + + if (cosClasses.length == 0) { + this.enableRangerPluginPermissionCheck = false; + return; + } + + for (Class credClass : cosClasses) { + if (credClass.getName().contains(RangerCredentialsProvider.class.getName())) { + this.enableRangerPluginPermissionCheck = true; + break; + } + } + + if (!this.enableRangerPluginPermissionCheck) { + return; + } + + Class rangerClientImplClass = conf.getClass(CosNConfigKeys.COSN_RANGER_PLUGIN_CLIENT_IMPL, null); + if (rangerClientImplClass == null) { + try { + rangerClientImplClass = conf.getClassByName(CosNConfigKeys.DEFAULT_COSN_RANGER_PLUGIN_CLIENT_IMPL); + } catch (ClassNotFoundException e) { + throw new RuntimeException(e); + } + } + + if (rangerQcloudObjectStorageStorageClient == null) { + synchronized (CosFileSystem.class) { + if (rangerQcloudObjectStorageStorageClient == null) { + try { + RangerQcloudObjectStorageClient tmpClient = + (RangerQcloudObjectStorageClient) rangerClientImplClass.newInstance(); + tmpClient.init(conf); + rangerQcloudObjectStorageStorageClient = tmpClient; + } catch (Exception e) { + LOG.error(String.format("init %s failed", CosNConfigKeys.COSN_RANGER_PLUGIN_CLIENT_IMPL), e); + throw new IOException(String.format("init %s failed", + CosNConfigKeys.COSN_RANGER_PLUGIN_CLIENT_IMPL), e); + } + } + } + } + + } + + private void checkPermission(Path f, RangerAccessType rangerAccessType) throws IOException { + if (!this.enableRangerPluginPermissionCheck) { + return; + } + + AccessType accessType = null; + switch (rangerAccessType) { 
+ case LIST: + accessType = AccessType.LIST; + break; + case WRITE: + accessType = AccessType.WRITE; + break; + case READ: + accessType = AccessType.READ; + break; + case DELETE: + accessType = AccessType.DELETE; + break; + default: + throw new IOException(String.format("unknown access type %s", rangerAccessType.toString())); + } + + Path absolutePath = makeAbsolute(f); + String allowKey = CosNFileSystem.pathToKey(absolutePath); + if (allowKey.startsWith("/")) { + allowKey = allowKey.substring(1); + } + + PermissionRequest permissionReq = new PermissionRequest(ServiceType.COS, accessType, + CosNUtils.getBucketNameWithoutAppid(this.bucket, this.getConf().get(CosNConfigKeys.COSN_APPID_KEY)), + allowKey, "", ""); + boolean allowed = false; + PermissionResponse permission = rangerQcloudObjectStorageStorageClient.checkPermission(permissionReq); + if (permission != null) { + allowed = permission.isAllowed(); + } + if (!allowed) { + throw new IOException(String.format("Permission denied, [key: %s], [user: %s], [operation: %s]", + allowKey, this.userGroupInformation.getShortUserName(), rangerAccessType.name())); + } + } + + private Path makeAbsolute(Path path) { + if (path.isAbsolute()) { + return path; + } + return new Path(workingDir, path); + } + + @Override public void close() throws IOException { LOG.info("begin to close cos file system"); diff --git a/src/main/java/org/apache/hadoop/fs/CosNConfigKeys.java b/src/main/java/org/apache/hadoop/fs/CosNConfigKeys.java index 86391e14..304a18b1 100644 --- a/src/main/java/org/apache/hadoop/fs/CosNConfigKeys.java +++ b/src/main/java/org/apache/hadoop/fs/CosNConfigKeys.java 
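Review bot: A denied `checkPermission` throws a plain `IOException`, so callers cannot tell an authorization failure from a transient I/O error; Hadoop's convention is `org.apache.hadoop.security.AccessControlException`, a subclass of `IOException`, so the method signature is unchanged: `throw new AccessControlException(String.format("Permission denied, [key: %s], [user: %s], [operation: %s]", allowKey, this.userGroupInformation.getShortUserName(), rangerAccessType.name()));` with the matching import. In `initRangerClientImpl`, Ranger is detected with `credClass.getName().contains(RangerCredentialsProvider.class.getName())`, a substring test that any class whose name merely contains that string satisfies; `RangerCredentialsProvider.class.isAssignableFrom(credClass)` is the precise check. The class named by `COSN_RANGER_PLUGIN_CLIENT_IMPL` is instantiated with `newInstance()` before it is known to implement `RangerQcloudObjectStorageClient`; the resulting `ClassCastException` is caught by `catch (Exception e)`, but checking `isAssignableFrom` first avoids running an arbitrary configured constructor. The `ClassNotFoundException` branch wraps in `RuntimeException` while every other failure in the method becomes `IOException`; make it consistent.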
@@ -12,7 +12,7 @@ @InterfaceStability.Unstable public class CosNConfigKeys extends CommonConfigurationKeys { public static final String USER_AGENT = "fs.cosn.user.agent"; - public static final String DEFAULT_USER_AGENT = "cos-hadoop-plugin-v8.1.0"; + public static final String DEFAULT_USER_AGENT = "cos-hadoop-plugin-v8.1.1"; public static final String TENCENT_EMR_VERSION_KEY = "fs.emr.version"; diff --git a/src/main/java/org/apache/hadoop/fs/CosNFileSystem.java b/src/main/java/org/apache/hadoop/fs/CosNFileSystem.java index bf6e2592..95463bf5 100644 --- a/src/main/java/org/apache/hadoop/fs/CosNFileSystem.java +++ b/src/main/java/org/apache/hadoop/fs/CosNFileSystem.java @@ -2,23 +2,15 @@ import com.google.common.base.Preconditions; import com.google.common.util.concurrent.ThreadFactoryBuilder; -import com.qcloud.chdfs.permission.RangerAccessType; import com.qcloud.cos.utils.StringUtils; import org.apache.hadoop.HadoopIllegalArgumentException; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.auth.RangerCredentialsProvider; import org.apache.hadoop.fs.cosn.BufferPool; import org.apache.hadoop.fs.cosn.CRC32CCheckSum; import org.apache.hadoop.fs.cosn.CRC64Checksum; import org.apache.hadoop.fs.cosn.Unit; -import org.apache.hadoop.fs.cosn.ranger.client.RangerQcloudObjectStorageClient; -import org.apache.hadoop.fs.cosn.ranger.security.authorization.AccessType; -import org.apache.hadoop.fs.cosn.ranger.security.authorization.PermissionRequest; -import org.apache.hadoop.fs.cosn.ranger.security.authorization.PermissionResponse; -import org.apache.hadoop.fs.cosn.ranger.security.authorization.ServiceType; import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.token.Token; import org.apache.hadoop.util.Progressable; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -58,11 +50,6 @@ public class CosNFileSystem extends FileSystem { private ExecutorService boundedIOThreadPool; private ExecutorService boundedCopyThreadPool; - // Authorization related. - private UserGroupInformation userGroupInformation; - private boolean enableRangerPluginPermissionCheck = false; - public static RangerQcloudObjectStorageClient rangerQcloudObjectStorageStorageClient = null; - // todo: flink or some other case must replace with inner structure. public CosNFileSystem() { } @@ -201,11 +188,6 @@ public void rejectedExecution(Runnable r, } } ); - - // initialize the things authorization related. - UserGroupInformation.setConfiguration(conf); - this.userGroupInformation = UserGroupInformation.getCurrentUser(); - this.initRangerClientImpl(conf); } @Override @@ -235,8 +217,6 @@ public FSDataOutputStream append(Path f, int bufferSize, throw new UnsupportedOperationException("Not supported currently"); } - checkPermission(f, RangerAccessType.WRITE); - FileStatus fileStatus = this.getFileStatus(f); if (fileStatus.isDirectory()) { throw new FileAlreadyExistsException(f + " is a directory."); @@ -257,8 +237,6 @@ public boolean truncate(Path f, long newLength) throws IOException { throw new UnsupportedOperationException("Not supported currently."); } - checkPermission(f, RangerAccessType.WRITE); - FileStatus fileStatus = this.getFileStatus(f); if (fileStatus.isDirectory()) { throw new FileNotFoundException(f + " is a directory."); @@ -302,8 +280,6 @@ public FSDataOutputStream create(Path f, FsPermission permission, int bufferSize, short replication, long blockSize, Progressable progress) throws IOException { - checkPermission(f, RangerAccessType.WRITE); - // preconditions try { FileStatus targetFileStatus = this.getFileStatus(f); 
@@ -346,8 +322,6 @@ private boolean rejectRootDirectoryDelete(boolean isEmptyDir, @Override public boolean delete(Path f, boolean recursive) throws IOException { - checkPermission(f, RangerAccessType.DELETE); - FileStatus status; try { status = getFileStatus(f); @@ -447,8 +421,6 @@ private void internalAutoRecursiveDelete(String key) throws IOException { @Override public FileStatus getFileStatus(Path f) throws IOException { - checkPermission(f, RangerAccessType.READ); - Path absolutePath = makeAbsolute(f); String key = pathToKey(absolutePath); @@ -502,8 +474,6 @@ public FileStatus getFileStatus(Path f) throws IOException { @Override public FileStatus[] listStatus(Path f) throws IOException { - checkPermission(f, RangerAccessType.LIST); - Path absolutePath = makeAbsolute(f); String key = pathToKey(absolutePath); int listMaxLength = CosNFileSystem.BUCKET_LIST_LIMIT; @@ -611,8 +581,6 @@ private void validatePath(Path path) throws IOException { // blew is the target @Override public boolean mkdirs(Path f, FsPermission permission) throws IOException { - checkPermission(f, RangerAccessType.WRITE); - try { FileStatus fileStatus = getFileStatus(f); if (fileStatus.isDirectory()) { @@ -704,8 +672,6 @@ public boolean mkDirAutoRecursively(Path f, FsPermission permission) @Override public FSDataInputStream open(Path f, int bufferSize) throws IOException { - checkPermission(f, RangerAccessType.READ); - FileStatus fileStatus = getFileStatus(f); // will throw if the file doesn't // exist if (fileStatus.isDirectory()) { @@ -722,9 +688,6 @@ public FSDataInputStream open(Path f, int bufferSize) throws IOException { @Override public boolean rename(Path src, Path dst) throws IOException { - checkPermission(src, RangerAccessType.DELETE); - checkPermission(dst, RangerAccessType.WRITE); - // Renaming the root directory is not allowed if (src.isRoot()) { LOG.debug("Cannot rename the root directory of a filesystem."); 
@@ -936,20 +899,10 @@ public Path getWorkingDirectory() { return workingDir; } - @Override - public String getCanonicalServiceName() { - if (rangerQcloudObjectStorageStorageClient != null) { - return rangerQcloudObjectStorageStorageClient.getCanonicalServiceName(); - } - return null; - } - @Override public FileChecksum getFileChecksum(Path f, long length) throws IOException { Preconditions.checkArgument(length >= 0); - checkPermission(f, RangerAccessType.READ); - if (this.getConf().getBoolean(CosNConfigKeys.CRC64_CHECKSUM_ENABLED, CosNConfigKeys.DEFAULT_CRC64_CHECKSUM_ENABLED)) { Path absolutePath = makeAbsolute(f); @@ -989,8 +942,6 @@ public FileChecksum getFileChecksum(Path f, long length) throws IOException { */ @Override public void setXAttr(Path f, String name, byte[] value, EnumSet flag) throws IOException { - checkPermission(f, RangerAccessType.WRITE); - // First, determine whether the length of the name and value exceeds the limit. if (name.getBytes(METADATA_ENCODING).length + value.length > MAX_XATTR_SIZE) { throw new HadoopIllegalArgumentException(String.format("The maximum combined size of " + @@ -1025,8 +976,6 @@ public void setXAttr(Path f, String name, byte[] value, EnumSet fl */ @Override public byte[] getXAttr(Path f, String name) throws IOException { - checkPermission(f, RangerAccessType.READ); - Path absolutePath = makeAbsolute(f); String key = pathToKey(absolutePath); FileMetadata fileMetadata = nativeStore.retrieveMetadata(key); @@ -1051,10 +1000,8 @@ public byte[] getXAttr(Path f, String name) throws IOException { */ @Override public Map getXAttrs(Path f, List names) throws IOException { - checkPermission(f, RangerAccessType.READ); Path absolutePath = makeAbsolute(f); - String key = pathToKey(absolutePath); FileMetadata fileMetadata = nativeStore.retrieveMetadata(key); if (null == fileMetadata) { 
@@ -1076,10 +1023,8 @@ public Map getXAttrs(Path f, List names) throws IOExcept @Override public Map getXAttrs(Path f) throws IOException { - checkPermission(f, RangerAccessType.READ); Path absolutePath = makeAbsolute(f); - String key = pathToKey(absolutePath); FileMetadata fileMetadata = nativeStore.retrieveMetadata(key); if (null == fileMetadata) { @@ -1098,8 +1043,6 @@ public Map getXAttrs(Path f) throws IOException { */ @Override public void removeXAttr(Path f, String name) throws IOException { - checkPermission(f, RangerAccessType.WRITE); - Path absolutPath = makeAbsolute(f); String key = pathToKey(absolutPath); FileMetadata fileMetadata = nativeStore.retrieveMetadata(key); @@ -1122,8 +1065,6 @@ public void removeXAttr(Path f, String name) throws IOException { @Override public List listXAttrs(Path f) throws IOException { - checkPermission(f, RangerAccessType.READ); - Path absolutePath = makeAbsolute(f); String key = pathToKey(absolutePath); FileMetadata fileMetadata = nativeStore.retrieveMetadata(key); @@ -1134,16 +1075,6 @@ public List listXAttrs(Path f) throws IOException { return new ArrayList<>(fileMetadata.getUserAttributes().keySet()); } - @Override - public Token getDelegationToken(String renewer) throws IOException { - LOG.info("getDelegationToken, renewer: {}, stack: {}", - renewer, Arrays.toString(Thread.currentThread().getStackTrace()).replace(',', '\n')); - if (rangerQcloudObjectStorageStorageClient != null) { - return rangerQcloudObjectStorageStorageClient.getDelegationToken(renewer); - } - return super.getDelegationToken(renewer); - } - @Override public void close() throws IOException { try { 
@@ -1229,98 +1160,6 @@ private String getOwnerInfo(boolean getOwnerId) { return ownerInfoId; } - private void initRangerClientImpl(Configuration conf) throws IOException { - Class[] cosClasses = CosNUtils.loadCosProviderClasses( - conf, - CosNConfigKeys.COSN_CREDENTIALS_PROVIDER); - - if (cosClasses.length == 0) { - this.enableRangerPluginPermissionCheck = false; - return; - } - - for (Class credClass : cosClasses) { - if (credClass.getName().contains(RangerCredentialsProvider.class.getName())) { - this.enableRangerPluginPermissionCheck = true; - break; - } - } - - if (!this.enableRangerPluginPermissionCheck) { - return; - } - - Class rangerClientImplClass = conf.getClass(CosNConfigKeys.COSN_RANGER_PLUGIN_CLIENT_IMPL, null); - if (rangerClientImplClass == null) { - try { - rangerClientImplClass = conf.getClassByName(CosNConfigKeys.DEFAULT_COSN_RANGER_PLUGIN_CLIENT_IMPL); - } catch (ClassNotFoundException e) { - throw new RuntimeException(e); - } - } - - if (rangerQcloudObjectStorageStorageClient == null) { - synchronized (CosFileSystem.class) { - if (rangerQcloudObjectStorageStorageClient == null) { - try { - RangerQcloudObjectStorageClient tmpClient = - (RangerQcloudObjectStorageClient) rangerClientImplClass.newInstance(); - tmpClient.init(conf); - rangerQcloudObjectStorageStorageClient = tmpClient; - } catch (Exception e) { - LOG.error(String.format("init %s failed", CosNConfigKeys.COSN_RANGER_PLUGIN_CLIENT_IMPL), e); - throw new IOException(String.format("init %s failed", - CosNConfigKeys.COSN_RANGER_PLUGIN_CLIENT_IMPL), e); - } - } - } - } - - } - - private void checkPermission(Path f, RangerAccessType rangerAccessType) throws IOException { - if (!this.enableRangerPluginPermissionCheck) { - return; - } - - AccessType accessType = null; - switch (rangerAccessType) { - case LIST: - accessType = AccessType.LIST; - break; - case WRITE: - accessType = AccessType.WRITE; - break; - case READ: - accessType = AccessType.READ; - break; - case DELETE: - accessType = 
AccessType.DELETE; - break; - default: - throw new IOException(String.format("unknown access type %s", rangerAccessType.toString())); - } - - Path absolutePath = makeAbsolute(f); - String allowKey = CosNFileSystem.pathToKey(absolutePath); - if (allowKey.startsWith("/")) { - allowKey = allowKey.substring(1); - } - - PermissionRequest permissionReq = new PermissionRequest(ServiceType.COS, accessType, - CosNUtils.getBucketNameWithoutAppid(this.bucket, this.getConf().get(CosNConfigKeys.COSN_APPID_KEY)), - allowKey, "", ""); - boolean allowed = false; - PermissionResponse permission = rangerQcloudObjectStorageStorageClient.checkPermission(permissionReq); - if (permission != null) { - allowed = permission.isAllowed(); - } - if (!allowed) { - throw new IOException(String.format("Permission denied, [key: %s], [user: %s], [operation: %s]", - allowKey, this.userGroupInformation.getShortUserName(), rangerAccessType.name())); - } - } - private Path makeAbsolute(Path path) { if (path.isAbsolute()) { return path; diff --git a/src/main/java/org/apache/hadoop/fs/auth/RangerCredentialsProvider.java b/src/main/java/org/apache/hadoop/fs/auth/RangerCredentialsProvider.java index dccb19a5..19a2f442 100644 --- a/src/main/java/org/apache/hadoop/fs/auth/RangerCredentialsProvider.java +++ b/src/main/java/org/apache/hadoop/fs/auth/RangerCredentialsProvider.java @@ -76,7 +76,7 @@ private boolean needSyncFetchNewCredentials() { private COSCredentials fetchNewCredentials() { try { - GetSTSResponse stsResp = CosNFileSystem.rangerQcloudObjectStorageStorageClient.getSTS(bucketRegion, + GetSTSResponse stsResp = CosFileSystem.rangerQcloudObjectStorageStorageClient.getSTS(bucketRegion, bucketNameWithoutAppid); COSCredentials cosCredentials = null;
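Review bot: `CosFileSystem.rangerQcloudObjectStorageStorageClient` is dereferenced without a null check, and after this patch the static is populated only by `CosFileSystem.initialize`; a `RangerCredentialsProvider` configured for a store created outside that wrapper will hit a NullPointerException here, which the surrounding `try` (its `catch` is outside the hunk) may or may not mask into a silent credential failure. Fail explicitly: `if (CosFileSystem.rangerQcloudObjectStorageStorageClient == null) throw new IOException("Ranger client not initialized; RangerCredentialsProvider requires CosFileSystem");`. `fetchNewCredentials` continues past the hunk.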