[java] KUDU-2972: Add Kudu Ranger plugin

This commit adds the Kudu Ranger plugin for retrieving authorization
decision from the Ranger service. It also introduces the Ranger subprocess
which utilizes the plugin and communicates the authz decision with
Kudu master via protobuf message.

Change-Id: I0c995ac1a48ebf57667231cd3a82d3794f6ddf8d
Reviewed-on: http://gerrit.cloudera.org:8080/15074
Tested-by: Hao Hao <hao.hao@cloudera.com>
Reviewed-by: Adar Dembo <adar@cloudera.com>
Reviewed-by: Andrew Wong <awong@cloudera.com>

Author: haohaoc

CMakeLists.txt

@@ -1417,6 +1417,7 @@ add_subdirectory(src/kudu/integration-tests)
 add_subdirectory(src/kudu/kserver)
 add_subdirectory(src/kudu/master)
 add_subdirectory(src/kudu/mini-cluster)
+add_subdirectory(src/kudu/ranger)
 add_subdirectory(src/kudu/rebalance)
 add_subdirectory(src/kudu/rpc)
 add_subdirectory(src/kudu/security)

java/gradle/dependencies.gradle

@@ -51,6 +51,7 @@ versions += [
     osdetector     : "1.6.2",
     parquet        : "1.11.0",
     protobuf       : "3.11.3",
+    ranger         : "2.0.0",
     scala          : "2.11.12",
     scalatest      : "3.0.8",
     scopt          : "3.7.1",
@@ -106,6 +107,7 @@ libs += [
     protobufJava         : "com.google.protobuf:protobuf-java:$versions.protobuf",
     protobufJavaUtil     : "com.google.protobuf:protobuf-java-util:$versions.protobuf",
     protoc               : "com.google.protobuf:protoc:$versions.protobuf",
+    rangerPlugin         : "org.apache.ranger:ranger-plugins-common:$versions.ranger",
     scalaLibrary         : "org.scala-lang:scala-library:$versions.scala",
     scalap               : "org.scala-lang:scalap:$versions.scala",
     scalatest            : "org.scalatest:scalatest_$versions.scalaBase:$versions.scalatest",

java/kudu-subprocess/build.gradle

@@ -19,17 +19,23 @@ apply from: "$rootDir/gradle/protobuf.gradle"
 apply from: "$rootDir/gradle/shadow.gradle"
 
 dependencies {
+  compile libs.hadoopCommon
   compile libs.protobufJava
   compile libs.protobufJavaUtil
-  compile libs.hadoopCommon
+  compile libs.rangerPlugin
   compile libs.slf4jApi
 
+  // Workaround for RANGER-2749. Remove once resolved.
+  compile "commons-lang:commons-lang:2.6"
+
+  optional libs.jsr305
   optional libs.yetusAnnotations
 
   testCompile project(path: ":kudu-test-utils", configuration: "shadow")
   testCompile libs.junit
   testCompile libs.log4j
   testCompile libs.log4jSlf4jImpl
+  testCompile libs.mockitoCore
 }
 
 // Add protobuf files to the proto source set.

java/kudu-subprocess/src/main/java/org/apache/kudu/subprocess/ranger/RangerProtocolHandler.java

@@ -0,0 +1,71 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.kudu.subprocess.ranger;
+
+import org.apache.kudu.ranger.Ranger.RangerRequestListPB;
+import org.apache.kudu.ranger.Ranger.RangerResponseListPB;
+import org.apache.kudu.ranger.Ranger.RangerResponsePB;
+import org.apache.kudu.subprocess.ProtocolHandler;
+import org.apache.kudu.subprocess.ranger.authorization.RangerKuduAuthorizer;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Class that sends requests to Ranger and gets authorization decision
+ * (e.g. allow or deny) as a response.
+ */
+@InterfaceAudience.Private
+class RangerProtocolHandler extends ProtocolHandler<RangerRequestListPB,
+                                                    RangerResponseListPB> {
+  private static final Logger LOG = LoggerFactory.getLogger(RangerProtocolHandler.class);
+
+  // The Ranger Kudu authorizer plugin. This field is not final
+  // as it is used in the mock test.
+  @InterfaceAudience.LimitedPrivate("Test")
+  static RangerKuduAuthorizer authz = new RangerKuduAuthorizer();
+
+  RangerProtocolHandler() {
+    authz.init();
+  }
+
+  @Override
+  protected RangerResponseListPB executeRequest(RangerRequestListPB requests) {
+    RangerResponseListPB.Builder responses = RangerResponseListPB.newBuilder();
+    for (RangerAccessResult result : authz.authorize(requests)) {
+      // The result can be null when Ranger plugin fails to load the policies
+      // from the Ranger admin server.
+      // TODO(Hao): add a test for the above case.
+      boolean isAllowed = (result != null && result.getIsAllowed());
+      RangerResponsePB.Builder response = RangerResponsePB.newBuilder();
+      response.setAllowed(isAllowed);
+      responses.addResponses(response);
+      if (LOG.isDebugEnabled()) {
+        LOG.debug(String.format("RangerAccessRequest [%s] receives result [%s]",
+                                result.getAccessRequest().toString(), result.toString()));
+      }
+    }
+    return responses.build();
+  }
+
+  @Override
+  protected Class<RangerRequestListPB> getRequestClass() {
+    return RangerRequestListPB.class;
+  }
+}

java/kudu-subprocess/src/main/java/org/apache/kudu/subprocess/ranger/RangerSubprocessMain.java

@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.kudu.subprocess.ranger;
+
+import org.apache.kudu.subprocess.SubprocessExecutor;
+import org.apache.yetus.audience.InterfaceAudience;
+
+// The Ranger subprocess that wraps the Kudu Ranger plugin. For the
+// plugin to successfully connect to the Ranger service, configurations
+// such as ranger-kudu-security.xml (and ranger-kudu-policymgr-ssl.xml
+// for SSL connection) are required. To enable auditing in Ranger,
+// ranger-kudu-security.xml is needed. The plugin also requires
+// core-site.xml to use Hadoop UserGroupInformation for user group
+// resolution.
+@InterfaceAudience.Private
+class RangerSubprocessMain {
+
+  public static void main(String[] args) throws Exception {
+    SubprocessExecutor subprocessExecutor = new SubprocessExecutor();
+    RangerProtocolHandler protocolProcessor = new RangerProtocolHandler();
+    subprocessExecutor.run(args, protocolProcessor, /* timeoutMs= */-1);
+  }
+}

java/kudu-subprocess/src/main/java/org/apache/kudu/subprocess/ranger/authorization/RangerKuduAuthorizer.java

@@ -0,0 +1,185 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.kudu.subprocess.ranger.authorization;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.kudu.ranger.Ranger.RangerRequestListPB;
+import org.apache.kudu.ranger.Ranger.RangerRequestPB;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.annotation.Nullable;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class RangerKuduAuthorizer {
+  private static final Logger LOG = LoggerFactory.getLogger(RangerKuduAuthorizer.class);
+  // The following properties need to match the Kudu service def in Ranger
+  // (https://github.com/apache/ranger/blob/master/agents-common/src/main/resources/service-defs/ranger-servicedef-kudu.json).
+  private static final String APP_ID = "kudu";
+  private static final String RANGER_DB_RESOURCE_NAME = "database";
+  private static final String RANGER_TABLE_RESOURCE_NAME = "table";
+  private static final String RANGER_COLUMN_RESOURCE_NAME = "column";
+  private static final String SERVICE_TYPE = "kudu";
+
+  // The Ranger Kudu plugin. This field is not final as it is used in the
+  // mock test.
+  @InterfaceAudience.LimitedPrivate("Test")
+  RangerBasePlugin plugin;
+
+  public RangerKuduAuthorizer() {
+    plugin = new RangerBasePlugin(SERVICE_TYPE, APP_ID);
+    plugin.setResultProcessor(new RangerDefaultAuditHandler());
+  }
+
+  /**
+   * Initializes the Ranger Kudu plugin, which has to be called explicitly
+   * before doing any authorizations.
+   */
+  public void init() {
+    LOG.info("Initializing Ranger Kudu plugin");
+    plugin.init();
+  }
+
+  /**
+   *  Authorizes a given <code>RangerRequestListPB</code> in Ranger and returns
+   *  a list of <code>RangerAccessResult</code> which contains the authorization
+   *  decisions. Note that the order of results is determined by the order of
+   *  requests.
+   *
+   * @param requests a RangerRequestListPB
+   * @return a list of RangerAccessResult
+   */
+  @VisibleForTesting
+  public Collection<RangerAccessResult> authorize(RangerRequestListPB requests) {
+    Collection<RangerAccessRequest> rangerRequests = createRequests(requests);
+    // Reject requests if user field is empty.
+    if (!requests.hasUser() || requests.getUser().isEmpty()) {
+      Collection<RangerAccessResult> results = new ArrayList<>();
+      for (RangerAccessRequest request : rangerRequests) {
+        // Create a 'dummy' RangerAccessResult that denies the request (to have
+        // a short cut), instead of sending the request to Ranger.
+        RangerAccessResult result = new RangerAccessResult(
+            /* policyType= */1, APP_ID,
+            new RangerServiceDef(), request);
+        result.setIsAllowed(false);
+        results.add(result);
+      }
+      return results;
+    }
+    return plugin.isAccessAllowed(rangerRequests);
+  }
+
+  /**
+   * Gets a list of authorization decision from Ranger with the specified list
+   * of ranger access request.
+   *
+   * @param requests a list of RangerAccessRequest
+   * @return a list of RangerAccessResult
+   */
+  @VisibleForTesting
+  Collection<RangerAccessResult> authorize(Collection<RangerAccessRequest> requests) {
+    return plugin.isAccessAllowed(requests);
+  }
+
+  /**
+   * Creates a Ranger access request for the specified user who performs
+   * the given action on the resource.
+   *
+   * @param action action to be authorized on the resource. Note that when it
+   *               is null, Ranger will match to any valid actions
+   * @param user user who is performing the action
+   * @param groups the set of groups the user belongs to
+   * @param db the database name the action is to be performed on
+   * @param table the table name the action is to be performed on
+   * @param col the column name the action is to be performed on
+   * @return the ranger access request
+   */
+  private static RangerAccessRequestImpl createRequest(
+      @Nullable String action, String user,
+      @Nullable Set<String> groups, @Nullable String db,
+      @Nullable String table, @Nullable String col) {
+    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+    resource.setValue(RANGER_DB_RESOURCE_NAME, db);
+    resource.setValue(RANGER_TABLE_RESOURCE_NAME, table);
+    resource.setValue(RANGER_COLUMN_RESOURCE_NAME, col);
+
+    final RangerAccessRequestImpl request = new RangerAccessRequestImpl();
+    request.setResource(resource);
+    request.setAccessType(action);
+    // Add action as it is used for auditing in Ranger.
+    request.setAction(action);
+    request.setUser(user);
+    request.setUserGroups(groups);
+    return request;
+  }
+
+  /**
+   * Creates a list of <code>RangerAccessRequest</code> for the given
+   * <code>RangerRequestListPB</code>.
+   *
+   * @param requests the given RangerRequestListPB
+   * @return a list of RangerAccessRequest
+   */
+  private static List<RangerAccessRequest> createRequests(RangerRequestListPB requests) {
+    List<RangerAccessRequest> rangerRequests = new ArrayList<>();
+    Preconditions.checkArgument(requests.hasUser());
+    Preconditions.checkArgument(!requests.getUser().isEmpty());
+    final String user = requests.getUser();
+    Set<String> groups = getUserGroups(user);
+    for (RangerRequestPB request : requests.getRequestsList()) {
+      // Action should be lower case to match the Kudu service def in Ranger.
+      String action = request.getAction().name().toLowerCase();
+      String db = request.hasDatabase() ? request.getDatabase() : null;
+      String table = request.hasTable() ? request.getTable() : null;
+      String column = request.hasColumn() ? request.getColumn() : null;
+      rangerRequests.add(createRequest(action, user, groups,
+                                       db, table, column));
+    }
+    return rangerRequests;
+  }
+
+  /**
+   * Gets the user group mapping from Hadoop. The groups of a user is determined by a
+   * group mapping service provider. See more detail at
+   * https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/GroupsMapping.html.
+   *
+   * @param user the user name
+   * @return the set of groups the user belongs to
+   */
+  private static Set<String> getUserGroups(String user) {
+    Preconditions.checkNotNull(user);
+    Preconditions.checkArgument(!user.isEmpty());
+    UserGroupInformation ugi;
+    ugi = UserGroupInformation.createRemoteUser(user);
+    return new HashSet<>(ugi.getGroups());
+  }
+}