feat: add support for 2.6.0 and OPA authorizer (#506)

* feat(test): make it easy to test custom images

* revert some tests to hbase-latest

* fix indentation

* fix access-hbase container image

* wip: temp test setup

* fix yaml lint

* fix opa pull policy

* use AllowAccessController

* Added custom logging to the kerberos test

* Set log4j2 properties in the kerberos test

* Use log4j2 properties starting with HBase 2.6

* Fix clippy errors

* fix kerberos test

* separated opa from kerberos tests

* restore kerberos tests from main

* readd custom image support to the kerberos tests

* reduce opa test dimensions

* example rego rules and test

* use 2.6.0 sandbox image for tests

* working integration test

* update profiler integration test

* fix logging test

* update krb5 image for opa tests

* fix snapshot tests

* fix yaml lint

* working rego rules test

* Operator adds OPA authorizer props

* regenerate charts

* adapted tests to addition of scanner checks

* Update OPA test with authorization props

* replace realm dimension with CLUSTER.LOCAL

* add docs

* Update changelog and test-definition.yaml

* Minor doc tweaks

* docs: separate Rego examples from authorizer configuration

* fix yaml lint

* temporarily use 2.6 for most tests

* Use Hbase 2.6 built in Prometheus exporter.

* Update CHANGELOG.md

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

* Cleanup

* fix markdown lint

* temp: ignore metrics port

* Revert "temp: ignore metrics port"

This reverts commit 4f89ebf.

* Remove dedicated metrics port for 2.6

* Fix typo

* Update monitoring docs

* Move the function closer to where it's actually used.

* Validate custom resource

* regenerate charts

* Add resource type to OPA rules.

* Update op-rs branch

* Add support for 2.4.18

* Update changelog

* Update changelog

* test 2.4.18 and 2.6.0 at the same time

* Fix the log4j2 filename

* cleanups

* Update Cargo.lock

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/partials/supported-versions.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* review feedback

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update docs/modules/hbase/pages/usage-guide/security.adoc

Co-authored-by: Lars Francke <git@lars-francke.de>

---------

Co-authored-by: Andrew Kenworthy <andrew.kenworthy@stackable.de>
Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>
Co-authored-by: Lars Francke <git@lars-francke.de>
Co-authored-by: Siegfried Weber <mail@siegfriedweber.net>

Author: 5 people

CHANGELOG.md

@@ -2,11 +2,23 @@
 
 ## [Unreleased]
 
+### Added
+
+- Added support for HBase 2.6.0 with the following changes ([#506]):
+  - Added `clusterConfig.authorization` property to support the OPA authorizer
+  - Configure log4j2 properties
+  - Use built-in prometheus metric exporter
+- Added support for HBase 2.4.18 ([#523])
+
 ### Changed
 
 - Bump `stackable-operator` from `0.64.0` to `0.70.0` ([#524]).
 - Bump `product-config` from `0.6.0` to `0.7.0` ([#524]).
 
+[#506]: https://github.com/stackabletech/hbase-operator/pull/506
+[#523]: https://github.com/stackabletech/hbase-operator/pull/523
+[#524]: https://github.com/stackabletech/hbase-operator/pull/524
+
 ## [24.3.0] - 2024-03-20
 
 ### Added
@@ -37,7 +49,6 @@
 [#441]: https://github.com/stackabletech/hbase-operator/pull/441
 [#454]: https://github.com/stackabletech/hbase-operator/pull/454
 [#511]: https://github.com/stackabletech/hbase-operator/pull/511
-[#524]: https://github.com/stackabletech/hbase-operator/pull/524
 
 ## [23.11.0] - 2023-11-24
 

Cargo.lock

@@ -27,5 +27,5 @@ strum = { version = "0.26", features = ["derive"] }
 tokio = { version = "1.37", features = ["full"] }
 tracing = "0.1"
 
-# [patch."https://github.com/stackabletech/operator-rs.git"]
-# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+#[patch."https://github.com/stackabletech/operator-rs.git"]
+#stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }

Cargo.toml

@@ -51,6 +51,25 @@ spec:
                       required:
                         - kerberos
                       type: object
+                    authorization:
+                      nullable: true
+                      properties:
+                        opa:
+                          description: Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) and the name of the Rego package containing your authorization rules. Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa) to learn how to deploy Rego authorization rules with OPA.
+                          properties:
+                            configMapName:
+                              description: The [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for the OPA stacklet that should be used for authorization requests.
+                              type: string
+                            package:
+                              description: The name of the Rego package containing the Rego rules for the product.
+                              nullable: true
+                              type: string
+                          required:
+                            - configMapName
+                          type: object
+                      required:
+                        - opa
+                      type: object
                     hdfsConfigMapName:
                       description: Name of the [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for an HDFS cluster.
                       type: string

deploy/helm/hbase-operator/crds/crds.yaml

@@ -131,7 +131,7 @@ version() {
 echo "Check cluster version..."
 cluster_version=$(version | jq -r '.Version')
 
-if [ "$cluster_version" == "2.4.17" ]; then
+if [ "$cluster_version" == "2.4.18" ]; then
   echo "Cluster version: $cluster_version"
 else
   echo "Unexpected version: $cluster_version"

docs/modules/hbase/examples/getting_started/getting_started.sh

@@ -131,7 +131,7 @@ version() {
 echo "Check cluster version..."
 cluster_version=$(version | jq -r '.Version')
 
-if [ "$cluster_version" == "2.4.17" ]; then
+if [ "$cluster_version" == "2.4.18" ]; then
   echo "Cluster version: $cluster_version"
 else
   echo "Unexpected version: $cluster_version"

docs/modules/hbase/examples/getting_started/getting_started.sh.j2

@@ -5,7 +5,7 @@ metadata:
   name: simple-hbase
 spec:
   image:
-    productVersion: 2.4.17
+    productVersion: 2.4.18
   clusterConfig:
     hdfsConfigMapName: simple-hdfs
     zookeeperConfigMapName: simple-hbase-znode

docs/modules/hbase/examples/getting_started/hbase.yaml

@@ -5,7 +5,7 @@ metadata:
   name: simple-hbase
 spec:
   image:
-    productVersion: 2.4.17
+    productVersion: 2.4.18
   clusterConfig:
     hdfsConfigMapName: simple-hdfs
     zookeeperConfigMapName: simple-hbase-znode

docs/modules/hbase/examples/getting_started/hbase.yaml.j2

@@ -0,0 +1,128 @@
+package hbase
+
+import rego.v1
+
+default allow := false
+default matches_identity(identity) := false
+
+# table is null if the request is for namespace permissions, but as parameters cannot be
+# undefined, we have to set it to something specific:
+checked_table_name := input.table.qualifierAsString if {input.table.qualifierAsString}
+checked_table_name := "__undefined__" if {not input.table.qualifierAsString}
+
+allow if {
+    some acl in acls
+    matches_identity(acl.identity)
+    matches_resource(input.namespace, checked_table_name, acl.resource)
+    action_sufficient_for_operation(acl.action, input.action)
+}
+
+# Identity mentions the (long) userName explicitly
+matches_identity(identity) if {
+    identity in {
+        concat("", ["user:", input.callerUgi.userName])
+    }
+}
+
+# Identity regex matches the (long) userName
+matches_identity(identity) if {
+    match_entire(identity, concat("", ["userRegex:", input.callerUgi.userName]))
+}
+
+# Identity mentions group the user is part of (by looking up using the (long) userName)
+matches_identity(identity) if {
+    some group in groups_for_user[input.callerUgi.userName]
+    identity == concat("", ["group:", group])
+}
+
+# Allow all resources
+matches_resource(namespace, table, resource) if {
+    resource == "hbase:"
+}
+
+# Allow all namespaces
+matches_resource(namespace, table, resource) if {
+    resource == "hbase:namespace:"
+}
+
+# Resource mentions the namespace explicitly
+matches_resource(namespace, table, resource) if {
+    resource == concat(":", ["hbase:namespace", namespace])
+}
+
+# Resource mentions the namespaced table explicitly
+matches_resource(namespace, table, resource) if {
+    resource == concat("", ["hbase:table:", namespace, "/", table])
+}
+
+match_entire(pattern, value) if {
+	# Add the anchors ^ and $
+	pattern_with_anchors := concat("", ["^", pattern, "$"])
+
+	regex.match(pattern_with_anchors, value)
+}
+
+action_sufficient_for_operation(action, operation) if {
+    action_hierarchy[action][_] == action_for_operation[operation]
+}
+
+action_hierarchy := {
+    "full": ["full", "rw", "ro"],
+    "rw": ["rw", "ro"],
+    "ro": ["ro"],
+}
+
+action_for_operation := {
+    "ADMIN": "full",
+    "CREATE": "full",
+    "WRITE": "rw",
+    "READ": "ro",
+}
+
+groups_for_user := {
+    "hbase/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "testuser/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "admin/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["developers"],
+    "readonlyuser1/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": [],
+    "readonlyuser2/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": [],
+    "bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": []
+}
+
+acls := [
+    {
+        "identity": "group:admins",
+        "action": "full",
+        "resource": "hbase:",
+    },
+    {
+        "identity": "group:developers",
+        "action": "full",
+        "resource": "hbase:namespace:developers",
+    },
+    {
+        "identity": "user:alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "hbase:table:developers/table2",
+    },
+    {
+        "identity": "user:bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "hbase:table:developers/table1",
+    },
+    {
+        "identity": "user:bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "hbase:table:public/table3",
+    },
+    {
+        "identity": "user:readonlyuser1/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "ro",
+        "resource": "hbase:table:public/test",
+    },
+    {
+        "identity": "user:readonlyuser2/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "ro",
+        "resource": "hbase:namespace:",
+    },
+]