test/omid

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## [Unreleased]
 
+### Added
+
+- Added `clusterConfig.authorization` property to support the OPA authorizer starting with HBase 2.6 ([#506]).
+- Configure log4j2 starting with HBase 2.6 upwards ([#506]).
+
+[#506]: https://github.com/stackabletech/hbase-operator/pull/506
+
 ## [24.3.0] - 2024-03-20
 
 ### Added

deploy/helm/hbase-operator/crds/crds.yaml

@@ -51,6 +51,25 @@ spec:
                       required:
                         - kerberos
                       type: object
+                    authorization:
+                      nullable: true
+                      properties:
+                        opa:
+                          description: Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) and the name of the Rego package containing your authorization rules. Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa) to learn how to deploy Rego authorization rules with OPA.
+                          properties:
+                            configMapName:
+                              description: The [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for the OPA stacklet that should be used for authorization requests.
+                              type: string
+                            package:
+                              description: The name of the Rego package containing the Rego rules for the product.
+                              nullable: true
+                              type: string
+                          required:
+                            - configMapName
+                          type: object
+                      required:
+                        - opa
+                      type: object
                     hdfsConfigMapName:
                       description: Name of the [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for an HDFS cluster.
                       type: string

docs/modules/hbase/examples/rego/hbase.rego

@@ -0,0 +1,123 @@
+package hbase
+
+import rego.v1
+
+default allow := false
+default matches_identity(identity) := false
+
+# table is null if the request is for namespace permissions, but as parameters cannot be
+# undefined, we have to set it to something specific:
+checked_table_name := input.table.qualifierAsString if {input.table.qualifierAsString}
+checked_table_name := "__undefined__" if {not input.table.qualifierAsString}
+
+allow if {
+    some acl in acls
+    matches_identity(acl.identity)
+    matches_resource(input.namespace, checked_table_name, acl.resource)
+    action_sufficient_for_operation(acl.action, input.action)
+}
+
+# Identity mentions the (long) userName explicitly
+matches_identity(identity) if {
+    identity in {
+        concat("", ["user:", input.callerUgi.userName])
+    }
+}
+
+# Identity regex matches the (long) userName
+matches_identity(identity) if {
+    match_entire(identity, concat("", ["userRegex:", input.callerUgi.userName]))
+}
+
+# Identity mentions group the user is part of (by looking up using the (long) userName)
+matches_identity(identity) if {
+    some group in groups_for_user[input.callerUgi.userName]
+    identity == concat("", ["group:", group])
+}
+
+# Allow all resources
+matches_resource(namespace, table, resource) if {
+    resource == ":"
+}
+
+# Resource mentions the namespace explicitly
+matches_resource(namespace, table, resource) if {
+    resource == concat("", [namespace, ":"])
+}
+
+# Resource mentions the namespaced table explicitly
+matches_resource(namespace, table, resource) if {
+    resource == concat("", [namespace, ":", table])
+}
+
+match_entire(pattern, value) if {
+	# Add the anchors ^ and $
+	pattern_with_anchors := concat("", ["^", pattern, "$"])
+
+	regex.match(pattern_with_anchors, value)
+}
+
+action_sufficient_for_operation(action, operation) if {
+    action_hierarchy[action][_] == action_for_operation[operation]
+}
+
+action_hierarchy := {
+    "full": ["full", "rw", "ro"],
+    "rw": ["rw", "ro"],
+    "ro": ["ro"],
+}
+
+action_for_operation := {
+    "ADMIN": "full",
+    "CREATE": "full",
+    "WRITE": "rw",
+    "READ": "ro",
+}
+
+groups_for_user := {
+    "hbase/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "testuser/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "admin/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["developers"],
+    "readonlyuser1/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": [],
+    "readonlyuser2/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": [],
+    "bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": []
+}
+
+acls := [
+    {
+        "identity": "group:admins",
+        "action": "full",
+        "resource": ":",
+    },
+    {
+        "identity": "group:developers",
+        "action": "full",
+        "resource": "developers:",
+    },
+    {
+        "identity": "user:alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "developers:table2",
+    },
+    {
+        "identity": "user:bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "developers:table1",
+    },
+    {
+        "identity": "user:bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "public:table3",
+    },
+    {
+        "identity": "user:readonlyuser1/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "ro",
+        "resource": "public:test",
+    },
+    {
+        "identity": "user:readonlyuser2/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "ro",
+        "resource": ":",
+    },
+]

docs/modules/hbase/examples/rego/hbase_test.rego

@@ -0,0 +1,210 @@
+package hbase
+
+import rego.v1
+
+test_permission_admin if {
+    allow with input as {
+    "callerUgi" : {
+      "userName" : "admin/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "primaryGroup" : "admin",
+    },
+    "table" : {
+      "namespaceAsString" : "hbase",
+      "qualifierAsString" : "meta",
+    },
+    "namespace" : "hbase",
+    "action" : "WRITE"
+    }
+}
+
+test_namespace_admin if {
+    allow with input as {
+    "callerUgi" : {
+      "realUser" : null,
+      "userName" : "admin/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "shortUserName" : "admin",
+      "primaryGroup" : null,
+      "groups" : [ ],
+      "authenticationMethod" : "KERBEROS",
+      "realAuthenticationMethod" : "KERBEROS"
+    },
+    "table" : null,
+    "namespace" : "developers",
+    "action" : "ADMIN"
+    }
+}
+
+test_permission_developers if {
+    allow with input as {
+    "callerUgi" : {
+      "userName" : "alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "primaryGroup" : "admin",
+    },
+    "table" : {
+      "namespaceAsString" : "developers",
+      "qualifierAsString" : "table1",
+    },
+    "namespace" : "developers",
+    "action" : "WRITE"
+    }
+}
+
+test_permission_alice if {
+    allow with input as {
+    "callerUgi" : {
+      "userName" : "alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "primaryGroup" : "admin",
+    },
+    "table" : {
+      "namespaceAsString" : "developers",
+      "qualifierAsString" : "table2",
+    },
+    "namespace" : "developers",
+    "action" : "WRITE"
+    }
+}
+
+test_no_permission_bob if {
+    not allow with input as {
+    "callerUgi" : {
+      "userName" : "bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "primaryGroup" : "admin",
+    },
+    "table" : {
+      "namespaceAsString" : "developers",
+      "qualifierAsString" : "table2",
+    },
+    "namespace" : "developers",
+    "action" : "WRITE"
+    }
+}
+
+test_permission_bob1 if {
+    allow with input as {
+    "callerUgi" : {
+      "userName" : "bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "primaryGroup" : "admin",
+    },
+    "table" : {
+      "namespaceAsString" : "public",
+      "qualifierAsString" : "table3",
+    },
+    "namespace" : "public",
+    "action" : "WRITE"
+    }
+}
+
+test_permission_bob2 if {
+    allow with input as {
+    "callerUgi" : {
+      "userName" : "bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "primaryGroup" : "admin",
+    },
+    "table" : {
+      "namespaceAsString" : "developers",
+      "qualifierAsString" : "table1",
+    },
+    "namespace" : "developers",
+    "action" : "WRITE"
+    }
+}
+
+test_permission_hbase if {
+    allow with input as {
+    "callerUgi" : {
+      "realUser" : null,
+      "userName" : "hbase/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "shortUserName" : "hbase",
+      "primaryGroup" : null,
+      "groups" : [ ],
+      "authenticationMethod" : "KERBEROS",
+      "realAuthenticationMethod" : "KERBEROS"
+    },
+    "table" : {
+      "name" : "aGJhc2U6bWV0YQ==",
+      "nameAsString" : "hbase:meta",
+      "namespace" : "aGJhc2U=",
+      "namespaceAsString" : "hbase",
+      "qualifier" : "bWV0YQ==",
+      "qualifierAsString" : "meta",
+      "nameWithNamespaceInclAsString" : "hbase:meta"
+    },
+    "namespace" : "hbase",
+    "action" : "WRITE"
+    }
+}
+
+test_permission_testuser if {
+    allow with input as {
+    "callerUgi" : {
+      "realUser" : null,
+      "userName" : "testuser/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "shortUserName" : "testuser",
+      "primaryGroup" : null,
+      "groups" : [ ],
+      "authenticationMethod" : "KERBEROS",
+      "realAuthenticationMethod" : "KERBEROS"
+    },
+    "table" : {
+      "name" : "dGVzdA==",
+      "nameAsString" : "test",
+      "namespace" : "ZGVmYXVsdA==",
+      "namespaceAsString" : "default",
+      "qualifier" : "dGVzdA==",
+      "qualifierAsString" : "test",
+      "nameWithNamespaceInclAsString" : "default:test"
+    },
+    "namespace" : "default",
+    "action" : "WRITE"
+    }
+}
+
+test_permission_readonlyuser1 if {
+    allow with input as {
+    "callerUgi" : {
+      "realUser" : null,
+      "userName" : "readonlyuser1/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "shortUserName" : "readonlyuser",
+      "primaryGroup" : null,
+      "groups" : [ ],
+      "authenticationMethod" : "KERBEROS",
+      "realAuthenticationMethod" : "KERBEROS"
+    },
+    "table" : {
+      "name" : "cHVibGljOnRlc3Q=",
+      "nameAsString" : "public:test",
+      "namespace" : "cHVibGlj",
+      "namespaceAsString" : "public",
+      "qualifier" : "dGVzdA==",
+      "qualifierAsString" : "test",
+      "nameWithNamespaceInclAsString" : "public:test"
+    },
+    "namespace" : "public",
+    "action" : "READ"
+    }
+}
+
+test_permission_readonlyuser2 if {
+    allow with input as {
+    "callerUgi" : {
+      "realUser" : null,
+      "userName" : "readonlyuser2/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "shortUserName" : "readonlyuser",
+      "primaryGroup" : null,
+      "groups" : [ ],
+      "authenticationMethod" : "KERBEROS",
+      "realAuthenticationMethod" : "KERBEROS"
+    },
+    "table" : {
+      "name" : "cHVibGljOnRlc3Q=",
+      "nameAsString" : "public:test",
+      "namespace" : "cHVibGlj",
+      "namespaceAsString" : "public",
+      "qualifier" : "dGVzdA==",
+      "qualifierAsString" : "test",
+      "nameWithNamespaceInclAsString" : "public:test"
+    },
+    "namespace" : "public",
+    "action" : "READ"
+    }
+}

docs/modules/hbase/examples/usage-guide/hbase-regorules.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hbase-regorules
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  hdfs.rego: |
+    package hbase
+
+    import rego.v1
+
+    default allow = true