stackabletech · razvan · Jul 12, 2024 · Jun 4, 2024 · Jun 4, 2024 · Jun 4, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,11 +2,23 @@
 
 ## [Unreleased]
 
+### Added
+
+- Added support for HBase 2.6.0 with the following changes ([#506]):
+  - Added `clusterConfig.authorization` property to support the OPA authorizer
+  - Configure log4j2 properties
+  - Use built-in prometheus metric exporter
+- Added support for HBase 2.4.18 ([#523])
+
 ### Changed
 
 - Bump `stackable-operator` from `0.64.0` to `0.70.0` ([#524]).
 - Bump `product-config` from `0.6.0` to `0.7.0` ([#524]).
 
+[#506]: https://github.com/stackabletech/hbase-operator/pull/506
+[#523]: https://github.com/stackabletech/hbase-operator/pull/523
+[#524]: https://github.com/stackabletech/hbase-operator/pull/524
+
 ## [24.3.0] - 2024-03-20
 
 ### Added
@@ -37,7 +49,6 @@
 [#441]: https://github.com/stackabletech/hbase-operator/pull/441
 [#454]: https://github.com/stackabletech/hbase-operator/pull/454
 [#511]: https://github.com/stackabletech/hbase-operator/pull/511
-[#524]: https://github.com/stackabletech/hbase-operator/pull/524
 
 ## [23.11.0] - 2023-11-24
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,5 +27,5 @@ strum = { version = "0.26", features = ["derive"] }
 tokio = { version = "1.37", features = ["full"] }
 tracing = "0.1"
 
-# [patch."https://github.com/stackabletech/operator-rs.git"]
-# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+#[patch."https://github.com/stackabletech/operator-rs.git"]
+#stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
diff --git a/deploy/helm/hbase-operator/crds/crds.yaml b/deploy/helm/hbase-operator/crds/crds.yaml
@@ -51,6 +51,25 @@ spec:
                       required:
                         - kerberos
                       type: object
+                    authorization:
+                      nullable: true
+                      properties:
+                        opa:
+                          description: Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) and the name of the Rego package containing your authorization rules. Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa) to learn how to deploy Rego authorization rules with OPA.
+                          properties:
+                            configMapName:
+                              description: The [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for the OPA stacklet that should be used for authorization requests.
+                              type: string
+                            package:
+                              description: The name of the Rego package containing the Rego rules for the product.
+                              nullable: true
+                              type: string
+                          required:
+                            - configMapName
+                          type: object
+                      required:
+                        - opa
+                      type: object
                     hdfsConfigMapName:
                       description: Name of the [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for an HDFS cluster.
                       type: string

diff --git a/docs/modules/hbase/examples/getting_started/getting_started.sh b/docs/modules/hbase/examples/getting_started/getting_started.sh
@@ -131,7 +131,7 @@ version() {
 echo "Check cluster version..."
 cluster_version=$(version | jq -r '.Version')
 
-if [ "$cluster_version" == "2.4.17" ]; then
+if [ "$cluster_version" == "2.4.18" ]; then
   echo "Cluster version: $cluster_version"
 else
   echo "Unexpected version: $cluster_version"

diff --git a/docs/modules/hbase/examples/getting_started/getting_started.sh.j2 b/docs/modules/hbase/examples/getting_started/getting_started.sh.j2
@@ -131,7 +131,7 @@ version() {
 echo "Check cluster version..."
 cluster_version=$(version | jq -r '.Version')
 
-if [ "$cluster_version" == "2.4.17" ]; then
+if [ "$cluster_version" == "2.4.18" ]; then
   echo "Cluster version: $cluster_version"
 else
   echo "Unexpected version: $cluster_version"

diff --git a/docs/modules/hbase/examples/getting_started/hbase.yaml b/docs/modules/hbase/examples/getting_started/hbase.yaml
@@ -5,7 +5,7 @@ metadata:
   name: simple-hbase
 spec:
   image:
-    productVersion: 2.4.17
+    productVersion: 2.4.18
   clusterConfig:
     hdfsConfigMapName: simple-hdfs
     zookeeperConfigMapName: simple-hbase-znode

diff --git a/docs/modules/hbase/examples/getting_started/hbase.yaml.j2 b/docs/modules/hbase/examples/getting_started/hbase.yaml.j2
@@ -5,7 +5,7 @@ metadata:
   name: simple-hbase
 spec:
   image:
-    productVersion: 2.4.17
+    productVersion: 2.4.18
   clusterConfig:
     hdfsConfigMapName: simple-hdfs
     zookeeperConfigMapName: simple-hbase-znode

diff --git a/docs/modules/hbase/examples/rego/hbase.rego b/docs/modules/hbase/examples/rego/hbase.rego
@@ -0,0 +1,128 @@
+package hbase
+
+import rego.v1
+
+default allow := false
+default matches_identity(identity) := false
+
+# table is null if the request is for namespace permissions, but as parameters cannot be
+# undefined, we have to set it to something specific:
+checked_table_name := input.table.qualifierAsString if {input.table.qualifierAsString}
+checked_table_name := "__undefined__" if {not input.table.qualifierAsString}
+
+allow if {
+    some acl in acls
+    matches_identity(acl.identity)
+    matches_resource(input.namespace, checked_table_name, acl.resource)
+    action_sufficient_for_operation(acl.action, input.action)
+}
+
+# Identity mentions the (long) userName explicitly
+matches_identity(identity) if {
+    identity in {
+        concat("", ["user:", input.callerUgi.userName])
+    }
+}
+
+# Identity regex matches the (long) userName
+matches_identity(identity) if {
+    match_entire(identity, concat("", ["userRegex:", input.callerUgi.userName]))
+}
+
+# Identity mentions group the user is part of (by looking up using the (long) userName)
+matches_identity(identity) if {
+    some group in groups_for_user[input.callerUgi.userName]
+    identity == concat("", ["group:", group])
+}
+
+# Allow all resources
+matches_resource(namespace, table, resource) if {
+    resource == "hbase:"
+}
+
+# Allow all namespaces
+matches_resource(namespace, table, resource) if {
+    resource == "hbase:namespace:"
+}
+
+# Resource mentions the namespace explicitly
+matches_resource(namespace, table, resource) if {
+    resource == concat(":", ["hbase:namespace", namespace])
+}
+
+# Resource mentions the namespaced table explicitly
+matches_resource(namespace, table, resource) if {
+    resource == concat("", ["hbase:table:", namespace, "/", table])
+}
+
+match_entire(pattern, value) if {
+	# Add the anchors ^ and $
+	pattern_with_anchors := concat("", ["^", pattern, "$"])
+
+	regex.match(pattern_with_anchors, value)
+}
+
+action_sufficient_for_operation(action, operation) if {
+    action_hierarchy[action][_] == action_for_operation[operation]
+}
+
+action_hierarchy := {
+    "full": ["full", "rw", "ro"],
+    "rw": ["rw", "ro"],
+    "ro": ["ro"],
+}
+
+action_for_operation := {
+    "ADMIN": "full",
+    "CREATE": "full",
+    "WRITE": "rw",
+    "READ": "ro",
+}
+
+groups_for_user := {
+    "hbase/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "testuser/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "admin/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["developers"],
+    "readonlyuser1/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": [],
+    "readonlyuser2/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": [],
+    "bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL": []
+}
+
+acls := [
+    {
+        "identity": "group:admins",
+        "action": "full",
+        "resource": "hbase:",
+    },
+    {
+        "identity": "group:developers",
+        "action": "full",
+        "resource": "hbase:namespace:developers",
+    },
+    {
+        "identity": "user:alice/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "hbase:table:developers/table2",
+    },
+    {
+        "identity": "user:bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "hbase:table:developers/table1",
+    },
+    {
+        "identity": "user:bob/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "hbase:table:public/table3",
+    },
+    {
+        "identity": "user:readonlyuser1/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "ro",
+        "resource": "hbase:table:public/test",
+    },
+    {
+        "identity": "user:readonlyuser2/test-hbase-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "ro",
+        "resource": "hbase:namespace:",
+    },
+]