Example 1 with RangerAccessResult
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerPDPKnoxFilter method doFilter.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
String sourceUrl = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
String topologyName = getTopologyName(sourceUrl);
String serviceName = getServiceName();
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG, "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
}
Subject subject = Subject.getSubject(AccessController.getContext());
Principal primaryPrincipal = (Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
String primaryUser = primaryPrincipal.getName();
String impersonatedUser = null;
Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
if (impersonations != null && impersonations.length > 0) {
impersonatedUser = ((Principal) impersonations[0]).getName();
}
String user = (impersonatedUser != null) ? impersonatedUser : primaryUser;
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user);
}
Object[] groupObjects = subject.getPrincipals(GroupPrincipal.class).toArray();
Set<String> groups = new HashSet<String>();
for (Object obj : groupObjects) {
groups.add(((Principal) obj).getName());
}
String clientIp = request.getRemoteAddr();
String clusterName = plugin.getClusterName();
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user + ", groups: " + groups + ", clientIp: " + clientIp + ", clusterName: " + clusterName);
}
RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder().service(serviceName).topology(topologyName).user(user).groups(groups).clientIp(clientIp).clusterName(clusterName).build();
boolean accessAllowed = false;
if (plugin != null) {
RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
accessAllowed = result != null && result.getIsAllowed();
}
if (LOG.isDebugEnabled()) {
LOG.debug("Access allowed: " + accessAllowed);
}
RangerPerfTracer.log(perf);
if (accessAllowed) {
chain.doFilter(request, response);
} else {
sendForbidden((HttpServletResponse) response);
}
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
Subject(javax.security.auth.Subject)
GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal)
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal)
ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal)
Principal(java.security.Principal)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
HashSet(java.util.HashSet)
Example 2 with RangerAccessResult
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerAtlasAuthorizer method checkAccess.
private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHandler auditHandler) {
boolean ret = false;
RangerBasePlugin plugin = atlasPlugin;
if (plugin != null) {
RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);
ret = result != null && result.getIsAllowed();
} else {
LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
}
return ret;
}
Also used :
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
RangerBasePlugin(org.apache.ranger.plugin.service.RangerBasePlugin)
Example 3 with RangerAccessResult
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerBasePlugin method auditGrantRevoke.
private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
if (request != null && resultProcessor != null) {
RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
accessRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
accessRequest.setUser(request.getGrantor());
accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
accessRequest.setAction(action);
accessRequest.setClientIPAddress(request.getClientIPAddress());
accessRequest.setClientType(request.getClientType());
accessRequest.setRequestData(request.getRequestData());
accessRequest.setSessionId(request.getSessionId());
accessRequest.setClusterName(request.getClusterName());
// call isAccessAllowed() to determine if audit is enabled or not
RangerAccessResult accessResult = isAccessAllowed(accessRequest, null);
if (accessResult != null && accessResult.getIsAudited()) {
accessRequest.setAccessType(action);
accessResult.setIsAllowed(isSuccess);
if (!isSuccess) {
accessResult.setPolicyId(-1);
}
resultProcessor.processResult(accessResult);
}
}
}
Also used :
RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
Example 4 with RangerAccessResult
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerKMSAccessRequest method hasAccess.
public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , " + keyName + ")");
}
boolean ret = false;
RangerKMSPlugin plugin = kmsPlugin;
String rangerAccessType = getRangerAccessType(type);
AccessControlList blacklist = blacklistedAcls.get(type);
ret = (blacklist == null) || !blacklist.isUserInList(ugi);
if (!ret) {
LOG.debug("Operation " + rangerAccessType + " blocked in the blacklist for user " + ugi.getUserName());
}
String clusterName = kmsPlugin.getClusterName();
if (plugin != null && ret) {
RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp, clusterName);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result == null ? false : result.getIsAllowed();
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi + " , " + keyName + "): " + ret);
}
return ret;
}
Also used :
AccessControlList(org.apache.hadoop.security.authorize.AccessControlList)
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
Example 5 with RangerAccessResult
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerHiveAuditHandler method createAuditEvents.
List<AuthzAuditEvent> createAuditEvents(Collection<RangerAccessResult> results) {
Map<Long, AuthzAuditEvent> auditEvents = new HashMap<Long, AuthzAuditEvent>();
Iterator<RangerAccessResult> iterator = results.iterator();
AuthzAuditEvent deniedAuditEvent = null;
while (iterator.hasNext() && deniedAuditEvent == null) {
RangerAccessResult result = iterator.next();
if (result.getIsAudited()) {
if (!result.getIsAllowed()) {
deniedAuditEvent = createAuditEvent(result);
} else {
long policyId = result.getPolicyId();
if (auditEvents.containsKey(policyId)) {
// add this result to existing event by updating column values
AuthzAuditEvent auditEvent = auditEvents.get(policyId);
RangerHiveAccessRequest request = (RangerHiveAccessRequest) result.getAccessRequest();
RangerHiveResource resource = (RangerHiveResource) request.getResource();
String resourcePath = auditEvent.getResourcePath() + "," + resource.getColumn();
auditEvent.setResourcePath(resourcePath);
Set<String> tags = getTags(request);
if (tags != null) {
auditEvent.getTags().addAll(tags);
}
} else {
// new event as this approval was due to a different policy.
AuthzAuditEvent auditEvent = createAuditEvent(result);
if (auditEvent != null) {
auditEvents.put(policyId, auditEvent);
}
}
}
}
}
List<AuthzAuditEvent> result;
if (deniedAuditEvent == null) {
result = new ArrayList<>(auditEvents.values());
} else {
result = Lists.newArrayList(deniedAuditEvent);
}
return result;
}
Also used :
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
AuthzAuditEvent(org.apache.ranger.audit.model.AuthzAuditEvent)
Aggregations
RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult)20
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)6
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)6
RangerAccessRequest (org.apache.ranger.plugin.policyengine.RangerAccessRequest)5
HiveAuthzSessionContext (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext)4
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)4
RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)4
Principal (java.security.Principal)2
Date (java.util.Date)2
SemanticException (org.apache.hadoop.hive.ql.parse.SemanticException)2
HivePrivilegeObject (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)2
AuthzAuditEvent (org.apache.ranger.audit.model.AuthzAuditEvent)2
RangerBasePlugin (org.apache.ranger.plugin.service.RangerBasePlugin)2
ArrayList (java.util.ArrayList)1
HashSet (java.util.HashSet)1
Subject (javax.security.auth.Subject)1
IAE (org.apache.druid.java.util.common.IAE)1
Access (org.apache.druid.server.security.Access)1
FsAction (org.apache.hadoop.fs.permission.FsAction)1
HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException)1
