
Example 6 with RangerDefaultAuditHandler

Use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project nifi by apache.

Class RangerNiFiAuthorizer, method onConfigured.

@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
    try {
        if (nifiPlugin == null) {
            logger.info("RangerNiFiAuthorizer(): initializing base plugin");
            final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
            addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);
            final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
            addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);
            final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
            rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString());
            if (rangerKerberosEnabled) {
                // configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
                final Configuration securityConf = new Configuration();
                securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
                UserGroupInformation.setConfiguration(securityConf);
                // login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
                // will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
                final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
                final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();
                if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
                    throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
                }
                UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
            }
            final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
            final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
            nifiPlugin = createRangerBasePlugin(serviceType, appId);
            nifiPlugin.init();
            defaultAuditHandler = new RangerDefaultAuditHandler();
            rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
        } else {
            logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
        }
    } catch (Throwable t) {
        throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
    }
}
Also used: Configuration (org.apache.hadoop.conf.Configuration), RangerConfiguration (org.apache.ranger.authorization.hadoop.config.RangerConfiguration), AuthorizerCreationException (org.apache.nifi.authorization.exception.AuthorizerCreationException), PropertyValue (org.apache.nifi.components.PropertyValue), RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)

Example 7 with RangerDefaultAuditHandler

Use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

Class KnoxRangerPlugin, method init.

// Must be synchronized so that an accidental double init of the plugin does not happen, in case the servlet instantiates multiple filters.
@Override
public synchronized void init() {
    if (!initialized) {
        // mandatory call to base plugin
        super.init();
        // One-time call to register the audit handler with the policy engine.
        super.setResultProcessor(new RangerDefaultAuditHandler());
        initialized = true;
    }
}
Also used: RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)

Example 8 with RangerDefaultAuditHandler

Use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

Class RangerAtlasAuthorizer, method init.

@Override
public void init() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAtlasPlugin.init()");
    }
    RangerBasePlugin plugin = atlasPlugin;
    if (plugin == null) {
        synchronized (RangerAtlasPlugin.class) {
            plugin = atlasPlugin;
            if (plugin == null) {
                plugin = new RangerAtlasPlugin();
                plugin.init();
                plugin.setResultProcessor(new RangerDefaultAuditHandler());
                atlasPlugin = plugin;
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAtlasPlugin.init()");
    }
}
Also used: RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler), RangerBasePlugin (org.apache.ranger.plugin.service.RangerBasePlugin)

Example 9 with RangerDefaultAuditHandler

Use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

Class RangerKafkaAuthorizer, method configure.

/*
 * (non-Javadoc)
 *
 * @see kafka.security.auth.Authorizer#configure(Map<String, Object>)
 */
@Override
public void configure(Map<String, ?> configs) {
    RangerBasePlugin me = rangerPlugin;
    if (me == null) {
        synchronized (RangerKafkaAuthorizer.class) {
            me = rangerPlugin;
            if (me == null) {
                try {
                    // The JAAS configuration used by Ranger can be overridden; otherwise
                    // SASL_PLAINTEXT is used, which forces Kafka to use 'sasl_plaintext.KafkaServer'.
                    // If that is not defined, it reverts to the 'KafkaServer' configuration.
                    final Object jaasContext = configs.get("ranger.jaas.context");
                    final String listenerName = (jaasContext instanceof String && StringUtils.isNotEmpty((String) jaasContext)) ? (String) jaasContext : SecurityProtocol.SASL_PLAINTEXT.name();
                    JaasContext context = JaasContext.load(Type.SERVER, new ListenerName(listenerName), configs);
                    LoginManager loginManager = LoginManager.acquireLoginManager(context, true, configs);
                    Subject subject = loginManager.subject();
                    UserGroupInformation ugi = MiscUtil.createUGIFromSubject(subject);
                    if (ugi != null) {
                        MiscUtil.setUGILoginUser(ugi, subject);
                    }
                    logger.info("LoginUser=" + MiscUtil.getUGILoginUser());
                } catch (Throwable t) {
                    logger.error("Error getting principal.", t);
                }
                me = rangerPlugin = new RangerBasePlugin("kafka", "kafka");
            }
        }
    }
    logger.info("Calling plugin.init()");
    rangerPlugin.init();
    RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
    rangerPlugin.setResultProcessor(auditHandler);
}
Also used: JaasContext (org.apache.kafka.common.security.JaasContext), LoginManager (org.apache.kafka.common.security.authenticator.LoginManager), RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler), ListenerName (org.apache.kafka.common.network.ListenerName), RangerBasePlugin (org.apache.ranger.plugin.service.RangerBasePlugin), Subject (javax.security.auth.Subject), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)

Example 10 with RangerDefaultAuditHandler

Use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

Class RangerKMSAccessRequest, method init.

@Override
public void init() {
    super.init();
    RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
    super.setResultProcessor(auditHandler);
}
Also used: RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)

Aggregations

RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler): 16
AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException): 4
RangerAccessResultProcessor (org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor): 3
RangerBasePlugin (org.apache.ranger.plugin.service.RangerBasePlugin): 3
IOException (java.io.IOException): 2
CoprocessorException (org.apache.hadoop.hbase.coprocessor.CoprocessorException): 2
AccessControlProtos (org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos): 2
AccessControlException (org.apache.hadoop.security.AccessControlException): 2
GrantRevokeRequest (org.apache.ranger.plugin.util.GrantRevokeRequest): 2
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer): 2
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies): 2
JsonParseException (com.google.gson.JsonParseException): 1
TypeToken (com.google.gson.reflect.TypeToken): 1
Type (java.lang.reflect.Type): 1
Set (java.util.Set): 1
Subject (javax.security.auth.Subject): 1
Configuration (org.apache.hadoop.conf.Configuration): 1
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation): 1
ListenerName (org.apache.kafka.common.network.ListenerName): 1
JaasContext (org.apache.kafka.common.security.JaasContext): 1