
Example 11 with RangerDefaultAuditHandler

use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

From the class TestPolicyEngine, method runTests (a JUnit driver that replays JSON-defined policy-engine test cases and audits each evaluation through RangerDefaultAuditHandler).

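/**
 * Drives one JSON-defined policy-engine test case: deserializes the case from {@code reader},
 * builds a RangerPolicyEngine over its service policies (plus optional tag policies) and then
 * replays every TestData entry against that engine, asserting the expected access,
 * data-mask, row-filter and resource-access-info results.
 *
 * A malformed TAGS / REQUESTED_RESOURCES JSON string in a request context now fails the
 * test immediately instead of only being printed to stderr: the previous behaviour dropped
 * the context entry and let the case continue, which surfaced as a misleading
 * isAllowed/policyId mismatch rather than as the real cause.
 *
 * @param reader   JSON source of a PolicyEngineTestCase
 * @param testName name used for the engine instance and in assertion messages
 */
private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);

    ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }

    if (null != testCase.tagPolicyInfo) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        // the tag service reuses the test case's audit mode; the JSON carries no separate one for tags
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            tagPolicies.setAuditMode(testCase.auditMode);
        }
        servicePolicies.setTagPolicies(tagPolicies);
    }

    RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
    policyEngineOptions.disableTagPolicyEvaluation = false;

    // X-Forwarded-For handling. Both settings default to off/unset, so forwarded addresses are
    // ignored unless the test configuration opts in. NOTE(review): the keys are hive-specific
    // although this engine test is service-agnostic; presumably the engine honours a forwarded
    // address only when the direct remote IP is one of the trusted proxies -- confirm against
    // RangerPolicyEngineImpl before relying on that in a test case.
    boolean useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String trustedProxyAddressString = RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
    // ';'-separated list; StringUtils.split returns null for a null/unset value
    String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
    if (trustedProxyAddresses != null) {
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }

    RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
    policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
    policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);

    long requestCount = 0L;
    for (TestData test : testCase.tests) {
        RangerAccessRequest request = test.request;

        // re-sort the evaluators every 10th request (starting with the second) so the
        // reordered evaluation path is covered as well
        if ((requestCount++ % 10) == 1) {
            policyEngine.reorderPolicyEvaluators();
        }

        Map<String, Object> context = request.getContext();
        if (context.containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) || context.containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            request = rebuildRequestWithParsedContext(request, testCase, testName, test.name);
        } else {
            // no pre-supplied tags/resources: let the engine set the serviceDef and run the enrichers
            policyEngine.preProcess(request);
        }

        verifyExpectations(policyEngine, request, test);
    }
}

/**
 * Copies {@code request} into a fresh RangerAccessRequestImpl whose context carries the
 * TAGS / REQUESTED_RESOURCES entry parsed from its JSON string form into the object the
 * engine expects. Only one of the two is parsed: a non-empty TAGS string wins, otherwise
 * REQUESTED_RESOURCES is tried. The context map is mutated in place (string replaced by the
 * parsed object) and shared with the new request, exactly as before.
 *
 * @param request  the request as deserialized from the test JSON
 * @param testCase supplies the serviceDef that is stamped onto the request's resource
 * @param testName test file name, for failure messages
 * @param name     TestData name, for failure messages
 * @return the rebuilt request to evaluate
 */
private RangerAccessRequest rebuildRequestWithParsedContext(RangerAccessRequest request, PolicyEngineTestCase testCase, String testName, String name) {
    RangerAccessRequestImpl newRequest = new RangerAccessRequestImpl(request.getResource(), request.getAccessType(), request.getUser(), request.getUserGroups());
    newRequest.setClientType(request.getClientType());
    newRequest.setAccessTime(request.getAccessTime());
    newRequest.setAction(request.getAction());
    newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
    newRequest.setForwardedAddresses(request.getForwardedAddresses());
    newRequest.setRequestData(request.getRequestData());
    newRequest.setSessionId(request.getSessionId());

    Map<String, Object> context = request.getContext();
    String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
    context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
    if (!StringUtils.isEmpty(tagsJsonString)) {
        Type setType = new TypeToken<Set<RangerTagForEval>>() {
        }.getType();
        Set<RangerTagForEval> tags = parseJsonOrFail(tagsJsonString, setType, "TAGS", testName);
        context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tags);
    } else if (context.containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
        String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
        context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
        if (!StringUtils.isEmpty(resourcesJsonString)) {
            RangerRequestedResources resources = parseJsonOrFail(resourcesJsonString, RangerRequestedResources.class, "REQUESTED_RESOURCES", testName);
            context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
        }
    }
    newRequest.setContext(context);

    // Setting the serviceDef on the resource here lets the caller skip policyEngine.preProcess(),
    // which would also run the context enrichers. Enrichers must not run when the test already
    // supplies tags/resources in the context -- this may change if enrichment in the presence
    // of tags is ever wanted. The cast is asserted rather than assumed so a different resource
    // implementation fails with a readable message instead of a ClassCastException.
    assertTrue("resource is not a RangerAccessResourceImpl - " + name, request.getResource() instanceof RangerAccessResourceImpl);
    ((RangerAccessResourceImpl) request.getResource()).setServiceDef(testCase.serviceDef);
    return newRequest;
}

/**
 * Parses {@code json} into {@code type} with the test's Gson instance. A parse failure fails
 * the test outright (with the offending input in the message) instead of being logged and
 * ignored.
 *
 * @param json     the JSON text to parse
 * @param type     target type (a Class or a TypeToken-derived Type)
 * @param what     label for the failure message, e.g. "TAGS"
 * @param testName test file name, for the failure message
 * @return the parsed value
 */
private <T> T parseJsonOrFail(String json, Type type, String what, String testName) {
    try {
        return gsonBuilder.fromJson(json, type);
    } catch (Exception e) {
        throw new AssertionError("TestPolicyEngine.runTests(): error parsing " + what + " JSON string in file " + testName + ", json=" + json, e);
    }
}

/**
 * Evaluates {@code request} for each policy type the TestData carries an expectation for and
 * asserts the expected values. Each section is independent: a TestData may specify any subset
 * of result / dataMaskResult / rowFilterResult / resourceAccessInfo.
 *
 * @param policyEngine the engine under test
 * @param request      the (possibly rebuilt) request to evaluate
 * @param test         the expectations; note resourceAccessInfo is checked against
 *                     {@code test.request}, the original request object, as before
 */
private void verifyExpectations(RangerPolicyEngine policyEngine, RangerAccessRequest request, TestData test) {
    // a fresh audit handler per request; the engine reports every decision through it
    RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();

    if (test.result != null) {
        RangerAccessResult expected = test.result;
        RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
        assertNotNull("result was null! - " + test.name, result);
        assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
        assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
        assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
    }

    if (test.dataMaskResult != null) {
        RangerAccessResult expected = test.dataMaskResult;
        RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
        assertNotNull("result was null! - " + test.name, result);
        assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
        assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
        assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
        assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
    }

    if (test.rowFilterResult != null) {
        RangerAccessResult expected = test.rowFilterResult;
        RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
        assertNotNull("result was null! - " + test.name, result);
        assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
        assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
    }

    if (test.resourceAccessInfo != null) {
        RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
        // deliberately the original request: its resource and context are the same objects the
        // rebuilt request shares, so the serviceDef/parsed context are already in place
        RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request);
        assertNotNull("result was null! - " + test.name, result);
        assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
        assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(), result.getAllowedGroups());
        assertEquals("deniedUsers mismatched! - " + test.name, expected.getDeniedUsers(), result.getDeniedUsers());
        assertEquals("deniedGroups mismatched! - " + test.name, expected.getDeniedGroups(), result.getDeniedGroups());
    }
}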
Also used : ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) Set(java.util.Set) TestData(org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData) RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler) RangerRequestedResources(org.apache.ranger.plugin.util.RangerRequestedResources) JsonParseException(com.google.gson.JsonParseException) Type(java.lang.reflect.Type) TypeToken(com.google.gson.reflect.TypeToken)

Example 12 with RangerDefaultAuditHandler

use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

From the class RangerHBasePlugin, method authorizeAccess (region-level authorization that returns a cell filter for partially accessible requests).

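/**
 * Authorizes a region operation against Ranger policies and reports the decision through a
 * RangerDefaultAuditHandler. Three outcomes are possible, in this order of preference:
 * everything requested is accessible (no filter), some of it is accessible (a filter that
 * hides the rest), or nothing is accessible (fail closed with AccessDeniedException).
 *
 * Audit split: allow events are logged here; when a filter is returned, the denials that
 * could not be decided up front are audited by the filter component itself.
 *
 * @param operation name of the HBase operation, used only for the perf-trace tag
 * @param action    the HBase action (READ/WRITE/...) being authorized
 * @param env       the region coprocessor environment
 * @param familyMap requested column families and their qualifiers
 * @return null when every requested family/qualifier is accessible; otherwise the filter
 *         computed by evaluateAccess that restricts the result to accessible cells
 * @throws AccessDeniedException when nothing requested is accessible
 */
Filter authorizeAccess(String operation, Action action, final RegionCoprocessorEnvironment env, final Map<byte[], NavigableSet<byte[]>> familyMap) throws AccessDeniedException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> authorizeAccess");
    }
    RangerPerfTracer perf = null;
    try {
        // same guard as requirePermission(): only build a tracer when perf tracing is enabled;
        // RangerPerfTracer.log() tolerates a null tracer
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_HBASEAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.authorizeAccess(request=Operation[" + operation + "]");
        }

        // NOTE(review): if evaluateAccess() throws, no audit event is written for this request
        ColumnFamilyAccessResult accessResult = evaluateAccess(operation, action, env, familyMap);
        RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();

        if (accessResult._everythingIsAccessible) {
            auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
            auditHandler.logAuthzAudits(accessResult._familyLevelAccessEvents);
            LOG.debug("authorizeAccess: exiting: No filter returned since all access was allowed");
            // no filter needed since we are good to go.
            return null;
        }

        if (accessResult._somethingIsAccessible) {
            // NOTE: audit logging is split between logging here (in scope of preOp/preGet) and
            // logging in the filter component for those that couldn't be determined.
            // NOTE(review): _familyLevelAccessEvents are audited only on the all-accessible path;
            // confirm the partial-access path is not meant to audit them too.
            auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
            LOG.debug("authorizeAccess: exiting: Filter returned since some access was allowed");
            return accessResult._filter;
        }

        // Nothing was accessible: audit one denial (the last one) and fail closed.
        auditHandler.logAuthzAudit(accessResult._accessDeniedEvent);
        LOG.debug("authorizeAccess: exiting: Throwing exception since nothing was accessible");
        throw new AccessDeniedException(accessResult._denialReason);
    } finally {
        RangerPerfTracer.log(perf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== authorizeAccess");
        }
    }
}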
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)

Example 13 with RangerDefaultAuditHandler

use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

From the class RangerHBasePlugin, method grant (the HBase AccessControl grant RPC, translated into a Ranger policy update).

/**
 * Handles the HBase AccessControl {@code grant} RPC by turning it into a Ranger
 * GrantRevokeRequest and applying it through the plugin, audited via RangerDefaultAuditHandler.
 *
 * Only active when UpdateRangerPoliciesOnGrantRevoke is set; otherwise, and when the plugin
 * has not been initialized, the callback receives a null response with no controller
 * exception -- the client then sees no explicit reason for the failure.
 *
 * Failures are reported to the client through the controller: AccessControlException becomes
 * an AccessDeniedException (cause preserved), other IOExceptions pass through unchanged, and
 * anything else is wrapped in a CoprocessorException carrying only the message.
 *
 * NOTE(review): whether the calling user is allowed to grant at all is presumably enforced
 * inside createGrantData()/plugin.grantAccess() (or by the Ranger admin), not here -- verify.
 *
 * @param controller RPC controller used to surface failures to the client
 * @param request    the grant request from the HBase client
 * @param done       callback receiving the default response on success, or null on failure
 */
@Override
public void grant(RpcController controller, AccessControlProtos.GrantRequest request, RpcCallback<AccessControlProtos.GrantResponse> done) {
    AccessControlProtos.GrantResponse response = null;
    if (UpdateRangerPoliciesOnGrantRevoke) {
        try {
            GrantRevokeRequest grantData = createGrantData(request);
            RangerHBasePlugin activePlugin = hbasePlugin;
            if (activePlugin != null) {
                grantData.setClusterName(activePlugin.getClusterName());
                activePlugin.grantAccess(grantData, new RangerDefaultAuditHandler());
                response = AccessControlProtos.GrantResponse.getDefaultInstance();
            }
        } catch (AccessControlException excp) {
            // must precede IOException: AccessControlException is an IOException subtype
            LOG.warn("grant() failed", excp);
            ResponseConverter.setControllerException(controller, new AccessDeniedException(excp));
        } catch (IOException excp) {
            LOG.warn("grant() failed", excp);
            ResponseConverter.setControllerException(controller, excp);
        } catch (Exception excp) {
            LOG.warn("grant() failed", excp);
            ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
        }
    }
    done.run(response);
}
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) AccessControlException(org.apache.hadoop.security.AccessControlException) IOException(java.io.IOException) AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException) IOException(java.io.IOException) AccessControlException(org.apache.hadoop.security.AccessControlException) RangerAccessResultProcessor(org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor) AccessControlProtos(org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler) GrantRevokeRequest(org.apache.ranger.plugin.util.GrantRevokeRequest) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)

Example 14 with RangerDefaultAuditHandler

use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

From the class RangerHBasePlugin, method revoke (the HBase AccessControl revoke RPC, translated into a Ranger policy update).

/**
 * Handles the HBase AccessControl {@code revoke} RPC by turning it into a Ranger
 * GrantRevokeRequest and applying it through the plugin, audited via RangerDefaultAuditHandler.
 *
 * Only active when UpdateRangerPoliciesOnGrantRevoke is set; otherwise, and when the plugin
 * has not been initialized, the callback receives a null response with no controller
 * exception -- the client then sees no explicit reason for the failure.
 *
 * Failures are reported to the client through the controller: AccessControlException becomes
 * an AccessDeniedException (cause preserved), other IOExceptions pass through unchanged, and
 * anything else is wrapped in a CoprocessorException carrying only the message.
 *
 * NOTE(review): whether the calling user is allowed to revoke at all is presumably enforced
 * inside createRevokeData()/plugin.revokeAccess() (or by the Ranger admin), not here -- verify.
 *
 * @param controller RPC controller used to surface failures to the client
 * @param request    the revoke request from the HBase client
 * @param done       callback receiving the default response on success, or null on failure
 */
@Override
public void revoke(RpcController controller, AccessControlProtos.RevokeRequest request, RpcCallback<AccessControlProtos.RevokeResponse> done) {
    AccessControlProtos.RevokeResponse response = null;
    if (UpdateRangerPoliciesOnGrantRevoke) {
        try {
            GrantRevokeRequest revokeData = createRevokeData(request);
            RangerHBasePlugin activePlugin = hbasePlugin;
            if (activePlugin != null) {
                revokeData.setClusterName(activePlugin.getClusterName());
                activePlugin.revokeAccess(revokeData, new RangerDefaultAuditHandler());
                response = AccessControlProtos.RevokeResponse.getDefaultInstance();
            }
        } catch (AccessControlException excp) {
            // must precede IOException: AccessControlException is an IOException subtype
            LOG.warn("revoke() failed", excp);
            ResponseConverter.setControllerException(controller, new AccessDeniedException(excp));
        } catch (IOException excp) {
            LOG.warn("revoke() failed", excp);
            ResponseConverter.setControllerException(controller, excp);
        } catch (Exception excp) {
            LOG.warn("revoke() failed", excp);
            ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()));
        }
    }
    done.run(response);
}
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) AccessControlException(org.apache.hadoop.security.AccessControlException) IOException(java.io.IOException) AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException) IOException(java.io.IOException) AccessControlException(org.apache.hadoop.security.AccessControlException) RangerAccessResultProcessor(org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor) AccessControlProtos(org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler) GrantRevokeRequest(org.apache.ranger.plugin.util.GrantRevokeRequest) CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)

Example 15 with RangerDefaultAuditHandler

use of org.apache.ranger.plugin.audit.RangerDefaultAuditHandler in project ranger by apache.

From the class RangerHBasePlugin, method requirePermission (all-or-nothing authorization: any inaccessible family or qualifier denies the whole operation).

/**
 * All-or-nothing authorization check for a region operation. Unlike authorizeAccess(), a
 * partially accessible request is not filtered but denied outright: the operation proceeds
 * only when evaluateAccess() reports everything as accessible. Decisions are audited through
 * a RangerDefaultAuditHandler; on denial a single (the last) denial event is logged.
 *
 * NOTE(review): if evaluateAccess() throws, no audit event is written for this request.
 *
 * @param operation       name of the HBase operation, used only for the perf-trace tag
 * @param action          the HBase action being authorized
 * @param regionServerEnv the region coprocessor environment
 * @param familyMap       requested column families and their qualifiers
 * @throws AccessDeniedException unless every requested family/qualifier is accessible
 */
void requirePermission(final String operation, final Action action, final RegionCoprocessorEnvironment regionServerEnv, final Map<byte[], ? extends Collection<?>> familyMap) throws AccessDeniedException {
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_HBASEAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.requirePermission(request=Operation[" + operation + "]");
        }
        ColumnFamilyAccessResult accessResult = evaluateAccess(operation, action, regionServerEnv, familyMap);
        RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();

        // fail closed: anything short of full access is a denial
        if (!accessResult._everythingIsAccessible) {
            auditHandler.logAuthzAudit(accessResult._accessDeniedEvent);
            LOG.debug("requirePermission: exiting: throwing exception as everything wasn't accessible");
            throw new AccessDeniedException(accessResult._denialReason);
        }

        auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
        auditHandler.logAuthzAudits(accessResult._familyLevelAccessEvents);
        LOG.debug("requirePermission: exiting: all access was allowed");
    } finally {
        // tolerates a null tracer when perf tracing is disabled
        RangerPerfTracer.log(perf);
    }
}
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)

Aggregations

RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)16 AccessDeniedException (org.apache.hadoop.hbase.security.AccessDeniedException)4 RangerAccessResultProcessor (org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor)3 RangerBasePlugin (org.apache.ranger.plugin.service.RangerBasePlugin)3 IOException (java.io.IOException)2 CoprocessorException (org.apache.hadoop.hbase.coprocessor.CoprocessorException)2 AccessControlProtos (org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos)2 AccessControlException (org.apache.hadoop.security.AccessControlException)2 GrantRevokeRequest (org.apache.ranger.plugin.util.GrantRevokeRequest)2 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)2 ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)2 JsonParseException (com.google.gson.JsonParseException)1 TypeToken (com.google.gson.reflect.TypeToken)1 Type (java.lang.reflect.Type)1 Set (java.util.Set)1 Subject (javax.security.auth.Subject)1 Configuration (org.apache.hadoop.conf.Configuration)1 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)1 ListenerName (org.apache.kafka.common.network.ListenerName)1 JaasContext (org.apache.kafka.common.security.JaasContext)1