Example 1 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerPDPKnoxFilter method doFilter.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
String sourceUrl = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
String topologyName = getTopologyName(sourceUrl);
String serviceName = getServiceName();
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG, "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
}
Subject subject = Subject.getSubject(AccessController.getContext());
Principal primaryPrincipal = (Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
String primaryUser = primaryPrincipal.getName();
String impersonatedUser = null;
Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
if (impersonations != null && impersonations.length > 0) {
impersonatedUser = ((Principal) impersonations[0]).getName();
}
String user = (impersonatedUser != null) ? impersonatedUser : primaryUser;
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user);
}
Object[] groupObjects = subject.getPrincipals(GroupPrincipal.class).toArray();
Set<String> groups = new HashSet<String>();
for (Object obj : groupObjects) {
groups.add(((Principal) obj).getName());
}
String clientIp = request.getRemoteAddr();
String clusterName = plugin.getClusterName();
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user + ", groups: " + groups + ", clientIp: " + clientIp + ", clusterName: " + clusterName);
}
RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder().service(serviceName).topology(topologyName).user(user).groups(groups).clientIp(clientIp).clusterName(clusterName).build();
boolean accessAllowed = false;
if (plugin != null) {
RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
accessAllowed = result != null && result.getIsAllowed();
}
if (LOG.isDebugEnabled()) {
LOG.debug("Access allowed: " + accessAllowed);
}
RangerPerfTracer.log(perf);
if (accessAllowed) {
chain.doFilter(request, response);
} else {
sendForbidden((HttpServletResponse) response);
}
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
Subject(javax.security.auth.Subject)
GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal)
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal)
ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal)
Principal(java.security.Principal)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
HashSet(java.util.HashSet)
Example 2 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerIpMatcherTest method test_extractIp.
@Test
public void test_extractIp() {
RangerIpMatcher matcher = new RangerIpMatcher();
Assert.assertNull(matcher.extractIp(null));
RangerAccessRequest request = mock(RangerAccessRequest.class);
when(request.getClientIPAddress()).thenReturn(null);
Assert.assertNull(matcher.extractIp(request));
// note ip address is merely a string. It can be any string.
when(request.getClientIPAddress()).thenReturn("anIp");
Assert.assertEquals("anIp", matcher.extractIp(request));
}
Also used :
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
Test(org.junit.Test)
Example 3 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerTimeOfDayMatcherTest method test_end2end_happyPath.
@Test
public void test_end2end_happyPath() {
RangerPolicyItemCondition itemCondition = mock(RangerPolicyItemCondition.class);
when(itemCondition.getValues()).thenReturn(Arrays.asList("2:45a.m. -7:00 AM", " 9:15AM- 5:30P.M. ", "11pm-2am"));
RangerTimeOfDayMatcher matcher = new RangerTimeOfDayMatcher();
matcher.setConditionDef(null);
matcher.setPolicyItemCondition(itemCondition);
matcher.init();
Object[][] input = new Object[][] { { 1, 0, true }, { 2, 0, true }, { 2, 1, false }, { 2, 44, false }, { 2, 45, true }, { 3, 0, true }, { 7, 0, true }, { 7, 01, false }, { 8, 0, false }, { 9, 15, true }, { 10, 0, true }, { 17, 0, true }, { 17, 30, true }, { 17, 31, false }, { 18, 0, false }, { 22, 59, false }, { 23, 0, true } };
RangerAccessRequest request = mock(RangerAccessRequest.class);
for (Object[] data : input) {
int hour = (int) data[0];
int minute = (int) data[1];
Calendar c = new GregorianCalendar(2015, Calendar.APRIL, 1, hour, minute);
Date aDate = c.getTime();
when(request.getAccessTime()).thenReturn(aDate);
boolean matchExpected = (boolean) data[2];
if (matchExpected) {
Assert.assertTrue("" + hour, matcher.isMatched(request));
} else {
Assert.assertFalse("" + hour, matcher.isMatched(request));
}
}
}
Also used :
GregorianCalendar(java.util.GregorianCalendar)
Calendar(java.util.Calendar)
GregorianCalendar(java.util.GregorianCalendar)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
Date(java.util.Date)
Test(org.junit.Test)
Example 4 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerTimeOfDayMatcherTest method test_end2end_happyPath_12_oClock.
@Test
public void test_end2end_happyPath_12_oClock() {
RangerPolicyItemCondition itemCondition = mock(RangerPolicyItemCondition.class);
when(itemCondition.getValues()).thenReturn(Arrays.asList("12am-1am", "11am-12pm", "12pm-1pm", "11pm-12am"));
RangerTimeOfDayMatcher matcher = new RangerTimeOfDayMatcher();
matcher.setConditionDef(null);
matcher.setPolicyItemCondition(itemCondition);
matcher.init();
Object[][] input = new Object[][] { { 0, 00, true }, { 0, 01, true }, { 1, 00, true }, { 1, 01, false }, { 10, 59, false }, { 11, 00, true }, { 11, 59, true }, { 12, 00, true }, { 12, 01, true }, { 12, 59, true }, { 13, 00, true }, { 13, 01, false }, { 22, 59, false }, { 23, 0, true }, { 23, 59, true } };
RangerAccessRequest request = mock(RangerAccessRequest.class);
for (Object[] data : input) {
int hour = (int) data[0];
int minute = (int) data[1];
Calendar c = new GregorianCalendar(2015, Calendar.APRIL, 1, hour, minute);
Date aDate = c.getTime();
when(request.getAccessTime()).thenReturn(aDate);
boolean matchExpected = (boolean) data[2];
if (matchExpected) {
Assert.assertTrue("" + hour, matcher.isMatched(request));
} else {
Assert.assertFalse("" + hour, matcher.isMatched(request));
}
}
}
Also used :
GregorianCalendar(java.util.GregorianCalendar)
Calendar(java.util.Calendar)
GregorianCalendar(java.util.GregorianCalendar)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
Date(java.util.Date)
Test(org.junit.Test)
Example 5 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerHdfsAuditHandler method processResult.
@Override
public void processResult(RangerAccessResult result) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
}
if (!isAuditEnabled && result.getIsAudited()) {
isAuditEnabled = true;
}
if (auditEvent == null) {
auditEvent = super.getAuthzEvents(result);
}
if (auditEvent != null) {
RangerAccessRequest request = result.getAccessRequest();
RangerAccessResource resource = request.getResource();
String resourcePath = resource != null ? resource.getAsString() : null;
// Overwrite fields in original auditEvent
auditEvent.setEventTime(request.getAccessTime());
auditEvent.setAccessType(request.getAction());
auditEvent.setResourcePath(this.pathToBeValidated);
auditEvent.setResultReason(resourcePath);
auditEvent.setAccessResult((short) (result.getIsAllowed() ? 1 : 0));
auditEvent.setPolicyId(result.getPolicyId());
Set<String> tags = getTags(request);
if (tags != null) {
auditEvent.setTags(tags);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
}
}
Also used :
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource)
Aggregations
RangerAccessRequest (org.apache.ranger.plugin.policyengine.RangerAccessRequest)18
RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult)5
Test (org.junit.Test)5
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)3
RangerAccessResource (org.apache.ranger.plugin.policyengine.RangerAccessResource)3
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)3
Principal (java.security.Principal)2
Calendar (java.util.Calendar)2
Date (java.util.Date)2
GregorianCalendar (java.util.GregorianCalendar)2
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)2
AuthzAuditEvent (org.apache.ranger.audit.model.AuthzAuditEvent)2
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)2
RangerPolicyEngineImpl (org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl)2
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)2
Gson (com.google.gson.Gson)1
ArrayList (java.util.ArrayList)1
HashMap (java.util.HashMap)1
HashSet (java.util.HashSet)1
CountDownLatch (java.util.concurrent.CountDownLatch)1
