
Example 1 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerPDPKnoxFilter method doFilter.

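public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    String sourceUrl = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
    String topologyName = getTopologyName(sourceUrl);
    String serviceName = getServiceName();
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG, "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
    }
    // Fail closed when the plugin is missing. The previous version dereferenced plugin.getClusterName()
    // before its own "plugin != null" test, so a missing plugin surfaced as an NPE (HTTP 500) rather than a deny.
    if (plugin == null) {
        LOG.warn("RangerPDPKnoxFilter: Ranger plugin not initialized; denying access to url=" + sourceUrl);
        RangerPerfTracer.log(perf);
        sendForbidden((HttpServletResponse) response);
        return;
    }
    // The authenticated identity is read from the current access-control context (set by an upstream Subject.doAs).
    Subject subject = Subject.getSubject(AccessController.getContext());
    Principal primaryPrincipal = (subject == null) ? null : firstPrincipal(subject, PrimaryPrincipal.class);
    if (primaryPrincipal == null) {
        // No Subject, or a Subject without a PrimaryPrincipal: there is nothing to authorize, so deny explicitly.
        // (The previous version indexed [0] into a possibly empty array here and failed with an exception.)
        LOG.warn("RangerPDPKnoxFilter: no authenticated primary principal; denying access to url=" + sourceUrl);
        RangerPerfTracer.log(perf);
        sendForbidden((HttpServletResponse) response);
        return;
    }
    String primaryUser = primaryPrincipal.getName();
    Principal impersonatedPrincipal = firstPrincipal(subject, ImpersonatedPrincipal.class);
    String impersonatedUser = (impersonatedPrincipal != null) ? impersonatedPrincipal.getName() : null;
    // Authorization is evaluated for the impersonated identity when Knox asserted one. Whether primaryUser was
    // entitled to impersonate is not checked here -- presumably enforced by Knox identity assertion upstream; TODO confirm.
    String user = (impersonatedUser != null) ? impersonatedUser : primaryUser;
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user);
    }
    Set<String> groups = new HashSet<String>();
    for (Principal groupPrincipal : subject.getPrincipals(GroupPrincipal.class)) {
        groups.add(groupPrincipal.getName());
    }
    // Socket peer address only: behind a proxy or load balancer this is the proxy's address, not the end
    // client's, and any IP-based Ranger policy condition is evaluated against that value.
    String clientIp = request.getRemoteAddr();
    String clusterName = plugin.getClusterName();
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user + ", groups: " + groups + ", clientIp: " + clientIp + ", clusterName: " + clusterName);
    }
    RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder().service(serviceName).topology(topologyName).user(user).groups(groups).clientIp(clientIp).clusterName(clusterName).build();
    RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
    // Default deny: a null result from the policy engine counts as "not allowed".
    boolean accessAllowed = result != null && result.getIsAllowed();
    if (LOG.isDebugEnabled()) {
        LOG.debug("Access allowed: " + accessAllowed);
    }
    RangerPerfTracer.log(perf);
    if (accessAllowed) {
        chain.doFilter(request, response);
    } else {
        sendForbidden((HttpServletResponse) response);
    }
}

/**
 * Returns the first principal of the given type attached to the subject, or null when there is none.
 * Replaces the unchecked {@code toArray()[0]} indexing, which throws on an empty principal set.
 */
private static Principal firstPrincipal(Subject subject, Class<? extends Principal> type) {
    Set<? extends Principal> principals = subject.getPrincipals(type);
    return principals.isEmpty() ? null : principals.iterator().next();
}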
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) Subject(javax.security.auth.Subject) GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal) Principal(java.security.Principal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) HashSet(java.util.HashSet)

Example 2 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerIpMatcherTest method test_extractIp.

@Test
public void test_extractIp() {
    RangerIpMatcher ipMatcher = new RangerIpMatcher();
    // A missing request yields no address.
    Assert.assertNull(ipMatcher.extractIp(null));
    RangerAccessRequest mockRequest = mock(RangerAccessRequest.class);
    // A request that carries no client address yields no address either.
    when(mockRequest.getClientIPAddress()).thenReturn(null);
    Assert.assertNull(ipMatcher.extractIp(mockRequest));
    // The matcher passes the value through unchanged and does not validate its format: whatever
    // string the caller put on the request is what IP conditions are matched against.
    String arbitraryAddress = "anIp";
    when(mockRequest.getClientIPAddress()).thenReturn(arbitraryAddress);
    Assert.assertEquals(arbitraryAddress, ipMatcher.extractIp(mockRequest));
}
Also used : RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) Test(org.junit.Test)

Example 3 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerTimeOfDayMatcherTest method test_end2end_happyPath.

@Test
public void test_end2end_happyPath() {
    // Three ranges in the loose notation the matcher accepts: mixed case, stray spaces, "a.m." / "AM" / "P.M.".
    RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class);
    when(condition.getValues()).thenReturn(Arrays.asList("2:45a.m. -7:00 AM", "  9:15AM- 5:30P.M. ", "11pm-2am"));
    RangerTimeOfDayMatcher matcher = new RangerTimeOfDayMatcher();
    matcher.setConditionDef(null);
    matcher.setPolicyItemCondition(condition);
    matcher.init();
    // Rows are {hour, minute, expectedMatch}. The table pins both ends of a range as inclusive
    // (2:45 and 7:00 match, 2:44 and 7:01 do not) and "11pm-2am" as wrapping past midnight
    // (1:00 and 2:00 match, 2:01 does not).
    Object[][] cases = new Object[][] { { 1, 0, true }, { 2, 0, true }, { 2, 1, false }, { 2, 44, false }, { 2, 45, true }, { 3, 0, true }, { 7, 0, true }, { 7, 1, false }, { 8, 0, false }, { 9, 15, true }, { 10, 0, true }, { 17, 0, true }, { 17, 30, true }, { 17, 31, false }, { 18, 0, false }, { 22, 59, false }, { 23, 0, true } };
    RangerAccessRequest request = mock(RangerAccessRequest.class);
    for (Object[] row : cases) {
        int hour = (int) row[0];
        int minute = (int) row[1];
        boolean expected = (boolean) row[2];
        // Built in the JVM default time zone; the matcher is presumably evaluated in that same zone -- TODO confirm.
        Date accessTime = new GregorianCalendar(2015, Calendar.APRIL, 1, hour, minute).getTime();
        when(request.getAccessTime()).thenReturn(accessTime);
        Assert.assertEquals("" + hour, expected, matcher.isMatched(request));
    }
}
Also used : GregorianCalendar(java.util.GregorianCalendar) Calendar(java.util.Calendar) GregorianCalendar(java.util.GregorianCalendar) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) Date(java.util.Date) Test(org.junit.Test)

Example 4 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerTimeOfDayMatcherTest method test_end2end_happyPath_12_oClock.

@Test
public void test_end2end_happyPath_12_oClock() {
    // Ranges that start or end exactly on 12 o'clock, to pin the "12am" (midnight) and "12pm" (noon) parsing.
    RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class);
    when(condition.getValues()).thenReturn(Arrays.asList("12am-1am", "11am-12pm", "12pm-1pm", "11pm-12am"));
    RangerTimeOfDayMatcher matcher = new RangerTimeOfDayMatcher();
    matcher.setConditionDef(null);
    matcher.setPolicyItemCondition(condition);
    matcher.init();
    // Rows are {hour, minute, expectedMatch}: 0:00-1:00, 11:00-13:00 (the two noon-adjacent ranges abut)
    // and 23:00-23:59 match; 1:01, 10:59, 13:01 and 22:59 do not.
    Object[][] cases = new Object[][] { { 0, 0, true }, { 0, 1, true }, { 1, 0, true }, { 1, 1, false }, { 10, 59, false }, { 11, 0, true }, { 11, 59, true }, { 12, 0, true }, { 12, 1, true }, { 12, 59, true }, { 13, 0, true }, { 13, 1, false }, { 22, 59, false }, { 23, 0, true }, { 23, 59, true } };
    RangerAccessRequest request = mock(RangerAccessRequest.class);
    for (Object[] row : cases) {
        int hour = (int) row[0];
        int minute = (int) row[1];
        boolean expected = (boolean) row[2];
        // Built in the JVM default time zone; the matcher is presumably evaluated in that same zone -- TODO confirm.
        Date accessTime = new GregorianCalendar(2015, Calendar.APRIL, 1, hour, minute).getTime();
        when(request.getAccessTime()).thenReturn(accessTime);
        Assert.assertEquals("" + hour, expected, matcher.isMatched(request));
    }
}
Also used : GregorianCalendar(java.util.GregorianCalendar) Calendar(java.util.Calendar) GregorianCalendar(java.util.GregorianCalendar) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) Date(java.util.Date) Test(org.junit.Test)

Example 5 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerHdfsAuditHandler method processResult.

@Override
public void processResult(RangerAccessResult result) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
    }
    // Once any result in this evaluation asks to be audited, the handler stays in audit mode.
    if (!isAuditEnabled && result.getIsAudited()) {
        isAuditEnabled = true;
    }
    // A single event is created on first use; later results overwrite its fields instead of
    // producing a second event.
    if (auditEvent == null) {
        auditEvent = super.getAuthzEvents(result);
    }
    if (auditEvent != null) {
        RangerAccessRequest accessRequest = result.getAccessRequest();
        RangerAccessResource evaluatedResource = accessRequest.getResource();
        String evaluatedResourcePath = null;
        if (evaluatedResource != null) {
            evaluatedResourcePath = evaluatedResource.getAsString();
        }
        auditEvent.setEventTime(accessRequest.getAccessTime());
        auditEvent.setAccessType(accessRequest.getAction());
        // resourcePath carries the path this handler was asked to validate; the resource the
        // policy engine actually evaluated goes into resultReason, so a reader of the audit log
        // can compare the two.
        auditEvent.setResourcePath(this.pathToBeValidated);
        auditEvent.setResultReason(evaluatedResourcePath);
        short accessResult = result.getIsAllowed() ? (short) 1 : (short) 0;
        auditEvent.setAccessResult(accessResult);
        auditEvent.setPolicyId(result.getPolicyId());
        Set<String> tags = getTags(accessRequest);
        if (tags != null) {
            auditEvent.setTags(tags);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
    }
}
Also used : RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource)
