Example 16 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerIpMatcherTest method createRequest.
RangerAccessRequest createRequest(String requestIp) {
RangerAccessRequest request = mock(RangerAccessRequest.class);
when(request.getClientIPAddress()).thenReturn(requestIp);
return request;
}
Also used :
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
Example 17 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerScriptConditionEvaluator method isMatched.
@Override
public boolean isMatched(RangerAccessRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerScriptConditionEvaluator.isMatched()");
}
boolean result = true;
if (scriptEngine != null) {
String script = getScript();
if (StringUtils.isNotBlank(script)) {
RangerAccessRequest readOnlyRequest = request.getReadOnlyCopy();
RangerScriptExecutionContext context = new RangerScriptExecutionContext(readOnlyRequest);
RangerTagForEval currentTag = context.getCurrentTag();
Map<String, String> tagAttribs = currentTag != null ? currentTag.getAttributes() : Collections.<String, String>emptyMap();
Bindings bindings = scriptEngine.createBindings();
bindings.put("ctx", context);
bindings.put("tag", currentTag);
bindings.put("tagAttr", tagAttribs);
if (LOG.isDebugEnabled()) {
LOG.debug("RangerScriptConditionEvaluator.isMatched(): script={" + script + "}");
}
try {
Object ret = scriptEngine.eval(script, bindings);
if (ret == null) {
ret = context.getResult();
}
if (ret instanceof Boolean) {
result = (Boolean) ret;
}
} catch (NullPointerException nullp) {
LOG.error("RangerScriptConditionEvaluator.isMatched(): eval called with NULL argument(s)");
} catch (ScriptException exception) {
LOG.error("RangerScriptConditionEvaluator.isMatched(): failed to evaluate script," + " exception=" + exception);
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerScriptConditionEvaluator.isMatched(), result=" + result);
}
return result;
}
Also used :
ScriptException(javax.script.ScriptException)
RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval)
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
Bindings(javax.script.Bindings)
Example 18 with RangerAccessRequest
use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.
the class RangerStormAuthorizer method permit.
/**
* permit() method is invoked for each incoming Thrift request.
* @param aRequestContext request context includes info about
* @param aOperationName operation name
* @param aTopologyConfigMap configuration of targeted topology
* @return true if the request is authorized, false if reject
*/
@Override
public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) {
boolean accessAllowed = false;
boolean isAuditEnabled = false;
String topologyName = null;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
}
topologyName = (aTopologyConfigMap == null ? "" : (String) aTopologyConfigMap.get(Config.TOPOLOGY_NAME));
if (LOG.isDebugEnabled()) {
LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op: [" + aOperationName + "]," + "topology: [" + topologyName + "]");
if (aTopologyConfigMap != null) {
for (Object keyObj : aTopologyConfigMap.keySet()) {
Object valObj = aTopologyConfigMap.get(keyObj);
LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
}
} else {
LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
}
}
if (noAuthzOperations.contains(aOperationName)) {
accessAllowed = true;
} else if (plugin == null) {
LOG.info("Ranger plugin not initialized yet! Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
} else {
String userName = null;
String[] groups = null;
Principal user = aRequestContext.principal();
if (user != null) {
userName = user.getName();
if (userName != null) {
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
userName = ugi.getShortUserName();
groups = ugi.getGroupNames();
if (LOG.isDebugEnabled()) {
LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]");
}
}
}
if (userName != null) {
String clientIp = (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress());
String clusterName = plugin.getClusterName();
RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName, clusterName);
RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
accessAllowed = result != null && result.getIsAllowed();
isAuditEnabled = result != null && result.getIsAudited();
if (LOG.isDebugEnabled()) {
LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
}
} else {
LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
}
}
} catch (Throwable t) {
LOG.error("RangerStormAuthorizer found this exception", t);
} finally {
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op: [" + aOperationName + "]," + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
}
}
return accessAllowed;
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
Principal(java.security.Principal)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Aggregations
RangerAccessRequest (org.apache.ranger.plugin.policyengine.RangerAccessRequest)18
RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult)5
Test (org.junit.Test)5
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)3
RangerAccessResource (org.apache.ranger.plugin.policyengine.RangerAccessResource)3
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)3
Principal (java.security.Principal)2
Calendar (java.util.Calendar)2
Date (java.util.Date)2
GregorianCalendar (java.util.GregorianCalendar)2
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)2
AuthzAuditEvent (org.apache.ranger.audit.model.AuthzAuditEvent)2
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)2
RangerPolicyEngineImpl (org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl)2
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)2
Gson (com.google.gson.Gson)1
ArrayList (java.util.ArrayList)1
HashMap (java.util.HashMap)1
HashSet (java.util.HashSet)1
CountDownLatch (java.util.concurrent.CountDownLatch)1
