
Example 16 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

In the class RangerIpMatcherTest, method createRequest.

/**
 * Builds a mocked access request whose only stubbed accessor is the client IP.
 *
 * @param requestIp value returned by {@code getClientIPAddress()} on the mock
 * @return a Mockito mock of {@link RangerAccessRequest} answering {@code requestIp} for its client IP
 */
RangerAccessRequest createRequest(String requestIp) {
    final RangerAccessRequest stub = mock(RangerAccessRequest.class);
    // Every other accessor keeps Mockito's default answer; only the client IP is fixed.
    when(stub.getClientIPAddress()).thenReturn(requestIp);
    return stub;
}
Also used : RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)

Example 17 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

In the class RangerScriptConditionEvaluator, method isMatched.

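/**
 * Evaluates this condition's script against the supplied access request.
 *
 * <p>The script runs against a read-only copy of the request with three bindings:
 * {@code ctx} (the execution context), {@code tag} (the current tag, possibly
 * {@code null}) and {@code tagAttr} (the current tag's attributes, or an empty map
 * when there is no tag). The script's return value is used when it is a
 * {@link Boolean}; when the script returns {@code null}, the result stored on the
 * context is consulted instead.
 *
 * <p>The default is {@code true}: when no script engine is configured, the script is
 * blank, the script yields a non-Boolean, or evaluation throws, the condition is
 * reported as matched. A failing script therefore does not disable the policy item
 * that carries this condition; evaluation errors are only logged.
 *
 * @param request the access request being authorized
 * @return {@code true} if the condition matches (or could not be evaluated),
 *         {@code false} only when the script explicitly yields {@code false}
 */
@Override
public boolean isMatched(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerScriptConditionEvaluator.isMatched()");
    }
    // Fail-open default: only an explicit Boolean from the script can change it.
    boolean result = true;
    if (scriptEngine != null) {
        String script = getScript();
        if (StringUtils.isNotBlank(script)) {
            // The script sees a read-only copy so it cannot mutate the request under evaluation.
            RangerAccessRequest readOnlyRequest = request.getReadOnlyCopy();
            RangerScriptExecutionContext context = new RangerScriptExecutionContext(readOnlyRequest);
            RangerTagForEval currentTag = context.getCurrentTag();
            Map<String, String> tagAttribs = currentTag != null ? currentTag.getAttributes() : Collections.<String, String>emptyMap();
            Bindings bindings = scriptEngine.createBindings();
            bindings.put("ctx", context);
            bindings.put("tag", currentTag);
            bindings.put("tagAttr", tagAttribs);
            if (LOG.isDebugEnabled()) {
                // Logs the full script text at debug level.
                LOG.debug("RangerScriptConditionEvaluator.isMatched(): script={" + script + "}");
            }
            try {
                Object ret = scriptEngine.eval(script, bindings);
                if (ret == null) {
                    // A script with no return value may have set its verdict on the context instead.
                    ret = context.getResult();
                }
                if (ret instanceof Boolean) {
                    result = (Boolean) ret;
                }
            } catch (NullPointerException nullp) {
                // Pass the throwable so the stack trace shows which argument was null
                // instead of only the fixed message.
                LOG.error("RangerScriptConditionEvaluator.isMatched(): eval called with NULL argument(s)", nullp);
            } catch (ScriptException exception) {
                // Pass the throwable as the logger's cause argument: the original call only
                // appended exception.toString(), which drops the stack trace.
                LOG.error("RangerScriptConditionEvaluator.isMatched(): failed to evaluate script," + " exception=" + exception, exception);
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerScriptConditionEvaluator.isMatched(), result=" + result);
    }
    return result;
}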
Also used : ScriptException(javax.script.ScriptException) RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) Bindings(javax.script.Bindings)

Example 18 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

In the class RangerStormAuthorizer, method permit.

/**
 * Authorizes one incoming Thrift request.
 *
 * <p>Decision flow: operations listed in {@code noAuthzOperations} are allowed without
 * consulting Ranger; if the plugin is not initialized, or no user name can be derived
 * from the request principal, the request is denied and a message is logged; otherwise
 * an access request is built from the Hadoop short user name, the user's groups, the
 * client IP, the topology name, the operation and the cluster name, and the plugin's
 * decision is returned.
 *
 * <p>{@code accessAllowed} starts as {@code false}, and any {@link Throwable} raised
 * while deciding is logged and leaves that default in place, so an internal failure
 * fails closed. The plugin's audit flag is read only for logging here; this method does
 * not emit the audit event itself.
 *
 * @param aRequestContext context of the Thrift request (request id, remote address, principal)
 * @param aOperationName operation name
 * @param aTopologyConfigMap configuration of the targeted topology; may be {@code null}
 * @return {@code true} if the request is authorized, {@code false} if rejected
 */
@Override
public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) {
    // Deny by default; only an explicit allow below flips this.
    boolean accessAllowed = false;
    boolean isAuditEnabled = false;
    String topologyName = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
        }
        // A missing config map yields ""; a map without the key yields null (cast of a null value).
        topologyName = (aTopologyConfigMap == null ? "" : (String) aTopologyConfigMap.get(Config.TOPOLOGY_NAME));
        if (LOG.isDebugEnabled()) {
            LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op:   [" + aOperationName + "]," + "topology: [" + topologyName + "]");
            if (aTopologyConfigMap != null) {
                // Debug-only: every topology config entry is written to the log verbatim.
                for (Object keyObj : aTopologyConfigMap.keySet()) {
                    Object valObj = aTopologyConfigMap.get(keyObj);
                    LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
                }
            } else {
                LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
            }
        }
        if (noAuthzOperations.contains(aOperationName)) {
            // Operations in noAuthzOperations are allowed without consulting the plugin.
            accessAllowed = true;
        } else if (plugin == null) {
            // Plugin not ready: fall through with the default deny.
            LOG.info("Ranger plugin not initialized yet! Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
        } else {
            String userName = null;
            String[] groups = null;
            Principal user = aRequestContext.principal();
            if (user != null) {
                userName = user.getName();
                if (userName != null) {
                    // Resolve the principal to a Hadoop short user name and its group list.
                    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
                    userName = ugi.getShortUserName();
                    groups = ugi.getGroupNames();
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]");
                    }
                }
            }
            if (userName != null) {
                // Client IP handed to the policy engine; null when no remote address is known.
                String clientIp = (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress());
                String clusterName = plugin.getClusterName();
                RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName, clusterName);
                RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
                // A null result is treated as deny and as not audited.
                accessAllowed = result != null && result.getIsAllowed();
                isAuditEnabled = result != null && result.getIsAudited();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
                }
            } else {
                // No usable principal: request is denied (accessAllowed still false).
                LOG.info("NULL User found from principal [" + user + "]: Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
            }
        }
    } catch (Throwable t) {
        // Any failure, including runtime errors, is logged and results in a deny.
        LOG.error("RangerStormAuthorizer found this exception", t);
    } finally {
        // perf is null unless tracing was enabled above; presumably log() tolerates null — verify.
        RangerPerfTracer.log(perf);
        if (LOG.isDebugEnabled()) {
            // NOTE(review): aRequestContext is dereferenced here outside the try, so a null
            // context would throw from finally rather than be caught above.
            LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op:   [" + aOperationName + "]," + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
        }
    }
    return accessAllowed;
}
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) Principal(java.security.Principal) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
