use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.
the class RangerAtlasAuthorizer method isAccessAllowed.
@Override
public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
if (LOG.isDebugEnabled()) {
LOG.debug("==> isAccessAllowed(" + request + ")");
}
final boolean ret;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
}
String action = request.getAction() != null ? request.getAction().getType() : null;
RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(Collections.singletonMap(RESOURCE_SERVICE, "*"));
RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
rangerRequest.setAction(action);
rangerRequest.setClusterName(getClusterName());
ret = checkAccess(rangerRequest);
} finally {
RangerPerfTracer.log(perf);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
}
return ret;
}
use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.
the class AuthorizationSession method buildRequest.
AuthorizationSession buildRequest() {
verifyBuildable();
// session can be reused so reset its state
zapAuthorizationState();
// TODO get this via a factory instead
RangerAccessResourceImpl resource = new RangerHBaseResource();
// policy engine should deal sensibly with null/empty values, if any
if (isNameSpaceOperation() && StringUtils.isNotBlank(_otherInformation)) {
resource.setValue(RangerHBaseResource.KEY_TABLE, _otherInformation + RangerHBaseResource.NAMESPACE_SEPARATOR);
} else {
resource.setValue(RangerHBaseResource.KEY_TABLE, _table);
}
resource.setValue(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily);
resource.setValue(RangerHBaseResource.KEY_COLUMN, _column);
String user = _userUtils.getUserAsString(_user);
RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, _access, user, _groups);
request.setAction(_operation);
request.setRequestData(_otherInformation);
request.setClientIPAddress(_remoteAddress);
request.setResourceMatchingScope(_resourceMatchingScope);
request.setClusterName(_clusterName);
_request = request;
if (LOG.isDebugEnabled()) {
LOG.debug("Built request: " + request.toString());
}
return this;
}
use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.
the class RangerBasePlugin method auditGrantRevoke.
private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
if (request != null && resultProcessor != null) {
RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
accessRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
accessRequest.setUser(request.getGrantor());
accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
accessRequest.setAction(action);
accessRequest.setClientIPAddress(request.getClientIPAddress());
accessRequest.setClientType(request.getClientType());
accessRequest.setRequestData(request.getRequestData());
accessRequest.setSessionId(request.getSessionId());
accessRequest.setClusterName(request.getClusterName());
// call isAccessAllowed() to determine if audit is enabled or not
RangerAccessResult accessResult = isAccessAllowed(accessRequest, null);
if (accessResult != null && accessResult.getIsAudited()) {
accessRequest.setAccessType(action);
accessResult.setIsAllowed(isSuccess);
if (!isSuccess) {
accessResult.setPolicyId(-1);
}
resultProcessor.processResult(accessResult);
}
}
}
use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.
the class ServiceREST method getPoliciesForResource.
@GET
@Path("/policies/{serviceDefName}/for-resource")
@Produces({ "application/json", "application/xml" })
public List<RangerPolicy> getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, @DefaultValue("") @QueryParam("serviceName") String serviceName, @Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
}
List<RangerPolicy> ret = new ArrayList<>();
List<RangerService> services = new ArrayList<>();
Map<String, Object> resource = new HashMap<>();
String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource);
if (StringUtils.isNotEmpty(validationMessage)) {
LOG.error("Invalid request: [" + validationMessage + "]");
throw restErrorUtil.createRESTException(validationMessage, MessageEnums.INVALID_INPUT_DATA);
} else {
RangerService service = services.get(0);
if (LOG.isDebugEnabled()) {
LOG.debug("getServicePolicies with service-name=" + service.getName());
}
RangerPolicyEngine engine = null;
try {
engine = getPolicySearchPolicyEngine(service.getName());
} catch (Exception e) {
LOG.error("Cannot initialize Policy-Engine", e);
throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM);
}
if (engine != null) {
ret = engine.getMatchingPolicies(new RangerAccessResourceImpl(resource));
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret.toString());
}
return ret;
}
use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.
the class ServiceREST method grantAccess.
@POST
@Path("/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + ")");
}
RESTResponse ret = new RESTResponse();
RangerPerfTracer perf = null;
if (grantRequest != null) {
if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
}
validateGrantRevokeRequest(grantRequest);
String userName = grantRequest.getGrantor();
Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
VXUser vxUser = xUserService.getXUserByUserName(userName);
if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
VXResponse vXResponse = new VXResponse();
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + vxUser.getId() + " ,isn't permitted to perform the action.");
throw restErrorUtil.generateRESTException(vXResponse);
}
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
if (!isAdmin) {
throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
}
RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
if (policy != null) {
boolean policyUpdated = false;
policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
if (policyUpdated) {
svcStore.updatePolicy(policy);
} else {
LOG.error("processGrantRequest processing failed");
throw new Exception("processGrantRequest processing failed");
}
} else {
policy = new RangerPolicy();
policy.setService(serviceName);
// TODO: better policy name
policy.setName("grant-" + System.currentTimeMillis());
policy.setDescription("created by grant");
policy.setIsAuditEnabled(grantRequest.getEnableAudit());
policy.setCreatedBy(userName);
Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
Set<String> resourceNames = resource.getKeys();
if (!CollectionUtils.isEmpty(resourceNames)) {
for (String resourceName : resourceNames) {
RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
}
}
policy.setResources(policyResources);
RangerPolicyItem policyItem = new RangerPolicyItem();
policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
policyItem.getUsers().addAll(grantRequest.getUsers());
policyItem.getGroups().addAll(grantRequest.getGroups());
for (String accessType : grantRequest.getAccessTypes()) {
policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
}
policy.getPolicyItems().add(policyItem);
svcStore.createPolicy(policy);
}
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
}
return ret;
}
Aggregations