
Example 1 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class RangerAtlasAuthorizer method isAccessAllowed.

/**
 * Authorizes an Atlas admin-level operation through Ranger.
 *
 * <p>The Atlas request is mapped onto a single wildcard service resource
 * ({@code RESOURCE_SERVICE -> "*"}), so admin operations are evaluated against
 * service-wide policies rather than a specific entity. The action type, user,
 * groups, client address and access time are copied from the Atlas request
 * before the check is delegated to {@code checkAccess}.
 *
 * @param request the Atlas admin access request; its action may be {@code null},
 *                in which case the Ranger request carries a {@code null} action
 * @return {@code true} if Ranger allows the operation
 * @throws AtlasAuthorizationException if the underlying authorization check fails
 */
@Override
public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> isAccessAllowed(" + request + ")");
    }

    RangerPerfTracer perfTracer = null;
    final boolean allowed;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perfTracer = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
        }

        // A request without an action yields a null action type.
        final String actionType;
        if (request.getAction() == null) {
            actionType = null;
        } else {
            actionType = request.getAction().getType();
        }

        // Admin operations are authorized against the whole service, hence the "*" resource value.
        RangerAccessResourceImpl serviceResource =
                new RangerAccessResourceImpl(Collections.singletonMap(RESOURCE_SERVICE, "*"));
        RangerAccessRequestImpl rangerRequest =
                new RangerAccessRequestImpl(serviceResource, actionType, request.getUser(), request.getUserGroups());
        rangerRequest.setClientIPAddress(request.getClientIPAddress());
        rangerRequest.setAccessTime(request.getAccessTime());
        rangerRequest.setAction(actionType);
        rangerRequest.setClusterName(getClusterName());

        allowed = checkAccess(rangerRequest);
    } finally {
        // perfTracer is still null when tracing is disabled; log() is expected to tolerate that — confirm.
        RangerPerfTracer.log(perfTracer);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== isAccessAllowed(" + request + "): " + allowed);
    }
    return allowed;
}

Example 2 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class AuthorizationSession method buildRequest.

/**
 * Builds the Ranger access request for this session from its current state and
 * stores it in {@code _request}.
 *
 * <p>The HBase resource is keyed by table, column family and column. For a
 * namespace operation with non-blank {@code _otherInformation}, the table key is
 * set to the namespace followed by {@code RangerHBaseResource.NAMESPACE_SEPARATOR};
 * in every other case the plain {@code _table} value is used. Null or empty values
 * are passed through unchanged and are left to the policy engine to handle.
 *
 * @return this session, for call chaining
 */
AuthorizationSession buildRequest() {
    verifyBuildable();
    // The session is reusable, so clear any authorization state left over from a previous run.
    zapAuthorizationState();

    // TODO obtain this via a factory instead
    RangerAccessResourceImpl hbaseResource = new RangerHBaseResource();

    // Namespace-scoped operations are matched as "<namespace><separator>" on the table key.
    boolean namespaceScoped = isNameSpaceOperation() && StringUtils.isNotBlank(_otherInformation);
    String tableValue = namespaceScoped
            ? _otherInformation + RangerHBaseResource.NAMESPACE_SEPARATOR
            : _table;
    hbaseResource.setValue(RangerHBaseResource.KEY_TABLE, tableValue);
    hbaseResource.setValue(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily);
    hbaseResource.setValue(RangerHBaseResource.KEY_COLUMN, _column);

    String userName = _userUtils.getUserAsString(_user);
    RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl(hbaseResource, _access, userName, _groups);
    accessRequest.setAction(_operation);
    accessRequest.setRequestData(_otherInformation);
    accessRequest.setClientIPAddress(_remoteAddress);
    accessRequest.setResourceMatchingScope(_resourceMatchingScope);
    accessRequest.setClusterName(_clusterName);
    _request = accessRequest;

    if (LOG.isDebugEnabled()) {
        LOG.debug("Built request: " + accessRequest.toString());
    }
    return this;
}

Example 3 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class RangerBasePlugin method auditGrantRevoke.

/**
 * Emits an audit record for a grant/revoke operation when the matching policy has auditing enabled.
 *
 * <p>An admin-access evaluation of the resource is performed first, purely to find out whether
 * the result is audited. If it is, the record is rewritten to carry the actual grant/revoke
 * action and its outcome; a failed operation is recorded with policy id {@code -1}.
 * Nothing happens when {@code request} or {@code resultProcessor} is {@code null}.
 *
 * @param request         the grant/revoke request being audited
 * @param action          the action name recorded as access type and action in the audit
 * @param isSuccess       whether the grant/revoke succeeded
 * @param resultProcessor sink that receives the audit result
 */
private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
    if (request == null || resultProcessor == null) {
        return;
    }

    RangerAccessRequestImpl auditRequest = new RangerAccessRequestImpl();
    auditRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
    auditRequest.setUser(request.getGrantor());
    // Probe as an admin access: this evaluation only decides whether auditing applies.
    auditRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
    auditRequest.setAction(action);
    auditRequest.setClientIPAddress(request.getClientIPAddress());
    auditRequest.setClientType(request.getClientType());
    auditRequest.setRequestData(request.getRequestData());
    auditRequest.setSessionId(request.getSessionId());
    auditRequest.setClusterName(request.getClusterName());

    RangerAccessResult evaluation = isAccessAllowed(auditRequest, null);
    if (evaluation == null || !evaluation.getIsAudited()) {
        return;
    }

    // Rewrite the record to reflect the real operation and its outcome
    // (presumably the result still references auditRequest — confirm).
    auditRequest.setAccessType(action);
    evaluation.setIsAllowed(isSuccess);
    if (!isSuccess) {
        evaluation.setPolicyId(-1);
    }
    resultProcessor.processResult(evaluation);
}

Example 4 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class ServiceREST method getPoliciesForResource.

/**
 * Lists the policies of a service that match the resource described by the request's query parameters.
 *
 * <p>{@code validateResourcePoliciesRequest} both validates the input and fills the service list
 * and resource map; on a validation failure an INVALID_INPUT_DATA REST error is raised. The first
 * resolved service is used to obtain a policy-search engine, whose matching policies are returned.
 * An empty list is returned when no engine is available.
 *
 * @param serviceDefName service-definition (type) name from the path
 * @param serviceName    optional service name; defaults to the empty string
 * @param request        the HTTP request carrying the resource query parameters
 * @return the matching policies, never {@code null}
 */
@GET
@Path("/policies/{serviceDefName}/for-resource")
@Produces({ "application/json", "application/xml" })
public List<RangerPolicy> getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, @DefaultValue("") @QueryParam("serviceName") String serviceName, @Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
    }

    List<RangerPolicy> matchingPolicies = new ArrayList<>();
    List<RangerService> resolvedServices = new ArrayList<>();
    Map<String, Object> resourceSpec = new HashMap<>();

    // Validation populates resolvedServices and resourceSpec as a side effect.
    String validationError = validateResourcePoliciesRequest(serviceDefName, serviceName, request, resolvedServices, resourceSpec);
    if (StringUtils.isNotEmpty(validationError)) {
        LOG.error("Invalid request: [" + validationError + "]");
        throw restErrorUtil.createRESTException(validationError, MessageEnums.INVALID_INPUT_DATA);
    }

    // Presumably validation guarantees at least one service here; otherwise get(0) throws — confirm.
    RangerService targetService = resolvedServices.get(0);
    if (LOG.isDebugEnabled()) {
        LOG.debug("getServicePolicies with service-name=" + targetService.getName());
    }

    RangerPolicyEngine policyEngine = null;
    try {
        policyEngine = getPolicySearchPolicyEngine(targetService.getName());
    } catch (Exception e) {
        LOG.error("Cannot initialize Policy-Engine", e);
        throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM);
    }
    if (policyEngine != null) {
        matchingPolicies = policyEngine.getMatchingPolicies(new RangerAccessResourceImpl(resourceSpec));
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + matchingPolicies.toString());
    }
    return matchingPolicies;
}

Example 5 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class ServiceREST method grantAccess.

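/**
 * Grants access on a resource by updating the policy that exactly matches it, or creating one.
 *
 * <p>Nothing is done for a {@code null} grant request or when
 * {@code serviceUtil.isValidateHttpsAuthentication} rejects the caller; in both cases the
 * response is returned without its status code having been set to success. Otherwise the
 * request is validated, auditor-role users are refused with HTTP 401, and the grantor must hold
 * admin rights on the resource according to {@code hasAdminAccess}. A {@code WebApplicationException}
 * propagates unchanged; any other failure is logged and converted into a REST exception.
 *
 * @param serviceName  the service whose policies are modified
 * @param grantRequest the grant to apply; its grantor is the acting user
 * @param request      the HTTP request, used for the HTTPS/authentication check
 * @return a response whose status code is {@code STATUS_SUCCESS} when the grant was applied
 * @throws Exception as raised by the policy store or the REST error utilities
 */
@POST
@Path("/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    if (grantRequest != null) {
        if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(grantRequest);
                String userName = grantRequest.getGrantor();
                // Grantor groups supplied in the request take precedence; otherwise they are looked up.
                Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
                // presumably non-null for a valid grantor; a null here surfaces through the Throwable handler below — confirm
                VXUser vxUser = xUserService.getXUserByUserName(userName);
                // Auditor roles are refused before any admin check or policy change is attempted.
                if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
                    VXResponse vXResponse = new VXResponse();
                    vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
                    vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + vxUser.getId() + " ,isn't permitted to perform the action.");
                    throw restErrorUtil.generateRESTException(vXResponse);
                }
                // The grantor must hold admin rights on the resource being granted.
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                if (!isAdmin) {
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
                }
                RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                if (policy != null) {
                    // Merge the grant into the existing policy; false means nothing could be applied.
                    boolean policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
                    if (!policyUpdated) {
                        LOG.error("processGrantRequest processing failed");
                        // Caught by the Throwable handler below and turned into a REST error;
                        // IllegalStateException replaces a raw Exception without changing that flow.
                        throw new IllegalStateException("processGrantRequest processing failed");
                    }
                    svcStore.updatePolicy(policy);
                } else {
                    // No exact-match policy: create one that carries just this grant.
                    policy = new RangerPolicy();
                    policy.setService(serviceName);
                    // TODO: better policy name
                    policy.setName("grant-" + System.currentTimeMillis());
                    policy.setDescription("created by grant");
                    policy.setIsAuditEnabled(grantRequest.getEnableAudit());
                    policy.setCreatedBy(userName);
                    Map<String, RangerPolicyResource> policyResources = new HashMap<>();
                    Set<String> resourceNames = resource.getKeys();
                    if (!CollectionUtils.isEmpty(resourceNames)) {
                        for (String resourceName : resourceNames) {
                            RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
                            policyResource.setIsRecursive(grantRequest.getIsRecursive());
                            policyResources.put(resourceName, policyResource);
                        }
                    }
                    policy.setResources(policyResources);
                    RangerPolicyItem policyItem = new RangerPolicyItem();
                    policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
                    policyItem.getUsers().addAll(grantRequest.getUsers());
                    policyItem.getGroups().addAll(grantRequest.getGroups());
                    for (String accessType : grantRequest.getAccessTypes()) {
                        policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
                    }
                    policy.getPolicyItems().add(policyItem);
                    svcStore.createPolicy(policy);
                }
            } catch (WebApplicationException excp) {
                // Already a well-formed REST error (e.g. the 401 above); pass it through untouched.
                throw excp;
            } catch (Throwable excp) {
                LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
                // NOTE(review): Throwable also captures Errors, and the raw exception message is
                // forwarded to the caller; confirm createRESTException does not expose internal details.
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
    }
    return ret;
}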
