Use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache:
class ServiceREST, method secureGrantAccess.
/**
 * REST endpoint: POST /secure/services/grant/{serviceName}.
 *
 * Grants the accesses listed in {@code grantRequest} on the request's resource within the
 * named service. If a policy exactly matching the resource already exists it is updated in
 * place through ServiceRESTUtil.processGrantRequest; otherwise a new policy named
 * "grant-&lt;millis&gt;" is created holding a single policy item.
 *
 * Authorization model, as far as it is visible here:
 *  - bizUtil.blockAuditorRoleUser() is called first (per its name, it rejects callers holding
 *    the auditor role);
 *  - nothing is done unless serviceUtil.isValidService(serviceName, request) passes; what it
 *    validates (service existence, caller/service binding) is not visible in this method;
 *  - the grantor and, optionally, the grantor's groups are taken from the request BODY, not
 *    from the authenticated session, and they feed the delegated-admin check. This is only
 *    safe if isValidService establishes that the caller is a trusted service/plugin
 *    -- NOTE(review): confirm against ServiceUtil.isValidService;
 *  - KMS services: allowed only for key admins or users in Allowed_User_List_For_Grant_Revoke;
 *    the resource-level delegated-admin result (isAdmin) is NOT consulted for KMS;
 *  - other services: allowed for resource-level delegated admins or allow-listed users.
 *
 * Failure behaviour:
 *  - a null grantRequest or a failed isValidService returns a fresh RESTResponse whose status
 *    code was never set to STATUS_SUCCESS, without raising an error;
 *  - WebApplicationException (this includes the permission error built below) is rethrown as-is;
 *  - any other Throwable is logged and converted with restErrorUtil.createRESTException using the
 *    raw exception message, so internal exception text can reach the client
 *    -- NOTE(review): consider a generic client-facing message.
 *
 * @param serviceName  name of the Ranger service the grant applies to (path parameter)
 * @param grantRequest grantor, grantor groups, target users/groups, resource, access types, flags
 * @param request      the servlet request, handed to isValidService
 * @return a RESTResponse carrying STATUS_SUCCESS once the grant has been applied
 * @throws Exception the WebApplicationException from the permission check, or a REST exception
 *                   wrapping any other failure
 */
@POST
@Path("/secure/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")");
}
RESTResponse ret = new RESTResponse();
RangerPerfTracer perf = null;
boolean isAllowed = false;
boolean isKeyAdmin = bizUtil.isKeyAdmin();
// Role gate on the authenticated caller, evaluated before any request content is looked at.
bizUtil.blockAuditorRoleUser();
if (grantRequest != null) {
// Everything below runs only when the service/caller combination is accepted.
if (serviceUtil.isValidService(serviceName, request)) {
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
// NOTE: the perf label misspells the method name ("scure"); left unchanged since perf logs may be parsed on it.
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")");
}
validateGrantRevokeRequest(grantRequest);
// Grantor identity comes from the request body; groups come from the body too if supplied,
// otherwise they are resolved from the user manager. Both drive hasAdminAccess below.
String userName = grantRequest.getGrantor();
Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
// Resource-level delegated-admin check for the grantor on this exact resource.
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
// NOTE(review): xService is dereferenced on the next line without a null check; a missing
// service would surface as a NullPointerException through the generic Throwable handler.
XXService xService = daoManager.getXXService().findByName(serviceName);
XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
RangerService rangerService = svcStore.getServiceByName(serviceName);
if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
// KMS: key-admin role or the configured allow-list only; isAdmin is intentionally not used here.
if (isKeyAdmin) {
isAllowed = true;
} else {
isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
}
} else {
// Non-KMS: delegated admin on the resource, or the configured allow-list.
if (isAdmin) {
isAllowed = true;
} else {
isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
}
}
if (isAllowed) {
// Reuse the policy that matches this resource exactly, if one exists.
RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
if (policy != null) {
boolean policyUpdated = false;
policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
if (policyUpdated) {
svcStore.updatePolicy(policy);
} else {
// A grant that changes nothing on the existing policy is reported as a failure.
LOG.error("processSecureGrantRequest processing failed");
throw new Exception("processSecureGrantRequest processing failed");
}
} else {
policy = new RangerPolicy();
policy.setService(serviceName);
// TODO: better policy name
// NOTE(review): two grants landing in the same millisecond produce the same name;
// whether that collides depends on the uniqueness rules enforced by createPolicy.
policy.setName("grant-" + System.currentTimeMillis());
policy.setDescription("created by grant");
policy.setIsAuditEnabled(grantRequest.getEnableAudit());
policy.setCreatedBy(userName);
// One RangerPolicyResource per resource key of the requested resource, all sharing the
// request's isRecursive flag.
Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
Set<String> resourceNames = resource.getKeys();
if (!CollectionUtils.isEmpty(resourceNames)) {
for (String resourceName : resourceNames) {
RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
}
}
policy.setResources(policyResources);
// Single policy item: requested users/groups, every requested access type allowed,
// delegate-admin taken verbatim from the request.
RangerPolicyItem policyItem = new RangerPolicyItem();
policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
policyItem.getUsers().addAll(grantRequest.getUsers());
policyItem.getGroups().addAll(grantRequest.getGroups());
for (String accessType : grantRequest.getAccessTypes()) {
policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
}
policy.getPolicyItems().add(policyItem);
svcStore.createPolicy(policy);
}
} else {
LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy");
throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
}
} catch (WebApplicationException excp) {
// Already a client-facing error (e.g. the permission failure above): propagate unchanged.
throw excp;
} catch (Throwable excp) {
// Everything else is wrapped; the raw message is forwarded to the client (see class doc).
LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
}
return ret;
}
Use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache:
class RangerAtlasAuthorizer, method isAccessAllowed(AtlasEntityAccessRequest).
/**
 * Authorizes an entity-level Atlas request against Ranger policies.
 *
 * The entity type (plus all of its super types), the entity id and a classification set are
 * mapped onto a RangerAccessResourceImpl. The classification set is the entity's current
 * classifications, extended with the classification named on the request when there is one.
 * When that set is non-empty, each classification (with its super types) is checked as its own
 * resource and access is granted only if every check is allowed -- the loop stops at the first
 * denial. With no classifications a single check is made with an empty classification set.
 *
 * Audit records gathered by the audit handler are flushed in the finally block, so they are
 * emitted whether or not checkAccess throws.
 *
 * @param request the Atlas entity access request (user, groups, action, entity, classifications)
 * @return true only when every performed check was allowed; false otherwise
 * @throws AtlasAuthorizationException propagated from checkAccess
 */
@Override
public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> isAccessAllowed(" + request + ")");
    }

    boolean isAllowed = false;
    RangerPerfTracer perfTracer = null;
    RangerAtlasAuditHandler auditHandler = new RangerAtlasAuditHandler(request, getServiceDef());

    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perfTracer = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
        }

        final String action = request.getAction() == null ? null : request.getAction().getType();
        final Set<String> entityTypes = request.getEntityTypeAndAllSuperTypes();
        final String entityId = request.getEntityId();
        final String requestedClassification = request.getClassification() == null ? null : request.getClassification().getTypeName();

        RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
        rangerRequest.setAccessType(action);
        rangerRequest.setAction(action);
        rangerRequest.setUser(request.getUser());
        rangerRequest.setUserGroups(request.getUserGroups());
        rangerRequest.setClientIPAddress(request.getClientIPAddress());
        rangerRequest.setAccessTime(request.getAccessTime());
        rangerRequest.setClusterName(getClusterName());

        // Existing classifications of the entity, plus the one named on the request (if any).
        Set<String> classificationsToAuthorize = request.getEntityClassifications();
        if (requestedClassification != null) {
            if (classificationsToAuthorize == null) {
                classificationsToAuthorize = Collections.singleton(requestedClassification);
            } else {
                classificationsToAuthorize = new HashSet<>(classificationsToAuthorize);
                classificationsToAuthorize.add(requestedClassification);
            }
        }

        if (CollectionUtils.isEmpty(classificationsToAuthorize)) {
            // Nothing to iterate: one check with an explicitly empty classification set.
            RangerAccessResourceImpl entityResource = new RangerAccessResourceImpl();
            entityResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
            entityResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, Collections.<String>emptySet());
            entityResource.setValue(RESOURCE_ENTITY_ID, entityId);
            rangerRequest.setResource(entityResource);
            isAllowed = checkAccess(rangerRequest, auditHandler);
        } else {
            // Every classification must be allowed individually; the first denial ends the evaluation.
            for (String classificationToAuthorize : classificationsToAuthorize) {
                RangerAccessResourceImpl entityResource = new RangerAccessResourceImpl();
                entityResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
                entityResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
                entityResource.setValue(RESOURCE_ENTITY_ID, entityId);
                rangerRequest.setResource(entityResource);
                isAllowed = checkAccess(rangerRequest, auditHandler);
                if (!isAllowed) {
                    break;
                }
            }
        }
    } finally {
        auditHandler.flushAudit();
        RangerPerfTracer.log(perfTracer);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== isAccessAllowed(" + request + "): " + isAllowed);
    }

    return isAllowed;
}
Use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache:
class RangerAtlasAuthorizer, method isAccessAllowed(AtlasTypeAccessRequest).
/**
 * Authorizes a type-definition request (AtlasTypeAccessRequest) against Ranger policies.
 *
 * The type name and the type category name are placed on a RangerAccessResourceImpl; both are
 * null when the request carries no type definition (the category is also null when the type
 * definition has none). A single checkAccess call decides the outcome.
 *
 * @param request the Atlas type access request (user, groups, action, type definition)
 * @return the result of checkAccess for the built request
 * @throws AtlasAuthorizationException propagated from checkAccess
 */
@Override
public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> isAccessAllowed(" + request + ")");
    }

    final boolean isAllowed;
    RangerPerfTracer perfTracer = null;

    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perfTracer = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
        }

        String typeName = null;
        String typeCategory = null;
        if (request.getTypeDef() != null) {
            typeName = request.getTypeDef().getName();
            if (request.getTypeDef().getCategory() != null) {
                typeCategory = request.getTypeDef().getCategory().name();
            }
        }
        final String action = request.getAction() == null ? null : request.getAction().getType();

        RangerAccessResourceImpl typeResource = new RangerAccessResourceImpl();
        typeResource.setValue(RESOURCE_TYPE_NAME, typeName);
        typeResource.setValue(RESOURCE_TYPE_CATEGORY, typeCategory);

        RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(typeResource, action, request.getUser(), request.getUserGroups());
        rangerRequest.setClientIPAddress(request.getClientIPAddress());
        rangerRequest.setAccessTime(request.getAccessTime());
        rangerRequest.setClusterName(getClusterName());
        rangerRequest.setAction(action);

        isAllowed = checkAccess(rangerRequest);
    } finally {
        RangerPerfTracer.log(perfTracer);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== isAccessAllowed(" + request + "): " + isAllowed);
    }

    return isAllowed;
}
Use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache:
class RangerKafkaAuthorizer, method authorize.
/**
 * Kafka Authorizer entry point: decides whether {@code session} may perform {@code operation}
 * on {@code resource} by asking the Ranger plugin.
 *
 * Fail-closed behaviour: false is returned when the plugin is not initialized, when the
 * operation cannot be mapped to a Ranger access type, when the resource type is unsupported,
 * when the plugin returns a null result, or when the plugin call throws.
 *
 * Known exception to fail-closed: every request on a consumer-group resource is allowed
 * unconditionally by the early return below (marked TODO), i.e. consumer-group operations are
 * NOT policy-checked by this authorizer. Because of that early return, the consumer-group
 * branch further down (setting KEY_CONSUMER_GROUP) is unreachable.
 *
 * @param session   the Kafka session; principal name becomes the Ranger user, client address
 *                  becomes the client IP
 * @param operation the Kafka operation, mapped via mapToRangerAccessType
 * @param resource  the Kafka resource (topic, cluster or consumer group)
 * @return true only if the plugin explicitly allowed the request (or the resource is a
 *         consumer group)
 */
@Override
public boolean authorize(Session session, Operation operation, Resource resource) {
if (rangerPlugin == null) {
// Deny everything until the plugin has been initialized.
MiscUtil.logErrorMessageByInterval(logger, "Authorizer is still not initialized");
return false;
}
// TODO: If resource type is consumer group, then allow it by default
// NOTE(review): this is an authorization bypass for all consumer-group operations; no policy
// is consulted and no Ranger audit record is produced for them.
if (resource.resourceType().equals(Group$.MODULE$)) {
if (logger.isDebugEnabled()) {
logger.debug("If resource type is consumer group, then we allow it by default! Returning true");
}
return true;
}
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_KAFKAAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_KAFKAAUTH_REQUEST_LOG, "RangerKafkaAuthorizer.authorize(resource=" + resource + ")");
}
// A session without a principal yields a null user; groups are then looked up for null.
String userName = null;
if (session.principal() != null) {
userName = session.principal().getName();
}
java.util.Set<String> userGroups = MiscUtil.getGroupsForRequestUser(userName);
// NOTE(review): session.clientAddress() is dereferenced without a null check.
String ip = session.clientAddress().getHostAddress();
// skip leading slash
if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
ip = ip.substring(1);
}
Date eventTime = new Date();
String accessType = mapToRangerAccessType(operation);
boolean validationFailed = false;
String validationStr = "";
if (accessType == null) {
// Unknown operation: remembered as a validation failure so the request is denied below.
if (MiscUtil.logErrorMessageByInterval(logger, "Unsupported access type. operation=" + operation)) {
logger.fatal("Unsupported access type. session=" + session + ", operation=" + operation + ", resource=" + resource);
}
validationFailed = true;
validationStr += "Unsupported access type. operation=" + operation;
}
String action = accessType;
String clusterName = rangerPlugin.getClusterName();
RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
rangerRequest.setUser(userName);
rangerRequest.setUserGroups(userGroups);
rangerRequest.setClientIPAddress(ip);
rangerRequest.setAccessTime(eventTime);
RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
rangerRequest.setResource(rangerResource);
rangerRequest.setAccessType(accessType);
rangerRequest.setAction(action);
rangerRequest.setRequestData(resource.name());
rangerRequest.setClusterName(clusterName);
if (resource.resourceType().equals(Topic$.MODULE$)) {
rangerResource.setValue(KEY_TOPIC, resource.name());
} else if (resource.resourceType().equals(Cluster$.MODULE$)) {
// NOPMD
// CLUSTER should go as null
// rangerResource.setValue(KEY_CLUSTER, resource.name());
} else if (resource.resourceType().equals(Group$.MODULE$)) {
// Unreachable while the consumer-group early return above is in place.
rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name());
} else {
logger.fatal("Unsupported resourceType=" + resource.resourceType());
validationFailed = true;
}
boolean returnValue = false;
if (validationFailed) {
// Deny without consulting the plugin; the request is logged for diagnosis.
MiscUtil.logErrorMessageByInterval(logger, validationStr + ", request=" + rangerRequest);
} else {
try {
RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest);
if (result == null) {
logger.error("Ranger Plugin returned null. Returning false");
} else {
returnValue = result.getIsAllowed();
}
} catch (Throwable t) {
// Any plugin failure is logged and treated as a denial.
logger.error("Error while calling isAccessAllowed(). request=" + rangerRequest, t);
}
}
RangerPerfTracer.log(perf);
if (logger.isDebugEnabled()) {
logger.debug("rangerRequest=" + rangerRequest + ", return=" + returnValue);
}
return returnValue;
}
Use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache:
class RangerAuthorizer, method authorize.
/**
 * Asks the Ranger plugin whether {@code user} (with {@code userGroups}) may perform
 * {@code accessType} on the file {@code fileName}.
 *
 * The file name is exposed to the policy engine under the resource key "path", which must be
 * a resource name declared in the service definition JSON.
 *
 * @param fileName   path being accessed
 * @param accessType the Ranger access type requested
 * @param user       requesting user
 * @param userGroups groups of the requesting user
 * @return true only if the plugin returned a result that is allowed; a null result is a denial
 */
public boolean authorize(String fileName, String accessType, String user, Set<String> userGroups) {
    RangerAccessResourceImpl pathResource = new RangerAccessResourceImpl();
    // "path" is the resource name defined in the servicedef JSON
    pathResource.setValue("path", fileName);

    RangerAccessRequest accessRequest = new RangerAccessRequestImpl(pathResource, accessType, user, userGroups);
    RangerAccessResult decision = plugin.isAccessAllowed(accessRequest);

    // Fail closed: no result means no access.
    if (decision == null) {
        return false;
    }
    return decision.getIsAllowed();
}