Search in sources :

Example 16 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class ServiceREST method secureGrantAccess.

@POST
@Path("/secure/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    boolean isAllowed = false;
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    bizUtil.blockAuditorRoleUser();
    if (grantRequest != null) {
        if (serviceUtil.isValidService(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(grantRequest);
                String userName = grantRequest.getGrantor();
                Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                XXService xService = daoManager.getXXService().findByName(serviceName);
                XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
                RangerService rangerService = svcStore.getServiceByName(serviceName);
                if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
                    if (isKeyAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                } else {
                    if (isAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                }
                if (isAllowed) {
                    RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                    if (policy != null) {
                        boolean policyUpdated = false;
                        policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
                        if (policyUpdated) {
                            svcStore.updatePolicy(policy);
                        } else {
                            LOG.error("processSecureGrantRequest processing failed");
                            throw new Exception("processSecureGrantRequest processing failed");
                        }
                    } else {
                        policy = new RangerPolicy();
                        policy.setService(serviceName);
                        // TODO: better policy name
                        policy.setName("grant-" + System.currentTimeMillis());
                        policy.setDescription("created by grant");
                        policy.setIsAuditEnabled(grantRequest.getEnableAudit());
                        policy.setCreatedBy(userName);
                        Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
                        Set<String> resourceNames = resource.getKeys();
                        if (!CollectionUtils.isEmpty(resourceNames)) {
                            for (String resourceName : resourceNames) {
                                RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
                                policyResource.setIsRecursive(grantRequest.getIsRecursive());
                                policyResources.put(resourceName, policyResource);
                            }
                        }
                        policy.setResources(policyResources);
                        RangerPolicyItem policyItem = new RangerPolicyItem();
                        policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
                        policyItem.getUsers().addAll(grantRequest.getUsers());
                        policyItem.getGroups().addAll(grantRequest.getGroups());
                        for (String accessType : grantRequest.getAccessTypes()) {
                            policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
                        }
                        policy.getPolicyItems().add(policyItem);
                        svcStore.createPolicy(policy);
                    }
                } else {
                    LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy");
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
                }
            } catch (WebApplicationException excp) {
                throw excp;
            } catch (Throwable excp) {
                LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) VXString(org.apache.ranger.view.VXString) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerService(org.apache.ranger.plugin.model.RangerService) XXService(org.apache.ranger.entity.XXService) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 17 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class RangerAtlasAuthorizer method isAccessAllowed.

@Override
public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> isAccessAllowed(" + request + ")");
    }
    boolean ret = false;
    RangerPerfTracer perf = null;
    RangerAtlasAuditHandler auditHandler = new RangerAtlasAuditHandler(request, getServiceDef());
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
        }
        final String action = request.getAction() != null ? request.getAction().getType() : null;
        final Set<String> entityTypes = request.getEntityTypeAndAllSuperTypes();
        final String entityId = request.getEntityId();
        final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null;
        RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
        rangerRequest.setAccessType(action);
        rangerRequest.setAction(action);
        rangerRequest.setUser(request.getUser());
        rangerRequest.setUserGroups(request.getUserGroups());
        rangerRequest.setClientIPAddress(request.getClientIPAddress());
        rangerRequest.setAccessTime(request.getAccessTime());
        rangerRequest.setClusterName(getClusterName());
        final Set<String> classificationsToAuthorize;
        if (classification != null) {
            if (request.getEntityClassifications() == null) {
                classificationsToAuthorize = Collections.singleton(classification);
            } else {
                classificationsToAuthorize = new HashSet<>(request.getEntityClassifications());
                classificationsToAuthorize.add(classification);
            }
        } else {
            classificationsToAuthorize = request.getEntityClassifications();
        }
        if (CollectionUtils.isNotEmpty(classificationsToAuthorize)) {
            // check authorization for each classification
            for (String classificationToAuthorize : classificationsToAuthorize) {
                RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
                rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
                rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
                rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
                rangerRequest.setResource(rangerResource);
                ret = checkAccess(rangerRequest, auditHandler);
                if (!ret) {
                    break;
                }
            }
        } else {
            // no classifications to authorize
            RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
            rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
            rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, Collections.<String>emptySet());
            rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
            rangerRequest.setResource(rangerResource);
            ret = checkAccess(rangerRequest, auditHandler);
        }
    } finally {
        auditHandler.flushAudit();
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
    }
    return ret;
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 18 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class RangerAtlasAuthorizer method isAccessAllowed.

@Override
public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> isAccessAllowed(" + request + ")");
    }
    final boolean ret;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
        }
        final String typeName = request.getTypeDef() != null ? request.getTypeDef().getName() : null;
        final String typeCategory = request.getTypeDef() != null && request.getTypeDef().getCategory() != null ? request.getTypeDef().getCategory().name() : null;
        final String action = request.getAction() != null ? request.getAction().getType() : null;
        RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
        rangerResource.setValue(RESOURCE_TYPE_NAME, typeName);
        rangerResource.setValue(RESOURCE_TYPE_CATEGORY, typeCategory);
        RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
        rangerRequest.setClientIPAddress(request.getClientIPAddress());
        rangerRequest.setAccessTime(request.getAccessTime());
        rangerRequest.setClusterName(getClusterName());
        rangerRequest.setAction(action);
        ret = checkAccess(rangerRequest);
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
    }
    return ret;
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 19 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class RangerKafkaAuthorizer method authorize.

@Override
public boolean authorize(Session session, Operation operation, Resource resource) {
    if (rangerPlugin == null) {
        MiscUtil.logErrorMessageByInterval(logger, "Authorizer is still not initialized");
        return false;
    }
    // TODO: If resource type is consumer group, then allow it by default
    if (resource.resourceType().equals(Group$.MODULE$)) {
        if (logger.isDebugEnabled()) {
            logger.debug("If resource type is consumer group, then we allow it by default!  Returning true");
        }
        return true;
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_KAFKAAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_KAFKAAUTH_REQUEST_LOG, "RangerKafkaAuthorizer.authorize(resource=" + resource + ")");
    }
    String userName = null;
    if (session.principal() != null) {
        userName = session.principal().getName();
    }
    java.util.Set<String> userGroups = MiscUtil.getGroupsForRequestUser(userName);
    String ip = session.clientAddress().getHostAddress();
    // skip leading slash
    if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
        ip = ip.substring(1);
    }
    Date eventTime = new Date();
    String accessType = mapToRangerAccessType(operation);
    boolean validationFailed = false;
    String validationStr = "";
    if (accessType == null) {
        if (MiscUtil.logErrorMessageByInterval(logger, "Unsupported access type. operation=" + operation)) {
            logger.fatal("Unsupported access type. session=" + session + ", operation=" + operation + ", resource=" + resource);
        }
        validationFailed = true;
        validationStr += "Unsupported access type. operation=" + operation;
    }
    String action = accessType;
    String clusterName = rangerPlugin.getClusterName();
    RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setUser(userName);
    rangerRequest.setUserGroups(userGroups);
    rangerRequest.setClientIPAddress(ip);
    rangerRequest.setAccessTime(eventTime);
    RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerRequest.setResource(rangerResource);
    rangerRequest.setAccessType(accessType);
    rangerRequest.setAction(action);
    rangerRequest.setRequestData(resource.name());
    rangerRequest.setClusterName(clusterName);
    if (resource.resourceType().equals(Topic$.MODULE$)) {
        rangerResource.setValue(KEY_TOPIC, resource.name());
    } else if (resource.resourceType().equals(Cluster$.MODULE$)) {
    // NOPMD
    // CLUSTER should go as null
    // rangerResource.setValue(KEY_CLUSTER, resource.name());
    } else if (resource.resourceType().equals(Group$.MODULE$)) {
        rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name());
    } else {
        logger.fatal("Unsupported resourceType=" + resource.resourceType());
        validationFailed = true;
    }
    boolean returnValue = false;
    if (validationFailed) {
        MiscUtil.logErrorMessageByInterval(logger, validationStr + ", request=" + rangerRequest);
    } else {
        try {
            RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest);
            if (result == null) {
                logger.error("Ranger Plugin returned null. Returning false");
            } else {
                returnValue = result.getIsAllowed();
            }
        } catch (Throwable t) {
            logger.error("Error while calling isAccessAllowed(). request=" + rangerRequest, t);
        }
    }
    RangerPerfTracer.log(perf);
    if (logger.isDebugEnabled()) {
        logger.debug("rangerRequest=" + rangerRequest + ", return=" + returnValue);
    }
    return returnValue;
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) Date(java.util.Date)

Example 20 with RangerAccessResourceImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

the class RangerAuthorizer method authorize.

public boolean authorize(String fileName, String accessType, String user, Set<String> userGroups) {
    RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    // "path" must be a value resource name in servicedef JSON
    resource.setValue("path", fileName);
    RangerAccessRequest request = new RangerAccessRequestImpl(resource, accessType, user, userGroups);
    RangerAccessResult result = plugin.isAccessAllowed(request);
    return result != null && result.getIsAllowed();
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)

Aggregations

RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)22 RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)16 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)9 HashMap (java.util.HashMap)8 JsonSyntaxException (com.google.gson.JsonSyntaxException)5 IOException (java.io.IOException)5 Path (javax.ws.rs.Path)5 Produces (javax.ws.rs.Produces)5 WebApplicationException (javax.ws.rs.WebApplicationException)5 AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)5 AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult)5 RequestAction (org.apache.nifi.authorization.RequestAction)5 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)5 VXString (org.apache.ranger.view.VXString)5 POST (javax.ws.rs.POST)4 RESTResponse (org.apache.ranger.admin.client.datatype.RESTResponse)4 RangerAccessResource (org.apache.ranger.plugin.policyengine.RangerAccessResource)4 RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult)4 Test (org.junit.Test)4 LinkedHashMap (java.util.LinkedHashMap)3