Example 1 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

Class RangerPDPKnoxFilter, method doFilter:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    String sourceUrl = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
    String topologyName = getTopologyName(sourceUrl);
    String serviceName = getServiceName();
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG, "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
    }
    Subject subject = Subject.getSubject(AccessController.getContext());
    Principal primaryPrincipal = (Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
    String primaryUser = primaryPrincipal.getName();
    String impersonatedUser = null;
    Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
    if (impersonations != null && impersonations.length > 0) {
        impersonatedUser = ((Principal) impersonations[0]).getName();
    }
    String user = (impersonatedUser != null) ? impersonatedUser : primaryUser;
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user);
    }
    Object[] groupObjects = subject.getPrincipals(GroupPrincipal.class).toArray();
    Set<String> groups = new HashSet<String>();
    for (Object obj : groupObjects) {
        groups.add(((Principal) obj).getName());
    }
    String clientIp = request.getRemoteAddr();
    // guard the plugin reference here as well; the access check below already tolerates a null plugin
    String clusterName = (plugin != null) ? plugin.getClusterName() : null;
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user + ", groups: " + groups + ", clientIp: " + clientIp + ", clusterName: " + clusterName);
    }
    RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder().service(serviceName).topology(topologyName).user(user).groups(groups).clientIp(clientIp).clusterName(clusterName).build();
    boolean accessAllowed = false;
    if (plugin != null) {
        RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
        accessAllowed = result != null && result.getIsAllowed();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Access allowed: " + accessAllowed);
    }
    RangerPerfTracer.log(perf);
    if (accessAllowed) {
        chain.doFilter(request, response);
    } else {
        sendForbidden((HttpServletResponse) response);
    }
}
Also used: RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) Subject(javax.security.auth.Subject) GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) Principal(java.security.Principal) HashSet(java.util.HashSet)

Example 2 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

Class RangerAtlasAuthorizer, method checkAccess:

private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHandler auditHandler) {
    boolean ret = false;
    RangerBasePlugin plugin = atlasPlugin;
    if (plugin != null) {
        RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);
        ret = result != null && result.getIsAllowed();
    } else {
        LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
    }
    return ret;
}
Also used: RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) RangerBasePlugin(org.apache.ranger.plugin.service.RangerBasePlugin)

Example 3 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

Class RangerBasePlugin, method auditGrantRevoke:

private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
    if (request != null && resultProcessor != null) {
        RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
        accessRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
        accessRequest.setUser(request.getGrantor());
        accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
        accessRequest.setAction(action);
        accessRequest.setClientIPAddress(request.getClientIPAddress());
        accessRequest.setClientType(request.getClientType());
        accessRequest.setRequestData(request.getRequestData());
        accessRequest.setSessionId(request.getSessionId());
        accessRequest.setClusterName(request.getClusterName());
        // call isAccessAllowed() to determine if audit is enabled or not
        RangerAccessResult accessResult = isAccessAllowed(accessRequest, null);
        if (accessResult != null && accessResult.getIsAudited()) {
            accessRequest.setAccessType(action);
            accessResult.setIsAllowed(isSuccess);
            if (!isSuccess) {
                accessResult.setPolicyId(-1);
            }
            resultProcessor.processResult(accessResult);
        }
    }
}
Also used: RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)

Example 4 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

Class RangerKMSAccessRequest, method hasAccess:

public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , " + keyName + ")");
    }
    boolean ret = false;
    RangerKMSPlugin plugin = kmsPlugin;
    String rangerAccessType = getRangerAccessType(type);
    AccessControlList blacklist = blacklistedAcls.get(type);
    ret = (blacklist == null) || !blacklist.isUserInList(ugi);
    if (!ret) {
        LOG.debug("Operation " + rangerAccessType + " blocked in the blacklist for user " + ugi.getUserName());
    }
    // use the local plugin reference and guard it; kmsPlugin may be null when the plugin is not initialized
    String clusterName = (plugin != null) ? plugin.getClusterName() : null;
    if (plugin != null && ret) {
        RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp, clusterName);
        RangerAccessResult result = plugin.isAccessAllowed(request);
        ret = result == null ? false : result.getIsAllowed();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi + " , " + keyName + "): " + ret);
    }
    return ret;
}
Also used: AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)

Example 5 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

Class RangerHiveAuditHandler, method createAuditEvents:

List<AuthzAuditEvent> createAuditEvents(Collection<RangerAccessResult> results) {
    Map<Long, AuthzAuditEvent> auditEvents = new HashMap<Long, AuthzAuditEvent>();
    Iterator<RangerAccessResult> iterator = results.iterator();
    AuthzAuditEvent deniedAuditEvent = null;
    while (iterator.hasNext() && deniedAuditEvent == null) {
        RangerAccessResult result = iterator.next();
        if (result.getIsAudited()) {
            if (!result.getIsAllowed()) {
                deniedAuditEvent = createAuditEvent(result);
            } else {
                long policyId = result.getPolicyId();
                if (auditEvents.containsKey(policyId)) {
                    // add this result to existing event by updating column values
                    AuthzAuditEvent auditEvent = auditEvents.get(policyId);
                    RangerHiveAccessRequest request = (RangerHiveAccessRequest) result.getAccessRequest();
                    RangerHiveResource resource = (RangerHiveResource) request.getResource();
                    String resourcePath = auditEvent.getResourcePath() + "," + resource.getColumn();
                    auditEvent.setResourcePath(resourcePath);
                    Set<String> tags = getTags(request);
                    if (tags != null) {
                        auditEvent.getTags().addAll(tags);
                    }
                } else {
                    // new event as this approval was due to a different policy.
                    AuthzAuditEvent auditEvent = createAuditEvent(result);
                    if (auditEvent != null) {
                        auditEvents.put(policyId, auditEvent);
                    }
                }
            }
        }
    }
    List<AuthzAuditEvent> result;
    if (deniedAuditEvent == null) {
        result = new ArrayList<>(auditEvents.values());
    } else {
        result = Lists.newArrayList(deniedAuditEvent);
    }
    return result;
}
Also used: RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) AuthzAuditEvent(org.apache.ranger.audit.model.AuthzAuditEvent)

Aggregations

RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult) 20
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation) 6
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer) 6
RangerAccessRequest (org.apache.ranger.plugin.policyengine.RangerAccessRequest) 5
HiveAuthzSessionContext (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext) 4
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) 4
RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) 4
Principal (java.security.Principal) 2
Date (java.util.Date) 2
SemanticException (org.apache.hadoop.hive.ql.parse.SemanticException) 2
HivePrivilegeObject (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject) 2
AuthzAuditEvent (org.apache.ranger.audit.model.AuthzAuditEvent) 2
RangerBasePlugin (org.apache.ranger.plugin.service.RangerBasePlugin) 2
ArrayList (java.util.ArrayList) 1
HashSet (java.util.HashSet) 1
Subject (javax.security.auth.Subject) 1
IAE (org.apache.druid.java.util.common.IAE) 1
Access (org.apache.druid.server.security.Access) 1
FsAction (org.apache.hadoop.fs.permission.FsAction) 1
HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) 1