Example 6 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

the class RangerHiveAuthorizer method getRowFilterExpression (the method belongs to the authorizer that holds the hivePlugin field, not to RangerHivePlugin itself).

private String getRowFilterExpression(HiveAuthzContext context, String databaseName, String tableOrViewName) throws SemanticException {
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new SemanticException("user information not available");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
    }
    String ret = null;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    try {
        HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        String user = ugi.getShortUserName();
        Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
        // Row-filter policies are table-level and are always evaluated as a SELECT,
        // whatever statement triggered the rewrite.
        HiveObjectType objectType = HiveObjectType.TABLE;
        String clusterName = hivePlugin.getClusterName();
        RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName);
        RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
        RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
        // No matching row-filter policy leaves ret null and Hive reads the table unfiltered.
        // When a policy matches, the filter text is taken from the policy verbatim and is
        // later spliced into the query as a WHERE predicate.
        if (isRowFilterEnabled(result)) {
            ret = result.getFilterExpr();
        }
    } finally {
        // Flush the buffered audit events even if evaluation throws.
        auditHandler.flushAudit();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + ret);
    }
    return ret;
}
Also used : HiveAuthzSessionContext(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) SemanticException(org.apache.hadoop.hive.ql.parse.SemanticException)

Example 7 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

the class RangerHiveAuthorizer method addCellValueTransformerAndCheckIfTransformed (again the authorizer, which delegates to its hivePlugin field).

private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName, String tableOrViewName, String columnName, List<String> columnTransformers) throws SemanticException {
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    String clusterName = hivePlugin.getClusterName();
    if (ugi == null) {
        throw new SemanticException("user information not available");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + ")");
    }
    boolean ret = false;
    // Default transformer is the bare column name: an unmasked column is projected as-is.
    // Exactly one entry is appended to columnTransformers per call, so the caller's list
    // stays positionally aligned with the selected columns.
    String columnTransformer = columnName;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    try {
        HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        String user = ugi.getShortUserName();
        Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
        // Masking is evaluated per column, and, like row filtering, always as a SELECT.
        HiveObjectType objectType = HiveObjectType.COLUMN;
        RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
        RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
        RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
        ret = isDataMaskEnabled(result);
        if (ret) {
            String maskType = result.getMaskType();
            RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
            String transformer = null;
            if (maskTypeDef != null) {
                // Built-in mask types carry their Hive expression in the service definition,
                // with "{col}" as the placeholder for the column.
                transformer = maskTypeDef.getTransformer();
            }
            if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
                columnTransformer = "NULL";
            } else if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
                // CUSTOM masks take the expression from the policy itself; a custom policy
                // without an expression degrades to NULL rather than exposing the value.
                String maskedValue = result.getMaskedValue();
                if (maskedValue == null) {
                    columnTransformer = "NULL";
                } else {
                    columnTransformer = maskedValue.replace("{col}", columnName);
                }
            } else if (StringUtils.isNotEmpty(transformer)) {
                // Plain string substitution: the policy text is trusted and not re-validated here.
                columnTransformer = transformer.replace("{col}", columnName);
            }
            // Left disabled upstream: mask conditions are not applied to the transformer
            // (the block also still treats ret as the expression string).
            /*
            String maskCondition = result.getMaskCondition();

            if(StringUtils.isNotEmpty(maskCondition)) {
                ret = "if(" + maskCondition + ", " + ret + ", " + columnName + ")";
            }
            */
        }
    } finally {
        auditHandler.flushAudit();
    }
    columnTransformers.add(columnTransformer);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + "): " + ret);
    }
    return ret;
}
Also used : HiveAuthzSessionContext(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) RangerDataMaskTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) SemanticException(org.apache.hadoop.hive.ql.parse.SemanticException)
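The two Hive helpers above only produce raw strings: a WHERE predicate from getRowFilterExpression and one projection expression per column from addCellValueTransformerAndCheckIfTransformed. The added example below (written for this page, not Ranger or Hive code) follows the same branch order for the mask types and then composes the pieces into the subquery Hive substitutes for the table, which is what makes the one-entry-per-column, positionally aligned contract of columnTransformers matter. The mask-type constant values, the mask_hash transformer text, the column alias form, and the table, columns and policy outcomes are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Ranger or Hive code. Models how a row-filter predicate and
 * per-column mask outcomes are turned into the subquery that replaces a table.
 */
public class MaskedTableRewriteExample {

    // Assumed to mirror RangerPolicy.MASK_TYPE_NULL / MASK_TYPE_CUSTOM on the page.
    static final String MASK_TYPE_NULL = "MASK_NULL";
    static final String MASK_TYPE_CUSTOM = "CUSTOM";

    /** One column's policy outcome, standing in for the fields read off RangerAccessResult. */
    static final class MaskOutcome {
        final String maskType;     // result.getMaskType()
        final String transformer;  // result.getMaskTypeDef().getTransformer(), "{col}" placeholder
        final String maskedValue;  // result.getMaskedValue(), only meaningful for CUSTOM

        MaskOutcome(String maskType, String transformer, String maskedValue) {
            this.maskType = maskType;
            this.transformer = transformer;
            this.maskedValue = maskedValue;
        }
    }

    /** Same decision order as addCellValueTransformerAndCheckIfTransformed(). */
    static String columnTransformer(String columnName, MaskOutcome m) {
        if (m == null || m.maskType == null) {
            return columnName;                         // no mask policy: project as-is
        }
        if (MASK_TYPE_NULL.equalsIgnoreCase(m.maskType)) {
            return "NULL";
        }
        if (MASK_TYPE_CUSTOM.equalsIgnoreCase(m.maskType)) {
            // Policy-supplied expression, or NULL when the policy carries none.
            return m.maskedValue == null ? "NULL" : m.maskedValue.replace("{col}", columnName);
        }
        if (m.transformer != null && !m.transformer.isEmpty()) {
            return m.transformer.replace("{col}", columnName);
        }
        return columnName;
    }

    /** Builds the subquery that stands in for db.table for this user. */
    static String rewrite(String db, String table, List<String> columns,
                          List<MaskOutcome> outcomes, String rowFilter) {
        List<String> projections = new ArrayList<>();
        for (int i = 0; i < columns.size(); i++) {        // outcomes is index-aligned with columns
            String col = columns.get(i);
            String expr = columnTransformer(col, outcomes.get(i));
            // Alias the masked expression back to the column name so the outer query is unchanged.
            projections.add(expr.equals(col) ? col : expr + " AS " + col);
        }
        StringBuilder sql = new StringBuilder("SELECT ")
                .append(String.join(", ", projections))
                .append(" FROM ").append(db).append('.').append(table);
        if (rowFilter != null && !rowFilter.isEmpty()) {
            sql.append(" WHERE ").append(rowFilter);  // filter text is spliced in verbatim
        }
        return sql.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: four columns, one outcome each (null = no policy matched).
        List<String> columns = Arrays.asList("id", "email", "ssn", "notes");
        List<MaskOutcome> outcomes = Arrays.asList(
                (MaskOutcome) null,                                              // id: unmasked
                new MaskOutcome("MASK_HASH", "mask_hash({col})", null),          // built-in (text assumed)
                new MaskOutcome(MASK_TYPE_NULL, null, null),                     // ssn nulled out
                new MaskOutcome(MASK_TYPE_CUSTOM, null, "concat(substr({col}, 1, 1), '***')"));
        // Row filter as it would come back from getRowFilterExpression(); "owner" is a
        // column of the table that is not projected, which is allowed in the predicate.
        System.out.println(rewrite("sales", "customers", columns, outcomes, "owner = current_user()"));
    }
}
```

Two points the page's code does not spell out: the filter predicate and a CUSTOM masked value are policy text spliced into the query by plain string replacement of {col}, so whoever can edit those policies can run arbitrary expressions in the context of every querying user; and both helpers always build a SELECT request regardless of the statement being compiled.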

Example 8 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

the class RangerSqoopAuthorizer method checkPrivileges (RangerSqoopAccessRequest is the request type it builds; the debug messages name the enclosing class).

@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerSqoopAuthorizer.checkPrivileges( principal=" + principal + ", privileges=" + privileges + ")");
    }
    if (CollectionUtils.isEmpty(privileges)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() return because privileges is empty.");
        }
        return;
    }
    RangerSqoopPlugin plugin = sqoopPlugin;
    // If the plugin was never initialised this returns without checking anything,
    // i.e. it fails open; a fail-closed authorizer would throw here instead.
    if (plugin != null) {
        // Read the cluster name from the local copy, after the null check.
        String clusterName = plugin.getClusterName();
        for (MPrivilege privilege : privileges) {
            RangerSqoopAccessRequest request = new RangerSqoopAccessRequest(principal, privilege, clusterName, clientIPAddress);
            RangerAccessResult result = plugin.isAccessAllowed(request);
            // Every requested privilege must be allowed; the first deny aborts. A null result
            // (policy engine not ready) is treated as allowed, a second fail-open path.
            if (result != null && !result.getIsAllowed()) {
                throw new SqoopException(SecurityError.AUTH_0014, "principal=" + principal + " does not have privileges for : " + privilege);
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() success without exception.");
    }
}
Also used : MPrivilege(org.apache.sqoop.model.MPrivilege) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) SqoopException(org.apache.sqoop.common.SqoopException)

Example 9 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project druid by druid-io.

the class RangerAuthorizer (Druid's ranger-security extension) method authorize; RangerDruidAccessRequest is the request type it builds.

@Override
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
    if (authenticationResult == null) {
        throw new IAE("authenticationResult is null where it should never be.");
    }
    Set<String> userGroups = null;
    if (useUgi) {
        // Resolve groups on the Druid host through Hadoop's configured group mapping
        // (shell, LDAP, ...) for the identity the authenticator established.
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(authenticationResult.getIdentity());
        String[] groups = ugi != null ? ugi.getGroupNames() : null;
        if (groups != null && groups.length > 0) {
            userGroups = new HashSet<>(Arrays.asList(groups));
        }
    }
    RangerDruidResource rangerDruidResource = new RangerDruidResource(resource);
    RangerDruidAccessRequest request = new RangerDruidAccessRequest(rangerDruidResource, authenticationResult.getIdentity(), userGroups, action);
    RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
    if (log.isDebugEnabled()) {
        log.debug("==> authorize: %s, allowed: %s", request.toString(), result != null ? result.getIsAllowed() : null);
    }
    // Fail closed: a null result (no policies loaded) is a deny.
    if (result != null && result.getIsAllowed()) {
        return new Access(true);
    }
    return new Access(false);
}
Also used : Access(org.apache.druid.server.security.Access) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) IAE(org.apache.druid.java.util.common.IAE) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 10 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project nifi by apache.

the class RangerNiFiAuthorizer method authorize.

@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final Set<String> userGroups = request.getGroups();
    final String resourceIdentifier = request.getResource().getIdentifier();
    // The configured Ranger admin identity is allowed to list NiFi's resources without a
    // policy check, so that policies can be authored against them; every other request,
    // and every other resource for that identity, goes through the plugin below.
    if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity) && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
        return AuthorizationResult.approved();
    }
    final String clientIp;
    if (request.getUserContext() != null) {
        clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
    } else {
        clientIp = null;
    }
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(resource);
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setUserGroups(userGroups);
    // Access time and client IP feed time-bounded policies and IP-range policy conditions.
    rangerRequest.setAccessTime(new Date());
    if (!StringUtils.isBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }
    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest);
    // store the result for auditing purposes later if appropriate
    if (request.isAccessAttempt()) {
        synchronized (resultLookup) {
            resultLookup.put(request, result);
        }
    }
    if (result != null && result.getIsAllowed()) {
        // return approved
        return AuthorizationResult.approved();
    } else {
        // if result.getIsAllowed() is false (or the result is null), then we need to determine if it was because
        // no policy exists for the given resource, or if it was because a policy exists but not for the given user or action
        final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(resourceIdentifier, request.getAction());
        if (doesPolicyExist) {
            final String reason = result == null ? null : result.getReason();
            if (reason != null) {
                logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
            }
            // a policy does exist for the resource so we were really denied access here
            return AuthorizationResult.denied(request.getExplanationSupplier().get());
        } else {
            // a policy doesn't exist so return resource not found so NiFi can work back up the resource hierarchy
            // (the parent resource's policy, if any, then decides; NiFi ends in a deny if none matches)
            return AuthorizationResult.resourceNotFound();
        }
    }
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) Date(java.util.Date)
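Examples 8, 9 and 10 all turn a RangerAccessResult into a yes/no decision, but they differ on the failure paths: checkPrivileges skips every check when the plugin is null and treats a null result as allowed, while the Druid and NiFi authorizers treat a null result as a deny. The added example below (not code from Ranger, Sqoop, Druid or NiFi) is a fail-closed version of that decision on the generic RangerBasePlugin / RangerAccessRequestImpl API the NiFi authorizer uses, with a RangerDefaultAuditHandler passed in so each decision produces an audit record. The service type "nifi", the resource key "nifi-resource", and the user, group, resource and IP values in main are assumptions for the demo; the plugin reads its ranger-nifi-security.xml (assumed name) from the classpath during init().

```java
import java.util.Date;
import java.util.Set;

import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

/**
 * Added example, not code from any of the projects on this page: a fail-closed
 * authorization check on the generic Ranger plugin API, with auditing wired in.
 */
public class FailClosedRangerCheck {

    private final RangerBasePlugin plugin;
    private final String resourceKey;   // resource name from the service definition (assumed below)

    FailClosedRangerCheck(RangerBasePlugin plugin, String resourceKey) {
        this.plugin = plugin;
        this.resourceKey = resourceKey;
    }

    /** Decision plus the engine's reason, so callers can log it without re-evaluating. */
    static final class Decision {
        final boolean allowed;
        final String reason;

        Decision(boolean allowed, String reason) {
            this.allowed = allowed;
            this.reason = reason;
        }
    }

    Decision check(String user, Set<String> groups, String resourceId,
                   String accessType, String clientIp) {
        // Unlike checkPrivileges() above, a missing plugin is a deny, not a skipped check.
        if (plugin == null) {
            return new Decision(false, "ranger plugin not initialised");
        }

        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue(resourceKey, resourceId);

        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setResource(resource);
        request.setAccessType(accessType);
        request.setAction(accessType);
        request.setUser(user);
        request.setUserGroups(groups);
        request.setAccessTime(new Date());            // time-bounded policies need this
        request.setClusterName(plugin.getClusterName());
        if (clientIp != null && !clientIp.isEmpty()) {
            request.setClientIPAddress(clientIp);     // IP-range policy conditions need this
        }

        // Passing a result processor makes the plugin emit the audit event for this decision.
        RangerAccessResult result = plugin.isAccessAllowed(request, new RangerDefaultAuditHandler());

        // A null result means the engine could not evaluate (policies not loaded yet, service
        // disabled, ...): deny, as the Druid and NiFi authorizers above do.
        if (result == null) {
            return new Decision(false, "no decision from policy engine");
        }
        if (!result.getIsAllowed()) {
            return new Decision(false, result.getReason());
        }
        return new Decision(true, "allowed by policy " + result.getPolicyId());
    }

    public static void main(String[] args) {
        // Assumed service type / app id; init() loads policies from Ranger Admin or the local cache.
        RangerBasePlugin plugin = new RangerBasePlugin("nifi", "nifi");
        plugin.init();

        FailClosedRangerCheck check = new FailClosedRangerCheck(plugin, "nifi-resource");
        // Constructed request: with no policy for /flow the result is a deny.
        Decision d = check.check("alice", Set.of("analysts"), "/flow", "READ", "10.0.0.5");
        System.out.println(d.allowed + " (" + d.reason + ")");
    }
}
```

The NiFi authorizer's extra step, distinguishing "denied by a policy" from "no policy for this resource" so NiFi can walk up its resource hierarchy, relies on a doesPolicyExist helper in NiFi's own plugin subclass rather than on RangerAccessResult, which is why it is not reproduced here; when you add such a fallback, make sure the walk terminates in a deny rather than an approval when no ancestor has a policy either.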

Aggregations

Types appearing alongside RangerAccessResult across the indexed examples, with occurrence counts:

RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult): 20
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation): 6
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer): 6
RangerAccessRequest (org.apache.ranger.plugin.policyengine.RangerAccessRequest): 5
HiveAuthzSessionContext (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext): 4
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl): 4
RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl): 4
Principal (java.security.Principal): 2
Date (java.util.Date): 2
SemanticException (org.apache.hadoop.hive.ql.parse.SemanticException): 2
HivePrivilegeObject (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject): 2
AuthzAuditEvent (org.apache.ranger.audit.model.AuthzAuditEvent): 2
RangerBasePlugin (org.apache.ranger.plugin.service.RangerBasePlugin): 2
ArrayList (java.util.ArrayList): 1
HashSet (java.util.HashSet): 1
Subject (javax.security.auth.Subject): 1
IAE (org.apache.druid.java.util.common.IAE): 1
Access (org.apache.druid.server.security.Access): 1
FsAction (org.apache.hadoop.fs.permission.FsAction): 1
HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException): 1