
Example 1 with PolicyRefresher

use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.

the class RangerBasePlugin method init.

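/**
 * Initializes the plugin from the "ranger.plugin.&lt;serviceType&gt;" configuration properties.
 *
 * <p>Runs {@link #cleanup()} first, then loads the service name, cluster name and client-IP
 * (X-Forwarded-For) settings, starts the {@code PolicyRefresher}, and optionally schedules the
 * periodic policy reordering task.
 *
 * <p>Security note: when {@code use.x-forwarded-for.ipaddress} is true and
 * {@code trusted.proxy.ipaddresses} is blank, this method only logs a warning and continues.
 * Per that warning, the first forwarded address in the access request is then treated as the
 * client IP, so deployments that enable the option should also list their trusted proxies.
 */
public void init() {
    // Drop any state left by a previous init() so it is not started twice.
    cleanup();
    RangerConfiguration configuration = RangerConfiguration.getInstance();
    configuration.addResourcesForServiceType(serviceType);
    configuration.initAudit(appId);
    String propertyPrefix = "ranger.plugin." + serviceType;
    // Policy poll interval defaults to 30 seconds when the property is absent.
    long pollingIntervalMs = configuration.getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
    String cacheDir = configuration.get(propertyPrefix + ".policy.cache.dir");
    serviceName = configuration.get(propertyPrefix + ".service.name");
    clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
    // Forwarded-address handling is off unless explicitly enabled.
    useForwardedIPAddress = configuration.getBoolean(propertyPrefix + ".use.x-forwarded-for.ipaddress", false);
    String trustedProxyAddressString = configuration.get(propertyPrefix + ".trusted.proxy.ipaddresses");
    trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR);
    if (trustedProxyAddresses != null) {
        // Trim each entry so whitespace around separators does not end up in the stored value.
        // NOTE(review): an entry that is only whitespace trims to "" and stays in the array;
        // confirm the code that consumes trustedProxyAddresses ignores empty entries.
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(propertyPrefix + ".use.x-forwarded-for.ipaddress:" + useForwardedIPAddress);
        LOG.debug(propertyPrefix + ".trusted.proxy.ipaddresses:[" + StringUtils.join(trustedProxyAddresses, ", ") + "]");
    }
    if (useForwardedIPAddress && StringUtils.isBlank(trustedProxyAddressString)) {
        // Warn only: initialization continues with forwarded addresses honoured and no
        // trusted-proxy list, so the client IP used downstream comes from a request header.
        LOG.warn("Property " + propertyPrefix + ".use.x-forwarded-for.ipaddress" + " is set to true, and Property " + propertyPrefix + ".trusted.proxy.ipaddresses" + " is not set");
        LOG.warn("Ranger plugin will trust RemoteIPAddress and treat first X-Forwarded-Address in the access-request as the clientIPAddress");
    }
    policyEngineOptions.configureForPlugin(configuration, propertyPrefix);
    LOG.info(policyEngineOptions);
    RangerAdminClient admin = createAdminClient(serviceName, appId, propertyPrefix);
    refresher = new PolicyRefresher(this, serviceType, appId, serviceName, admin, pollingIntervalMs, cacheDir);
    // Marked as daemon before it is started.
    refresher.setDaemon(true);
    refresher.startRefresher();
    long policyReorderIntervalMs = configuration.getLong(propertyPrefix + ".policy.policyReorderInterval", 60 * 1000);
    // Non-negative intervals below 15 seconds are raised to 15 seconds. This includes 0, so
    // only a negative value keeps reordering off via the "> 0" check below.
    if (policyReorderIntervalMs >= 0 && policyReorderIntervalMs < 15 * 1000) {
        policyReorderIntervalMs = 15 * 1000;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(propertyPrefix + ".policy.policyReorderInterval:" + policyReorderIntervalMs);
    }
    // Reordering is scheduled only when the trie lookup prefilter is disabled.
    if (policyEngineOptions.disableTrieLookupPrefilter && policyReorderIntervalMs > 0) {
        // Second argument true: the timer thread runs as a daemon.
        policyEngineRefreshTimer = new Timer("PolicyEngineRefreshTimer", true);
        try {
            policyEngineRefreshTimer.schedule(new PolicyEngineRefresher(this), policyReorderIntervalMs, policyReorderIntervalMs);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Scheduled PolicyEngineRefresher to reorder policies based on number of evaluations in and every " + policyReorderIntervalMs + " milliseconds");
            }
        } catch (IllegalStateException exception) {
            LOG.error("Error scheduling policyEngineRefresher:", exception);
            LOG.error("*** PolicyEngine will NOT be reorderd based on number of evaluations every " + policyReorderIntervalMs + " milliseconds ***");
            // Cancel before dropping the reference so the timer's thread is released
            // explicitly instead of being left idle with nothing scheduled on it.
            policyEngineRefreshTimer.cancel();
            policyEngineRefreshTimer = null;
        }
    } else {
        LOG.info("Policies will NOT be reordered based on number of evaluations");
    }
}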
Also used : RangerAdminClient(org.apache.ranger.admin.client.RangerAdminClient) PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher) Timer(java.util.Timer) RangerConfiguration(org.apache.ranger.authorization.hadoop.config.RangerConfiguration)

Example 2 with PolicyRefresher

use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.

the class RangerBasePlugin method cleanup.

/**
 * Detaches the refresher, policy engine and reorder timer from this plugin and shuts each down.
 *
 * <p>The fields (and {@code serviceName}) are cleared before any component is stopped, so the
 * shutdown calls operate on local snapshots rather than on the fields themselves.
 *
 * <p>NOTE(review): after this call {@code policyEngine} is null; confirm that code evaluating
 * access requests in that state fails closed rather than allowing by default.
 */
public void cleanup() {
    // Snapshot the live components first.
    final PolicyRefresher previousRefresher = this.refresher;
    final RangerPolicyEngine previousEngine = this.policyEngine;
    final Timer previousTimer = this.policyEngineRefreshTimer;

    // Clear the plugin's references before stopping anything.
    this.serviceName = null;
    this.policyEngine = null;
    this.refresher = null;
    this.policyEngineRefreshTimer = null;

    // Shut down in a fixed order: refresher, then reorder timer, then engine.
    if (previousRefresher != null) {
        previousRefresher.stopRefresher();
    }

    if (previousTimer != null) {
        previousTimer.cancel();
    }

    if (previousEngine != null) {
        previousEngine.cleanup();
    }
}
Also used : PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher) Timer(java.util.Timer) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)

Example 3 with PolicyRefresher

use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.

the class RangerBasePlugin method revokeAccess.

/**
 * Forwards a revoke request to the ranger-admin client held by the current refresher.
 *
 * <p>{@code auditGrantRevoke} is called from a {@code finally} block with the outcome flag, so
 * it runs whether the revoke succeeded, the admin client was missing, or the client threw.
 *
 * @param request the revoke request passed to the admin client
 * @param resultProcessor passed through to {@code auditGrantRevoke}
 * @throws Exception if no admin client is available, or whatever {@code admin.revokeAccess}
 *     throws (it is not caught here)
 */
public void revokeAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
    // NOTE(review): the request is logged through its toString() at debug level; confirm that
    // does not expose more than the audit trail already records.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerBasePlugin.revokeAccess(" + request + ")");
    }

    // Read the field once so a concurrent cleanup() cannot null it between the check and use.
    final PolicyRefresher currentRefresher = this.refresher;
    RangerAdminClient adminClient = null;
    if (currentRefresher != null) {
        adminClient = currentRefresher.getRangerAdminClient();
    }

    boolean revoked = false;
    try {
        if (adminClient == null) {
            throw new Exception("ranger-admin client is null");
        }
        adminClient.revokeAccess(request);
        revoked = true;
    } finally {
        // Runs on both the success and the failure path.
        auditGrantRevoke(request, "revoke", revoked, resultProcessor);
    }

    // Reached only when the revoke completed without throwing.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerBasePlugin.revokeAccess(" + request + ")");
    }
}
Also used : RangerAdminClient(org.apache.ranger.admin.client.RangerAdminClient) PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher)

Example 4 with PolicyRefresher

use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.

the class RangerBasePlugin method grantAccess.

/**
 * Forwards a grant request to the ranger-admin client held by the current refresher.
 *
 * <p>{@code auditGrantRevoke} is called from a {@code finally} block with the outcome flag, so
 * it runs whether the grant succeeded, the admin client was missing, or the client threw.
 *
 * @param request the grant request passed to the admin client
 * @param resultProcessor passed through to {@code auditGrantRevoke}
 * @throws Exception if no admin client is available, or whatever {@code admin.grantAccess}
 *     throws (it is not caught here)
 */
public void grantAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
    // NOTE(review): the request is logged through its toString() at debug level; confirm that
    // does not expose more than the audit trail already records.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerBasePlugin.grantAccess(" + request + ")");
    }

    // Read the field once so a concurrent cleanup() cannot null it between the check and use.
    final PolicyRefresher currentRefresher = this.refresher;
    RangerAdminClient adminClient = null;
    if (currentRefresher != null) {
        adminClient = currentRefresher.getRangerAdminClient();
    }

    boolean granted = false;
    try {
        if (adminClient == null) {
            throw new Exception("ranger-admin client is null");
        }
        adminClient.grantAccess(request);
        granted = true;
    } finally {
        // Runs on both the success and the failure path.
        auditGrantRevoke(request, "grant", granted, resultProcessor);
    }

    // Reached only when the grant completed without throwing.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerBasePlugin.grantAccess(" + request + ")");
    }
}
Also used : RangerAdminClient(org.apache.ranger.admin.client.RangerAdminClient) PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher)

Aggregations

PolicyRefresher (org.apache.ranger.plugin.util.PolicyRefresher)4 RangerAdminClient (org.apache.ranger.admin.client.RangerAdminClient)3 Timer (java.util.Timer)2 RangerConfiguration (org.apache.ranger.authorization.hadoop.config.RangerConfiguration)1 RangerPolicyEngine (org.apache.ranger.plugin.policyengine.RangerPolicyEngine)1