Example 1 with PolicyRefresher
use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.
the class RangerBasePlugin method init.
public void init() {
cleanup();
RangerConfiguration configuration = RangerConfiguration.getInstance();
configuration.addResourcesForServiceType(serviceType);
configuration.initAudit(appId);
String propertyPrefix = "ranger.plugin." + serviceType;
long pollingIntervalMs = configuration.getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
String cacheDir = configuration.get(propertyPrefix + ".policy.cache.dir");
serviceName = configuration.get(propertyPrefix + ".service.name");
clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
useForwardedIPAddress = configuration.getBoolean(propertyPrefix + ".use.x-forwarded-for.ipaddress", false);
String trustedProxyAddressString = configuration.get(propertyPrefix + ".trusted.proxy.ipaddresses");
trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR);
if (trustedProxyAddresses != null) {
for (int i = 0; i < trustedProxyAddresses.length; i++) {
trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
}
}
if (LOG.isDebugEnabled()) {
LOG.debug(propertyPrefix + ".use.x-forwarded-for.ipaddress:" + useForwardedIPAddress);
LOG.debug(propertyPrefix + ".trusted.proxy.ipaddresses:[" + StringUtils.join(trustedProxyAddresses, ", ") + "]");
}
if (useForwardedIPAddress && StringUtils.isBlank(trustedProxyAddressString)) {
LOG.warn("Property " + propertyPrefix + ".use.x-forwarded-for.ipaddress" + " is set to true, and Property " + propertyPrefix + ".trusted.proxy.ipaddresses" + " is not set");
LOG.warn("Ranger plugin will trust RemoteIPAddress and treat first X-Forwarded-Address in the access-request as the clientIPAddress");
}
policyEngineOptions.configureForPlugin(configuration, propertyPrefix);
LOG.info(policyEngineOptions);
RangerAdminClient admin = createAdminClient(serviceName, appId, propertyPrefix);
refresher = new PolicyRefresher(this, serviceType, appId, serviceName, admin, pollingIntervalMs, cacheDir);
refresher.setDaemon(true);
refresher.startRefresher();
long policyReorderIntervalMs = configuration.getLong(propertyPrefix + ".policy.policyReorderInterval", 60 * 1000);
if (policyReorderIntervalMs >= 0 && policyReorderIntervalMs < 15 * 1000) {
policyReorderIntervalMs = 15 * 1000;
}
if (LOG.isDebugEnabled()) {
LOG.debug(propertyPrefix + ".policy.policyReorderInterval:" + policyReorderIntervalMs);
}
if (policyEngineOptions.disableTrieLookupPrefilter && policyReorderIntervalMs > 0) {
policyEngineRefreshTimer = new Timer("PolicyEngineRefreshTimer", true);
try {
policyEngineRefreshTimer.schedule(new PolicyEngineRefresher(this), policyReorderIntervalMs, policyReorderIntervalMs);
if (LOG.isDebugEnabled()) {
LOG.debug("Scheduled PolicyEngineRefresher to reorder policies based on number of evaluations in and every " + policyReorderIntervalMs + " milliseconds");
}
} catch (IllegalStateException exception) {
LOG.error("Error scheduling policyEngineRefresher:", exception);
LOG.error("*** PolicyEngine will NOT be reorderd based on number of evaluations every " + policyReorderIntervalMs + " milliseconds ***");
policyEngineRefreshTimer = null;
}
} else {
LOG.info("Policies will NOT be reordered based on number of evaluations");
}
}
Also used :
RangerAdminClient(org.apache.ranger.admin.client.RangerAdminClient)
PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher)
Timer(java.util.Timer)
RangerConfiguration(org.apache.ranger.authorization.hadoop.config.RangerConfiguration)
Example 2 with PolicyRefresher
use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.
the class RangerBasePlugin method cleanup.
public void cleanup() {
PolicyRefresher refresher = this.refresher;
RangerPolicyEngine policyEngine = this.policyEngine;
Timer policyEngineRefreshTimer = this.policyEngineRefreshTimer;
this.serviceName = null;
this.policyEngine = null;
this.refresher = null;
this.policyEngineRefreshTimer = null;
if (refresher != null) {
refresher.stopRefresher();
}
if (policyEngineRefreshTimer != null) {
policyEngineRefreshTimer.cancel();
}
if (policyEngine != null) {
policyEngine.cleanup();
}
}
Also used :
PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher)
Timer(java.util.Timer)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
Example 3 with PolicyRefresher
use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.
the class RangerBasePlugin method revokeAccess.
public void revokeAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.revokeAccess(" + request + ")");
}
PolicyRefresher refresher = this.refresher;
RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient();
boolean isSuccess = false;
try {
if (admin == null) {
throw new Exception("ranger-admin client is null");
}
admin.revokeAccess(request);
isSuccess = true;
} finally {
auditGrantRevoke(request, "revoke", isSuccess, resultProcessor);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.revokeAccess(" + request + ")");
}
}
Also used :
RangerAdminClient(org.apache.ranger.admin.client.RangerAdminClient)
PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher)
Example 4 with PolicyRefresher
use of org.apache.ranger.plugin.util.PolicyRefresher in project ranger by apache.
the class RangerBasePlugin method grantAccess.
public void grantAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.grantAccess(" + request + ")");
}
PolicyRefresher refresher = this.refresher;
RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient();
boolean isSuccess = false;
try {
if (admin == null) {
throw new Exception("ranger-admin client is null");
}
admin.grantAccess(request);
isSuccess = true;
} finally {
auditGrantRevoke(request, "grant", isSuccess, resultProcessor);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.grantAccess(" + request + ")");
}
}
Also used :
RangerAdminClient(org.apache.ranger.admin.client.RangerAdminClient)
PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher)
Aggregations
PolicyRefresher (org.apache.ranger.plugin.util.PolicyRefresher)4
RangerAdminClient (org.apache.ranger.admin.client.RangerAdminClient)3
Timer (java.util.Timer)2
RangerConfiguration (org.apache.ranger.authorization.hadoop.config.RangerConfiguration)1
RangerPolicyEngine (org.apache.ranger.plugin.policyengine.RangerPolicyEngine)1
