Example 1 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPDPKnoxFilter method doFilter.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
String sourceUrl = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
String topologyName = getTopologyName(sourceUrl);
String serviceName = getServiceName();
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG, "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
}
Subject subject = Subject.getSubject(AccessController.getContext());
Principal primaryPrincipal = (Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
String primaryUser = primaryPrincipal.getName();
String impersonatedUser = null;
Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
if (impersonations != null && impersonations.length > 0) {
impersonatedUser = ((Principal) impersonations[0]).getName();
}
String user = (impersonatedUser != null) ? impersonatedUser : primaryUser;
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user);
}
Object[] groupObjects = subject.getPrincipals(GroupPrincipal.class).toArray();
Set<String> groups = new HashSet<String>();
for (Object obj : groupObjects) {
groups.add(((Principal) obj).getName());
}
String clientIp = request.getRemoteAddr();
String clusterName = plugin.getClusterName();
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user + ", groups: " + groups + ", clientIp: " + clientIp + ", clusterName: " + clusterName);
}
RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder().service(serviceName).topology(topologyName).user(user).groups(groups).clientIp(clientIp).clusterName(clusterName).build();
boolean accessAllowed = false;
if (plugin != null) {
RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
accessAllowed = result != null && result.getIsAllowed();
}
if (LOG.isDebugEnabled()) {
LOG.debug("Access allowed: " + accessAllowed);
}
RangerPerfTracer.log(perf);
if (accessAllowed) {
chain.doFilter(request, response);
} else {
sendForbidden((HttpServletResponse) response);
}
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult)
Subject(javax.security.auth.Subject)
GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal)
RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest)
GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal)
ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal)
Principal(java.security.Principal)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
HashSet(java.util.HashSet)
Example 2 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerAtlasAuthorizer method isAccessAllowed.
@Override
public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
if (LOG.isDebugEnabled()) {
LOG.debug("==> isAccessAllowed(" + request + ")");
}
final boolean ret;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
}
String action = request.getAction() != null ? request.getAction().getType() : null;
RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(Collections.singletonMap(RESOURCE_SERVICE, "*"));
RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
rangerRequest.setAction(action);
rangerRequest.setClusterName(getClusterName());
ret = checkAccess(rangerRequest);
} finally {
RangerPerfTracer.log(perf);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
}
return ret;
}
Also used :
RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
Example 3 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method isAccessAllowed.
/*
* This API is used by test-code
*/
@Override
public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
boolean ret = false;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
}
for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
if (ret) {
break;
}
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
return ret;
}
Also used :
RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
Example 4 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyEvaluator method init.
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
}
StringBuilder perfTagBuffer = new StringBuilder();
if (policy != null) {
perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
}
perfTag = perfTagBuffer.toString();
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + perfTag + ")");
}
super.init(policy, serviceDef, options);
preprocessPolicy(policy, serviceDef);
resourceMatcher = new RangerDefaultPolicyResourceMatcher();
resourceMatcher.setServiceDef(serviceDef);
resourceMatcher.setPolicy(policy);
resourceMatcher.setServiceDefHelper(options.getServiceDefHelper());
resourceMatcher.init();
if (policy != null) {
validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems());
rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, serviceDef, options, policy.getRowFilterPolicyItems());
} else {
validityScheduleEvaluators = Collections.<RangerValidityScheduleEvaluator>emptyList();
allowEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
allowExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
dataMaskEvaluators = Collections.<RangerDataMaskPolicyItemEvaluator>emptyList();
rowFilterEvaluators = Collections.<RangerRowFilterPolicyItemEvaluator>emptyList();
}
RangerPolicyItemEvaluator.EvalOrderComparator comparator = new RangerPolicyItemEvaluator.EvalOrderComparator();
Collections.sort(allowEvaluators, comparator);
Collections.sort(denyEvaluators, comparator);
Collections.sort(allowExceptionEvaluators, comparator);
Collections.sort(denyExceptionEvaluators, comparator);
/* dataMask, rowFilter policyItems must be evaulated in the order given in the policy; hence no sort
Collections.sort(dataMaskEvaluators);
Collections.sort(rowFilterEvaluators);
*/
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
}
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerDefaultPolicyResourceMatcher(org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher)
Example 5 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyItemEvaluator method isMatch.
@Override
public boolean isMatch(RangerAccessRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyItemEvaluator.isMatch(" + request + ")");
}
boolean ret = false;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_REQUEST_LOG, "RangerPolicyItemEvaluator.isMatch(resource=" + request.getResource().getAsString() + ")");
}
if (policyItem != null) {
if (matchUserGroupAndOwner(request)) {
if (request.isAccessTypeDelegatedAdmin()) {
// used only in grant/revoke scenario
if (policyItem.getDelegateAdmin()) {
ret = true;
}
} else if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) {
boolean isAccessTypeMatched = false;
if (request.isAccessTypeAny()) {
if (getPolicyItemType() == POLICY_ITEM_TYPE_DENY || getPolicyItemType() == POLICY_ITEM_TYPE_DENY_EXCEPTIONS) {
if (hasAllPerms) {
isAccessTypeMatched = true;
}
} else {
for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
if (access.getIsAllowed()) {
isAccessTypeMatched = true;
break;
}
}
}
} else {
for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
if (access.getIsAllowed() && StringUtils.equalsIgnoreCase(access.getType(), request.getAccessType())) {
isAccessTypeMatched = true;
break;
}
}
}
if (isAccessTypeMatched) {
if (matchCustomConditions(request)) {
ret = true;
}
}
}
}
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyItemEvaluator.isMatch(" + request + "): " + ret);
}
return ret;
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
Aggregations
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)75
WebApplicationException (javax.ws.rs.WebApplicationException)36
Path (javax.ws.rs.Path)33
Produces (javax.ws.rs.Produces)33
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)21
VXString (org.apache.ranger.view.VXString)18
GET (javax.ws.rs.GET)17
PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)16
RangerService (org.apache.ranger.plugin.model.RangerService)11
POST (javax.ws.rs.POST)10
ArrayList (java.util.ArrayList)9
XXServiceDef (org.apache.ranger.entity.XXServiceDef)9
RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)9
SearchFilter (org.apache.ranger.plugin.util.SearchFilter)9
JsonSyntaxException (com.google.gson.JsonSyntaxException)8
IOException (java.io.IOException)8
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)7
RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)7
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)6
XXService (org.apache.ranger.entity.XXService)5
