
Example 1 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPDPKnoxFilter method doFilter.

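/**
 * Authorizes the current Knox request against Ranger and then either continues
 * the filter chain or answers with 403 via {@code sendForbidden}.
 *
 * <p>The effective user is the {@code ImpersonatedPrincipal} when the Subject
 * carries one, otherwise the {@code PrimaryPrincipal}; every
 * {@code GroupPrincipal} is passed to Ranger as a group. Whether impersonation
 * is legitimate is not decided here - the principal is taken as attached to the
 * Subject, presumably validated by Knox's identity-assertion stage upstream
 * (verify against the topology configuration).
 *
 * <p>The decision fails closed. Access is denied, rather than an exception
 * propagating out of the filter, when: there is no authenticated Subject on
 * the thread, the Subject has no {@code PrimaryPrincipal}, the Ranger plugin
 * has not been initialised, or the plugin returns no result. The previous
 * version dereferenced {@code subject} and {@code plugin} before checking them.
 *
 * @param request  the incoming request; the Knox source-URL attribute is used
 *                 to derive the topology name and the remote address is sent
 *                 to Ranger as the client IP
 * @param response written with a 403 when access is denied
 * @param chain    continued only when Ranger allows the access
 * @throws IOException      propagated from the downstream chain or {@code sendForbidden}
 * @throws ServletException propagated from the downstream chain
 */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    String sourceUrl = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
    String topologyName = getTopologyName(sourceUrl);
    String serviceName = getServiceName();
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG, "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
    }
    boolean accessAllowed = false;
    try {
        Subject subject = Subject.getSubject(AccessController.getContext());
        // A request that reaches this filter without an authenticated identity
        // must never be evaluated as some default user: deny it outright.
        String primaryUser = (subject == null) ? null : firstPrincipalName(subject, PrimaryPrincipal.class);
        if (primaryUser == null) {
            LOG.warn("RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + "): no authenticated Subject/PrimaryPrincipal on this thread; denying access");
        } else if (plugin == null) {
            // Plugin not initialised: there is no policy engine to ask, so deny
            // rather than NPE on plugin.getClusterName() below.
            LOG.warn("RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + "): Ranger plugin is not initialized; denying access");
        } else {
            String impersonatedUser = firstPrincipalName(subject, ImpersonatedPrincipal.class);
            // The impersonated identity, when present, is the one Ranger authorizes.
            String user = (impersonatedUser != null) ? impersonatedUser : primaryUser;
            Set<String> groups = new HashSet<String>();
            for (Principal group : subject.getPrincipals(GroupPrincipal.class)) {
                groups.add(group.getName());
            }
            String clientIp = request.getRemoteAddr();
            String clusterName = plugin.getClusterName();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user + ", groups: " + groups + ", clientIp: " + clientIp + ", clusterName: " + clusterName);
            }
            RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder().service(serviceName).topology(topologyName).user(user).groups(groups).clientIp(clientIp).clusterName(clusterName).build();
            RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
            // A null result is treated as a denial, not as "no opinion".
            accessAllowed = result != null && result.getIsAllowed();
        }
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Access allowed: " + accessAllowed);
    }
    if (accessAllowed) {
        chain.doFilter(request, response);
    } else {
        sendForbidden((HttpServletResponse) response);
    }
}

/**
 * Returns the name of the first principal of {@code type} attached to
 * {@code subject}, or {@code null} when the Subject carries none.
 *
 * @param subject the authenticated Subject (must not be {@code null})
 * @param type    the principal class to look up
 * @return the principal's name, or {@code null} if absent
 */
private static String firstPrincipalName(Subject subject, Class<? extends Principal> type) {
    for (Principal principal : subject.getPrincipals(type)) {
        return principal.getName();
    }
    return null;
}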

Example 2 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerAtlasAuthorizer method isAccessAllowed.

/**
 * Authorizes an Atlas admin-level request - one that is not tied to a specific
 * entity, type or classification - by asking Ranger about the wildcard
 * {@code RESOURCE_SERVICE} resource ("*") with the request's action type.
 *
 * <p>The user, groups, client IP and access time of the Atlas request are
 * copied onto the Ranger request; the cluster name comes from
 * {@code getClusterName()}. The perf tracer is always logged, even if
 * {@code checkAccess} throws.
 *
 * @param request the Atlas admin access request
 * @return whatever {@code checkAccess} answers for the translated request
 * @throws AtlasAuthorizationException as declared; propagated from
 *         {@code checkAccess} if it throws
 */
@Override
public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> isAccessAllowed(" + request + ")");
    }
    final boolean allowed;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
        }
        allowed = checkAccess(toRangerAdminRequest(request));
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== isAccessAllowed(" + request + "): " + allowed);
    }
    return allowed;
}

/**
 * Translates an Atlas admin request into a Ranger request on the wildcard
 * service resource. The action (if any) is used both as the access type and
 * as the request's action.
 *
 * @param request the Atlas admin access request
 * @return the equivalent Ranger access request
 */
private RangerAccessRequestImpl toRangerAdminRequest(AtlasAdminAccessRequest request) {
    String action = null;
    if (request.getAction() != null) {
        action = request.getAction().getType();
    }
    RangerAccessResourceImpl resource = new RangerAccessResourceImpl(Collections.singletonMap(RESOURCE_SERVICE, "*"));
    RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(resource, action, request.getUser(), request.getUserGroups());
    rangerRequest.setClientIPAddress(request.getClientIPAddress());
    rangerRequest.setAccessTime(request.getAccessTime());
    rangerRequest.setAction(action);
    rangerRequest.setClusterName(getClusterName());
    return rangerRequest;
}

Example 3 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method isAccessAllowed.

/**
 * Test-only convenience API: reports whether any policy evaluator in the
 * repository grants {@code accessType} on {@code resources} to {@code user}
 * or one of {@code userGroups}.
 *
 * <p>Evaluators are consulted in repository order and the scan stops at the
 * first one that answers {@code true}; evaluators after that one are never
 * consulted. This does not go through the request pipeline used for real
 * access decisions, so it must not be used as a production authorization
 * check.
 *
 * @param resources  the resource being accessed, keyed by resource-def name
 * @param user       the requesting user
 * @param userGroups the requesting user's groups
 * @param accessType the access type being requested
 * @return {@code true} if some evaluator allowed the access, else {@code false}
 */
@Override
public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
    }
    boolean granted = false;
    // First allow wins; there is no deny pass in this test-only path.
    for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
        if (evaluator.isAccessAllowed(resources, user, userGroups, accessType)) {
            granted = true;
            break;
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + granted);
    }
    return granted;
}

Example 4 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyEvaluator method init.

/**
 * Initialises this evaluator for {@code policy}: runs the superclass and
 * policy preprocessing, builds and initialises the resource matcher, and
 * creates the per-policy-item evaluators (allow, deny, allow-exceptions,
 * deny-exceptions, data-mask, row-filter) plus the validity-schedule
 * evaluators.
 *
 * <p>When {@code policy} is {@code null} every evaluator list is set to an
 * empty list. Allow/deny/exception lists are sorted by
 * {@code EvalOrderComparator}; data-mask and row-filter lists keep the order
 * given in the policy because they must be evaluated in that order.
 *
 * @param policy     the policy to evaluate, may be {@code null}
 * @param serviceDef the service definition the policy belongs to
 * @param options    engine options; {@code getServiceDefHelper()} is handed
 *                   to the resource matcher (assumed non-null, as before)
 */
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
    }
    // Tag used by perf tracing for this evaluator; empty when there is no policy.
    perfTag = (policy == null) ? "" : "policyId=" + policy.getId() + ", policyName=" + policy.getName();
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + perfTag + ")");
    }
    super.init(policy, serviceDef, options);
    preprocessPolicy(policy, serviceDef);
    resourceMatcher = new RangerDefaultPolicyResourceMatcher();
    resourceMatcher.setServiceDef(serviceDef);
    resourceMatcher.setPolicy(policy);
    resourceMatcher.setServiceDefHelper(options.getServiceDefHelper());
    resourceMatcher.init();
    if (policy == null) {
        validityScheduleEvaluators = Collections.emptyList();
        allowEvaluators = Collections.emptyList();
        denyEvaluators = Collections.emptyList();
        allowExceptionEvaluators = Collections.emptyList();
        denyExceptionEvaluators = Collections.emptyList();
        dataMaskEvaluators = Collections.emptyList();
        rowFilterEvaluators = Collections.emptyList();
    } else {
        validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
        allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
        denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
        allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
        denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
        dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems());
        rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, serviceDef, options, policy.getRowFilterPolicyItems());
    }
    RangerPolicyItemEvaluator.EvalOrderComparator byEvalOrder = new RangerPolicyItemEvaluator.EvalOrderComparator();
    Collections.sort(allowEvaluators, byEvalOrder);
    Collections.sort(denyEvaluators, byEvalOrder);
    Collections.sort(allowExceptionEvaluators, byEvalOrder);
    Collections.sort(denyExceptionEvaluators, byEvalOrder);
    // dataMask and rowFilter policy items are deliberately NOT sorted: they must
    // be evaluated in the order given in the policy.
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
    }
}

Example 5 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyItemEvaluator method isMatch.

/**
 * Reports whether this policy item applies to {@code request}.
 *
 * <p>The item matches when there is a policy item, its user/group/owner clause
 * matches the request, and then either:
 * <ul>
 *   <li>the request is a delegated-admin (grant/revoke) check and the item has
 *       {@code delegateAdmin} set, or</li>
 *   <li>the item has at least one access entry that covers the requested
 *       access type (see {@link #coversAccessType}) and the item's custom
 *       conditions match.</li>
 * </ul>
 *
 * @param request the access request being evaluated
 * @return {@code true} if this policy item matches the request
 */
@Override
public boolean isMatch(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyItemEvaluator.isMatch(" + request + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_REQUEST_LOG, "RangerPolicyItemEvaluator.isMatch(resource=" + request.getResource().getAsString() + ")");
    }
    boolean matched = false;
    if (policyItem != null && matchUserGroupAndOwner(request)) {
        if (request.isAccessTypeDelegatedAdmin()) {
            // grant/revoke path: only the item's delegateAdmin flag matters
            matched = policyItem.getDelegateAdmin();
        } else if (CollectionUtils.isNotEmpty(policyItem.getAccesses()) && coversAccessType(request)) {
            matched = matchCustomConditions(request);
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyItemEvaluator.isMatch(" + request + "): " + matched);
    }
    return matched;
}

/**
 * Decides whether this item's access list covers the request's access type.
 * Caller guarantees {@code policyItem} is non-null and has accesses.
 *
 * <p>For an "any" access type: a deny or deny-exception item covers it only
 * when the item carries all permissions ({@code hasAllPerms}); any other item
 * covers it if at least one access entry is allowed. For a concrete access
 * type: covered if some allowed entry has that type (case-insensitive).
 *
 * @param request the access request being evaluated
 * @return {@code true} if the requested access type is covered
 */
private boolean coversAccessType(RangerAccessRequest request) {
    if (request.isAccessTypeAny()) {
        int itemType = getPolicyItemType();
        if (itemType == POLICY_ITEM_TYPE_DENY || itemType == POLICY_ITEM_TYPE_DENY_EXCEPTIONS) {
            // a deny for "any" must be a deny of everything to apply
            return hasAllPerms;
        }
        for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
            if (access.getIsAllowed()) {
                return true;
            }
        }
        return false;
    }
    String requested = request.getAccessType();
    for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
        if (access.getIsAllowed() && StringUtils.equalsIgnoreCase(access.getType(), requested)) {
            return true;
        }
    }
    return false;
}
