use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerHBasePlugin method authorizeAccess.
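/**
 * Evaluates an HBase operation against Ranger policy, writes the audit events that can be decided
 * at this point, and tells the caller how to proceed.
 *
 * <p>Three outcomes follow from the flags on the {@code ColumnFamilyAccessResult}:
 * <ul>
 *   <li>everything accessible: allowed and family-level events are audited and {@code null} is
 *       returned, meaning no filter is needed;</li>
 *   <li>something accessible: allowed events are audited and the result's filter is returned;</li>
 *   <li>nothing accessible: one denial event is audited and the request is rejected.</li>
 * </ul>
 *
 * <p>In this method {@code null} is returned only on the allow-everything path, so callers must
 * read a {@code null} return as "unfiltered access granted" and never as a failure indicator.
 *
 * @param operation name of the operation being authorized (used in the perf-trace tag)
 * @param action    the HBase action being requested
 * @param env       coprocessor environment of the region handling the request
 * @param familyMap column families (and qualifiers) touched by the request
 * @return the filter to apply when only part of the request is accessible, or {@code null} when
 *         all of it is
 * @throws AccessDeniedException when nothing in the request is accessible
 */
Filter authorizeAccess(String operation, Action action, final RegionCoprocessorEnvironment env, final Map<byte[], NavigableSet<byte[]>> familyMap) throws AccessDeniedException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> authorizeAccess");
    }
    RangerPerfTracer perf = null;
    try {
        // Same guard as requirePermission: skip building the tag string on every request when
        // perf tracing is off.
        // NOTE(review): assumes getPerfTracer has no effect that is needed while tracing is
        // disabled - confirm against RangerPerfTracer.
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_HBASEAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.authorizeAccess(request=Operation[" + operation + "]");
        }
        ColumnFamilyAccessResult accessResult = evaluateAccess(operation, action, env, familyMap);
        RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
        if (accessResult._everythingIsAccessible) {
            auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
            auditHandler.logAuthzAudits(accessResult._familyLevelAccessEvents);
            LOG.debug("authorizeAccess: exiting: No filter returned since all access was allowed");
            // No filter needed: every requested family/column was allowed.
            return null;
        } else if (accessResult._somethingIsAccessible) {
            // NOTE: audit logging is split between logging here (in scope of preOp/preGet) and
            // logging in the filter component for the accesses that could not be determined here.
            auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
            LOG.debug("authorizeAccess: exiting: Filter returned since some access was allowed");
            return accessResult._filter;
        } else {
            // Nothing was accessible: audit a single denial (the last one recorded) and reject.
            auditHandler.logAuthzAudit(accessResult._accessDeniedEvent);
            LOG.debug("authorizeAccess: exiting: Throwing exception since nothing was accessible");
            throw new AccessDeniedException(accessResult._denialReason);
        }
    } finally {
        // Runs on every exit path, including the denial, so the trace covers rejected requests too.
        RangerPerfTracer.log(perf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== authorizeAccess");
        }
    }
}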
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerHBasePlugin method requirePermission.
/**
 * All-or-nothing authorization check: the request passes only when every part of it is accessible.
 *
 * <p>On success the allowed and family-level events are audited and the method returns normally.
 * Otherwise the recorded denial event is audited and the request is rejected; there is no
 * partial-access path here.
 *
 * @param operation       name of the operation being authorized (used in the perf-trace tag)
 * @param action          the HBase action being requested
 * @param regionServerEnv coprocessor environment of the region handling the request
 * @param familyMap       column families touched by the request
 * @throws AccessDeniedException when anything in the request is not accessible
 */
void requirePermission(final String operation, final Action action, final RegionCoprocessorEnvironment regionServerEnv, final Map<byte[], ? extends Collection<?>> familyMap) throws AccessDeniedException {
    RangerPerfTracer tracer = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_HBASEAUTH_REQUEST_LOG)) {
            final String tag = "RangerAuthorizationCoprocessor.requirePermission(request=Operation[" + operation + "]";
            tracer = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, tag);
        }

        final ColumnFamilyAccessResult decision = evaluateAccess(operation, action, regionServerEnv, familyMap);
        final RangerDefaultAuditHandler auditor = new RangerDefaultAuditHandler();

        // Deny first: anything short of full access is audited as a denial and rejected.
        if (!decision._everythingIsAccessible) {
            auditor.logAuthzAudit(decision._accessDeniedEvent);
            LOG.debug("requirePermission: exiting: throwing exception as everything wasn't accessible");
            throw new AccessDeniedException(decision._denialReason);
        }

        auditor.logAuthzAudits(decision._accessAllowedEvents);
        auditor.logAuthzAudits(decision._familyLevelAccessEvents);
        LOG.debug("requirePermission: exiting: all access was allowed");
    } finally {
        // Logged on both the allow and the deny path.
        RangerPerfTracer.log(tracer);
    }
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method isAccessAllowed.
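/**
 * Reports whether any evaluator in the policy repository allows {@code accessType} on
 * {@code policy} for the given user and groups. This API is used by ranger-admin.
 *
 * <p>The result starts as {@code false} and becomes {@code true} only when an evaluator says so,
 * so an empty evaluator list yields a denial.
 *
 * <p>When debug logging is enabled, the user name and group names are written to the log on entry
 * and exit.
 *
 * @param policy     the policy to check access against
 * @param user       name of the user requesting access
 * @param userGroups groups the user belongs to
 * @param accessType the access type being requested
 * @return {@code true} if at least one evaluator allows the access, {@code false} otherwise
 */
@Override
public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + ")");
    }
    boolean ret = false;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
    }
    try {
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            ret = evaluator.isAccessAllowed(policy, user, userGroups, accessType);
            if (ret) {
                // First allow wins; no need to consult the remaining evaluators.
                break;
            }
        }
    } finally {
        // Close the trace even when an evaluator throws, so a failed authorization check still
        // shows up in the perf log instead of vanishing from it.
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
    }
    return ret;
}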
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method reorderPolicyEvaluators.
/**
 * Reorders the evaluators held by the tag and resource policy repositories.
 *
 * <p>The sequence is: mark every evaluator's usage count immutable, ask each non-null repository
 * to reorder, then reset every evaluator's usage count.
 */
@Override
public void reorderPolicyEvaluators() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> reorderEvaluators()");
    }

    RangerPerfTracer tracer = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) {
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REBALANCE_LOG, "RangerPolicyEngine.reorderEvaluators()");
    }

    // Step 1: mark the usage counts immutable before the repositories reorder.
    if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
        for (RangerPolicyEvaluator evaluator : policyEvaluatorsMap.values()) {
            evaluator.setUsageCountImmutable();
        }
    }

    // Step 2: reorder, tag policies first, then resource policies.
    if (tagPolicyRepository != null) {
        tagPolicyRepository.reorderPolicyEvaluators();
    }
    if (policyRepository != null) {
        policyRepository.reorderPolicyEvaluators();
    }

    // Step 3: reset the usage counts once both repositories have reordered.
    if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
        for (RangerPolicyEvaluator evaluator : policyEvaluatorsMap.values()) {
            evaluator.resetUsageCount();
        }
    }

    RangerPerfTracer.log(tracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== reorderEvaluators()");
    }
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method cleanup.
/**
 * Releases what this engine holds: runs {@code preCleanup()}, calls {@code cleanup()} on every
 * context enricher, then drops the reference to the enricher collection.
 *
 * <p>The perf-trace tag carries this instance's identity hash code in hex.
 */
@Override
public void cleanup() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.cleanup()");
    }

    RangerPerfTracer tracer = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
        final String tag = "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")";
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, tag);
    }

    preCleanup();

    if (CollectionUtils.isNotEmpty(allContextEnrichers)) {
        for (RangerContextEnricher enricher : allContextEnrichers) {
            enricher.cleanup();
        }
    }
    // Drop the reference after the enrichers have been cleaned up.
    this.allContextEnrichers = null;

    RangerPerfTracer.log(tracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.cleanup()");
    }
}