Example 56 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerHBasePlugin method authorizeAccess.

Filter authorizeAccess(String operation, Action action, final RegionCoprocessorEnvironment env, final Map<byte[], NavigableSet<byte[]>> familyMap) throws AccessDeniedException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> authorizeAccess");
    }
    RangerPerfTracer perf = null;
    try {
        perf = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.authorizeAccess(request=Operation[" + operation + "]");
        ColumnFamilyAccessResult accessResult = evaluateAccess(operation, action, env, familyMap);
        RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
        if (accessResult._everythingIsAccessible) {
            auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
            auditHandler.logAuthzAudits(accessResult._familyLevelAccessEvents);
            LOG.debug("authorizeAccess: exiting: No filter returned since all access was allowed");
            // no filter needed since we are good to go.
            return null;
        } else if (accessResult._somethingIsAccessible) {
            // NOTE: audit logging is split between logging here (in scope of preOp/preGet) and logging in the filter component for those that couldn't be determined
            auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
            LOG.debug("authorizeAccess: exiting: Filter returned since some access was allowed");
            return accessResult._filter;
        } else {
            // If we are here then it means nothing was accessible!  So let's log one denial (in our case, the last denial) and throw an exception
            auditHandler.logAuthzAudit(accessResult._accessDeniedEvent);
            LOG.debug("authorizeAccess: exiting: Throwing exception since nothing was accessible");
            throw new AccessDeniedException(accessResult._denialReason);
        }
    } finally {
        RangerPerfTracer.log(perf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== authorizeAccess");
        }
    }
}
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)

Example 57 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerHBasePlugin method requirePermission.

void requirePermission(final String operation, final Action action, final RegionCoprocessorEnvironment regionServerEnv, final Map<byte[], ? extends Collection<?>> familyMap) throws AccessDeniedException {
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_HBASEAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.requirePermission(request=Operation[" + operation + "]");
        }
        ColumnFamilyAccessResult accessResult = evaluateAccess(operation, action, regionServerEnv, familyMap);
        RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
        if (accessResult._everythingIsAccessible) {
            auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
            auditHandler.logAuthzAudits(accessResult._familyLevelAccessEvents);
            LOG.debug("requirePermission: exiting: all access was allowed");
            return;
        } else {
            auditHandler.logAuthzAudit(accessResult._accessDeniedEvent);
            LOG.debug("requirePermission: exiting: throwing exception as everything wasn't accessible");
            throw new AccessDeniedException(accessResult._denialReason);
        }
    } finally {
        RangerPerfTracer.log(perf);
    }
}
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)

Example 58 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method isAccessAllowed.

/*
 * This API is used by ranger-admin
 */
@Override
public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + ")");
    }
    boolean ret = false;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
    }
    for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
        ret = evaluator.isAccessAllowed(policy, user, userGroups, accessType);
        if (ret) {
            break;
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
    }
    return ret;
}
Also used : RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 59 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method reorderPolicyEvaluators.

@Override
public void reorderPolicyEvaluators() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> reorderEvaluators()");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REBALANCE_LOG, "RangerPolicyEngine.reorderEvaluators()");
    }
    if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
        for (Map.Entry<Long, RangerPolicyEvaluator> entry : policyEvaluatorsMap.entrySet()) {
            entry.getValue().setUsageCountImmutable();
        }
    }
    if (tagPolicyRepository != null) {
        tagPolicyRepository.reorderPolicyEvaluators();
    }
    if (policyRepository != null) {
        policyRepository.reorderPolicyEvaluators();
    }
    if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
        for (Map.Entry<Long, RangerPolicyEvaluator> entry : policyEvaluatorsMap.entrySet()) {
            entry.getValue().resetUsageCount();
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== reorderEvaluators()");
    }
}
Also used : RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) HashMap(java.util.HashMap) Map(java.util.Map)

Example 60 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method cleanup.

@Override
public void cleanup() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.cleanup()");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
    }
    preCleanup();
    if (CollectionUtils.isNotEmpty(allContextEnrichers)) {
        for (RangerContextEnricher contextEnricher : allContextEnrichers) {
            contextEnricher.cleanup();
        }
    }
    this.allContextEnrichers = null;
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.cleanup()");
    }
}
Also used : RangerContextEnricher(org.apache.ranger.plugin.contextenricher.RangerContextEnricher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
