use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method preProcess.
/**
 * Prepares an access request for policy evaluation.
 *
 * <p>In order: attaches the resource's service definition, resolves the client IP address
 * (only for {@code RangerAccessRequestImpl} instances), records the requesting user in the
 * request context, and then runs every configured context enricher over the request.
 *
 * <p>NOTE(review): the client IP is derived from {@code useForwardedIPAddress} and
 * {@code trustedProxyAddresses}; presumably a proxy-supplied (forwarded) address is honoured
 * only when the proxy is in the trusted list. If any policy condition keys on client IP, that
 * list should contain only proxies the operator controls. Confirm against
 * {@code extractAndSetClientIPAddress}.
 *
 * @param request the access request to enrich; it is mutated in place
 */
@Override
public void preProcess(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + request + ")");
    }

    setResourceServiceDef(request);

    if (request instanceof RangerAccessRequestImpl) {
        RangerAccessRequestImpl requestImpl = (RangerAccessRequestImpl) request;
        requestImpl.extractAndSetClientIPAddress(useForwardedIPAddress, trustedProxyAddresses);
    }

    RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());

    // Take one reference to the enricher list so the whole loop works on the same list object.
    final List<RangerContextEnricher> contextEnrichers = allContextEnrichers;

    if (!CollectionUtils.isEmpty(contextEnrichers)) {
        for (RangerContextEnricher contextEnricher : contextEnrichers) {
            final RangerPerfTracer tracer;

            if (RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_REQUEST_LOG)) {
                // The tag carries only the request's identity hash and the enricher name,
                // not the request contents.
                tracer = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_REQUEST_LOG, "RangerContextEnricher.enrich(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ", enricherName=" + contextEnricher.getName() + ")");
            } else {
                tracer = null;
            }

            contextEnricher.enrich(request);

            // Not in a finally block: an exception from enrich() skips this trace entry.
            RangerPerfTracer.log(tracer);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + request + ")");
    }
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyRepository method buildContextEnricher.
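/**
 * Instantiates and initialises the context enricher described by a service-definition entry.
 *
 * <p>The implementation class is looked up by the name returned from
 * {@code enricherDef.getEnricher()} and created through its no-argument constructor. Failures
 * to load or instantiate the class are logged and result in a {@code null} return rather than
 * an exception.
 *
 * @param enricherDef the enricher definition; may be {@code null}, in which case nothing is built
 * @return the initialised enricher, or {@code null} when no class name is configured or the
 *         named class cannot be loaded, is not a {@code RangerContextEnricher}, or cannot be
 *         instantiated
 */
private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.buildContextEnricher(" + enricherDef + ")");
    }

    RangerContextEnricher ret = null;

    // Resolve both values through the null guard first, so that building the perf tag below
    // cannot dereference a null definition when perf tracing happens to be enabled.
    String name = enricherDef != null ? enricherDef.getName() : null;
    String clsName = enricherDef != null ? enricherDef.getEnricher() : null;

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_INIT_LOG, "RangerContextEnricher.init(appId=" + appId + ",name=" + name + ")");
    }

    if (!StringUtils.isEmpty(clsName)) {
        try {
            // NOTE(review): clsName is taken from the service definition and selects code that
            // runs inside this process, so write access to service definitions is equivalent
            // to choosing which classpath class gets loaded here. If service definitions can
            // be edited by less-trusted parties, consider an allow-list of enricher classes.
            //
            // asSubclass() rejects a class that is not a RangerContextEnricher before its
            // constructor runs. Class.forName() still runs the class's static initialisers.
            Class<? extends RangerContextEnricher> enricherClass = Class.forName(clsName).asSubclass(RangerContextEnricher.class);

            ret = enricherClass.newInstance();
        } catch (Exception excp) {
            LOG.error("failed to instantiate context enricher '" + clsName + "' for '" + name + "'", excp);
        }
    }

    if (ret != null) {
        ret.setEnricherDef(enricherDef);
        ret.setServiceName(componentServiceName);
        ret.setServiceDef(componentServiceDef);
        ret.setAppId(appId);
        ret.init();
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.buildContextEnricher(" + enricherDef + "): " + ret);
    }

    return ret;
}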
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyEvaluator method evaluate.
/**
 * Evaluates this policy against an access request and records the outcome in {@code result}.
 *
 * <p>Nothing is evaluated when either argument is {@code null}, or when the result already has
 * both its access decision and its audit decision determined. Otherwise the policy is first
 * checked for a resource match; only on a match are the audit flag and the policy items
 * considered.
 *
 * @param request the access request being authorised
 * @param result  the accumulated result; updated in place
 */
@Override
public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
        // The tag carries the request's identity hash and perfTag, not the request contents.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")");
    }
    if (request != null && result != null) {
        // Skip the policy entirely once earlier evaluation has settled both access and audit.
        if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
            RangerPolicyResourceMatcher.MatchType matchType;
            final boolean isMatched;
            if (RangerTagAccessRequest.class.isInstance(request)) {
                // Tag requests carry their own match type; resourceMatcher is not consulted.
                matchType = ((RangerTagAccessRequest) request).getMatchType();
                // For a specific access type with SELF_OR_DESCENDANTS scope, a DESCENDANT match
                // is treated as SELF so that DENY policy-items still apply (see the debug message).
                if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT && !request.isAccessTypeAny() && request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect.");
                    }
                    matchType = RangerPolicyResourceMatcher.MatchType.SELF;
                }
                isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
            } else {
                // With no resourceMatcher the match type is NONE, so the policy is skipped below.
                // NOTE(review): for a policy holding deny items, that means the deny is silently
                // not applied; confirm a missing matcher is reported elsewhere.
                matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
                if (request.isAccessTypeAny()) {
                    // "Any" access: every match type other than NONE counts.
                    isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                    isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                } else {
                    // Any other scope: the policy matches on the resource itself or on an ancestor.
                    isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                }
            }
            if (isMatched) {
                // Audit: this policy sets the audit flag only while it is still undecided,
                // and only if the policy has auditing enabled.
                if (!result.getIsAuditedDetermined()) {
                    if (isAuditEnabled()) {
                        result.setIsAudited(true);
                        result.setAuditPolicyId(getPolicy().getId());
                    }
                }
                // Access: policy items are evaluated only while the decision is still open and
                // hasMatchablePolicyItem() reports an item that could apply to this request.
                if (!result.getIsAccessDetermined()) {
                    if (hasMatchablePolicyItem(request)) {
                        evaluatePolicyItems(request, matchType, result);
                    }
                }
            }
        }
    }
    // Not in a finally block: an exception thrown during matching or item evaluation skips this trace entry.
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
    }
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyEvaluator method isMatch.
/**
 * Reports whether this policy's resource matcher accepts the given resource.
 *
 * <p>NOTE(review): with perf tracing enabled, the trace tag contains the resource string and
 * the full {@code evalContext} map, and the debug messages contain the same values. If the
 * evaluation context can hold sensitive request attributes, treat both logs accordingly.
 *
 * <p>NOTE(review): the perf tag calls {@code resource.getAsString()} without a null check,
 * although the debug messages tolerate a {@code null} resource. Confirm callers never pass
 * {@code null}.
 *
 * @param resource    the resource to test against this policy
 * @param evalContext the evaluation context handed to the matcher
 * @return {@code true} only if a resource matcher is configured and it reports a match
 */
@Override
public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + ")");
    }

    final RangerPerfTracer tracer;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isMatch(resource=" + resource.getAsString() + "," + evalContext + "," + perfTag + ")");
    } else {
        tracer = null;
    }

    // With no matcher configured, the policy matches nothing.
    final boolean matched = resourceMatcher != null && resourceMatcher.isMatch(resource, evalContext);

    RangerPerfTracer.log(tracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + "): " + matched);
    }

    return matched;
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyEvaluator method isAccessAllowed.
/**
 * Decides whether this policy allows the given user or groups the requested access type.
 *
 * <p>The answer is {@code true} only when a determining policy item exists and its type is
 * {@code POLICY_ITEM_TYPE_ALLOW}. When no item determines the outcome, or the determining
 * item is of any other type, the answer is {@code false}.
 *
 * @param user       the user name to check
 * @param userGroups the groups the user belongs to
 * @param accessType the access type being requested
 * @return {@code true} if the determining policy item is an allow item, otherwise {@code false}
 */
protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
    }

    // The perf tag identifies the evaluator by identity hash and perfTag only;
    // user and group names appear only in the debug messages.
    final RangerPerfTracer tracer = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)
            ? RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + perfTag + ")")
            : null;

    final RangerPolicyItemEvaluator decidingItem = this.getDeterminingPolicyItem(user, userGroups, accessType);

    // Default is "not allowed"; only an explicit ALLOW item flips it.
    final boolean allowed = decidingItem != null
            && decidingItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW;

    RangerPerfTracer.log(tracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + allowed);
    }

    return allowed;
}