
Example 61 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method preProcess.

/**
 * Prepares an access request for policy evaluation.
 *
 * <p>In order: calls {@code setResourceServiceDef(request)}, asks a
 * {@link RangerAccessRequestImpl} to extract its client IP address, hands the
 * request's context and user to
 * {@code RangerAccessRequestUtil.setCurrentUserInContext}, and then runs every
 * configured context enricher against the request.
 *
 * @param request the access request to prepare; dereferenced without a null check
 */
@Override
public void preProcess(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + request + ")");
    }

    setResourceServiceDef(request);

    // Client IP resolution is delegated to the request implementation, driven by the
    // engine's useForwardedIPAddress flag and trustedProxyAddresses list.
    // NOTE(review): forwarded-address headers are normally client-supplied; how they are
    // validated against trustedProxyAddresses lives in RangerAccessRequestImpl (not shown
    // here). Confirm the trusted-proxy list is populated wherever useForwardedIPAddress
    // is enabled, since the resolved address may feed IP-based conditions and audit.
    if (request instanceof RangerAccessRequestImpl) {
        final RangerAccessRequestImpl requestImpl = (RangerAccessRequestImpl) request;
        requestImpl.extractAndSetClientIPAddress(useForwardedIPAddress, trustedProxyAddresses);
    }

    RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());

    // Work on a local reference to the enricher list for the whole loop.
    final List<RangerContextEnricher> contextEnrichers = allContextEnrichers;
    if (contextEnrichers != null && !contextEnrichers.isEmpty()) {
        for (final RangerContextEnricher contextEnricher : contextEnrichers) {
            // The perf tag identifies the request by identity hash only, not by content.
            final RangerPerfTracer tracer = RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_REQUEST_LOG)
                    ? RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_REQUEST_LOG, "RangerContextEnricher.enrich(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ", enricherName=" + contextEnricher.getName() + ")")
                    : null;

            contextEnricher.enrich(request);

            RangerPerfTracer.log(tracer);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + request + ")");
    }
}
Also used : RangerContextEnricher(org.apache.ranger.plugin.contextenricher.RangerContextEnricher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 62 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyRepository method buildContextEnricher.

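/**
 * Instantiates and initializes the context enricher named by {@code enricherDef}.
 *
 * <p>The enricher class is loaded reflectively from the class name returned by
 * {@code enricherDef.getEnricher()}. Any failure to load or instantiate it is
 * logged and results in a {@code null} return rather than an exception.
 *
 * @param enricherDef the enricher definition; may be {@code null}
 * @return the initialized enricher, or {@code null} when no class name is
 *         configured or the class could not be loaded, type-checked or instantiated
 */
private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.buildContextEnricher(" + enricherDef + ")");
    }
    RangerContextEnricher ret = null;
    // Resolved before the perf tag is built so that a null enricherDef cannot cause a
    // NullPointerException when perf tracing is enabled.
    String name = enricherDef != null ? enricherDef.getName() : null;
    String clsName = enricherDef != null ? enricherDef.getEnricher() : null;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_INIT_LOG, "RangerContextEnricher.init(appId=" + appId + ",name=" + name + ")");
    }
    if (!StringUtils.isEmpty(clsName)) {
        try {
            // clsName comes from the service definition and Class.forName loads and
            // initializes whatever class it names. asSubclass rejects a class that is not
            // a RangerContextEnricher before any constructor runs; the resulting
            // ClassCastException is handled by the catch below like any other failure.
            // NOTE(review): static initializers of the named class still execute, so write
            // access to service definitions should be treated as equivalent to code
            // execution in this process. Confirm who is allowed to modify them.
            Class<? extends RangerContextEnricher> enricherClass = Class.forName(clsName).asSubclass(RangerContextEnricher.class);
            ret = enricherClass.newInstance();
        } catch (Exception excp) {
            LOG.error("failed to instantiate context enricher '" + clsName + "' for '" + name + "'", excp);
        }
    }
    if (ret != null) {
        ret.setEnricherDef(enricherDef);
        ret.setServiceName(componentServiceName);
        ret.setServiceDef(componentServiceDef);
        ret.setAppId(appId);
        ret.init();
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.buildContextEnricher(" + enricherDef + "): " + ret);
    }
    return ret;
}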
Also used : RangerContextEnricher(org.apache.ranger.plugin.contextenricher.RangerContextEnricher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 63 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyEvaluator method evaluate.

/**
 * Evaluates this policy against {@code request} and records the outcome in {@code result}.
 *
 * <p>Nothing is evaluated when either argument is {@code null}, or when the result
 * already has both its access decision and its audit decision determined. Otherwise
 * the request's resource is matched against this policy and, on a match, the audit
 * flag and/or the policy items are evaluated for whichever decision is still open.
 *
 * @param request the access request being authorized; may be {@code null}
 * @param result  the result to update in place; may be {@code null}
 */
@Override
public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
    // NOTE(review): the debug lines print request and result via their string form;
    // confirm that form carries nothing sensitive before enabling DEBUG in production.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
        // The tag identifies the request by identity hash only, which is also safe for a null request.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")");
    }
    if (request != null && result != null) {
        // Only do work while at least one of the two decisions is still open.
        if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
            RangerPolicyResourceMatcher.MatchType matchType;
            final boolean isMatched;
            if (RangerTagAccessRequest.class.isInstance(request)) {
                // Tag requests carry their own match type; resourceMatcher is not consulted.
                matchType = ((RangerTagAccessRequest) request).getMatchType();
                // A DESCENDANT match is evaluated as SELF when a specific access type is
                // requested with SELF_OR_DESCENDANTS scope; per the debug message below,
                // this is so that DENY policy items take effect.
                if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT && !request.isAccessTypeAny() && request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect.");
                    }
                    matchType = RangerPolicyResourceMatcher.MatchType.SELF;
                }
                isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
            } else {
                // Without a resource matcher the match type is NONE, which fails every branch below.
                matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
                if (request.isAccessTypeAny()) {
                    // "Any access" requests accept every match type except NONE.
                    isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                    isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                } else {
                    // Any other scope: the policy must match the resource itself or an ancestor.
                    isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                }
            }
            if (isMatched) {
                // Audit: this policy only ever turns auditing on, and records its own id when it does.
                if (!result.getIsAuditedDetermined()) {
                    if (isAuditEnabled()) {
                        result.setIsAudited(true);
                        result.setAuditPolicyId(getPolicy().getId());
                    }
                }
                // Access: policy items are evaluated only if hasMatchablePolicyItem accepts the request.
                if (!result.getIsAccessDetermined()) {
                    if (hasMatchablePolicyItem(request)) {
                        evaluatePolicyItems(request, matchType, result);
                    }
                }
            }
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
    }
}
Also used : RangerPolicyResourceMatcher(org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 64 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyEvaluator method isMatch.

/**
 * Reports whether this policy's resource matcher matches {@code resource}.
 *
 * <p>When perf tracing is enabled the trace tag embeds {@code resource.getAsString()}
 * and the string form of {@code evalContext}, so {@code resource} is dereferenced on
 * that path. NOTE(review): confirm the perf log is protected like other logs that
 * carry resource names and evaluation-context values.
 *
 * @param resource    the resource to test
 * @param evalContext the evaluation context passed through to the matcher
 * @return the matcher's verdict, or {@code false} when no resource matcher is set
 */
@Override
public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + ")");
    }

    final RangerPerfTracer tracer;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
        final String tag = "RangerPolicyEvaluator.isMatch(resource=" + resource.getAsString() + "," + evalContext + "," + perfTag + ")";
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, tag);
    } else {
        tracer = null;
    }

    // No matcher means no match.
    final boolean matched = resourceMatcher != null && resourceMatcher.isMatch(resource, evalContext);

    RangerPerfTracer.log(tracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + "): " + matched);
    }
    return matched;
}
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 65 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyEvaluator method isAccessAllowed.

/**
 * Decides whether this policy allows {@code user} the given access type.
 *
 * <p>Access is allowed only when {@code getDeterminingPolicyItem} returns an item
 * whose type is {@code POLICY_ITEM_TYPE_ALLOW}. A missing item, or an item of any
 * other type, yields {@code false}.
 *
 * @param user       the user requesting access
 * @param userGroups the groups the user belongs to
 * @param accessType the access type being requested
 * @return {@code true} only if the determining policy item is an ALLOW item
 */
protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
    }

    final RangerPerfTracer tracer;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
        // The tag identifies this evaluator by identity hash; it carries no user or group data.
        final String tag = "RangerPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + perfTag + ")";
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, tag);
    } else {
        tracer = null;
    }

    final RangerPolicyItemEvaluator determiningItem = this.getDeterminingPolicyItem(user, userGroups, accessType);
    // Default is "not allowed": only an explicit ALLOW item flips the answer.
    final boolean allowed = determiningItem != null
            && determiningItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW;

    RangerPerfTracer.log(tracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + allowed);
    }
    return allowed;
}
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
