
Example 71 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method isMatch.

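/**
 * Checks whether {@code policy} matches this matcher's resource hierarchy at the requested
 * {@code scope}.
 *
 * <p>Only policies of this matcher's {@code policyType} that carry at least one resource are
 * considered. The resource definitions of the hierarchy matching the policy's resource names are
 * walked in order. At each level the policy's values are tried one by one and the first value
 * whose match type is not {@code NONE} is accepted; the level then counts as matched and the next
 * level is tried. A level without values is skipped, which is only acceptable after a matched
 * level and only while no later level carries values again: a skipped first level, a level whose
 * values all fail, or values reappearing below a skipped level make the policy not match. Finally
 * the match type reached at the last matched level is checked against {@code scope}.
 *
 * @param policy      policy whose resources are matched; must not be {@code null}
 * @param scope       requested match scope that the resulting match type must satisfy
 * @param evalContext evaluation context forwarded to {@code getMatchType}
 * @return {@code true} if the policy's resources match at every populated level and the final
 *         match type satisfies {@code scope}; {@code false} otherwise
 */
@Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
    boolean ret = false;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        // Tag names this method; the earlier tag referred to an unrelated method, which made
        // perf logs attribute this matcher's time to the wrong call.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.isMatch()");
    }
    Map<String, RangerPolicyResource> resources = policy.getResources();
    if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resources)) {
        List<RangerResourceDef> hierarchy = getMatchingHierarchy(resources.keySet());
        if (CollectionUtils.isNotEmpty(hierarchy)) {
            MatchType matchType = MatchType.NONE;
            RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
            accessResource.setServiceDef(serviceDef);
            // Build up accessResource one resourceDef at a time. For each resourceDef the
            // policy's values are examined in order; the first value that matches in any way
            // is used for that level and the next resourceDef is processed. If none of the
            // values matches, the policy as a whole cannot match and evaluation stops.
            // Once every resourceDef has been processed with a match at each populated level,
            // the final matchType (for the entire policy) is checked against the requested
            // scope to produce the result.
            // Unit tests: TestDefaultPolicyResourceForPolicy.java, TestDefaultPolicyResourceMatcher.java,
            // test_defaultpolicyresourcematcher_for_hdfs_policy.json,
            // test_defaultpolicyresourcematcher_for_hive_policy.json and
            // test_defaultPolicyResourceMatcher.json
            boolean skipped = false;
            for (RangerResourceDef resourceDef : hierarchy) {
                String name = resourceDef.getName();
                RangerPolicyResource policyResource = resources.get(name);
                if (policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) {
                    ret = false;
                    matchType = MatchType.NONE;
                    if (!skipped) {
                        for (String value : policyResource.getValues()) {
                            accessResource.setValue(name, value);
                            matchType = getMatchType(accessResource, evalContext);
                            if (matchType != MatchType.NONE) {
                                // One value for this resourceDef matched; move on to the next level.
                                ret = true;
                                break;
                            }
                        }
                    } else {
                        // Values reappear below a level that had none: the policy cannot match.
                        break;
                    }
                } else {
                    // No values at this level; later levels must stay empty for the policy to match.
                    skipped = true;
                }
                if (!ret) {
                    // Nothing matched at this level (or the first level was empty); no point continuing.
                    break;
                }
            }
            ret = ret && isMatch(scope, matchType);
        }
    }
    RangerPerfTracer.log(perf);
    return ret;
}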

Example 72 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method isAccessAllowed.

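/**
 * Decides whether {@code user} (with {@code userGroups}) may perform {@code accessType} on
 * {@code resource}, consulting only access-type policies ({@code POLICY_TYPE_ACCESS}).
 *
 * <p>This entry point is used by ranger-admin. It returns as soon as one policy evaluator allows
 * the access; unlike {@code evaluatePolicies} it performs no usage-count update and no result
 * post-processing (audit).
 *
 * @param resource   resource being accessed; must not be {@code null}
 * @param user       requesting user
 * @param userGroups groups of the requesting user
 * @param accessType access being requested
 * @return {@code true} if any likely-matching access policy evaluator allows the request,
 *         {@code false} otherwise
 */
@Override
public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        // Fields of the tag are comma-separated; the earlier tag ran "accessType=...resource=" together.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + ",resource=" + resource.getAsString() + ")");
    }
    boolean ret = false;
    // First evaluator that allows wins. NOTE(review): only access-type evaluators are iterated;
    // whether deny items are honoured is up to RangerPolicyEvaluator.isAccessAllowed — confirm
    // before relying on this path for enforcement decisions.
    for (RangerPolicyEvaluator evaluator : policyRepository.getLikelyMatchPolicyEvaluators(resource, RangerPolicy.POLICY_TYPE_ACCESS)) {
        ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType);
        if (ret) {
            break;
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
    }
    return ret;
}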

Example 73 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method updatePolicyUsageCounts.

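/**
 * Bumps the usage counters of the policies that produced {@code accessResult}.
 *
 * <p>When access was determined, the deciding policy is credited: by 2 if it is also
 * audit-enabled (it is then recorded as the audit policy on the result), otherwise by 1. When
 * the audit decision came from a different policy, that policy is credited by 1; an audit policy
 * id of {@code -1} means "none", in which case {@code null} is handed to
 * {@code updateUsageCount}. If usage perf-tracing is enabled, a trace entry describing the
 * request is written unconditionally.
 *
 * @param accessRequest the request that was evaluated
 * @param accessResult  the evaluation result carrying policy ids and determination flags
 */
private void updatePolicyUsageCounts(RangerAccessRequest accessRequest, RangerAccessResult accessResult) {
    boolean auditCountUpdated = false;
    if (accessResult.getIsAccessDetermined()) {
        RangerPolicyEvaluator accessPolicy = getPolicyEvaluator(accessResult.getPolicyId());
        if (accessPolicy != null) {
            if (accessPolicy.getPolicy().getIsAuditEnabled()) {
                // One policy served both the access and the audit decision: count it for both.
                updateUsageCount(accessPolicy, 2);
                accessResult.setAuditPolicyId(accessResult.getPolicyId());
                auditCountUpdated = true;
            } else {
                updateUsageCount(accessPolicy, 1);
            }
        }
    }
    if (!auditCountUpdated && accessResult.getIsAuditedDetermined()) {
        long auditPolicyId = accessResult.getAuditPolicyId();
        RangerPolicyEvaluator auditPolicy = auditPolicyId == -1 ? null : getPolicyEvaluator(auditPolicyId);
        updateUsageCount(auditPolicy, 1);
    }
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_USAGE_LOG)) {
        // Read through the RangerAccessRequest interface rather than casting to
        // RangerAccessRequestImpl, so a different request implementation cannot turn
        // perf tracing into a ClassCastException.
        RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_USAGE_LOG, "RangerPolicyEngine.usage(accessingUser=" + accessRequest.getUser() + ",accessedResource=" + accessRequest.getResource().getAsString() + ",accessType=" + accessRequest.getAccessType() + ",evaluatedPoliciesCount=" + accessResult.getEvaluatedPoliciesCount() + ")");
        RangerPerfTracer.logAlways(perf);
    }
}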

Example 74 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerPolicyEngineImpl method evaluatePolicies.

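/**
 * Evaluates the policies of the given {@code policyType} against {@code request}, updates the
 * policy usage counters, and, when a {@code resultProcessor} is supplied, hands the result to it
 * (this is where the audit processing of the result takes place).
 *
 * @param request         access request to evaluate
 * @param policyType      type of the policies to evaluate
 * @param resultProcessor post-processor for the result, typically the audit handler; may be
 *                        {@code null}, in which case the result is returned unprocessed
 * @return the access result produced by {@code evaluatePoliciesNoAudit}
 */
@Override
public RangerAccessResult evaluatePolicies(RangerAccessRequest request, int policyType, RangerAccessResultProcessor resultProcessor) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + request + ", policyType=" + policyType + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        String requestHashCode = perfRequestTag(request, policyType);
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.evaluatePolicies(requestHashCode=" + requestHashCode + ")");
        // Ties the perf entry to the full request; emitted at INFO only while perf tracing is on.
        LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" + requestHashCode + ", " + request + ")");
    }
    RangerAccessResult ret = evaluatePoliciesNoAudit(request, policyType);
    updatePolicyUsageCounts(request, ret);
    if (resultProcessor != null) {
        RangerPerfTracer perfAuditTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
            // Same tag as the request trace so both entries can be correlated.
            perfAuditTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + perfRequestTag(request, policyType) + ")");
        }
        resultProcessor.processResult(ret);
        RangerPerfTracer.log(perfAuditTracer);
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.evaluatePolicies(" + request + ", policyType=" + policyType + "): " + ret);
    }
    return ret;
}

/**
 * Builds the tag that links the perf-trace entries of one request/policy-type evaluation:
 * the request's identity hash in hex, an underscore, and the policy type.
 *
 * @param request    request being evaluated
 * @param policyType policy type being evaluated
 * @return the tag, e.g. {@code 1b2c3d_0}
 */
private static String perfRequestTag(RangerAccessRequest request, int policyType) {
    return Integer.toHexString(System.identityHashCode(request)) + "_" + policyType;
}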

Example 75 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerStormAuthorizer method permit.

/**
 * Authorizes one incoming Thrift request against Ranger policies.
 *
 * <p>Operations listed in {@code noAuthzOperations} are permitted without a policy check.
 * Otherwise the caller's principal is resolved to a short user name and group list through
 * {@link UserGroupInformation}, an access request is built from user, groups, client address,
 * topology name and operation, and the Ranger plugin decides. The method fails closed: a plugin
 * that is not initialized, a request without a usable principal, a {@code null} plugin result,
 * or any exception thrown during evaluation leaves the request denied.
 *
 * <p>With DEBUG logging enabled every entry of {@code aTopologyConfigMap} is written to the
 * log. NOTE(review): confirm the topology configuration carries no credentials before running
 * this authorizer at DEBUG level outside of development.
 *
 * @param aRequestContext    context of the request (request id, remote address, principal)
 * @param aOperationName     name of the operation being invoked
 * @param aTopologyConfigMap configuration of the targeted topology; may be {@code null}
 * @return {@code true} if the request is authorized, {@code false} if it is rejected
 */
@Override
public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) {
    boolean allowed = false;
    boolean audited = false;
    String topologyName = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
        }
        if (aTopologyConfigMap == null) {
            topologyName = "";
        } else {
            topologyName = (String) aTopologyConfigMap.get(Config.TOPOLOGY_NAME);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op:   [" + aOperationName + "]," + "topology: [" + topologyName + "]");
            if (aTopologyConfigMap == null) {
                LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
            } else {
                for (Object configKey : aTopologyConfigMap.keySet()) {
                    Object configValue = aTopologyConfigMap.get(configKey);
                    LOG.debug("TOPOLOGY CONFIG MAP [" + configKey + "] => [" + configValue + "]");
                }
            }
        }
        if (noAuthzOperations.contains(aOperationName)) {
            // Operation is exempt from authorization.
            allowed = true;
        } else if (plugin == null) {
            // Plugin not ready: the request stays denied.
            LOG.info("Ranger plugin not initialized yet! Skipping authorization;  allowedFlag => [" + allowed + "], Audit Enabled:" + audited);
        } else {
            Principal principal = aRequestContext.principal();
            String shortUserName = null;
            String[] groupNames = null;
            if (principal != null) {
                String principalName = principal.getName();
                if (principalName != null) {
                    // Map the Kerberos/Thrift principal to the short Hadoop user name and its groups.
                    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(principalName);
                    shortUserName = ugi.getShortUserName();
                    groupNames = ugi.getGroupNames();
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("User found from principal [" + principal.getName() + "] => user:[" + shortUserName + "], groups:[" + StringUtil.toString(groupNames) + "]");
                    }
                }
            }
            if (shortUserName == null) {
                // No usable principal: the request stays denied.
                LOG.info("NULL User found from principal [" + principal + "]: Skipping authorization;  allowedFlag => [" + allowed + "], Audit Enabled:" + audited);
            } else {
                String clientIp = null;
                if (aRequestContext.remoteAddress() != null) {
                    clientIp = aRequestContext.remoteAddress().getHostAddress();
                }
                String clusterName = plugin.getClusterName();
                RangerAccessRequest accessRequest = plugin.buildAccessRequest(shortUserName, groupNames, clientIp, topologyName, aOperationName, clusterName);
                RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
                // A null result leaves both flags at their fail-closed defaults.
                if (result != null) {
                    allowed = result.getIsAllowed();
                    audited = result.getIsAudited();
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("User found from principal [" + shortUserName + "], groups [" + StringUtil.toString(groupNames) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + allowed + "], Audit Enabled:" + audited);
                }
            }
        }
    } catch (Throwable t) {
        // Any failure during evaluation is logged and the request remains denied.
        LOG.error("RangerStormAuthorizer found this exception", t);
    } finally {
        RangerPerfTracer.log(perf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op:   [" + aOperationName + "]," + "topology: [" + topologyName + "] => returns [" + allowed + "], Audit Enabled:" + audited);
        }
    }
    return allowed;
}
