use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method isMatch.
@Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
boolean ret = false;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()");
}
Map<String, RangerPolicyResource> resources = policy.getResources();
if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resources)) {
List<RangerResourceDef> hierarchy = getMatchingHierarchy(resources.keySet());
if (CollectionUtils.isNotEmpty(hierarchy)) {
MatchType matchType = MatchType.NONE;
RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
accessResource.setServiceDef(serviceDef);
// Build up accessResource resourceDef by resourceDef.
// For each resourceDef,
// examine policy-values one by one.
// The first value that is acceptable, that is,
// value matches in any way, is used for that resourceDef, and
// next resourceDef is processed.
// If none of the values matches, the policy as a whole definitely will not match,
// therefore, the match is failed
// After all resourceDefs are processed, and some match is achieved at every
// level, the final matchType (which is for the entire policy) is checked against
// requested scope to determine the match-result.
// Unit tests in TestDefaultPolicyResourceForPolicy.java, TestDefaultPolicyResourceMatcher.java
// test_defaultpolicyresourcematcher_for_hdfs_policy.json, and
// test_defaultpolicyresourcematcher_for_hive_policy.json, and
// test_defaultPolicyResourceMatcher.json
boolean skipped = false;
for (RangerResourceDef resourceDef : hierarchy) {
String name = resourceDef.getName();
RangerPolicyResource policyResource = resources.get(name);
if (policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) {
ret = false;
matchType = MatchType.NONE;
if (!skipped) {
for (String value : policyResource.getValues()) {
accessResource.setValue(name, value);
matchType = getMatchType(accessResource, evalContext);
if (matchType != MatchType.NONE) {
// One value for this resourceDef matched
ret = true;
break;
}
}
} else {
break;
}
} else {
skipped = true;
}
if (!ret) {
// None of the values specified for this resourceDef matched, no point in continuing with next resourceDef
break;
}
}
ret = ret && isMatch(scope, matchType);
}
}
RangerPerfTracer.log(perf);
return ret;
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method isAccessAllowed.
/*
* This API is used by ranger-admin
*/
@Override
public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + "resource=" + resource.getAsString() + ")");
}
boolean ret = false;
for (RangerPolicyEvaluator evaluator : policyRepository.getLikelyMatchPolicyEvaluators(resource, RangerPolicy.POLICY_TYPE_ACCESS)) {
ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType);
if (ret) {
break;
}
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
return ret;
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method updatePolicyUsageCounts.
private void updatePolicyUsageCounts(RangerAccessRequest accessRequest, RangerAccessResult accessResult) {
boolean auditCountUpdated = false;
if (accessResult.getIsAccessDetermined()) {
RangerPolicyEvaluator accessPolicy = getPolicyEvaluator(accessResult.getPolicyId());
if (accessPolicy != null) {
if (accessPolicy.getPolicy().getIsAuditEnabled()) {
updateUsageCount(accessPolicy, 2);
accessResult.setAuditPolicyId(accessResult.getPolicyId());
auditCountUpdated = true;
} else {
updateUsageCount(accessPolicy, 1);
}
}
}
if (!auditCountUpdated && accessResult.getIsAuditedDetermined()) {
long auditPolicyId = accessResult.getAuditPolicyId();
RangerPolicyEvaluator auditPolicy = auditPolicyId == -1 ? null : getPolicyEvaluator(auditPolicyId);
updateUsageCount(auditPolicy, 1);
}
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_USAGE_LOG)) {
RangerAccessRequestImpl rangerAccessRequest = (RangerAccessRequestImpl) accessRequest;
RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_USAGE_LOG, "RangerPolicyEngine.usage(accessingUser=" + rangerAccessRequest.getUser() + ",accessedResource=" + rangerAccessRequest.getResource().getAsString() + ",accessType=" + rangerAccessRequest.getAccessType() + ",evaluatedPoliciesCount=" + accessResult.getEvaluatedPoliciesCount() + ")");
RangerPerfTracer.logAlways(perf);
}
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerPolicyEngineImpl method evaluatePolicies.
@Override
public RangerAccessResult evaluatePolicies(RangerAccessRequest request, int policyType, RangerAccessResultProcessor resultProcessor) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + request + ", policyType=" + policyType + ")");
}
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
String requestHashCode = Integer.toHexString(System.identityHashCode(request)) + "_" + Integer.toString(policyType);
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.evaluatePolicies(requestHashCode=" + requestHashCode + ")");
LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" + requestHashCode + ", " + request + ")");
}
RangerAccessResult ret = evaluatePoliciesNoAudit(request, policyType);
updatePolicyUsageCounts(request, ret);
if (resultProcessor != null) {
RangerPerfTracer perfAuditTracer = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
String requestHashCode = Integer.toHexString(System.identityHashCode(request)) + "_" + Integer.toString(policyType);
perfAuditTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + requestHashCode + ")");
}
resultProcessor.processResult(ret);
RangerPerfTracer.log(perfAuditTracer);
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.evaluatePolicies(" + request + ", policyType=" + policyType + "): " + ret);
}
return ret;
}
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerStormAuthorizer method permit.
/**
* permit() method is invoked for each incoming Thrift request.
* @param aRequestContext request context includes info about
* @param aOperationName operation name
* @param aTopologyConfigMap configuration of targeted topology
* @return true if the request is authorized, false if reject
*/
@Override
public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) {
boolean accessAllowed = false;
boolean isAuditEnabled = false;
String topologyName = null;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
}
topologyName = (aTopologyConfigMap == null ? "" : (String) aTopologyConfigMap.get(Config.TOPOLOGY_NAME));
if (LOG.isDebugEnabled()) {
LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op: [" + aOperationName + "]," + "topology: [" + topologyName + "]");
if (aTopologyConfigMap != null) {
for (Object keyObj : aTopologyConfigMap.keySet()) {
Object valObj = aTopologyConfigMap.get(keyObj);
LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
}
} else {
LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
}
}
if (noAuthzOperations.contains(aOperationName)) {
accessAllowed = true;
} else if (plugin == null) {
LOG.info("Ranger plugin not initialized yet! Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
} else {
String userName = null;
String[] groups = null;
Principal user = aRequestContext.principal();
if (user != null) {
userName = user.getName();
if (userName != null) {
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
userName = ugi.getShortUserName();
groups = ugi.getGroupNames();
if (LOG.isDebugEnabled()) {
LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]");
}
}
}
if (userName != null) {
String clientIp = (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress());
String clusterName = plugin.getClusterName();
RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName, clusterName);
RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
accessAllowed = result != null && result.getIsAllowed();
isAuditEnabled = result != null && result.getIsAudited();
if (LOG.isDebugEnabled()) {
LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
}
} else {
LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
}
}
} catch (Throwable t) {
LOG.error("RangerStormAuthorizer found this exception", t);
} finally {
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op: [" + aOperationName + "]," + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
}
}
return accessAllowed;
}
Aggregations