Java Code Examples for org.apache.ranger.plugin.policyengine.RangerAccessRequest#getResource()
The following examples show how to use org.apache.ranger.plugin.policyengine.RangerAccessRequest#getResource().
Example 1
Source File: RangerSolrAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Decides whether an access result should be written to the audit log.
 *
 * <p>Auditing is skipped only when the request targets the collection named by
 * {@code RANGER_AUDIT_COLLECTION} and the requesting user is listed in {@code excludeUsers}.
 * Every other request is audited.
 *
 * @param result the evaluated access result whose request is inspected
 * @return {@code false} for an excluded user acting on the audit collection, {@code true} otherwise
 */
private boolean isAuditingNeeded(final RangerAccessResult result) {
    final RangerAccessRequest accessRequest = result.getAccessRequest();

    // NOTE(review): unchecked downcast with no null check. A null resource or another
    // RangerAccessResource implementation throws here rather than defaulting to "audit";
    // confirm that callers always supply a RangerAccessResourceImpl.
    final RangerAccessResourceImpl accessedResource = (RangerAccessResourceImpl) accessRequest.getResource();
    final String collection = (String) accessedResource.getValue(RangerSolrAuthorizer.KEY_COLLECTION);
    final String user = accessRequest.getUser();

    // The exemption is keyed on the user name alone, so the contents of excludeUsers
    // determine which accesses to the audit collection leave no audit record.
    final boolean exemptAuditAccess = collection != null
            && collection.equals(RANGER_AUDIT_COLLECTION)
            && excludeUsers.contains(user);

    return !exemptAuditAccess;
}
Example 2
Source File: RangerHdfsAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Records one access result on this handler's pending audit event.
 *
 * <p>The event is created from the first result seen (via {@code super.getAuthzEvents}) and
 * its fields are overwritten by every later result, so the event reflects the last result
 * processed. The audit-enabled flag is a latch: once any result reports
 * {@code getIsAudited()}, it stays {@code true}.
 *
 * @param result the access result to fold into the audit event
 */
@Override
public void processResult(RangerAccessResult result) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
    }

    if (!isAuditEnabled && result.getIsAudited()) {
        isAuditEnabled = true;
    }

    if (auditEvent == null) {
        auditEvent = super.getAuthzEvents(result);
    }

    // super.getAuthzEvents(result) may have produced no event; nothing is recorded then.
    if (auditEvent != null) {
        final RangerAccessRequest accessRequest = result.getAccessRequest();
        final RangerAccessResource accessedResource = accessRequest.getResource();
        final String evaluatedResource = (accessedResource == null) ? null : accessedResource.getAsString();

        // Overwrite fields in the original auditEvent.
        if (accessRequest.getAccessTime() != null) {
            auditEvent.setEventTime(accessRequest.getAccessTime());
        } else {
            auditEvent.setEventTime(new Date());
        }
        auditEvent.setAccessType(accessRequest.getAction());
        // The audited path is the handler's pathToBeValidated; the string form of the
        // resource that was actually evaluated is kept in the result-reason field.
        auditEvent.setResourcePath(this.pathToBeValidated);
        auditEvent.setResultReason(evaluatedResource);
        auditEvent.setAccessResult((short) (result.getIsAllowed() ? 1 : 0));
        auditEvent.setPolicyId(result.getPolicyId());
        auditEvent.setPolicyVersion(result.getPolicyVersion());

        final Set<String> requestTags = getTags(accessRequest);
        if (requestTags != null) {
            auditEvent.setTags(requestTags);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
    }
}
Example 3
Source File: RangerHiveAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds the audit event for an access result, choosing the access type recorded in the
 * event from the type of policy that produced the result.
 *
 * <ul>
 *   <li>Data-mask policy with masking enabled: the mask type is recorded.</li>
 *   <li>Row-filter policy: {@code ACCESS_TYPE_ROWFILTER} is recorded.</li>
 *   <li>Access policy: the Hive access type (or {@code ACTION_TYPE_METADATA_OPERATION} when
 *       that is the request action) is recorded, falling back to the request's access type.</li>
 * </ul>
 *
 * @param result the evaluated access result
 * @return the audit event, or {@code null} when the policy type matches none of the cases above
 *         (including a data-mask result whose mask is not enabled)
 */
AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
    final RangerAccessRequest accessRequest = result.getAccessRequest();
    final RangerAccessResource accessedResource = accessRequest.getResource();
    final String path = (accessedResource == null) ? null : accessedResource.getAsString();
    final int policyType = result.getPolicyType();

    if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) {
        return createAuditEvent(result, result.getMaskType(), path);
    }

    if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        return createAuditEvent(result, ACCESS_TYPE_ROWFILTER, path);
    }

    if (policyType != RangerPolicy.POLICY_TYPE_ACCESS) {
        // No audit event is produced for any other policy type.
        return null;
    }

    String recordedAccessType = null;

    if (accessRequest instanceof RangerHiveAccessRequest) {
        recordedAccessType = ((RangerHiveAccessRequest) accessRequest).getHiveAccessType().toString();

        // Metadata operations are audited under their action name instead of the Hive access type.
        if (ACTION_TYPE_METADATA_OPERATION.equals(accessRequest.getAction())) {
            recordedAccessType = ACTION_TYPE_METADATA_OPERATION;
        }
    }

    if (StringUtils.isEmpty(recordedAccessType)) {
        recordedAccessType = accessRequest.getAccessType();
    }

    return createAuditEvent(result, recordedAccessType, path);
}
Example 4
Source File: RangerKafkaAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Decides whether an access result should be written to the audit log.
 *
 * <p>The only result that is not audited is a denied request whose access type equals
 * {@code RangerKafkaAuthorizer.ACCESS_TYPE_CREATE} (case-insensitively) on a resource that
 * carries a {@code RangerKafkaAuthorizer.KEY_CLUSTER} value.
 *
 * @param result the evaluated access result
 * @return {@code false} for a denied create request on a cluster resource, {@code true} otherwise
 */
private boolean isAuditingNeeded(final RangerAccessResult result) {
    final boolean allowed = result.getIsAllowed();
    final RangerAccessRequest accessRequest = result.getAccessRequest();

    // NOTE(review): unchecked downcast with no null check. A null resource or another
    // RangerAccessResource implementation throws here rather than defaulting to "audit";
    // confirm that callers always supply a RangerAccessResourceImpl.
    final RangerAccessResourceImpl accessedResource = (RangerAccessResourceImpl) accessRequest.getResource();
    final String cluster = (String) accessedResource.getValue(RangerKafkaAuthorizer.KEY_CLUSTER);

    // NOTE(review): denied cluster-level create attempts leave no audit record. This looks
    // deliberate, but it is a visibility gap worth confirming against the audit requirements.
    final boolean deniedClusterCreate = cluster != null
            && accessRequest.getAccessType().equalsIgnoreCase(RangerKafkaAuthorizer.ACCESS_TYPE_CREATE)
            && !allowed;

    return !deniedClusterCreate;
}
Example 5
Source File: RangerOptimizedPolicyEvaluator.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Reports whether the requesting user is the owner of the accessed resource.
 *
 * <p>The check runs only when {@code hasResourceOwner} is set. A missing resource, a missing
 * owner or a missing user never matches, and the comparison is an exact, case-sensitive
 * {@code String.equals}.
 *
 * @param request the access request being evaluated
 * @return {@code true} only when both user and owner are present and equal
 */
private boolean isOwnerMatch(RangerAccessRequest request) {
    if (!hasResourceOwner) {
        return false;
    }

    final RangerAccessResource target = request.getResource();
    final String owner = (target == null) ? null : target.getOwnerUser();
    final String requestUser = request.getUser();

    return requestUser != null && owner != null && requestUser.equals(owner);
}
Example 6
Source File: RangerDefaultPolicyItemEvaluator.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Checks whether the request's user, groups, roles or resource ownership match this policy item.
 *
 * <p>The user's current roles are read from the request context only when the policy item
 * names at least one role; otherwise {@code null} is passed on as the role set. The decision
 * itself is delegated to the four-argument overload.
 *
 * @param request the access request being evaluated
 * @return the result of the delegated user/group/role/owner match
 */
private boolean matchUserGroupAndOwner(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + request + ")");
    }

    final String requestUser = request.getUser();
    final Set<String> requestGroups = request.getUserGroups();
    final RangerAccessResource target = request.getResource();
    final String owner = (target == null) ? null : target.getOwnerUser();

    // Roles are looked up lazily: skip the context read when the policy item has no roles.
    Set<String> currentRoles = null;
    if (CollectionUtils.isNotEmpty(policyItem.getRoles())) {
        currentRoles = RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext());
    }

    final boolean matched = matchUserGroupAndOwner(requestUser, requestGroups, currentRoles, owner);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + request + "): " + matched);
    }

    return matched;
}
Example 7
Source File: RangerDefaultRequestProcessor.java From ranger with Apache License 2.0 | 5 votes |
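/**
 * Fills in the service definition on the request's resource when it is missing.
 *
 * <p>The policy engine's service definition is applied only when the resource has none and
 * implements {@code RangerMutableResource}. A request without a resource is left untouched
 * instead of failing with a {@code NullPointerException}.
 *
 * @param request the access request whose resource may need a service definition
 */
private void setResourceServiceDef(RangerAccessRequest request) {
    RangerAccessResource resource = request.getResource();

    // Nothing to populate when the request carries no resource.
    if (resource == null) {
        return;
    }

    if (resource.getServiceDef() == null && resource instanceof RangerMutableResource) {
        RangerMutableResource mutable = (RangerMutableResource) resource;

        mutable.setServiceDef(policyEngine.getServiceDef());
    }
}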
Example 8
Source File: HbaseAuditHandlerImpl.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Resets the table key on an HBase resource before it is used for auditing.
 *
 * <p>Only a non-null request whose resource is a {@code RangerHBaseResource} is touched; the
 * resource is modified in place through {@code resetValue(RangerHBaseResource.KEY_TABLE)}.
 *
 * @param request the access request whose resource is reset; may be {@code null}
 */
private void resetResourceForAudit(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> HbaseAuditHandlerImpl.resetResourceForAudit(" + request + ")");
    }

    final boolean hasHBaseResource = request != null && request.getResource() instanceof RangerHBaseResource;

    if (hasHBaseResource) {
        // In-place mutation: the same resource object is changed for any other holder of the request.
        ((RangerHBaseResource) request.getResource()).resetValue(RangerHBaseResource.KEY_TABLE);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== HbaseAuditHandlerImpl.resetResourceForAudit(" + request + ")");
    }
}
Example 9
Source File: RangerHiveAuditHandler.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the audit event for an access result with an explicit access type and resource path,
 * then applies Hive-specific adjustments.
 *
 * <p>The adjustments run in order and later ones overwrite the access type set by earlier ones:
 * <ol>
 *   <li>{@code USE} on a database resource with a blank database name: tags are cleared.</li>
 *   <li>{@code REPLADMIN}: the access type becomes the REPL command parsed from the request data.</li>
 *   <li>{@code SERVICEADMIN}: the access type becomes the request data, or for
 *       {@code KILL_QUERY} the parsed admin command (falling back to the access-type name),
 *       with the query id stored as the event's request data.</li>
 *   <li>Role operation on a {@code GLOBAL} object: the access type becomes the request action.</li>
 * </ol>
 *
 * @param result       the evaluated access result
 * @param accessType   the access type to record before Hive-specific adjustments
 * @param resourcePath the resource path to record
 * @return the populated audit event
 */
AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
    final RangerAccessRequest accessRequest = result.getAccessRequest();
    final RangerAccessResource accessedResource = accessRequest.getResource();
    final String leafName = (accessedResource == null) ? null : accessedResource.getLeafName();

    // NOTE(review): the event returned by super.getAuthzEvents(result) is used without a
    // null check; confirm that it cannot be null on this path.
    final AuthzAuditEvent event = super.getAuthzEvents(result);

    event.setAccessType(accessType);
    event.setResourcePath(resourcePath);
    // Kept in the "@<leaf>" form to be consistent with earlier releases; a request without
    // a resource is therefore recorded as "@null".
    event.setResourceType("@" + leafName);

    final boolean isHiveRequest = accessRequest instanceof RangerHiveAccessRequest
            && accessedResource instanceof RangerHiveResource;
    if (!isHiveRequest) {
        return event;
    }

    final RangerHiveResource hiveResource = (RangerHiveResource) accessedResource;
    final HiveAccessType hiveAccessType = ((RangerHiveAccessRequest) accessRequest).getHiveAccessType();

    if (hiveAccessType == HiveAccessType.USE
            && hiveResource.getObjectType() == HiveObjectType.DATABASE
            && StringUtils.isBlank(hiveResource.getDatabase())) {
        // This should happen only for SHOWDATABASES.
        event.setTags(null);
    }

    if (hiveAccessType == HiveAccessType.REPLADMIN) {
        // For REPL commands the audit shows the actual REPL command instead of REPLADMIN.
        event.setAccessType(getReplCmd(accessRequest.getRequestData()));
    }

    if (hiveAccessType == HiveAccessType.SERVICEADMIN) {
        final String operation = accessRequest.getAction();
        // Outside KILL_QUERY the unparsed request data is recorded as the access type.
        String command = accessRequest.getRequestData();

        if (HiveOperationType.KILL_QUERY.name().equalsIgnoreCase(operation)) {
            final String queryId = getServiceAdminQueryId(command);
            if (!StringUtils.isEmpty(queryId)) {
                event.setRequestData(queryId);
            }

            command = getServiceAdminCmd(command);
            if (StringUtils.isEmpty(command)) {
                command = hiveAccessType.name();
            }
        }

        event.setAccessType(command);
    }

    final String requestAction = accessRequest.getAction();
    if (hiveResource.getObjectType() == HiveObjectType.GLOBAL && isRoleOperation(requestAction)) {
        event.setAccessType(requestAction);
    }

    return event;
}
Example 10
Source File: RangerDefaultRequestProcessor.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Prepares an access request for policy evaluation.
 *
 * <p>In order: ensures the resource has a service definition, fills in the client IP address
 * and cluster name/type on {@code RangerAccessRequestImpl} instances when they are unset,
 * publishes the current user, resource owner and user roles into the request context, and
 * finally runs the enrichers.
 *
 * @param request the access request to prepare; modified in place
 */
@Override
public void preProcess(RangerAccessRequest request) {
    setResourceServiceDef(request);

    if (request instanceof RangerAccessRequestImpl) {
        final RangerAccessRequestImpl mutableRequest = (RangerAccessRequestImpl) request;

        if (mutableRequest.getClientIPAddress() == null) {
            // The policy engine's forwarded-address flag and trusted-proxy list are passed
            // through here, so they determine which client address ends up on the request.
            mutableRequest.extractAndSetClientIPAddress(policyEngine.getUseForwardedIPAddress(), policyEngine.getTrustedProxyAddresses());
        }

        if (policyEngine.getPluginContext() != null) {
            if (mutableRequest.getClusterName() == null) {
                mutableRequest.setClusterName(policyEngine.getPluginContext().getClusterName());
            }

            if (mutableRequest.getClusterType() == null) {
                mutableRequest.setClusterType(policyEngine.getPluginContext().getClusterType());
            }
        }
    }

    RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());

    final String resourceOwner = (request.getResource() == null) ? null : request.getResource().getOwnerUser();
    if (StringUtils.isNotEmpty(resourceOwner)) {
        RangerAccessRequestUtil.setOwnerInContext(request.getContext(), resourceOwner);
    }

    Set<String> userRoles = request.getUserRoles();
    if (CollectionUtils.isEmpty(userRoles)) {
        // NOTE(review): getPluginContext() is null-checked above but dereferenced here without
        // a check. If it can be null, decide explicitly whether to fail the request or to
        // continue without roles; continuing would leave role-based policy items unmatched.
        userRoles = policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());
    }

    if (CollectionUtils.isNotEmpty(userRoles)) {
        RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), userRoles);
    }

    enrich(request);
}
Example 11
Source File: RangerTagEnricher.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Collects the tags whose service resources match the resource of an access request.
 *
 * <p>For an empty resource combined with "any" access, the precomputed tag set from the
 * tag store is returned. Otherwise each candidate matcher is evaluated: with "any" access or
 * a {@code SELF_OR_DESCENDANTS} matching scope every match type except {@code NONE} counts,
 * and in all other cases only {@code SELF} and {@code ANCESTOR} count.
 *
 * @param request   the access request being enriched
 * @param dataStore the tag store to use, or {@code null} to use this enricher's current store
 * @return the matching tags; may be {@code null} when nothing matched
 */
private Set<RangerTagForEval> findMatchingTags(final RangerAccessRequest request, EnrichedServiceTags dataStore) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerTagEnricher.findMatchingTags(" + request + ")");
    }

    // Read the store reference once and use that local throughout, to minimize the chance of
    // a race between the Tag-Refresher thread and the access-evaluation thread.
    final EnrichedServiceTags tagStore = (dataStore == null) ? this.enrichedServiceTags : dataStore;
    final RangerAccessResource resource = request.getResource();

    Set<RangerTagForEval> matchedTags = null;

    final boolean emptyResource = resource == null || resource.getKeys() == null || resource.getKeys().isEmpty();

    if (emptyResource && request.isAccessTypeAny()) {
        matchedTags = tagStore.getTagsForEmptyResourceAndAnyAccess();
    } else {
        final List<RangerServiceResourceMatcher> candidates = getEvaluators(resource, tagStore);

        if (CollectionUtils.isNotEmpty(candidates)) {
            for (RangerServiceResourceMatcher candidate : candidates) {
                final RangerPolicyResourceMatcher.MatchType matchType = candidate.getMatchType(resource, request.getContext());
                final boolean isMatched;

                if (request.isAccessTypeAny()
                        || request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                    isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                } else {
                    isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF
                            || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                }

                if (!isMatched) {
                    continue;
                }

                if (matchedTags == null) {
                    matchedTags = new HashSet<>();
                }
                matchedTags.addAll(getTagsForServiceResource(tagStore.getServiceTags(), candidate.getServiceResource(), matchType));
            }
        }
    }

    final boolean nothingFound = CollectionUtils.isEmpty(matchedTags);
    if (LOG.isDebugEnabled()) {
        if (nothingFound) {
            LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - No tags Found ");
        } else {
            LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - " + matchedTags.size() + " tags Found ");
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerTagEnricher.findMatchingTags(" + request + ")");
    }

    return matchedTags;
}