Java Code Examples for org.apache.ranger.audit.model.AuthzAuditEvent#setResourceType()

The following examples show how to use org.apache.ranger.audit.model.AuthzAuditEvent#setResourceType() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: RangerAuthorizer.java    From nifi-registry with Apache License 2.0 6 votes vote down vote up
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult rangerResult;
    synchronized (resultLookup) {
        rangerResult = resultLookup.remove(request);
    }

    if (rangerResult != null && rangerResult.getIsAudited()) {
        AuthzAuditEvent event = defaultAuditHandler.getAuthzEvents(rangerResult);

        // update the event with the originally requested resource
        event.setResourceType(RANGER_NIFI_REG_RESOURCE_NAME);
        event.setResourcePath(request.getRequestedResource().getIdentifier());

        defaultAuditHandler.logAuthzAudit(event);
    }
}
 
Example 2
Source File: RangerHiveAuditHandler.java    From ranger with Apache License 2.0 6 votes vote down vote up
public void logAuditEventForDfs(String userName, String dfsCommand, boolean accessGranted, int repositoryType, String repositoryName) {
AuthzAuditEvent auditEvent = new AuthzAuditEvent();

auditEvent.setAclEnforcer(moduleName);
auditEvent.setResourceType("@dfs"); // to be consistent with earlier release
auditEvent.setAccessType("DFS");
auditEvent.setAction("DFS");
auditEvent.setUser(userName);
auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
auditEvent.setEventTime(new Date());
auditEvent.setRepositoryType(repositoryType);
auditEvent.setRepositoryName(repositoryName);
auditEvent.setRequestData(dfsCommand);

auditEvent.setResourcePath(dfsCommand);

if(LOG.isDebugEnabled()){
	LOG.debug("Logging DFS event " + auditEvent.toString());
}

addAuthzAuditEvent(auditEvent);
  }
 
Example 3
Source File: RangerNiFiAuthorizer.java    From nifi with Apache License 2.0 6 votes vote down vote up
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult rangerResult;
    synchronized (resultLookup) {
        rangerResult = resultLookup.remove(request);
    }

    if (rangerResult != null && rangerResult.getIsAudited()) {
        AuthzAuditEvent event = defaultAuditHandler.getAuthzEvents(rangerResult);

        // update the event with the originally requested resource
        event.setResourceType(RANGER_NIFI_RESOURCE_NAME);
        event.setResourcePath(request.getRequestedResource().getIdentifier());

        defaultAuditHandler.logAuthzAudit(event);
    }
}
 
Example 4
Source File: RangerHiveAuditHandler.java    From ranger with Apache License 2.0 4 votes vote down vote up
AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
	RangerAccessRequest  request      = result.getAccessRequest();
	RangerAccessResource resource     = request.getResource();
	String               resourceType = resource != null ? resource.getLeafName() : null;

	AuthzAuditEvent auditEvent = super.getAuthzEvents(result);

	auditEvent.setAccessType(accessType);
	auditEvent.setResourcePath(resourcePath);
	auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release

	if (request instanceof RangerHiveAccessRequest && resource instanceof RangerHiveResource) {
		RangerHiveAccessRequest hiveAccessRequest = (RangerHiveAccessRequest) request;
		RangerHiveResource hiveResource = (RangerHiveResource) resource;
		HiveAccessType hiveAccessType = hiveAccessRequest.getHiveAccessType();

		if (hiveAccessType == HiveAccessType.USE && hiveResource.getObjectType() == HiveObjectType.DATABASE && StringUtils.isBlank(hiveResource.getDatabase())) {
			// this should happen only for SHOWDATABASES
			auditEvent.setTags(null);
		}

		if (hiveAccessType == HiveAccessType.REPLADMIN ) {
			// In case of REPL commands Audit should show what REPL Command instead of REPLADMIN access type
			String context = request.getRequestData();
				String replAccessType = getReplCmd(context);
				auditEvent.setAccessType(replAccessType);
		}

		if (hiveAccessType == HiveAccessType.SERVICEADMIN) {
			String hiveOperationType = request.getAction();
			String commandStr = request.getRequestData();
			if (HiveOperationType.KILL_QUERY.name().equalsIgnoreCase(hiveOperationType)) {
				String queryId = getServiceAdminQueryId(commandStr);
				if (!StringUtils.isEmpty(queryId)) {
					auditEvent.setRequestData(queryId);
				}
				commandStr = getServiceAdminCmd(commandStr);
				if (StringUtils.isEmpty(commandStr)) {
					commandStr = hiveAccessType.name();
				}
			}
			auditEvent.setAccessType(commandStr);
		}

		String action = request.getAction();
		if (hiveResource.getObjectType() == HiveObjectType.GLOBAL && isRoleOperation(action)) {
			auditEvent.setAccessType(action);
		}
	}

	return auditEvent;
}
 
Example 5
Source File: RangerDefaultAuditHandler.java    From ranger with Apache License 2.0 4 votes vote down vote up
public AuthzAuditEvent getAuthzEvents(RangerAccessResult result) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultAuditHandler.getAuthzEvents(" + result + ")");
	}

	AuthzAuditEvent ret = null;

	RangerAccessRequest request = result != null ? result.getAccessRequest() : null;

	if(request != null && result != null && result.getIsAudited()) {
		//RangerServiceDef     serviceDef   = result.getServiceDef();
		RangerAccessResource resource     = request.getResource();
		String               resourceType = resource == null ? null : resource.getLeafName();
		String               resourcePath = resource == null ? null : resource.getAsString();

		ret = createAuthzAuditEvent();

		ret.setRepositoryName(result.getServiceName());
		ret.setRepositoryType(result.getServiceType());
		ret.setResourceType(resourceType);
		ret.setResourcePath(resourcePath);
		ret.setRequestData(request.getRequestData());
		ret.setEventTime(request.getAccessTime() != null ? request.getAccessTime() : new Date());
		ret.setUser(request.getUser());
		ret.setAction(request.getAccessType());
		ret.setAccessResult((short) (result.getIsAllowed() ? 1 : 0));
		ret.setPolicyId(result.getPolicyId());
		ret.setAccessType(request.getAction());
		ret.setClientIP(request.getClientIPAddress());
		ret.setClientType(request.getClientType());
		ret.setSessionId(request.getSessionId());
		ret.setAclEnforcer(moduleName);
		Set<String> tags = getTags(request);
		if (tags != null) {
			ret.setTags(tags);
		}
		ret.setAdditionalInfo(getAdditionalInfo(request));
		ret.setClusterName(request.getClusterName());
		ret.setZoneName(result.getZoneName());
		ret.setAgentHostname(restUtils.getAgentHostname());
		ret.setPolicyVersion(result.getPolicyVersion());

		populateDefaults(ret);

		result.setAuditLogId(ret.getEventId());
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultAuditHandler.getAuthzEvents(" + result + "): " + ret);
	}

	return ret;
}
 
Example 6
Source File: TestEvents.java    From ranger with Apache License 2.0 4 votes vote down vote up
private static AuditEventBase getTestEvent(int idx) {
    AuthzAuditEvent event = new AuthzAuditEvent();

    event.setClientIP("127.0.0.1");
    event.setAccessResult((short)(idx % 2 > 0 ? 1 : 0));
    event.setAclEnforcer("ranger-acl");

    switch(idx % 5) {
        case 0:
            event.setRepositoryName("hdfsdev");
            event.setRepositoryType(EnumRepositoryType.HDFS);
            event.setResourcePath("/tmp/test-audit.log");
            event.setResourceType("file");
            event.setAccessType("read");
            if(idx % 2 > 0) {
                event.setAclEnforcer("hadoop-acl");
            }
        break;
        case 1:
            event.setRepositoryName("hbasedev");
            event.setRepositoryType(EnumRepositoryType.HBASE);
            event.setResourcePath("test_table/test_cf/test_col");
            event.setResourceType("column");
            event.setAccessType("read");
        break;
        case 2:
            event.setRepositoryName("hivedev");
            event.setRepositoryType(EnumRepositoryType.HIVE);
            event.setResourcePath("test_database/test_table/test_col");
            event.setResourceType("column");
            event.setAccessType("select");
        break;
        case 3:
            event.setRepositoryName("knoxdev");
            event.setRepositoryType(EnumRepositoryType.KNOX);
            event.setResourcePath("topologies/ranger-admin");
            event.setResourceType("service");
            event.setAccessType("get");
        break;
        case 4:
            event.setRepositoryName("stormdev");
            event.setRepositoryType(EnumRepositoryType.STORM);
            event.setResourcePath("topologies/read-finance-stream");
            event.setResourceType("topology");
            event.setAccessType("submit");
        break;
    }
    event.setEventTime(new Date());
    event.setResultReason(Integer.toString(idx));

    return event;
}