org.apache.ranger.plugin.audit.RangerDefaultAuditHandler Java Examples
The following examples show how to use
org.apache.ranger.plugin.audit.RangerDefaultAuditHandler.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: RangerGaianAuthorizer.java From egeria with Apache License 2.0 | 6 votes |
|
public void init() {
logger.logDetail("==> RangerGaianPlugin.init()");
RangerBasePlugin plugin = gaianPlugin;
if (plugin == null) {
synchronized (RangerGaianPlugin.class) {
plugin = gaianPlugin;
if (plugin == null) {
plugin = new RangerGaianPlugin();
plugin.init();
plugin.setResultProcessor(new RangerDefaultAuditHandler());
gaianPlugin = plugin;
}
}
}
logger.logDetail("<== RangerGaianPlugin.init()");
}
Example #2
| Source File: StormRangerPlugin.java From ranger with Apache License 2.0 | 6 votes |
|
@Override
synchronized public void init() {
if (!initialized) {
// mandatory call to base plugin
super.init();
// One time call to register the audit hander with the policy engine.
super.setResultProcessor(new RangerDefaultAuditHandler(getConfig()));
// this needed to set things right in the nimbus process
if (KerberosName.getRules() == null) {
KerberosName.setRules("DEFAULT");
}
initialized = true;
LOG.info("StormRangerPlugin initialized!");
}
}
Example #3
| Source File: RangerAuthorizationCoprocessor.java From ranger with Apache License 2.0 | 6 votes |
|
void requirePermission(final ObserverContext<?> ctx, final String operation, final Action action, final RegionCoprocessorEnvironment regionServerEnv, final Map<byte[], ? extends Collection<?>> familyMap)
throws AccessDeniedException {
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_HBASEAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.requirePermission(request=Operation[" + operation + "]");
}
ColumnFamilyAccessResult accessResult = evaluateAccess(ctx, operation, action, regionServerEnv, familyMap);
RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler(hbasePlugin.getConfig());
if (accessResult._everythingIsAccessible) {
auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
auditHandler.logAuthzAudits(accessResult._familyLevelAccessEvents);
LOG.debug("requirePermission: exiting: all access was allowed");
return;
} else {
auditHandler.logAuthzAudit(accessResult._accessDeniedEvent);
LOG.debug("requirePermission: exiting: throwing exception as everything wasn't accessible");
throw new AccessDeniedException(accessResult._denialReason);
}
} finally {
RangerPerfTracer.log(perf);
}
}
Example #4
| Source File: RangerGaianAuthorizer.java From egeria with Apache License 2.0 | 5 votes |
|
private RangerAccessResult getRangerDataMaskResult(QueryContext queryContext, String columnName) {
GaianResourceType objectType = GaianResourceType.COLUMN;
RangerGaianResource resource = new RangerGaianResource(objectType, queryContext.getSchema(), queryContext.getTableName(), columnName);
String user = queryContext.getUser();
Set<String> groups = queryContext.getUserGroups();
RangerGaianAccessRequest request = new RangerGaianAccessRequest(resource, queryContext.getActionType(), user, groups);
return gaianPlugin.evalDataMaskPolicies(request, new RangerDefaultAuditHandler());
}
Example #5
| Source File: RangerYarnAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
|
@Override
public void init() {
super.init();
RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler(getConfig());
super.setResultProcessor(auditHandler);
}
Example #6
| Source File: RangerSqoopAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
|
@Override
public void init() {
super.init();
RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler(getConfig());
super.setResultProcessor(auditHandler);
}
Example #7
| Source File: RangerAtlasAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
|
@Override
public void init() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerAtlasPlugin.init()");
}
RangerBasePlugin plugin = atlasPlugin;
if (plugin == null) {
synchronized (RangerAtlasPlugin.class) {
plugin = atlasPlugin;
if (plugin == null) {
plugin = new RangerAtlasPlugin();
plugin.init();
plugin.setResultProcessor(new RangerDefaultAuditHandler(plugin.getConfig()));
atlasPlugin = plugin;
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerAtlasPlugin.init()");
}
}
Example #8
| Source File: RangerElasticsearchAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
|
@Override
public void init() {
super.init();
RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler(getConfig());
super.setResultProcessor(auditHandler);
}
Example #9
| Source File: RangerOzoneAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
|
public RangerOzoneAuthorizer() {
rangerPlugin = new RangerBasePlugin("ozone", "ozone");
rangerPlugin.init(); // this will initialize policy engine and policy refresher
auditHandler = new RangerDefaultAuditHandler();
rangerPlugin.setResultProcessor(auditHandler);
}
Example #10
| Source File: KnoxRangerPlugin.java From ranger with Apache License 2.0 | 5 votes |
|
@Override
synchronized public void init() {
if (!initialized) {
// mandatory call to base plugin
super.init();
// One time call to register the audit hander with the policy engine.
super.setResultProcessor(new RangerDefaultAuditHandler(getConfig()));
initialized = true;
}
}
Example #11
| Source File: RangerKylinAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
|
@Override
public void init() {
super.init();
RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler(getConfig());
super.setResultProcessor(auditHandler);
}
Example #12
| Source File: RangerKmsAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
|
@Override
public void init() {
super.init();
RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler(getConfig());
super.setResultProcessor(auditHandler);
}
Example #13
| Source File: RangerAuthorizationCoprocessor.java From ranger with Apache License 2.0 | 5 votes |
|
Filter authorizeAccess(ObserverContext<?> ctx, String operation, Action action, final RegionCoprocessorEnvironment env, final Map<byte[], NavigableSet<byte[]>> familyMap) throws AccessDeniedException {
if (LOG.isDebugEnabled()) {
LOG.debug("==> authorizeAccess");
}
RangerPerfTracer perf = null;
try {
perf = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.authorizeAccess(request=Operation[" + operation + "]");
ColumnFamilyAccessResult accessResult = evaluateAccess(ctx, operation, action, env, familyMap);
RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler(hbasePlugin.getConfig());
if (accessResult._everythingIsAccessible) {
auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
auditHandler.logAuthzAudits(accessResult._familyLevelAccessEvents);
LOG.debug("authorizeAccess: exiting: No filter returned since all access was allowed");
return null; // no filter needed since we are good to go.
} else if (accessResult._somethingIsAccessible) {
// NOTE: audit logging is split beween logging here (in scope of preOp/preGet) and logging in the filter component for those that couldn't be determined
auditHandler.logAuthzAudits(accessResult._accessAllowedEvents);
LOG.debug("authorizeAccess: exiting: Filter returned since some access was allowed");
return accessResult._filter;
} else {
// If we are here then it means nothing was accessible! So let's log one denial (in our case, the last denial) and throw an exception
auditHandler.logAuthzAudit(accessResult._accessDeniedEvent);
LOG.debug("authorizeAccess: exiting: Throwing exception since nothing was accessible");
throw new AccessDeniedException(accessResult._denialReason);
}
} finally {
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== authorizeAccess");
}
}
}
Example #14
| Source File: RangerNiFiAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
|
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
try {
if (nifiPlugin == null) {
logger.info("RangerNiFiAuthorizer(): initializing base plugin");
final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);
final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);
final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;
if (rangerKerberosEnabled) {
// configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
final Configuration securityConf = new Configuration();
securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
UserGroupInformation.setConfiguration(securityConf);
// login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
// will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();
if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
}
UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
}
final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
nifiPlugin = createRangerBasePlugin(serviceType, appId);
nifiPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
} else {
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
}
} catch (Throwable t) {
throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
}
}
Example #15
| Source File: RangerAuthorizer.java From nifi-registry with Apache License 2.0 | 4 votes |
|
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
final String userGroupProviderKey = configurationContext.getProperty(USER_GROUP_PROVIDER).getValue();
if (StringUtils.isEmpty(userGroupProviderKey)) {
throw new SecurityProviderCreationException(USER_GROUP_PROVIDER + " must be specified.");
}
userGroupProvider = userGroupProviderLookup.getUserGroupProvider(userGroupProviderKey);
// ensure the desired access policy provider has a user group provider
if (userGroupProvider == null) {
throw new SecurityProviderCreationException(String.format("Unable to locate configured User Group Provider: %s", userGroupProviderKey));
}
try {
if (rangerPlugin == null) {
logger.info("initializing base plugin");
final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);
final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);
boolean rangerKerberosEnabled = Boolean.valueOf(getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString()));
if (rangerKerberosEnabled) {
// configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
final Configuration securityConf = new Configuration();
securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
UserGroupInformation.setConfiguration(securityConf);
// login with the nifi registry principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
// will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
final String registryPrincipal = registryProperties.getKerberosServicePrincipal();
final String registryKeytab = registryProperties.getKerberosServiceKeytabLocation();
if (StringUtils.isBlank(registryPrincipal) || StringUtils.isBlank(registryKeytab)) {
throw new SecurityProviderCreationException("Principal and Keytab must be provided when Kerberos is enabled");
}
UserGroupInformation.loginUserFromKeytab(registryPrincipal.trim(), registryKeytab.trim());
}
final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
rangerPlugin = createRangerBasePlugin(serviceType, appId);
rangerPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
} else {
logger.info("base plugin already initialized");
}
} catch (Throwable t) {
throw new SecurityProviderCreationException("Error creating RangerBasePlugin", t);
}
}
Example #16
| Source File: RangerNiFiAuthorizer.java From nifi with Apache License 2.0 | 4 votes |
|
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
try {
if (nifiPlugin == null) {
logger.info("RangerNiFiAuthorizer(): initializing base plugin");
final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);
final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);
final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;
if (rangerKerberosEnabled) {
// configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
final Configuration securityConf = new Configuration();
securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
UserGroupInformation.setConfiguration(securityConf);
// login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
// will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();
if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
}
UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
}
final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
nifiPlugin = createRangerBasePlugin(serviceType, appId);
nifiPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
} else {
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
}
} catch (Throwable t) {
throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
}
}
