org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor Java Examples

public void revokeAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.revokeAccess(" + request + ")");
	}

	boolean isSuccess = false;

	try {
		RangerPolicyEngine policyEngine = this.policyEngine;

		if (policyEngine != null) {
			request.setZoneName(policyEngine.getUniquelyMatchedZoneName(request));
		}

		getAdminClient().revokeAccess(request);

		isSuccess = true;
	} finally {
		auditGrantRevoke(request, "revoke", isSuccess, resultProcessor);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.revokeAccess(" + request + ")");
	}
}
 

public void grantAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.grantAccess(" + request + ")");
	}

	boolean isSuccess = false;

	try {
		RangerPolicyEngine policyEngine = this.policyEngine;

		if (policyEngine != null) {
			request.setZoneName(policyEngine.getUniquelyMatchedZoneName(request));
		}

		getAdminClient().grantAccess(request);

		isSuccess = true;
	} finally {
		auditGrantRevoke(request, "grant", isSuccess, resultProcessor);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.grantAccess(" + request + ")");
	}
}
 

public void dropRole(String execUser, String roleName, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.dropRole(" + roleName + ")");
	}

	getAdminClient().dropRole(execUser, roleName);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.dropRole(" + roleName + ")");
	}
}
 

private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
	if(request != null && resultProcessor != null) {
		RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();

		accessRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
		accessRequest.setUser(request.getGrantor());
		accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
		accessRequest.setAction(action);
		accessRequest.setClientIPAddress(request.getClientIPAddress());
		accessRequest.setClientType(request.getClientType());
		accessRequest.setRequestData(request.getRequestData());
		accessRequest.setSessionId(request.getSessionId());

		// call isAccessAllowed() to determine if audit is enabled or not
		RangerAccessResult accessResult = isAccessAllowed(accessRequest, null);

		if(accessResult != null && accessResult.getIsAudited()) {
			accessRequest.setAccessType(action);
			accessResult.setIsAllowed(isSuccess);

			if(! isSuccess) {
				accessResult.setPolicyId(-1);
			}

			resultProcessor.processResult(accessResult);
		}
	}
}
 

public void revokeRole(GrantRevokeRoleRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.revokeRole(" + request + ")");
	}

	getAdminClient().revokeRole(request);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.revokeRole(" + request + ")");
	}
}
 

public void grantRole(GrantRevokeRoleRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.grantRole(" + request + ")");
	}

	getAdminClient().grantRole(request);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.grantRole(" + request + ")");
	}
}
 

public RangerRole getRole(String execUser, String roleName, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.getPrincipalsForRole(" + roleName + ")");
	}

	final RangerRole ret = getAdminClient().getRole(execUser, roleName);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.getPrincipalsForRole(" + roleName + ")");
	}
	return ret;
}
 

public List<String> getAllRoles(String execUser, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.getAllRoles()");
	}

	final List<String> ret = getAdminClient().getAllRoles(execUser);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.getAllRoles()");
	}
	return ret;
}
 

public List<String> getUserRoles(String execUser, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.getUserRoleNames(" + execUser + ")");
	}

	final List<String> ret = getAdminClient().getUserRoles(execUser);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.getUserRoleNames(" + execUser + ")");
	}
	return ret;
}
 

public RangerRole createRole(RangerRole request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.createRole(" + request + ")");
	}

	RangerRole ret = getAdminClient().createRole(request);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.createRole(" + request + ")");
	}
	return ret;
}
 

public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
	RangerPolicyEngine policyEngine = this.policyEngine;

	if(policyEngine != null) {
		return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor);
	}

	return null;
}
 

public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
	RangerPolicyEngine policyEngine = this.policyEngine;

	if(policyEngine != null) {
		return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor);
	}

	return null;
}
 

public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) {
	RangerPolicyEngine policyEngine = this.policyEngine;

	if(policyEngine != null) {
		return policyEngine.evaluatePolicies(requests, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
	}

	return null;
}
 

public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
	RangerPolicyEngine policyEngine = this.policyEngine;

	if(policyEngine != null) {
		return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
	}

	return null;
}
 

@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // if a ranger admin identity was provided, and it equals the identity making the request,
    // and the request is to retrieve the resources, then allow it through
    if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
            && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
        return AuthorizationResult.approved();
    }

    final String clientIp;
    if (request.getUserContext() != null) {
        clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
    } else {
        clientIp = null;
    }

    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(resource);
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setAccessTime(new Date());

    if (!StringUtils.isBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }

    // for a direct access request use the default audit handler so we generate audit logs
    // for non-direct access provide a null result processor so no audit logs get generated
    final RangerAccessResultProcessor resultProcessor = request.isAccessAttempt() ?  defaultAuditHandler : null;

    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest, resultProcessor);

    if (result != null && result.getIsAllowed()) {
        return AuthorizationResult.approved();
    } else {
        // if result.getIsAllowed() is false, then we need to determine if it was because no policy exists for the
        // given resource, or if it was because a policy exists but not for the given user or action
        final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier());

        if (doesPolicyExist) {
            final String reason = result == null ? null : result.getReason();
            if (reason != null) {
                logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
            }

            // a policy does exist for the resource so we were really denied access here
            return AuthorizationResult.denied(request.getExplanationSupplier().get());
        } else {
            // a policy doesn't exist so return resource not found so NiFi can work back up the resource hierarchy
            return AuthorizationResult.resourceNotFound();
        }
    }
}
 

public RangerAccessResultProcessor getResultProcessor() {
	return this.resultProcessor;
}
 

public void setResultProcessor(RangerAccessResultProcessor resultProcessor) {
	this.resultProcessor = resultProcessor;
}