Java Code Examples for org.apache.ranger.plugin.policyengine.RangerAccessResult#getAccessRequest()
The following examples show how to use
org.apache.ranger.plugin.policyengine.RangerAccessResult#getAccessRequest() .
Example 1
Source File: RangerSolrAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
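/**
 * Decides whether an access result should be written to the audit log.
 *
 * <p>Auditing is suppressed in exactly one case: the resource's
 * {@code RangerSolrAuthorizer.KEY_COLLECTION} value equals {@code RANGER_AUDIT_COLLECTION}
 * and the requesting user is contained in {@code excludeUsers}. Every other result is audited.
 * A result that carries no request or no resource is also audited, so an incomplete result
 * can neither suppress an audit record nor abort the decision with a
 * {@link NullPointerException}.
 *
 * @param result the access result whose request, resource and user are inspected
 * @return {@code false} only for an excluded user accessing the audit collection,
 *         {@code true} otherwise
 */
private boolean isAuditingNeeded(final RangerAccessResult result) {
    final RangerAccessRequest request = result.getAccessRequest();
    if (request == null) {
        // Fail towards auditing: nothing here identifies an excluded access.
        return true;
    }

    final RangerAccessResourceImpl resource = (RangerAccessResourceImpl) request.getResource();
    if (resource == null) {
        return true;
    }

    final String resourceName = (String) resource.getValue(RangerSolrAuthorizer.KEY_COLLECTION);
    if (resourceName == null || !resourceName.equals(RANGER_AUDIT_COLLECTION)) {
        return true;
    }

    // NOTE(review): users in excludeUsers leave no audit record for the audit collection.
    // Presumably this stops the audit writer from auditing its own writes — confirm, and
    // keep that list as small and as tightly controlled as the audit store itself.
    return !excludeUsers.contains(request.getUser());
}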
Example 2
Source File: RangerHdfsAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Folds one access result into the handler's single pending audit event.
 *
 * <p>The first call creates the event through {@code super.getAuthzEvents(result)}; every call
 * for which an event exists then overwrites its time, access type, path, result reason,
 * allow/deny flag, policy id and policy version from the current result, and replaces the
 * tags when {@code getTags} returns a non-null set.
 *
 * @param result the access result to record
 */
@Override
public void processResult(RangerAccessResult result) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
    }

    // One-way latch: once any result is marked audited the flag stays set.
    if (!isAuditEnabled) {
        if (result.getIsAudited()) {
            isAuditEnabled = true;
        }
    }

    if (auditEvent == null) {
        auditEvent = super.getAuthzEvents(result);
    }

    // getAuthzEvents may have produced nothing; in that case there is nothing to update.
    if (auditEvent != null) {
        RangerAccessRequest accessRequest = result.getAccessRequest();
        RangerAccessResource accessResource = accessRequest.getResource();

        String resourceAsString = null;
        if (accessResource != null) {
            resourceAsString = accessResource.getAsString();
        }

        // Overwrite fields in the original audit event with values from this result.
        if (accessRequest.getAccessTime() != null) {
            auditEvent.setEventTime(accessRequest.getAccessTime());
        } else {
            // No access time on the request: fall back to the current time.
            auditEvent.setEventTime(new Date());
        }
        auditEvent.setAccessType(accessRequest.getAction());
        // The recorded path is the handler's pathToBeValidated; the resource's own string
        // form is stored in the result-reason field instead.
        auditEvent.setResourcePath(this.pathToBeValidated);
        auditEvent.setResultReason(resourceAsString);

        short allowedFlag;
        if (result.getIsAllowed()) {
            allowedFlag = (short) 1;
        } else {
            allowedFlag = (short) 0;
        }
        auditEvent.setAccessResult(allowedFlag);
        auditEvent.setPolicyId(result.getPolicyId());
        auditEvent.setPolicyVersion(result.getPolicyVersion());

        Set<String> requestTags = getTags(accessRequest);
        if (requestTags != null) {
            auditEvent.setTags(requestTags);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
    }
}
Example 3
Source File: RangerHiveAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds the audit event for a result, choosing the access type from the policy type.
 *
 * <ul>
 *   <li>data-mask policy with masking enabled: the mask type is used as the access type;</li>
 *   <li>row-filter policy: {@code ACCESS_TYPE_ROWFILTER} is used;</li>
 *   <li>access policy: the Hive access type (or {@code ACTION_TYPE_METADATA_OPERATION} when
 *       that is the request's action), falling back to the request's own access type when the
 *       value is empty.</li>
 * </ul>
 *
 * @param result the access result to describe
 * @return the audit event, or {@code null} when the policy type matches none of the cases
 *         above (this includes a data-mask policy whose mask is not enabled)
 */
AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
    final RangerAccessRequest accessRequest = result.getAccessRequest();
    final RangerAccessResource accessResource = accessRequest.getResource();
    final String path = (accessResource == null) ? null : accessResource.getAsString();
    final int type = result.getPolicyType();

    if (type == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) {
        return createAuditEvent(result, result.getMaskType(), path);
    }

    if (type == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        return createAuditEvent(result, ACCESS_TYPE_ROWFILTER, path);
    }

    if (type != RangerPolicy.POLICY_TYPE_ACCESS) {
        // No branch applies, so no audit event is produced for this result.
        return null;
    }

    String effectiveAccessType = null;
    if (accessRequest instanceof RangerHiveAccessRequest) {
        effectiveAccessType = ((RangerHiveAccessRequest) accessRequest).getHiveAccessType().toString();

        // Metadata operations are recorded under their own label rather than the Hive access type.
        if (ACTION_TYPE_METADATA_OPERATION.equals(accessRequest.getAction())) {
            effectiveAccessType = ACTION_TYPE_METADATA_OPERATION;
        }
    }

    if (StringUtils.isEmpty(effectiveAccessType)) {
        effectiveAccessType = accessRequest.getAccessType();
    }

    return createAuditEvent(result, effectiveAccessType, path);
}
Example 4
Source File: RangerHiveAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Reports whether a result is a denied metadata operation.
 *
 * @param result the access result to inspect
 * @return {@code true} only when the result carries a request, the request's action equals
 *         {@code ACTION_TYPE_METADATA_OPERATION} and access was not allowed; {@code false}
 *         otherwise, including when the result has no request
 */
private boolean skipFilterOperationAuditing(RangerAccessResult result) {
    final RangerAccessRequest request = result.getAccessRequest();
    if (request == null) {
        return false;
    }

    // NOTE(review): judging by the method name, the caller leaves these results out of the
    // audit trail — confirm. If so, denied metadata operations are not visible to anyone
    // reviewing audit logs and need to be observed through another source.
    final String requestedAction = request.getAction();
    return ACTION_TYPE_METADATA_OPERATION.equals(requestedAction) && !result.getIsAllowed();
}
Example 5
Source File: RangerKafkaAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
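/**
 * Decides whether an access result should be written to the audit log.
 *
 * <p>Auditing is suppressed in exactly one case: the resource has a non-null
 * {@code RangerKafkaAuthorizer.KEY_CLUSTER} value, the request's access type equals
 * {@code RangerKafkaAuthorizer.ACCESS_TYPE_CREATE} (ignoring case) and access was denied.
 * Every other result is audited. A result without a request, resource or access type is
 * audited as well, so an incomplete result can neither suppress an audit record nor abort
 * the decision with a {@link NullPointerException}.
 *
 * @param result the access result whose request and resource are inspected
 * @return {@code false} only for a denied create on a cluster resource, {@code true} otherwise
 */
private boolean isAuditingNeeded(final RangerAccessResult result) {
    final boolean isAllowed = result.getIsAllowed();

    final RangerAccessRequest request = result.getAccessRequest();
    if (request == null) {
        // Fail towards auditing: nothing here identifies the suppressed case.
        return true;
    }

    final RangerAccessResourceImpl resource = (RangerAccessResourceImpl) request.getResource();
    if (resource == null) {
        return true;
    }

    final String resourceName = (String) resource.getValue(RangerKafkaAuthorizer.KEY_CLUSTER);
    if (resourceName == null) {
        return true;
    }

    // Constant-first comparison: a request without an access type compares unequal
    // instead of throwing.
    final boolean isCreate =
            RangerKafkaAuthorizer.ACCESS_TYPE_CREATE.equalsIgnoreCase(request.getAccessType());

    // NOTE(review): denied cluster-level create attempts produce no audit record here;
    // confirm that this is intended and that such denials are visible somewhere else.
    return !(isCreate && !isAllowed);
}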
Example 6
Source File: RangerHiveAuditHandler.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the audit event for a result using an explicit access type and resource path, then
 * applies Hive-specific adjustments when both the request and the resource are Hive types.
 *
 * <p>Adjustments made for Hive requests:
 * <ul>
 *   <li>{@code USE} on a database object with a blank database name: tags are cleared;</li>
 *   <li>{@code REPLADMIN}: the access type becomes the value {@code getReplCmd} derives from
 *       the request data;</li>
 *   <li>{@code SERVICEADMIN}: the access type becomes the request data, or for
 *       {@code KILL_QUERY} the value from {@code getServiceAdminCmd} (falling back to the
 *       access type's name), with the query id stored as request data when non-empty;</li>
 *   <li>a role operation on a {@code GLOBAL} object: the access type becomes the action.</li>
 * </ul>
 *
 * @param result       the access result to describe
 * @param accessType   the access type initially recorded on the event
 * @param resourcePath the resource path recorded on the event
 * @return the populated audit event
 */
AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
    final RangerAccessRequest accessRequest = result.getAccessRequest();
    final RangerAccessResource accessResource = accessRequest.getResource();

    String leafName = null;
    if (accessResource != null) {
        leafName = accessResource.getLeafName();
    }

    // NOTE(review): the event is used below without a null check; confirm that
    // getAuthzEvents(result) cannot return null on the paths that reach this method.
    final AuthzAuditEvent event = super.getAuthzEvents(result);

    event.setAccessType(accessType);
    event.setResourcePath(resourcePath);
    // The "@" prefix is kept to be consistent with earlier releases.
    event.setResourceType("@" + leafName);

    final boolean hiveSpecific =
            accessRequest instanceof RangerHiveAccessRequest && accessResource instanceof RangerHiveResource;
    if (!hiveSpecific) {
        return event;
    }

    final RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) accessRequest;
    final RangerHiveResource hiveResource = (RangerHiveResource) accessResource;
    final HiveAccessType hiveAccessType = hiveRequest.getHiveAccessType();

    // The three access types below are distinct enum constants, so at most one branch runs.
    if (hiveAccessType == HiveAccessType.USE) {
        if (hiveResource.getObjectType() == HiveObjectType.DATABASE
                && StringUtils.isBlank(hiveResource.getDatabase())) {
            // This should happen only for SHOWDATABASES.
            event.setTags(null);
        }
    } else if (hiveAccessType == HiveAccessType.REPLADMIN) {
        // For REPL commands the audit record shows the actual REPL command rather than
        // the generic REPLADMIN access type.
        final String requestData = accessRequest.getRequestData();
        event.setAccessType(getReplCmd(requestData));
    } else if (hiveAccessType == HiveAccessType.SERVICEADMIN) {
        final String operation = accessRequest.getAction();
        String command = accessRequest.getRequestData();

        if (HiveOperationType.KILL_QUERY.name().equalsIgnoreCase(operation)) {
            final String queryId = getServiceAdminQueryId(command);
            if (!StringUtils.isEmpty(queryId)) {
                event.setRequestData(queryId);
            }

            command = getServiceAdminCmd(command);
            if (StringUtils.isEmpty(command)) {
                command = hiveAccessType.name();
            }
        }

        // NOTE(review): outside KILL_QUERY the unmodified request data becomes the access
        // type, so that field carries request-supplied text — confirm audit consumers
        // treat it as untrusted.
        event.setAccessType(command);
    }

    final String requestedAction = accessRequest.getAction();
    if (hiveResource.getObjectType() == HiveObjectType.GLOBAL && isRoleOperation(requestedAction)) {
        event.setAccessType(requestedAction);
    }

    return event;
}