Repository: incubator-atlas Updated Branches: refs/heads/master b86e8591a -> d6e40806f
ATLAS-1671: fix for missing client IP in Ranger audit log for Atlas authorizations Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/d6e40806 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/d6e40806 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/d6e40806 Branch: refs/heads/master Commit: d6e40806f8133db38996d93ac0da3161c39865fa Parents: b86e859 Author: nixonrodrigues <[email protected]> Authored: Fri Mar 17 14:58:05 2017 +0530 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Mar 20 10:27:29 2017 -0700 ---------------------------------------------------------------------- .../atlas/authorize/AtlasAccessRequest.java | 6 +-- .../simple/AtlasAuthorizationUtils.java | 43 +++++++++++++------- .../simple/SimpleAtlasAuthorizerTest.java | 8 ++-- .../atlas/web/resources/AdminResource.java | 11 ++--- .../org/apache/atlas/web/util/Servlets.java | 17 -------- 5 files changed, 42 insertions(+), 43 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java index 377aca7..9b405cc 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java 
@@ -40,11 +40,11 @@ public class AtlasAccessRequest { public AtlasAccessRequest(HttpServletRequest request, String user, Set<String> userGroups) { this(AtlasAuthorizationUtils.getAtlasResourceType(request.getServletPath()), "*", AtlasAuthorizationUtils - .getAtlasAction(request.getMethod()), user, userGroups); + .getAtlasAction(request.getMethod()), user, userGroups,AtlasAuthorizationUtils.getRequestIpAddress(request)); } public AtlasAccessRequest(Set<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action, - String user, Set<String> userGroups) { + String user, Set<String> userGroups, String clientIPAddress) { if (isDebugEnabled) { LOG.debug("==> AtlasAccessRequestImpl-- Initializing AtlasAccessRequest"); } @@ -56,7 +56,7 @@ public class AtlasAccessRequest { // set remaining fields to default value setAccessTime(null); - setClientIPAddress(null); + setClientIPAddress(clientIPAddress); } public Set<AtlasResourceTypes> getResourceTypes() { http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java index 1b4661e..e907bf5 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java @@ -18,6 +18,7 @@ package org.apache.atlas.authorize.simple; +import javax.servlet.http.HttpServletRequest; import org.apache.atlas.AtlasClient; import org.apache.atlas.authorize.AtlasActionTypes; import org.apache.atlas.authorize.AtlasResourceTypes; 
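Review bot: The five-argument public constructor of `AtlasAccessRequest` is replaced outright by the six-argument form in the first hunk, so any caller not touched by this commit (an authorizer plugin built against the old signature, if one exists) no longer compiles. Keeping the old signature as a delegating overload whose body is `this(resourceType, resource, action, user, userGroups, null);` would preserve those callers. In the second hunk (`@@ -56,7 +56,7 @@`), `setClientIPAddress(clientIPAddress)` still sits under the comment `// set remaining fields to default value`, which no longer describes it; moving the call above that comment keeps the comment accurate. The new parameter also has no Javadoc saying whether `null` or an empty string is acceptable, which matters because the value ends up in the audit record. Part of the constructor body lies outside both hunks.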
@@ -27,7 +28,8 @@ import org.apache.atlas.authorize.AtlasAccessRequest; import org.apache.atlas.authorize.AtlasAuthorizerFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; - +import java.net.InetAddress; +import java.net.UnknownHostException; import java.util.HashSet; import java.util.Objects; import java.util.Set; @@ -53,7 +55,7 @@ public class AtlasAuthorizationUtils { String[] split = contextPath.split("/", 3); String api = split[0]; - if(Pattern.matches("v\\d", api)) { + if (Pattern.matches("v\\d", api)) { api = split[1]; } 
@@ -98,16 +100,16 @@ public class AtlasAuthorizationUtils { * @param contextPath * @return set of AtlasResourceTypes types api mapped with AtlasResourceTypes.TYPE eg :- /api/atlas/types/* * - * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/* - * /api/atlas/discovery/search/gremlin /api/atlas/graph/* + * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/* + * /api/atlas/discovery/search/gremlin /api/atlas/graph/* + * + * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/* + * /api/atlas/entities/{guid}* /api/atlas/discovery/* * - * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/* - * /api/atlas/entities/{guid}* /api/atlas/discovery/* - * - * taxonomy API are also mapped to AtlasResourceTypes.TAXONOMY & AtlasResourceTypes.ENTITY and its terms APIs have - * added AtlasResourceTypes.TERM associations. + * taxonomy API are also mapped to AtlasResourceTypes.TAXONOMY & AtlasResourceTypes.ENTITY and its terms APIs have + * added AtlasResourceTypes.TERM associations. * - * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed. + * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed. */ public static Set<AtlasResourceTypes> getAtlasResourceType(String contextPath) { Set<AtlasResourceTypes> resourceTypes = new HashSet<>(); 
@@ -123,7 +125,7 @@ public class AtlasAuthorizationUtils { || api.startsWith("graph")) { resourceTypes.add(AtlasResourceTypes.OPERATION); } else if (api.startsWith("entities") || api.startsWith("lineage") || - api.startsWith("discovery") || api.startsWith("entity") || api.startsWith("search")) { + api.startsWith("discovery") || api.startsWith("entity") || api.startsWith("search")) { resourceTypes.add(AtlasResourceTypes.ENTITY); } else if (api.startsWith("taxonomies")) { resourceTypes.add(AtlasResourceTypes.TAXONOMY); @@ -134,7 +136,7 @@ public class AtlasAuthorizationUtils { } } else { LOG.error("Unable to find Atlas Resource corresponding to : {}\nSetting {}" - , api, AtlasResourceTypes.UNKNOWN.name()); + , api, AtlasResourceTypes.UNKNOWN.name()); resourceTypes.add(AtlasResourceTypes.UNKNOWN); } @@ -144,13 +146,13 @@ public class AtlasAuthorizationUtils { return resourceTypes; } - public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups) { + public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups, HttpServletRequest request) { AtlasAuthorizer authorizer = null; boolean isaccessAllowed = false; Set<AtlasResourceTypes> resourceTypes = new HashSet<>(); resourceTypes.add(resourcetype); - AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups); + AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups, AtlasAuthorizationUtils.getRequestIpAddress(request)); try { authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer(); if (authorizer != null) { 
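Review bot: In the `isAccessAllowed` hunk (`@@ -144,13 +146,13 @@`), `getRequestIpAddress(request)` is evaluated while constructing `atlasRequest`, before the `try` block, and it dereferences `request` unconditionally. A caller with no servlet request to pass would therefore get a NullPointerException out of `isAccessAllowed` instead of an authorization decision. Taking the address as a `String clientIPAddress` parameter and letting the web layer resolve it would avoid that and keep this utility free of the servlet API. If the `HttpServletRequest` parameter stays, a guard such as `String clientIp = request != null ? getRequestIpAddress(request) : null;` ahead of the constructor call would do. The method body continues outside the hunk.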
@@ -162,4 +164,17 @@ public class AtlasAuthorizationUtils { return isaccessAllowed; } + + public static String getRequestIpAddress(HttpServletRequest httpServletRequest) { + try { + InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr()); + + String ip = inetAddr.getHostAddress(); + + return ip; + } catch (UnknownHostException ex) { + LOG.error("Error occured when retrieving IP address", ex); + return ""; + } + } } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java ---------------------------------------------------------------------- diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java index a3fc489..b36c9c7 100644 --- a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java +++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java @@ -60,7 +60,7 @@ public class SimpleAtlasAuthorizerTest { userGroups.add("grp3"); try { AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups); + resource, action, user, userGroups,"127.0.0.1"); SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory .getAtlasAuthorizer(); @@ -103,7 +103,7 @@ public class SimpleAtlasAuthorizerTest { Set<String> userGroups = new HashSet<>(); userGroups.add("grp1"); AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups); + resource, action, user, userGroups,"127.0.0.1"); try { SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory .getAtlasAuthorizer(); 
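Review bot: In the added `getRequestIpAddress`, `InetAddress.getByName` returns the loopback address when its argument is null or empty, so if `getRemoteAddr()` ever yields no value the audit record would attribute the request to localhost instead of showing that the address is missing. A guard before the lookup avoids the misleading entry: `String remoteAddr = httpServletRequest.getRemoteAddr();` followed by `if (remoteAddr == null || remoteAddr.isEmpty()) { return ""; }`. The `""` returned on `UnknownHostException` also reaches the audit log as a blank client IP, so the method deserves a Javadoc line stating that an empty string means "address unavailable". The same Javadoc should note that the value is the TCP peer address, which is the proxy's address when Atlas is deployed behind a reverse proxy or load balancer.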
@@ -146,7 +146,7 @@ public class SimpleAtlasAuthorizerTest { Set<String> userGroups = new HashSet<>(); userGroups.add("grp1"); AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups); + resource, action, user, userGroups,"127.0.0.1"); try { SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory .getAtlasAuthorizer(); @@ -188,7 +188,7 @@ public class SimpleAtlasAuthorizerTest { Set<String> userGroups = new HashSet<>(); userGroups.add("grp3"); AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups); + resource, action, user, userGroups,"127.0.0.1"); try { SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory .getAtlasAuthorizer(); http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java b/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java index 0dfdeb2..097589f 100755 --- a/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java +++ b/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java @@ -244,10 +244,11 @@ public class AdminResource { for (GrantedAuthority c : authorities) { groups.add(c.getAuthority()); } + isEntityUpdateAccessAllowed = AtlasAuthorizationUtils.isAccessAllowed(AtlasResourceTypes.ENTITY, - AtlasActionTypes.UPDATE, userName, groups); + AtlasActionTypes.UPDATE, userName, groups, httpServletRequest); isEntityCreateAccessAllowed = AtlasAuthorizationUtils.isAccessAllowed(AtlasResourceTypes.ENTITY, - AtlasActionTypes.CREATE, userName, groups); + AtlasActionTypes.CREATE, userName, groups, httpServletRequest); } JSONObject responseData = new JSONObject(); 
@@ -313,7 +314,7 @@ public class AdminResource { AtlasExportResult result = exportService.run(exportSink, request, Servlets.getUserName(httpServletRequest), Servlets.getHostName(httpServletRequest), - Servlets.getRequestIpAddress(httpServletRequest)); + AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest)); exportSink.close(); @@ -364,7 +365,7 @@ public class AdminResource { result = importService.run(zipSource, request, Servlets.getUserName(httpServletRequest), Servlets.getHostName(httpServletRequest), - Servlets.getRequestIpAddress(httpServletRequest)); + AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest)); } catch (Exception excp) { LOG.error("importData(binary) failed", excp); @@ -398,7 +399,7 @@ public class AdminResource { result = importService.run(request, Servlets.getUserName(httpServletRequest), Servlets.getHostName(httpServletRequest), - Servlets.getRequestIpAddress(httpServletRequest)); + AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest)); } catch (Exception excp) { LOG.error("importFile() failed", excp); http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java b/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java index 926c509..4a92763 100755 --- a/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java +++ b/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java @@ -26,7 +26,6 @@ import org.apache.commons.collections.MapUtils; import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.StringEscapeUtils; import org.apache.commons.lang3.StringUtils; -import org.apache.hadoop.security.UserGroupInformation; import org.apache.http.NameValuePair; import org.apache.http.client.utils.URLEncodedUtils; import org.codehaus.jettison.json.JSONException; 
@@ -38,10 +37,7 @@ import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; import java.io.IOException; -import java.io.PrintWriter; import java.io.StringWriter; -import java.net.InetAddress; -import java.net.UnknownHostException; import java.nio.charset.Charset; import java.util.HashMap; import java.util.List; @@ -184,19 +180,6 @@ public final class Servlets { return StringEscapeUtils.escapeJson(inputStr); } - public static String getRequestIpAddress(HttpServletRequest httpServletRequest) { - try { - InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr()); - - String ip = inetAddr.getHostAddress(); - - return ip; - } catch(UnknownHostException ex) { - LOG.error("Error occured when retrieving IP address", ex); - return ""; - } - } - public static String getHostName(HttpServletRequest httpServletRequest) { return httpServletRequest.getLocalName(); }
