Repository: incubator-hawq Updated Branches: refs/heads/master 55d9e8574 -> ee79ec2fc
HAWQ-1353. Added SOLR properties to RPS audit config Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/ee79ec2f Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/ee79ec2f Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/ee79ec2f Branch: refs/heads/master Commit: ee79ec2fc70dc1bb33939180659597d7c9d151cb Parents: 55d9e85 Author: Alexander Denissov <[email protected]> Authored: Thu Feb 23 10:54:48 2017 -0800 Committer: Alexander Denissov <[email protected]> Committed: Wed Mar 1 16:47:35 2017 -0800 ---------------------------------------------------------------------- ranger-plugin/conf/ranger-hawq-audit.xml | 43 +++++++++++++++++++- ranger-plugin/pom.xml | 6 +++ .../authorization/RangerHawqAuthorizer.java | 19 +++++---- 3 files changed, 57 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/ee79ec2f/ranger-plugin/conf/ranger-hawq-audit.xml ----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/ranger-hawq-audit.xml b/ranger-plugin/conf/ranger-hawq-audit.xml
index 01fe5ab..981f249 100644
--- a/ranger-plugin/conf/ranger-hawq-audit.xml
+++ b/ranger-plugin/conf/ranger-hawq-audit.xml
@@ -1,4 +1,5 @@
 <?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
 <!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
@@ -15,9 +16,12 @@
 See the License for the specific language governing permissions and
 limitations under the License.
 -->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+
 <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <!-- ********************************* -->
 <!-- HDFS audit provider configuration -->
+ <!-- ********************************* -->
 <property>
 <name>xasecure.audit.destination.hdfs</name>
 <value>false</value>
@@ -30,11 +34,46 @@
 <property>
 <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
- <value>/tmp/audit/hdfs/spool</value>
+ <value>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/logs/spool/audit/hdfs</value>
+ </property>
+
+
+ <!-- ********************************* -->
+ <!-- SOLR audit provider configuration -->
+ <!-- ********************************* -->
+ <property>
+ <name>xasecure.audit.destination.solr</name>
+ <value>false</value>
+ </property>
+
+ <!-- if not using zookeepers but direct url instead, then leave this property empty or set it to NONE -->
+ <property>
+ <name>xasecure.audit.destination.solr.zookeepers</name>
+ <value>zkhost1:2181,zkhost2:2181/infra-solr</value>
+ </property>
+
+ <!-- if not using zookeepers but direct url instead, then leave this property empty or set it to NONE -->
+ <property>
+ <name>xasecure.audit.destination.solr.collection</name>
+ <value>ranger_audits</value>
+ </property>
+
+ <!-- if not using direct url and using zookeeper instead, then leave this property empty or set it to NONE. -->
+ <!-- example value: http://solrHost1:6083/solr/ranger_audits,http://solrHost2:6083/solr/ranger_audits -->
+ <property>
+ <name>xasecure.audit.destination.solr.urls</name>
+ <value></value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
+ <value>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/logs/spool/audit/solr</value>
 </property>
 
 
 
+ <!-- ********************************** -->
 <!-- Log4j audit provider configuration -->
+ <!-- ********************************** -->
 <property>
 <name>xasecure.audit.destination.log4j</name>
 <value>true</value>
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/ee79ec2f/ranger-plugin/pom.xml ----------------------------------------------------------------------
diff --git a/ranger-plugin/pom.xml b/ranger-plugin/pom.xml
index 5d88707..8943e2a 100644
--- a/ranger-plugin/pom.xml
+++ b/ranger-plugin/pom.xml
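Review bot: `xasecure.audit.destination.solr.zookeepers` ships with the concrete-looking default `zkhost1:2181,zkhost2:2181/infra-solr`, whereas the sibling `solr.urls` property is left empty with its example in a comment; a deployer who flips `xasecure.audit.destination.solr` to true without editing it points the audit provider at an unreachable ZooKeeper ensemble, and given the `batch.filespool.dir` setting the events presumably accumulate in the local spool instead of reaching Solr. Suggest the same shape as `solr.urls`: `<!-- example value: zkhost1:2181,zkhost2:2181/infra-solr -->` above the property and an empty `<value></value>`. The comment above `solr.collection` repeats the zookeepers comment word for word; if the collection is only consulted in ZooKeeper mode, say that instead. Both spool paths embed `${hawq.name.version}`, which presumably is filtered at packaging time — if this file is ever copied unfiltered, the literal directory name is what gets created.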
@@ -248,6 +248,12 @@
 <artifactId>guava</artifactId>
 <version>11.0.2</version>
 </dependency>
+ <!-- SolrJ client for auditing to Solr requires httpcore 4.2+ -->
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ <version>4.4.4</version>
+ </dependency>
 <dependency>
 <groupId>javax.servlet</groupId>
 <artifactId>servlet-api</artifactId>
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/ee79ec2f/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java ----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
index 0d97e21..0458bae 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
@@ -37,10 +37,7 @@
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import static org.apache.hawq.ranger.authorization.Utils.HAWQ;
 
@@ -93,7 +90,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
 
 // iterate over resource requests, augment processed ones with the decision and add to the response
 for (ResourceAccess resourceAccess : request.getAccess()) {
- boolean accessAllowed = authorizeResource(resourceAccess, request.getUser());
+ boolean accessAllowed = authorizeResource(resourceAccess, request.getUser(), request.getClientIp(), request.getContext());
 resourceAccess.setAllowed(accessAllowed);
 access.add(resourceAccess);
 }
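Review bot: Collapsing the four explicit `java.util` imports into `import java.util.*;` introduces the only on-demand import in an otherwise explicit import block (the `org.apache.ranger` imports just above stay named), and it hides that the one new name this change actually needs is `java.util.Date`, used by `setAccessTime(new Date())` later in the diff. Keep the explicit list and add `import java.util.Date;` to it, so a reader can see from the import block exactly which `java.util` types the class depends on. An on-demand import also makes any future same-named type in another on-demand package an ambiguity error rather than a visible choice.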
@@ -108,7 +105,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
 * @param user user requesting authorization
 * @return true if access is authorized, false otherwise
 */
- private boolean authorizeResource(ResourceAccess resourceAccess, String user) {
+ private boolean authorizeResource(ResourceAccess resourceAccess, String user, String clientIp, String context) {
 
 if (LOG.isDebugEnabled()) {
 LOG.debug(String.format("Request: access for user=%s to resource=%s with privileges=%s",
@@ -126,7 +123,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
 for (HawqPrivilege privilege : resourceAccess.getPrivileges()) {
 // TODO not clear how we will get user groups -- Kerberos case ?
 Set<String> userGroups = Collections.emptySet();
- boolean privilegeAuthorized = authorizeResourcePrivilege(rangerResource, privilege.name(), user, userGroups);
+ boolean privilegeAuthorized = authorizeResourcePrivilege(rangerResource, privilege.name(), user, userGroups, clientIp, context);
 // ALL model of evaluation -- all privileges must be authorized for access to be allowed
 if (!privilegeAuthorized) {
 accessAllowed = false;
@@ -151,7 +148,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
 * @param userGroups groups a user belongs to
 * @return true if access is authorized, false otherwise
 */
- private boolean authorizeResourcePrivilege(RangerAccessResource rangerResource, String accessType, String user, Set<String> userGroups) {
+ private boolean authorizeResourcePrivilege(RangerAccessResource rangerResource, String accessType, String user, Set<String> userGroups, String clientIp, String context) {
 
 Map<String, String> resourceMap = rangerResource.getAsMap();
 String database = resourceMap.get(HawqResource.database.name());
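Review bot: The Javadoc directly above the changed `authorizeResource` signature still ends with `@param user user requesting authorization` and `@return`, while the method now takes `clientIp` and `context` as well; the same gap exists for `authorizeResourcePrivilege` in the `@@ -151,7 +148,7 @@` hunk below, whose Javadoc stops at `@param userGroups`. Suggest adding to both `* @param clientIp IP address of the requesting client, forwarded to the Ranger access request` and `* @param context request context string, forwarded to the Ranger access request as its request data`. The debug message on the last line of the first hunk still prints only user, resource and privileges; including the client IP there would keep debug output aligned with what is sent to Ranger. Both method bodies continue outside the hunk.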
@@ -167,7 +164,11 @@ public class RangerHawqAuthorizer implements HawqAuthorizer { LOG.debug("accessType mapped to: usage-schema"); } - RangerAccessRequest rangerRequest = new RangerAccessRequestImpl(rangerResource, accessType, user, userGroups); + RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, accessType, user, userGroups); + rangerRequest.setAccessTime(new Date()); + rangerRequest.setAction(accessType); + rangerRequest.setClientIPAddress(clientIp); + rangerRequest.setRequestData(context); RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest); boolean accessAllowed = result != null && result.getIsAllowed();
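Review bot: `setRequestData(context)` and `setClientIPAddress(clientIp)` hand the caller-supplied strings to the Ranger request unchecked, and with the audit destinations this commit configures they are presumably what ends up in the HDFS/Solr/log4j audit records; nothing here or at the call site (`request.getClientIp()`, `request.getContext()` in the `@@ -93` hunk) says what `context` contains, whether it may be null, or how large it may be. A comment at `setRequestData`, e.g. `// context is stored verbatim in the audit record; callers must not place credentials or other secrets in it`, would make the data-handling expectation explicit, and how RangerAccessRequestImpl treats a null client IP or request data is worth confirming rather than assuming. Separately, `setAction(accessType)` runs after the mapping whose debug line `accessType mapped to: usage-schema` is visible at the top of the hunk, so if `accessType` was reassigned there the audited action is the mapped value rather than the privilege the client asked for — if that is intended, a one-line comment saying so would spare the next reader the question. The enclosing method continues outside the hunk on both sides.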
