Repository: ranger
Updated Branches:
  refs/heads/master da29d1929 -> 3c18a99c2


RANGER-2143: updated Atlas authorizer with addition of scrubSearchResults() 
method


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3c18a99c
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3c18a99c
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3c18a99c

Branch: refs/heads/master
Commit: 3c18a99c2ca5b0a5302d0b646438be2990ee6c34
Parents: da29d19
Author: Madhan Neethiraj <[email protected]>
Authored: Thu Jun 28 00:31:15 2018 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Fri Jun 29 00:21:28 2018 -0700

----------------------------------------------------------------------
 .../atlas/authorizer/RangerAtlasAuthorizer.java | 199 ++++++++++++-------
 .../services/atlas/RangerServiceAtlas.java      |  11 +-
 pom.xml                                         |   2 +-
 .../atlas/authorizer/RangerAtlasAuthorizer.java |  20 ++
 4 files changed, 158 insertions(+), 74 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
 
b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 8d56f14..aa815b2 100644
--- 
a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ 
b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -23,10 +23,15 @@ package org.apache.ranger.authorization.atlas.authorizer;
 import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizer;
 import org.apache.atlas.authorize.AtlasPrivilege;
+import org.apache.atlas.model.discovery.AtlasSearchResult;
+import org.apache.atlas.model.instance.AtlasEntityHeader;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
@@ -37,8 +42,8 @@ import 
org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
+import org.apache.ranger.services.atlas.RangerServiceAtlas;
 
-import static 
org.apache.atlas.authorize.AtlasPrivilege.ENTITY_READ_CLASSIFICATION;
 import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_CATEGORY;
 import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_NAME;
 import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_TYPE;
@@ -130,7 +135,7 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
             LOG.debug("==> isAccessAllowed(" + request + ")");
         }
 
-        boolean                 ret         = false;
+        boolean                 ret          = true;
         RangerPerfTracer        perf         = null;
         RangerAtlasAuditHandler auditHandler = null;
 
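Review bot: `boolean ret = true;` makes the public isAccessAllowed default to allow, which is the wrong direction for an authorizer even though the value is always overwritten by `ret = isAccessAllowed(request, auditHandler);` later in the same method (or an exception propagates past the return). Keeping `boolean ret = false;` here changes no decision and keeps the wrapper fail-closed if a later edit adds an early path. The new private helper in the hunk at `@@ -276,6 +258,71 @@` also starts from `true`, but there the value is load-bearing for its `if (ret)` gate; a dedicated flag for the optional request-classification check (e.g. `boolean classificationAllowed = true;` consulted only by that gate) would let `ret` default to `false` there as well. The enclosing method starts before this hunk.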
@@ -144,81 +149,15 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
                 auditHandler = new RangerAtlasAuditHandler(request, 
getServiceDef());
             }
 
-            final String                  action         = request.getAction() 
!= null ? request.getAction().getType() : null;
-            final Set<String>             entityTypes    = 
request.getEntityTypeAndAllSuperTypes();
-            final String                  entityId       = 
request.getEntityId();
-            final String                  classification = 
request.getClassification() != null ? request.getClassification().getTypeName() 
: null;
-            final RangerAccessRequestImpl rangerRequest  = new 
RangerAccessRequestImpl();
-
-            rangerRequest.setAccessType(action);
-            rangerRequest.setAction(action);
-            rangerRequest.setUser(request.getUser());
-            rangerRequest.setUserGroups(request.getUserGroups());
-            rangerRequest.setClientIPAddress(request.getClientIPAddress());
-            rangerRequest.setAccessTime(request.getAccessTime());
-            rangerRequest.setClusterName(getClusterName());
-
-            final Set<String> classificationsToAuthorize;
-
-            if (classification != null) {
-                if (request.getEntityClassifications() == null) {
-                    classificationsToAuthorize = 
Collections.singleton(classification);
-                } else {
-                    classificationsToAuthorize = new 
HashSet<>(request.getEntityClassifications());
-
-                    classificationsToAuthorize.add(classification);
-                }
-            } else {
-                classificationsToAuthorize = 
request.getEntityClassifications();
-            }
-
-            // authorize entity access, without considering authorization on 
entities classification
-            RangerAccessResourceImpl rangerResource = new 
RangerAccessResourceImpl();
-
-            rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
-            rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, 
Collections.<String>emptySet());
-            rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
-
-            rangerRequest.setResource(rangerResource);
-
-            ret = checkAccess(rangerRequest, auditHandler);
-
-
-            if (ret && CollectionUtils.isNotEmpty(classificationsToAuthorize)) 
{
-                final AtlasPrivilege classificationPrivilege = 
ENTITY_READ_CLASSIFICATION;
-
-                rangerRequest.setAccessType(classificationPrivilege.getType());
-                rangerRequest.setAction(rangerRequest.getAccessType());
-
-                // check authorization for each classification
-                for (String classificationToAuthorize : 
classificationsToAuthorize) {
-                    rangerResource = new RangerAccessResourceImpl();
-
-                    rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
-                    rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, 
request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
-                    rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
-
-                    rangerRequest.setResource(rangerResource);
-
-                    ret = checkAccess(rangerRequest, auditHandler);
-
-                    if (!ret) {
-                        break;
-                    }
-                }
-            }
-
+            ret = isAccessAllowed(request, auditHandler);
         } finally {
-            if(auditHandler!=null) {
-                auditHandler.flushAudit();
-            }
-
             RangerPerfTracer.log(perf);
         }
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
         }
+
         return ret;
     }
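Review bot: The authorization semantics change in this hunk, not only the code layout, and neither the commit message nor a comment records it: the removed body ran a classification-free entity check and then checked ENTITY_READ_CLASSIFICATION per classification, while the new delegate evaluates the requested action itself against the request's classification, then against every entity classification, or against the `_NOT_CLASSIFIED` sentinel when the entity has none. Policies written for the old evaluation order may therefore yield different decisions after upgrade (inferred from the two bodies; it depends on how existing policies are written). A Javadoc on the public method stating that order, and that any single denial denies the whole request, would make the contract visible to policy authors.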
 
@@ -264,6 +203,49 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
         return ret;
     }
 
+    @Override
+    public void scrubSearchResults(AtlasSearchResultScrubRequest request) 
throws AtlasAuthorizationException {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> scrubSearchResults(" + request + ")");
+        }
+
+        RangerPerfTracer perf = null;
+
+        try {
+            if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+                perf = RangerPerfTracer.getPerfTracer(PERF_LOG, 
"RangerAtlasAuthorizer.scrubSearchResults(" + request + ")");
+            }
+
+            final AtlasSearchResult result = request.getSearchResult();
+
+            if (CollectionUtils.isNotEmpty(result.getEntities())) {
+                for (AtlasEntityHeader entity : result.getEntities()) {
+                    checkAccessAndScrub(entity, request);
+                }
+            }
+
+            if (CollectionUtils.isNotEmpty(result.getFullTextResult())) {
+                for (AtlasSearchResult.AtlasFullTextResult fullTextResult : 
result.getFullTextResult()) {
+                    if (fullTextResult != null) {
+                        checkAccessAndScrub(fullTextResult.getEntity(), 
request);
+                    }
+                }
+            }
+
+            if (MapUtils.isNotEmpty(result.getReferredEntities())) {
+                for (AtlasEntityHeader entity : 
result.getReferredEntities().values()) {
+                    checkAccessAndScrub(entity, request);
+                }
+            }
+        } finally {
+            RangerPerfTracer.log(perf);
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== scrubSearchResults(): " + request);
+        }
+    }
+
     private String getClusterName() {
         RangerBasePlugin plugin = atlasPlugin;
 
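Review bot: `request.getSearchResult()` is dereferenced unconditionally at `result.getEntities()`, while the per-entity helper guards both `entity` and `request` for null; a request carrying no result fails with a NullPointerException instead of being a no-op. A guard such as `if (result == null) { return; }` right after the assignment keeps the `finally` perf logging and makes the method as tolerant as the rest of the new code. The new public method also has no Javadoc; a short one stating that every entity header in entities, full-text results and referred entities is checked for ENTITY_READ and scrubbed in place when access is denied, rather than failing the search, would document the contract. Minor: the exit log `"<== scrubSearchResults(): " + request` places the argument outside the parentheses, unlike the entry log and the isAccessAllowed pair.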
@@ -276,6 +258,71 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
         return plugin != null ? plugin.getServiceDef() : null;
     }
 
+    private boolean isAccessAllowed(AtlasEntityAccessRequest request, 
RangerAtlasAuditHandler auditHandler) throws AtlasAuthorizationException {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> isAccessAllowed(" + request + ")");
+        }
+
+        boolean ret = true;
+
+        try {
+            final String                   action         = 
request.getAction() != null ? request.getAction().getType() : null;
+            final Set<String>              entityTypes    = 
request.getEntityTypeAndAllSuperTypes();
+            final String                   entityId       = 
request.getEntityId();
+            final String                   classification = 
request.getClassification() != null ? request.getClassification().getTypeName() 
: null;
+            final RangerAccessRequestImpl  rangerRequest  = new 
RangerAccessRequestImpl();
+            final RangerAccessResourceImpl rangerResource = new 
RangerAccessResourceImpl();
+
+            rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
+            rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
+
+            rangerRequest.setAccessType(action);
+            rangerRequest.setAction(action);
+            rangerRequest.setUser(request.getUser());
+            rangerRequest.setUserGroups(request.getUserGroups());
+            rangerRequest.setClientIPAddress(request.getClientIPAddress());
+            rangerRequest.setAccessTime(request.getAccessTime());
+            rangerRequest.setClusterName(getClusterName());
+            rangerRequest.setResource(rangerResource);
+
+            if (StringUtils.isNotEmpty(classification)) {
+                rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, 
request.getClassificationTypeAndAllSuperTypes(classification));
+
+                ret = checkAccess(rangerRequest, auditHandler);
+            }
+
+            if (ret) {
+                if 
(CollectionUtils.isNotEmpty(request.getEntityClassifications())) {
+                    // check authorization for each classification
+                    for (String classificationToAuthorize : 
request.getEntityClassifications()) {
+                        
rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, 
request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+
+                        ret = checkAccess(rangerRequest, auditHandler);
+
+                        if (!ret) {
+                            break;
+                        }
+                    }
+                } else {
+                    rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, 
RangerServiceAtlas.ENTITY_NOT_CLASSIFIED);
+
+                    ret = checkAccess(rangerRequest, auditHandler);
+                }
+            }
+
+        } finally {
+            if(auditHandler != null) {
+                auditHandler.flushAudit();
+            }
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
+        }
+
+        return ret;
+    }
+
     private boolean checkAccess(RangerAccessRequestImpl request) {
         boolean          ret    = false;
         RangerBasePlugin plugin = atlasPlugin;
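Review bot: A single `rangerResource` is mutated between up to three `checkAccess(rangerRequest, auditHandler)` calls while the audit events are flushed only in the `finally` block; if RangerAtlasAuditHandler buffers the RangerAccessResult (and through it the live request and resource) rather than a snapshot of the resource values, every buffered event would report the last classification written (the handler is not in this diff, so this is an inference to confirm). The removed body avoided the question by allocating a fresh RangerAccessResourceImpl per check, and restoring that per-check allocation keeps the evaluation identical. The classification loop would then read as below, with the same fresh resource at the request-classification check and at the `_NOT_CLASSIFIED` check.
```java
// … unchanged: rangerRequest population and the request-classification check (fresh resource there too) …
if (CollectionUtils.isNotEmpty(request.getEntityClassifications())) {
    // one resource per check, so an event buffered for an earlier check cannot see a later setValue()
    for (String classificationToAuthorize : request.getEntityClassifications()) {
        RangerAccessResourceImpl classifiedResource = new RangerAccessResourceImpl();

        classifiedResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
        classifiedResource.setValue(RESOURCE_ENTITY_ID, entityId);
        classifiedResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));

        rangerRequest.setResource(classifiedResource);

        ret = checkAccess(rangerRequest, auditHandler);

        if (!ret) {
            break;
        }
    }
}
// … unchanged: _NOT_CLASSIFIED branch (same per-check allocation) and the finally/flushAudit …
```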
@@ -306,6 +353,18 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
         return ret;
     }
 
+    private void checkAccessAndScrub(AtlasEntityHeader entity, 
AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
+        if (entity != null && request != null) {
+            final AtlasEntityAccessRequest entityAccessRequest = new 
AtlasEntityAccessRequest(request.getTypeRegistry(), AtlasPrivilege.ENTITY_READ, 
entity, request.getUser(), request.getUserGroups());
+
+            
entityAccessRequest.setClientIPAddress(request.getClientIPAddress());
+
+            if (!isAccessAllowed(entityAccessRequest, null)) {
+                scrubEntityHeader(entity);
+            }
+        }
+    }
+
     class RangerAtlasPlugin extends RangerBasePlugin {
         RangerAtlasPlugin() {
             super("atlas", "atlas");
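Review bot: `isAccessAllowed(entityAccessRequest, null)` passes no audit handler, so presumably none of the per-entity decisions made while scrubbing reach the audit log, and a denied entity is scrubbed in place rather than rejected; neither fact is stated anywhere in the new code. A comment above the call, `// no audit handler: per-entity scrub decisions are not audited; a denial scrubs the header instead of failing the search`, would record the intent, and if the omission is deliberate for audit-volume reasons that is worth saying too. Note also that each header costs a full policy evaluation (request classification plus every entity classification, or the `_NOT_CLASSIFIED` sentinel), so large search results multiply evaluations accordingly; a line to that effect belongs in the Javadoc of scrubSearchResults.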

http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git 
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
 
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index aba4b8c..d4c196e 100644
--- 
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ 
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -60,6 +60,7 @@ public class RangerServiceAtlas extends RangerBaseService {
        public static final String CONFIG_REST_ADDRESS            = 
"atlas.rest.address";
        public static final String CONFIG_USERNAME                = "username";
        public static final String CONFIG_PASSWORD                = "password";
+       public static final String ENTITY_NOT_CLASSIFIED          = 
"_NOT_CLASSIFIED";
 
        private static final String TYPE_ENTITY         = "entity";
        private static final String TYPE_CLASSIFICATION = "classification";
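Review bot: `ENTITY_NOT_CLASSIFIED` is a public sentinel that shares the namespace of real classification type names (the authorizer stores it in RESOURCE_ENTITY_CLASSIFICATION and the lookup below offers it to policy authors), yet nothing documents that role or the collision with a classification type actually named `_NOT_CLASSIFIED`. A Javadoc on the constant would make both explicit: `/** Sentinel used as the classification resource value for entities that carry no classification; a real classification type must not use this name. */`.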
@@ -501,12 +502,16 @@ public class RangerServiceAtlas extends RangerBaseService 
{
                }
 
                void addIfStartsWithAndNotExcluded(List<String> list, 
List<String> values, String prefix, List<String> excludeList) {
-                       if (values == null || list == null) {
+                       if (list == null) {
                                return;
                        }
 
-                       for (String value : values) {
-                               addIfStartsWithAndNotExcluded(list, value, 
prefix, excludeList);
+                       if (values == null) {
+                               addIfStartsWithAndNotExcluded(list, 
ENTITY_NOT_CLASSIFIED, prefix, excludeList);
+                       } else {
+                               for (String value : values) {
+                                       addIfStartsWithAndNotExcluded(list, 
value, prefix, excludeList);
+                               }
                        }
                }
 
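Review bot: The lookup adds `ENTITY_NOT_CLASSIFIED` only when `values` is `null`, while the authorizer's private isAccessAllowed falls back to that sentinel whenever `CollectionUtils.isNotEmpty(request.getEntityClassifications())` is false, i.e. for an empty list as well. If callers can pass an empty list (not visible from this hunk), the two paths disagree on when the sentinel applies; `if (values == null || values.isEmpty()) {` would align them. The enclosing class continues outside the hunk.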

http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 0795210..f18e6bc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -127,7 +127,7 @@
         <apacheds.version>2.0.0-M22</apacheds.version>
         <asm.all.version>3.2</asm.all.version>
         <aspectj.version>1.8.2</aspectj.version>
-        <atlas.version>1.0.0</atlas.version>
+        <atlas.version>2.0.0-SNAPSHOT</atlas.version>
         <atlas.guava.version>14.0</atlas.guava.version>
         <atlas.gson.version>2.5</atlas.gson.version>
         <atlas.jackson.version>2.9.2</atlas.jackson.version>

http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
 
b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 9302bdd..609dddb 100644
--- 
a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ 
b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -21,6 +21,7 @@ package org.apache.ranger.authorization.atlas.authorizer;
 
 import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasAuthorizer;
@@ -175,6 +176,25 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
                return ret;
        }
 
+       @Override
+       public void scrubSearchResults(AtlasSearchResultScrubRequest request) 
throws AtlasAuthorizationException {
+               if (isDebugEnabled) {
+                       LOG.debug("==> scrubSearchResults(" + request + ")");
+               }
+
+               try {
+                       activatePluginClassLoader();
+
+                       rangerAtlasAuthorizerImpl.scrubSearchResults(request);
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if (isDebugEnabled) {
+                       LOG.debug("<== scrubSearchResults(): " + request);
+               }
+       }
+
     private void activatePluginClassLoader() {
                if(rangerPluginClassLoader != null) {
                        rangerPluginClassLoader.activate();
