This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 35bf9fc  RANGER-2564:Avoid recursive audit log in Solr Plugin by user 
solr when plugin is enabled for ranger_audits collection
35bf9fc is described below

commit 35bf9fc966d9993607eb23a98a98610e8765bee4
Author: rmani <[email protected]>
AuthorDate: Wed Sep 11 13:58:14 2019 -0700

    RANGER-2564:Avoid recursive audit log in Solr Plugin by user solr when 
plugin is enabled for ranger_audits collection
---
 .../audit/RangerMultiResourceAuditHandler.java     | 13 +++--
 .../solr/authorizer/RangerSolrAuditHandler.java    | 68 ++++++++++++++++++++++
 .../solr/authorizer/RangerSolrAuthorizer.java      |  7 ++-
 3 files changed, 80 insertions(+), 8 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerMultiResourceAuditHandler.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerMultiResourceAuditHandler.java
index c8ba6dd..d7e6376 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerMultiResourceAuditHandler.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerMultiResourceAuditHandler.java
@@ -22,13 +22,13 @@ package org.apache.ranger.plugin.audit;
 import java.util.ArrayList;
 import java.util.Collection;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 
-/**
- * This class should be generated per request and flushed at the end of the
- * request
- */
 public class RangerMultiResourceAuditHandler extends RangerDefaultAuditHandler 
{
+       private static final Log LOG = 
LogFactory.getLog(RangerMultiResourceAuditHandler.class);
+
        Collection<AuthzAuditEvent> auditEvents = new ArrayList<>();
 
        public RangerMultiResourceAuditHandler() {
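Review bot: The deleted Javadoc on RangerMultiResourceAuditHandler was the only statement of the handler's lifetime ("generated per request and flushed at the end of the request"), and nothing replaces it, even though this commit's RangerSolrAuthorizer change starts keeping a single instance for the plugin's lifetime. Restore a class comment that states the current contract, e.g. `/** Buffers authorization audit events in {@code auditEvents} until they are written out; the buffer is a plain ArrayList, so a shared instance must be externally synchronized. */`, and give the new LOG field a one-line note on what it reports (flush failures). The class body continues past the hunk.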
@@ -64,7 +64,10 @@ public class RangerMultiResourceAuditHandler extends 
RangerDefaultAuditHandler {
                                super.logAuthzAudit(auditEvent);
                        }
                } catch (Throwable t) {
-
+                       LOG.error("Error occured while writing audit log... ", 
t);
+               } finally {
+                       // reset auditEvents once audits are logged
+                       auditEvents = new ArrayList<>();
                }
        }
 }
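Review bot: The `finally` reassignment of `auditEvents` runs on an instance that, per the RangerSolrAuthorizer hunk in this commit, is created once at init and installed with `solrPlugin.setResultProcessor(auditHandler)`, so concurrent requests share one unsynchronized ArrayList: events buffered by another thread between the write loop and the reset are discarded, and a concurrent modification during iteration throws, which `catch (Throwable t)` turns into a log line — either way audit records are lost silently. If the intended model is still one handler per request, say so on the field (`// not thread-safe: one instance per request, reset after flush`); otherwise the buffer needs synchronization or a per-thread collection. The log message also misspells occurred: `LOG.error("Error occurred while writing audit log... ", t);`. The enclosing method, which appears to iterate the buffer, starts outside the hunk.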
diff --git 
a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuditHandler.java
 
b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuditHandler.java
new file mode 100644
index 0000000..c6e7beb
--- /dev/null
+++ 
b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuditHandler.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.authorization.solr.authorizer;
+
+import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.audit.RangerMultiResourceAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+
+import java.util.Arrays;
+import java.util.List;
+
+public class RangerSolrAuditHandler extends RangerMultiResourceAuditHandler {
+    private static final String PROP_SOLR_PLUGIN_AUDIT_EXCLUDED_USERS = 
"ranger.solr.plugin.audit.excluded.users";
+    private static final String RANGER_AUDIT_COLLECTION               = 
"ranger_audits";
+
+    private String          solrUser     = "solr";
+    private List<String>    excludeUsers = null;
+    private AuthzAuditEvent auditEvent   = null;
+
+
+    public RangerSolrAuditHandler(){
+        String excludeUserList = 
RangerConfiguration.getInstance().get(PROP_SOLR_PLUGIN_AUDIT_EXCLUDED_USERS, 
solrUser);
+        excludeUsers           = Arrays.asList(excludeUserList.split(","));
+    }
+
+    @Override
+    public void processResult(RangerAccessResult result) {
+        // We don't audit "allowed" operation for user "solr" on collection 
"ranger_audits" to avoid recursive
+        // loging due to updated of ranger_audits collection by solr plugin's 
audit creation.
+        if (!isAuditingNeeded(result)) {
+            return;
+        }
+         auditEvent = super.getAuthzEvents(result);
+         super.logAuthzAudit(auditEvent);
+    }
+
+    private boolean isAuditingNeeded(final RangerAccessResult result) {
+        boolean                  ret       = true;
+        boolean                  isAllowed = result.getIsAllowed();
+        RangerAccessRequest      request   = result.getAccessRequest();
+        RangerAccessResourceImpl resource  = (RangerAccessResourceImpl) 
request.getResource();
+        String resourceName                = (String) 
resource.getValue(RangerSolrAuthorizer.KEY_COLLECTION);
+        String requestUser                 = request.getUser();
+        if (resourceName != null && 
resourceName.equals(RANGER_AUDIT_COLLECTION) && 
excludeUsers.contains(requestUser) && isAllowed) {
+           ret = false;
+        }
+        return ret;
+    }
+}
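Review bot: processResult stores the event in the instance field `auditEvent` before passing it on (`auditEvent = super.getAuthzEvents(result); super.logAuthzAudit(auditEvent);`), and RangerSolrAuthorizer now installs one RangerSolrAuditHandler for the plugin's lifetime, so two concurrent requests can interleave on that field and log one user's event twice while dropping the other's; make it a local, `AuthzAuditEvent auditEvent = super.getAuthzEvents(result);`, and delete the field. isAuditingNeeded casts `request.getResource()` to RangerAccessResourceImpl and dereferences it without a check, so a null or differently typed resource throws out of the audit path instead of being audited; an `instanceof` guard that returns true (audit) on anything unexpected keeps the fail-safe direction. The exclusion keys only on collection and user, not on the access type, so every allowed operation by an excluded user on ranger_audits — reads and deletes included — goes unaudited, not just the writes that cause the recursion; if that breadth is intended it deserves a comment, otherwise narrow it to the write access types. The configured list is split on `,` without `trim()`, so a value like `solr, admin` leaves a leading space on the second entry and it never matches.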
diff --git 
a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
 
b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
index 5fcd45d..48d4fb7 100644
--- 
a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
+++ 
b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
@@ -33,7 +33,6 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.plugin.audit.RangerMultiResourceAuditHandler;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -64,6 +63,8 @@ public class RangerSolrAuthorizer implements 
AuthorizationPlugin {
 
        private static volatile RangerBasePlugin solrPlugin = null;
 
+       private RangerSolrAuditHandler auditHandler = null;
+
        boolean useProxyIP = false;
        String proxyIPHeader = "HTTP_X_FORWARDED_FOR";
        String solrAppName = "Client";
@@ -94,6 +95,8 @@ public class RangerSolrAuthorizer implements 
AuthorizationPlugin {
                                }
                        }
                        solrPlugin.init();
+                       auditHandler = new RangerSolrAuditHandler();
+                       solrPlugin.setResultProcessor(auditHandler);
                } catch (Throwable t) {
                        logger.fatal("Error creating and initializing 
RangerBasePlugin()");
                }
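Review bot: The two new lines run inside the existing `try`, whose `catch (Throwable t)` logs a fixed message without `t`, so if `new RangerSolrAuditHandler()` fails (its constructor reads RangerConfiguration) the cause is lost and `auditHandler` stays null; the last hunk removes the per-request RangerMultiResourceAuditHandler that previously covered every authorize call, so the first use of the null field (outside this hunk) would fail. Pass the throwable, `logger.fatal("Error creating and initializing RangerBasePlugin()", t);`, and either fail init or fall back to a handler that still audits. Note also that `solrPlugin` is static and shared while `auditHandler` is a per-instance field set here, so whether each instance's handler ends up as the plugin's result processor depends on the guard around this block, which starts outside the hunk.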
@@ -170,8 +173,6 @@ public class RangerSolrAuthorizer implements 
AuthorizationPlugin {
                                logAuthorizationConext(context);
                        }
 
-                       RangerMultiResourceAuditHandler auditHandler = new 
RangerMultiResourceAuditHandler();
-
                        RangerPerfTracer perf = null;
 
                        
if(RangerPerfTracer.isPerfTraceEnabled(PERF_SOLRAUTH_REQUEST_LOG)) {
