This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 8fe1ce8  RANGER-2571 : Need to add Knox proxy configuration support in 
Ranger plugins
8fe1ce8 is described below

commit 8fe1ce872ab13c4543f6eb70cfe01bcdc36ff8f3
Author: Dhaval B.Shah <[email protected]>
AuthorDate: Thu Sep 19 20:28:23 2019 +0530

    RANGER-2571 : Need to add Knox proxy configuration support in Ranger plugins
    
    Signed-off-by: Mehul Parikh <[email protected]>
---
 .../ranger/plugin/util/GrantRevokeRequest.java      | 21 +++++++++++++++++++++
 .../hbase/RangerAuthorizationCoprocessor.java       |  7 ++++++-
 .../authorization/hadoop/RangerHdfsAuthorizer.java  |  2 ++
 .../yarn/authorizer/RangerYarnAuthorizer.java       |  9 ++++++---
 4 files changed, 35 insertions(+), 4 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index 870ec96..63f0f25 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -20,8 +20,10 @@
 package org.apache.ranger.plugin.util;
 
 import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -50,6 +52,8 @@ public class GrantRevokeRequest implements Serializable {
        private Set<String>         groups;
        private Set<String>         roles;
        private Set<String>         accessTypes;
+       private List<String>        forwardedAddresses;
+       private String              remoteIPAddress;
        private Boolean             delegateAdmin              = Boolean.FALSE;
        private Boolean             enableAudit                = Boolean.TRUE;
        private Boolean             replaceExistingPermissions = Boolean.FALSE;
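Review bot: The new `forwardedAddresses` field has no initializer, so `getForwardedAddresses()` (added in the later hunk at -334) returns null on any request where the setter was never called, even though the setter itself turns a null argument into an empty list. Initialising the field, `private List<String> forwardedAddresses = new ArrayList<String>();`, would give callers one contract; the HBase code in this commit already calls `ret.getGroups().add(...)` without a null check, which suggests the class's other collections are expected to be non-null. The setter also keeps the caller's list by reference, so a later change to that list alters the request; copying it with `new ArrayList<String>(forwardedAddresses)` avoids that. The four new accessors have no Javadoc while their neighbours carry `@param` comments, so a short note on how `remoteIPAddress` differs from the existing `clientIPAddress` would help. Constructors, `toString()` and any `serialVersionUID` are outside these hunks and worth checking for the new fields.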
@@ -137,6 +141,15 @@ public class GrantRevokeRequest implements Serializable {
        public Map<String, String> getResource() {
                return resource;
        }
+       
+       public void setForwardedAddresses(List<String> forwardedAddresses) {
+               this.forwardedAddresses = (forwardedAddresses == null) ? new 
ArrayList<String>() : forwardedAddresses;
+       }
+
+       public void setRemoteIPAddress(String remoteIPAddress) {
+               this.remoteIPAddress = remoteIPAddress;
+       }
+
 
        /**
         * @param resource the resource to set
@@ -334,6 +347,14 @@ public class GrantRevokeRequest implements Serializable {
        public String getClusterName() {
                return clusterName;
        }
+       
+       public String getRemoteIPAddress() {
+               return remoteIPAddress;
+       }
+
+       public List<String> getForwardedAddresses() { 
+               return forwardedAddresses; 
+       }
 
        /**
         * @param clusterName the clusterName to set
diff --git 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 5729eb2..364a415 100644
--- 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1495,6 +1495,8 @@ public class RangerAuthorizationCoprocessor implements 
AccessControlService.Inte
                ret.setReplaceExistingPermissions(Boolean.TRUE);
                ret.setResource(mapResource);
                ret.setClientIPAddress(getRemoteAddress());
+               ret.setForwardedAddresses(null);//TODO: Need to check with Knox 
proxy how they handle forwarded add.
+               ret.setRemoteIPAddress(getRemoteAddress());
 
                if(userName.startsWith(GROUP_PREFIX)) {
                        
ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
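Review bot: `ret.setForwardedAddresses(null)` with an open TODO means HBase grant/revoke requests never carry a forwarded chain, and `remoteIPAddress` is set to the same `getRemoteAddress()` value as `clientIPAddress`. If the call arrives through a proxy, both fields would then presumably hold the proxy's address, so audit records and any IP-based conditions cannot tell the originating client from the proxy. Until the TODO is resolved, replace it with a comment that states this limitation and names the tracking issue, e.g. `// forwarded addresses not yet available for HBase; client and remote IP are both the connection peer (RANGER-<id>)`. It would also help to read the address once, `String remoteAddr = getRemoteAddress();`, and pass it to both setters. The same pattern recurs in the second hunk of this file (at -1600) and in the `RangerHdfsAccessRequest` hunk, where `getRemoteIp()` is called twice; the enclosing methods start and end outside the hunks.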
@@ -1600,7 +1602,10 @@ public class RangerAuthorizationCoprocessor implements 
AccessControlService.Inte
                ret.setReplaceExistingPermissions(Boolean.TRUE);
                ret.setResource(mapResource);
                ret.setClientIPAddress(getRemoteAddress());
-
+               ret.setForwardedAddresses(null);//TODO: Need to check with Knox 
proxy how they handle forwarded add.
+               ret.setRemoteIPAddress(getRemoteAddress());
+               
+               
                if(userName.startsWith(GROUP_PREFIX)) {
                        
ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
                } else {
diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 7b2882c..52df2db 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -826,6 +826,8 @@ class RangerHdfsAccessRequest extends 
RangerAccessRequestImpl {
                super.setAccessTime(new Date());
                super.setClientIPAddress(getRemoteIp());
                super.setAction(access.toString());
+               super.setForwardedAddresses(null);
+               super.setRemoteIPAddress(getRemoteIp());
 
                if (inode != null) {
                        buildRequestContext(inode);
diff --git 
a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
 
b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index b49fb8a..eb473c4 100644
--- 
a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ 
b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -98,7 +98,8 @@ public class RangerYarnAuthorizer extends 
YarnAuthorizationProvider {
                AccessType accessType = accessRequest.getAccessType();
            PrivilegedEntity entity = accessRequest.getEntity();
                UserGroupInformation ugi = accessRequest.getUser();
-
+               List<String> forwardedAddresses = 
accessRequest.getForwardedAddresses();
+               String remoteIpAddress = accessRequest.getRemoteAddress();
                if(LOG.isDebugEnabled()) {
                        LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + 
accessType + ", " + toString(entity) + ", " + ugi + ")");
                }
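Review bot: `forwardedAddresses`, read at the top of `checkPermission`, is a value the caller reports about itself, and nothing in this hunk ties it to `remoteIpAddress` being a known proxy. If audit records or IP-based policy conditions later prefer the forwarded list over the connection address, the recorded client address is only as trustworthy as whoever sent the request. Whether the downstream request handling applies a trusted-proxy check is not visible in this diff, so a comment stating where that check lives would help, e.g. `// forwarded list is client-supplied; honoured only when remoteIpAddress is a configured trusted proxy`. No hunk in this file adds `import java.util.List;`, so that import presumably already exists and is worth confirming; `checkPermission` continues beyond the hunk.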
@@ -117,7 +118,7 @@ public class RangerYarnAuthorizer extends 
YarnAuthorizationProvider {
                                perf = 
RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, 
"RangerYarnAuthorizer.checkPermission(entity=" + entity + ")");
                        }
 
-                       RangerYarnAccessRequest request = new 
RangerYarnAccessRequest(entity, getRangerAccessType(accessType), 
accessType.name(), ugi);
+                       RangerYarnAccessRequest request = new 
RangerYarnAccessRequest(entity, getRangerAccessType(accessType), 
accessType.name(), ugi, forwardedAddresses, remoteIpAddress);
 
                        auditHandler = new RangerYarnAuditHandler();
 
@@ -300,7 +301,7 @@ class RangerYarnResource extends RangerAccessResourceImpl {
 }
 
 class RangerYarnAccessRequest extends RangerAccessRequestImpl {
-       public RangerYarnAccessRequest(PrivilegedEntity entity, String 
accessType, String action, UserGroupInformation ugi) {
+       public RangerYarnAccessRequest(PrivilegedEntity entity, String 
accessType, String action, UserGroupInformation ugi, List<String> 
forwardedAddresses, String remoteIpAddress) {
                super.setResource(new RangerYarnResource(entity));
                super.setAccessType(accessType);
                super.setUser(ugi.getShortUserName());
@@ -308,6 +309,8 @@ class RangerYarnAccessRequest extends 
RangerAccessRequestImpl {
                super.setAccessTime(new Date());
                super.setClientIPAddress(getRemoteIp());
                super.setAction(action);
+               super.setRemoteIPAddress(remoteIpAddress);
+               super.setForwardedAddresses(forwardedAddresses);
        }
        
        private static String getRemoteIp() {
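Review bot: The constructor now takes the peer address from two independent sources: `super.setClientIPAddress(getRemoteIp())` uses the static helper, while the added `super.setRemoteIPAddress(remoteIpAddress)` uses the value passed in from `accessRequest.getRemoteAddress()`. If the two can differ (the body of `getRemoteIp()` is outside the hunk), the request carries inconsistent addresses and it is unclear which one policy evaluation and audit should rely on. A comment on the constructor should state which field is authoritative, or both should derive from one value. `forwardedAddresses` is passed to the superclass setter as received, so a null from the YARN request reaches it unchanged; that setter is not visible here, so a guard such as `forwardedAddresses == null ? new ArrayList<String>() : forwardedAddresses` at this call site would match what `GrantRevokeRequest` does in this commit.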
