This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 2427de8  RANGER-3294:AccessResult attribute with isAudited as false 
not filtered in Ranger Audit Filter
2427de8 is described below

commit 2427de8feb5bb9eeedbfbf9cb418e59077052c3a
Author: Ramesh Mani <[email protected]>
AuthorDate: Tue Jun 1 13:40:44 2021 -0700

    RANGER-3294:AccessResult attribute with isAudited as false not filtered in 
Ranger Audit Filter
---
 .../hadoop/config/RangerPluginConfig.java          | 10 +++++++
 .../policyengine/RangerPolicyEngineImpl.java       |  8 +++++
 .../ranger/plugin/service/RangerBasePlugin.java    |  5 ++++
 .../authorization/hadoop/RangerHdfsAuthorizer.java |  4 ++-
 .../ranger/services/hdfs/HDFSRangerTest.java       | 35 +++++++++++-----------
 .../services/hdfs/RangerHdfsAuthorizerTest.java    |  6 +++-
 .../resources/hdfs_version_3.0/hdfs-policies.json  |  2 +-
 .../src/test/resources/ranger-hdfs-security.xml    |  8 +++++
 .../yarn/authorizer/RangerYarnAuthorizer.java      |  8 +++--
 9 files changed, 62 insertions(+), 24 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index 7b34f77..3e35709 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -47,6 +47,7 @@ public class RangerPluginConfig extends RangerConfiguration {
     private final boolean                   useForwardedIPAddress;
     private final String[]                  trustedProxyAddresses;
     private final String                    propertyPrefix;
+    private       boolean                   isFallbackSupported;
     private       Set<String>               auditExcludedUsers  = 
Collections.emptySet();
     private       Set<String>               auditExcludedGroups = 
Collections.emptySet();
     private       Set<String>               auditExcludedRoles  = 
Collections.emptySet();
@@ -128,6 +129,7 @@ public class RangerPluginConfig extends RangerConfiguration 
{
         this.clusterType    = sourcePluginConfig.getClusterType();
         this.useForwardedIPAddress = 
sourcePluginConfig.isUseForwardedIPAddress();
         this.trustedProxyAddresses = 
sourcePluginConfig.getTrustedProxyAddresses();
+        this.isFallbackSupported   = 
sourcePluginConfig.getIsFallbackSupported();
 
         this.policyEngineOptions = sourcePluginConfig.getPolicyEngineOptions();
 
@@ -165,6 +167,14 @@ public class RangerPluginConfig extends 
RangerConfiguration {
         return propertyPrefix;
     }
 
+    public boolean getIsFallbackSupported() {
+        return isFallbackSupported;
+    }
+
+    public void setIsFallbackSupported(boolean isFallbackSupported) {
+        this.isFallbackSupported = isFallbackSupported;
+    }
+
     public RangerPolicyEngineOptions getPolicyEngineOptions() {
         return policyEngineOptions;
     }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index ecfc9ad..5ffd38f 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -713,6 +713,10 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                } else if (isAllowedByTags) {
                                        ret.setIsAllowed(true);
                                }
+                               if (!ret.getIsAllowed() &&
+                                               !getIsFallbackSupported()) {
+                                       ret.setIsAccessDetermined(true);
+                               }
                        }
 
                        if (ret.getIsAllowed()) {
@@ -1175,6 +1179,10 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                }
        }
 
+       private boolean getIsFallbackSupported() {
+               return 
policyEngine.getPluginContext().getConfig().getIsFallbackSupported();
+       }
+
        private static class ServiceConfig {
                private final Set<String> auditExcludedUsers;
                private final Set<String> auditExcludedGroups;
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 4d7fb6c..115a576 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -89,6 +89,7 @@ public class RangerBasePlugin {
 
                setSuperUsersAndGroups(superUsers, superGroups);
                setAuditExcludedUsersGroupsRoles(auditExcludeUsers, 
auditExcludeGroups, auditExcludeRoles);
+               
setIsFallbackSupported(pluginConfig.getBoolean(pluginConfig.getPropertyPrefix() 
+ ".is.fallback.supported", false));
 
                RangerScriptExecutionContext.init(pluginConfig);
 
@@ -166,6 +167,10 @@ public class RangerBasePlugin {
                pluginConfig.setSuperUsersGroups(users, groups);
        }
 
+       public void setIsFallbackSupported(boolean isFallbackSupported) {
+               pluginConfig.setIsFallbackSupported(isFallbackSupported);
+       }
+
        public RangerServiceDef getServiceDef() {
                RangerPolicyEngine policyEngine = this.policyEngine;
 
diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 539d4c1..7d92427 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -834,7 +834,9 @@ class RangerHdfsPlugin extends RangerBasePlugin {
 
                RangerHdfsPlugin.fileNameExtensionSeparator = 
config.get(RangerHdfsAuthorizer.RANGER_FILENAME_EXTENSION_SEPARATOR_PROP, 
RangerHdfsAuthorizer.DEFAULT_FILENAME_EXTENSION_SEPARATOR);
 
-               this.hadoopAuthEnabled            = 
config.getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, 
RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT);
+               this.hadoopAuthEnabled = 
config.getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, 
RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT);
+               config.setIsFallbackSupported(this.hadoopAuthEnabled);
+
                this.optimizeSubAccessAuthEnabled = 
config.getBoolean(RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP,
 RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_DEFAULT);
                this.randomizedWildcardPathName   = 
RangerPathResourceMatcher.WILDCARD_ASTERISK + random + 
RangerPathResourceMatcher.WILDCARD_ASTERISK;
                this.hadoopModuleName             = 
config.get(RangerHadoopConstants.AUDITLOG_HADOOP_MODULE_ACL_NAME_PROP , 
RangerHadoopConstants.DEFAULT_HADOOP_MODULE_ACL_NAME);
diff --git 
a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java 
b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java
index c5fe8a3..2c41465 100644
--- 
a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java
+++ 
b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java
@@ -34,10 +34,9 @@ import org.apache.hadoop.fs.RemoteIterator;
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.hadoop.ipc.RemoteException;
+import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer;
-import 
org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException;
 import org.junit.Assert;
 
 /**
@@ -142,9 +141,9 @@ public class HDFSRangerTest {
                 try {
                     fs.append(file);
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
@@ -224,9 +223,9 @@ public class HDFSRangerTest {
                     RemoteIterator<LocatedFileStatus> iter = 
fs.listFiles(file.getParent(), false);
                     Assert.assertTrue(iter.hasNext());
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
@@ -310,9 +309,9 @@ public class HDFSRangerTest {
                 try {
                     fs.open(file);
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
@@ -334,9 +333,9 @@ public class HDFSRangerTest {
                 try {
                     fs.open(file);
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
@@ -438,9 +437,9 @@ public class HDFSRangerTest {
                 try {
                     fs.open(file);
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
@@ -477,9 +476,9 @@ public class HDFSRangerTest {
                 try {
                     fs.open(file);
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
@@ -501,9 +500,9 @@ public class HDFSRangerTest {
                 try {
                     fs.open(file);
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
@@ -525,9 +524,9 @@ public class HDFSRangerTest {
                 try {
                     fs.open(file);
                     Assert.fail("Failure expected on an incorrect permission");
-                } catch (RemoteException ex) {
+                } catch (AccessControlException ex) {
                     // expected
-                    
Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+                    
Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
                 }
 
                 fs.close();
diff --git 
a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
 
b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
index e96ea5c..66ba071 100644
--- 
a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
+++ 
b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
@@ -197,6 +197,10 @@ public class RangerHdfsAuthorizerTest {
                         "                <name>hdfs.version</name>\n" +
                         "                <value>hdfs_version_3.0</value>\n" +
                         "        </property>\n" +
+                        "        <property>\n" +
+                        "                
<name>xasecure.add-hadoop-authorization</name>\n" +
+                        "                <value>true</value>\n" +
+                        "        </property>\n" +
                         "</configuration>\n");
             }
 
@@ -206,7 +210,7 @@ public class RangerHdfsAuthorizerTest {
             Assert.fail("Cannot create hdfs-version-site file:[" + 
exception.getMessage() + "]");
         }
 
-        AccessControlEnforcer accessControlEnforcer = 
Mockito.mock(AccessControlEnforcer.class);
+        AccessControlEnforcer accessControlEnforcer = null;
         rangerControlEnforcer = 
authorizer.getExternalAccessControlEnforcer(accessControlEnforcer);
     }
 
diff --git a/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json 
b/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json
index a3fd968..ba36c8c 100644
--- a/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json
+++ b/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json
@@ -240,7 +240,7 @@
             "/tmp/tmpdir4", "/tmp/tmpdir5"
           ],
           "isExcludes": false,
-          "isRecursive": false
+          "isRecursive": true
         }
       },
       "policyItems": [],
diff --git a/hdfs-agent/src/test/resources/ranger-hdfs-security.xml 
b/hdfs-agent/src/test/resources/ranger-hdfs-security.xml
index 2c7f22f..f59e939 100644
--- a/hdfs-agent/src/test/resources/ranger-hdfs-security.xml
+++ b/hdfs-agent/src/test/resources/ranger-hdfs-security.xml
@@ -50,4 +50,12 @@
                </description>
        </property>
 
+       <property>
+               <name>xasecure.add-hadoop-authorization</name>
+               <value>true</value>
+               <description>
+                       Enable fallback to Hadoop Acl
+               </description>
+       </property>
+
 </configuration>
diff --git 
a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
 
b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index 1f96582..36fb7c0 100644
--- 
a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ 
b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -36,6 +36,7 @@ import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.yarn.security.*;
 import org.apache.hadoop.yarn.security.PrivilegedEntity.EntityType;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
@@ -86,9 +87,10 @@ public class RangerYarnAuthorizer extends 
YarnAuthorizationProvider {
                        }
                }
 
-               this.yarnAuthEnabled = 
yarnPlugin.getConfig().getBoolean(RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_PROP,
 RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT);
-               this.yarnModuleName  = 
yarnPlugin.getConfig().get(RangerHadoopConstants.AUDITLOG_YARN_MODULE_ACL_NAME_PROP
 , RangerHadoopConstants.DEFAULT_YARN_MODULE_ACL_NAME);
-
+               RangerPluginConfig    pluginConfig = yarnPlugin.getConfig();
+               this.yarnAuthEnabled               = 
pluginConfig.getBoolean(RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_PROP, 
RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT);
+               this.yarnModuleName                = 
pluginConfig.get(RangerHadoopConstants.AUDITLOG_YARN_MODULE_ACL_NAME_PROP, 
RangerHadoopConstants.DEFAULT_YARN_MODULE_ACL_NAME);
+               pluginConfig.setIsFallbackSupported(this.yarnAuthEnabled);
 
                if(LOG.isDebugEnabled()) {
                        LOG.debug("<== RangerYarnAuthorizer.init()");

Reply via email to