This is an automated email from the ASF dual-hosted git repository. rmani pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new da68108bf RANGER-4400: Implemented processResults(Collection<RangerAccessResult> results) for RangerKafkaAuditHandler to prevent audit of cluster resource level topic creation while creating topic (#281) da68108bf is described below commit da68108bfa3b7a451d6c6964406148f14185f127 Author: Fateh Singh <fateh...@gmail.com> AuthorDate: Wed Sep 13 09:30:53 2023 -0700 RANGER-4400: Implemented processResults(Collection<RangerAccessResult> results) for RangerKafkaAuditHandler to prevent audit of cluster resource level topic creation while creating topic (#281) --- .../kafka/authorizer/RangerKafkaAuditHandler.java | 62 +++++++++++++++++++++- 1 file changed, 60 insertions(+), 2 deletions(-) diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java index 57a888e9a..459e874f1 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java @@ -28,11 +28,16 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.util.ArrayList; +import java.util.Collection; + public class RangerKafkaAuditHandler extends RangerDefaultAuditHandler { private static final Logger LOG = LoggerFactory.getLogger(RangerKafkaAuditHandler.class); private AuthzAuditEvent auditEvent = null; + private ArrayList<AuthzAuditEvent> auditEventList = new ArrayList<>(); + public RangerKafkaAuditHandler(){ } 
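Review bot: The new `auditEventList` field is declared as a non-final, concrete `ArrayList`, although nothing in this diff reassigns it; `private final List<AuthzAuditEvent> auditEventList = new ArrayList<>();` (with `java.util.List` imported) would state that intent, assuming `logAuthzAudits` accepts a `Collection` or `List`. The list is unsynchronized per-instance state that `processResults` appends to. A short comment on the field saying whether one handler instance serves exactly one authorization call would help, since the handler's lifetime is not visible in these lines.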
@@ -40,13 +45,53 @@ public class RangerKafkaAuditHandler extends RangerDefaultAuditHandler { public void processResult(RangerAccessResult result) { // If Cluster Resource Level Topic Creation is not Allowed we don't audit. // Subsequent call from Kafka for Topic Creation at Topic resource Level will be audited. + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuditHandler.processResult()"); + } if (!isAuditingNeeded(result)) { return; } auditEvent = super.getAuthzEvents(result); + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuditHandler.processResult()"); + } + } + @Override + public void processResults(Collection<RangerAccessResult> results) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuditHandler.processResults(" + results + ")"); + } + for(RangerAccessResult res: results){ + if (isAuditingNeeded(res)){ + AuthzAuditEvent event = super.getAuthzEvents(res); + if(event!=null){ + if(LOG.isDebugEnabled()) { + LOG.debug("Got event=" + event + " for RangerAccessResult=" + res); + } + auditEventList.add(event); + } + else{ + if(LOG.isDebugEnabled()) { + LOG.debug("No audit event for :" + res); + } + } + } + else { + if(LOG.isDebugEnabled()) { + LOG.debug("Auditing not required for :"+res); + } + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuditHandler.processResults(" + results + ")"); + } } private boolean isAuditingNeeded(final RangerAccessResult result) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuditHandler.isAuditingNeeded()"); + } boolean ret = true; boolean isAllowed = result.getIsAllowed(); RangerAccessRequest request = result.getAccessRequest(); 
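Review bot: `processResults` iterates `results` and passes each element to `isAuditingNeeded`, which dereferences it on its first use (`result.getIsAllowed()`), so a null collection or a null element throws from inside the audit path. A guard such as `if (results == null) { return; }` before the loop and `if (res == null) { continue; }` inside it would keep an audit-side problem from surfacing as an exception in the caller; whether callers can pass null is not visible here. In `processResult`, the early `return` for the not-audited case skips the new `<==` exit log, so entry and exit debug lines will not pair up for exactly the case this commit is about. The concatenated debug calls also render the whole `results` collection on both entry and exit; the parameterized form `LOG.debug("... {}", results)` would make the `isDebugEnabled()` guards unnecessary.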
@@ -57,18 +102,31 @@ public class RangerKafkaAuditHandler extends RangerDefaultAuditHandler { ret = false; } } + if(LOG.isDebugEnabled()) { + LOG.debug("RangerKafkaAuditHandler: isAuditingNeeded()"); + LOG.debug("request:"+request); + LOG.debug("resource:"+resource); + LOG.debug("resourceName:"+resourceName); + LOG.debug("request.getAccessType():"+request.getAccessType()); + LOG.debug("isAllowed:"+isAllowed); + LOG.debug("ret="+ret); + LOG.debug("<== RangerKafkaAuditHandler.isAuditingNeeded() = "+ret+" for result="+result); + } return ret; } public void flushAudit() { if(LOG.isDebugEnabled()) { - LOG.info("==> RangerYarnAuditHandler.flushAudit(" + "AuditEvent: " + auditEvent + ")"); + LOG.debug("==> RangerKafkaAuditHandler.flushAudit(" + "AuditEvent: " + auditEvent +" list="+ auditEventList+ ")"); } if (auditEvent != null) { super.logAuthzAudit(auditEvent); } + else if (auditEventList.size()>0){ + super.logAuthzAudits(auditEventList); + } if(LOG.isDebugEnabled()) { - LOG.info("<== RangerYarnAuditHandler.flushAudit(" + "AuditEvent: " + auditEvent + ")"); + LOG.debug("<== RangerKafkaAuditHandler.flushAudit()"); } } }
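Review bot: In `flushAudit`, the new `else if (auditEventList.size()>0)` branch only runs when `auditEvent` is null, so if both `processResult` and `processResults` are called on the same handler, the collected list is silently never written to the audit log. Making it an independent `if (!auditEventList.isEmpty()) { super.logAuthzAudits(auditEventList); }` avoids dropping audit records. Neither `auditEvent` nor `auditEventList` is reset after logging, so a second `flushAudit()` or a reused handler would emit the same events again. Clearing both afterwards would prevent that, provided `logAuthzAudits` does not retain the list reference, which cannot be confirmed from this hunk. The debug block added to `isAuditingNeeded` (whose body starts outside this hunk) emits eight separate lines per call and prints `ret` twice; a single parameterized `LOG.debug` would be easier to correlate and would keep request details in one record.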