This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch RANGER-5038_master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 8b648a240eacc64d985a215ede01a31b00460ed8 Author: Pradeep AgrawaL <[email protected]> AuthorDate: Mon Dec 30 13:32:54 2024 +0530 RANGER-5038: checkstyle compliance updates - elasticsearch module --- plugin-elasticsearch/pom.xml | 2 + .../RangerElasticsearchAuditHandler.java | 66 +-- .../authorizer/RangerElasticsearchAuthorizer.java | 196 ++++----- .../elasticsearch/RangerServiceElasticsearch.java | 160 ++++--- .../elasticsearch/client/ElasticsearchClient.java | 467 ++++++++++----------- .../client/ElasticsearchResourceMgr.java | 146 ++++--- .../elasticsearch/privilege/IndexPrivilege.java | 51 ++- .../privilege/IndexPrivilegeUtils.java | 135 +++--- 8 files changed, 579 insertions(+), 644 deletions(-) diff --git a/plugin-elasticsearch/pom.xml b/plugin-elasticsearch/pom.xml index e079c1a58..f84794e60 100644 --- a/plugin-elasticsearch/pom.xml +++ b/plugin-elasticsearch/pom.xml @@ -28,6 +28,8 @@ <name>Elasticsearch Security Plugin</name> <description>Elasticsearch Security Plugin</description> <properties> + <checkstyle.failOnViolation>true</checkstyle.failOnViolation> + <checkstyle.skip>false</checkstyle.skip> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> </properties> <dependencies> diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuditHandler.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuditHandler.java index 37ac800ae..0bf1da39c 100644 --- a/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuditHandler.java +++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuditHandler.java @@ -29,41 +29,41 @@ import java.util.Arrays; import java.util.List; public class RangerElasticsearchAuditHandler extends RangerMultiResourceAuditHandler { - private static final String PROP_ES_PLUGIN_AUDIT_EXCLUDED_USERS = "ranger.elasticsearch.plugin.audit.excluded.users"; - private static final String PROP_ES_PLUGIN_AUDIT_INDEX = "xasecure.audit.destination.elasticsearch.index"; + private static final String PROP_ES_PLUGIN_AUDIT_EXCLUDED_USERS = "ranger.elasticsearch.plugin.audit.excluded.users"; + private static final String PROP_ES_PLUGIN_AUDIT_INDEX = "xasecure.audit.destination.elasticsearch.index"; - private String indexName = "ranger_audits"; - private String esUser = "elasticsearch"; - private List<String> excludeUsers = null; - private AuthzAuditEvent auditEvent = null; + private String indexName = "ranger_audits"; + private String esUser = "elasticsearch"; + private List<String> excludeUsers; + private AuthzAuditEvent auditEvent; - public RangerElasticsearchAuditHandler(Configuration config) { - String excludeUserList = config.get(PROP_ES_PLUGIN_AUDIT_EXCLUDED_USERS, esUser); - excludeUsers = Arrays.asList(excludeUserList.split(",")); - indexName = config.get(PROP_ES_PLUGIN_AUDIT_INDEX, indexName); - } + public RangerElasticsearchAuditHandler(Configuration config) { + String excludeUserList = config.get(PROP_ES_PLUGIN_AUDIT_EXCLUDED_USERS, esUser); + excludeUsers = Arrays.asList(excludeUserList.split(",")); + indexName = config.get(PROP_ES_PLUGIN_AUDIT_INDEX, indexName); + } - @Override - public void processResult(RangerAccessResult result) { - // We don't audit "allowed" operation for user "elasticsearch" on index "ranger_audits" to avoid recursive - // logging due to updated of ranger_audits index by elasticsearch plugin's audit creation. - if (!isAuditingNeeded(result)) { - return; - } - auditEvent = super.getAuthzEvents(result); - super.logAuthzAudit(auditEvent); - } + @Override + public void processResult(RangerAccessResult result) { + // We don't audit "allowed" operation for user "elasticsearch" on index "ranger_audits" to avoid recursive + // logging due to updated of ranger_audits index by elasticsearch plugin's audit creation. + if (!isAuditingNeeded(result)) { + return; + } + auditEvent = super.getAuthzEvents(result); + super.logAuthzAudit(auditEvent); + } - private boolean isAuditingNeeded(final RangerAccessResult result) { - boolean ret = true; - boolean isAllowed = result.getIsAllowed(); - RangerAccessRequest request = result.getAccessRequest(); - RangerAccessResourceImpl resource = (RangerAccessResourceImpl) request.getResource(); - String resourceName = (String) resource.getValue("index"); - String requestUser = request.getUser(); - if (resourceName != null && resourceName.equals(indexName) && excludeUsers.contains(requestUser) && isAllowed) { - ret = false; - } - return ret; - } + private boolean isAuditingNeeded(final RangerAccessResult result) { + boolean ret = true; + boolean isAllowed = result.getIsAllowed(); + RangerAccessRequest request = result.getAccessRequest(); + RangerAccessResourceImpl resource = (RangerAccessResourceImpl) request.getResource(); + String resourceName = (String) resource.getValue("index"); + String requestUser = request.getUser(); + if (resourceName != null && resourceName.equals(indexName) && excludeUsers.contains(requestUser) && isAllowed) { + ret = false; + } + return ret; + } } diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java index 75977eda1..8b5794b1a 100644 --- a/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java +++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java @@ -17,10 +17,6 @@ package org.apache.ranger.authorization.elasticsearch.authorizer; -import java.util.ArrayList; -import java.util.Date; -import java.util.List; - import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.thirdparty.com.google.common.collect.Sets; @@ -34,116 +30,88 @@ import org.apache.ranger.services.elasticsearch.privilege.IndexPrivilegeUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; public class RangerElasticsearchAuthorizer implements RangerElasticsearchAccessControl { - - private static final Logger LOG = LoggerFactory.getLogger(RangerElasticsearchAuthorizer.class); - - private static volatile RangerElasticsearchInnerPlugin elasticsearchPlugin = null; - - public RangerElasticsearchAuthorizer() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerElasticsearchAuthorizer.RangerElasticsearchAuthorizer()"); - } - - this.init(); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerElasticsearchAuthorizer.RangerElasticsearchAuthorizer()"); - } - } - - public void init() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerElasticsearchAuthorizer.init()"); - } - - RangerElasticsearchInnerPlugin plugin = elasticsearchPlugin; - - if (plugin == null) { - synchronized (RangerElasticsearchAuthorizer.class) { - plugin = elasticsearchPlugin; - - if (plugin == null) { - plugin = new RangerElasticsearchInnerPlugin(); - plugin.init(); - elasticsearchPlugin = plugin; - } - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerElasticsearchAuthorizer.init()"); - } - } - - @Override - public boolean checkPermission(String user, List<String> groups, String index, String action, - String clientIPAddress) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerElasticsearchAuthorizer.checkPermission( user=" + user + ", groups=" + groups - + ", index=" + index + ", action=" + action + ", clientIPAddress=" + clientIPAddress + ")"); - } - - boolean ret = false; - - if (elasticsearchPlugin != null) { - if (null == groups) { - groups = new ArrayList <>(MiscUtil.getGroupsForRequestUser(user)); - } - String privilege = IndexPrivilegeUtils.getPrivilegeFromAction(action); - RangerElasticsearchAccessRequest request = new RangerElasticsearchAccessRequest(user, groups, index, - privilege, clientIPAddress); - - RangerAccessResult result = elasticsearchPlugin.isAccessAllowed(request); - if (result != null && result.getIsAllowed()) { - ret = true; - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerElasticsearchAuthorizer.checkPermission(): result=" + ret); - } - - return ret; - } -} - -class RangerElasticsearchInnerPlugin extends RangerBasePlugin { - public RangerElasticsearchInnerPlugin() { - super("elasticsearch", "elasticsearch"); - } - - @Override - public void init() { - super.init(); - - RangerElasticsearchAuditHandler auditHandler = new RangerElasticsearchAuditHandler(getConfig()); - - super.setResultProcessor(auditHandler); - } -} - -class RangerElasticsearchResource extends RangerAccessResourceImpl { - public RangerElasticsearchResource(String index) { - if (StringUtils.isEmpty(index)) { - index = "*"; - } - setValue(ElasticsearchResourceMgr.INDEX, index); - } -} - -class RangerElasticsearchAccessRequest extends RangerAccessRequestImpl { - public RangerElasticsearchAccessRequest(String user, List<String> groups, String index, String privilege, - String clientIPAddress) { - super.setUser(user); - if (CollectionUtils.isNotEmpty(groups)) { - super.setUserGroups(Sets.newHashSet(groups)); - } - super.setResource(new RangerElasticsearchResource(index)); - super.setAccessType(privilege); - super.setAction(privilege); - super.setClientIPAddress(clientIPAddress); - super.setAccessTime(new Date()); - } + private static final Logger LOG = LoggerFactory.getLogger(RangerElasticsearchAuthorizer.class); + private static volatile RangerElasticsearchInnerPlugin elasticsearchPlugin; + + public RangerElasticsearchAuthorizer() { + LOG.debug("==> RangerElasticsearchAuthorizer.RangerElasticsearchAuthorizer()"); + this.init(); + LOG.debug("<== RangerElasticsearchAuthorizer.RangerElasticsearchAuthorizer()"); + } + + public void init() { + LOG.debug("==> RangerElasticsearchAuthorizer.init()"); + RangerElasticsearchInnerPlugin plugin = elasticsearchPlugin; + if (plugin == null) { + synchronized (RangerElasticsearchAuthorizer.class) { + plugin = elasticsearchPlugin; + if (plugin == null) { + plugin = new RangerElasticsearchInnerPlugin(); + plugin.init(); + elasticsearchPlugin = plugin; + } + } + } + LOG.debug("<== RangerElasticsearchAuthorizer.init()"); + } + + @Override + public boolean checkPermission(String user, List<String> groups, String index, String action, String clientIPAddress) { + LOG.debug("==> RangerElasticsearchAuthorizer.checkPermission( user=" + user + ", groups=" + groups + ", index=" + index + ", action=" + action + ", clientIPAddress=" + clientIPAddress + ")"); + boolean ret = false; + if (elasticsearchPlugin != null) { + if (null == groups) { + groups = new ArrayList<>(MiscUtil.getGroupsForRequestUser(user)); + } + String privilege = IndexPrivilegeUtils.getPrivilegeFromAction(action); + RangerElasticsearchAccessRequest request = new RangerElasticsearchAccessRequest(user, groups, index, privilege, clientIPAddress); + RangerAccessResult result = elasticsearchPlugin.isAccessAllowed(request); + if (result != null && result.getIsAllowed()) { + ret = true; + } + } + LOG.debug("<== RangerElasticsearchAuthorizer.checkPermission(): result=" + ret); + return ret; + } + + class RangerElasticsearchInnerPlugin extends RangerBasePlugin { + public RangerElasticsearchInnerPlugin() { + super("elasticsearch", "elasticsearch"); + } + + @Override + public void init() { + super.init(); + RangerElasticsearchAuditHandler auditHandler = new RangerElasticsearchAuditHandler(getConfig()); + super.setResultProcessor(auditHandler); + } + } + + class RangerElasticsearchResource extends RangerAccessResourceImpl { + public RangerElasticsearchResource(String index) { + if (StringUtils.isEmpty(index)) { + index = "*"; + } + setValue(ElasticsearchResourceMgr.INDEX, index); + } + } + + class RangerElasticsearchAccessRequest extends RangerAccessRequestImpl { + public RangerElasticsearchAccessRequest(String user, List<String> groups, String index, String privilege, String clientIPAddress) { + super.setUser(user); + if (CollectionUtils.isNotEmpty(groups)) { + super.setUserGroups(Sets.newHashSet(groups)); + } + super.setResource(new RangerElasticsearchResource(index)); + super.setAccessType(privilege); + super.setAction(privilege); + super.setClientIPAddress(clientIPAddress); + super.setAccessTime(new Date()); + } + } } diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java index ceb9d579e..dcc1e32a2 100644 --- a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java +++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java @@ -17,104 +17,102 @@ package org.apache.ranger.services.elasticsearch; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - import org.apache.commons.lang.StringUtils; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; -import org.slf4j.Logger; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.service.RangerBaseService; import org.apache.ranger.plugin.service.ResourceLookupContext; import org.apache.ranger.services.elasticsearch.client.ElasticsearchResourceMgr; +import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class RangerServiceElasticsearch extends RangerBaseService { - - private static final Logger LOG = LoggerFactory.getLogger(RangerServiceElasticsearch.class); - public static final String ACCESS_TYPE_READ = "read"; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; - public RangerServiceElasticsearch() { - super(); - } +public class RangerServiceElasticsearch extends RangerBaseService { + private static final Logger LOG = LoggerFactory.getLogger(RangerServiceElasticsearch.class); + public static final String ACCESS_TYPE_READ = "read"; - @Override - public void init(RangerServiceDef serviceDef, RangerService service) { - super.init(serviceDef, service); - } + private RangerServiceElasticsearch() { + super(); + } - @Override - public List<RangerPolicy> getDefaultRangerPolicies() throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerServiceElasticsearch.getDefaultRangerPolicies()"); - } + @Override + public void init(RangerServiceDef serviceDef, RangerService service) { + super.init(serviceDef, service); + } - List<RangerPolicy> ret = super.getDefaultRangerPolicies(); - for (RangerPolicy defaultPolicy : ret) { - if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) { - List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>(); - accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ)); - RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem(); - policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser)); - policyItemForLookupUser.setAccesses(accessListForLookupUser); - policyItemForLookupUser.setDelegateAdmin(false); - defaultPolicy.addPolicyItem(policyItemForLookupUser); - } - } + @Override + public Map<String, Object> validateConfig() throws Exception { + Map<String, Object> ret = new HashMap<String, Object>(); + String serviceName = getServiceName(); + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerServiceElasticsearch.validateConfig() service: " + serviceName); + } + if (configs != null) { + try { + ret = ElasticsearchResourceMgr.validateConfig(serviceName, configs); + } catch (Exception e) { + LOG.error("<== RangerServiceElasticsearch.validateConfig() error: " + e); + throw e; + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerServiceElasticsearch.validateConfig() result: " + ret); + } + return ret; + } - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerServiceElasticsearch.getDefaultRangerPolicies()"); - } - return ret; - } + @Override + public List<String> lookupResource(ResourceLookupContext context) throws Exception { + List<String> ret = new ArrayList<String>(); + String serviceName = getServiceName(); + Map<String, String> configs = getConfigs(); + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerServiceElasticsearch.lookupResource() context: " + context); + } + if (context != null) { + try { + ret = ElasticsearchResourceMgr.getElasticsearchResources(serviceName, configs, context); + } catch (Exception e) { + LOG.error("<==RangerServiceElasticsearch.lookupResource() error: " + e); + throw e; + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerServiceElasticsearch.lookupResource() result: " + ret); + } + return ret; + } - @Override - public Map<String, Object> validateConfig() throws Exception { - Map<String, Object> ret = new HashMap<String, Object>(); - String serviceName = getServiceName(); - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerServiceElasticsearch.validateConfig() service: " + serviceName); - } - if (configs != null) { - try { - ret = ElasticsearchResourceMgr.validateConfig(serviceName, configs); - } catch (Exception e) { - LOG.error("<== RangerServiceElasticsearch.validateConfig() error: " + e); - throw e; - } - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerServiceElasticsearch.validateConfig() result: " + ret); - } - return ret; - } + @Override + public List<RangerPolicy> getDefaultRangerPolicies() throws Exception { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerServiceElasticsearch.getDefaultRangerPolicies()"); + } - @Override - public List<String> lookupResource(ResourceLookupContext context) throws Exception { + List<RangerPolicy> ret = super.getDefaultRangerPolicies(); + for (RangerPolicy defaultPolicy : ret) { + if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) { + List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>(); + accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ)); + RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem(); + policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser)); + policyItemForLookupUser.setAccesses(accessListForLookupUser); + policyItemForLookupUser.setDelegateAdmin(false); + defaultPolicy.addPolicyItem(policyItemForLookupUser); + } + } - List<String> ret = new ArrayList<String>(); - String serviceName = getServiceName(); - Map<String, String> configs = getConfigs(); - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerServiceElasticsearch.lookupResource() context: " + context); - } - if (context != null) { - try { - ret = ElasticsearchResourceMgr.getElasticsearchResources(serviceName, configs, context); - } catch (Exception e) { - LOG.error("<==RangerServiceElasticsearch.lookupResource() error: " + e); - throw e; - } - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerServiceElasticsearch.lookupResource() result: " + ret); - } - return ret; - } + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerServiceElasticsearch.getDefaultRangerPolicies()"); + } + return ret; + } } diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java index 627be6e65..7bd5f44f3 100644 --- a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java +++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java @@ -19,18 +19,11 @@ package org.apache.ranger.services.elasticsearch.client; -import java.lang.reflect.Type; -import java.security.PrivilegedAction; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import javax.security.auth.Subject; -import javax.ws.rs.core.MediaType; - +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.google.gson.reflect.TypeToken; +import com.sun.jersey.api.client.Client; +import com.sun.jersey.api.client.ClientResponse; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.ArrayUtils; @@ -41,239 +34,223 @@ import org.apache.ranger.plugin.client.HadoopException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.google.gson.reflect.TypeToken; -import com.sun.jersey.api.client.Client; -import com.sun.jersey.api.client.ClientResponse; +import javax.security.auth.Subject; +import javax.ws.rs.core.MediaType; -public class ElasticsearchClient extends BaseClient { +import java.lang.reflect.Type; +import java.security.PrivilegedAction; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; - private static final Logger LOG = LoggerFactory.getLogger(ElasticsearchClient.class); - - private static final String ELASTICSEARCH_INDEX_API_ENDPOINT = "/_all"; - - private String elasticsearchUrl; - - private String userName; - - public ElasticsearchClient(String serviceName, Map<String, String> configs) { - - super(serviceName, configs, "elasticsearch-client"); - this.elasticsearchUrl = configs.get("elasticsearch.url"); - this.userName = configs.get("username"); - - if (StringUtils.isEmpty(this.elasticsearchUrl)) { - LOG.error("No value found for configuration 'elasticsearch.url'. Elasticsearch resource lookup will fail."); - } - - if (StringUtils.isEmpty(this.userName)) { - LOG.error("No value found for configuration 'username'. Elasticsearch resource lookup will fail."); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Elasticsearch client is build with url: [" + this.elasticsearchUrl + "], user: [" + this.userName - + "]."); - } - } - - public List<String> getIndexList(final String indexMatching, final List<String> existingIndices) { - if (LOG.isDebugEnabled()) { - LOG.debug("Get elasticsearch index list for indexMatching: " + indexMatching + ", existingIndices: " - + existingIndices); - } - Subject subj = getLoginSubject(); - if (subj == null) { - return Collections.emptyList(); - } - - List<String> ret = Subject.doAs(subj, new PrivilegedAction<List<String>>() { - - @Override - public List<String> run() { - - String indexApi = null; - if (StringUtils.isNotEmpty(indexMatching)) { - indexApi = '/' + indexMatching; - if (!indexApi.endsWith("*")) { - indexApi += "*"; - } - } else { - indexApi = ELASTICSEARCH_INDEX_API_ENDPOINT; - } - ClientResponse response = getClientResponse(elasticsearchUrl, indexApi, userName); - - Map<String, Object> index2detailMap = getElasticsearchResourceResponse(response, - new TypeToken<HashMap<String, Object>>() { - }.getType()); - if (MapUtils.isEmpty(index2detailMap)) { - return Collections.emptyList(); - } - - Set<String> indexResponses = index2detailMap.keySet(); - if (CollectionUtils.isEmpty(indexResponses)) { - return Collections.emptyList(); - } - - return filterResourceFromResponse(indexMatching, existingIndices, new ArrayList<>(indexResponses)); - } - }); - - if (LOG.isDebugEnabled()) { - LOG.debug("Get elasticsearch index list result: " + ret); - } - return ret; - } - - private static ClientResponse getClientResponse(String elasticsearchUrl, String elasticsearchApi, String userName) { - String[] elasticsearchUrls = elasticsearchUrl.trim().split("[,;]"); - if (ArrayUtils.isEmpty(elasticsearchUrls)) { - return null; - } - - ClientResponse response = null; - Client client = Client.create(); - for (String currentUrl : elasticsearchUrls) { - if (StringUtils.isBlank(currentUrl)) { - continue; - } - - String url = currentUrl.trim() + elasticsearchApi; - try { - response = getClientResponse(url, client, userName); - - if (response != null) { - if (response.getStatus() == HttpStatus.SC_OK) { - break; - } else { - response.close(); - } - } - } catch (Throwable t) { - String msgDesc = "Exception while getting elasticsearch response, elasticsearchUrl: " + url; - LOG.error(msgDesc, t); - } - } - client.destroy(); - - return response; - } - - private static ClientResponse getClientResponse(String url, Client client, String userName) { - if (LOG.isDebugEnabled()) { - LOG.debug("getClientResponse():calling " + url); - } - - ClientResponse response = client.resource(url).accept(MediaType.APPLICATION_JSON). - header("userName", userName).get(ClientResponse.class); - - if (response != null) { - if (LOG.isDebugEnabled()) { - LOG.debug("getClientResponse():response.getStatus()= " + response.getStatus()); - } - if (response.getStatus() != HttpStatus.SC_OK) { - LOG.warn("getClientResponse():response.getStatus()= " + response.getStatus() + " for URL " + url - + ", failed to get elasticsearch resource list, response= " + response.getEntity(String.class)); - } - } - return response; - } - - private <T> T getElasticsearchResourceResponse(ClientResponse response, Type type) { - T resource = null; - try { - if (response != null && response.getStatus() == HttpStatus.SC_OK) { - String jsonString = response.getEntity(String.class); - Gson gson = new GsonBuilder().setPrettyPrinting().create(); - - resource = gson.fromJson(jsonString, type); - } else { - String msgDesc = "Unable to get a valid response for " + "expected mime type : [" - + MediaType.APPLICATION_JSON + "], elasticsearchUrl: " + elasticsearchUrl - + " - got null response."; - LOG.error(msgDesc); - HadoopException hdpException = new HadoopException(msgDesc); - hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null); - throw hdpException; - } - } catch (HadoopException he) { - throw he; - } catch (Throwable t) { - String msgDesc = "Exception while getting elasticsearch resource response, elasticsearchUrl: " - + elasticsearchUrl; - HadoopException hdpException = new HadoopException(msgDesc, t); - - LOG.error(msgDesc, t); - - hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + DEFAULT_ERROR_MESSAGE, null, - null); - throw hdpException; - - } finally { - if (response != null) { - response.close(); - } - } - return resource; - } - - private static List<String> filterResourceFromResponse(String resourceMatching, List<String> existingResources, - List<String> resourceResponses) { - List<String> resources = new ArrayList<String>(); - for (String resourceResponse : resourceResponses) { - if (CollectionUtils.isNotEmpty(existingResources) && existingResources.contains(resourceResponse)) { - continue; - } - if (StringUtils.isEmpty(resourceMatching) || resourceMatching.startsWith("*") - || resourceResponse.toLowerCase().startsWith(resourceMatching.toLowerCase())) { - if (LOG.isDebugEnabled()) { - LOG.debug("filterResourceFromResponse(): Adding elasticsearch resource " + resourceResponse); - } - resources.add(resourceResponse); - } - } - return resources; - } - - public static Map<String, Object> connectionTest(String serviceName, Map<String, String> configs) { - ElasticsearchClient elasticsearchClient = getElasticsearchClient(serviceName, configs); - List<String> indexList = elasticsearchClient.getIndexList(null, null); - - boolean connectivityStatus = false; - if (CollectionUtils.isNotEmpty(indexList)) { - if (LOG.isDebugEnabled()) { - LOG.debug("ConnectionTest list size " + indexList.size() + " elasticsearch indices."); - } - connectivityStatus = true; - } - - Map<String, Object> responseData = new HashMap<String, Object>(); - if (connectivityStatus) { - String successMsg = "ConnectionTest Successful."; - BaseClient.generateResponseDataMap(connectivityStatus, successMsg, successMsg, null, null, responseData); - } else { - String failureMsg = "Unable to retrieve any elasticsearch indices using given parameters."; - BaseClient.generateResponseDataMap(connectivityStatus, failureMsg, failureMsg + DEFAULT_ERROR_MESSAGE, null, - null, responseData); - } - - return responseData; - } - - public static ElasticsearchClient getElasticsearchClient(String serviceName, Map<String, String> configs) { - ElasticsearchClient elasticsearchClient = null; - if (LOG.isDebugEnabled()) { - LOG.debug("Getting elasticsearchClient for datasource: " + serviceName); - } - if (MapUtils.isEmpty(configs)) { - String msgDesc = "Could not connect elasticsearch as connection configMap is empty."; - LOG.error(msgDesc); - HadoopException hdpException = new HadoopException(msgDesc); - hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null); - throw hdpException; - } else { - elasticsearchClient = new ElasticsearchClient(serviceName, configs); - } - return elasticsearchClient; - } +public class ElasticsearchClient extends BaseClient { + private static final Logger LOG = LoggerFactory.getLogger(ElasticsearchClient.class); + private static final String ELASTICSEARCH_INDEX_API_ENDPOINT = "/_all"; + private String elasticsearchUrl; + private String userName; + + public ElasticsearchClient(String serviceName, Map<String, String> configs) { + super(serviceName, configs, "elasticsearch-client"); + this.elasticsearchUrl = configs.get("elasticsearch.url"); + this.userName = configs.get("username"); + + if (StringUtils.isEmpty(this.elasticsearchUrl)) { + LOG.error("No value found for configuration 'elasticsearch.url'. Elasticsearch resource lookup will fail."); + } + + if (StringUtils.isEmpty(this.userName)) { + LOG.error("No value found for configuration 'username'. Elasticsearch resource lookup will fail."); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("Elasticsearch client is build with url: [" + this.elasticsearchUrl + "], user: [" + this.userName + "]."); + } + } + + public static Map<String, Object> connectionTest(String serviceName, Map<String, String> configs) { + ElasticsearchClient elasticsearchClient = getElasticsearchClient(serviceName, configs); + List<String> indexList = elasticsearchClient.getIndexList(null, null); + + boolean connectivityStatus = false; + if (CollectionUtils.isNotEmpty(indexList)) { + if (LOG.isDebugEnabled()) { + LOG.debug("ConnectionTest list size " + indexList.size() + " elasticsearch indices."); + } + connectivityStatus = true; + } + + Map<String, Object> responseData = new HashMap<String, Object>(); + if (connectivityStatus) { + String successMsg = "ConnectionTest Successful."; + BaseClient.generateResponseDataMap(connectivityStatus, successMsg, successMsg, null, null, responseData); + } else { + String failureMsg = "Unable to retrieve any elasticsearch indices using given parameters."; + BaseClient.generateResponseDataMap(connectivityStatus, failureMsg, failureMsg + DEFAULT_ERROR_MESSAGE, null, null, responseData); + } + + return responseData; + } + + public static ElasticsearchClient getElasticsearchClient(String serviceName, Map<String, String> configs) { + ElasticsearchClient elasticsearchClient = null; + if (LOG.isDebugEnabled()) { + LOG.debug("Getting elasticsearchClient for datasource: " + serviceName); + } + if (MapUtils.isEmpty(configs)) { + String msgDesc = "Could not connect elasticsearch as connection configMap is empty."; + LOG.error(msgDesc); + HadoopException hdpException = new HadoopException(msgDesc); + hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null); + throw hdpException; + } else { + elasticsearchClient = new ElasticsearchClient(serviceName, configs); + } + return elasticsearchClient; + } + + public List<String> getIndexList(final String indexMatching, final List<String> existingIndices) { + if (LOG.isDebugEnabled()) { + LOG.debug("Get elasticsearch index list for indexMatching: " + indexMatching + ", existingIndices: " + existingIndices); + } + Subject subj = getLoginSubject(); + if (subj == null) { + return Collections.emptyList(); + } + + List<String> ret = Subject.doAs(subj, new PrivilegedAction<List<String>>() { + @Override + public List<String> run() { + String indexApi = null; + if (StringUtils.isNotEmpty(indexMatching)) { + indexApi = '/' + indexMatching; + if (!indexApi.endsWith("*")) { + indexApi += "*"; + } + } else { + indexApi = ELASTICSEARCH_INDEX_API_ENDPOINT; + } + ClientResponse response = getClientResponse(elasticsearchUrl, indexApi, userName); + + Map<String, Object> index2detailMap = getElasticsearchResourceResponse(response, new TypeToken<HashMap<String, Object>>() {}.getType()); + if (MapUtils.isEmpty(index2detailMap)) { + return Collections.emptyList(); + } + + Set<String> indexResponses = index2detailMap.keySet(); + if (CollectionUtils.isEmpty(indexResponses)) { + return Collections.emptyList(); + } + + return filterResourceFromResponse(indexMatching, existingIndices, new ArrayList<>(indexResponses)); + } + }); + + if (LOG.isDebugEnabled()) { + LOG.debug("Get elasticsearch index list result: " + ret); + } + return ret; + } + + private static ClientResponse getClientResponse(String elasticsearchUrl, String elasticsearchApi, String userName) { + String[] elasticsearchUrls = elasticsearchUrl.trim().split("[,;]"); + if (ArrayUtils.isEmpty(elasticsearchUrls)) { + return null; + } + + ClientResponse response = null; + Client client = Client.create(); + for (String currentUrl : elasticsearchUrls) { + if (StringUtils.isBlank(currentUrl)) { + continue; + } + + String url = currentUrl.trim() + elasticsearchApi; + try { + response = getClientResponse(url, client, userName); + + if (response != null) { + if (response.getStatus() == HttpStatus.SC_OK) { + break; + } else { + response.close(); + } + } + } catch (Throwable t) { + String msgDesc = "Exception while getting elasticsearch response, elasticsearchUrl: " + url; + LOG.error(msgDesc, t); + } + } + client.destroy(); + + return response; + } + + private static ClientResponse getClientResponse(String url, Client client, String userName) { + if (LOG.isDebugEnabled()) { + LOG.debug("getClientResponse():calling " + url); + } + + ClientResponse response = client.resource(url).accept(MediaType.APPLICATION_JSON).header("userName", userName).get(ClientResponse.class); + + if (response != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("getClientResponse():response.getStatus()= " + response.getStatus()); + } + if (response.getStatus() != HttpStatus.SC_OK) { + LOG.warn("getClientResponse():response.getStatus()= " + response.getStatus() + " for URL " + url + ", failed to get elasticsearch resource list, response= " + response.getEntity(String.class)); + } + } + return response; + } + + private <T> T getElasticsearchResourceResponse(ClientResponse response, Type type) { + T resource = null; + try { + if (response != null && response.getStatus() == HttpStatus.SC_OK) { + String jsonString = response.getEntity(String.class); + Gson gson = new GsonBuilder().setPrettyPrinting().create(); + resource = gson.fromJson(jsonString, type); + } else { + String msgDesc = "Unable to get a valid response for " + "expected mime type : [" + MediaType.APPLICATION_JSON + "], elasticsearchUrl: " + elasticsearchUrl + " - got null response."; + LOG.error(msgDesc); + HadoopException hdpException = new HadoopException(msgDesc); + hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null); + throw hdpException; + } + } catch (HadoopException he) { + throw he; + } catch (Throwable t) { + String msgDesc = "Exception while getting elasticsearch resource response, elasticsearchUrl: " + elasticsearchUrl; + HadoopException hdpException = new HadoopException(msgDesc, t); + + LOG.error(msgDesc, t); + + hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + DEFAULT_ERROR_MESSAGE, null, null); + throw hdpException; + } finally { + if (response != null) { + response.close(); + } + } + return resource; + } + + private static List<String> filterResourceFromResponse(String resourceMatching, List<String> existingResources, List<String> resourceResponses) { + List<String> resources = new ArrayList<String>(); + for (String resourceResponse : resourceResponses) { + if (CollectionUtils.isNotEmpty(existingResources) && existingResources.contains(resourceResponse)) { + continue; + } + if (StringUtils.isEmpty(resourceMatching) || resourceMatching.startsWith("*") || resourceResponse.toLowerCase().startsWith(resourceMatching.toLowerCase())) { + if (LOG.isDebugEnabled()) { + LOG.debug("filterResourceFromResponse(): Adding elasticsearch resource " + resourceResponse); + } + resources.add(resourceResponse); + } + } + return resources; + } } diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchResourceMgr.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchResourceMgr.java index 8ad29712f..647b1da3a 100644 --- a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchResourceMgr.java +++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchResourceMgr.java @@ -19,85 +19,83 @@ package org.apache.ranger.services.elasticsearch.client; -import java.util.List; -import java.util.Map; - import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.ranger.plugin.service.ResourceLookupContext; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class ElasticsearchResourceMgr { - - public static final String INDEX = "index"; - - private static final Logger LOG = LoggerFactory.getLogger(ElasticsearchResourceMgr.class); - - public static Map<String, Object> validateConfig(String serviceName, Map<String, String> configs) throws Exception { - Map<String, Object> ret = null; - - if (LOG.isDebugEnabled()) { - LOG.debug("==> ElasticsearchResourceMgr.validateConfig() serviceName: " + serviceName + ", configs: " - + configs); - } - - try { - ret = ElasticsearchClient.connectionTest(serviceName, configs); - } catch (Exception e) { - LOG.error("<== ElasticsearchResourceMgr.validateConfig() error: " + e); - throw e; - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ElasticsearchResourceMgr.validateConfig() result: " + ret); - } - return ret; - } - - public static List<String> getElasticsearchResources(String serviceName, Map<String, String> configs, - ResourceLookupContext context) { - String userInput = context.getUserInput(); - String resource = context.getResourceName(); - Map<String, List<String>> resourceMap = context.getResources(); - if (LOG.isDebugEnabled()) { - LOG.debug("==> ElasticsearchResourceMgr.getElasticsearchResources() userInput: " + userInput - + ", resource: " + resource + ", resourceMap: " + resourceMap); - } - - if (MapUtils.isEmpty(configs)) { - LOG.error("Connection config is empty!"); - return null; - } - - if (StringUtils.isEmpty(userInput)) { - LOG.warn("User input is empty, set default value : *"); - userInput = "*"; - } - - final ElasticsearchClient elasticsearchClient = ElasticsearchClient.getElasticsearchClient(serviceName, configs); - if (elasticsearchClient == null) { - LOG.error("Failed to getElasticsearchResources!"); - return null; - } - - List<String> resultList = null; - - if (StringUtils.isNotEmpty(resource)) { - switch (resource) { - case INDEX: - List<String> existingConnectors = resourceMap.get(INDEX); - resultList = elasticsearchClient.getIndexList(userInput, existingConnectors); - break; - default: - break; - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ElasticsearchResourceMgr.getElasticsearchResources() result: " + resultList); - } - return resultList; - } +import java.util.List; +import java.util.Map; +public class ElasticsearchResourceMgr { + private static final Logger LOG = LoggerFactory.getLogger(ElasticsearchResourceMgr.class); + public static final String INDEX = "index"; + + private ElasticsearchResourceMgr() { + // to block instantiation + } + + public static Map<String, Object> validateConfig(String serviceName, Map<String, String> configs) throws Exception { + Map<String, Object> ret = null; + + if (LOG.isDebugEnabled()) { + LOG.debug("==> ElasticsearchResourceMgr.validateConfig() serviceName: " + serviceName + ", configs: " + configs); + } + + try { + ret = ElasticsearchClient.connectionTest(serviceName, configs); + } catch (Exception e) { + LOG.error("<== ElasticsearchResourceMgr.validateConfig() error: " + e); + throw e; + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ElasticsearchResourceMgr.validateConfig() result: " + ret); + } + return ret; + } + + public static List<String> getElasticsearchResources(String serviceName, Map<String, String> configs, ResourceLookupContext context) { + String userInput = context.getUserInput(); + String resource = context.getResourceName(); + Map<String, List<String>> resourceMap = context.getResources(); + if (LOG.isDebugEnabled()) { + LOG.debug("==> ElasticsearchResourceMgr.getElasticsearchResources() userInput: " + userInput + ", resource: " + resource + ", resourceMap: " + resourceMap); + } + + if (MapUtils.isEmpty(configs)) { + LOG.error("Connection config is empty!"); + return null; + } + + if (StringUtils.isEmpty(userInput)) { + LOG.warn("User input is empty, set default value : *"); + userInput = "*"; + } + + final ElasticsearchClient elasticsearchClient = ElasticsearchClient.getElasticsearchClient(serviceName, configs); + if (elasticsearchClient == null) { + LOG.error("Failed to getElasticsearchResources!"); + return null; + } + + List<String> resultList = null; + + if (StringUtils.isNotEmpty(resource)) { + switch (resource) { + case INDEX: + List<String> existingConnectors = resourceMap.get(INDEX); + resultList = elasticsearchClient.getIndexList(userInput, existingConnectors); + break; + default: + break; + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ElasticsearchResourceMgr.getElasticsearchResources() result: " + resultList); + } + return resultList; + } } diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilege.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilege.java index 4691a5119..7af57f41b 100644 --- a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilege.java +++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilege.java @@ -14,42 +14,39 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package org.apache.ranger.services.elasticsearch.privilege; import java.util.List; public class IndexPrivilege { + private String privilege; - private String privilege; - - private List<String> actions; - - public IndexPrivilege(String privilege, List<String> actions) { - super(); - this.privilege = privilege; - this.actions = actions; - } + private List<String> actions; - public String getPrivilege() { - return privilege; - } + public IndexPrivilege(String privilege, List<String> actions) { + super(); + this.privilege = privilege; + this.actions = actions; + } - public void setPrivilege(String privilege) { - this.privilege = privilege; - } + public String getPrivilege() { + return privilege; + } - public List<String> getActions() { - return actions; - } + public void setPrivilege(String privilege) { + this.privilege = privilege; + } - public void setActions(List<String> actions) { - this.actions = actions; - } + public List<String> getActions() { + return actions; + } - @Override - public String toString() { - return "IndexPrivilege [privilege=" + privilege + ", actions=" + actions + "]"; - } + public void setActions(List<String> actions) { + this.actions = actions; + } -} \ No newline at end of file + @Override + public String toString() { + return "IndexPrivilege [privilege=" + privilege + ", actions=" + actions + "]"; + } +} diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilegeUtils.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilegeUtils.java index 16e666a61..61a455a25 100644 --- a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilegeUtils.java +++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilegeUtils.java @@ -17,86 +17,81 @@ package org.apache.ranger.services.elasticsearch.privilege; +import org.apache.commons.lang.StringUtils; + import java.util.Arrays; import java.util.LinkedList; import java.util.List; -import org.apache.commons.lang.StringUtils; - public class IndexPrivilegeUtils { - // These privileges have priority, should be matched in order - private static final List<IndexPrivilege> privileges = new LinkedList<>(); - - // External Privileges for users - public static final String ALL = "all"; - public static final String MONITOR = "monitor"; - public static final String MANAGE = "manage"; - public static final String VIEW_INDEX_METADATA = "view_index_metadata"; - public static final String READ = "read"; - public static final String READ_CROSS_CLUSTER = "read_cross_cluster"; - public static final String INDEX = "index"; - public static final String CREATE = "create"; - public static final String DELETE = "delete"; - public static final String WRITE = "write"; - public static final String DELETE_INDEX = "delete_index"; - public static final String CREATE_INDEX = "create_index"; - - // Internal Privileges for Ranger authentication - public static final String INDICES_PUT = "indices_put"; - public static final String INDICES_SEARCH_SHARDS = "indices_search_shards"; - public static final String INDICES_BULK = "indices_bulk"; - public static final String INDICES_INDEX = "indices_index"; - - static { - // First Priority - privileges.add(new IndexPrivilege(VIEW_INDEX_METADATA, - Arrays.asList("indices:admin/aliases/get", "indices:admin/aliases/exists", "indices:admin/get", - "indices:admin/exists", "indices:admin/mappings/fields/get", "indices:admin/mappings/get", - "indices:admin/types/exists", "indices:admin/validate/query", "indices:monitor/settings/get"))); - privileges.add(new IndexPrivilege(READ, Arrays.asList("indices:data/read/"))); - privileges.add( - new IndexPrivilege(READ_CROSS_CLUSTER, Arrays.asList("internal:transport/proxy/indices:data/read/"))); - privileges.add(new IndexPrivilege(INDEX, Arrays.asList("indices:data/write/update"))); - - privileges.add(new IndexPrivilege(DELETE, Arrays.asList("indices:data/write/delete"))); - privileges.add(new IndexPrivilege(DELETE_INDEX, Arrays.asList("indices:admin/delete"))); - privileges.add(new IndexPrivilege(CREATE_INDEX, Arrays.asList("indices:admin/create"))); + // External Privileges for users + public static final String ALL = "all"; + public static final String MONITOR = "monitor"; + public static final String MANAGE = "manage"; + public static final String VIEW_INDEX_METADATA = "view_index_metadata"; + public static final String READ = "read"; + public static final String READ_CROSS_CLUSTER = "read_cross_cluster"; + public static final String INDEX = "index"; + public static final String CREATE = "create"; + public static final String DELETE = "delete"; + public static final String WRITE = "write"; + public static final String DELETE_INDEX = "delete_index"; + public static final String CREATE_INDEX = "create_index"; + // Internal Privileges for Ranger authentication + public static final String INDICES_PUT = "indices_put"; + public static final String INDICES_SEARCH_SHARDS = "indices_search_shards"; + public static final String INDICES_BULK = "indices_bulk"; + public static final String INDICES_INDEX = "indices_index"; + // These privileges have priority, should be matched in order + private static final List<IndexPrivilege> privileges = new LinkedList<>(); - privileges.add(new IndexPrivilege(INDICES_PUT, Arrays.asList("indices:admin/mapping/put"))); - privileges.add(new IndexPrivilege(INDICES_SEARCH_SHARDS, Arrays.asList("indices:admin/shards/search_shards"))); - privileges.add(new IndexPrivilege(INDICES_BULK, Arrays.asList("indices:data/write/bulk"))); - privileges.add(new IndexPrivilege(INDICES_INDEX, Arrays.asList("indices:data/write/index"))); + static { + // First Priority + privileges.add(new IndexPrivilege(VIEW_INDEX_METADATA, Arrays.asList("indices:admin/aliases/get", "indices:admin/aliases/exists", "indices:admin/get", "indices:admin/exists", "indices:admin/mappings/fields/get", "indices:admin/mappings/get", "indices:admin/types/exists", "indices:admin/validate/query", "indices:monitor/settings/get"))); + privileges.add(new IndexPrivilege(READ, Arrays.asList("indices:data/read/"))); + privileges.add(new IndexPrivilege(READ_CROSS_CLUSTER, Arrays.asList("internal:transport/proxy/indices:data/read/"))); + privileges.add(new IndexPrivilege(INDEX, Arrays.asList("indices:data/write/update"))); - // Second Priority - privileges.add(new IndexPrivilege(MONITOR, Arrays.asList("indices:monitor/"))); - privileges.add(new IndexPrivilege(MANAGE, Arrays.asList("indices:admin/"))); - privileges.add(new IndexPrivilege(WRITE, Arrays.asList("indices:data/write/"))); + privileges.add(new IndexPrivilege(DELETE, Arrays.asList("indices:data/write/delete"))); + privileges.add(new IndexPrivilege(DELETE_INDEX, Arrays.asList("indices:admin/delete"))); + privileges.add(new IndexPrivilege(CREATE_INDEX, Arrays.asList("indices:admin/create"))); - // Last Priority - privileges.add( - new IndexPrivilege(ALL, Arrays.asList("indices:", "internal:transport/proxy/indices:", "cluster:"))); + privileges.add(new IndexPrivilege(INDICES_PUT, Arrays.asList("indices:admin/mapping/put"))); + privileges.add(new IndexPrivilege(INDICES_SEARCH_SHARDS, Arrays.asList("indices:admin/shards/search_shards"))); + privileges.add(new IndexPrivilege(INDICES_BULK, Arrays.asList("indices:data/write/bulk"))); + privileges.add(new IndexPrivilege(INDICES_INDEX, Arrays.asList("indices:data/write/index"))); - } + // Second Priority + privileges.add(new IndexPrivilege(MONITOR, Arrays.asList("indices:monitor/"))); + privileges.add(new IndexPrivilege(MANAGE, Arrays.asList("indices:admin/"))); + privileges.add(new IndexPrivilege(WRITE, Arrays.asList("indices:data/write/"))); - /** - * If action is empty or not matched, set default privilege "all". - * @param action - * @return privilege - */ - public static String getPrivilegeFromAction(String action) { - if (StringUtils.isEmpty(action)) { - return ALL; - } + // Last Priority + privileges.add(new IndexPrivilege(ALL, Arrays.asList("indices:", "internal:transport/proxy/indices:", "cluster:"))); + } - for (IndexPrivilege privilege : privileges) { - // Get the privilege of matched action rule in order - for (String actionRule : privilege.getActions()) { - if (action.startsWith(actionRule)) { - return privilege.getPrivilege(); - } - } - } + private IndexPrivilegeUtils() { + // to block instantiation + } - return ALL; - } + /** + * If action is empty or not matched, set default privilege "all". + * + * @param action + * @return privilege + */ + public static String getPrivilegeFromAction(String action) { + if (StringUtils.isEmpty(action)) { + return ALL; + } + for (IndexPrivilege privilege : privileges) { + // Get the privilege of matched action rule in order + for (String actionRule : privilege.getActions()) { + if (action.startsWith(actionRule)) { + return privilege.getPrivilege(); + } + } + } + return ALL; + } }
