http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java deleted file mode 100644 index e58ff60..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java +++ /dev/null 
@@ -1,565 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.xasecure.pdp.config; - -import java.io.BufferedReader; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.FileReader; -import java.io.IOException; -import java.io.InputStream; -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.security.KeyManagementException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; - -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.KeyManager; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.ws.rs.client.Client; -import javax.ws.rs.client.ClientBuilder; -import javax.ws.rs.client.WebTarget; -import javax.ws.rs.core.Response; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import 
org.apache.hadoop.conf.Configuration; -import org.glassfish.jersey.client.ClientConfig; - -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.sun.jersey.client.urlconnection.HTTPSProperties; -import com.xasecure.authorization.hadoop.utils.XaSecureCredentialProvider; -import com.xasecure.pdp.config.gson.PolicyExclusionStrategy; -import com.xasecure.pdp.constants.XaSecureConstants; -import com.xasecure.pdp.model.PolicyContainer; - -public abstract class Jersey2ConfigWatcher extends Thread { - - private static final Log LOG = LogFactory.getLog(Jersey2ConfigWatcher.class); - - public static final String EXPECTED_MIME_TYPE = "application/json" ; - - // public static final String EXPECTED_MIME_TYPE = "application/octet-stream"; - - private static final String LASTUPDATED_PARAM = "epoch"; - private static final String POLICY_COUNT_PARAM = "policyCount"; - private static final String AGENT_NAME_PARAM = "agentId" ; - - private static final int MAX_AGENT_NAME_LEN = 255 ; - - private static final String XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE - = "xasecure.knox.credential.provider.file"; - - private String url; - - private long intervalInMilliSeconds; - - private long lastModifiedTime = 0; - - private boolean shutdownFlag = false; - - private String lastStoredFileName = null; - - protected PolicyContainer policyContainer = null; - - private static PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy(); - - private static XaSecureCredentialProvider xasecurecp = null; - - public abstract void doOnChange(); - - private String credentialProviderFile = null; - private String keyStoreFile = null ; - private String keyStorePassword = null; - private String trustStoreFile = null ; - private String trustStorePassword = null ; - private String keyStoreType = null ; - private String trustStoreType = null ; - private SSLContext sslContext = null ; - private HostnameVerifier hv = null ; - private String agentName = "unknown" ; - - private 
String sslConfigFileName = null ; - - boolean policyCacheLoadedOnce = false; - - public Jersey2ConfigWatcher(String url, long aIntervalInMilliSeconds,String sslConfigFileName,String lastStoredFileName) { - super("XaSecureConfigURLWatcher"); - setDaemon(true); - this.url = url; - intervalInMilliSeconds = aIntervalInMilliSeconds; - this.sslConfigFileName = sslConfigFileName ; - this.agentName = getAgentName(this.url) ; - this.lastStoredFileName = lastStoredFileName; - if (LOG.isInfoEnabled()) { - LOG.info("Creating PolicyRefreshser with url: " + url + - ", refreshInterval(milliSeconds): " + aIntervalInMilliSeconds + - ", sslConfigFileName: " + sslConfigFileName + - ", lastStoredFileName: " + lastStoredFileName); - } - init(); - validateAndRun(); - LOG.debug("Created new ConfigWatcher for URL [" + url + "]"); - } - - - public void init() { - if (sslConfigFileName != null) { - LOG.debug("Loading SSL Configuration from [" + sslConfigFileName - + "]"); - InputStream in = null; - try { - Configuration conf = new Configuration(); - in = getFileInputStream(sslConfigFileName); - if (in != null) { - conf.addResource(in); - } - - if (url.startsWith("https")) { - xasecurecp = XaSecureCredentialProvider.getInstance(); - - keyStoreFile = conf - .get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE); - - credentialProviderFile = conf - .get(XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE); - String keyStorePasswordAlias = XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS; - - char[] v_keyStorePassword = getCredential(credentialProviderFile, - keyStorePasswordAlias); - if (v_keyStorePassword == null) { - keyStorePassword = null; - } else { - keyStorePassword = new String(v_keyStorePassword); - } - - trustStoreFile = conf - .get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE); - - //trustStoreURL = conf - // .get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL); - String trustStorePasswordAlias = 
XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS; - - char[] v_trustStorePassword = getCredential(credentialProviderFile, - trustStorePasswordAlias); - if (v_trustStorePassword == null) { - trustStorePassword = null; - } else { - trustStorePassword = new String(v_trustStorePassword); - } - - keyStoreType = conf - .get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE, - XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT); - trustStoreType = conf - .get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE, - XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT); - } - } catch (IOException ioe) { - LOG.error("Unable to load SSL Config FileName: [" - + sslConfigFileName + "]", ioe); - } finally { - if (in != null) { - try { - in.close(); - } catch (IOException e) { - LOG.error("Unable to close SSL Config FileName: [" - + sslConfigFileName + "]", e); - } - } - } - - LOG.debug("Keystore filename:[" + keyStoreFile + "]"); - LOG.debug("TrustStore filename:[" + trustStoreFile + "]"); - - } - } - - public String getURL() { - return url; - } - - public long getIntervalInMilliSeconds() { - return intervalInMilliSeconds; - } - - public long getLastModifiedTime() { - return lastModifiedTime; - } - - public void run() { - while (!shutdownFlag) { - validateAndRun(); - try { - Thread.sleep(intervalInMilliSeconds); - } catch (InterruptedException e) { - LOG.error("Unable to complete sleep for [" + intervalInMilliSeconds + "]", e); - } - } - } - - private void validateAndRun() { - if (isFileChanged()) { - LOG.debug("Policy has been changed from " + url + " ... 
RELOADING"); - try { - doOnChange(); - } catch (Exception e) { - LOG.error("Unable to complete doOnChange() method on file change [" + url + "]", e); - } - } else { - LOG.debug("No Change found in the policy from " + url); - } - } - - private boolean isFileChanged() { - boolean isChanged = false; - - - try { - - Client client = null; - Response response = null; - - try { - - int policyCount = getPolicyCount(policyContainer); - - if (url.contains("https")) { - // build SSL Client - client = buildSSLClient(); - } - - if (client == null) { - client = ClientBuilder.newClient(); - } - - WebTarget webTarget = client.target(url) - .queryParam(LASTUPDATED_PARAM, String.valueOf(lastModifiedTime)) - .queryParam(POLICY_COUNT_PARAM, String.valueOf(policyCount)) - .queryParam(AGENT_NAME_PARAM, agentName); - - response = webTarget.request().accept(EXPECTED_MIME_TYPE).get(); - - - if (response != null) { - - Boolean responsePresent = true; - int responseStatus = response.getStatus(); - - if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) { - /* If the response is other than 200 and 304 load the policy from the cache */ - isChanged = true; - - } else { - /* - * If Policy Manager is available fetch the policy from - * it - */ - if (response.getStatus() == 200) { - - String entityString = response - .readEntity(String.class); - if (LOG.isDebugEnabled()) { - LOG.debug("JSON response from server: " - + entityString); - } - - Gson gson = new GsonBuilder() - .setPrettyPrinting() - .addDeserializationExclusionStrategy( - policyExclusionStrategy).create(); - PolicyContainer newPolicyContainer = gson.fromJson( - entityString, PolicyContainer.class); - if ((newPolicyContainer.getLastUpdatedTimeInEpoc() > lastModifiedTime) - || (getPolicyCount(newPolicyContainer) != policyCount)) { - policyContainer = newPolicyContainer; - lastModifiedTime = policyContainer - .getLastUpdatedTimeInEpoc(); - isChanged = true; - if (LOG.isDebugEnabled()) { - LOG.debug("Got response: 
200 with {change in lastupdatedTime}\n" - + gson.toJson(newPolicyContainer)); - } - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Got response: 200 with {no-change in lastupdatedTime}\n" - + gson.toJson(newPolicyContainer)); - } - isChanged = false; - } - } else if (response.getStatus() == 304) { - if (LOG.isDebugEnabled()) { - LOG.debug("Got response: 304 "); - } - isChanged = false; // No Change has been there since - // our - // earlier request - } else { - LOG.error("Unable to get a valid response for isFileChanged() call for [" - + url - + "] = response code found [" - + response.getStatus() + "]"); - } - } - - } else { - LOG.error("Unable to get a valid response for isFileChanged() call for [" + url + "] - got null response."); - // force the policy update to get fresh copy - lastModifiedTime = 0; - } - - } finally { - if (response != null) { - response.close(); - } - if (client != null) { - client.close(); - } - } - } catch (Throwable t) { - - Boolean responsePresent = false; - int responseStatus = -1; - - if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) { - /* Successfully found the Policy Cache file and loaded */ - isChanged = true; - } else { - LOG.error("Unable to complete isFileChanged() call for [" + url + "]", t); - // force the policy update to get fresh copy - lastModifiedTime = 0; - LOG.error("Policy file Cache not found.."); - throw new RuntimeException("Unable to find Enterprise Policy Storage"); - } - - } finally { - if (isChanged) { - LOG.info("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime); - } else if (LOG.isDebugEnabled()) { - LOG.debug("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime); - } - } - return isChanged; - } - - public PolicyContainer getPolicyContainer() { - return policyContainer; - } - - private int getPolicyCount(PolicyContainer aPolicyContainer) { - return (aPolicyContainer == null ? 
0 : (aPolicyContainer.getAcl() == null ? 0 : aPolicyContainer.getAcl().size())); - } - - - public synchronized Client buildSSLClient() { - Client client = null; - try { - - ClientConfig config = new ClientConfig(); - - if (sslContext == null) { - - KeyManager[] kmList = null; - TrustManager[] tmList = null; - - if (keyStoreFile != null && keyStorePassword != null) { - - KeyStore keyStore = KeyStore.getInstance(keyStoreType); - InputStream in = null ; - try { - in = getFileInputStream(keyStoreFile) ; - if (in == null) { - LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]"); - return client ; - } - keyStore.load(in, keyStorePassword.toCharArray()); - KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(XaSecureConstants.XASECURE_SSL_KEYMANAGER_ALGO_TYPE); - keyManagerFactory.init(keyStore, keyStorePassword.toCharArray()); - kmList = keyManagerFactory.getKeyManagers(); - } - finally { - if (in != null) { - in.close(); - } - } - - } - - if (trustStoreFile != null && trustStorePassword != null) { - - KeyStore trustStore = KeyStore.getInstance(trustStoreType); - InputStream in = null ; - try { - in = getFileInputStream(trustStoreFile) ; - if (in == null) { - LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]"); - return client ; - } - trustStore.load(in, trustStorePassword.toCharArray()); - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(XaSecureConstants.XASECURE_SSL_TRUSTMANAGER_ALGO_TYPE); - trustManagerFactory.init(trustStore); - tmList = trustManagerFactory.getTrustManagers(); - } - finally { - if (in != null) { - in.close() ; - } - } - } - - sslContext = SSLContext.getInstance(XaSecureConstants.XASECURE_SSL_CONTEXT_ALGO_TYPE); - - sslContext.init(kmList, tmList, new SecureRandom()); - - hv = new HostnameVerifier() { - public boolean verify(String urlHostName, SSLSession session) { - return session.getPeerHost().equals(urlHostName); - } - }; - - } - - 
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hv, sslContext)); - - client = ClientBuilder.newClient(config); - - } catch (KeyStoreException e) { - LOG.error("Unable to obtain from KeyStore", e); - } catch (NoSuchAlgorithmException e) { - LOG.error("SSL algorithm is available in the environment", e); - } catch (CertificateException e) { - LOG.error("Unable to obtain the requested certification ", e); - } catch (FileNotFoundException e) { - LOG.error("Unable to find the necessary SSL Keystore and TrustStore Files", e); - } catch (IOException e) { - LOG.error("Unable to read the necessary SSL Keystore and TrustStore Files", e); - } catch (KeyManagementException e) { - LOG.error("Unable to initials the SSLContext", e); - } catch (UnrecoverableKeyException e) { - LOG.error("Unable to recover the key from keystore", e); - } - return client; - } - - private InputStream getFileInputStream(String fileName) throws IOException { - InputStream in = null ; - - File f = new File(fileName) ; - - if (f.exists()) { - in = new FileInputStream(f) ; - } - else { - in = ClassLoader.getSystemResourceAsStream(fileName) ; - } - return in ; - } - - public static String getAgentName(String aUrl) { - String hostName = null ; - String repoName = null ; - try { - hostName = InetAddress.getLocalHost().getHostName() ; - } catch (UnknownHostException e) { - LOG.error("ERROR: Unable to find hostname for the agent ", e); - hostName = "unknownHost" ; - } - - String[] tokens = aUrl.split("/") ; - - if ( tokens.length > 0 ) { - repoName = tokens[tokens.length-1] ; - } - else { - repoName = "unknownRepo" ; - } - - String agentName = hostName + "-" + repoName ; - - if (agentName.length() > MAX_AGENT_NAME_LEN ) { - agentName = agentName.substring(0,MAX_AGENT_NAME_LEN) ; - } - - return agentName ; - } - - private boolean fetchPolicyfromCahce( Boolean responsePresent, int responseStatus, String lastStoredFileName){ - - boolean cacheFound = false; - - if ( ( 
responsePresent == false ) || ( responseStatus != 200 && responseStatus != 304) ) { - - /* Policy Manager not available read the policy from the last enforced one */ - - if (policyCacheLoadedOnce) { - cacheFound = true; - return cacheFound; - } - - try { - /* read the last stored policy file and load the PolicyContainer */ - LOG.info("Policy Manager not available, using the last stored Policy File" + this.lastStoredFileName ); - LOG.debug("LastStoredFileName when policymgr was available" + this.lastStoredFileName); - - BufferedReader jsonString = new BufferedReader(new FileReader(this.lastStoredFileName)); - Gson gson = new GsonBuilder().setPrettyPrinting().addDeserializationExclusionStrategy(policyExclusionStrategy).create(); - PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class); - policyContainer = newPolicyContainer; - lastModifiedTime = policyContainer.getLastUpdatedTimeInEpoc(); - if (LOG.isDebugEnabled()) { - LOG.debug("Policy Manager not available.Got response =" + responseStatus +"\n" + gson.toJson(newPolicyContainer)); - } - - cacheFound = true; - policyCacheLoadedOnce = true; - - } catch( FileNotFoundException fe ){ - - /* unable to get the last stored policy, raise warning for unavailability of policy cache file and continue...*/ - if ( this.lastStoredFileName == null ) { - LOG.info("Policy cache file not found...XAagent authorization not enabled"); - } - else { - LOG.info("Unable to access Policy cache file...XAagent authorization not enabled"); - } - } - - } - - return cacheFound; - } - - private char[] getCredential(String url, String alias) { - char[] credStr=xasecurecp.getCredentialString(url,alias); - return credStr; - } - -} -
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2PolicyRefresher.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2PolicyRefresher.java b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2PolicyRefresher.java deleted file mode 100644 index 1a1fe79..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2PolicyRefresher.java +++ /dev/null 
@@ -1,207 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.config; - -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.io.PrintWriter; -import java.text.SimpleDateFormat; -import java.util.Date; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.xasecure.pdp.config.gson.PolicyExclusionStrategy; -import com.xasecure.pdp.model.PolicyContainer; - -public class Jersey2PolicyRefresher { - - private static final Log LOG = LogFactory.getLog(Jersey2PolicyRefresher.class); - - private String url ; - private long refreshInterval ; - - private Jersey2ConfigWatcher watcherDaemon = null; - - protected PolicyContainer policyContainer = null ; - - private PolicyChangeListener policyChangeListener = null ; - - private String saveAsFileName = null ; - - private String sslConfigFileName = null ; - - private String lastStoredFileName = null; - - private PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy() ; - - public Jersey2PolicyRefresher(String url, long refreshInterval, String sslConfigFileName, String 
lastStoredFileName) { - if (LOG.isInfoEnabled()) { - LOG.info("Creating PolicyRefreshser with url: " + url + - ", refreshInterval: " + refreshInterval + - ", sslConfigFileName: " + sslConfigFileName + - ", lastStoredFileName: " + lastStoredFileName); - } - this.url = url ; - this.refreshInterval = refreshInterval ; - this.sslConfigFileName = sslConfigFileName ; - this.lastStoredFileName = lastStoredFileName; - checkFileWatchDogThread(); - } - - public PolicyChangeListener getPolicyChangeListener() { - return policyChangeListener; - } - - public synchronized void setPolicyChangeListener(PolicyChangeListener policyChangeListener) { - this.policyChangeListener = policyChangeListener; - if (this.policyContainer != null) { - savePolicyToFile() ; - notifyPolicyChange() ; - } - } - - private void setPolicyContainer(PolicyContainer aPolicyContainer) { - this.policyContainer = aPolicyContainer ; - } - - public PolicyContainer getPolicyContainer() { - return policyContainer ; - } - - public String getSaveAsFileName() { - return saveAsFileName; - } - - public void setSaveAsFileName(String saveAsFileName) { - this.saveAsFileName = saveAsFileName; - } - - public String getSslConfigFileName() { - return sslConfigFileName; - } - - public String getLastStoredFileName() { - return lastStoredFileName; - } - - public void setLastStoredFileName(String lastStoredFileName) { - this.lastStoredFileName = lastStoredFileName; - } - - public void setSslConfigFileName(String sslConfigFileName) { - this.sslConfigFileName = sslConfigFileName; - } - - - private synchronized void checkFileWatchDogThread() { - if (watcherDaemon == null) { - try { - if (LOG.isDebugEnabled()) { - LOG.debug("Starting WatchDog for the Path [" + url + "] ...."); - } - watcherDaemon = new Jersey2ConfigWatcher(url, refreshInterval,sslConfigFileName,this.getLastStoredFileName()) { - public void doOnChange() { - PolicyContainer newPolicyContainer = getPolicyContainer() ; - setPolicyContainer(newPolicyContainer) ; - 
savePolicyToFile() ; - notifyPolicyChange(); - }; - }; - watcherDaemon.start(); - if (LOG.isDebugEnabled()) { - LOG.debug("Completed kick-off of FileWatchDog for the Path [" + url + "] interval in millisecond:" + refreshInterval); - } - } catch (Throwable t) { - LOG.error("Unable to start the FileWatchDog for path [" + url + "]", t); - } - } - } - - private void notifyPolicyChange() { - if (policyChangeListener != null) { - try { - policyChangeListener.OnPolicyChange(policyContainer); - } - catch(Throwable t) { - LOG.error("Error during notification of policy changes to listener [" + policyChangeListener + "]", t) ; - } - finally { - LOG.debug("Completed notification of policy changes to listener [" + policyChangeListener + "]") ; - } - } - } - - - private void savePolicyToFile() { - - LOG.debug("savePolicyToFile() is called with [" + saveAsFileName + "] - START") ; - String fileName = null; - if (saveAsFileName != null) { - String currentDateTime = new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()) ; - fileName = saveAsFileName + "." 
+ currentDateTime ; - File saveFile = new File(fileName) ; - Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ; - String policyAsJson = gson.toJson(policyContainer) ; - PrintWriter writer = null ; - try { - writer = new PrintWriter(new FileWriter(saveFile)) ; - writer.println(policyAsJson) ; - } - catch(IOException ioe) { - LOG.error("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]", ioe); - } - finally { - if (writer != null) { - writer.close(); - } - } - - if (lastStoredFileName != null) { - File lastSaveFileName = new File(lastStoredFileName); - - try { - writer = new PrintWriter(new FileWriter(lastSaveFileName)); - writer.println(policyAsJson); - - } - catch(IOException ioe){ - LOG.error("Unable to save the policy into Last Stored Policy File [" + lastSaveFileName.getAbsolutePath() + "]", ioe ); - } - finally { - //make the policy file cache to be 600 permission when it gets created and updated - lastSaveFileName.setReadable(false,false); - lastSaveFileName.setReadable(true,true); - if (writer != null) { - writer.close(); - } - } - - } - } - - LOG.debug("savePolicyToFile() is called with [" + fileName + "] - END") ; - - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyChangeListener.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyChangeListener.java b/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyChangeListener.java deleted file mode 100644 index e6ce2aa..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyChangeListener.java +++ /dev/null 
@@ -1,26 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.config; - -import com.xasecure.pdp.model.PolicyContainer; - -public interface PolicyChangeListener { - public void OnPolicyChange(PolicyContainer aPolicyContainer) ; -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyRefresher.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyRefresher.java b/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyRefresher.java deleted file mode 100644 index b2e33ff..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/config/PolicyRefresher.java +++ /dev/null 
@@ -1,229 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.config; - -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.io.PrintWriter; -import java.text.SimpleDateFormat; -import java.util.Date; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.xasecure.pdp.config.gson.PolicyExclusionStrategy; -import com.xasecure.pdp.model.PolicyContainer; - -public class PolicyRefresher { - - private static final Log LOG = LogFactory.getLog(PolicyRefresher.class); - - private String url ; - private long refreshInterval ; - - private ConfigWatcher watcherDaemon = null; - - protected PolicyContainer policyContainer = null ; - - private PolicyChangeListener policyChangeListener = null ; - - private String saveAsFileName = null ; - - private String sslConfigFileName = null ; - - private String lastStoredFileName = null; - - private PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy() ; - - public PolicyRefresher(String url, long refreshInterval, String sslConfigFileName, String lastStoredFileName) { - if 
(LOG.isInfoEnabled()) { - LOG.info("Creating PolicyRefreshser with url: " + url + - ", refreshInterval: " + refreshInterval + - ", sslConfigFileName: " + sslConfigFileName + - ", lastStoredFileName: " + lastStoredFileName); - } - this.url = url ; - this.refreshInterval = refreshInterval ; - this.sslConfigFileName = sslConfigFileName ; - this.lastStoredFileName = lastStoredFileName; - checkFileWatchDogThread(); - } - - public PolicyChangeListener getPolicyChangeListener() { - return policyChangeListener; - } - - public synchronized void setPolicyChangeListener(PolicyChangeListener policyChangeListener) { - this.policyChangeListener = policyChangeListener; - if (this.policyContainer != null) { - savePolicyToFile() ; - savePolicyToCacheFile(); - notifyPolicyChange() ; - } - } - - public void setPolicyContainer(PolicyContainer aPolicyContainer) { - this.policyContainer = aPolicyContainer ; - } - - public PolicyContainer getPolicyContainer() { - return policyContainer ; - } - - public String getSaveAsFileName() { - return saveAsFileName; - } - - public void setSaveAsFileName(String saveAsFileName) { - this.saveAsFileName = saveAsFileName; - } - - public String getSslConfigFileName() { - return sslConfigFileName; - } - - public String getLastStoredFileName() { - return lastStoredFileName; - } - - public void setLastStoredFileName(String lastStoredFileName) { - this.lastStoredFileName = lastStoredFileName; - } - - public void setSslConfigFileName(String sslConfigFileName) { - this.sslConfigFileName = sslConfigFileName; - } - - - private synchronized void checkFileWatchDogThread() { - if (watcherDaemon == null) { - try { - if (LOG.isDebugEnabled()) { - LOG.debug("Starting WatchDog for the Path [" + url + "] ...."); - } - watcherDaemon = new ConfigWatcher(url, refreshInterval,sslConfigFileName,this.getLastStoredFileName()) { - public void doOnChange() { - PolicyContainer newPolicyContainer = getPolicyContainer() ; - setPolicyContainer(newPolicyContainer) ; - 
savePolicyToFile() ; - savePolicyToCacheFile(); - notifyPolicyChange(); - }; - }; - watcherDaemon.start(); - if (LOG.isDebugEnabled()) { - LOG.debug("Completed kick-off of FileWatchDog for the Path [" + url + "] interval in millisecond:" + refreshInterval); - } - } catch (Throwable t) { - LOG.error("Unable to start the FileWatchDog for path [" + url + "]", t); - } - } - } - - private void notifyPolicyChange() { - if (policyChangeListener != null) { - try { - policyChangeListener.OnPolicyChange(policyContainer); - } - catch(Throwable t) { - LOG.error("Error during notification of policy changes to listener [" + policyChangeListener + "]", t) ; - } - finally { - LOG.debug("Completed notification of policy changes to listener [" + policyChangeListener + "]") ; - } - } - } - - - private void savePolicyToFile() { - if (watcherDaemon != null && !watcherDaemon.iscacheModfied()) { - // Do not Save the file if the policy is not modified. - return; - } - LOG.debug("savePolicyToFile() is called with [" + saveAsFileName + "] - START") ; - String fileName = null; - if (saveAsFileName != null) { - String currentDateTime = new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()) ; - fileName = saveAsFileName + "." 
+ currentDateTime ; - File saveFile = new File(fileName) ; - Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ; - String policyAsJson = gson.toJson(policyContainer) ; - PrintWriter writer = null ; - try { - writer = new PrintWriter(new FileWriter(saveFile)) ; - writer.println(policyAsJson) ; - } - catch(IOException ioe) { - LOG.warn("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]"); - } - finally { - if (writer != null) { - writer.close(); - } - } - LOG.debug("savePolicyToFile() is called with [" + fileName + "] - END") ; - } - } - - private void savePolicyToCacheFile() { - - if (watcherDaemon != null && !watcherDaemon.iscacheModfied()) { - // Don't Save the file if the policy is not modified. - return; - } - - LOG.debug("savePolicyToCacheFile() is called with [" + lastStoredFileName + "] - START") ; - - if (lastStoredFileName != null) { - - File lastSaveFile = new File(lastStoredFileName) ; - Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ; - String policyAsJson = gson.toJson(policyContainer) ; - PrintWriter writer = null ; - - try { - writer = new PrintWriter(new FileWriter(lastSaveFile)); - writer.println(policyAsJson); - - } - catch(IOException ioe){ - LOG.warn("Unable to save the policy into Last Stored Policy File [" + lastSaveFile.getAbsolutePath() + "]"); - } - finally { - //make the policy file cache to be 600 permission when it gets created and updated - lastSaveFile.setReadable(false,false); - lastSaveFile.setWritable(false,false); - lastSaveFile.setReadable(true,true); - lastSaveFile.setWritable(true,true); - if (writer != null) { - writer.close(); - } - } - - } - - LOG.debug("savePolicyToCacheFile() is called with [" + lastStoredFileName + "] - END") ; - - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/config/gson/ExcludeSerialization.java 
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/gson/ExcludeSerialization.java b/agents-impl/src/main/java/com/xasecure/pdp/config/gson/ExcludeSerialization.java
deleted file mode 100644
index 29c6646..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/config/gson/ExcludeSerialization.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.config.gson;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.FIELD})
-
-public @interface ExcludeSerialization {
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/config/gson/PolicyExclusionStrategy.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/gson/PolicyExclusionStrategy.java b/agents-impl/src/main/java/com/xasecure/pdp/config/gson/PolicyExclusionStrategy.java
deleted file mode 100644
index fa1ee70..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/config/gson/PolicyExclusionStrategy.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.config.gson;
-
-import com.google.gson.ExclusionStrategy;
-import com.google.gson.FieldAttributes;
-
-public class PolicyExclusionStrategy implements ExclusionStrategy {
-
- @Override
- public boolean shouldSkipClass(Class<?> objectClass) {
- return (objectClass.getAnnotation(ExcludeSerialization.class) != null) ;
- }
-
- @Override
- public boolean shouldSkipField(FieldAttributes aFieldAttributes) {
- return (aFieldAttributes.getAnnotation(ExcludeSerialization.class) != null) ;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/constants/XaSecureConstants.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/constants/XaSecureConstants.java b/agents-impl/src/main/java/com/xasecure/pdp/constants/XaSecureConstants.java
deleted file mode 100644
index db2552c..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/constants/XaSecureConstants.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.constants;
-
-public class XaSecureConstants {
- public static final String PUBLIC_ACCESS_ROLE = "public" ;
-
- public static final String XASECURE_HBASE_POLICYMGR_URL_PROP = "xasecure.hbase.policymgr.url";
- public static final String XASECURE_HBASE_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hbase.policymgr.url.saveAsFile";
- public static final String XASECURE_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hbase.policymgr.url.reloadIntervalInMillis";
- public static final String XASECURE_HBASE_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hbase.policymgr.ssl.config";
- public static final long XASECURE_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
- public static final String XASECURE_HBASE_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hbase.policymgr.url.laststoredfile";
-
- public static final String XASECURE_HDFS_POLICYMGR_URL_PROP = "xasecure.hdfs.policymgr.url";
- public static final String XASECURE_HDFS_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hdfs.policymgr.url.saveAsFile";
- public static final String XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hdfs.policymgr.url.reloadIntervalInMillis";
- public static final String XASECURE_HDFS_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hdfs.policymgr.ssl.config";
- public static final long XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
- public static final String XASECURE_HDFS_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hdfs.policymgr.url.laststoredfile";
-
-
- public static final String XASECURE_KNOX_POLICYMGR_URL_PROP = "xasecure.knox.policymgr.url";
- public static final String XASECURE_KNOX_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.knox.policymgr.url.saveAsFile";
- public static final String XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.knox.policymgr.url.reloadIntervalInMillis";
- public static final String XASECURE_KNOX_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.knox.policymgr.ssl.config";
- public static final long XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
- public static final String XASECURE_KNOX_LAST_SAVED_POLICY_FILE_PROP = "xasecure.knox.policymgr.url.laststoredfile";
-
-
- public static final String XASECURE_HIVE_POLICYMGR_URL_PROP = "xasecure.hive.policymgr.url";
- public static final String XASECURE_HIVE_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hive.policymgr.url.saveAsFile";
- public static final String XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hive.policymgr.url.reloadIntervalInMillis";
- public static final String XASECURE_HIVE_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hive.policymgr.ssl.config";
- public static final long XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
- public static final String XASECURE_HIVE_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hive.policymgr.url.laststoredfile";
-
-
- // xasecure 2-way ssl configuration
-
- public static final String XASECURE_POLICYMGR_CLIENT_KEY_FILE = "xasecure.policymgr.clientssl.keystore";
- public static final String XASECURE_POLICYMGR_CLIENT_KEY_FILE_PASSWORD = "xasecure.policymgr.clientssl.keystore.password";
- public static final String XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE = "xasecure.policymgr.clientssl.keystore.type";
- public static final String XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL = "xasecure.policymgr.clientssl.keystore.credential.file";
- public static final String XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS = "sslKeyStore";
-
- public static final String XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT = "jks";
-
- public static final String XASECURE_POLICYMGR_TRUSTSTORE_FILE = "xasecure.policymgr.clientssl.truststore";
- public static final String XASECURE_POLICYMGR_TRUSTSTORE_FILE_PASSWORD = "xasecure.policymgr.clientssl.truststore.password";
- public static final String XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE = "xasecure.policymgr.clientssl.truststore.type";
- public static final String XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL = "xasecure.policymgr.clientssl.truststore.credential.file";
- public static final String XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS = "sslTrustStore";
-
- public static final String XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT = "jks";
-
-
- public static final String XASECURE_SSL_KEYMANAGER_ALGO_TYPE = "SunX509" ;
- public static final String XASECURE_SSL_TRUSTMANAGER_ALGO_TYPE = "SunX509" ;
- public static final String XASECURE_SSL_CONTEXT_ALGO_TYPE = "SSL" ;
-
-
-
- public static final String XASECURE_STORM_POLICYMGR_URL_PROP = "xasecure.storm.policymgr.url";
- public static final String XASECURE_STORM_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.storm.policymgr.url.saveAsFile";
- public static final String XASECURE_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.storm.policymgr.url.reloadIntervalInMillis";
- public static final String XASECURE_STORM_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.storm.policymgr.ssl.config";
- public static final long XASECURE_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
- public static final String XASECURE_STORM_LAST_SAVED_POLICY_FILE_PROP = "xasecure.storm.policymgr.url.laststoredfile";
-
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthDB.java
deleted file mode 100644
index 1a039cb..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthDB.java
+++ /dev/null
@@ -1,489 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.hbase; - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; - -import org.apache.commons.io.FilenameUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.access.Permission.Action; -import org.apache.hadoop.hbase.security.access.UserPermission; -import org.apache.hadoop.hbase.util.Bytes; -import org.apache.hadoop.util.StringUtils; - -import com.xasecure.authorization.hbase.HBaseAccessController; -import com.xasecure.pdp.constants.XaSecureConstants; - -public class HBaseAuthDB implements HBaseAccessController { - - private static final long MAX_CACHE_AUDIT_ENTRIES = 1000L ; - private static final long MAX_CACHE_ENCRYPT_ENTRIES = 1000L ; - - private static final Log LOG = LogFactory.getLog(HBaseAuthDB.class) ; - - private ArrayList<HBaseAuthRules> ruleList = null; - private ArrayList<HBaseAuthRules> globalList = null; - private ArrayList<HBaseAuthRules> tableList = null; - - private ArrayList<String> auditList = 
null ; - private HashMap<byte[],Boolean> cachedAuditTable = new HashMap<byte[],Boolean>() ; - - private ArrayList<String> encryptList = null ; - - private HashSet<String> encryptTableList = null ; - private HashMap<byte[],Boolean> cachedEncryptedTable = new HashMap<byte[],Boolean>() ; - - - public HBaseAuthDB(ArrayList<HBaseAuthRules> ruleList, ArrayList<String> auditList, ArrayList<String> encryptList) { - - if (LOG.isDebugEnabled()) { - LOG.debug("+Creating HBaseAuthDB is creating with ruleList [" + (ruleList == null ? 0 : ruleList.size()) + "]" ); - } - - this.auditList = auditList; - this.encryptList = encryptList; - - - this.ruleList = new ArrayList<HBaseAuthRules>() ; - this.globalList = new ArrayList<HBaseAuthRules>() ; - this.tableList = new ArrayList<HBaseAuthRules>() ; - - for(HBaseAuthRules rule : ruleList ) { - if (rule.isGlobalRule()) { - this.globalList.add(rule) ; - if (LOG.isDebugEnabled()) { - LOG.debug("RULE:[" + rule + "] is being added as GLOBAL Policy"); - } - } - else if (rule.isTableRule()) { - this.tableList.add(rule) ; - if (LOG.isDebugEnabled()) { - LOG.debug("RULE:[" + rule + "] is being added as Table Policy"); - } - } - else { - this.ruleList.add(rule) ; - if (LOG.isDebugEnabled()) { - LOG.debug("RULE:[" + rule + "] is being added as non-global, non-table Policy"); - } - } - } - - this.encryptTableList = new HashSet<String>() ; - - if (encryptList != null && encryptList.size() > 0) { - for(String encryptKey : encryptList) { - String[] objKeys = encryptKey.split("/") ; - String tableName = objKeys[0] ; - if (! 
encryptTableList.contains(tableName)) { - encryptTableList.add(tableName) ; - if (LOG.isDebugEnabled()) { - LOG.debug("EncryptionList:[" + tableName + "] is being added encrypted table."); - } - } - } - } - - - } - - - public boolean isAccessAllowed(User user, Action accessAction) { - - - String access = accessAction.toString().toLowerCase() ; - - if (user == null) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(GLOBAL," + access + ") => [FALSE] as user passed for check was null."); - } - return false ; - } - - - String username = user.getShortName() ; - - String[] groups = user.getGroupNames() ; - - if (LOG.isDebugEnabled()) { - LOG.debug("Init of Global access Verification - [" + access + "] for user [" + username + "], groups: [" + Arrays.toString(groups) + "]"); - } - - for (HBaseAuthRules rule : globalList) { - - if (rule.getAccessType().equals(access)) { - - String authorizedUser = rule.getUser() ; - String authorizedGroup = rule.getGroup(); - - if (authorizedGroup != null) { - if (XaSecureConstants.PUBLIC_ACCESS_ROLE.equals(authorizedGroup)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true ; - } - - for (String group : groups) { - if (group.equals(authorizedGroup)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true; - } - } - } - - if (authorizedUser != null) { - if (username.equals(authorizedUser)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true; - } - } - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(GLOBAL," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [FALSE] as it 
did not match any rules."); - } - - return false; - } - - public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) { - - - if ( isAccessAllowed(user,accessAction)) { // Check Global Action - return true ; - } - - String tableNameStr = Bytes.toString(tableName) ; - - String access = accessAction.toString().toLowerCase() ; - - if (user == null) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + tableNameStr + "," + access + ") => [FALSE] as user passed for check was null."); - } - return false ; - } - - String username = user.getShortName() ; - - String[] groups = user.getGroupNames() ; - - if (LOG.isDebugEnabled()) { - LOG.debug("Init of Table access Verification - [" + access + "] for user [" + username + "], groups: [" + Arrays.toString(groups) + "], tableName: [" + tableNameStr + "]"); - } - - for (HBaseAuthRules rule : tableList) { - - if (rule.isTableNameMatched(tableNameStr)) { - if (rule.getAccessType().equals(access)) { - - String authorizedUser = rule.getUser() ; - - String authorizedGroup = rule.getGroup(); - - if (authorizedGroup != null) { - if (XaSecureConstants.PUBLIC_ACCESS_ROLE.equals(authorizedGroup)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true ; - } - - for (String group : groups) { - if (group.equals(authorizedGroup)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true; - } - } - } - if (authorizedUser != null && username.equals(authorizedUser)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true; - } - } - } - } - - if 
(LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + tableNameStr + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [FALSE] as it did not match any rules."); - } - - return false; - } - - - - - - - public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) { - - String FQColName = getFullyQualifiedColumnName(tableName, columnFamily, qualifier) ; - - String access = accessAction.toString().toLowerCase() ; - - if (LOG.isDebugEnabled()) { - LOG.debug("isAccessAllowed on HBaseAuthDB: for FQColName [" + FQColName + "]"); - } - - - if (user == null) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + FQColName + "," + access + ") => [FALSE] as as user passed for check was null."); - } - return false ; - } - - - if (isAccessAllowed(user, accessAction)) { // Check Global Action - return true ; - } - - if (isAccessAllowed(user,tableName, accessAction)) { // Check Table Action - return true; - } - - - String username = user.getShortName() ; - - String[] groups = user.getGroupNames() ; - - if (LOG.isDebugEnabled()) { - LOG.debug("Init of Table access Verification - [" + access + "] for user [" + username + "], groups: [" + Arrays.toString(groups) + "], FQColumnFamily: [" + FQColName + "]"); - } - - for (HBaseAuthRules rule : ruleList) { - - if (rule.isMatched(FQColName)) { - if (LOG.isDebugEnabled()) { - LOG.debug("Rule [" + rule + "] matched [" + FQColName + "]"); - } - if (rule.getAccessType().equals(access)) { - if (LOG.isDebugEnabled()) { - LOG.debug("Access [" + rule.getAccessType() + "] matched [" + access + "]"); - } - String authorizedUser = rule.getUser() ; - - String authorizedGroup = rule.getGroup(); - - if (authorizedGroup != null) { - if (XaSecureConstants.PUBLIC_ACCESS_ROLE.equals(authorizedGroup)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched 
for rule: " + rule); - } - return true ; - } - for (String group : groups) { - if (group.equals(authorizedGroup)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true; - } - } - } - - if (authorizedUser != null) { - if (username.equals(authorizedUser)) { - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [TRUE] as matched for rule: " + rule); - } - return true; - } - } - } - else { - if (LOG.isDebugEnabled()) { - LOG.debug("Access [" + rule.getAccessType() + "] DID NOT match [" + access + "]"); - } - } - } - else { - if (LOG.isDebugEnabled()) { - LOG.debug("Rule [" + rule + "] not matched [" + FQColName + "]"); - } - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("rulecheck(" + FQColName + "," + access + "," + username + "," + StringUtils.arrayToString(groups) + ") => [FALSE] as it did not match any rules."); - } - - return false; - - } - - public boolean isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) { - String colName = getFullyQualifiedColumnName(tableName, columnFamily, qualifier) ; - for(String encryptable : encryptList) { - if (FilenameUtils.wildcardMatch(colName,encryptable)) { - return true ; - } - } - return false; - } - - public boolean isAudited(byte[] tableName) { - Boolean ret = cachedAuditTable.get(tableName) ; - if (ret == null) { - ret = isAuditedFromTableList(tableName) ; - synchronized(cachedAuditTable) { - if (cachedAuditTable.size() > MAX_CACHE_AUDIT_ENTRIES) { - cachedAuditTable.clear(); - } - cachedAuditTable.put(tableName,ret) ; - } - } - return ret.booleanValue(); - } - - private boolean isAuditedFromTableList(byte[] tableName) { - boolean ret = false ; - String tableNameStr = Bytes.toString(tableName) ; - for(String auditable : auditList) { - if 
(FilenameUtils.wildcardMatch(tableNameStr,auditable)) { - ret = true ; - break ; - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("isAudited(" + tableNameStr + "):" + ret) ; - } - - return ret; - } - - - public boolean isTableHasEncryptedColumn(byte[] tableName) { - Boolean ret = cachedEncryptedTable.get(tableName) ; - if (ret == null) { - ret = isTableHasEncryptedColumnFromTableList(tableName) ; - synchronized(cachedEncryptedTable) { - if (cachedEncryptedTable.size() > MAX_CACHE_ENCRYPT_ENTRIES) { - cachedEncryptedTable.clear(); - } - cachedEncryptedTable.put(tableName, ret) ; - } - } - return ret.booleanValue() ; - } - - - private boolean isTableHasEncryptedColumnFromTableList(byte[] tableName) - { - boolean ret = false ; - - String tableNameStr = Bytes.toString(tableName) ; - - for(String encryptTable : encryptTableList) { - ret = FilenameUtils.wildcardMatch(tableNameStr, encryptTable) ; - if (ret) { - break ; - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("isTableHasEncryptedColumn(" + tableNameStr + "):" + ret); - } - - return ret ; - } - - - - public static String getFullyQualifiedColumnName(byte[] tableName, byte[] columnFamily, byte[] qualifier) { - StringBuilder sb = new StringBuilder() ; - - sb.append(((tableName != null && tableName.length > 0) ? Bytes.toString(tableName) : "*")) - .append("/") - .append(((columnFamily != null && columnFamily.length > 0) ? Bytes.toString(columnFamily) : "*")) - .append("/") - .append(((qualifier != null && qualifier.length > 0) ? 
Bytes.toString(qualifier) : "*")) ; - - return sb.toString() ; - } - - public List<UserPermission> getUserPermissions(User user) { - List<UserPermission> ret = new ArrayList<UserPermission>() ; - - if (user != null) { - ArrayList<ArrayList<HBaseAuthRules>> allList = new ArrayList<ArrayList<HBaseAuthRules>>(); - allList.add(globalList) ; - allList.add(tableList) ; - allList.add(ruleList) ; - for(ArrayList<HBaseAuthRules> rList : allList) { - for(HBaseAuthRules rule : rList) { - UserPermission perm = rule.getUserPermission(user) ; - if (perm != null) { - ret.add(perm) ; - } - } - } - } - - return ret ; - } - - public List<UserPermission> getUserPermissions(User user, byte[] tableName) { - - String tableNameStr = Bytes.toString(tableName) ; - - List<UserPermission> ret = new ArrayList<UserPermission>() ; - - if (user != null) { - ArrayList<ArrayList<HBaseAuthRules>> allList = new ArrayList<ArrayList<HBaseAuthRules>>(); - allList.add(globalList) ; - allList.add(tableList) ; - allList.add(ruleList) ; - for(ArrayList<HBaseAuthRules> rList : allList) { - for(HBaseAuthRules rule : rList) { - if (rule.isTableNameMatched(tableNameStr)) { - UserPermission perm = rule.getUserPermission(user) ; - if (perm != null) { - ret.add(perm) ; - } - } - } - } - } - - return ret ; - } - - - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthRules.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthRules.java b/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthRules.java deleted file mode 100644 index 4a6ca53..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/hbase/HBaseAuthRules.java +++ /dev/null 
@@ -1,135 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hbase;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hbase.TableName;
-import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.Permission;
-import org.apache.hadoop.hbase.security.access.UserPermission;
-
-import com.xasecure.pdp.constants.XaSecureConstants;
-
-public class HBaseAuthRules {
- private String tableName ;
- private String columnGroupName;
- private String columnName ;
- private String accessType ;
- private String group ;
- private String user ;
- private String fullyQualifiedColumnName ;
-
- private static final Log LOG = LogFactory.getLog(HBaseAuthRules.class) ;
-
- public HBaseAuthRules(String tableName, String columnGroupName, String columnName, String accessType, String user, String group) {
- this.tableName = tableName;
- this.columnGroupName = columnGroupName;
- this.columnName = columnName;
- if (accessType != null) {
- this.accessType = accessType.toLowerCase() ;
- }
- this.user = user ;
- this.group = group;
- this.fullyQualifiedColumnName = tableName + "/" + columnGroupName + "/" + columnName ;
- }
-
- public String getTableName() {
- return tableName;
- }
- public String getColumnGroupName() {
- return columnGroupName;
- }
- public String getColumnName() {
- return columnName;
- }
- public String getAccessType() {
- return accessType;
- }
- public String getGroup() {
- return group;
- }
-
- public String getUser() {
- return user;
- }
-
- @Override
- public String toString() {
- return "table: " + tableName + ", columnGroup:" + columnGroupName + ", columnName: " + columnName + ", accessType: " + accessType + ", user:" + user + ", group: " + group ;
- }
-
- public boolean isMatched(String FQColName) {
- return FQColName.equals(fullyQualifiedColumnName) || FilenameUtils.wildcardMatch(FQColName,fullyQualifiedColumnName) ;
- }
-
- public boolean isGlobalRule() {
- return ("*".equals(tableName) && "*".equals(columnGroupName) && "*".equals(columnName)) ;
- }
-
- public boolean isTableRule() {
- return ( ("*".equals(columnGroupName) && "*".equals(columnName)) || ("admin".equals(accessType) || "control".equals(accessType)) ) ;
- }
-
- public boolean isTableNameMatched(String tableNameStr) {
- boolean ret = (tableNameStr == null) || (tableNameStr.equals(tableName)) || FilenameUtils.wildcardMatch(tableNameStr,tableName) ;
- if (LOG.isDebugEnabled()) {
- LOG.debug("TableMatched returns (" + tableNameStr + ", rule:" + tableName + ") returns: " + ret );
- }
- return ret ;
- }
-
- public UserPermission getUserPermission(User aUser) {
-
- if (user == null) {
- return null ;
- }
-
- Permission.Action action = null ;
-
- try {
- action = Permission.Action.valueOf(accessType.toUpperCase()) ;
- } catch (Throwable e) {
- return null ;
- }
-
- if (XaSecureConstants.PUBLIC_ACCESS_ROLE.equals(group)) {
- return new UserPermission("public".getBytes(), TableName.valueOf ( tableName ) , columnGroupName.getBytes(), columnName.getBytes(), action) ;
- }
-
- if (user != null) {
- if (aUser.getShortName().equals(user)) {
- return new UserPermission(("user:(" + aUser.getShortName() + ")").getBytes(), TableName.valueOf( tableName ) , columnGroupName.getBytes(), columnName.getBytes(), action) ;
- }
- }
-
- if (group != null) {
- for (String ugroups : aUser.getGroupNames()) {
- if (ugroups.equals(group)) {
- return new UserPermission(("group:(" + ugroups + ")").getBytes(), TableName.valueOf( tableName ) , columnGroupName.getBytes(), columnName.getBytes(), action) ;
- }
- }
- }
-
- return null;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hbase/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hbase/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hbase/URLBasedAuthDB.java
deleted file mode 100644
index 9e599b8..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hbase/URLBasedAuthDB.java
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hbase;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.Permission.Action;
-import org.apache.hadoop.hbase.security.access.UserPermission;
-
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.authorization.hbase.HBaseAccessController;
-import com.xasecure.pdp.config.PolicyChangeListener;
-import com.xasecure.pdp.config.PolicyRefresher;
-import com.xasecure.pdp.constants.XaSecureConstants;
-import com.xasecure.pdp.model.Policy;
-import com.xasecure.pdp.model.PolicyContainer;
-import com.xasecure.pdp.model.RolePermission;
-
-public class URLBasedAuthDB implements HBaseAccessController, PolicyChangeListener {
-
- private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class);
-
- private HBaseAuthDB authDB = null;
-
- private static URLBasedAuthDB me = null ;
-
- private PolicyRefresher refresher = null ;
-
- public static URLBasedAuthDB getInstance() {
- if (me == null) {
- synchronized(URLBasedAuthDB.class) {
- URLBasedAuthDB temp = me ;
- if (temp == null) {
- me = new URLBasedAuthDB() ;
- me.init() ;
- }
- }
- }
- return me ;
- }
-
-
- private URLBasedAuthDB() {
- String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HBASE_POLICYMGR_URL_PROP);
- long refreshInMilli = XaSecureConfiguration.getInstance().getLong(
- XaSecureConstants.XASECURE_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP,
- XaSecureConstants.XASECURE_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
-
- String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HBASE_LAST_SAVED_POLICY_FILE_PROP) ;
-
- String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HBASE_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
- refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
-
- String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HBASE_POLICYMGR_URL_SAVE_FILE_PROP) ;
- if (saveAsFileName != null) {
- refresher.setSaveAsFileName(saveAsFileName) ;
- }
-
- if (lastStoredFileName != null) {
- refresher.setLastStoredFileName(lastStoredFileName);
- }
- }
-
- private void init() {
- refresher.setPolicyChangeListener(this);
- }
-
- public boolean isAccessAllowed(User user, Action accessAction) {
- if (authDB != null) {
- return authDB.isAccessAllowed(user, accessAction);
- } else {
- return false;
- }
- }
-
- public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) {
- if (authDB != null) {
- return authDB.isAccessAllowed(user, tableName, accessAction);
- } else {
- return false;
- }
- }
-
-
- public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) {
- if (authDB != null) {
- return authDB.isAccessAllowed(user, tableName, columnFamily, qualifier, accessAction);
- } else {
- return false;
- }
- }
-
- public boolean isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) {
- if (authDB != null) {
- return authDB.isEncrypted(tableName, columnFamily, qualifier);
- } else {
- return false;
- }
- }
-
- public boolean isTableHasEncryptedColumn(byte[] tableName) {
- if (authDB != null) {
- return authDB.isTableHasEncryptedColumn(tableName);
- } else {
- return false;
- }
- }
-
-
- public boolean isAudited(byte[] tableName) {
- if (authDB != null) {
- return authDB.isAudited(tableName);
- } else {
- return false;
- }
- }
-
- public List<UserPermission> getUserPermissions(User aUser) {
- if (authDB != null) {
- return authDB.getUserPermissions(aUser) ;
- } else {
- return null;
- }
- }
-
- public List<UserPermission> getUserPermissions(User aUser, byte[] aTableName) {
- if (authDB != null) {
- return authDB.getUserPermissions(aUser, aTableName) ;
- } else {
- return null;
- }
- }
-
- @Override
- public void OnPolicyChange(PolicyContainer aPolicyContainer) {
-
- if (aPolicyContainer == null) {
- return ;
- }
-
- ArrayList<HBaseAuthRules> ruleListTemp = new ArrayList<HBaseAuthRules>();
-
- HBaseAuthRules globalRule = new HBaseAuthRules(".META.", "*", "*", "read", null, XaSecureConstants.PUBLIC_ACCESS_ROLE) ;
- ruleListTemp.add(globalRule) ;
- globalRule = new HBaseAuthRules("-ROOT-", "*", "*", "read", null, XaSecureConstants.PUBLIC_ACCESS_ROLE) ;
- ruleListTemp.add(globalRule) ;
-
- ArrayList<String> auditListTemp = new ArrayList<String>();
-
- ArrayList<String> encryptList = new ArrayList<String>();
-
- for(Policy acl : aPolicyContainer.getAcl()) {
-
- if (! acl.isEnabled()) {
- LOG.debug("Diabled acl found [" + acl + "]. Skipping this acl ...") ;
- continue ;
- }
-
- for(String table : acl.getTableList()) {
- for(String colfamily : acl.getColumnFamilyList()) {
- for(String col : acl.getColumnList()) {
- if (table == null || table.isEmpty()) {
- table = "*" ;
- }
- if (colfamily == null || colfamily.isEmpty()) {
- colfamily = "*" ;
- }
- if (col == null || col.isEmpty()) {
- col = "*" ;
- }
-
- if (acl.getAuditInd() == 1) {
- if (!auditListTemp.contains(table)) {
- LOG.debug("Adding [" + table + "] to audit list");
- auditListTemp.add(table);
- }
- }
-
- if (acl.getEncryptInd() == 1) {
- String fqn = table + "/" + colfamily + "/" + col ;
- if (!encryptList.contains(fqn)) {
- LOG.debug("Adding [" + fqn + "] to encrypt list");
- encryptList.add(fqn);
- }
- }
-
- for(RolePermission rp : acl.getPermissions()) {
- for (String accessLevel : rp.getAccess() ) {
- if (rp.getGroups() != null && rp.getGroups().size() > 0) {
- for (String group : rp.getGroups()) {
- HBaseAuthRules rule = new HBaseAuthRules(table, colfamily, col, accessLevel, null, group);
- LOG.debug("Adding (group) rule: [" + rule + "]") ;
- ruleListTemp.add(rule);
- }
- }
- if (rp.getUsers() != null && rp.getUsers().size() > 0) {
- for (String user : rp.getUsers()) {
- HBaseAuthRules rule = new HBaseAuthRules(table, colfamily, col, accessLevel, user, null);
- LOG.debug("Adding (user) rule: [" + rule + "]") ;
- ruleListTemp.add(rule);
- }
- }
- }
- }
- }
- }
- }
- }
- HBaseAuthDB authDBTemp = new HBaseAuthDB(ruleListTemp, auditListTemp, encryptList);
- authDB = authDBTemp;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java
deleted file mode 100644
index d066070..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hbase;
-
-import java.util.List;
-
-import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.Permission.Action;
-import org.apache.hadoop.hbase.security.access.UserPermission;
-
-import com.xasecure.authorization.hbase.HBaseAccessController;
-
-public class XASecureAuthorizer implements HBaseAccessController {
-
- private HBaseAccessController authDB = URLBasedAuthDB.getInstance();
-
- @Override
- public boolean isAccessAllowed(User user, Action accessAction) {
- if (authDB != null) {
- return authDB.isAccessAllowed(user, accessAction);
- } else {
- return false;
- }
- }
-
- @Override
- public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) {
- if (authDB != null) {
- return authDB.isAccessAllowed(user, tableName, accessAction);
- } else {
- return false;
- }
- }
-
-
- @Override
- public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) {
- if (authDB != null) {
- return authDB.isAccessAllowed(user, tableName, columnFamily, qualifier, accessAction);
- } else {
- return false;
- }
- }
-
- @Override
- public boolean isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) {
- if (authDB != null) {
- return authDB.isEncrypted(tableName, columnFamily, qualifier);
- } else {
- return false;
- }
- }
-
- @Override
- public boolean isTableHasEncryptedColumn(byte[] tableName) {
- if (authDB != null) {
- return authDB.isTableHasEncryptedColumn(tableName);
- } else {
- return false;
- }
- }
-
-
- @Override
- public boolean isAudited(byte[] tableName) {
- if (authDB != null) {
- return authDB.isAudited(tableName);
- } else {
- return false;
- }
- }
-
- @Override
- public List<UserPermission> getUserPermissions(User aUser) {
- if (authDB != null) {
- return authDB.getUserPermissions(aUser) ;
- } else {
- return null;
- }
- }
-
- @Override
- public List<UserPermission> getUserPermissions(User aUser, byte[] aTableName) {
- if (authDB != null) {
- return authDB.getUserPermissions(aUser, aTableName) ;
- } else {
- return null;
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java
deleted file mode 100644
index 327c404..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.hdfs;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Random;
-
-import org.apache.commons.io.FilenameUtils;
-
-public class AdminPolicyChecker {
-
- private static final String PATH_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst0123456789-_." ;
- private static char[] PATH_CHAR_SET = PATH_CHARS.toCharArray() ;
- private static int PATH_CHAR_SET_LEN = PATH_CHAR_SET.length ;
-
-
- public static List<String> adminUserList = new ArrayList<String>() ; // "[email protected]"
- public static List<String> adminGroupList = new ArrayList<String>() ;
-
- static {
- adminUserList.add("[email protected]") ;
- adminGroupList.add("policymgradmin") ;
- }
-
-
- public void checkAdminAccessForResource(String selectedResourcePath, boolean isRecursiveFlag, String username) {
-
- if (adminUserList.contains(username)) {
- return ;
- }
-
- List<String> groups = getUserGroupsForUser(username) ;
-
- if (adminGroupList.contains(groups)) {
-
- }
-
- checkAdminAccessForResource(new Path(selectedResourcePath, isRecursiveFlag), username) ;
- }
-
- private void checkAdminAccessForResource(Path resourcePath, String username) {
-
- List<Path> adminPathList = getAdminPathFromDB(username) ;
-
- if (!adminPathList.isEmpty()) {
- for(Path adminPath : adminPathList ) {
- if (adminPath.isMatched(resourcePath)) {
- return ;
- }
- }
- }
-
- throw new SecurityException("User [" + username + "] does not have admin privileges on path [" + resourcePath + "]") ;
-
- }
-
- class Path {
- String fullPath ;
- boolean recursiveFlag ;
-
- Path(String fullPath, boolean recursiveFlag) {
- this.fullPath = fullPath;
- this.recursiveFlag = recursiveFlag;
- }
-
- public boolean isMatched(Path resourcePath) {
- // Since it is a Regular Expression Compared with Regular Expression
- // We will expand the resourcepath to a normalized form and see if it matches with the fullpath using a WildCardMatch
- // THIS IS JUST A WORK-AROUND. Need more permanent solution - 11/19/2013
-
- String expandedPath = repaceMetaChars(resourcePath) ;
-
- if (recursiveFlag) {
- return URLBasedAuthDB.isRecursiveWildCardMatch(expandedPath, fullPath) ;
- }
- else {
- return FilenameUtils.wildcardMatch(expandedPath, fullPath) ;
- }
- }
-
- private String repaceMetaChars(Path regEx) {
-
- String expandedPath = regEx.fullPath ;
-
- if (expandedPath.contains("*")) {
- String replacement = getRandomString(5,60) ;
- expandedPath.replaceAll("\\*", replacement) ;
- }
-
- if (expandedPath.contains("?")) {
- String replacement = getRandomString(1,1) ;
- expandedPath.replaceAll("\\?", replacement) ;
- }
-
- if (regEx.recursiveFlag) {
- int level = getRandomInt(3,10) ;
- if (! expandedPath.endsWith("/")) {
- expandedPath = expandedPath + "/" ;
- }
- expandedPath = expandedPath + getRandomString(5,60) ;
-
- for(int i = 1 ; i < level ; i++) {
- expandedPath = expandedPath + "/" + getRandomString(5,60) ;
- }
- }
- return expandedPath ;
- }
-
-
- private Random random = new Random() ;
-
- private String getRandomString(int minLen, int maxLen) {
- StringBuilder sb = new StringBuilder() ;
- int len = getRandomInt(minLen,maxLen) ;
- for(int i = 0 ; i < len ; i++) {
- int charIdx = random.nextInt(PATH_CHAR_SET_LEN) ;
- sb.append( PATH_CHAR_SET[charIdx] ) ;
- }
- return null;
- }
-
- private int getRandomInt(int min, int max) {
- if (min == max) {
- return min ;
- }
- else {
- int interval = max - min ;
- return ((random.nextInt() % interval) + min) ;
- }
- }
-
- }
-
-
- private List<Path> getAdminPathFromDB(String username) {
-
- List<Path> ret = new ArrayList<Path>() ;
-
- //
- // TODO: database work to get ACL ....
- //
-
- // Get all policy acl where the user has ADMIN permission +
- // Get all policy acl where group associated with user has ADMIN permission
- // For each of the acl
- // For path in acl.getResourcePath().splitBy(",")
- // ret.add(new Path(path, acl.recursiveFlag)) ;
-
- return ret;
- }
-
-
- private List<String> getUserGroupsForUser(String username) {
- List<String> groupList = new ArrayList<String>() ;
-
- //
- // TODO: database work to get List of groups ....
- //
-
- return groupList ;
- }
-
-
-
-}
