http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java b/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java
deleted file mode 100644
index 53dfe6e..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java
+++ /dev/null
@@ -1,71 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.model; - -import java.util.ArrayList; -import java.util.List; - -public class RolePermission { - - private List<String> users ; - private List<String> groups ; - private List<String> access ; - private List<String> ipAddress ; - - public RolePermission() { - users = new ArrayList<String>() ; - groups = new ArrayList<String>() ; - access = new ArrayList<String>() ; - } - - - public List<String> getUsers() { - return users; - } - - public void setUsers(List<String> users) { - this.users = users; - } - - public List<String> getGroups() { - return groups; - } - - public void setGroups(List<String> groups) { - this.groups = groups; - } - - public List<String> getAccess() { - return this.access; - } - - public List<String> getIpAddress() { - return this.ipAddress; - } - - public void setIpAddress(List<String> ipAddress) { - this.ipAddress = ipAddress ; - } - - public void setAccess(List<String> access) { - this.access = access ; - } - -}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
deleted file mode 100644
index d7ec72d..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
+++ /dev/null
@@ -1,137 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.storm; - -import java.util.ArrayList; -import java.util.List; - -import org.apache.commons.io.FilenameUtils; - -import com.xasecure.authorization.utils.StringUtil; - -public class StormAuthRule { - private String topologyName ; - private List<String> accessTypeList ; - private List<String> groupList ; - private List<String> userList; - private boolean auditEnabled ; - - - public StormAuthRule(String topologyName, List<String> accessTypeList, - List<String> userList, List<String> groupList, boolean auditEnabled) { - super(); - this.topologyName = topologyName; - this.accessTypeList = accessTypeList; - if (this.accessTypeList == null) { - this.accessTypeList = new ArrayList<String>(); - } - this.userList = userList; - if (this.userList == null) { - this.userList = new ArrayList<String>(); - } - - this.groupList = groupList; - if (this.groupList == null) { - this.groupList = new ArrayList<String>(); - } - - this.auditEnabled = auditEnabled ; - } - - public String getTopologyName() { - return topologyName; - } - public void setTopologyName(String topologyName) { - this.topologyName = topologyName; - } - public 
List<String> getAccessTypeList() { - return accessTypeList; - } - public void setAccessTypeList(List<String> accessTypeList) { - this.accessTypeList = accessTypeList; - } - public List<String> getGroupList() { - return groupList; - } - public void setGroupList(List<String> groupList) { - this.groupList = groupList; - } - public List<String> getUserList() { - return userList; - } - public void setUserList(List<String> userList) { - this.userList = userList; - } - - public boolean isMatchedTopology(String aTopologyName) { - - boolean ret = false ; - - if (aTopologyName == null || aTopologyName.length() == 0) { - ret = "*".equals(this.topologyName) ; - } - else { - ret = (aTopologyName.equals(this.topologyName) || FilenameUtils.wildcardMatch(aTopologyName,this.topologyName)) ; - } - return ret ; - } - - public boolean isOperationAllowed(String aOperationName) { - return this.accessTypeList.contains(aOperationName); - } - - private static final String PUBLIC_GROUP_NAME = "public" ; - - public boolean isUserAllowed(String aUserName, String[] aGroupList) { - - boolean accessAllowed = false ; - - if ( this.userList.contains(aUserName) ) { - accessAllowed = true ; - } - else if (this.groupList.contains(PUBLIC_GROUP_NAME)) { - accessAllowed = true ; - } - else if (aGroupList != null ) { - for(String userGroup : aGroupList ) { - if (this.groupList.contains(userGroup) ) { - accessAllowed = true ; - break ; - } - } - } - - return accessAllowed ; - } - - public boolean getAuditEnabled() { - return this.auditEnabled ; - } - - @Override - public String toString() { - return "StormAuthRule: { topologyName: [" + topologyName + "]," + - "userList: [" + StringUtil.toString(userList) + "]" + - "groupList: [" + StringUtil.toString(groupList) + "]" + - "accessTypeList: [" + StringUtil.toString(accessTypeList) + "]" + - "auditEnabled: [" + auditEnabled + "] }"; - } - -} 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
deleted file mode 100644
index 3cb2916..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
+++ /dev/null
@@ -1,177 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.storm; - -import java.util.ArrayList; -import java.util.List; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.xasecure.authorization.hadoop.config.XaSecureConfiguration; -import com.xasecure.authorization.storm.XaStormAccessVerifier; -import com.xasecure.pdp.config.PolicyChangeListener; -import com.xasecure.pdp.config.PolicyRefresher; -import com.xasecure.pdp.constants.XaSecureConstants; -import com.xasecure.pdp.model.Policy; -import com.xasecure.pdp.model.PolicyContainer; -import com.xasecure.pdp.model.RolePermission; - - -public class URLBasedAuthDB implements PolicyChangeListener, XaStormAccessVerifier { - - private static final Logger LOG = LoggerFactory.getLogger(URLBasedAuthDB.class) ; - - private static URLBasedAuthDB me = null; - - private PolicyRefresher refresher = null ; - - private PolicyContainer policyContainer = null; - - private List<StormAuthRule> stormAuthDB = null ; - - public static URLBasedAuthDB getInstance() { - if (me == null) { - synchronized (URLBasedAuthDB.class) { - URLBasedAuthDB temp = me; - if (temp == null) { - me = new URLBasedAuthDB(); - me.init() ; - } - 
} - } - return me; - } - - private URLBasedAuthDB() { - - String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_PROP); - - long refreshInMilli = XaSecureConfiguration.getInstance().getLong( - XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP , - XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT); - - String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_LAST_SAVED_POLICY_FILE_PROP) ; - - String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_POLICYMGR_SSL_CONFIG_FILE_PROP) ; - - refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ; - - String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_SAVE_FILE_PROP) ; - if (saveAsFileName != null) { - refresher.setSaveAsFileName(saveAsFileName) ; - } - - if (lastStoredFileName != null) { - refresher.setLastStoredFileName(lastStoredFileName); - } - } - - - private void init() { - refresher.setPolicyChangeListener(this); - } - - - @Override - public void OnPolicyChange(PolicyContainer aPolicyContainer) { - setPolicyContainer(aPolicyContainer); - } - - - public PolicyContainer getPolicyContainer() { - return policyContainer; - } - - - - public synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) { - - if (aPolicyContainer != null) { - - List<StormAuthRule> tempStormAuthDB = new ArrayList<StormAuthRule>() ; - - for(Policy p : aPolicyContainer.getAcl()) { - - if (! 
p.isEnabled()) { - continue; - } - - for (String topologyName : p.getTopologyList()) { - - List<RolePermission> rpList = p.getPermissions() ; - - for(RolePermission rp : rpList) { - StormAuthRule rule = new StormAuthRule(topologyName, rp.getAccess() , rp.getUsers(), rp.getGroups(), (p.getAuditInd() == 1)) ; - tempStormAuthDB.add(rule) ; - } - } - } - - this.stormAuthDB = tempStormAuthDB ; - - this.policyContainer = aPolicyContainer ; - } - } - - @Override - public boolean isAccessAllowed(String aUserName, String[] aGroupName, String aOperationName, String aTopologyName) { - - boolean accessAllowed = false ; - - List<StormAuthRule> tempStormAuthDB = this.stormAuthDB ; - - if (tempStormAuthDB != null) { - for(StormAuthRule rule : tempStormAuthDB) { - if (rule.isMatchedTopology(aTopologyName)) { - if (rule.isOperationAllowed(aOperationName)) { - if (rule.isUserAllowed(aUserName, aGroupName)) { - accessAllowed = true ; - break ; - } - } - } - } - } - - return accessAllowed ; - } - - @Override - public boolean isAudited(String aTopologyName) { - boolean auditEnabled = false ; - - List<StormAuthRule> tempStormAuthDB = stormAuthDB ; - - if (tempStormAuthDB != null) { - for(StormAuthRule rule : tempStormAuthDB) { - if (rule.isMatchedTopology(aTopologyName)) { - auditEnabled = rule.getAuditEnabled() ; - if (auditEnabled) { - break ; - } - } - } - } - - return auditEnabled ; - } - -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java deleted file mode 100644 index 82a9c8d..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java +++ /dev/null 
@@ -1,62 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.storm; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.xasecure.authorization.storm.XaStormAccessVerifier; - -public class XASecureAuthorizer implements XaStormAccessVerifier { - - private static final Log LOG = LogFactory.getLog(XASecureAuthorizer.class) ; - - private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ; - - - @Override - public boolean isAccessAllowed(String aUserName, String[] aGroupName, String aOperationName, String aTopologyName) { - boolean ret = false ; - - if (authDB != null) { - ret = authDB.isAccessAllowed(aUserName, aGroupName, aOperationName, aTopologyName) ; - } - else { - LOG.error("Unable to find a URLBasedAuthDB for authorization - Found null"); - } - - return ret ; - } - - @Override - public boolean isAudited(String aTopologyName) { - boolean ret = false ; - - if (authDB != null) { - ret = authDB.isAudited(aTopologyName) ; - } - else { - LOG.error("Unable to find a URLBasedAuthDB for authorization - Found null"); - } - - return ret ; - } - -} 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java b/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java
deleted file mode 100644
index 93c257e..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java
+++ /dev/null
@@ -1,49 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.utils; - -import java.io.File; -import java.net.URL; - -public class XaSecureUtils { - - public static String getFilePathFromClassPath(String aFileName) { - String pathName = null; - - File lf = new File(aFileName) ; - - if (lf.exists()) { - pathName = lf.getAbsolutePath(); - } - else { - URL lurl = XaSecureUtils.class.getResource(aFileName); - if (lurl == null) { - if (!aFileName.startsWith("/")) { - lurl = XaSecureUtils.class.getResource("/" + aFileName); - } - } - if (lurl != null) { - pathName = lurl.getFile(); - } - } - return pathName; - - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java new file mode 100644 index 0000000..63b6733 --- /dev/null +++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java 
@@ -0,0 +1,543 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ranger.pdp.config; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.IOException; +import java.io.InputStream; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateException; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSession; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.conf.Configuration; +import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; +import 
org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider; +import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy; +import org.apache.ranger.pdp.constants.RangerConstants; +import org.apache.ranger.pdp.model.PolicyContainer; + +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.sun.jersey.api.client.Client; +import com.sun.jersey.api.client.ClientResponse; +import com.sun.jersey.api.client.WebResource; +import com.sun.jersey.api.client.config.ClientConfig; +import com.sun.jersey.api.client.config.DefaultClientConfig; +import com.sun.jersey.client.urlconnection.HTTPSProperties; + +public abstract class ConfigWatcher extends Thread { + + private static final Log LOG = LogFactory.getLog(ConfigWatcher.class); + + public static final String EXPECTED_MIME_TYPE = "application/json" ; + + // public static final String EXPECTED_MIME_TYPE = "application/octet-stream"; + + private static final String LASTUPDATED_PARAM = "epoch"; + private static final String POLICY_COUNT_PARAM = "policyCount"; + private static final String AGENT_NAME_PARAM = "agentId" ; + + private static final int MAX_AGENT_NAME_LEN = 255 ; + + + private String url; + + private long intervalInMilliSeconds; + + private long lastModifiedTime = 0; + + private boolean shutdownFlag = false; + + private String lastStoredFileName = null; + + protected PolicyContainer policyContainer = null; + + private static PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy(); + + private static RangerCredentialProvider rangerCp = null; + + + public abstract void doOnChange(); + + private String keyStoreFile = null ; + private String keyStoreFilepwd = null; + private String keyStoreURL = null; + private String keyStoreAlias = null; + private String trustStoreFile = null ; + private String trustStoreFilepwd = null ; + private String trustStoreURL = null; + private String trustStoreAlias = null; + private String keyStoreType = null ; + private String 
trustStoreType = null ; + private SSLContext sslContext = null ; + private HostnameVerifier hv = null ; + private String agentName = "unknown" ; + + private String sslConfigFileName = null ; + + public boolean policyCacheLoadedOnce = false; + + public boolean cacheModfied = false; + + public ConfigWatcher(String url, long aIntervalInMilliSeconds,String sslConfigFileName,String lastStoredFileName) { + super("RangerConfigURLWatcher"); + setDaemon(true); + this.url = url; + intervalInMilliSeconds = aIntervalInMilliSeconds; + this.sslConfigFileName = sslConfigFileName ; + this.agentName = getAgentName(this.url) ; + this.lastStoredFileName = lastStoredFileName; + if (LOG.isInfoEnabled()) { + LOG.info("Creating PolicyRefreshser with url: " + url + + ", refreshInterval(milliSeconds): " + aIntervalInMilliSeconds + + ", sslConfigFileName: " + sslConfigFileName + + ", lastStoredFileName: " + lastStoredFileName); + } + init(); + validateAndRun(); + LOG.debug("Created new ConfigWatcher for URL [" + url + "]"); + } + + + public void init() { + if (sslConfigFileName != null) { + LOG.debug("Loading SSL Configuration from [" + sslConfigFileName + "]"); + InputStream in = null ; + try { + Configuration conf = new Configuration() ; + in = getFileInputStream(sslConfigFileName) ; + if (in != null) { + conf.addResource(in); + } + + rangerCp = RangerCredentialProvider.getInstance(); + + keyStoreFile = conf.get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE); + + keyStoreURL=conf.get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL); + keyStoreAlias=RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS; + + char[] v_keyStoreFilePwd = getCredential(keyStoreURL,keyStoreAlias); + if ( v_keyStoreFilePwd == null ) { + keyStoreFilepwd = null; + } else { + keyStoreFilepwd = new String(v_keyStoreFilePwd); + } + + trustStoreFile = conf.get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE); + + 
trustStoreURL=conf.get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL); + trustStoreAlias=RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS; + + char[] v_TrustStoreFilePwd = getCredential(trustStoreURL,trustStoreAlias); + if ( v_TrustStoreFilePwd == null ) { + trustStoreFilepwd = null; + } else { + trustStoreFilepwd = new String(v_TrustStoreFilePwd); + } + + + keyStoreType = conf.get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE, RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT); + trustStoreType = conf.get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE, RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT); + } + catch(IOException ioe) { + LOG.error("Unable to load SSL Config FileName: [" + sslConfigFileName + "]", ioe); + } + finally { + if (in != null) { + try { + in.close() ; + } catch (IOException e) { + LOG.error("Unable to close SSL Config FileName: [" + sslConfigFileName + "]", e) ; + } + } + } + + LOG.debug("Keystore filename:[" + keyStoreFile + "]"); + LOG.debug("TrustStore filename:[" + trustStoreFile + "]"); + + } + } + + public String getURL() { + return url; + } + + public long getIntervalInMilliSeconds() { + return intervalInMilliSeconds; + } + + public long getLastModifiedTime() { + return lastModifiedTime; + } + + public void run() { + while (!shutdownFlag) { + validateAndRun(); + try { + Thread.sleep(intervalInMilliSeconds); + } catch (InterruptedException e) { + LOG.error("Unable to complete sleep for [" + intervalInMilliSeconds + "]", e); + } + } + } + + private void validateAndRun() { + if (isFileChanged()) { + LOG.debug("Policy has been changed from " + url + " ... 
RELOADING"); + try { + doOnChange(); + } catch (Exception e) { + LOG.error("Unable to complete doOnChange() method on file change [" + url + "]", e); + } + } else { + LOG.debug("No Change found in the policy from " + url); + } + } + + public boolean iscacheModfied() { + return cacheModfied; + } + + private boolean isFileChanged() { + boolean isChanged = false; + + cacheModfied = false; + try { + + Client client = null; + ClientResponse response = null; + + try { + + int policyCount = getPolicyCount(policyContainer); + + if (url.contains("https")) { + // build SSL Client + client = buildSSLClient(); + } + + if (client == null) { + client = Client.create(); + } + + WebResource webResource = client.resource(url) + .queryParam(LASTUPDATED_PARAM, String.valueOf(lastModifiedTime)) + .queryParam(POLICY_COUNT_PARAM, String.valueOf(policyCount)) + .queryParam(AGENT_NAME_PARAM, agentName); + + response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); + + + if (response != null) { + + boolean responsePresent = true; + int responseStatus = response.getStatus(); + + if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) { + /* If the response is other than 200 and 304 load the policy from the cache */ + isChanged = true; + + } else { + /* If Policy Manager is available fetch the policy from it */ + if (response.getStatus() == 200) { + String jsonString = response.getEntity(String.class); + Gson gson = new GsonBuilder().setPrettyPrinting().addDeserializationExclusionStrategy(policyExclusionStrategy).create(); + PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class); + if ((newPolicyContainer.getLastUpdatedTimeInEpoc() > lastModifiedTime) || (getPolicyCount(newPolicyContainer) != policyCount)) { + policyContainer = newPolicyContainer; + lastModifiedTime = policyContainer.getLastUpdatedTimeInEpoc(); + isChanged = true; + policyCacheLoadedOnce = false; + cacheModfied = true; + if (LOG.isDebugEnabled()) { + 
LOG.debug("Got response: 200 with {change in lastupdatedTime}\n" + gson.toJson(newPolicyContainer)); + } + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("Got response: 200 with {no-change in lastupdatedTime}\n" + gson.toJson(newPolicyContainer)); + } + isChanged = false; + } + } else if (response.getStatus() == 304) { + if (LOG.isDebugEnabled()) { + LOG.debug("Got response: 304 "); + } + isChanged = false; // No Change has been there since our + // earlier request + } else { + LOG.error("Unable to get a valid response for isFileChanged() call for [" + url + "] = response code found [" + response.getStatus() + "]"); + } + } + + } else { + LOG.error("Unable to get a valid response for isFileChanged() call for [" + url + "] - got null response."); + // force the policy update to get fresh copy + lastModifiedTime = 0; + } + + } finally { + if (response != null) { + response.close(); + } + if (client != null) { + client.destroy(); + } + } + } catch (Throwable t) { + + boolean responsePresent = false; + int responseStatus = -1; + if (LOG.isDebugEnabled()) { + LOG.debug("Policy Manager Failed",t); + } + if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) { + /* Successfully found the Policy Cache file and loaded */ + isChanged = false; + } else { + LOG.error("Unable to complete isFileChanged() call for [" + url + "]", t); + // force the policy update to get fresh copy + lastModifiedTime = 0; + LOG.error("Policy file Cache not found.."); + throw new RuntimeException("Unable to find Enterprise Policy Storage"); + } + + } finally { + if (isChanged) { + LOG.info("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime); + } else if (LOG.isDebugEnabled()) { + LOG.debug("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime); + } + } + return isChanged; + } + + public PolicyContainer getPolicyContainer() { + return policyContainer; + } + + private int 
getPolicyCount(PolicyContainer aPolicyContainer) { + return (aPolicyContainer == null ? 0 : (aPolicyContainer.getAcl() == null ? 0 : aPolicyContainer.getAcl().size())); + } + + + public synchronized Client buildSSLClient() { + Client client = null; + try { + + ClientConfig config = new DefaultClientConfig(); + + if (sslContext == null) { + + KeyManager[] kmList = null; + TrustManager[] tmList = null; + + if (keyStoreFile != null && keyStoreFilepwd != null) { + + KeyStore keyStore = KeyStore.getInstance(keyStoreType); + InputStream in = null ; + try { + in = getFileInputStream(keyStoreFile) ; + if (in == null) { + LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]"); + return client ; + } + keyStore.load(in, keyStoreFilepwd.toCharArray()); + KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(RangerConstants.RANGER_SSL_KEYMANAGER_ALGO_TYPE); + keyManagerFactory.init(keyStore, keyStoreFilepwd.toCharArray()); + kmList = keyManagerFactory.getKeyManagers(); + } + finally { + if (in != null) { + in.close(); + } + } + + } + + if (trustStoreFile != null && trustStoreFilepwd != null) { + + KeyStore trustStore = KeyStore.getInstance(trustStoreType); + InputStream in = null ; + try { + in = getFileInputStream(trustStoreFile) ; + if (in == null) { + LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]"); + return client ; + } + trustStore.load(in, trustStoreFilepwd.toCharArray()); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(RangerConstants.RANGER_SSL_TRUSTMANAGER_ALGO_TYPE); + trustManagerFactory.init(trustStore); + tmList = trustManagerFactory.getTrustManagers(); + } + finally { + if (in != null) { + in.close() ; + } + } + } + + sslContext = SSLContext.getInstance(RangerConstants.RANGER_SSL_CONTEXT_ALGO_TYPE); + + sslContext.init(kmList, tmList, new SecureRandom()); + + hv = new HostnameVerifier() { + public boolean verify(String urlHostName, SSLSession session) { + return 
session.getPeerHost().equals(urlHostName); + } + }; + + } + + config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hv, sslContext)); + + client = Client.create(config); + + } catch (KeyStoreException e) { + LOG.error("Unable to obtain from KeyStore", e); + } catch (NoSuchAlgorithmException e) { + LOG.error("SSL algorithm is available in the environment", e); + } catch (CertificateException e) { + LOG.error("Unable to obtain the requested certification ", e); + } catch (FileNotFoundException e) { + LOG.error("Unable to find the necessary SSL Keystore and TrustStore Files", e); + } catch (IOException e) { + LOG.error("Unable to read the necessary SSL Keystore and TrustStore Files", e); + } catch (KeyManagementException e) { + LOG.error("Unable to initials the SSLContext", e); + } catch (UnrecoverableKeyException e) { + LOG.error("Unable to recover the key from keystore", e); + } + return client; + } + + private InputStream getFileInputStream(String fileName) throws IOException { + InputStream in = null ; + + File f = new File(fileName) ; + + if (f.exists()) { + in = new FileInputStream(f) ; + } + else { + in = ClassLoader.getSystemResourceAsStream(fileName) ; + } + return in ; + } + + public static String getAgentName(String aUrl) { + String hostName = null ; + String repoName = null ; + try { + hostName = InetAddress.getLocalHost().getHostName() ; + } catch (UnknownHostException e) { + LOG.error("ERROR: Unable to find hostname for the agent ", e); + hostName = "unknownHost" ; + } + + String[] tokens = aUrl.split("/") ; + + if ( tokens.length > 0 ) { + repoName = tokens[tokens.length-1] ; + } + else { + repoName = "unknownRepo" ; + } + + String agentName = hostName + "-" + repoName ; + + if (agentName.length() > MAX_AGENT_NAME_LEN ) { + agentName = agentName.substring(0,MAX_AGENT_NAME_LEN) ; + } + + return agentName ; + } + + private boolean fetchPolicyfromCahce( boolean responsePresent, int responseStatus, String 
lastStoredFileName){ + + boolean cacheFound = false; + + if ( ( responsePresent == false ) || ( responseStatus != 200 && responseStatus != 304) ) { + + /* Policy Manager not available read the policy from the last enforced one */ + + if (policyCacheLoadedOnce) { + cacheFound = true; + return cacheFound; + } + + try { + /* read the last stored policy file and load the PolicyContainer */ + LOG.info("Policy Manager not available, using the last stored Policy File" + this.lastStoredFileName ); + LOG.debug("LastStoredFileName when policymgr was available" + this.lastStoredFileName); + + BufferedReader jsonString = new BufferedReader(new FileReader(this.lastStoredFileName)); + Gson gson = new GsonBuilder().setPrettyPrinting().addDeserializationExclusionStrategy(policyExclusionStrategy).create(); + PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class); + policyContainer = newPolicyContainer; + lastModifiedTime = policyContainer.getLastUpdatedTimeInEpoc(); + if (LOG.isDebugEnabled()) { + LOG.debug("Policy Manager not available.Got response =" + responseStatus +"\n" + gson.toJson(newPolicyContainer)); + } + + cacheFound = true; + policyCacheLoadedOnce = true; + + } catch( FileNotFoundException fe ){ + + /* unable to get the last stored policy, raise warning for unavailability of policy cache file and continue...*/ + if ( this.lastStoredFileName == null ) { + LOG.info("Policy cache file not found...XAagent authorization not enabled"); + } + else { + LOG.info("Unable to access Policy cache file...XAagent authorization not enabled"); + } + } + + } + + return cacheFound; + } + + private char[] getCredential(String url, String alias) { + char[] credStr=rangerCp.getCredentialString(url,alias); + return credStr; + } +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java ---------------------------------------------------------------------- 
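Review bot: The HostnameVerifier installed in buildSSLClient() (`return session.getPeerHost().equals(urlHostName);`) does not verify the server certificate: per the SSLSession Javadoc, getPeerHost() returns the unauthenticated host name the connection was opened to, and in practice that is the same URL host passed in as urlHostName, so the comparison is effectively always true and a certificate issued for any name is accepted when the policy URL is HTTPS. Unless skipping hostname verification is intended, drop the anonymous verifier and use the JDK default, `hv = HttpsURLConnection.getDefaultHostnameVerifier();` (requires `import javax.net.ssl.HttpsURLConnection;`), which checks the peer certificate's SAN/CN against the URL host. A smaller point in fetchPolicyfromCahce(): the `BufferedReader` built over `new FileReader(this.lastStoredFileName)` is never closed, so a file handle leaks on every cache fallback; wrap it in try-with-resources, and note that a null lastStoredFileName raises NullPointerException there rather than the FileNotFoundException the catch expects, making the `if ( this.lastStoredFileName == null )` branch unreachable. Finally, the keystore and truststore passwords obtained as `char[]` from the credential provider are copied into `String` fields (`keyStoreFilepwd`, `trustStoreFilepwd`) that cannot be cleared; keeping them as `char[]` would fit `KeyStore.load` and `KeyManagerFactory.init`, which already take `char[]`.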
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java
new file mode 100644
index 0000000..4fcb489
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java
@@ -0,0 +1,565 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.pdp.config;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.WebTarget;
+import javax.ws.rs.core.Response;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import 
org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider;
+import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy;
+import org.apache.ranger.pdp.constants.RangerConstants;
+import org.apache.ranger.pdp.model.PolicyContainer;
+import org.glassfish.jersey.client.ClientConfig;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.sun.jersey.client.urlconnection.HTTPSProperties;
+
+public abstract class Jersey2ConfigWatcher extends Thread {
+
+ private static final Log LOG = LogFactory.getLog(Jersey2ConfigWatcher.class);
+
+ public static final String EXPECTED_MIME_TYPE = "application/json" ;
+
+ // public static final String EXPECTED_MIME_TYPE = "application/octet-stream";
+
+ private static final String LASTUPDATED_PARAM = "epoch";
+ private static final String POLICY_COUNT_PARAM = "policyCount";
+ private static final String AGENT_NAME_PARAM = "agentId" ;
+
+ private static final int MAX_AGENT_NAME_LEN = 255 ;
+
+ private static final String RANGER_KNOX_CREDENTIAL_PROVIDER_FILE
+ = "xasecure.knox.credential.provider.file";
+
+ private String url;
+
+ private long intervalInMilliSeconds;
+
+ private long lastModifiedTime = 0;
+
+ private boolean shutdownFlag = false;
+
+ private String lastStoredFileName = null;
+
+ protected PolicyContainer policyContainer = null;
+
+ private static PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy();
+
+ private static RangerCredentialProvider rangerCp = null;
+
+ public abstract void doOnChange();
+
+ private String credentialProviderFile = null;
+ private String keyStoreFile = null ;
+ private String keyStorePassword = null;
+ private String trustStoreFile = null ;
+ private String trustStorePassword = null ;
+ private String keyStoreType = null ;
+ private String trustStoreType = null ;
+ private SSLContext sslContext = null ;
+ private HostnameVerifier hv = null ;
+ private String agentName = "unknown" ;
+
+ private String sslConfigFileName = null ; + + boolean policyCacheLoadedOnce = false; + + public Jersey2ConfigWatcher(String url, long aIntervalInMilliSeconds,String sslConfigFileName,String lastStoredFileName) { + super("RangerConfigURLWatcher"); + setDaemon(true); + this.url = url; + intervalInMilliSeconds = aIntervalInMilliSeconds; + this.sslConfigFileName = sslConfigFileName ; + this.agentName = getAgentName(this.url) ; + this.lastStoredFileName = lastStoredFileName; + if (LOG.isInfoEnabled()) { + LOG.info("Creating PolicyRefreshser with url: " + url + + ", refreshInterval(milliSeconds): " + aIntervalInMilliSeconds + + ", sslConfigFileName: " + sslConfigFileName + + ", lastStoredFileName: " + lastStoredFileName); + } + init(); + validateAndRun(); + LOG.debug("Created new ConfigWatcher for URL [" + url + "]"); + } + + + public void init() { + if (sslConfigFileName != null) { + LOG.debug("Loading SSL Configuration from [" + sslConfigFileName + + "]"); + InputStream in = null; + try { + Configuration conf = new Configuration(); + in = getFileInputStream(sslConfigFileName); + if (in != null) { + conf.addResource(in); + } + + if (url.startsWith("https")) { + rangerCp = RangerCredentialProvider.getInstance(); + + keyStoreFile = conf + .get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE); + + credentialProviderFile = conf + .get(RANGER_KNOX_CREDENTIAL_PROVIDER_FILE); + String keyStorePasswordAlias = RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS; + + char[] v_keyStorePassword = getCredential(credentialProviderFile, + keyStorePasswordAlias); + if (v_keyStorePassword == null) { + keyStorePassword = null; + } else { + keyStorePassword = new String(v_keyStorePassword); + } + + trustStoreFile = conf + .get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE); + + //trustStoreURL = conf + // .get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL); + String trustStorePasswordAlias = 
RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS; + + char[] v_trustStorePassword = getCredential(credentialProviderFile, + trustStorePasswordAlias); + if (v_trustStorePassword == null) { + trustStorePassword = null; + } else { + trustStorePassword = new String(v_trustStorePassword); + } + + keyStoreType = conf + .get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE, + RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT); + trustStoreType = conf + .get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE, + RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT); + } + } catch (IOException ioe) { + LOG.error("Unable to load SSL Config FileName: [" + + sslConfigFileName + "]", ioe); + } finally { + if (in != null) { + try { + in.close(); + } catch (IOException e) { + LOG.error("Unable to close SSL Config FileName: [" + + sslConfigFileName + "]", e); + } + } + } + + LOG.debug("Keystore filename:[" + keyStoreFile + "]"); + LOG.debug("TrustStore filename:[" + trustStoreFile + "]"); + + } + } + + public String getURL() { + return url; + } + + public long getIntervalInMilliSeconds() { + return intervalInMilliSeconds; + } + + public long getLastModifiedTime() { + return lastModifiedTime; + } + + public void run() { + while (!shutdownFlag) { + validateAndRun(); + try { + Thread.sleep(intervalInMilliSeconds); + } catch (InterruptedException e) { + LOG.error("Unable to complete sleep for [" + intervalInMilliSeconds + "]", e); + } + } + } + + private void validateAndRun() { + if (isFileChanged()) { + LOG.debug("Policy has been changed from " + url + " ... 
RELOADING"); + try { + doOnChange(); + } catch (Exception e) { + LOG.error("Unable to complete doOnChange() method on file change [" + url + "]", e); + } + } else { + LOG.debug("No Change found in the policy from " + url); + } + } + + private boolean isFileChanged() { + boolean isChanged = false; + + + try { + + Client client = null; + Response response = null; + + try { + + int policyCount = getPolicyCount(policyContainer); + + if (url.contains("https")) { + // build SSL Client + client = buildSSLClient(); + } + + if (client == null) { + client = ClientBuilder.newClient(); + } + + WebTarget webTarget = client.target(url) + .queryParam(LASTUPDATED_PARAM, String.valueOf(lastModifiedTime)) + .queryParam(POLICY_COUNT_PARAM, String.valueOf(policyCount)) + .queryParam(AGENT_NAME_PARAM, agentName); + + response = webTarget.request().accept(EXPECTED_MIME_TYPE).get(); + + + if (response != null) { + + Boolean responsePresent = true; + int responseStatus = response.getStatus(); + + if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) { + /* If the response is other than 200 and 304 load the policy from the cache */ + isChanged = true; + + } else { + /* + * If Policy Manager is available fetch the policy from + * it + */ + if (response.getStatus() == 200) { + + String entityString = response + .readEntity(String.class); + if (LOG.isDebugEnabled()) { + LOG.debug("JSON response from server: " + + entityString); + } + + Gson gson = new GsonBuilder() + .setPrettyPrinting() + .addDeserializationExclusionStrategy( + policyExclusionStrategy).create(); + PolicyContainer newPolicyContainer = gson.fromJson( + entityString, PolicyContainer.class); + if ((newPolicyContainer.getLastUpdatedTimeInEpoc() > lastModifiedTime) + || (getPolicyCount(newPolicyContainer) != policyCount)) { + policyContainer = newPolicyContainer; + lastModifiedTime = policyContainer + .getLastUpdatedTimeInEpoc(); + isChanged = true; + if (LOG.isDebugEnabled()) { + LOG.debug("Got response: 
200 with {change in lastupdatedTime}\n" + + gson.toJson(newPolicyContainer)); + } + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("Got response: 200 with {no-change in lastupdatedTime}\n" + + gson.toJson(newPolicyContainer)); + } + isChanged = false; + } + } else if (response.getStatus() == 304) { + if (LOG.isDebugEnabled()) { + LOG.debug("Got response: 304 "); + } + isChanged = false; // No Change has been there since + // our + // earlier request + } else { + LOG.error("Unable to get a valid response for isFileChanged() call for [" + + url + + "] = response code found [" + + response.getStatus() + "]"); + } + } + + } else { + LOG.error("Unable to get a valid response for isFileChanged() call for [" + url + "] - got null response."); + // force the policy update to get fresh copy + lastModifiedTime = 0; + } + + } finally { + if (response != null) { + response.close(); + } + if (client != null) { + client.close(); + } + } + } catch (Throwable t) { + + Boolean responsePresent = false; + int responseStatus = -1; + + if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) { + /* Successfully found the Policy Cache file and loaded */ + isChanged = true; + } else { + LOG.error("Unable to complete isFileChanged() call for [" + url + "]", t); + // force the policy update to get fresh copy + lastModifiedTime = 0; + LOG.error("Policy file Cache not found.."); + throw new RuntimeException("Unable to find Enterprise Policy Storage"); + } + + } finally { + if (isChanged) { + LOG.info("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime); + } else if (LOG.isDebugEnabled()) { + LOG.debug("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime); + } + } + return isChanged; + } + + public PolicyContainer getPolicyContainer() { + return policyContainer; + } + + private int getPolicyCount(PolicyContainer aPolicyContainer) { + return (aPolicyContainer == null ? 
0 : (aPolicyContainer.getAcl() == null ? 0 : aPolicyContainer.getAcl().size())); + } + + + public synchronized Client buildSSLClient() { + Client client = null; + try { + + ClientConfig config = new ClientConfig(); + + if (sslContext == null) { + + KeyManager[] kmList = null; + TrustManager[] tmList = null; + + if (keyStoreFile != null && keyStorePassword != null) { + + KeyStore keyStore = KeyStore.getInstance(keyStoreType); + InputStream in = null ; + try { + in = getFileInputStream(keyStoreFile) ; + if (in == null) { + LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]"); + return client ; + } + keyStore.load(in, keyStorePassword.toCharArray()); + KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(RangerConstants.RANGER_SSL_KEYMANAGER_ALGO_TYPE); + keyManagerFactory.init(keyStore, keyStorePassword.toCharArray()); + kmList = keyManagerFactory.getKeyManagers(); + } + finally { + if (in != null) { + in.close(); + } + } + + } + + if (trustStoreFile != null && trustStorePassword != null) { + + KeyStore trustStore = KeyStore.getInstance(trustStoreType); + InputStream in = null ; + try { + in = getFileInputStream(trustStoreFile) ; + if (in == null) { + LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]"); + return client ; + } + trustStore.load(in, trustStorePassword.toCharArray()); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(RangerConstants.RANGER_SSL_TRUSTMANAGER_ALGO_TYPE); + trustManagerFactory.init(trustStore); + tmList = trustManagerFactory.getTrustManagers(); + } + finally { + if (in != null) { + in.close() ; + } + } + } + + sslContext = SSLContext.getInstance(RangerConstants.RANGER_SSL_CONTEXT_ALGO_TYPE); + + sslContext.init(kmList, tmList, new SecureRandom()); + + hv = new HostnameVerifier() { + public boolean verify(String urlHostName, SSLSession session) { + return session.getPeerHost().equals(urlHostName); + } + }; + + } + + 
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hv, sslContext)); + + client = ClientBuilder.newClient(config); + + } catch (KeyStoreException e) { + LOG.error("Unable to obtain from KeyStore", e); + } catch (NoSuchAlgorithmException e) { + LOG.error("SSL algorithm is available in the environment", e); + } catch (CertificateException e) { + LOG.error("Unable to obtain the requested certification ", e); + } catch (FileNotFoundException e) { + LOG.error("Unable to find the necessary SSL Keystore and TrustStore Files", e); + } catch (IOException e) { + LOG.error("Unable to read the necessary SSL Keystore and TrustStore Files", e); + } catch (KeyManagementException e) { + LOG.error("Unable to initials the SSLContext", e); + } catch (UnrecoverableKeyException e) { + LOG.error("Unable to recover the key from keystore", e); + } + return client; + } + + private InputStream getFileInputStream(String fileName) throws IOException { + InputStream in = null ; + + File f = new File(fileName) ; + + if (f.exists()) { + in = new FileInputStream(f) ; + } + else { + in = ClassLoader.getSystemResourceAsStream(fileName) ; + } + return in ; + } + + public static String getAgentName(String aUrl) { + String hostName = null ; + String repoName = null ; + try { + hostName = InetAddress.getLocalHost().getHostName() ; + } catch (UnknownHostException e) { + LOG.error("ERROR: Unable to find hostname for the agent ", e); + hostName = "unknownHost" ; + } + + String[] tokens = aUrl.split("/") ; + + if ( tokens.length > 0 ) { + repoName = tokens[tokens.length-1] ; + } + else { + repoName = "unknownRepo" ; + } + + String agentName = hostName + "-" + repoName ; + + if (agentName.length() > MAX_AGENT_NAME_LEN ) { + agentName = agentName.substring(0,MAX_AGENT_NAME_LEN) ; + } + + return agentName ; + } + + private boolean fetchPolicyfromCahce( Boolean responsePresent, int responseStatus, String lastStoredFileName){ + + boolean cacheFound = false; + + if ( ( 
responsePresent == false ) || ( responseStatus != 200 && responseStatus != 304) ) { + + /* Policy Manager not available read the policy from the last enforced one */ + + if (policyCacheLoadedOnce) { + cacheFound = true; + return cacheFound; + } + + try { + /* read the last stored policy file and load the PolicyContainer */ + LOG.info("Policy Manager not available, using the last stored Policy File" + this.lastStoredFileName ); + LOG.debug("LastStoredFileName when policymgr was available" + this.lastStoredFileName); + + BufferedReader jsonString = new BufferedReader(new FileReader(this.lastStoredFileName)); + Gson gson = new GsonBuilder().setPrettyPrinting().addDeserializationExclusionStrategy(policyExclusionStrategy).create(); + PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class); + policyContainer = newPolicyContainer; + lastModifiedTime = policyContainer.getLastUpdatedTimeInEpoc(); + if (LOG.isDebugEnabled()) { + LOG.debug("Policy Manager not available.Got response =" + responseStatus +"\n" + gson.toJson(newPolicyContainer)); + } + + cacheFound = true; + policyCacheLoadedOnce = true; + + } catch( FileNotFoundException fe ){ + + /* unable to get the last stored policy, raise warning for unavailability of policy cache file and continue...*/ + if ( this.lastStoredFileName == null ) { + LOG.info("Policy cache file not found...XAagent authorization not enabled"); + } + else { + LOG.info("Unable to access Policy cache file...XAagent authorization not enabled"); + } + } + + } + + return cacheFound; + } + + private char[] getCredential(String url, String alias) { + char[] credStr=rangerCp.getCredentialString(url,alias); + return credStr; + } + +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java ---------------------------------------------------------------------- 
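Review bot: The HostnameVerifier installed in buildSSLClient compares `session.getPeerHost()` with `urlHostName`, but SSLSession.getPeerHost() is the unauthenticated name the client connected to rather than a name taken from the peer certificate, so the two are equal for every connection and the verifier accepts anything; with the JDK's HttpsURLConnection the verifier is consulted precisely when the built-in certificate-name check has failed, so a certificate issued for a different host would be accepted. Dropping the custom `hv` and keeping the default verifier restores that check. Separately, the SSLContext is handed to the Jersey 2 ClientConfig through the Jersey 1 `HTTPSProperties.PROPERTY_HTTPS_PROPERTIES` key (note the `com.sun.jersey` import next to `org.glassfish.jersey`); as far as I can tell Jersey 2 does not read that property, so the keystore and truststore loaded in init() would never be applied, whereas the JAX-RS 2.0 builder takes the context directly: `client = ClientBuilder.newBuilder().sslContext(sslContext).build();`. In fetchPolicyfromCahce the `BufferedReader` over `lastStoredFileName` is never closed; wrapping the Gson read in try-with-resources fixes the leak.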
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java
new file mode 100644
index 0000000..112b89a
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.pdp.config;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+public class Jersey2PolicyRefresher {
+
+ private static final Log LOG = LogFactory.getLog(Jersey2PolicyRefresher.class);
+
+ private String url ;
+ private long refreshInterval ;
+
+ private Jersey2ConfigWatcher watcherDaemon = null;
+
+ protected PolicyContainer policyContainer = null ;
+
+ private PolicyChangeListener policyChangeListener = null ;
+
+ private String saveAsFileName = null ;
+
+ private String sslConfigFileName = null ;
+
+ private String lastStoredFileName = null;
+
+ private PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy() ;
+
+ public Jersey2PolicyRefresher(String url, long refreshInterval, String 
sslConfigFileName, String lastStoredFileName) { + if (LOG.isInfoEnabled()) { + LOG.info("Creating PolicyRefreshser with url: " + url + + ", refreshInterval: " + refreshInterval + + ", sslConfigFileName: " + sslConfigFileName + + ", lastStoredFileName: " + lastStoredFileName); + } + this.url = url ; + this.refreshInterval = refreshInterval ; + this.sslConfigFileName = sslConfigFileName ; + this.lastStoredFileName = lastStoredFileName; + checkFileWatchDogThread(); + } + + public PolicyChangeListener getPolicyChangeListener() { + return policyChangeListener; + } + + public synchronized void setPolicyChangeListener(PolicyChangeListener policyChangeListener) { + this.policyChangeListener = policyChangeListener; + if (this.policyContainer != null) { + savePolicyToFile() ; + notifyPolicyChange() ; + } + } + + private void setPolicyContainer(PolicyContainer aPolicyContainer) { + this.policyContainer = aPolicyContainer ; + } + + public PolicyContainer getPolicyContainer() { + return policyContainer ; + } + + public String getSaveAsFileName() { + return saveAsFileName; + } + + public void setSaveAsFileName(String saveAsFileName) { + this.saveAsFileName = saveAsFileName; + } + + public String getSslConfigFileName() { + return sslConfigFileName; + } + + public String getLastStoredFileName() { + return lastStoredFileName; + } + + public void setLastStoredFileName(String lastStoredFileName) { + this.lastStoredFileName = lastStoredFileName; + } + + public void setSslConfigFileName(String sslConfigFileName) { + this.sslConfigFileName = sslConfigFileName; + } + + + private synchronized void checkFileWatchDogThread() { + if (watcherDaemon == null) { + try { + if (LOG.isDebugEnabled()) { + LOG.debug("Starting WatchDog for the Path [" + url + "] ...."); + } + watcherDaemon = new Jersey2ConfigWatcher(url, refreshInterval,sslConfigFileName,this.getLastStoredFileName()) { + public void doOnChange() { + PolicyContainer newPolicyContainer = getPolicyContainer() ; + 
setPolicyContainer(newPolicyContainer) ; + savePolicyToFile() ; + notifyPolicyChange(); + }; + }; + watcherDaemon.start(); + if (LOG.isDebugEnabled()) { + LOG.debug("Completed kick-off of FileWatchDog for the Path [" + url + "] interval in millisecond:" + refreshInterval); + } + } catch (Throwable t) { + LOG.error("Unable to start the FileWatchDog for path [" + url + "]", t); + } + } + } + + private void notifyPolicyChange() { + if (policyChangeListener != null) { + try { + policyChangeListener.OnPolicyChange(policyContainer); + } + catch(Throwable t) { + LOG.error("Error during notification of policy changes to listener [" + policyChangeListener + "]", t) ; + } + finally { + LOG.debug("Completed notification of policy changes to listener [" + policyChangeListener + "]") ; + } + } + } + + + private void savePolicyToFile() { + + LOG.debug("savePolicyToFile() is called with [" + saveAsFileName + "] - START") ; + String fileName = null; + if (saveAsFileName != null) { + String currentDateTime = new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()) ; + fileName = saveAsFileName + "." 
+ currentDateTime ; + File saveFile = new File(fileName) ; + Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ; + String policyAsJson = gson.toJson(policyContainer) ; + PrintWriter writer = null ; + try { + writer = new PrintWriter(new FileWriter(saveFile)) ; + writer.println(policyAsJson) ; + } + catch(IOException ioe) { + LOG.error("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]", ioe); + } + finally { + if (writer != null) { + writer.close(); + } + } + + if (lastStoredFileName != null) { + File lastSaveFileName = new File(lastStoredFileName); + + try { + writer = new PrintWriter(new FileWriter(lastSaveFileName)); + writer.println(policyAsJson); + + } + catch(IOException ioe){ + LOG.error("Unable to save the policy into Last Stored Policy File [" + lastSaveFileName.getAbsolutePath() + "]", ioe ); + } + finally { + //make the policy file cache to be 600 permission when it gets created and updated + lastSaveFileName.setReadable(false,false); + lastSaveFileName.setReadable(true,true); + if (writer != null) { + writer.close(); + } + } + + } + } + + LOG.debug("savePolicyToFile() is called with [" + fileName + "] - END") ; + + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java new file mode 100644 index 0000000..a403e54 --- /dev/null +++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java 
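Review bot: The permission tightening in savePolicyToFile runs in the finally block, after `new FileWriter(lastSaveFileName)` has already created and filled the cache file at whatever mode the process umask grants, so the file is exposed at the default mode on every refresh, and because only the read bits are touched the result is not the 600 the comment promises (the PolicyRefresher copy of this code in savePolicyToCacheFile also clears the write bits but shares the ordering problem). The booleans returned by `setReadable` are discarded as well, so a failed restriction is silent. Creating the file with the intended mode before writing (java.nio `Files.createFile` with a `PosixFilePermissions` attribute on POSIX file systems) closes the window; at minimum mirror PolicyRefresher with `lastSaveFileName.setWritable(false,false); lastSaveFileName.setWritable(true,true);` and log when any of these calls returns false.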
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.config;
+
+import org.apache.ranger.pdp.model.PolicyContainer;
+
+public interface PolicyChangeListener {
+ public void OnPolicyChange(PolicyContainer aPolicyContainer) ;
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java
new file mode 100644
index 0000000..eed7c8d
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java
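Review bot: `OnPolicyChange` breaks the lowerCamelCase convention every other method in this change follows (`doOnChange`, `getPolicyContainer`), and both refreshers already call it by that name, so a later rename touches three files; `void onPolicyChange(PolicyContainer aPolicyContainer);` is the conventional form, and the `public` modifier is redundant on an interface method. A one-line Javadoc stating on which thread the callback runs would also help, since the refreshers invoke it both from the watcher daemon thread's doOnChange and from the caller of setPolicyChangeListener.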
@@ -0,0 +1,229 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.pdp.config;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+public class PolicyRefresher {
+
+ private static final Log LOG = LogFactory.getLog(PolicyRefresher.class);
+
+ private String url ;
+ private long refreshInterval ;
+
+ private ConfigWatcher watcherDaemon = null;
+
+ protected PolicyContainer policyContainer = null ;
+
+ private PolicyChangeListener policyChangeListener = null ;
+
+ private String saveAsFileName = null ;
+
+ private String sslConfigFileName = null ;
+
+ private String lastStoredFileName = null;
+
+ private PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy() ;
+
+ public PolicyRefresher(String url, long refreshInterval, String sslConfigFileName, String 
lastStoredFileName) { + if (LOG.isInfoEnabled()) { + LOG.info("Creating PolicyRefreshser with url: " + url + + ", refreshInterval: " + refreshInterval + + ", sslConfigFileName: " + sslConfigFileName + + ", lastStoredFileName: " + lastStoredFileName); + } + this.url = url ; + this.refreshInterval = refreshInterval ; + this.sslConfigFileName = sslConfigFileName ; + this.lastStoredFileName = lastStoredFileName; + checkFileWatchDogThread(); + } + + public PolicyChangeListener getPolicyChangeListener() { + return policyChangeListener; + } + + public synchronized void setPolicyChangeListener(PolicyChangeListener policyChangeListener) { + this.policyChangeListener = policyChangeListener; + if (this.policyContainer != null) { + savePolicyToFile() ; + savePolicyToCacheFile(); + notifyPolicyChange() ; + } + } + + public void setPolicyContainer(PolicyContainer aPolicyContainer) { + this.policyContainer = aPolicyContainer ; + } + + public PolicyContainer getPolicyContainer() { + return policyContainer ; + } + + public String getSaveAsFileName() { + return saveAsFileName; + } + + public void setSaveAsFileName(String saveAsFileName) { + this.saveAsFileName = saveAsFileName; + } + + public String getSslConfigFileName() { + return sslConfigFileName; + } + + public String getLastStoredFileName() { + return lastStoredFileName; + } + + public void setLastStoredFileName(String lastStoredFileName) { + this.lastStoredFileName = lastStoredFileName; + } + + public void setSslConfigFileName(String sslConfigFileName) { + this.sslConfigFileName = sslConfigFileName; + } + + + private synchronized void checkFileWatchDogThread() { + if (watcherDaemon == null) { + try { + if (LOG.isDebugEnabled()) { + LOG.debug("Starting WatchDog for the Path [" + url + "] ...."); + } + watcherDaemon = new ConfigWatcher(url, refreshInterval,sslConfigFileName,this.getLastStoredFileName()) { + public void doOnChange() { + PolicyContainer newPolicyContainer = getPolicyContainer() ; + 
setPolicyContainer(newPolicyContainer) ; + savePolicyToFile() ; + savePolicyToCacheFile(); + notifyPolicyChange(); + }; + }; + watcherDaemon.start(); + if (LOG.isDebugEnabled()) { + LOG.debug("Completed kick-off of FileWatchDog for the Path [" + url + "] interval in millisecond:" + refreshInterval); + } + } catch (Throwable t) { + LOG.error("Unable to start the FileWatchDog for path [" + url + "]", t); + } + } + } + + private void notifyPolicyChange() { + if (policyChangeListener != null) { + try { + policyChangeListener.OnPolicyChange(policyContainer); + } + catch(Throwable t) { + LOG.error("Error during notification of policy changes to listener [" + policyChangeListener + "]", t) ; + } + finally { + LOG.debug("Completed notification of policy changes to listener [" + policyChangeListener + "]") ; + } + } + } + + + private void savePolicyToFile() { + if (watcherDaemon != null && !watcherDaemon.iscacheModfied()) { + // Do not Save the file if the policy is not modified. + return; + } + LOG.debug("savePolicyToFile() is called with [" + saveAsFileName + "] - START") ; + String fileName = null; + if (saveAsFileName != null) { + String currentDateTime = new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()) ; + fileName = saveAsFileName + "." 
+ currentDateTime ; + File saveFile = new File(fileName) ; + Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ; + String policyAsJson = gson.toJson(policyContainer) ; + PrintWriter writer = null ; + try { + writer = new PrintWriter(new FileWriter(saveFile)) ; + writer.println(policyAsJson) ; + } + catch(IOException ioe) { + LOG.warn("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]"); + } + finally { + if (writer != null) { + writer.close(); + } + } + LOG.debug("savePolicyToFile() is called with [" + fileName + "] - END") ; + } + } + + private void savePolicyToCacheFile() { + + if (watcherDaemon != null && !watcherDaemon.iscacheModfied()) { + // Don't Save the file if the policy is not modified. + return; + } + + LOG.debug("savePolicyToCacheFile() is called with [" + lastStoredFileName + "] - START") ; + + if (lastStoredFileName != null) { + + File lastSaveFile = new File(lastStoredFileName) ; + Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ; + String policyAsJson = gson.toJson(policyContainer) ; + PrintWriter writer = null ; + + try { + writer = new PrintWriter(new FileWriter(lastSaveFile)); + writer.println(policyAsJson); + + } + catch(IOException ioe){ + LOG.warn("Unable to save the policy into Last Stored Policy File [" + lastSaveFile.getAbsolutePath() + "]"); + } + finally { + //make the policy file cache to be 600 permission when it gets created and updated + lastSaveFile.setReadable(false,false); + lastSaveFile.setWritable(false,false); + lastSaveFile.setReadable(true,true); + lastSaveFile.setWritable(true,true); + if (writer != null) { + writer.close(); + } + } + + } + + LOG.debug("savePolicyToCacheFile() is called with [" + lastStoredFileName + "] - END") ; + + } + +} 
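Review bot: Both `LOG.warn` calls in savePolicyToFile and savePolicyToCacheFile drop the caught `ioe`, so an unwritable cache directory leaves no stack trace to diagnose; the Jersey2PolicyRefresher copy passes the exception and these should too, e.g. `LOG.warn("Unable to save the policy into Last Stored Policy File [" + lastSaveFile.getAbsolutePath() + "]", ioe);`. The anonymous ConfigWatcher's doOnChange updates policyContainer, writes both files and notifies the listener from the watcher thread without the monitor that the `synchronized` setPolicyChangeListener takes, so a listener registered while a refresh is in flight may observe the container and listener fields in interleaved order; routing doOnChange's body through a `synchronized` method on the refresher would put both paths under the same lock. ConfigWatcher itself, including `iscacheModfied()`, is outside this hunk.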
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java
new file mode 100644
index 0000000..cbb460e
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.config.gson;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.FIELD})
+
+public @interface ExcludeSerialization {
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java
----------------------------------------------------------------------
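Review bot: `@Target({ElementType.FIELD})` restricts this annotation to fields, yet the PolicyExclusionStrategy added in the same commit also tests `objectClass.getAnnotation(ExcludeSerialization.class)` in `shouldSkipClass`; with this target that check can never be true, because the compiler rejects the annotation on a type. Either widen it to `@Target({ElementType.FIELD, ElementType.TYPE})` if whole-class exclusion is intended, or have `shouldSkipClass` return `false` so readers are not led to expect class-level exclusion to work. The annotation has no Javadoc; since the strategy is installed via `setExclusionStrategies(policyExclusionStrategy)` on the Gson instance that writes the saved and cached policy files, a one-sentence description such as `/** Marks a field that is omitted when the policy container is serialized to the saved/cached policy files. */` would tell maintainers what annotating a field actually keeps off disk. The blank line between `@Target` and `public @interface` is a minor style nit.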
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java
new file mode 100644
index 0000000..ad3a354
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.config.gson;
+
+import com.google.gson.ExclusionStrategy;
+import com.google.gson.FieldAttributes;
+
+public class PolicyExclusionStrategy implements ExclusionStrategy {
+
+ @Override
+ public boolean shouldSkipClass(Class<?> objectClass) {
+ return (objectClass.getAnnotation(ExcludeSerialization.class) != null) ;
+ }
+
+ @Override
+ public boolean shouldSkipField(FieldAttributes aFieldAttributes) {
+ return (aFieldAttributes.getAnnotation(ExcludeSerialization.class) != null) ;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java
----------------------------------------------------------------------
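Review bot: PolicyExclusionStrategy has no class Javadoc and neither override is documented, so nothing tells a maintainer that this class sits on the persistence path rather than being a general Gson helper. A short header such as `/** Gson exclusion strategy used when the policy container is written to the saveAsFile and last-stored cache files; anything annotated with @ExcludeSerialization is left out of that JSON. */` would make the consequence of changing it (fields appearing in, or disappearing from, the on-disk policy copies) explicit. The class holds no state, so where the refresher keeps it as `policyExclusionStrategy` it could presumably be a single shared `static final` instance instead of one per refresher; confirm against the field declaration, which is outside this hunk. The `return (x != null) ;` form with redundant parentheses and a space before the semicolon is a style nit; `return objectClass.getAnnotation(ExcludeSerialization.class) != null;` reads cleaner.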
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java b/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java
new file mode 100644
index 0000000..466e00f
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.constants;
+
+public class RangerConstants {
+ public static final String PUBLIC_ACCESS_ROLE = "public" ;
+
+ public static final String RANGER_HBASE_POLICYMGR_URL_PROP = "xasecure.hbase.policymgr.url";
+ public static final String RANGER_HBASE_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hbase.policymgr.url.saveAsFile";
+ public static final String RANGER_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hbase.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_HBASE_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hbase.policymgr.ssl.config";
+ public static final long RANGER_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_HBASE_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hbase.policymgr.url.laststoredfile";
+
+ public static final String RANGER_HDFS_POLICYMGR_URL_PROP = "xasecure.hdfs.policymgr.url";
+ public static final String RANGER_HDFS_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hdfs.policymgr.url.saveAsFile";
+ public static final String RANGER_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hdfs.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_HDFS_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hdfs.policymgr.ssl.config";
+ public static final long RANGER_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_HDFS_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hdfs.policymgr.url.laststoredfile";
+
+
+ public static final String RANGER_KNOX_POLICYMGR_URL_PROP = "xasecure.knox.policymgr.url";
+ public static final String RANGER_KNOX_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.knox.policymgr.url.saveAsFile";
+ public static final String RANGER_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.knox.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_KNOX_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.knox.policymgr.ssl.config";
+ public static final long RANGER_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_KNOX_LAST_SAVED_POLICY_FILE_PROP = "xasecure.knox.policymgr.url.laststoredfile";
+
+
+ public static final String RANGER_HIVE_POLICYMGR_URL_PROP = "xasecure.hive.policymgr.url";
+ public static final String RANGER_HIVE_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hive.policymgr.url.saveAsFile";
+ public static final String RANGER_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hive.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_HIVE_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hive.policymgr.ssl.config";
+ public static final long RANGER_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_HIVE_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hive.policymgr.url.laststoredfile";
+
+
+ // xasecure 2-way ssl configuration
+
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE = "xasecure.policymgr.clientssl.keystore";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_PASSWORD = "xasecure.policymgr.clientssl.keystore.password";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE = "xasecure.policymgr.clientssl.keystore.type";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL = "xasecure.policymgr.clientssl.keystore.credential.file";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS = "sslKeyStore";
+
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT = "jks";
+
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE = "xasecure.policymgr.clientssl.truststore";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_PASSWORD = "xasecure.policymgr.clientssl.truststore.password";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE = "xasecure.policymgr.clientssl.truststore.type";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL = "xasecure.policymgr.clientssl.truststore.credential.file";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS = "sslTrustStore";
+
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT = "jks";
+
+
+ public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE = "SunX509" ;
+ public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = "SunX509" ;
+ public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "SSL" ;
+
+
+
+ public static final String RANGER_STORM_POLICYMGR_URL_PROP = "xasecure.storm.policymgr.url";
+ public static final String RANGER_STORM_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.storm.policymgr.url.saveAsFile";
+ public static final String RANGER_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.storm.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_STORM_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.storm.policymgr.ssl.config";
+ public static final long RANGER_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_STORM_LAST_SAVED_POLICY_FILE_PROP = "xasecure.storm.policymgr.url.laststoredfile";
+
+
+}
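Review bot: `RANGER_SSL_CONTEXT_ALGO_TYPE = "SSL"` near the end of the hunk names the legacy protocol family for the client-side context used to reach the policy manager; if, as the name suggests, it is handed to `SSLContext.getInstance`, which protocols are actually negotiated is then left to the runtime's defaults. Prefer `public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLS" ;` (or a specific TLS version) so the intent is explicit and the constant does not invite SSLv3 on older JVMs. The keystore and truststore sections each define both a `.password` property and a `.credential.file` property with no comment on how they relate; a one-line comment stating which one is consulted first would help operators avoid leaving a plaintext password in the config when the credential file is sufficient. The class is a constants holder without a private constructor; `private RangerConstants() {}` prevents accidental instantiation, and the storm block would read better grouped with the other component blocks above the SSL section.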
