http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
deleted file mode 100644
index 29f2c22..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
+++ /dev/null
@@ -1,480 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.hdfs; - -import java.io.File; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Set; -import java.util.TreeSet; - -import org.apache.commons.io.FilenameUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.log4j.Level; -import org.apache.log4j.LogManager; - -import com.xasecure.authorization.hadoop.HDFSAccessVerifier; -import com.xasecure.authorization.hadoop.config.XaSecureConfiguration; -import com.xasecure.pdp.config.PolicyChangeListener; -import com.xasecure.pdp.config.PolicyRefresher; -import com.xasecure.pdp.constants.XaSecureConstants; -import com.xasecure.pdp.model.Policy; -import com.xasecure.pdp.model.PolicyContainer; -import com.xasecure.pdp.model.ResourcePath; -import com.xasecure.pdp.model.RolePermission; - -public class URLBasedAuthDB implements HDFSAccessVerifier, PolicyChangeListener { - - private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ; - - private static URLBasedAuthDB me = null; - - 
private PolicyRefresher refresher = null ; - - private PolicyContainer policyContainer = null; - - private HashMap<String,Boolean> cachedAuditFlag = new HashMap<String,Boolean>() ; // needs to be cleaned when ruleList changes - - private static final long MAX_NO_OF_AUDIT_CACHE_ENTRIES = 1000L ; - - - public static URLBasedAuthDB getInstance() { - if (me == null) { - synchronized (URLBasedAuthDB.class) { - URLBasedAuthDB temp = me; - if (temp == null) { - me = new URLBasedAuthDB(); - me.init() ; - } - } - } - return me; - } - - private URLBasedAuthDB() { - String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_PROP); - long refreshInMilli = XaSecureConfiguration.getInstance().getLong( - XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP , - XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT); - String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_SSL_CONFIG_FILE_PROP) ; - - String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_LAST_SAVED_POLICY_FILE_PROP) ; - - refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ; - - String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_SAVE_FILE_PROP) ; - if (saveAsFileName != null) { - refresher.setSaveAsFileName(saveAsFileName) ; - } - - if (lastStoredFileName != null) { - refresher.setLastStoredFileName(lastStoredFileName); - } - } - - private void init() { - refresher.setPolicyChangeListener(this); - } - - @Override - public void OnPolicyChange(PolicyContainer aPolicyContainer) { - setPolicyContainer(aPolicyContainer); - } - - - @Override - public boolean isAccessGranted(String aPathName, String pathOwnerName, String access, String username, Set<String> groups) { - - PolicyContainer pc = getPolicyContainer() ; - - if (pc == null) { - 
return false ; - } - - for(Policy acl : pc.getAcl()) { - - if (! acl.isEnabled()) { - LOG.debug("Diabled acl found [" + acl + "]. Skipping this acl ...") ; - continue ; - } - - for(ResourcePath resource : acl.getResourceList()) { - - String path = resource.getPath() ; - - boolean rulePathMatched = false ; - - if (acl.getRecursiveInd() == 1) { - if (resource.isWildcardPath()) { - rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ; - } - else { - rulePathMatched = aPathName.startsWith(path) ; - } - } - else { - if (resource.isWildcardPath()) { - rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ; - } - else { - rulePathMatched = aPathName.equals(path) ; - } - } - - - if (rulePathMatched) { - for (RolePermission rp : acl.getPermissions()) { - if (rp.getAccess().contains(access)) { - if ( rp.getUsers().contains(username) ) { - return true ; - } - for(String ug : groups) { - if ( rp.getGroups().contains(ug)) { - return true ; - } - } - if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) { - return true ; - } - } - } - } - - } - } - - return false ; - - } - - public static boolean isRecursiveWildCardMatch(String pathToCheck, String wildcardPath) { - if (pathToCheck != null) { - StringBuilder sb = new StringBuilder() ; - for(String p : pathToCheck.split(File.separator) ) { - sb.append(p) ; - boolean matchFound = FilenameUtils.wildcardMatch(sb.toString(), wildcardPath) ; - if (matchFound) { - return true ; - } - sb.append(File.separator) ; - } - sb = null; - } - return false; - } - - public PolicyContainer getPolicyContainer() { - return policyContainer; - } - - private synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) { - - for(Policy p : aPolicyContainer.getAcl()) { - for(RolePermission rp : p.getPermissions()) { - List<String> rpaccess = rp.getAccess() ; - if (rpaccess != null && rpaccess.size() > 0) { - List<String> temp = new ArrayList<String>() ; - for(String s : rpaccess) { - temp.add(s.toLowerCase()) ; - } 
- rp.setAccess(temp); - } - } - } - - this.policyContainer = aPolicyContainer ; - this.cachedAuditFlag.clear(); - } - - - - public UserPermission printPermissionInfo(UserGroupInformation ugi) { - return printPermissionInfo(ugi, null) ; - } - - public UserPermission printPermissionInfo(UserGroupInformation ugi, String aPathName) { - - String username = ugi.getShortUserName() ; - - String[] groups = ugi.getGroupNames() ; - - UserPermission up = new UserPermission(username,groups, aPathName) ; - - PolicyContainer pc = getPolicyContainer() ; - - if (pc != null) { - - for(Policy acl : pc.getAcl()) { - - for(ResourcePath resource : acl.getResourceList()) { - - String path = resource.getPath() ; - - boolean rulePathMatched = false ; - - if (acl.getRecursiveInd() == 1) { - if (resource.isWildcardPath()) { - rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ; - } - else { - rulePathMatched = aPathName.startsWith(path) ; - } - } - else { - if (resource.isWildcardPath()) { - rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ; - } - else { - rulePathMatched = aPathName.equals(path) ; - } - } - - - if (rulePathMatched) { - for (RolePermission rp : acl.getPermissions()) { - boolean isAccessGranted = false ; - if (! isAccessGranted ) { - if ( rp.getUsers().contains(username) ) { - up.add(resource, acl.getRecursiveInd(), username, null, rp.getAccess()); - isAccessGranted = true ; - } - } - if ( ! isAccessGranted ) { - for(String ug : groups) { - if ( rp.getGroups().contains(ug)) { - up.add(resource, acl.getRecursiveInd(), null, ug, rp.getAccess()); - } - } - } - if (! 
isAccessGranted ) { - if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) { - up.add(resource, acl.getRecursiveInd(), null, XaSecureConstants.PUBLIC_ACCESS_ROLE, rp.getAccess()); - } - } - } - } - } - } - } - - return up ; - } - - - class UserPermission { - - private String userName ; - private String groups ; - private String pathName ; - private HashMap<String,HashSet<String>> userPermissionMap = new HashMap<String,HashSet<String>>() ; - - public UserPermission(String userName, String[] groupList, String pathName) { - this.userName = userName ; - this.pathName = pathName ; - StringBuilder sb = new StringBuilder() ; - boolean first = true ; - TreeSet<String> gl = new TreeSet<String>() ; - for(String g : groupList) { - gl.add(g) ; - } - for(String group : gl) { - if (first) { - first = false ; - } - else { - sb.append(",") ; - } - sb.append(group) ; - } - this.groups = sb.toString() ; - } - - - public void add(ResourcePath resource, int recursiveInd, String userName, String groupName, List<String> accessList) { - - String path = resource.getPath() ; - - if (recursiveInd == 1) { - if (path.endsWith("/")) { - path = path + "**" ; - } - else { - path = path + "/" + "**" ; - } - } - - HashSet<String> permMap = userPermissionMap.get(path) ; - - if (permMap == null) { - permMap = new HashSet<String>() ; - userPermissionMap.put(path,permMap) ; - } - - for(String access : accessList) { - if (! permMap.contains(access)) { - permMap.add(access) ; - } - } - - } - - public void printUserInfo() { - System.out.println("# USER INFORMATION") ; - System.out.println("USER: " + userName ) ; - System.out.println("GROUPS: " + groups ) ; - } - - public void print() { - if (pathName != null) { - System.out.println("# PERMISSION INFORMATION FOR PATH [" + pathName + "]" + (userPermissionMap.size() == 0 ? " - NO RULES FOUND" : "")) ; - } - else { - System.out.println("# PERMISSION INFORMATION" + (userPermissionMap.size() == 0 ? 
" - NO RULES FOUND" : "")) ; - } - - - if (userPermissionMap.size() > 0) { - TreeSet<String> pathSet = new TreeSet<String>() ; - pathSet.addAll(userPermissionMap.keySet()) ; - StringBuilder sb = new StringBuilder(); - for(String path : pathSet) { - sb.setLength(0) ; - sb.append(String.format("%-50s", path)).append("|") ; - TreeSet<String> permSet = new TreeSet<String>() ; - permSet.addAll(userPermissionMap.get(path)) ; - boolean first = true ; - for(String perm: permSet) { - if (! first) { - sb.append(",") ; - } - else { - first = false ; - } - sb.append(perm) ; - } - System.out.println(sb.toString()) ; - } - } - - } - } - - - @Override - public boolean isAuditLogEnabled(String aPathName) { - boolean ret = false ; - - HashMap<String,Boolean> tempCachedAuditFlag = cachedAuditFlag ; - - Boolean auditResult = (tempCachedAuditFlag == null ? null : tempCachedAuditFlag.get(aPathName)) ; - - if (auditResult != null) { - ret = auditResult ; - } - else { - ret = isAuditLogEnabledByACL(aPathName) ; - if (tempCachedAuditFlag != null) { - // tempCachedAuditFlag.put(aPathName,Boolean.valueOf(ret)) ; - synchronized(tempCachedAuditFlag) { - if (tempCachedAuditFlag.size() > MAX_NO_OF_AUDIT_CACHE_ENTRIES) { - tempCachedAuditFlag.clear(); - } - tempCachedAuditFlag.put(aPathName,Boolean.valueOf(ret)) ; - } - } - } - - return ret ; - - } - - - public boolean isAuditLogEnabledByACL(String aPathName) { - - boolean ret = false ; - - PolicyContainer pc = getPolicyContainer() ; - - if (pc == null) { - return false ; - } - - for(Policy acl : pc.getAcl()) { - - for(ResourcePath resource : acl.getResourceList()) { - - String path = resource.getPath() ; - - boolean rulePathMatched = false ; - - if (acl.getRecursiveInd() == 1) { - if (resource.isWildcardPath()) { - rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ; - } - else { - rulePathMatched = aPathName.startsWith(path) ; - } - } - else { - if (resource.isWildcardPath()) { - rulePathMatched = 
FilenameUtils.wildcardMatch(aPathName, path) ; - } - else { - rulePathMatched = aPathName.equals(path) ; - } - } - - - if (rulePathMatched) { - ret = ( acl.getAuditInd() == 1) ; - break ; - } - } - } - - return ret ; - } - - public static void main(String[] args) throws Throwable { - LogManager.getLogger(URLBasedAuthDB.class).setLevel(Level.ERROR); - URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ; - UserPermission up = null; - if (args.length == 0) { - up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser()); - up.printUserInfo() ; - up.print(); - } - else { - up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser()); - up.printUserInfo() ; - for(String path : args) { - up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser(), path); - up.print(); - System.out.println(); - } - } - System.exit(0); - } - -}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
deleted file mode 100644
index c29dd7c..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.hdfs;
-
-import java.util.Set;
-
-import com.xasecure.authorization.hadoop.HDFSAccessVerifier;
-
-public class XASecureAuthorizer implements HDFSAccessVerifier {
-
- private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
-
- @Override
- public boolean isAccessGranted(String aPathName, String aPathOwnerName, String access, String username, Set<String> groups) {
- return authDB.isAccessGranted(aPathName, aPathOwnerName, access, username, groups);
- }
-
- @Override
- public boolean isAuditLogEnabled(String aPathName) {
- return authDB.isAuditLogEnabled(aPathName) ;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
deleted file mode 100644
index e64c3e9..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
+++ /dev/null
@@ -1,307 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.hive; - -import java.util.ArrayList; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.security.UserGroupInformation; - -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo; -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveAccessType; -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveObjectType; -import com.xasecure.authorization.utils.StringUtil; - -public class HiveAuthDB { - - private static final Log LOG = LogFactory.getLog(HiveAuthDB.class); - - private ArrayList<HiveAuthRule> allRuleList = null; - private ArrayList<HiveAuthRule> tblRuleList = null; - private ArrayList<HiveAuthRule> colRuleList = null; - - public HiveAuthDB() { - this(null) ; - } - - - public HiveAuthDB(ArrayList<HiveAuthRule> aRuleList) { - - if (aRuleList == null) { - aRuleList = new ArrayList<HiveAuthRule>() ; - } - - LOG.info("Number of Rules in the PolicyContainer: " + ((aRuleList == null) ? 
0 : aRuleList.size()) ) ; - - allRuleList = new ArrayList<HiveAuthRule>() ; - colRuleList = new ArrayList<HiveAuthRule>(); - tblRuleList = new ArrayList<HiveAuthRule>() ; - - allRuleList = aRuleList ; - - for (HiveAuthRule rule : aRuleList) { - if (rule.isTableRule()) { - this.tblRuleList.add(rule); - } else { - this.colRuleList.add(rule); - } - } - - } - - public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) { - boolean ret = false; - - if(objAccessInfo.getAccessType() == HiveAccessType.NONE || objAccessInfo.getObjectType() == HiveObjectType.NONE) { - return true; - } - - String accessType = objAccessInfo.getAccessType().name(); - - switch(objAccessInfo.getObjectType()) { - case DATABASE: - ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase()); - break; - - case TABLE: - case INDEX: - case PARTITION: - ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getTable()); - break; - - case VIEW: - ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getView()); - break; - - case COLUMN: - { - String deniedColumn = findDeniedColumn(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getTable(), objAccessInfo.getColumns()); - - ret = StringUtil.isEmpty(deniedColumn); - - if(! 
ret) { - objAccessInfo.setDeinedObjectName(XaHiveObjectAccessInfo.getObjectName(objAccessInfo.getDatabase(), objAccessInfo.getTable(), deniedColumn)); - } - } - break; - - case FUNCTION: - ret = isUDFAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getFunction()); - break; - - case URI: - // Handled in XaSecureHiveAuthorizer - break; - - case NONE: - break; - } - - return ret; - } - - public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) { - boolean ret = false; - - if( objAccessInfo.getAccessType() == HiveAccessType.NONE - || objAccessInfo.getObjectType() == HiveObjectType.NONE - || objAccessInfo.getObjectType() == HiveObjectType.URI - ) { - return false; - } - - String database = null; - String table = null; - List<String> columns = null; - boolean isUDF = false; - - switch(objAccessInfo.getObjectType()) { - case DATABASE: - database = objAccessInfo.getDatabase(); - break; - - case TABLE: - case INDEX: - case PARTITION: - database = objAccessInfo.getDatabase(); - table = objAccessInfo.getTable(); - break; - - case VIEW: - database = objAccessInfo.getDatabase(); - table = objAccessInfo.getView(); - break; - - case COLUMN: - database = objAccessInfo.getDatabase(); - table = objAccessInfo.getTable(); - columns = objAccessInfo.getColumns(); - break; - - case FUNCTION: - database = objAccessInfo.getDatabase(); - table = objAccessInfo.getFunction(); - isUDF = true; - break; - - case NONE: - case URI: - break; - } - - if(StringUtil.isEmpty(columns)) { - for (HiveAuthRule rule : allRuleList) { - if(isUDF != rule.isUdf()) { - continue; - } - - if (rule.isTableMatch(database, table)) { - ret = rule.isAudited() ; - - if (ret) { - if (LOG.isDebugEnabled()) { - LOG.debug("isAudited(database=" + database + ", table=" + table + ", columns=" + StringUtil.toString(columns) + ") => [" + ret + "] as matched for rule: " + rule); - } - - break ; - } - } - } - } else { - // is audit enabled for any one column being accessed? 
- for(String colName : columns) { - for (HiveAuthRule rule : allRuleList) { - if(isUDF != rule.isUdf()) { - continue; - } - - ret = rule.isMatched(database, table, colName) && rule.isAudited(); - - if (ret) { - if (LOG.isDebugEnabled()) { - LOG.debug("isAudited(database=" + database + ", table=" + table + ", columns=" + StringUtil.toString(columns) + ") => [" + ret + "] as matched for rule: " + rule); - } - - break ; - } - } - - if(ret) { - break; - } - } - } - - return ret ; - } - - private boolean isAccessAllowed(UserGroupInformation ugi, String accessType, String database) { - boolean ret = false; - - for (HiveAuthRule rule : allRuleList) { - ret = rule.isMatched(database, ugi.getShortUserName(), ugi.getGroupNames(), accessType); - - if(ret) { - if (LOG.isDebugEnabled()) { - LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ") => [" + ret + "] as matched for rule: " + rule); - } - - break; - } - } - - return ret; - } - - private boolean isAccessAllowed(UserGroupInformation ugi, String accessType, String database, String tableOrView) { - boolean ret = false; - - for (HiveAuthRule rule : tblRuleList) { - ret = rule.isMatched(database, tableOrView, ugi.getShortUserName(), ugi.getGroupNames(), accessType); - - if(ret) { - if (LOG.isDebugEnabled()) { - LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ") => [" + ret + "] as matched for rule: " + rule); - } - - break; - } - } - - return ret; - } - - private String findDeniedColumn(UserGroupInformation ugi, String accessType, String database, String tableOrView, List<String> columns) { - String deinedColumn = null; - - boolean isAllowed = isAccessAllowed(ugi, accessType, database, tableOrView); // check if access is allowed at the table 
level
-
- if(!isAllowed && !StringUtil.isEmpty(columns)) {
- for(String column : columns) {
- for (HiveAuthRule rule : colRuleList) {
- isAllowed = rule.isMatched(database, tableOrView, column, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
-
- if(isAllowed) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ", column=" + column + ") => [" + isAllowed + "] as matched for rule: " + rule);
- }
-
- break;
- }
- }
-
- if(!isAllowed) {
- deinedColumn = column;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ", column=" + column + ") => [" + isAllowed + "]");
- }
- break;
- }
- }
- }
-
- return deinedColumn;
- }
-
- private boolean isUDFAccessAllowed(UserGroupInformation ugi, String accessType, String database, String udfName) {
- boolean ret = false;
-
- for (HiveAuthRule rule : tblRuleList) {
- if(! rule.isUdf()) {
- continue;
- }
-
- ret = rule.isMatched(database, udfName, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
-
- if(ret) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", udfName=" + udfName + ") => [" + ret + "] as matched for rule: " + rule);
- }
-
- break;
- }
- }
-
- return ret;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
deleted file mode 100644
index 984b680..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
+++ /dev/null
@@ -1,223 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.hive; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveAccessType; -import com.xasecure.authorization.hive.constants.XaSecureHiveConstants; -import com.xasecure.authorization.utils.StringUtil; - - -public class HiveAuthRule { - - private static final Log LOG = LogFactory.getLog(HiveAuthRule.class) ; - - public static final String WILDCARD_OBJECT = ".*" ; - - private String databaseName; - private String tableName; - private String columnName; - private String accessType; - private String group; - private String user; - private boolean tableRule = false; - private boolean allGranted = false; - private boolean udf = false; - private boolean tableExcluded = false; - private boolean columnExcluded = false; - private boolean audited = false; - private boolean encrypted = false; - - public HiveAuthRule(String dbName, String tableName, String colName, String permission, String user, String group) { - this(false, dbName,tableName,colName,permission,user,group, false, false) ; - } - - public HiveAuthRule(boolean 
udfInd, String dbName, String tableName, String colName, String permission, String user, String group, boolean tableExclusionFlag, boolean columnExclusionFlag) { - this.udf = udfInd ; - this.databaseName = StringUtil.toLower(dbName); - this.tableName = StringUtil.toLower(tableName); - this.columnName = StringUtil.toLower(colName); - this.accessType = permission ; - this.user = user; - this.group = group ; - this.tableExcluded = tableExclusionFlag ; - this.columnExcluded = columnExclusionFlag ; - - this.allGranted = StringUtil.equalsIgnoreCase(HiveAccessType.ALL.name(), accessType); - - tableRule = StringUtil.isEmpty(columnName) || WILDCARD_OBJECT.matches(columnName) ; - } - - @Override - public String toString() { - return "db:" + databaseName + ", table: " + tableName + ", columnName: " + columnName + ", accessType: " + accessType + ",user: " + user + ", group: " + group + ",isTable:" + tableRule + ",audited:" + audited + ",encrypted:" + encrypted ; - } - - public boolean isMatched(String user, String[] groups, String accessType) { - String dbName = null; - String tblName = null; - String colName = null; - - return isMatched(dbName, tblName, colName, user, groups, accessType) ; - } - - public boolean isMatched(String dbName, String user, String[] groups, String accessType) { - String tblName = null; - String colName = null; - - return isMatched(dbName, tblName, colName, user, groups, accessType) ; - } - - public boolean isMatched(String dbName, String tblName, String user, String[] groups, String accessType) { - String colName = null; - - return isMatched(dbName, tblName, colName, user, groups, accessType) ; - } - - public boolean isMatched(String dbName, String tblName, String colName, String user, String[] groups, String accessType) { - boolean ret = isMatched(dbName, tblName, colName); - - if(ret) { - // does accessType match? - ret = StringUtil.equalsIgnoreCase(accessType, this.accessType); - - if(! 
ret && !StringUtil.equalsIgnoreCase(accessType, HiveAccessType.ADMIN.name())) { - ret = this.isAllGranted() || StringUtil.equalsIgnoreCase(accessType, "USE"); - } - - if(ret) { - // does user/group match? - ret = StringUtil.equals(user, this.user) || - StringUtil.equals(XaSecureHiveConstants.PUBLIC_ACCESS_ROLE, this.group) || - StringUtil.contains(groups, this.group); - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("isMatched(db=" + dbName + ", table=" + tblName + ", col=" + colName + ", user=" + user + ", groups=" + StringUtil.toString(groups) + ", accessType=" + accessType + ") => rule[" + this.databaseName + ":" + this.tableName + ":" + this.columnName + ":" + this.user + ":" + this.group + ":" + this.accessType + "] returns [" + ret + "]"); - } - - return ret ; - } - - public boolean isMatched(String dbName, String tblName, String colName) { - boolean ret = isTableMatch(dbName, tblName); - - if (ret) { - colName = StringUtil.toLower(colName); - - if (colName != null) { - ret = colName.matches(this.columnName); - - if (columnExcluded) { - ret = (! 
ret) ;
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("isMatched(db=" + dbName + ", table=" + tblName + ", col=" + colName + ") => rule[" + this.databaseName + ":" + this.tableName + ":" + this.columnName + "] returns [" + ret + "]");
- }
-
- return ret ;
- }
-
- public boolean isTableMatch(String dbName, String tblName) {
- boolean ret = isDBMatch(dbName);
-
- if(ret) {
- tblName = StringUtil.toLower(tblName);
-
- if(tblName != null) {
- ret = tblName.matches(this.tableName);
-
- if(tableExcluded) {
- ret = !ret;
- }
- }
- }
-
- return ret;
- }
-
- public boolean isDBMatch(String dbName) {
- boolean ret = false;
-
- dbName = StringUtil.toLower(dbName);
-
- ret = dbName == null || dbName.matches(this.databaseName);
-
- return ret;
- }
-
- public String getDbName() {
- return databaseName;
- }
-
- public String getTableName() {
- return tableName;
- }
-
- public String getColumnName() {
- return columnName;
- }
-
- public String getAccessType() {
- return accessType;
- }
-
- public String getUser() {
- return user;
- }
-
- public String getGroup() {
- return group;
- }
-
- public boolean isTableRule() {
- return tableRule;
- }
-
- public boolean isAllGranted() {
- return allGranted ;
- }
-
- public boolean isUdf() {
- return udf;
- }
-
- public boolean isAudited() {
- return audited;
- }
-
- public void setAudited(boolean audited) {
- this.audited = audited;
- }
-
- public boolean isEncrypted() {
- return encrypted;
- }
-
- public void setEncrypted(boolean encrypted) {
- this.encrypted = encrypted;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
deleted file mode 100644
index 3fd845e..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
+++ /dev/null
@@ -1,65 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.hive; - - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.hive.ql.metadata.AuthorizationException; -import org.apache.hadoop.security.UserGroupInformation; - -import com.xasecure.authorization.hive.XaHiveAccessVerifier; -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo; - -public class HiveAuthorizationProviderBase implements XaHiveAccessVerifier { - - private static final Log LOG = LogFactory.getLog(HiveAuthorizationProviderBase.class); - - protected HiveAuthDB authDB = new HiveAuthDB() ; - - - public HiveAuthDB getAuthDB() { - return authDB ; - } - - @Override - public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) { - HiveAuthDB ldb = authDB ; - - if (ldb == null) { - throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ; - } - - boolean ret = ldb.isAccessAllowed(ugi, objAccessInfo); - - return ret; - } - - @Override - public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) { - HiveAuthDB ldb = authDB ; - - if (ldb == null) { - throw new 
AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ; - } - - return ldb.isAudited(objAccessInfo) ; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java deleted file mode 100644 index fc07c6e..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java +++ /dev/null 
@@ -1,222 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.pdp.hive; - -import java.util.ArrayList; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.xasecure.authorization.hadoop.config.XaSecureConfiguration; -import com.xasecure.pdp.config.PolicyChangeListener; -import com.xasecure.pdp.config.PolicyRefresher; -import com.xasecure.pdp.constants.XaSecureConstants; -import com.xasecure.pdp.model.Policy; -import com.xasecure.pdp.model.PolicyContainer; -import com.xasecure.pdp.model.RolePermission; - -public class URLBasedAuthDB extends HiveAuthorizationProviderBase implements PolicyChangeListener { - - private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ; - - private static URLBasedAuthDB me = null ; - - private PolicyContainer policyContainer = null ; - - private PolicyRefresher refresher = null ; - - - public static URLBasedAuthDB getInstance() { - if (me == null) { - synchronized(URLBasedAuthDB.class) { - URLBasedAuthDB temp = me ; - if (temp == null) { - me = new URLBasedAuthDB() ; - me.init() ; - } - } - } - return me ; - } - - private URLBasedAuthDB() { - String url = 
XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_PROP); - long refreshInMilli = XaSecureConfiguration.getInstance().getLong( - XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP , - XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT); - - String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_LAST_SAVED_POLICY_FILE_PROP) ; - - String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_SSL_CONFIG_FILE_PROP) ; - refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ; - - String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_SAVE_FILE_PROP) ; - if (saveAsFileName != null) { - refresher.setSaveAsFileName(saveAsFileName) ; - } - - if (lastStoredFileName != null) { - refresher.setLastStoredFileName(lastStoredFileName); - } - - } - - private void init() { - refresher.setPolicyChangeListener(this); - } - - public PolicyContainer getPolicyContainer() { - return policyContainer; - } - - @Override - public void OnPolicyChange(PolicyContainer policyContainer) { - - LOG.debug("OnPolicyChange() has been called with new PolicyContainer .....") ; - - try { - - ArrayList<HiveAuthRule> ruleListTemp = new ArrayList<HiveAuthRule>(); - - this.policyContainer = policyContainer; - - if (LOG.isDebugEnabled()) { - LOG.debug("Number of acl found (before isEnabled check): " + ( policyContainer.getAcl() == null ? 0 : policyContainer.getAcl().size() ) ); - } - - for(Policy acl : policyContainer.getAcl()) { - - if (! acl.isEnabled()) { - LOG.debug("Diabled acl found [" + acl + "]. Skipping this acl ...") ; - continue ; - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Number of database found in acl [" + acl + "] " + ( acl.getDatabaseList() == null ? 
0 : acl.getDatabaseList().size() ) ); - LOG.debug("Number of Tables found in acl [" + acl + "] " + ( acl.getTableList() == null ? 0 : acl.getTableList().size() ) ); - LOG.debug("Number of Columns found in acl [" + acl + "] " + ( acl.getColumnList()== null ? 0 : acl.getColumnList().size() ) ); - } - - boolean isUDF = false ; - - List<String> dbList = new ArrayList<String>() ; - String dbs = replaceFileBasedRegEx(acl.getDatabases()) ; - dbList.add(getRegExFormatted(dbs)) ; - - List<String> tableList = new ArrayList<String>() ; - String udfs = acl.getUdfs() ; - if (udfs != null) { - isUDF = true ; - dbList.clear(); - dbList.add(HiveAuthRule.WILDCARD_OBJECT) ; - tableList.clear(); - udfs = replaceFileBasedRegEx(udfs) ; - tableList.add(getRegExFormatted(udfs)) ; - } - else { - String tables = replaceFileBasedRegEx(acl.getTables()) ; - tableList.add(getRegExFormatted(tables)) ; - } - - List<String> columnList = new ArrayList<String>() ; - String columns = replaceFileBasedRegEx(acl.getColumns()) ; - columnList.add(getRegExFormatted(columns)) ; - - - boolean isAudited = (acl.getAuditInd() == 1) ; - - boolean isEncrypted = (acl.getEncryptInd() == 1) ; - - for(String db : dbList) { - - for(String table : tableList) { - - for(String col : columnList) { - - for(RolePermission rp : acl.getPermissions()) { - for (String accessLevel : rp.getAccess() ) { - for (String group : rp.getGroups()) { - HiveAuthRule rule = new HiveAuthRule(isUDF, db, table, col, accessLevel.toLowerCase(), null, group, acl.isTableSelectionExcluded(), acl.isColumnSelectionExcluded()); - rule.setAudited(isAudited); - rule.setEncrypted(isEncrypted); - LOG.debug("Adding rule [" + rule + "] to the authdb."); - ruleListTemp.add(rule); - } - for (String user : rp.getUsers()) { - HiveAuthRule rule = new HiveAuthRule(isUDF, db, table, col, accessLevel.toLowerCase(), user, null,acl.isTableSelectionExcluded(), acl.isColumnSelectionExcluded()); - rule.setAudited(isAudited); - rule.setEncrypted(isEncrypted); - 
LOG.debug("Adding rule [" + rule + "] to the authdb."); - ruleListTemp.add(rule); - } - } - } - - - } - } - } - } - HiveAuthDB authDBTemp = new HiveAuthDB(ruleListTemp); - authDB = authDBTemp; - } - catch(Throwable t) { - LOG.error("OnPolicyChange has failed with an exception", t); - } - } - - public static String getRegExFormatted(String userEnteredStr) { - - if (userEnteredStr == null || userEnteredStr.trim().length() == 0) { - return HiveAuthRule.WILDCARD_OBJECT ; - } - - StringBuilder sb = new StringBuilder() ; - - for(String s : userEnteredStr.split(",")) { - if (sb.length() == 0) { - sb.append("(") ; - } - else { - sb.append("|") ; - } - sb.append(s.trim()) ; - } - - if (sb.length() > 0) { - sb.append(")") ; - } - - return sb.toString() ; - } - - - public static String replaceFileBasedRegEx(String userEnteredStr) { - if (userEnteredStr != null) { - userEnteredStr = userEnteredStr.replaceAll("\\.", "\\.") - .replaceAll("\\?", "\\.") - .replaceAll("\\*", ".*") ; - } - return userEnteredStr ; - } - - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java deleted file mode 100644 index 2eca90f..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java +++ /dev/null 
@@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.hive; - -import org.apache.hadoop.hive.ql.metadata.AuthorizationException; -import org.apache.hadoop.security.UserGroupInformation; - -import com.xasecure.authorization.hive.XaHiveAccessVerifier; -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo; - -public class XASecureAuthorizer implements XaHiveAccessVerifier { - - private XaHiveAccessVerifier authDB = URLBasedAuthDB.getInstance() ; - - - @Override - public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) { - if (authDB == null) { - throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ; - } - return authDB.isAccessAllowed(ugi, objAccessInfo); - } - - @Override - public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) { - if (authDB == null) { - throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ; - } - return authDB.isAudited(objAccessInfo) ; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java 
---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java deleted file mode 100644 index fb147b3..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java +++ /dev/null 
@@ -1,453 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.xasecure.pdp.knox; - -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Set; - -import org.apache.commons.io.FilenameUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.xasecure.authorization.hadoop.config.XaSecureConfiguration; -import com.xasecure.pdp.config.Jersey2PolicyRefresher; -import com.xasecure.pdp.config.PolicyChangeListener; -import com.xasecure.pdp.constants.XaSecureConstants; -import com.xasecure.pdp.model.Policy; -import com.xasecure.pdp.model.PolicyContainer; -import com.xasecure.pdp.model.RolePermission; - -public class URLBasedAuthDB implements PolicyChangeListener { - - private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ; - - private static URLBasedAuthDB me = null; - - private Jersey2PolicyRefresher refresher = null ; - - private PolicyContainer policyContainer = null; - - private HashMap<String,Boolean> cachedAuditFlag = new HashMap<String,Boolean>() ; // needs to be cleaned when ruleList changes - - public static URLBasedAuthDB getInstance() { - if (me == null) { - synchronized 
(URLBasedAuthDB.class) { - URLBasedAuthDB temp = me; - if (temp == null) { - me = new URLBasedAuthDB(); - me.init() ; - } - } - } - return me; - } - - public static URLBasedAuthDB getInstanceWithBackEndMocked() { - return new URLBasedAuthDB("instanceWithBackednMocked"); - } - - private URLBasedAuthDB() { - String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_PROP); - long refreshInMilli = XaSecureConfiguration.getInstance().getLong( - XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP , - XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT); - String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_SSL_CONFIG_FILE_PROP) ; - - String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_LAST_SAVED_POLICY_FILE_PROP) ; - - refresher = new Jersey2PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ; - - String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_SAVE_FILE_PROP) ; - if (saveAsFileName != null) { - refresher.setSaveAsFileName(saveAsFileName) ; - } - - if (lastStoredFileName != null) { - refresher.setLastStoredFileName(lastStoredFileName); - } - } - - private URLBasedAuthDB(String mockName) { - } - - private void init() { - refresher.setPolicyChangeListener(this); - } - - - @Override - public void OnPolicyChange(PolicyContainer aPolicyContainer) { - setPolicyContainer(aPolicyContainer); - } - - - public boolean isAccessGranted(String topology, String service, String access, String userName, Set<String> groups, - String requestIp) { - - boolean accessGranted = false; - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating access for topology: " + topology + - ", service: " + service + - ", access: " + access + - ", requestingIp: " +requestIp + - ", requestingUser: " + userName + - ", 
requestingUserGroups: " + groups); - } - PolicyContainer policyContainer = getPolicyContainer() ; - - if (policyContainer == null) { - LOG.warn("Denying access: policyContainer is null") ; - return false ; - } - - for(Policy policy : policyContainer.getAcl()) { - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating policy: " + policy.toString() ) ; - } - - if (!policy.isEnabled()) { - if (LOG.isDebugEnabled()) { - LOG.debug("Skipping policy: " + policy + ", policy disabled") ; - } - continue; // jump to next policy - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating topology match for policyTopologyList: " + policy.getTopologyList() + - ", requestTopology: " + topology) ; - } - - boolean topologyMatched = false; - - List<String> topologyList = policy.getTopologyList(); - if (topologyList == null || topologyList.isEmpty()) { - LOG.debug("Denying access: policy topologyList is empty") ; - continue; // jump to next policy - } - - if (topologyList.contains("*") || topologyList.contains(topology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - } - - if (!topologyMatched) { - for (String policyTopology : topologyList) { - if (FilenameUtils.wildcardMatch(topology, policyTopology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - break; // break out of topologyList - } - } - } - if (!topologyMatched) { - LOG.debug("Denying access: policy topologyList does not match requested topology") ; - continue; // jump to next policy - } else { - LOG.debug("policy topologyList matches requested topology"); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating service match for policyServiceList: " + policy.getServiceList() + - ", requestService: " + service) ; - } - - boolean serviceMatched = false; - - List<String> serviceList = policy.getServiceList(); - if (serviceList == null || serviceList.isEmpty()) { - LOG.debug("Denying access: policy serviceList is empty") ; - continue; // 
jump to next policy - } - - if (serviceList.contains("*") || serviceList.contains(service)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - } - - if (!serviceMatched) { - for (String policyService : serviceList) { - if (FilenameUtils.wildcardMatch(service, policyService)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - break; // break out of serviceList - } - } - } - if (!serviceMatched) { - LOG.debug("Denying access: policy serviceList does not match requested service") ; - continue; // jump to next policy - } else { - LOG.debug("Policy serviceList matches requested service"); - } - - LOG.debug("Checking accessType, IP, User, Group based permission"); - if ( policy.getPermissions() == null - || policy.getPermissions().isEmpty()) { - LOG.debug("Policy not applicable, no user or group based permission"); - } - - for (RolePermission rp : policy.getPermissions()) { - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating RolePermission: " + rp); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Checking accessTypeMatch for rolePermissionAccesType: " - + rp.getAccess() + ", requestAccessType: " + access); - } - - if (rp.getAccess().contains(access)) { - - LOG.debug("RolePermission accessType matches request accessType"); - - boolean ipMatched = false; - List<String> ipList = rp.getIpAddress(); - if (LOG.isDebugEnabled()) { - LOG.debug("Checking ipMatch for rolePermissionIpList: " + ipList + - ", requestIP: " + requestIp); - } - - if (ipList == null || ipList.isEmpty()) { - LOG.debug("RolePermission does not require IP Matching"); - ipMatched = true; - } else if ( ipList.contains("*") ) { - LOG.debug("RolePermission allows any IP: *"); - ipMatched = true; - } else { - for (String ip : ipList) { - if (ipMatches(ip, requestIp)) { - LOG.debug("RolePermission IP matches request IP"); - ipMatched = true; - break;// break out of ipList - } - } - } - - if (!ipMatched) { - // ip not matched, jump 
to next RolePermission check - LOG.debug("Request IP does not match RolePermission"); - continue; // jump to next rolePermission - } else { - LOG.debug("Request IP matches RolePermission"); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Checking userMatch for rolePermissionUsers: " - + rp.getUsers() + ", requestUser: " + userName); - } - - if ( rp.getUsers() != null && rp.getUsers().contains(userName) ) { - LOG.debug("Request user matches RolePermission"); - return true ; - } - LOG.debug("RolePermission does not permit request by request user, would check by groups"); - - if (LOG.isDebugEnabled()) { - LOG.debug("Checking groupMatch for rolePermissionGroups: " - + rp.getGroups() + ", requestGroups: " + groups); - } - - for(String ug : groups) { - if ( rp.getGroups() != null && rp.getGroups().contains(ug)) { - LOG.debug("Request userGroups matches RolePermission"); - return true ; - } - } - LOG.debug("RolePermission does not permit request by request user groups"); - - if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) { - LOG.debug("RolePermission applies to public group"); - return true ; - } - - LOG.debug("RolePermission does not permit by users, groups or public group"); - } else { - LOG.debug("rolePermissionAccessType does not match requestAccessType"); - } - } - } - LOG.debug("No matching policy permission found, denying access"); - return accessGranted; - } - - public boolean isAuditEnabled(String topology, String service) { - - boolean auditEnabled = false; - - if (LOG.isDebugEnabled()) { - LOG.debug("Checcking whether audit is enabled for topology: " + topology + - ", service: " + service ); - } - - PolicyContainer policyContainer = getPolicyContainer() ; - if (policyContainer == null) { - LOG.warn("PolicyContainer is null") ; - return false ; - } - - for(Policy policy : policyContainer.getAcl()) { - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating policy: " + policy) ; - } - - if (!policy.isEnabled()) { - if (LOG.isDebugEnabled()) { - 
LOG.debug("Skipping policy: " + policy + ", policy disabled") ; - } - continue; // jump to next policy - } - - if (policy.getAuditInd() == 0) { - if (LOG.isDebugEnabled()) { - LOG.debug("Skipping policy: " + policy + ", policy audit disabled") ; - } - continue; // jump to next policy - } - - boolean topologyMatched = false; - - List<String> topologyList = policy.getTopologyList(); - if (topologyList == null || topologyList.isEmpty()) { - LOG.debug("Policy not applicable: policy topologyList is empty") ; - continue; // jump to next policy - } - - if (topologyList.contains("*") || topologyList.contains(topology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - } - - if (!topologyMatched) { - for (String policyTopology : topologyList) { - if (FilenameUtils.wildcardMatch(topology, policyTopology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - break; // break out of topologyList check - } - } - } - if (!topologyMatched) { - LOG.debug("Policy not applicable: polocy topologyList does not match requested topology") ; - continue; // jump to next policy - } else { - LOG.debug("Policy topologyList matches requested topology"); - } - - boolean serviceMatched = false; - - List<String> serviceList = policy.getServiceList(); - if (serviceList == null || serviceList.isEmpty()) { - LOG.debug("Policy not applicable: serviceList is empty") ; - continue; // jump to next policy - } - - if (serviceList.contains("*") || serviceList.contains(service)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - } - - if (!serviceMatched) { - for (String policyService : serviceList) { - if (FilenameUtils.wildcardMatch(service, policyService)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - break; // break out of serviceList check - } - } - } - if (!serviceMatched) { - LOG.debug("Policy not applicable: policy serviceList does not 
match requested service") ; - continue; // jump to next policy - } else { - LOG.debug("Policy serviceList matches requested service"); - } - auditEnabled = true;; - break; // break out of policyList check - } - return auditEnabled; - } - - public PolicyContainer getPolicyContainer() { - return policyContainer; - } - - - synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) { - - for(Policy p : aPolicyContainer.getAcl()) { - for(RolePermission rp : p.getPermissions()) { - // lowercase accesType value stings - List<String> rpaccess = rp.getAccess() ; - if (rpaccess != null && rpaccess.size() > 0) { - List<String> temp = new ArrayList<String>() ; - for(String s : rpaccess) { - temp.add(s.toLowerCase()) ; - } - rp.setAccess(temp); - } - } - } - - this.policyContainer = aPolicyContainer ; - this.cachedAuditFlag.clear(); - } - - - private boolean ipMatches(String policyIp, String requestIp) { - if (policyIp == null) { - return false; - } - policyIp = policyIp.trim(); - if (policyIp.isEmpty()) { - return false; - } - boolean ipMatched = false; - boolean wildEnd = false; - if (policyIp.contains(".")) { - while (policyIp.endsWith(".*")) { - wildEnd = true; - policyIp = policyIp.substring(0, policyIp.lastIndexOf(".*")); - } - if (wildEnd) { - policyIp = policyIp + "."; - } - } else if (policyIp.contains(":")) { - while (policyIp.endsWith(":*")) { - wildEnd = true; - policyIp = policyIp.substring(0, policyIp.lastIndexOf(":*")); - } - if (wildEnd) { - policyIp = policyIp + ":"; - } - } - if (wildEnd && requestIp.toLowerCase().startsWith(policyIp.toLowerCase())) { - ipMatched = true; - } else if (policyIp.equalsIgnoreCase(requestIp)) { - ipMatched = true; - } - return ipMatched; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java ---------------------------------------------------------------------- 
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java deleted file mode 100644 index d3d2500..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java +++ /dev/null 
@@ -1,65 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.xasecure.pdp.knox; - -import java.util.Set; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.xasecure.authorization.knox.KnoxAccessVerifier; - -public class XASecureAuthorizer implements KnoxAccessVerifier { - - private static final Log LOG = LogFactory.getLog(XASecureAuthorizer.class) ; - - private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ; - - public XASecureAuthorizer() { - } - - @Override - public boolean isAccessAllowed(String topologyName, String serviceName, String accessType, - String userName, Set<String> groups, String requestIp) { - boolean accessAllowed = authDB.isAccessGranted(topologyName, serviceName, accessType, userName, groups, - requestIp); - if (LOG.isDebugEnabled()) { - LOG.debug("Computed access permission for topology: " + topologyName + - ", service: " + serviceName + - ", access: " + accessType + - ", requestingIp: " +requestIp + - ", requestingUser: " + userName + - ", requestingUserGroups: " + groups + - ", permitted: " + accessAllowed); - } - return accessAllowed; - } - - @Override - public boolean isAuditEnabled(String topologyName, 
String serviceName) { - boolean auditEnabled = authDB.isAuditEnabled(topologyName, serviceName); - if (LOG.isDebugEnabled()) { - LOG.debug("Computed audit enabled for topology: " + topologyName + - ", service: " + serviceName + - ", auditLogEnabled: " + auditEnabled); - } - return auditEnabled; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java deleted file mode 100644 index c851a11..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java +++ /dev/null 
@@ -1,73 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.xasecure.pdp.knox.deploy; - -import java.util.ArrayList; -import java.util.List; -import java.util.Map; -import java.util.Map.Entry; - -import org.apache.hadoop.gateway.deploy.DeploymentContext; -import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase; -import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor; -import org.apache.hadoop.gateway.descriptor.ResourceDescriptor; -import org.apache.hadoop.gateway.topology.Provider; -import org.apache.hadoop.gateway.topology.Service; - -public class XASecurePDPKnoxDeploymentContributor extends ProviderDeploymentContributorBase { - - private static final String FILTER_CLASSNAME = "com.xasecure.pdp.knox.filter.XASecurePDPKnoxFilter"; - - @Override - public String getRole() { - return "authorization"; - } - - @Override - public String getName() { - return "XASecurePDPKnox"; - } - - @Override - public void initializeContribution(DeploymentContext context) { - super.initializeContribution(context); - } - - @Override - public void contributeProvider( DeploymentContext context, Provider provider ) { - } - - @Override - public void contributeFilter( DeploymentContext 
context, Provider provider, Service service, - ResourceDescriptor resource, List<FilterParamDescriptor> params ) { - if (params == null) { - params = new ArrayList<FilterParamDescriptor>(); - } - // add resource role to params so that we can determine the acls to enforce at runtime - params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) ); - - // blindly add all the provider params as filter init params - // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS - Map<String, String> providerParams = provider.getParams(); - for(Entry<String, String> entry : providerParams.entrySet()) { - params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) ); - } - - resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params ); - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java deleted file mode 100644 index dfa68b5..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java +++ /dev/null 
@@ -1,215 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.xasecure.pdp.knox.filter; - -import java.io.IOException; -import java.security.AccessController; -import java.security.Principal; -import java.util.HashSet; -import java.util.Set; - -import javax.security.auth.Subject; -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletResponse; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.gateway.filter.AbstractGatewayFilter; -import org.apache.hadoop.gateway.security.GroupPrincipal; -import org.apache.hadoop.gateway.security.ImpersonatedPrincipal; -import org.apache.hadoop.gateway.security.PrimaryPrincipal; - -import com.xasecure.audit.model.EnumRepositoryType; -import com.xasecure.audit.model.KnoxAuditEvent; -import com.xasecure.audit.provider.AuditProvider; -import com.xasecure.audit.provider.AuditProviderFactory; -import com.xasecure.authorization.hadoop.config.XaSecureConfiguration; -import 
com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants; -import com.xasecure.authorization.knox.KnoxAccessVerifier; -import com.xasecure.authorization.knox.KnoxAccessVerifierFactory; -import com.xasecure.authorization.utils.StringUtil; - -public class XASecurePDPKnoxFilter implements Filter { - - private static final Log LOG = LogFactory.getLog(XASecurePDPKnoxFilter.class); - private static final String ACL_ENFORCER = "xasecure-acl"; - private static final String PERM_ALLOW = "allow"; - private String resourceRole = null; - private KnoxAccessVerifier knoxAccessVerifier; - - - AuditProvider auditProvider = AuditProviderFactory.getAuditProvider(); - private final String REPOSITORY_NAME = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP); - - static { - XaSecureConfiguration.getInstance().initAudit(AuditProviderFactory.ApplicationType.Knox); - } - - @Override - public void init(FilterConfig filterConfig) throws ServletException { - resourceRole = getInitParameter(filterConfig, "resource.role"); - knoxAccessVerifier = KnoxAccessVerifierFactory.getInstance(); - } - - private String getInitParameter(FilterConfig filterConfig, String paramName) { - return filterConfig.getInitParameter(paramName.toLowerCase()); - } - - public void destroy() { - } - - public void doFilter(ServletRequest request, ServletResponse response, - FilterChain chain) throws IOException, ServletException { - - String sourceUrl = (String) request - .getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME); - String topologyName = getTopologyName(sourceUrl); - String serviceName = getServiceName(); - - Subject subject = Subject.getSubject(AccessController.getContext()); - - Principal primaryPrincipal = (Principal) subject.getPrincipals( - PrimaryPrincipal.class).toArray()[0]; - String primaryUser = primaryPrincipal.getName(); - - String impersonatedUser = null; - Object[] impersonations = subject.getPrincipals( - 
ImpersonatedPrincipal.class).toArray(); - if (impersonations != null && impersonations.length > 0) { - impersonatedUser = ((Principal) impersonations[0]).getName(); - } - - String user = (impersonatedUser != null) ? impersonatedUser - : primaryUser; - if (LOG.isDebugEnabled()) { - LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " - + impersonatedUser + ", effectiveUser: " + user); - } - - Object[] groupObjects = subject.getPrincipals(GroupPrincipal.class) - .toArray(); - Set<String> groups = new HashSet<String>(); - for (Object obj : groupObjects) { - groups.add(((Principal) obj).getName()); - } - - String clientIp = request.getRemoteAddr(); - - if (LOG.isDebugEnabled()) { - LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " - + impersonatedUser + ", effectiveUser: " + user + - ", groups: " + groups + ", clientIp: " + clientIp); - } - boolean accessAllowed = knoxAccessVerifier.isAccessAllowed( - topologyName, serviceName, PERM_ALLOW, user, groups, clientIp); - - if (LOG.isDebugEnabled()) { - LOG.debug("Access allowed: " + accessAllowed); - } - if (accessAllowed) { - chain.doFilter(request, response); - if (knoxAccessVerifier.isAuditEnabled(topologyName, serviceName)) { - LOG.debug("Audit is enabled"); - logAuditEvent(user, clientIp, topologyName, serviceName, - "allow", true); - } else { - LOG.debug("Audit is not enabled"); - } - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Access is denied"); - } - if (knoxAccessVerifier.isAuditEnabled(topologyName, serviceName)) { - LOG.debug("Audit is enabled"); - logAuditEvent(user, clientIp, topologyName, serviceName, - "allow", false); - } else { - LOG.debug("Audit is not enabled"); - } - sendForbidden((HttpServletResponse) response); - } - } - - private void sendForbidden(HttpServletResponse res) { - sendErrorCode(res, 403); - } - - private void sendErrorCode(HttpServletResponse res, int code) { - try { - res.sendError(code); - } catch (IOException e) { - 
LOG.error("Error while redireting:", e); - } - } - - private String getTopologyName(String requestUrl) { - if (requestUrl == null) { - return null; - } - String url = requestUrl.trim(); - String[] tokens = url.split("/"); - if (tokens.length > 2) { - return tokens[2]; - } else { - return null; - } - } - - private String getServiceName() { - return resourceRole; - } - - private void logAuditEvent(String userName, String clientIp, - String topology, String service, - String accessType, boolean accessGranted) { - - KnoxAuditEvent auditEvent = new KnoxAuditEvent(); - - auditEvent.setUser(userName == null ? - XaSecureHadoopConstants.AUDITLOG_EMPTY_STRING : userName); - auditEvent.setResourcePath("/" + topology + "/" + service); - auditEvent.setResourceType("service"); - auditEvent.setAccessType(accessType); - auditEvent.setClientIP(clientIp); - auditEvent.setEventTime(StringUtil.getUTCDate()); - auditEvent.setAccessResult((short) (accessGranted ? 1 : 0)); - auditEvent.setResultReason(null); - auditEvent.setRepositoryType(EnumRepositoryType.KNOX); - auditEvent.setRepositoryName(REPOSITORY_NAME); - auditEvent.setAclEnforcer(ACL_ENFORCER); - - try { - LOG.debug("logEvent [" + auditEvent + "] - START"); - - AuditProvider ap = AuditProviderFactory.getAuditProvider(); - ap.log(auditEvent); - - LOG.debug("logEvent [" + auditEvent + "] - END"); - } catch (Throwable t) { - LOG.error("ERROR logEvent [" + auditEvent + "]", t); - } - } - - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java b/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java deleted file mode 100644 index a2bace7..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java +++ /dev/null 
@@ -1,325 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.model; - -import java.util.ArrayList; -import java.util.List; - -import com.google.gson.annotations.SerializedName; -import com.xasecure.pdp.config.gson.ExcludeSerialization; - -public class Policy { - - public static final String RESOURCE_SPLITER = "," ; - public static final String POLICY_ENABLED_STATUS = "Enabled" ; - public static final String SELECTION_TYPE_INCLUSIVE = "Inclusion" ; - public static final String SELECTION_TYPE_EXCLUSIVE = "Exclusion" ; - - // - // Only for HDFS policies - // - private String resource ; - @SerializedName("isRecursive") - private int recursiveInd; - - // Only for Knox Policies - // - - @SerializedName("topology_name") - private String topologies ; - - @SerializedName("service_name") - private String services ; - - - // - // Only for Hive Policies - // - - @SerializedName("database_name") - private String databases ; - - @SerializedName("table_name") - private String tables ; - - @SerializedName("udf_name") - private String udfs ; - - @SerializedName("column_name") - private String columns ; - - @SerializedName("column_families") - private String columnfamilies ; - - // - // Neede 
for all Policies - // - @SerializedName("permission") - private List<RolePermission> permissions ; - - @SerializedName("audit") - private int auditInd ; - - @SerializedName("encrypt") - private int encryptInd ; - - @SerializedName("policyStatus") - private String policyStatus; - - @SerializedName("tablePolicyType") - private String tableSelectionType ; - - @SerializedName("columnPolicyType") - private String columnSelectionType ; - - // Derived fields for PolicyAnalysis - @ExcludeSerialization - private List<ResourcePath> resourceList ; - @ExcludeSerialization - private List<String> databaseList ; - @ExcludeSerialization - private List<String> tableList ; - @ExcludeSerialization - private List<String> udfList ; - @ExcludeSerialization - private List<String> columnList ; - @ExcludeSerialization - private List<String> columnFamilyList ; - @ExcludeSerialization - private List<String> topologyList ; - @ExcludeSerialization - private List<String> serviceList ; - - public Policy() { - permissions = new ArrayList<RolePermission>() ; - } - - - public String getResource() { - return resource; - } - - public void setResource(String resource) { - this.resource = resource; - } - - public String getDatabases() { - return databases; - } - - public void setDatabases(String databases) { - this.databases = databases; - } - - public String getTables() { - return tables; - } - - public void setTables(String tables) { - this.tables = tables; - } - - public String gettopologies() { - return topologies; - } - - public void setTopologies(String topologies) { - this.topologies = topologies; - } - - public String getServices() { - return services; - } - - public void setServices(String services) { - this.services = services; - } - public String getUdfs() { - return udfs; - } - - public void setUdfs(String udfs) { - this.udfs = udfs; - } - - - public String getColumns() { - return columns; - } - public void setColumns(String columns) { - this.columns = columns; - } - public String 
getColumnfamilies() { - return columnfamilies; - } - public void setColumnfamilies(String columnfamilies) { - this.columnfamilies = columnfamilies; - } - - public List<RolePermission> getPermissions() { - return permissions; - } - public void setPermissions(List<RolePermission> permissions) { - this.permissions = permissions; - } - - public int getRecursiveInd() { - return recursiveInd; - } - public void setRecursiveInd(int recursiveInd) { - this.recursiveInd = recursiveInd; - } - - public int getAuditInd() { - return auditInd; - } - - - public void setAuditInd(int auditInd) { - this.auditInd = auditInd; - } - - - public int getEncryptInd() { - return encryptInd; - } - - - public void setEncryptInd(int encryptInd) { - this.encryptInd = encryptInd; - } - - public String getPolicyStatus() { - return policyStatus; - } - - - public void setPolicyStatus(String policyStatus) { - this.policyStatus = policyStatus; - } - - public String getTableSelectionType() { - return tableSelectionType; - } - - - public void setTableSelectionType(String tableSelectionType) { - this.tableSelectionType = tableSelectionType; - } - - - public String getColumnSelectionType() { - return columnSelectionType; - } - - - public void setColumnSelectionType(String columnSelectionType) { - this.columnSelectionType = columnSelectionType; - } - - public boolean isTableSelectionExcluded() { - return (this.tableSelectionType != null && SELECTION_TYPE_EXCLUSIVE.equalsIgnoreCase(this.tableSelectionType)) ; - } - - public boolean isColumnSelectionExcluded() { - return (this.columnSelectionType != null && SELECTION_TYPE_EXCLUSIVE.equalsIgnoreCase(this.columnSelectionType)) ; - } - - - // An older version of policy manager would show policyStatus as NULL (considered that as Enabled) - public boolean isEnabled() { - return (this.policyStatus == null || POLICY_ENABLED_STATUS.equalsIgnoreCase(this.policyStatus)) ; - } - - public List<ResourcePath> getResourceList() { - if (this.resourceList == null) { - 
this.resourceList = getResourceList(resource) ; - } - return this.resourceList; - } - public List<String> getDatabaseList() { - if (this.databaseList == null) { - this.databaseList = getList(this.databases) ; - } - return this.databaseList; - } - public List<String> getTableList() { - if (this.tableList == null) { - this.tableList = getList(this.tables) ; - } - return this.tableList; - } - public List<String> getColumnList() { - if (this.columnList == null) { - this.columnList = getList(this.columns) ; - } - return this.columnList; - } - public List<String> getColumnFamilyList() { - if (this.columnFamilyList == null) { - this.columnFamilyList = getList(this.columnfamilies) ; - } - return this.columnFamilyList; - } - public List<String> getUDFList() { - if (this.udfList == null && this.udfList != null) { - this.udfList = getList(this.udfs) ; - } - return this.udfList; - } - - public List<String> getTopologyList() { - if (this.topologyList == null) { - this.topologyList = getList(this.topologies) ; - } - return this.topologyList; - } - - public List<String> getServiceList() { - if (this.serviceList == null) { - this.serviceList = getList(this.services) ; - } - return this.serviceList; - } - - - private List<String> getList(String resource) { - List<String> ret = new ArrayList<String>() ; - if (resource == null || resource.trim().isEmpty()) { - resource = "*" ; - } - for(String r : resource.split(RESOURCE_SPLITER)) { - ret.add(r) ; - } - - return ret; - } - - private List<ResourcePath> getResourceList(String resource) { - List<ResourcePath> ret = new ArrayList<ResourcePath>() ; - if (resource != null && ! resource.isEmpty()) { - for(String path : resource.split(RESOURCE_SPLITER)) { - ret.add(new ResourcePath(path)) ; - } - } - return ret ; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java ---------------------------------------------------------------------- 
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java b/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java deleted file mode 100644 index 1675d34..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java +++ /dev/null 
@@ -1,55 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.model; - -import java.util.List; - -import com.google.gson.annotations.SerializedName; - -public class PolicyContainer { - - @SerializedName("repository_name") - private String repositoryName ; - - @SerializedName("last_updated") - private long lastUpdatedTimeInEpoc ; - - @SerializedName("acl") - private List<Policy> acl; - - public String getRepositoryName() { - return repositoryName; - } - public void setRepositoryName(String repositoryName) { - this.repositoryName = repositoryName; - } - public long getLastUpdatedTimeInEpoc() { - return lastUpdatedTimeInEpoc; - } - public void setLastUpdatedTimeInEpoc(long lastUpdatedTimeInEpoc) { - this.lastUpdatedTimeInEpoc = lastUpdatedTimeInEpoc; - } - public List<Policy> getAcl() { - return acl; - } - public void setAcl(List<Policy> acl) { - this.acl = acl; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java ---------------------------------------------------------------------- 
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java b/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java deleted file mode 100644 index ff6a754..0000000 --- a/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.pdp.model; - -public class ResourcePath { - - String path ; - boolean wildcardPath ; - - public ResourcePath(String path) { - this.path = path ; - if (this.path.contains("*") || this.path.contains("?")) { - this.wildcardPath = true ; - } - } - - public String getPath() { - return path; - } - - public boolean isWildcardPath() { - return wildcardPath; - } - - -}
