Repository: incubator-ranger Updated Branches: refs/heads/stack 84382d387 -> 55c260923
RANGER-203: AccessRequest object added to AccessResult object. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/55c26092 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/55c26092 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/55c26092 Branch: refs/heads/stack Commit: 55c260923b571ae29c7d92641fe8ac59b73a1b9d Parents: 84382d3 Author: Madhan Neethiraj <[email protected]> Authored: Wed Jan 21 19:21:43 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Jan 21 19:21:43 2015 -0800 ---------------------------------------------------------------------- .../ranger/plugin/audit/RangerAuditHandler.java | 7 ++- .../plugin/audit/RangerDefaultAuditHandler.java | 53 ++++++++++---------- .../plugin/policyengine/RangerAccessResult.java | 19 +++++-- .../plugin/policyengine/RangerPolicyEngine.java | 7 +-- .../policyengine/RangerPolicyEngineImpl.java | 17 ++++--- .../ranger/plugin/service/RangerBasePlugin.java | 14 +++--- .../plugin/service/RangerBaseService.java | 4 +- .../ranger/plugin/util/PolicyRefresher.java | 6 +++ 8 files changed, 72 insertions(+), 55 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java index 53edc18..45a63c2 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java 
@@ -19,14 +19,13 @@ package org.apache.ranger.plugin.audit; -import java.util.List; +import java.util.Collection; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; public interface RangerAuditHandler { - void logAudit(RangerAccessRequest request, RangerAccessResult result); + void logAudit(RangerAccessResult result); - void logAudit(List<RangerAccessRequest> requests, List<RangerAccessResult> results); + void logAudit(Collection<RangerAccessResult> results); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java index bf55276..82732e7 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 
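Review bot: Both `logAudit` overloads in `RangerAuditHandler` now receive only results, so every implementer has to fetch the request from `result.getAccessRequest()`, yet the interface says nothing about that contract or about a null request. The `RangerPolicyEngineImpl` hunk at `@@ -170,7 +171,7 @@` calls `createAccessResult(request)` before its own `request != null` check, so a result can carry a null request. I would add Javadoc on both methods, for example `/** Records the decision in {@code result}; the originating request is read from {@code result.getAccessRequest()} and may be null. */`. This is also a source-incompatible change for any handler outside this commit, which is worth a line in the commit message.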
@@ -46,43 +46,45 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { } @Override - public void logAudit(RangerAccessRequest request, RangerAccessResult result) { + public void logAudit(RangerAccessResult result) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")"); + LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + result + ")"); } - Collection<AuthzAuditEvent> events = getAuditEvents(request, result); + Collection<AuthzAuditEvent> events = getAuthzEvents(result); - logAudit(events); + logAuthzAudits(events); if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")"); + LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + result + ")"); } } @Override - public void logAudit(List<RangerAccessRequest> requests, List<RangerAccessResult> results) { + public void logAudit(Collection<RangerAccessResult> results) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")"); + LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + results + ")"); } - Collection<AuthzAuditEvent> events = getAuditEvents(requests, results); + Collection<AuthzAuditEvent> events = getAuthzEvents(results); - logAudit(events); + logAuthzAudits(events); if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")"); + LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + results + ")"); } } - public Collection<AuthzAuditEvent> getAuditEvents(RangerAccessRequest request, RangerAccessResult result) { + public Collection<AuthzAuditEvent> getAuthzEvents(RangerAccessResult result) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result + ")"); + LOG.debug("==> RangerDefaultAuditHandler.getAuthzEvents(" + result + ")"); } List<AuthzAuditEvent> ret = null; + RangerAccessRequest request = result != 
null ? result.getAccessRequest() : null; + if(request != null && result != null) { RangerServiceDef serviceDef = result.getServiceDef(); int serviceType = (serviceDef != null && serviceDef.getId() != null) ? serviceDef.getId().intValue() : -1; @@ -105,6 +107,7 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { event.setRepositoryType(serviceType); event.setResourceType(resourceType); event.setResourcePath(resourcePath); + event.setRequestData(request.getRequestData()); event.setEventTime(request.getAccessTime()); event.setUser(request.getUser()); event.setAccessType(request.getAction()); @@ -126,25 +129,23 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result + "): " + ret); + LOG.debug("<== RangerDefaultAuditHandler.getAuthzEvents(" + result + "): " + ret); } return ret; } - public Collection<AuthzAuditEvent> getAuditEvents(List<RangerAccessRequest> requests, List<RangerAccessResult> results) { + public Collection<AuthzAuditEvent> getAuthzEvents(Collection<RangerAccessResult> results) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results + ")"); + LOG.debug("==> RangerDefaultAuditHandler.getAuthzEvents(" + results + ")"); } List<AuthzAuditEvent> ret = null; - if(requests != null && results != null) { - int count = Math.min(requests.size(), results.size()); - + if(results != null) { // TODO: optimize the number of audit logs created - for(int i = 0; i < count; i++) { - Collection<AuthzAuditEvent> events = getAuditEvents(requests.get(i), results.get(i)); + for(RangerAccessResult result : results) { + Collection<AuthzAuditEvent> events = getAuthzEvents(result); if(events == null) { continue; 
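Review bot: In `getAuthzEvents(RangerAccessResult)` (hunk `@@ -46,43 +46,45 @@`), a result whose `getAccessRequest()` is null fails the `if(request != null && result != null)` guard and the method returns no events, so an authorization decision goes unaudited with nothing above debug level to show for it. An else branch such as `LOG.warn("getAuthzEvents(): result has no access request; no audit event generated: " + result);` would make the gap visible to operators. The `result != null` half of the guard is now redundant, because `request` can only be non-null when `result` is. The method body continues past the end of this hunk.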
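Review bot: The added `event.setRequestData(request.getRequestData());` (hunk `@@ -105,6 +107,7 @@`) copies caller-supplied request data into the audit record verbatim. What `getRequestData()` holds is not visible here; if plugins put query text or similar payloads in it, the audit store could end up retaining sensitive literals and arbitrarily large values. I would state the expectation at this line, for example `// requestData is persisted as supplied by the plugin; it must not contain secrets and should be bounded in size`, or truncate and mask the value before setting it. The enclosing method starts and ends outside this hunk.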
@@ -159,7 +160,7 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results + "): " + ret); + LOG.debug("<== RangerDefaultAuditHandler.getAuthzEvents(" + results + "): " + ret); } return ret; @@ -167,7 +168,7 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { public void logAuthzAudit(AuthzAuditEvent auditEvent) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvent + ")"); + LOG.debug("==> RangerDefaultAuditHandler.logAuthzAudit(" + auditEvent + ")"); } if(auditEvent != null) { @@ -175,13 +176,13 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvent + ")"); + LOG.debug("<== RangerDefaultAuditHandler.logAuthzAudit(" + auditEvent + ")"); } } - public void logAudit(Collection<AuthzAuditEvent> auditEvents) { + public void logAuthzAudits(Collection<AuthzAuditEvent> auditEvents) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvents + ")"); + LOG.debug("==> RangerDefaultAuditHandler.logAuthzAudits(" + auditEvents + ")"); } if(auditEvents != null) { @@ -191,7 +192,7 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvents + ")"); + LOG.debug("<== RangerDefaultAuditHandler.logAuthzAudits(" + auditEvents + ")"); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- 
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index ae75fe7..934864e 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java @@ -29,17 +29,19 @@ import org.apache.ranger.plugin.model.RangerServiceDef; public class RangerAccessResult { public enum Result { ALLOWED, DENIED, PARTIALLY_ALLOWED }; - private String serviceName = null; - private RangerServiceDef serviceDef = null; + private String serviceName = null; + private RangerServiceDef serviceDef = null; + private RangerAccessRequest request = null; private Map<String, ResultDetail> accessTypeResults = null; - public RangerAccessResult(String serviceName, RangerServiceDef serviceDef) { - this(serviceName, serviceDef, null); + public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request) { + this(serviceName, serviceDef, request, null); } - public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, Map<String, ResultDetail> accessTypeResults) { + public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request, Map<String, ResultDetail> accessTypeResults) { this.serviceName = serviceName; this.serviceDef = serviceDef; + this.request = request; setAccessTypeResults(accessTypeResults); } 
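Review bot: `RangerAccessResult` now keeps a reference to the caller's `RangerAccessRequest` in a field that is only assigned in the constructor, so it can be declared `private final RangerAccessRequest request;` to make clear that a result is bound to one request. Whether `RangerAccessRequest` is mutable is not visible in this diff. If it is, a caller that reuses the request object after evaluation would change what the audit handler later records, and the batch path in `RangerPolicyEngineImpl` audits only after all requests are evaluated. The getter's Javadoc in the following hunk (`@return the request`) could state this instead, for example `@return the request this result was computed for; may be null; not copied`.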
@@ -59,6 +61,13 @@ public class RangerAccessResult { } /** + * @return the request + */ + public RangerAccessRequest getAccessRequest() { + return request; + } + + /** * @return the accessTypeResults */ public Map<String, ResultDetail> getAccessTypeResults() { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 435ffaa..bd58e48 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -19,6 +19,7 @@ package org.apache.ranger.plugin.policyengine; +import java.util.Collection; import java.util.List; import org.apache.ranger.plugin.audit.RangerAuditHandler; 
@@ -36,13 +37,13 @@ public interface RangerPolicyEngine { RangerAuditHandler getDefaultAuditHandler(); - RangerAccessResult createAccessResult(); + RangerAccessResult createAccessResult(RangerAccessRequest request); RangerAccessResult isAccessAllowed(RangerAccessRequest request); - List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests); + Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests); RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler); - List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests, RangerAuditHandler auditHandler); + Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAuditHandler auditHandler); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index abac54f..ee05351 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -20,6 +20,7 @@ package org.apache.ranger.plugin.policyengine; import java.util.ArrayList; +import java.util.Collection; import java.util.List; import org.apache.commons.collections.CollectionUtils; 
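Review bot: In the `RangerPolicyEngine` hunk (`@@ -36,13 +37,13 @@`), the batch `isAccessAllowed` overloads now return `Collection<RangerAccessResult>`, which drops the ordering guarantee that `List` gave callers who matched results to requests by index. Pairing a decision with the wrong request is an authorization error, so the interface should say how to correlate them. I would add Javadoc such as `/** Results are not guaranteed to be in request order; use {@code RangerAccessResult.getAccessRequest()} to match a result to its request. */`. The implementation in this commit still fills an `ArrayList` in iteration order, but callers should not depend on that.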
@@ -105,8 +106,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public RangerAccessResult createAccessResult() { - return new RangerAccessResult(serviceName, serviceDef); + public RangerAccessResult createAccessResult(RangerAccessRequest request) { + return new RangerAccessResult(serviceName, serviceDef, request); } @Override @@ -115,7 +116,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests) { + public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests) { return isAccessAllowed(requests, defaultAuditHandler); } @@ -128,7 +129,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerAccessResult ret = isAccessAllowedNoAudit(request); if(auditHandler != null) { - auditHandler.logAudit(request, ret); + auditHandler.logAudit(ret); } if(LOG.isDebugEnabled()) { @@ -139,12 +140,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests, RangerAuditHandler auditHandler) { + public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAuditHandler auditHandler) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")"); } - List<RangerAccessResult> ret = new ArrayList<RangerAccessResult>(); + Collection<RangerAccessResult> ret = new ArrayList<RangerAccessResult>(); if(requests != null) { for(RangerAccessRequest request : requests) { @@ -155,7 +156,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } if(auditHandler != null) { - auditHandler.logAudit(requests, ret); + auditHandler.logAudit(ret); } if(LOG.isDebugEnabled()) { 
@@ -170,7 +171,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")"); } - RangerAccessResult ret = createAccessResult(); + RangerAccessResult ret = createAccessResult(request); if(request != null) { if(CollectionUtils.isEmpty(request.getAccessTypes())) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 6deea8f..16e3cac 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -27,7 +27,7 @@ import org.apache.ranger.plugin.store.ServiceStoreFactory; import org.apache.ranger.plugin.util.PolicyRefresher; -public abstract class RangerBasePlugin { +public class RangerBasePlugin { private boolean initDone = false; private PolicyRefresher refresher = null; @@ -48,7 +48,7 @@ public abstract class RangerBasePlugin { serviceName = policyDownloadUrl.substring(idx) + 1; } } - + if(StringUtils.isEmpty(serviceName)) { serviceName = RangerConfiguration.getInstance().get("ranger.plugin.service.name", "hbasedev"); } @@ -56,9 +56,9 @@ public abstract class RangerBasePlugin { ServiceStore serviceStore = ServiceStoreFactory.instance().getServiceStore(); refresher = new PolicyRefresher(policyEngine, serviceName, serviceStore); - - refresher.start(); - + + refresher.startRefresher(); + initDone = true; } } 
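Review bot: In `RangerBasePlugin.init()`, the refresher started by the new `refresher.startRefresher();` line is built from a `serviceName` that the context lines just above derive with `policyDownloadUrl.substring(idx) + 1`. That expression appends the character `1` to the substring rather than skipping past the separator; presumably `policyDownloadUrl.substring(idx + 1)` was intended, though how `idx` is computed is outside the visible lines. When the name is empty the code falls back to the hard-coded default `"hbasedev"`, which means a misconfigured plugin could load and enforce another service's policies without any error. I would fix the substring call and log a warning, or fail initialization, when the fallback is taken. `init()` begins outside these hunks.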
@@ -66,10 +66,10 @@ public abstract class RangerBasePlugin { return initDone; } - + public void cleanup() { PolicyRefresher refresher = this.refresher; - + if(refresher != null) { refresher.stopRefresher(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java index b234b46..8eeb439 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java @@ -49,7 +49,7 @@ public abstract class RangerBaseService { return service; } - public abstract void validateConfig(); + public abstract void validateConfig() throws Exception; - public abstract List<String> lookupResource(ResourceLookupContext context); + public abstract List<String> lookupResource(ResourceLookupContext context) throws Exception; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/55c26092/plugin-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java index 146d151..e2eb69e 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java 
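Review bot: In `RangerBaseService`, declaring `validateConfig()` and `lookupResource(...)` as `throws Exception` forces every caller into `catch (Exception e)`, which also swallows unrelated runtime failures and makes it hard to tell a bad configuration from a bug. A narrower checked type, or at least Javadoc naming the failures callers should expect (for example `@throws Exception if the service configuration is invalid or the backing service cannot be reached`), would keep the error handling precise. What the subclasses actually throw is not visible in this diff.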
@@ -68,6 +68,12 @@ public class PolicyRefresher extends Thread { this.pollingIntervalMilliSeconds = pollingIntervalMilliSeconds; } + public void startRefresher() { + shutdownFlag = false; + + super.start(); + } + public void stopRefresher() { shutdownFlag = true; }
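Review bot: `startRefresher()` resets `shutdownFlag = false` as if the refresher could be restarted, but `super.start()` throws `IllegalThreadStateException` when called on a thread that has already been started, so a start after `stopRefresher()` fails instead of resuming policy refresh. The inherited public `start()` also stays callable and bypasses the flag reset. I would document the one-shot behaviour, for example `/** Starts the refresher thread; may be called only once per instance. */`. The declaration of `shutdownFlag` is outside the hunk; since it is written here and in `stopRefresher()` by the caller's thread and presumably read by `run()`, it should be `volatile`, otherwise the stop request may not be seen.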
