Repository: incubator-ranger Updated Branches: refs/heads/stack 1e8dc41a8 -> 615e2c52e
RANGER-203: updated RangerBasePlugin with policy-engine methods, to make it easier for the plugins to use. Fix in HDFS plugin.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/615e2c52
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/615e2c52
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/615e2c52
Branch: refs/heads/stack
Commit: 615e2c52ea0835152a57da7732960af3ba43bec5
Parents: 1e8dc41
Author: Madhan Neethiraj <[email protected]>
Authored: Fri Jan 23 01:22:20 2015 -0800
Committer: Madhan Neethiraj <[email protected]>
Committed: Fri Jan 23 01:22:20 2015 -0800
----------------------------------------------------------------------
.../ranger/audit/model/AuditEventBase.java | 4 -
.../audit/provider/AuditProviderFactory.java | 2 -
.../namenode/RangerFSPermissionChecker.java | 12 +-
.../agent/HadoopAuthClassTransformer.java | 9 +-
.../ranger/plugin/service/RangerBasePlugin.java | 150 +++++++++++++++----
5 files changed, 126 insertions(+), 51 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
index f5753f0..82fcab8 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
@@ -19,12 +19,8 @@ package org.apache.ranger.audit.model;
-import java.util.Date;
-
 import org.apache.ranger.audit.dao.DaoManager;
-import com.google.gson.annotations.SerializedName;
-
 public abstract class AuditEventBase {
 protected AuditEventBase() {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
index 8decfc2..fb5e8b5 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
@@ -19,9 +19,7 @@ package org.apache.ranger.audit.provider;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import java.util.Properties;
 import org.apache.commons.logging.Log;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
index 9cf57a9..a4339af 100644
--- a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
+++ b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
@@ -47,8 +47,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 import org.apache.ranger.plugin.policyengine.RangerResource;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
@@ -108,12 +106,12 @@ public class RangerFSPermissionChecker {
 }
 }
- if (rangerPlugin != null && rangerPlugin.getPolicyEngine() != null) {
+ if (rangerPlugin != null) {
 RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(aPathName, aPathOwnerName, access, user, groups);
- RangerAccessResult result = rangerPlugin.getPolicyEngine().isAccessAllowed(request, getCurrentAuditHandler());
+ RangerAccessResult result = rangerPlugin.isAccessAllowed(request, getCurrentAuditHandler());
- accessGranted = result.getResult() == RangerAccessResult.Result.ALLOWED;
+ accessGranted = (result != null && result.getResult() == RangerAccessResult.Result.ALLOWED);
 }
 }
@@ -159,9 +157,7 @@ class RangerHdfsPlugin extends RangerBasePlugin {
 }
 public void init() {
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl();
-
- super.init(policyEngine);
+ super.init();
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
index 35d3981..1f21053 100644
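Review bot: In the `@@ -108,12 +106,12 @@` hunk a `null` return from `rangerPlugin.isAccessAllowed(...)` is folded into `accessGranted = false` with no log line, so a plugin whose policy engine is not set looks exactly like a policy that did not grant access. With the old `getPolicyEngine() != null` guard removed, this assignment is the only place in the HDFS agent where that state can be seen. I would keep the null-safe comparison and record the case before it, for example `if (result == null) { /* log at WARN: Ranger policy engine unavailable, no Ranger decision made */ }`, using whatever logger the class already has (none is visible in the hunk). The enclosing method starts and ends outside the hunk.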
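Review bot: In the `@@ -159,9 +157,7 @@` hunk `RangerHdfsPlugin.init()` is left as an override whose whole body is `super.init();`, which adds nothing over the inherited `RangerBasePlugin.init()`. Deleting the override keeps the subclass to what it actually customises; if it is kept as an extension point, a one-line comment such as `// kept as a hook for HDFS-specific initialisation` would say so. The class body starts outside the hunk.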
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
@@ -109,15 +109,16 @@ public class HadoopAuthClassTransformer implements ClassFileTransformer {
 }
 if (checkMethod != null) {
+ checkMethod.insertAfter("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,true) ;");
+ CtClass throwable = ClassPool.getDefault().get("java.lang.Throwable");
+ checkMethod.addCatch("{ org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,false) ; throw $e; }", throwable);
+
 if (snapShotClass == null && (!withIntParamInMiddle)) {
 checkMethod.insertBefore("{ if ( org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.check(ugi,$1,$2) ) { return ; } }");
 } else {
 checkMethod.insertBefore("{ if ( org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.check(ugi,$1,$3) ) { return ; } }");
 }
- checkMethod.insertAfter("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,true) ;");
- CtClass throwable = ClassPool.getDefault().get("java.lang.Throwable");
- checkMethod.addCatch("{ org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,false) ; throw $e; }", throwable);
 System.out.println("Injection of code is successfull ....");
 }
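Review bot: The new statement order is load-bearing but nothing in the code says so: `insertAfter(...)` and `addCatch(...)` now run before `insertBefore(...)`, which presumably keeps the injected `RangerFSPermissionChecker.check(...)` call and its early `return` outside the `logHadoopEvent` after/catch wrapping. A later tidy-up could move the calls back and silently change which authorization outcomes reach the Hadoop audit log. I would add a comment above the first moved line, for example `// Order matters: apply insertAfter/addCatch first so the Ranger check inserted below is not wrapped by logHadoopEvent()`, worded to match the real intent. The same applies to the `@@ -141,10 +142,10 @@` hunk, where `checkPermissionPre` is now inserted after `checkPermissionPost` and its catch block. Both enclosing methods start outside their hunks.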
@@ -141,10 +142,10 @@ public class HadoopAuthClassTransformer implements ClassFileTransformer {
 CtMethod checkMethod = curClass.getDeclaredMethod("checkPermission");
 if (checkMethod != null) {
- checkMethod.insertBefore("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPre($1) ;");
 checkMethod.insertAfter("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPost($1) ;");
 CtClass throwable = ClassPool.getDefault().get("org.apache.hadoop.security.AccessControlException");
 checkMethod.addCatch("{ org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPost($1); throw $e; }", throwable);
+ checkMethod.insertBefore("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPre($1) ;");
 injected_cm = true ;
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index dae02fc..8b312af 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -19,72 +19,156 @@ package org.apache.ranger.plugin.service; +import java.util.Collection; + import org.apache.commons.lang.StringUtils; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; +import org.apache.ranger.plugin.audit.RangerAuditHandler; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.store.ServiceStoreFactory; import org.apache.ranger.plugin.util.PolicyRefresher; public class RangerBasePlugin { - private boolean initDone = false; - private String serviceType = null; - private PolicyRefresher refresher = null; + private String serviceType = null; + private String serviceName = null; + private RangerPolicyEngine policyEngine = null; + private PolicyRefresher refresher = null; + - public RangerBasePlugin(String serviceType) { this.serviceType = serviceType; } - public RangerPolicyEngine getPolicyEngine() { - return refresher == null ? null : refresher.getPolicyEngine(); + public String getServiceType() { + return serviceType; } public String getServiceName() { - return refresher == null ? null : refresher.getServiceName(); + return serviceName; } - public boolean init(RangerPolicyEngine policyEngine) { - if(!initDone) { - synchronized(this) { - if(! initDone) { - String serviceName = null; - - // get the serviceName from download URL: http://ranger-admin-host:port/service/assets/policyList/serviceName - String policyDownloadUrl = RangerConfiguration.getInstance().get("xasecure." + serviceType + ".policymgr.url"); - - if(! 
StringUtils.isEmpty(policyDownloadUrl)) { - int idx = policyDownloadUrl.lastIndexOf('/'); - - if(idx != -1) { - serviceName = policyDownloadUrl.substring(idx + 1); - } - } + public RangerPolicyEngine getPolicyEngine() { + return policyEngine; + } - if(StringUtils.isEmpty(serviceName)) { - serviceName = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.name"); - } + public void init() { + RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(); + + init(policyEngine); + } - ServiceStore serviceStore = ServiceStoreFactory.instance().getServiceStore(); + public synchronized void init(RangerPolicyEngine policyEngine) { + cleanup(); - refresher = new PolicyRefresher(policyEngine, serviceName, serviceStore); + // get the serviceName from download URL: http://ranger-admin-host:port/service/assets/policyList/serviceName + String policyDownloadUrl = RangerConfiguration.getInstance().get("xasecure." + serviceType + ".policymgr.url"); - refresher.startRefresher(); + if(! StringUtils.isEmpty(policyDownloadUrl)) { + int idx = policyDownloadUrl.lastIndexOf('/'); - initDone = true; - } + if(idx != -1) { + serviceName = policyDownloadUrl.substring(idx + 1); } } - return initDone; + if(StringUtils.isEmpty(serviceName)) { + serviceName = RangerConfiguration.getInstance().get("ranger.plugin." 
+ serviceType + ".service.name"); + } + + ServiceStore serviceStore = ServiceStoreFactory.instance().getServiceStore(); + + refresher = new PolicyRefresher(policyEngine, serviceName, serviceStore); + refresher.startRefresher(); + this.policyEngine = policyEngine; } - public void cleanup() { + public synchronized void cleanup() { PolicyRefresher refresher = this.refresher; + this.serviceName = null; + this.policyEngine = null; + this.refresher = null; + if(refresher != null) { refresher.stopRefresher(); } } + + public void setDefaultAuditHandler(RangerAuditHandler auditHandler) { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + policyEngine.setDefaultAuditHandler(auditHandler); + } + } + + public RangerAuditHandler getDefaultAuditHandler() { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + return policyEngine.getDefaultAuditHandler(); + } + + return null; + } + + + public RangerAccessResult createAccessResult(RangerAccessRequest request) { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + return policyEngine.createAccessResult(request); + } + + return null; + } + + + public RangerAccessResult isAccessAllowed(RangerAccessRequest request) { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + return policyEngine.isAccessAllowed(request); + } + + return null; + } + + + public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests) { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + return policyEngine.isAccessAllowed(requests); + } + + return null; + } + + + public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler) { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + return policyEngine.isAccessAllowed(request, auditHandler); + } + + return null; + } + + + public 
Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAuditHandler auditHandler) { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + return policyEngine.isAccessAllowed(requests, auditHandler); + } + + return null; + } }
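Review bot: `policyEngine` is written inside the `synchronized` `init(RangerPolicyEngine)` and `cleanup()` but read without a lock in `isAccessAllowed(...)`, `createAccessResult(...)` and the audit-handler accessors, and the field is not `volatile`, so an authorization thread has no visibility guarantee for a newly set or cleared engine. Declaring it `private volatile RangerPolicyEngine policyEngine = null;` fits the copy-to-local pattern the new methods already use. Separately, every delegating method returns `null` when no engine is set, and `init(...)` calls `cleanup()` and starts the refresher before assigning `this.policyEngine`, so callers can see `null` during re-initialisation. The class Javadoc should state that `null` means no decision was made and must never be treated as allowed. The two `Collection` overloads would be harder to misuse if they returned an empty collection instead of `null`.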
