http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7758ed1c/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
index de43975..b584f8c 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
@@ -29,7 +29,6 @@ import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
@@ -40,7 +39,6 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObje
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.ranger.authorization.hive.RangerHiveAccessContext;
 import org.apache.ranger.authorization.utils.StringUtil;
 
 public abstract class RangerHiveAuthorizerBase implements HiveAuthorizer {
@@ -94,10 +92,6 @@ public abstract class RangerHiveAuthorizerBase implements HiveAuthorizer {
 public UserGroupInformation getCurrentUserGroupInfo() {
 return mUgi;
 }
-
- public RangerHiveAccessContext getAccessContext(HiveAuthzContext context) {
- return new RangerHiveAccessContext(context, mSessionContext);
- }
 
 @Override
 public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7758ed1c/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
new file mode 100644
index 0000000..82e256e
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
@@ -0,0 +1,185 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.hive.authorizer;
+
+import java.util.Set;
+
+import org.apache.commons.lang.ObjectUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.policyengine.RangerResource;
+
+import com.google.common.collect.Sets;
+
+
+public class RangerHiveResource implements RangerResource {
+ private static final String KEY_DATABASE = "database";
+ private static final String KEY_TABLE = "table";
+ private static final String KEY_UDF = "udf";
+ private static final String KEY_COLUMN = "column";
+
+ private static final Set<String> KEYS_DATABASE = Sets.newHashSet(KEY_DATABASE);
+ private static final Set<String> KEYS_TABLE = Sets.newHashSet(KEY_DATABASE, KEY_TABLE);
+ private static final Set<String> KEYS_UDF = Sets.newHashSet(KEY_DATABASE, KEY_UDF);
+ private static final Set<String> KEYS_COLUMN = Sets.newHashSet(KEY_DATABASE, KEY_TABLE, KEY_COLUMN);
+
+ private HiveObjectType objectType = null;
+ private String database = null;
+ private String tableOrUdf = null;
+ private String column = null;
+ private Set<String> keys = null;
+
+
+ public RangerHiveResource(HiveObjectType objectType, String database) {
+ this(objectType, database, null, null);
+ }
+
+ public RangerHiveResource(HiveObjectType objectType, String database, String tableOrUdf) {
+ this(objectType, database, tableOrUdf, null);
+ }
+
+ public RangerHiveResource(HiveObjectType objectType, String database, String tableOrUdf, String column) {
+ this.objectType = objectType;
+ this.database = database;
+ this.tableOrUdf = tableOrUdf;
+ this.column = column;
+
+ switch(objectType) {
+ case DATABASE:
+ keys = KEYS_DATABASE;
+ break;
+
+ case FUNCTION:
+ keys = KEYS_UDF;
+ break;
+
+ case COLUMN:
+ keys = KEYS_COLUMN;
+ break;
+
+ case TABLE:
+ case VIEW:
+ case INDEX:
+ case PARTITION:
+ keys = KEYS_TABLE;
+ break;
+
+ case NONE:
+ case URI:
+ default:
+ keys = null;
+ break;
+ }
+ }
+
+ @Override
+ public String getOwnerUser() {
+ return null; // no owner information available
+ }
+
+ @Override
+ public boolean exists(String name) {
+ return !StringUtils.isEmpty(getValue(name));
+ }
+
+ @Override
+ public String getValue(String name) {
+ if(StringUtils.equalsIgnoreCase(name, KEY_DATABASE)) {
+ return database;
+ } else if(objectType == HiveObjectType.FUNCTION) {
+ if(StringUtils.equalsIgnoreCase(name, KEY_UDF)) {
+ return tableOrUdf;
+ }
+ } else if(StringUtils.equalsIgnoreCase(name, KEY_TABLE)) {
+ return tableOrUdf;
+ } else if(StringUtils.equalsIgnoreCase(name, KEY_COLUMN)) {
+ return column;
+ }
+
+ return null;
+ }
+
+ public Set<String> getKeys() {
+ return keys;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if(obj == null || !(obj instanceof RangerHiveResource)) {
+ return false;
+ }
+
+ if(this == obj) {
+ return true;
+ }
+
+ RangerHiveResource other = (RangerHiveResource) obj;
+
+ return ObjectUtils.equals(objectType, other.objectType) &&
+ ObjectUtils.equals(database, other.database) &&
+ ObjectUtils.equals(tableOrUdf, other.tableOrUdf) &&
+ ObjectUtils.equals(column, other.column);
+ }
+
+ @Override
+ public int hashCode() {
+ int ret = 7;
+
+ ret = 31 * ret + ObjectUtils.hashCode(objectType);
+ ret = 31 * ret + ObjectUtils.hashCode(database);
+ ret = 31 * ret + ObjectUtils.hashCode(tableOrUdf);
+ ret = 31 * ret + ObjectUtils.hashCode(column);
+
+ return ret;
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+
+ toString(sb);
+
+ return sb.toString();
+ }
+
+ public StringBuilder toString(StringBuilder sb) {
+ sb.append("objectType={").append(objectType).append("} ");
+ sb.append("database={").append(database).append("} ");
+ sb.append("tableOrUdf={").append(tableOrUdf).append("} ");
+ sb.append("column={").append(column).append("} ");
+
+ return sb;
+ }
+
+ public HiveObjectType getObjectType() {
+ return objectType;
+ }
+
+ public String getDatabase() {
+ return database;
+ }
+
+ public String getTableOrUdf() {
+ return tableOrUdf;
+ }
+
+ public String getColumn() {
+ return column;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7758ed1c/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
index 9c6f7cd..afc03b2 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
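Review bot: `getKeys()` hands out the shared static `HashSet` instances built with `Sets.newHashSet` (KEYS_DATABASE through KEYS_COLUMN), so any caller that modifies the returned set changes which resource attributes every subsequent RangerHiveResource of that object type exposes to the policy engine. Since these sets drive authorization matching they should be immutable; with Guava already imported, `private static final Set<String> KEYS_TABLE = ImmutableSet.of(KEY_DATABASE, KEY_TABLE);` (and likewise for the other three, importing `com.google.common.collect.ImmutableSet`) removes the hazard. The four-argument constructor also dereferences `objectType` in `switch(objectType)` without a null check, so a null object type fails with a NullPointerException rather than a descriptive error; a guard such as `if(objectType == null) { throw new IllegalArgumentException("objectType is required"); }` before the switch would make the contract explicit. The `obj == null` test in `equals` is redundant, since `instanceof` is already false for null.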
@@ -87,8 +87,6 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 
 if(request != null && result != null && result.getIsAudited()) {
 RangerServiceDef serviceDef = result.getServiceDef();
- int serviceType = (serviceDef != null && serviceDef.getId() != null) ? serviceDef.getId().intValue() : -1;
- String serviceName = result.getServiceName();
 String resourceType = getResourceName(request.getResource(), serviceDef);
 String resourcePath = getResourceValueAsString(request.getResource(), serviceDef);
 
@@ -99,8 +97,8 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 
 AuthzAuditEvent event = createAuthzAuditEvent();
 
- event.setRepositoryName(serviceName);
- event.setRepositoryType(serviceType);
+ event.setRepositoryName(result.getServiceName());
+ event.setRepositoryType(result.getServiceType());
 event.setResourceType(resourceType);
 event.setResourcePath(resourcePath);
 event.setRequestData(request.getRequestData());
@@ -108,6 +106,7 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 event.setUser(request.getUser());
 event.setAccessType(request.getAction());
 event.setAccessResult((short)(accessResult.isAllowed() ? 1 : 0));
+ event.setPolicyId(result.getPolicyId());
 event.setAclEnforcer("ranger-acl"); // TODO: review
 event.setAction(accessType);
 event.setClientIP(request.getClientIPAddress());
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7758ed1c/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 5f07402..b64a441 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
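Review bot: The new `event.setPolicyId(result.getPolicyId())` in the third hunk records a single policy id for the whole RangerAccessResult, yet the surrounding lines build the event per access type (`accessResult.isAllowed()`, `setAction(accessType)`), so when one request carries several access types decided by different policies the audit row can name a policy that did not make the decision being audited. If `accessResult` is the per-access-type ResultDetail, as it appears to be, `event.setPolicyId(accessResult.getPolicyId());` attributes each audit event to its own deciding policy and keeps the audit trail usable for after-the-fact review. The enclosing method starts before the first hunk and continues after the last, so the loop structure is inferred rather than visible here.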
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -20,8 +20,11 @@
 package org.apache.ranger.plugin.policyengine;
 
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 
@@ -163,6 +166,40 @@ public class RangerAccessResult {
 return ret;
 }
 
+ public int getServiceType() {
+ int ret = -1;
+
+ if(serviceDef != null && serviceDef.getId() != null) {
+ ret = serviceDef.getId().intValue();
+ }
+
+ return ret;
+ }
+
+ public long getPolicyId() {
+ long ret = -1;
+
+ if(! MapUtils.isEmpty(accessTypeResults)) {
+ ResultDetail detail = accessTypeResults.values().iterator().next();
+
+ ret = detail.getPolicyId();
+ }
+
+ return ret;
+ }
+
+ public Set<Long> getPolicyIds() {
+ Set<Long> ret = new HashSet<Long>();
+
+ if(! MapUtils.isEmpty(accessTypeResults)) {
+ for(ResultDetail detail : accessTypeResults.values()) {
+ ret.add(detail.getPolicyId());
+ }
+ }
+
+ return ret;
+ }
+
 @Override
 public String toString( ) {
 StringBuilder sb = new StringBuilder();
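Review bot: `getPolicyId()` returns the policy id of whichever entry `accessTypeResults.values().iterator().next()` yields first, which for a hash-based map is not a meaningful choice once more than one access type has been evaluated, and nothing in the method's signature says so. Add Javadoc stating that it returns the policy id of one arbitrary access-type result, or -1 when no result is present, and that callers dealing with several access types should use `getPolicyIds()` instead; `getServiceType()` deserves the same note for its -1 sentinel. The declared type of `accessTypeResults` is outside the hunk, so the iteration-order remark assumes a plain HashMap.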
