Repository: incubator-ranger Updated Branches: refs/heads/stack 447658578 -> 2e486daa4
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
index d8f2556..58c1102 100644
--- a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
+++ b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
@@ -66,9 +66,6 @@ public class RangerFSPermissionChecker {
 access2ActionListMapper.put(FsAction.EXECUTE, Sets.newHashSet(EXECUTE_ACCCESS_TYPE));
 }
- private static final boolean addHadoopAuth = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT) ;
-
- private static RangerHdfsPlugin rangerPlugin = null;
 private static ThreadLocal<RangerHdfsAuditHandler> currentAuditHandler = new ThreadLocal<RangerHdfsAuditHandler>();
@@ -85,7 +82,7 @@ public class RangerFSPermissionChecker {
 boolean accessGranted = AuthorizeAccessForUser(path, pathOwner, access, user, groups);
- if (!accessGranted && !addHadoopAuth ) {
+ if (!accessGranted && !RangerHdfsPlugin.isHadoopAuthEnabled()) {
 String inodeInfo = (inode.isDirectory() ? "directory" : "file") + "=" + "\"" + path + "\"" ;
 throw new RangerAccessControlException("Permission denied: principal{user=" + user + ",groups: " + groups + "}, access=" + access + ", " + inodeInfo ) ;
 }
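Review bot: The new condition makes the fate of a Ranger denial depend on `RangerHdfsPlugin.isHadoopAuthEnabled()`, a static that is false until the plugin's `init()` has run, and nothing at the call site records that this is the intended fail-closed default. When the flag is true the exception is not thrown and control presumably continues to Hadoop's own permission check (the continuation is outside the hunk), so this single line is the switch between "Ranger is authoritative" and "Ranger or native HDFS ACLs may grant"; I would annotate it: `// Ranger denied. The denial is suppressed only when the deployment opted in via RANGER_ADD_HDFS_PERMISSION_PROP; before init() the flag is false, so the denial is final.` The enclosing method starts and ends outside the hunk.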
@@ -175,12 +172,20 @@ public class RangerFSPermissionChecker {
 }
 class RangerHdfsPlugin extends RangerBasePlugin {
+ private static boolean hadoopAuthEnabled = false;
+
 public RangerHdfsPlugin() {
- super("hdfs");
+ super("hdfs", "hdfs");
 }
 public void init() {
 super.init();
+
+ RangerHdfsPlugin.hadoopAuthEnabled = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT);
+ }
+
+ public static boolean isHadoopAuthEnabled() {
+ return RangerHdfsPlugin.hadoopAuthEnabled;
 }
 }
@@ -265,8 +270,6 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
 excludeUsers.add(excludeUser) ;
 }
 }
-
- RangerConfiguration.getInstance().initAudit("hdfs");
 }
 public RangerHdfsAuditHandler(String pathToBeValidated) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-audit-changes.cfg b/hive-agent/conf/ranger-hive-audit-changes.cfg
new file mode 100644
index 0000000..83a1dff
--- /dev/null
+++ b/hive-agent/conf/ranger-hive-audit-changes.cfg
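Review bot: `hadoopAuthEnabled` is a plain `static boolean` assigned from an instance method (`init()`) on whichever thread initialises the plugin and read through `isHadoopAuthEnabled()` by the permission checker on request threads, with no `volatile`, lock or `final` to publish the write. Because the default is `false` (a Ranger denial stands), a stale read fails closed rather than open, which is the safe direction, but an operator who enables the HDFS fallback can still see it silently ignored on some threads. Declare it `private static volatile boolean hadoopAuthEnabled = false; // false until init(): a Ranger denial is final` and, since each `init()` overwrites a class-wide value, note that the last initialised instance wins.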
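Review bot: Dropping `initAudit("hdfs")` from the `RangerHdfsAuditHandler` constructor leaves no statement in this class of where audit providers are now initialised — presumably inside `RangerBasePlugin` via the new `super("hdfs", "hdfs")` appType argument, which is not visible here. If a handler can be constructed and used before the plugin's `init()` completes, access events from that window would reach uninitialised providers and be lost from the audit trail; a comment on the constructor such as `// audit providers are initialised by RangerHdfsPlugin.init() (RangerBasePlugin), not here` would make that ordering dependency explicit for the next reader. The constructor body starts outside the hunk.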
@@ -0,0 +1,34 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists +xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists +xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists + +xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% 
mod create-if-not-exists +xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-audit.xml ---------------------------------------------------------------------- diff --git a/hive-agent/conf/ranger-hive-audit.xml b/hive-agent/conf/ranger-hive-audit.xml new file mode 100644 index 0000000..047cd96 --- /dev/null +++ b/hive-agent/conf/ranger-hive-audit.xml 
@@ -0,0 +1,191 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> + <property> + <name>xasecure.audit.is.enabled</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.repository.name</name> + <value>hivedev</value> + </property> + + + <!-- DB audit provider configuration --> + <property> + <name>xasecure.audit.db.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.db.is.async</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.db.async.max.queue.size</name> + <value>10240</value> + </property> + + <property> + <name>xasecure.audit.db.async.max.flush.interval.ms</name> + <value>30000</value> + </property> + + <property> + <name>xasecure.audit.db.batch.size</name> + <value>100</value> + </property> + + <!-- Properties whose name begin with "xasecure.audit.jpa." 
are used to configure JPA --> + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name> + <value>jdbc:mysql://localhost:3306/ranger_audit</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name> + <value>rangerlogger</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name> + <value>none</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name> + <value>com.mysql.jdbc.Driver</value> + </property> + + <property> + <name>xasecure.audit.credential.provider.file</name> + <value>jceks://file/etc/ranger/hivedev/auditcred.jceks</value> + </property> + + + <!-- HDFS audit provider configuration --> + <property> + <name>xasecure.audit.hdfs.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.hdfs.is.async</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.hdfs.async.max.queue.size</name> + <value>1048576</value> + </property> + + <property> + <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name> + <value>30000</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.encoding</name> + <value></value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.directory</name> + <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.file</name> + <value>%hostname%-audit.log</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name> + <value>900</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name> + <value>86400</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name> + <value>60</value> + </property> + + <property> + 
<name>xasecure.audit.hdfs.config.local.buffer.directory</name> + <value>/var/log/hive/audit/%app-type%</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.file</name> + <value>%time:yyyyMMdd-HHmm.ss%.log</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name> + <value>8192</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name> + <value>60</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name> + <value>600</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.archive.directory</name> + <value>/var/log/hive/audit/archive/%app-type%</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name> + <value>10</value> + </property> + + + <!-- Log4j audit provider configuration --> + <property> + <name>xasecure.audit.log4j.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.log4j.is.async</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.log4j.async.max.queue.size</name> + <value>10240</value> + </property> + + <property> + <name>xasecure.audit.log4j.async.max.flush.interval.ms</name> + <value>30000</value> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hive-agent/conf/ranger-hive-security-changes.cfg b/hive-agent/conf/ranger-hive-security-changes.cfg new file mode 100644 index 0000000..399f424 --- /dev/null +++ b/hive-agent/conf/ranger-hive-security-changes.cfg 
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+#
+#
+ranger.plugin.hive.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.hive.service.store.class org.apache.ranger.plugin.store.rest.ServiceRESTStore mod create-if-not-exists
+ranger.plugin.hive.service.store.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.hive.service.store.pollIntervalMs 30000 mod create-if-not-exists
+
+ranger.service.store.rest.url %POLICY_MGR_URL% mod create-if-not-exists
+ranger.service.store.rest.ssl.config.file /etc/hive/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+
+xasecure.hive.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-security.xml b/hive-agent/conf/ranger-hive-security.xml
new file mode 100644
index 0000000..86526c6
--- /dev/null
+++ b/hive-agent/conf/ranger-hive-security.xml
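Review bot: `ranger.plugin.hive.service.store.cache.dir` points the plugin at `%POLICY_CACHE_FILE_PATH%`, which will hold the full policy set the plugin enforces, and nothing in this file or its placeholders says who may write there. If the plugin ever falls back to the cache when Ranger Admin is unreachable (the companion ranger-hive-security.xml only says policies are "cached after successful retrieval"), a group- or world-writable cache directory lets a local user substitute a permissive policy file; a line such as `# POLICY_CACHE_FILE_PATH must be owned by the hive process user and not writable by others` above that entry would carry the requirement into the install step. Moving away from the old `/tmp/hive_%REPOSITORY_NAME%_json` location is the right direction; this just makes the ownership requirement explicit.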
@@ -0,0 +1,73 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>ranger.plugin.hive.service.name</name>
+ <value>hivedev</value>
+ <description>
+ Name of the Ranger service containing policies for this YARN instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.service.store.class</name>
+ <value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value>
+ <description>
+ Service storage implementation class to use to retrieve policies
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.service.store.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies?
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.service.store.cache.dir</name>
+ <value>/etc/ranger/hivedev/policycache</value>
+ <description>
+ Directory where Ranger policies are cached after successful retrieval from the store
+ </description>
+ </property>
+
+ <!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies -->
+ <property>
+ <name>ranger.service.store.rest.url</name>
+ <value>http://policymanagerhost:port</value>
+ <description>
+ URL to Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.service.store.rest.ssl.config.file</name>
+ <value>/etc/hive/conf/ranger-policymgr-ssl.xml</value>
+ <description>Path to the file containing SSL details to contact Ranger Admin</description>
+ </property>
+
+
+ <property>
+ <name>xasecure.hive.update.xapolicies.on.grant.revoke</name>
+ <value>true</value>
+ <description>Should Hive plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?</description>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-audit-changes.cfg b/hive-agent/conf/xasecure-audit-changes.cfg
deleted file mode 100644
index 83a1dff..0000000
--- a/hive-agent/conf/xasecure-audit-changes.cfg
+++ /dev/null
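Review bot: The description for `ranger.plugin.hive.service.name` says "policies for this YARN instance" in a Hive plugin config; it should read `Name of the Ranger service containing policies for this Hive instance`. The sample `ranger.service.store.rest.url` is `http://policymanagerhost:port`, yet this URL is where the plugin fetches the policies it enforces, so a plaintext default invites deployments in which permissive policies can be injected in transit; the description could say `URL to Ranger Admin; use https and configure trust in ranger.service.store.rest.ssl.config.file, since the policies fetched here decide every authorization`. The SSL config file is already referenced by the next property, so the secure path is wired and only needs to be the documented one.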
@@ -1,34 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists -xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists -xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists - -xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% 
mod create-if-not-exists -xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists -xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-audit.xml ---------------------------------------------------------------------- diff --git a/hive-agent/conf/xasecure-audit.xml b/hive-agent/conf/xasecure-audit.xml deleted file mode 100644 index 047cd96..0000000 --- a/hive-agent/conf/xasecure-audit.xml +++ /dev/null 
@@ -1,191 +0,0 @@ -<?xml version="1.0"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> -<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> - <property> - <name>xasecure.audit.is.enabled</name> - <value>true</value> - </property> - - <property> - <name>xasecure.audit.repository.name</name> - <value>hivedev</value> - </property> - - - <!-- DB audit provider configuration --> - <property> - <name>xasecure.audit.db.is.enabled</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.db.is.async</name> - <value>true</value> - </property> - - <property> - <name>xasecure.audit.db.async.max.queue.size</name> - <value>10240</value> - </property> - - <property> - <name>xasecure.audit.db.async.max.flush.interval.ms</name> - <value>30000</value> - </property> - - <property> - <name>xasecure.audit.db.batch.size</name> - <value>100</value> - </property> - - <!-- Properties whose name begin with "xasecure.audit.jpa." 
are used to configure JPA --> - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name> - <value>jdbc:mysql://localhost:3306/ranger_audit</value> - </property> - - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name> - <value>rangerlogger</value> - </property> - - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name> - <value>none</value> - </property> - - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name> - <value>com.mysql.jdbc.Driver</value> - </property> - - <property> - <name>xasecure.audit.credential.provider.file</name> - <value>jceks://file/etc/ranger/hivedev/auditcred.jceks</value> - </property> - - - <!-- HDFS audit provider configuration --> - <property> - <name>xasecure.audit.hdfs.is.enabled</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.hdfs.is.async</name> - <value>true</value> - </property> - - <property> - <name>xasecure.audit.hdfs.async.max.queue.size</name> - <value>1048576</value> - </property> - - <property> - <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name> - <value>30000</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.encoding</name> - <value></value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.directory</name> - <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.file</name> - <value>%hostname%-audit.log</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name> - <value>900</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name> - <value>86400</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name> - <value>60</value> - </property> - - <property> - 
<name>xasecure.audit.hdfs.config.local.buffer.directory</name> - <value>/var/log/hive/audit/%app-type%</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.file</name> - <value>%time:yyyyMMdd-HHmm.ss%.log</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name> - <value>8192</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name> - <value>60</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name> - <value>600</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.archive.directory</name> - <value>/var/log/hive/audit/archive/%app-type%</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name> - <value>10</value> - </property> - - - <!-- Log4j audit provider configuration --> - <property> - <name>xasecure.audit.log4j.is.enabled</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.log4j.is.async</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.log4j.async.max.queue.size</name> - <value>10240</value> - </property> - - <property> - <name>xasecure.audit.log4j.async.max.flush.interval.ms</name> - <value>30000</value> - </property> -</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-hive-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hive-agent/conf/xasecure-hive-security-changes.cfg b/hive-agent/conf/xasecure-hive-security-changes.cfg deleted file mode 100644 index 75fbdea..0000000 --- a/hive-agent/conf/xasecure-hive-security-changes.cfg +++ /dev/null 
@@ -1,27 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Change the original policy parameter to work with policy manager based. -# -# -hive.authorization.verifier.classname org.apache.ranger.pdp.hive.RangerAuthorizer mod create-if-not-exists -xasecure.hive.policymgr.url %POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% mod create-if-not-exists -xasecure.hive.policymgr.url.saveAsFile /tmp/hive_%REPOSITORY_NAME%_json mod create-if-not-exists -xasecure.hive.policymgr.url.laststoredfile %POLICY_CACHE_FILE_PATH%/hive_%REPOSITORY_NAME%_json mod create-if-not-exists -xasecure.hive.policymgr.url.reloadIntervalInMillis 30000 mod create-if-not-exists -xasecure.hive.policymgr.ssl.config /etc/hive/conf/xasecure-policymgr-ssl.xml mod create-if-not-exists -xasecure.hive.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists -xasecure.policymgr.url %POLICY_MGR_URL% mod create-if-not-exists -xasecure.policymgr.sslconfig.filename /etc/hive/conf/xasecure-policymgr-ssl.xml mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-hive-security.xml ---------------------------------------------------------------------- 
diff --git a/hive-agent/conf/xasecure-hive-security.xml b/hive-agent/conf/xasecure-hive-security.xml deleted file mode 100644 index ebc0b92..0000000 --- a/hive-agent/conf/xasecure-hive-security.xml +++ /dev/null 
@@ -1,84 +0,0 @@ -<?xml version="1.0"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> -<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> - - - <!-- The following property is used to select appropriate XASecure Authorizer Module (filebased, policymanager based) --> - <property> - <name>hive.authorization.verifier.classname</name> - <value>org.apache.ranger.pdp.hive.RangerAuthorizer</value> - <description> - Class Name of the authorization Module - </description> - </property> - - - <!-- The following properties are used only when PolicyManager is used as - main storage for all policy --> - <property> - <name>xasecure.hive.policymgr.url</name> - <value>http://policymanagerhost:port/service/assets/dev-hive</value> - <description> - Location where XASecure Role Based Authorization Info is - located. 
- </description> - </property> - <property> - <name>xasecure.hive.policymgr.url.saveAsFile</name> - <value>/tmp/xasecure-hive-policy.json</value> - <description> - Location where XASecure Role Based Authorization Info is - saved after successful retrieval from policymanager - </description> - </property> - <property> - <name>xasecure.hive.policymgr.url.laststoredfile</name> - <value>/home/hive/last_xasecure-hive-policy.json</value> - <description> - Location and file where last XASecure Role Based Authorization Info - is saved after successful retrieval from policymanager. - </description> - </property> - <property> - <name>xasecure.hive.policymgr.url.reloadIntervalInMillis</name> - <value>30000</value> - <description> - How often do we need to verify the changes tothe - authorization url, - to reload to memory (reloaded only if there are - changes) - </description> - </property> - <property> - <name>xasecure.policymgr.url</name> - <value>http://policymanagerhost:port</value> - <description>Base URL for XASecure PolicyManager</description> - </property> - <property> - <name>xasecure.policymgr.sslconfig.filename</name> - <value>/etc/hive/conf/xasecure-policymgr-ssl.xml</value> - <description>Path to the file containing SSL details to contact XASecure PolicyManager</description> - </property> - <property> - <name>xasecure.hive.update.xapolicies.on.grant.revoke</name> - <value>true</value> - <description>Should Hive agent update XASecure policies for updates to permissions done using GRANT/REVOKE?</description> - </property> - -</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- 
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index b3d8055..980c56c 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -78,27 +78,23 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 if(hivePlugin == null) {
 synchronized(RangerHiveAuthorizer.class) {
 if(hivePlugin == null) {
- RangerHivePlugin temp = new RangerHivePlugin();
- temp.init();
-
- if(!RangerConfiguration.getInstance().isAuditInitDone()) {
- if(sessionContext != null) {
- String appType = "unknown";
-
- switch(sessionContext.getClientType()) {
- case HIVECLI:
- appType = "hiveCLI";
- break;
-
- case HIVESERVER2:
- appType = "hiveServer2";
- break;
- }
-
- RangerConfiguration.getInstance().initAudit(appType);
+ String appType = "unknown";
+
+ if(sessionContext != null) {
+ switch(sessionContext.getClientType()) {
+ case HIVECLI:
+ appType = "hiveCLI";
+ break;
+
+ case HIVESERVER2:
+ appType = "hiveServer2";
+ break;
+ }
 }
 }
+ RangerHivePlugin temp = new RangerHivePlugin(appType);
+ temp.init();
+
 hivePlugin = temp;
 }
 }
@@ -834,8 +830,8 @@ enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUN
 enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, ALL, ADMIN };
 class RangerHivePlugin extends RangerBasePlugin {
- public RangerHivePlugin() {
- super("hive");
+ public RangerHivePlugin(String appType) {
+ super("hive", appType);
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
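Review bot: `appType` is resolved once, on the first call that finds `hivePlugin == null`, and baked into the singleton via `new RangerHivePlugin(appType)`; if that first call arrives with `sessionContext == null` the plugin is created as `"unknown"` and every later audit record from this process presumably carries that app type (what `RangerBasePlugin` does with it is outside the hunk). Either defer creating the singleton until a non-null context is seen, or state the behaviour at the assignment: `String appType = "unknown"; // fixed for the process lifetime: the first initialising caller decides`. The double-checked `hivePlugin == null` test publishes the instance safely only if the field is declared `volatile`; its declaration is outside the hunk, so please confirm. The enclosing method starts and ends outside the hunk.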
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index a98f8e4..e4ee9d0 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -645,9 +645,9 @@ public class ServiceREST {
 }
 @GET
- @Path("/policies/service/name/{name}/{lastKnownVersion}")
+ @Path("/policies/download/{serviceName}/{lastKnownVersion}")
 @Produces({ "application/json", "application/xml" })
- public ServicePolicies getServicePoliciesIfUpdated(@PathParam("name") String serviceName, @PathParam("lastKnownVersion") Long lastKnownVersion) throws Exception {
+ public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @PathParam("lastKnownVersion") Long lastKnownVersion) throws Exception {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 5a210db..3214591 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -56,6 +56,7 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 <security:http pattern="/loadInit.html" security="none" />
 <security:http pattern="/service/documents/result/**" security="none" />
 <security:http pattern="/service/assets/policyList/*" security="none"/>
+ <security:http pattern="/service/plugins/policies/download/*/*" security="none"/>
 <security:http pattern="/service/assets/resources/grant" security="none"/>
 <security:http pattern="/service/assets/resources/revoke" security="none"/>
 <security:http pattern="/service/users/default" security="none"/>
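Review bot: The added pattern `/service/plugins/policies/download/*/*` lets anyone who can reach Ranger Admin download the complete policy set of any service by guessing its name — user and group names, database/table/path names and the permissions granted to them — because `security="none"` disables authentication for the route. It mirrors the existing `/service/assets/policyList/*` exemption, so it is not a new class of exposure, but this is the replacement endpoint and the plugin side already carries a `ranger.service.store.rest.ssl.config.file` ("SSL details to contact Ranger Admin"), which may mean a client-side credential is intended; binding the download route to that (or at minimum to an allow-list of plugin hosts) instead of `security="none"` would close the gap. If it must stay open for now, say so next to the line: `<!-- policy download is unauthenticated: any caller can read every service's policies; restrict before exposing Admin beyond the cluster network -->`.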
