Repository: incubator-ranger
Updated Branches:
  refs/heads/stack 3565427b2 -> 7a6412dcd


RANGER-240 Change Storm plugin to use the new service framework

Signed-off-by: Madhan Neethiraj <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7a6412dc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7a6412dc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7a6412dc

Branch: refs/heads/stack
Commit: 7a6412dcd3e9799dd0fb9c7948fad5448664b896
Parents: 3565427
Author: Alok Lal <[email protected]>
Authored: Fri Feb 6 15:37:48 2015 -0800
Committer: Madhan Neethiraj <[email protected]>
Committed: Wed Feb 11 18:37:43 2015 -0800

----------------------------------------------------------------------
 .../service-defs/ranger-servicedef-storm.json   |  23 ++-
 .../ranger/pdp/storm/RangerAuthorizer.java      |  61 ------
 .../apache/ranger/pdp/storm/StormAuthRule.java  | 136 -------------
 .../apache/ranger/pdp/storm/URLBasedAuthDB.java | 176 -----------------
 .../apache/ranger/pdp/utils/RangerUtils.java    |  49 -----
 hbase-agent/src/test/resources/log4j.properties |   4 +-
 plugin-common/pom.xml                           |  81 --------
 src/main/assembly/storm-agent.xml               |   3 +
 .../conf/ranger-policymgr-ssl-changes.cfg       |  23 +++
 storm-agent/conf/ranger-policymgr-ssl.xml       |  63 ++++++
 storm-agent/conf/ranger-storm-audit-changes.cfg |  33 ++++
 storm-agent/conf/ranger-storm-audit.xml         | 186 ++++++++++++++++++
 .../conf/ranger-storm-security-changes.cfg      |  26 +++
 storm-agent/conf/ranger-storm-security.xml      |  67 +++++++
 storm-agent/conf/xasecure-audit-changes.cfg     |  34 ----
 storm-agent/conf/xasecure-audit.xml             | 192 -------------------
 .../conf/xasecure-policymgr-ssl-changes.cfg     |  23 ---
 storm-agent/conf/xasecure-policymgr-ssl.xml     |  63 ------
 .../conf/xasecure-storm-security-changes.cfg    |  26 ---
 storm-agent/conf/xasecure-storm-security.xml    |  84 --------
 .../storm/RangerStormAccessVerifier.java        |  26 ---
 .../storm/RangerStormAccessVerifierFactory.java |  68 -------
 .../authorization/storm/StormRangerPlugin.java  |  79 ++++++++
 .../storm/authorizer/RangerStormAuthorizer.java |  87 ++-------
 24 files changed, 508 insertions(+), 1105 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json 
b/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json
index fce10c0..592eb35 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json
@@ -24,21 +24,20 @@
   ],
   "accessTypes":
   [
-    {"name":"topology-submit",      "label":"Submit Topology"},
-    {"name":"file-upload",          "label":"File Upload"},
-    {"name":"nimbus-conf-get",      "label":"Get Nimbus Conf"},
-    {"name":"cluster-conf-get",     "label":"Get Cluster Conf"},
-    {"name":"cluster-info-get",     "label":"Get Cluster Info"},
-    {"name":"file-download",        "label":"File Download"},
-    {"name":"topology-kill",        "label":"Kill Topology"},
+    {"name":"submitTopology",      "label":"Submit Topology"},
+    {"name":"fileUpload",          "label":"File Upload"},
+    {"name":"getNimbusConf",      "label":"Get Nimbus Conf"},
+    {"name":"getClusterInfo",     "label":"Get Cluster Info"},
+    {"name":"fileDownload",        "label":"File Download"},
+    {"name":"killTopology",        "label":"Kill Topology"},
     {"name":"rebalance",            "label":"Rebalance"},
     {"name":"activate",             "label":"Activate"},
     {"name":"deactivate",           "label":"Deactivate"},
-    {"name":"topology-conf-get",    "label":"Get Topology Conf"},
-    {"name":"topology-get",         "label":"Get Topology"},
-    {"name":"topology-user-get",    "label":"Get User Topology"},
-    {"name":"topology-info-get",    "label":"Get Topology Info"},
-    {"name":"new-credential-upload","label":"Upload New Credential"}
+    {"name":"getTopologyConf",    "label":"Get Topology Conf"},
+    {"name":"getTopology",         "label":"Get Topology"},
+    {"name":"getUserTopology",    "label":"Get User Topology"},
+    {"name":"getTopologyInfo",    "label":"Get Topology Info"},
+    {"name":"uploadNewCredentials","label":"Upload New Credential"}
   ],
   "policyConditions":
   [
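Review bot: Every hyphenated access-type `name` (`topology-submit`, `file-upload`, …) is replaced here by a camelCase one (`submitTopology`, `fileUpload`, …), and `cluster-conf-get` is dropped with no replacement. The authorizer removed in this same commit matched operations by exact string (`accessTypeList.contains(aOperationName)`), so if the new framework matches the same way, policies already stored under the old names would presumably stop matching after the upgrade. No migration step or alias mapping is visible in this commit. The commit message should say whether removing `cluster-conf-get` is intentional and how existing Storm policies are carried over. The spacing before `"label"` is also no longer uniform on the new lines.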

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/agents-impl/src/main/java/org/apache/ranger/pdp/storm/RangerAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/agents-impl/src/main/java/org/apache/ranger/pdp/storm/RangerAuthorizer.java 
b/agents-impl/src/main/java/org/apache/ranger/pdp/storm/RangerAuthorizer.java
deleted file mode 100644
index f7d3b0f..0000000
--- 
a/agents-impl/src/main/java/org/apache/ranger/pdp/storm/RangerAuthorizer.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package org.apache.ranger.pdp.storm;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.authorization.storm.RangerStormAccessVerifier;
-
-public class RangerAuthorizer implements RangerStormAccessVerifier {
-       
-       private static final Log LOG = 
LogFactory.getLog(RangerAuthorizer.class) ;
-       
-       private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
-       
-       
-       @Override
-       public boolean isAccessAllowed(String aUserName, String[] aGroupName, 
String aOperationName, String aTopologyName) {
-               boolean ret = false ;
-               
-               if (authDB != null) {
-                       ret = authDB.isAccessAllowed(aUserName, aGroupName, 
aOperationName, aTopologyName) ;
-               }
-               else {
-                       LOG.error("Unable to find a URLBasedAuthDB for 
authorization - Found null");
-               }
-               
-               return ret ;
-       }
-
-       @Override
-       public boolean isAudited(String aTopologyName) {
-               boolean ret = false ;
-               
-               if (authDB != null) {
-                       ret = authDB.isAudited(aTopologyName) ;
-               }
-               else {
-                       LOG.error("Unable to find a URLBasedAuthDB for 
authorization - Found null");
-               }
-               
-               return ret ;
-       }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/agents-impl/src/main/java/org/apache/ranger/pdp/storm/StormAuthRule.java
----------------------------------------------------------------------
diff --git 
a/agents-impl/src/main/java/org/apache/ranger/pdp/storm/StormAuthRule.java 
b/agents-impl/src/main/java/org/apache/ranger/pdp/storm/StormAuthRule.java
deleted file mode 100644
index f655839..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/storm/StormAuthRule.java
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package org.apache.ranger.pdp.storm;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.ranger.authorization.utils.StringUtil;
-
-public class StormAuthRule {
-       private String topologyName ;
-       private List<String> accessTypeList ;
-       private List<String> groupList ;
-       private List<String> userList;
-       private boolean auditEnabled ;
-       
-       
-       public StormAuthRule(String topologyName, List<String> accessTypeList,
-                       List<String> userList, List<String> groupList, boolean 
auditEnabled) {
-               super();
-               this.topologyName = topologyName;
-               this.accessTypeList = accessTypeList;
-               if (this.accessTypeList == null) {
-                       this.accessTypeList = new ArrayList<String>();
-               }
-               this.userList = userList;
-               if (this.userList == null) {
-                       this.userList = new ArrayList<String>();
-               }
-
-               this.groupList = groupList;
-               if (this.groupList == null) {
-                       this.groupList = new ArrayList<String>();
-               }
-               
-               this.auditEnabled = auditEnabled ;
-       }
-       
-       public String getTopologyName() {
-               return topologyName;
-       }
-       public void setTopologyName(String topologyName) {
-               this.topologyName = topologyName;
-       }
-       public List<String> getAccessTypeList() {
-               return accessTypeList;
-       }
-       public void setAccessTypeList(List<String> accessTypeList) {
-               this.accessTypeList = accessTypeList;
-       }
-       public List<String> getGroupList() {
-               return groupList;
-       }
-       public void setGroupList(List<String> groupList) {
-               this.groupList = groupList;
-       }
-       public List<String> getUserList() {
-               return userList;
-       }
-       public void setUserList(List<String> userList) {
-               this.userList = userList;
-       }
-
-       public boolean isMatchedTopology(String aTopologyName) {
-               
-               boolean ret = false ;
-               
-               if (aTopologyName == null || aTopologyName.length() == 0) {
-                       ret = "*".equals(this.topologyName) ;
-               }
-               else {
-                       ret = (aTopologyName.equals(this.topologyName) ||  
FilenameUtils.wildcardMatch(aTopologyName,this.topologyName)) ;
-               }
-               return ret ;
-       }
-
-       public boolean isOperationAllowed(String aOperationName) {
-               return this.accessTypeList.contains(aOperationName);
-       }
-       
-       private static final String PUBLIC_GROUP_NAME = "public" ;
-
-       public boolean isUserAllowed(String aUserName, String[] aGroupList) {
-               
-               boolean accessAllowed = false ;
-               
-               if ( this.userList.contains(aUserName) ) {
-                       accessAllowed = true ;
-               }
-               else if (this.groupList.contains(PUBLIC_GROUP_NAME)) {
-                       accessAllowed = true ;
-               }
-               else if (aGroupList != null ) {
-                       for(String userGroup : aGroupList ) {
-                               if (this.groupList.contains(userGroup) ) {
-                                       accessAllowed = true ;
-                                       break ;
-                               }
-                       }
-               }
-               
-               return accessAllowed ;
-       }
-
-       public boolean getAuditEnabled() {
-               return this.auditEnabled ;
-       }
-       
-       @Override
-       public String toString() {
-               return "StormAuthRule: { topologyName: [" + topologyName + "]," 
+
-                           "userList: [" + StringUtil.toString(userList) + "]" 
+ 
-                           "groupList: [" + StringUtil.toString(groupList) + 
"]" + 
-                           "accessTypeList: [" + 
StringUtil.toString(accessTypeList) + "]" + 
-                           "auditEnabled: [" + auditEnabled  + "] }";
-       }
-       
-}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/agents-impl/src/main/java/org/apache/ranger/pdp/storm/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git 
a/agents-impl/src/main/java/org/apache/ranger/pdp/storm/URLBasedAuthDB.java 
b/agents-impl/src/main/java/org/apache/ranger/pdp/storm/URLBasedAuthDB.java
deleted file mode 100644
index 1977fb2..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/storm/URLBasedAuthDB.java
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package org.apache.ranger.pdp.storm;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.authorization.storm.RangerStormAccessVerifier;
-import org.apache.ranger.pdp.config.PolicyChangeListener;
-import org.apache.ranger.pdp.config.PolicyRefresher;
-import org.apache.ranger.pdp.constants.RangerConstants;
-import org.apache.ranger.pdp.model.Policy;
-import org.apache.ranger.pdp.model.PolicyContainer;
-import org.apache.ranger.pdp.model.RolePermission;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-
-public class URLBasedAuthDB implements PolicyChangeListener, 
RangerStormAccessVerifier {
-       
-       private static final Logger LOG = 
LoggerFactory.getLogger(URLBasedAuthDB.class) ;
-
-       private static URLBasedAuthDB me = null;
-       
-       private PolicyRefresher refresher = null ;
-       
-       private PolicyContainer policyContainer = null;
-       
-       private List<StormAuthRule> stormAuthDB = null ; 
-       
-       public static URLBasedAuthDB getInstance() {
-               if (me == null) {
-                       synchronized (URLBasedAuthDB.class) {
-                               URLBasedAuthDB temp = me;
-                               if (temp == null) {
-                                       me = new URLBasedAuthDB();
-                                       me.init() ;
-                               }
-                       }
-               }
-               return me;
-       }
-       
-       private URLBasedAuthDB() {
-               
-               String url                       = 
RangerConfiguration.getInstance().get(RangerConstants.RANGER_STORM_POLICYMGR_URL_PROP);
-               
-               long  refreshInMilli = 
RangerConfiguration.getInstance().getLong(
-                               
RangerConstants.RANGER_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
-                               
RangerConstants.RANGER_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
-               
-               String lastStoredFileName = 
RangerConfiguration.getInstance().get(RangerConstants.RANGER_STORM_LAST_SAVED_POLICY_FILE_PROP)
 ;
-               
-               String sslConfigFileName = 
RangerConfiguration.getInstance().get(RangerConstants.RANGER_STORM_POLICYMGR_SSL_CONFIG_FILE_PROP)
 ;
-               
-               refresher = new PolicyRefresher(url, 
refreshInMilli,sslConfigFileName,lastStoredFileName) ;
-               
-               String saveAsFileName = 
RangerConfiguration.getInstance().get(RangerConstants.RANGER_STORM_POLICYMGR_URL_SAVE_FILE_PROP)
 ;
-               if (saveAsFileName != null) {
-                       refresher.setSaveAsFileName(saveAsFileName) ;
-               }
-               
-               if (lastStoredFileName != null) {
-                       refresher.setLastStoredFileName(lastStoredFileName);
-               }       
-       }
-       
-       
-       private void init() {
-               refresher.setPolicyChangeListener(this);
-       }
-       
-       
-       @Override
-       public void OnPolicyChange(PolicyContainer aPolicyContainer) {
-               setPolicyContainer(aPolicyContainer);
-       }
-       
-       
-       public PolicyContainer getPolicyContainer() {
-               return policyContainer;
-       }
-
-       
-       
-       public synchronized void setPolicyContainer(PolicyContainer 
aPolicyContainer) {
-               
-               if (aPolicyContainer != null) {
-                       
-                       List<StormAuthRule> tempStormAuthDB = new 
ArrayList<StormAuthRule>() ;
-                       
-                       for(Policy p : aPolicyContainer.getAcl()) {
-                               
-                               if (! p.isEnabled()) {
-                                       continue;
-                               }
-                               
-                               for (String topologyName : p.getTopologyList()) 
{
-                                       
-                                       List<RolePermission> rpList = 
p.getPermissions() ;
-                                       
-                                       for(RolePermission rp : rpList) {
-                                               StormAuthRule rule = new 
StormAuthRule(topologyName, rp.getAccess() , rp.getUsers(), rp.getGroups(), 
(p.getAuditInd() == 1)) ;
-                                               tempStormAuthDB.add(rule) ;
-                                       }
-                               }
-                       }
-                       
-                       this.stormAuthDB = tempStormAuthDB ;
-                       
-                       this.policyContainer = aPolicyContainer ;
-               }
-       }
-
-       @Override
-       public boolean isAccessAllowed(String aUserName, String[] aGroupName, 
String aOperationName, String aTopologyName) {
-
-               boolean accessAllowed = false ;
-
-               List<StormAuthRule> tempStormAuthDB =  this.stormAuthDB ;
-               
-               if (tempStormAuthDB != null) {
-                       for(StormAuthRule rule : tempStormAuthDB) {
-                               if (rule.isMatchedTopology(aTopologyName)) {
-                                       if 
(rule.isOperationAllowed(aOperationName)) {
-                                               if 
(rule.isUserAllowed(aUserName, aGroupName)) {
-                                                       accessAllowed = true ;
-                                                       break ;
-                                               }
-                                       }
-                               }
-                       }
-               }
-               
-               return accessAllowed ;
-       }
-
-       @Override
-       public boolean isAudited(String aTopologyName) {
-               boolean auditEnabled = false ;
-
-               List<StormAuthRule> tempStormAuthDB =  stormAuthDB ;
-               
-               if (tempStormAuthDB != null) {
-                       for(StormAuthRule rule : tempStormAuthDB) {
-                               if (rule.isMatchedTopology(aTopologyName)) {
-                                       auditEnabled = rule.getAuditEnabled() ;
-                                       if (auditEnabled) {
-                                               break ;
-                                       }
-                               }
-                       }
-               }
-               
-               return auditEnabled ;
-       }
-       
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/agents-impl/src/main/java/org/apache/ranger/pdp/utils/RangerUtils.java
----------------------------------------------------------------------
diff --git 
a/agents-impl/src/main/java/org/apache/ranger/pdp/utils/RangerUtils.java 
b/agents-impl/src/main/java/org/apache/ranger/pdp/utils/RangerUtils.java
deleted file mode 100644
index 27e7dee..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/utils/RangerUtils.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.pdp.utils;
-
-import java.io.File;
-import java.net.URL;
-
-public class RangerUtils {
-
-       public static String getFilePathFromClassPath(String aFileName) {
-               String pathName = null;
-               
-               File lf = new File(aFileName) ;
-               
-               if (lf.exists()) {
-                       pathName = lf.getAbsolutePath();
-               }
-               else  {
-                       URL lurl = RangerUtils.class.getResource(aFileName);
-                       if (lurl == null) {
-                               if (!aFileName.startsWith("/")) {
-                                       lurl = 
RangerUtils.class.getResource("/" + aFileName);
-                               }
-                       }
-                       if (lurl != null) {
-                               pathName = lurl.getFile();
-                       }
-               }
-               return pathName;
-
-       }
-}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/hbase-agent/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/hbase-agent/src/test/resources/log4j.properties 
b/hbase-agent/src/test/resources/log4j.properties
index 71a8957..a43ef33 100644
--- a/hbase-agent/src/test/resources/log4j.properties
+++ b/hbase-agent/src/test/resources/log4j.properties
@@ -1,5 +1,5 @@
 # Define some default values that can be overridden by system properties
-ranger.root.logger=DEBUG,console
+ranger.root.logger=WARN,console
 # Define the root logger to the system property "hbase.root.logger".
 log4j.rootLogger=${ranger.root.logger}
 
@@ -13,4 +13,4 @@ log4j.threshold=ALL
 log4j.appender.console=org.apache.log4j.ConsoleAppender
 log4j.appender.console.target=System.err
 log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: 
%m%n
\ No newline at end of file
+log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: 
%m%n

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/plugin-common/pom.xml
----------------------------------------------------------------------
diff --git a/plugin-common/pom.xml b/plugin-common/pom.xml
deleted file mode 100644
index dc2a914..0000000
--- a/plugin-common/pom.xml
+++ /dev/null
@@ -1,81 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
-  <modelVersion>4.0.0</modelVersion>
-  <parent>
-    <groupId>org.apache.ranger</groupId>
-    <artifactId>ranger</artifactId>
-    <version>0.4.0</version>
-  </parent>
-  <artifactId>plugin-common</artifactId>
-  <name>ranger-plugin-common</name>
-  <description>Ranger Plugin Common Library</description>
-  <dependencies>
-       <dependency>
-               <groupId>org.codehaus.jackson</groupId>
-               <artifactId>jackson-core-asl</artifactId>
-               <version>${codehaus.jackson.version}</version>
-       </dependency>
-       <dependency>
-               <groupId>org.codehaus.jackson</groupId>
-               <artifactId>jackson-mapper-asl</artifactId>
-               <version>${codehaus.jackson.version}</version>
-       </dependency>
-       <dependency>
-               <groupId>log4j</groupId>
-               <artifactId>log4j</artifactId>
-               <version>${log4j.version}</version>
-       </dependency>
-       <dependency>
-               <groupId>commons-logging</groupId>
-               <artifactId>commons-logging</artifactId>
-               <version>${commons.logging.version}</version>
-       </dependency>
-       <dependency>
-               <groupId>org.apache.hadoop</groupId>
-               <artifactId>hadoop-common</artifactId>
-               <version>${hadoop-common.version}</version>
-       </dependency>
-       <dependency>
-               <groupId>junit</groupId>
-               <artifactId>junit</artifactId>
-       </dependency>
-       <dependency>
-               <groupId>security_plugins.ranger-plugins-audit</groupId>
-               <artifactId>ranger-plugins-audit</artifactId>
-               <version>${project.version}</version>
-       </dependency>
-       <dependency>
-               <groupId>security_plugins.ranger-plugins-common</groupId>
-               <artifactId>ranger-plugins-common</artifactId>
-               <version>${project.version}</version>
-       </dependency>
-  </dependencies>
-  <build>
-    <plugins>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-surefire-plugin</artifactId>
-        <configuration>
-          <skipTests>true</skipTests>
-        </configuration>
-      </plugin>
-    </plugins>
-  </build>
-  
-</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/src/main/assembly/storm-agent.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/storm-agent.xml 
b/src/main/assembly/storm-agent.xml
index a3afaef..cadf780 100644
--- a/src/main/assembly/storm-agent.xml
+++ b/src/main/assembly/storm-agent.xml
@@ -45,6 +45,9 @@
                                        
<include>com.sun.jersey:jersey-bundle</include>
                     
<include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
                     
<include>com.google.guava:guava:jar:${guava.version}</include>
+                    
<include>org.codehaus.jackson:jackson-jaxrs:jar:${codehaus.jackson.version}</include>
+                    
<include>org.codehaus.jackson:jackson-core-asl:jar:${codehaus.jackson.version}</include>
+                    
<include>org.codehaus.jackson:jackson-mapper-asl:jar:${codehaus.jackson.version}</include>
                 </includes>
             </dependencySet>
             <dependencySet>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/ranger-policymgr-ssl-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-policymgr-ssl-changes.cfg 
b/storm-agent/conf/ranger-policymgr-ssl-changes.cfg
new file mode 100644
index 0000000..6bf4265
--- /dev/null
+++ b/storm-agent/conf/ranger-policymgr-ssl-changes.cfg
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SSL Params
+#
+xasecure.policymgr.clientssl.keystore                                   
%SSL_KEYSTORE_FILE_PATH%                                               mod 
create-if-not-exists
+xasecure.policymgr.clientssl.keystore.password                  
%SSL_KEYSTORE_PASSWORD%                                                mod 
create-if-not-exists
+xasecure.policymgr.clientssl.keystore.credential.file   
jceks://file%CREDENTIAL_PROVIDER_FILE%                 mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore                                     
%SSL_TRUSTSTORE_FILE_PATH%                                         mod 
create-if-not-exists
+xasecure.policymgr.clientssl.truststore.password            
%SSL_TRUSTSTORE_PASSWORD%                                          mod 
create-if-not-exists
+xasecure.policymgr.clientssl.truststore.credential.file  
jceks://file%CREDENTIAL_PROVIDER_FILE%         mod create-if-not-exists       
\ No newline at end of file
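Review bot: The `xasecure.policymgr.clientssl.keystore.password` and `xasecure.policymgr.clientssl.truststore.password` rows substitute `%SSL_KEYSTORE_PASSWORD%` and `%SSL_TRUSTSTORE_PASSWORD%` into the generated configuration, next to rows that already point both stores at a `jceks://` credential file. Whether the installer masks those two values before writing them is not visible in this hunk; if it does not, the store passwords end up in clear text in a config file on the Storm host. A header comment such as `# real passwords belong in the credential file; the *.password values must not carry the secret` would document the intent, and the generated XML should be readable only by the service account either way. The keys also keep the `xasecure.` prefix although the file is renamed to `ranger-…`, which deserves a one-line comment if it is deliberate.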

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/ranger-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-policymgr-ssl.xml 
b/storm-agent/conf/ranger-policymgr-ssl.xml
new file mode 100644
index 0000000..964aac7
--- /dev/null
+++ b/storm-agent/conf/ranger-policymgr-ssl.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude";>
+       <!--  The following properties are used for 2-way SSL client server 
validation -->
+       <property>
+               <name>xasecure.policymgr.clientssl.keystore</name>
+               <value>hadoopdev-clientcert.jks</value>
+               <description> 
+                       Java Keystore files 
+               </description>
+       </property>
+       <property>
+               <name>xasecure.policymgr.clientssl.keystore.password</name>
+               <value>none</value>
+               <description> 
+                       password for keystore 
+               </description>
+       </property>
+       <property>
+               <name>xasecure.policymgr.clientssl.truststore</name>
+               <value>cacerts-xasecure.jks</value>
+               <description> 
+                       java truststore file
+               </description>
+       </property>
+       <property>
+               <name>xasecure.policymgr.clientssl.truststore.password</name>
+               <value>none</value>
+               <description> 
+                       java  truststore password
+               </description>
+       </property>
+    <property>
+               
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+               <value>jceks://file/tmp/keystore-hadoopdev-ssl.jceks</value>
+               <description> 
+                       java  keystore credential file
+               </description>
+       </property>
+       <property>
+               
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+               <value>jceks://file/tmp/truststore-hadoopdev-ssl.jceks</value>
+               <description> 
+                       java  truststore credential file
+               </description>
+       </property>
+</configuration>
\ No newline at end of file
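Review bot: The two credential-file defaults point into `/tmp` (`jceks://file/tmp/keystore-hadoopdev-ssl.jceks` and the matching truststore entry), a directory any local account can write to. A deployment that keeps the template values would therefore read its keystore and truststore secrets from a file another user could have put there first. ranger-policymgr-ssl-changes.cfg substitutes `%CREDENTIAL_PROVIDER_FILE%` at install time, so this presumably only affects hand-edited installs. The template would still be safer pointing at a service-owned directory, such as the `/etc/ranger/stormdev/` location ranger-storm-audit.xml uses for its credential store. The two `<value>none</value>` password entries also deserve a description saying what `none` means, since this file does not show whether it causes the credential file to be used instead.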

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/ranger-storm-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-audit-changes.cfg 
b/storm-agent/conf/ranger-storm-audit-changes.cfg
new file mode 100644
index 0000000..4f2c5a2
--- /dev/null
+++ b/storm-agent/conf/ranger-storm-audit-changes.cfg
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%    
                                     mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.url          %XAAUDIT_DB_JDBC_URL%   
                                                                                
mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.user         %XAAUDIT.DB.USER_NAME%  
                                                                                
mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.password     crypted                 
                                                                                
                mod create-if-not-exists
+xasecure.audit.credential.provider.file                
jceks://file%CREDENTIAL_PROVIDER_FILE%                                          
        mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.driver       
%XAAUDIT_DB_JDBC_DRIVER%                                                        
                        mod create-if-not-exists
+
+xasecure.audit.hdfs.is.enabled                                     
%XAAUDIT.HDFS.IS_ENABLED%                               mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.directory                   
%XAAUDIT.HDFS.DESTINATION_DIRECTORY%                    mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.file                        
%XAAUDIT.HDFS.DESTINTATION_FILE%                        mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.flush.interval.seconds      
%XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.rollover.interval.seconds   
%XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.open.retry.interval.seconds 
%XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.directory                  
%XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%                   mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.file                       
%XAAUDIT.HDFS.LOCAL_BUFFER_FILE%                        mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     
%XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  
%XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.directory                 
%XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%                  mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.max.file.count            
%XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%             mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/ranger-storm-audit.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-audit.xml 
b/storm-agent/conf/ranger-storm-audit.xml
new file mode 100644
index 0000000..9aa8a89
--- /dev/null
+++ b/storm-agent/conf/ranger-storm-audit.xml
@@ -0,0 +1,186 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude";>
+       <property>
+               <name>xasecure.audit.is.enabled</name>
+               <value>true</value>
+       </property>     
+
+       <!-- DB audit provider configuration -->
+       <property>
+               <name>xasecure.audit.db.is.enabled</name>
+               <value>false</value>
+       </property>     
+       
+       <property>
+               <name>xasecure.audit.db.is.async</name>
+               <value>true</value>
+       </property>     
+       
+       <property>
+               <name>xasecure.audit.db.async.max.queue.size</name>
+               <value>10240</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.db.async.max.flush.interval.ms</name>
+               <value>30000</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.db.batch.size</name>
+               <value>100</value>
+       </property>     
+
+       <!--  Properties whose name begin with "xasecure.audit.jpa." are used 
to configure JPA -->
+       <property>
+               <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
+               <value>jdbc:mysql://localhost:3306/ranger_audit</value>
+       </property>
+
+       <property>
+               <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
+               <value>rangerlogger</value>
+       </property>
+
+       <property>
+               <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
+               <value>none</value>
+       </property>
+
+       <property>
+               <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
+               <value>com.mysql.jdbc.Driver</value>
+       </property>
+
+    <property>
+               <name>xasecure.audit.credential.provider.file</name>
+               <value>jceks://file/etc/ranger/stormdev/auditcred.jceks</value>
+       </property>
+       
+
+
+       <!-- HDFS audit provider configuration -->
+       <property>
+               <name>xasecure.audit.hdfs.is.enabled</name>
+               <value>false</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.hdfs.is.async</name>
+               <value>true</value>
+       </property>     
+       
+       <property>
+               <name>xasecure.audit.hdfs.async.max.queue.size</name>
+               <value>1048576</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
+               <value>30000</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.hdfs.config.encoding</name>
+               <value></value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.hdfs.config.destination.directory</name>
+               
<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.hdfs.config.destination.file</name>
+               <value>%hostname%-audit.log</value>
+       </property>     
+
+       <property>
+               
<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
+               <value>900</value>
+       </property>     
+
+       <property>
+               
<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
+               <value>86400</value>
+       </property>     
+
+       <property>
+               
<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
+               <value>60</value>
+       </property>
+
+       <property>
+               <name>xasecure.audit.hdfs.config.local.buffer.directory</name>
+               <value>/var/log/storm/audit</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.hdfs.config.local.buffer.file</name>
+               <value>%time:yyyyMMdd-HHmm.ss%.log</value>
+       </property>     
+
+       <property>
+               
<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
+               <value>8192</value>
+       </property>     
+
+       <property>
+               
<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
+               <value>60</value>
+       </property>     
+
+       <property>
+               
<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
+               <value>600</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.hdfs.config.local.archive.directory</name>
+               <value>/var/log/storm/audit/archive</value>
+       </property>     
+
+       <property>
+               
<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
+               <value>10</value>
+       </property>     
+       
+
+       <!-- Log4j audit provider configuration -->
+       <property>
+               <name>xasecure.audit.log4j.is.enabled</name>
+               <value>false</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.log4j.is.async</name>
+               <value>false</value>
+       </property>     
+       
+       <property>
+               <name>xasecure.audit.log4j.async.max.queue.size</name>
+               <value>10240</value>
+       </property>     
+
+       <property>
+               <name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
+               <value>30000</value>
+       </property>     
+</configuration>
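Review bot: As shipped, the template sets `xasecure.audit.is.enabled` to `true` but leaves all three providers (`xasecure.audit.db.is.enabled`, `xasecure.audit.hdfs.is.enabled`, `xasecure.audit.log4j.is.enabled`) at `false`, and nothing in the file explains that combination. ranger-storm-audit-changes.cfg fills in only the db and hdfs switches, so an install whose properties leave both off would presumably store no authorization events anywhere. I would add a comment above the first property, `<!-- At least one of the db, hdfs or log4j providers below must be enabled for audit events to be stored -->`. It is also worth confirming that the plugin logs a warning when audit is on and no provider is enabled.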

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/ranger-storm-security-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-security-changes.cfg 
b/storm-agent/conf/ranger-storm-security-changes.cfg
new file mode 100644
index 0000000..9d3ca13
--- /dev/null
+++ b/storm-agent/conf/ranger-storm-security-changes.cfg
@@ -0,0 +1,26 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+# 
+#
+ranger.plugin.storm.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.storm.policy.source.impl 
org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
+
+ranger.plugin.storm.policy.rest.url                %POLICY_MGR_URL%            
              mod create-if-not-exists
+ranger.plugin.storm.policy.rest.ssl.config.file    
/etc/storm/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.storm.policy.pollIntervalMs          30000                       
              mod create-if-not-exists
+ranger.plugin.storm.policy.cache.dir               %POLICY_CACHE_FILE_PATH%    
              mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/ranger-storm-security.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-security.xml 
b/storm-agent/conf/ranger-storm-security.xml
new file mode 100644
index 0000000..9126fc9
--- /dev/null
+++ b/storm-agent/conf/ranger-storm-security.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude";>
+       <property>
+               <name>ranger.plugin.storm.service.name</name>
+               <value>stormdev</value>
+               <description>
+                       Name of the Ranger service containing policies for this 
YARN instance
+               </description>
+       </property>
+
+       <property>
+               <name>ranger.plugin.storm.policy.source.impl</name>
+               
<value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+               <description>
+                       Class to retrieve policies from the source
+               </description>
+       </property>
+
+       <property>
+               <name>ranger.plugin.storm.policy.rest.url</name>
+               <value>http://policymanagerhost:port</value>
+               <description>
+                       URL to Ranger Admin
+               </description>
+       </property>
+
+       <property>
+               <name>ranger.plugin.storm.policy.rest.ssl.config.file</name>
+               <value>/etc/storm/conf/ranger-policymgr-ssl.xml</value>
+               <description>
+                       Path to the file containing SSL details to contact 
Ranger Admin
+               </description>
+       </property>
+
+       <property>
+               <name>ranger.plugin.storm.policy.pollIntervalMs</name>
+               <value>30000</value>
+               <description>
+                       How often to poll for changes in policies?
+               </description>
+       </property>
+
+       <property>
+               <name>ranger.plugin.storm.policy.cache.dir</name>
+               <value>/etc/ranger/stormdev/policycache</value>
+               <description>
+                       Directory where Ranger policies are cached after 
successful retrieval from the source
+               </description>
+       </property>
+</configuration>
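Review bot: The default for `ranger.plugin.storm.policy.rest.url` is `http://policymanagerhost:port`, so an install that keeps the scheme would download authorization policies in cleartext, even though `ranger.plugin.storm.policy.rest.ssl.config.file` is configured right below it. Whether the SSL file is consulted at all for an `http` URL cannot be seen from this hunk. I would ship the placeholder as `<value>https://policymanagerhost:port</value>`, or have the description state which scheme the SSL settings expect. Separately, the description of `ranger.plugin.storm.service.name` says "for this YARN instance", which looks copied from another plugin and should read `Name of the Ranger service containing policies for this Storm instance`.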

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/xasecure-audit-changes.cfg 
b/storm-agent/conf/xasecure-audit-changes.cfg
deleted file mode 100644
index fe8bab7..0000000
--- a/storm-agent/conf/xasecure-audit-changes.cfg
+++ /dev/null
@@ -1,34 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%    
                                     mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.url          %XAAUDIT_DB_JDBC_URL%   
                                                                                
mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.user         %XAAUDIT.DB.USER_NAME%  
                                                                                
mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.password     crypted                 
                                                                                
                mod create-if-not-exists
-xasecure.audit.repository.name                                         
%REPOSITORY_NAME%                                                               
                                mod create-if-not-exists
-xasecure.audit.credential.provider.file                
jceks://file%CREDENTIAL_PROVIDER_FILE%                                          
        mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.driver       
%XAAUDIT_DB_JDBC_DRIVER%                                                        
                        mod create-if-not-exists
-
-xasecure.audit.hdfs.is.enabled                                     
%XAAUDIT.HDFS.IS_ENABLED%                               mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.directory                   
%XAAUDIT.HDFS.DESTINATION_DIRECTORY%                    mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.file                        
%XAAUDIT.HDFS.DESTINTATION_FILE%                        mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.flush.interval.seconds      
%XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.rollover.interval.seconds   
%XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.open.retry.interval.seconds 
%XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.directory                  
%XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%                   mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.file                       
%XAAUDIT.HDFS.LOCAL_BUFFER_FILE%                        mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     
%XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  
%XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.directory                 
%XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%                  mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.max.file.count            
%XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%             mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/xasecure-audit.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/xasecure-audit.xml 
b/storm-agent/conf/xasecure-audit.xml
deleted file mode 100644
index 5fbbbbe..0000000
--- a/storm-agent/conf/xasecure-audit.xml
+++ /dev/null
@@ -1,192 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude";>
-       <property>
-               <name>xasecure.audit.is.enabled</name>
-               <value>true</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.repository.name</name>
-               <value>stormdev</value>
-       </property>     
-       
-
-       <!-- DB audit provider configuration -->
-       <property>
-               <name>xasecure.audit.db.is.enabled</name>
-               <value>false</value>
-       </property>     
-       
-       <property>
-               <name>xasecure.audit.db.is.async</name>
-               <value>true</value>
-       </property>     
-       
-       <property>
-               <name>xasecure.audit.db.async.max.queue.size</name>
-               <value>10240</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.db.async.max.flush.interval.ms</name>
-               <value>30000</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.db.batch.size</name>
-               <value>100</value>
-       </property>     
-
-       <!--  Properties whose name begin with "xasecure.audit.jpa." are used 
to configure JPA -->
-       <property>
-               <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
-               <value>jdbc:mysql://localhost:3306/ranger_audit</value>
-       </property>
-
-       <property>
-               <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
-               <value>rangerlogger</value>
-       </property>
-
-       <property>
-               <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
-               <value>none</value>
-       </property>
-
-       <property>
-               <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
-               <value>com.mysql.jdbc.Driver</value>
-       </property>
-
-    <property>
-               <name>xasecure.audit.credential.provider.file</name>
-               <value>jceks://file/etc/ranger/stormdev/auditcred.jceks</value>
-       </property>
-       
-
-
-       <!-- HDFS audit provider configuration -->
-       <property>
-               <name>xasecure.audit.hdfs.is.enabled</name>
-               <value>false</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.hdfs.is.async</name>
-               <value>true</value>
-       </property>     
-       
-       <property>
-               <name>xasecure.audit.hdfs.async.max.queue.size</name>
-               <value>1048576</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
-               <value>30000</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.hdfs.config.encoding</name>
-               <value></value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.hdfs.config.destination.directory</name>
-               
<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.hdfs.config.destination.file</name>
-               <value>%hostname%-audit.log</value>
-       </property>     
-
-       <property>
-               
<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
-               <value>900</value>
-       </property>     
-
-       <property>
-               
<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
-               <value>86400</value>
-       </property>     
-
-       <property>
-               
<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
-               <value>60</value>
-       </property>
-
-       <property>
-               <name>xasecure.audit.hdfs.config.local.buffer.directory</name>
-               <value>/var/log/storm/audit</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.hdfs.config.local.buffer.file</name>
-               <value>%time:yyyyMMdd-HHmm.ss%.log</value>
-       </property>     
-
-       <property>
-               
<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
-               <value>8192</value>
-       </property>     
-
-       <property>
-               
<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
-               <value>60</value>
-       </property>     
-
-       <property>
-               
<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
-               <value>600</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.hdfs.config.local.archive.directory</name>
-               <value>/var/log/storm/audit/archive</value>
-       </property>     
-
-       <property>
-               
<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
-               <value>10</value>
-       </property>     
-       
-
-       <!-- Log4j audit provider configuration -->
-       <property>
-               <name>xasecure.audit.log4j.is.enabled</name>
-               <value>false</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.log4j.is.async</name>
-               <value>false</value>
-       </property>     
-       
-       <property>
-               <name>xasecure.audit.log4j.async.max.queue.size</name>
-               <value>10240</value>
-       </property>     
-
-       <property>
-               <name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
-               <value>30000</value>
-       </property>     
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/xasecure-policymgr-ssl-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/xasecure-policymgr-ssl-changes.cfg 
b/storm-agent/conf/xasecure-policymgr-ssl-changes.cfg
deleted file mode 100644
index 6bf4265..0000000
--- a/storm-agent/conf/xasecure-policymgr-ssl-changes.cfg
+++ /dev/null
@@ -1,23 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SSL Params
-#
-xasecure.policymgr.clientssl.keystore                                   
%SSL_KEYSTORE_FILE_PATH%                                               mod 
create-if-not-exists
-xasecure.policymgr.clientssl.keystore.password                  
%SSL_KEYSTORE_PASSWORD%                                                mod 
create-if-not-exists
-xasecure.policymgr.clientssl.keystore.credential.file   
jceks://file%CREDENTIAL_PROVIDER_FILE%                 mod create-if-not-exists
-xasecure.policymgr.clientssl.truststore                                     
%SSL_TRUSTSTORE_FILE_PATH%                                         mod 
create-if-not-exists
-xasecure.policymgr.clientssl.truststore.password            
%SSL_TRUSTSTORE_PASSWORD%                                          mod 
create-if-not-exists
-xasecure.policymgr.clientssl.truststore.credential.file  
jceks://file%CREDENTIAL_PROVIDER_FILE%         mod create-if-not-exists       
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/xasecure-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/xasecure-policymgr-ssl.xml 
b/storm-agent/conf/xasecure-policymgr-ssl.xml
deleted file mode 100644
index 964aac7..0000000
--- a/storm-agent/conf/xasecure-policymgr-ssl.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude";>
-       <!--  The following properties are used for 2-way SSL client server 
validation -->
-       <property>
-               <name>xasecure.policymgr.clientssl.keystore</name>
-               <value>hadoopdev-clientcert.jks</value>
-               <description> 
-                       Java Keystore files 
-               </description>
-       </property>
-       <property>
-               <name>xasecure.policymgr.clientssl.keystore.password</name>
-               <value>none</value>
-               <description> 
-                       password for keystore 
-               </description>
-       </property>
-       <property>
-               <name>xasecure.policymgr.clientssl.truststore</name>
-               <value>cacerts-xasecure.jks</value>
-               <description> 
-                       java truststore file
-               </description>
-       </property>
-       <property>
-               <name>xasecure.policymgr.clientssl.truststore.password</name>
-               <value>none</value>
-               <description> 
-                       java  truststore password
-               </description>
-       </property>
-    <property>
-               
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
-               <value>jceks://file/tmp/keystore-hadoopdev-ssl.jceks</value>
-               <description> 
-                       java  keystore credential file
-               </description>
-       </property>
-       <property>
-               
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
-               <value>jceks://file/tmp/truststore-hadoopdev-ssl.jceks</value>
-               <description> 
-                       java  truststore credential file
-               </description>
-       </property>
-</configuration>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/xasecure-storm-security-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/xasecure-storm-security-changes.cfg 
b/storm-agent/conf/xasecure-storm-security-changes.cfg
deleted file mode 100644
index 6af6de3..0000000
--- a/storm-agent/conf/xasecure-storm-security-changes.cfg
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Change the original policy parameter to work with policy manager based.
-# 
-#
-storm.authorization.verifier.classname                         
org.apache.ranger.pdp.storm.RangerAuthorizer                                    
                        mod     create-if-not-exists
-xasecure.storm.policymgr.url                                           
%POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME%                    
mod create-if-not-exists
-xasecure.storm.policymgr.url.saveAsFile                                
/tmp/storm%REPOSITORY_NAME%_json                                                
                            mod create-if-not-exists
-xasecure.storm.policymgr.url.laststoredfile                    
%POLICY_CACHE_FILE_PATH%/storm%REPOSITORY_NAME%_json                            
        mod create-if-not-exists
-xasecure.storm.policymgr.url.reloadIntervalInMillis 30000                      
                                                                                
                                mod create-if-not-exists
-xasecure.storm.policymgr.ssl.config                                    
/etc/storm/conf/xasecure-policymgr-ssl.xml                                      
                        mod create-if-not-exists
-xasecure.policymgr.url                                                     
%POLICY_MGR_URL%                                                                
                                            mod create-if-not-exists
-xasecure.policymgr.sslconfig.filename                          
/etc/storm/conf/xasecure-policymgr-ssl.xml                                      
                        mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/conf/xasecure-storm-security.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/xasecure-storm-security.xml 
b/storm-agent/conf/xasecure-storm-security.xml
deleted file mode 100644
index 302901f..0000000
--- a/storm-agent/conf/xasecure-storm-security.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude";>
-
-
-       <!--  The following property is used to select appropriate XASecure 
Authorizer Module (filebased, policymanager based) -->
-       <property>
-               <name>storm.authorization.verifier.classname</name>
-               <value>org.apache.ranger.pdp.storm.RangerAuthorizer</value>
-               <description>
-                       Class Name of the authorization Module 
-               </description>
-       </property>
-
-
-       <!-- The following properties are used only when PolicyManager is used 
as 
-               main storage for all policy -->
-       <property>
-               <name>xasecure.storm.policymgr.url</name>
-               
<value>http://policymanagerhost:port/service/assets/dev-storm</value>
-               <description>
-                       Location where XASecure Role Based Authorization Info is
-                       located.
-               </description>
-       </property>
-
-       <property>
-               <name>xasecure.storm.policymgr.url.saveAsFile</name>
-               <value>/tmp/xasecure-storm-policy.json</value>
-               <description>
-                       Location where XASecure Role Based Authorization Info is
-                       saved after successful retrieval from policymanager
-               </description>
-       </property>
-
-       <property>
-               <name>xasecure.storm.policymgr.url.laststoredfile</name>
-               <value>/home/storm/last_xasecure-storm-policy.json</value>
-               <description>
-                       Location and file where last XASecure Role Based 
Authorization Info
-                   is saved after successful retrieval from policymanager.
-               </description>
-       </property>
-
-       <property>
-               <name>xasecure.storm.policymgr.url.reloadIntervalInMillis</name>
-               <value>30000</value>
-               <description>
-                       How often do we need to verify the changes tothe
-                       authorization url,
-                       to reload to memory (reloaded only if there are
-                       changes)
-               </description>
-       </property>
-
-       <property>
-               <name>xasecure.policymgr.url</name>
-               <value>http://policymanagerhost:port</value>
-               <description>Base URL for XASecure PolicyManager</description>
-       </property>
-
-       <property>
-               <name>xasecure.policymgr.sslconfig.filename</name>
-               <value>/etc/storm/conf/xasecure-policymgr-ssl.xml</value>
-               <description>Path to the file containing SSL details to contact 
XASecure PolicyManager</description>
-       </property>
-
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifier.java
----------------------------------------------------------------------
diff --git 
a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifier.java
 
b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifier.java
deleted file mode 100644
index 6305b92..0000000
--- 
a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifier.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package org.apache.ranger.authorization.storm;
-
-public interface RangerStormAccessVerifier {
-       public boolean isAccessAllowed(String userName, String[] groups, String 
operation, String aTopologyName) ;
-       public boolean isAudited(String aTopologyName) ;
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifierFactory.java
----------------------------------------------------------------------
diff --git 
a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifierFactory.java
 
b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifierFactory.java
deleted file mode 100644
index de97b78..0000000
--- 
a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/RangerStormAccessVerifierFactory.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package org.apache.ranger.authorization.storm;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
-
-public class RangerStormAccessVerifierFactory {
-
-       private static final Log LOG = 
LogFactory.getLog(RangerStormAccessVerifierFactory.class) ;
-
-       private static RangerStormAccessVerifier stormAccessVerififer = null ;
-       
-       public static RangerStormAccessVerifier getInstance() {
-               if (stormAccessVerififer == null) {
-                       synchronized(RangerStormAccessVerifierFactory.class) {
-                               RangerStormAccessVerifier temp = 
stormAccessVerififer ;
-                               if (temp == null) {
-                                       String stormAccessVerifierClassName = 
RangerConfiguration.getInstance().get(RangerHadoopConstants.STORM_ACCESS_VERIFIER_CLASS_NAME_PROP,
 
-                                                                               
                                
RangerHadoopConstants.STORM_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE ) ;
-
-                                       if (stormAccessVerifierClassName != 
null) {
-                                               LOG.info("Storm Access 
Verification class [" + stormAccessVerifierClassName + "] - Being build");
-                                               try {
-                                                       stormAccessVerififer = 
(RangerStormAccessVerifier) 
(Class.forName(stormAccessVerifierClassName).newInstance()) ;
-                                                       LOG.info("Created a new 
instance of class: [" + stormAccessVerifierClassName + "] for Storm Access 
verification.");
-                                               } catch (InstantiationException 
e) {
-                                                       LOG.error("Unable to 
create StormAccess Verifier: [" +  stormAccessVerifierClassName + "]", e);
-                                               } catch (IllegalAccessException 
e) {
-                                                       LOG.error("Unable to 
create StormAccess Verifier: [" +  stormAccessVerifierClassName + "]", e);
-                                               } catch (ClassNotFoundException 
e) {
-                                                       LOG.error("Unable to 
create StormAccess Verifier: [" +  stormAccessVerifierClassName + "]", e);
-                                               } catch (Throwable t) {
-                                                       LOG.error("Unable to 
create StormAccess Verifier: [" +  stormAccessVerifierClassName + "]", t);
-                                               }
-                                               finally {
-                                                       LOG.info("Created a new 
instance of class: [" + stormAccessVerifierClassName + "] for StormAccess 
verification. (" + stormAccessVerififer + ")");
-                                               }
-                                       }
-                               }
-                               else {
-                                       LOG.error("Unable to obtain StormAccess 
verifier [" +  RangerHadoopConstants.STORM_ACCESS_VERIFIER_CLASS_NAME_PROP + 
"]");
-                               }
-                       }
-               }
-               return stormAccessVerififer ;
-       }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
----------------------------------------------------------------------
diff --git 
a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
 
b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
new file mode 100644
index 0000000..db5e0af
--- /dev/null
+++ 
b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
@@ -0,0 +1,79 @@
+package org.apache.ranger.authorization.storm;
+
+import java.util.Set;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import 
org.apache.ranger.authorization.storm.StormRangerPlugin.StormConstants.PluginConfiguration;
+import 
org.apache.ranger.authorization.storm.StormRangerPlugin.StormConstants.ResourceName;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerResourceImpl;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import com.google.common.collect.Sets;
+
+public class StormRangerPlugin extends RangerBasePlugin {
+       
+       private static final Log LOG = 
LogFactory.getLog(StormRangerPlugin.class);
+       boolean initialized = false;
+       
+       public StormRangerPlugin() {
+               super(PluginConfiguration.ServiceType, 
PluginConfiguration.AuditApplicationType);
+       }
+       
+       // this method isn't expected to be invoked often.  Per knox design 
this would be invoked ONCE right after the authorizer servlet is loaded
+       @Override
+       synchronized public void init() {
+               if (!initialized) {
+                       // mandatory call to base plugin
+                       super.init();
+                       // One time call to register the audit hander with the 
policy engine.
+                       super.setDefaultAuditHandler(new 
RangerDefaultAuditHandler());
+                       // this needed to set things right in the nimbus process
+                       if (KerberosName.getRules() == null) {
+                               KerberosName.setRules("DEFAULT") ;
+                       }
+                       initialized = true;
+                       LOG.info("StormRangerPlugin initialized!");
+               }
+       }
+
+       public RangerAccessRequest buildAccessRequest(String _user, String[] 
_groups, String _clientIp, String _topology, String _operation) {
+               
+               RangerAccessRequestImpl request = new RangerAccessRequestImpl();
+               request.setUser(_user);
+               if (_groups != null && _groups.length > 0) {
+                       Set<String> groups = Sets.newHashSet(_groups);
+                       request.setUserGroups(groups);
+               }
+               request.setAccessType(_operation);
+               request.setClientIPAddress(_clientIp);
+               // build resource and connect stuff into request
+               RangerResourceImpl resource = new RangerResourceImpl();
+               resource.setValue(ResourceName.Topology, _topology);
+               request.setResource(resource);
+               
+               if (LOG.isDebugEnabled()) {
+                       LOG.debug("Returning request: " + request.toString());
+               }
+               
+               return request;
+       }
+
+       static public class StormConstants {
+               // Plugin parameters
+               static class PluginConfiguration {
+                       static final String ServiceType = "storm";
+                       static final String AuditApplicationType = "storm";
+               }
+               
+               // must match the corresponding string used in service 
definition file
+               static class ResourceName {
+                       static final String Topology = "topology";
+               }
+       }
+
+}
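Review bot: In init(), `KerberosName.setRules("DEFAULT")` changes principal-to-short-name mapping for the whole process when no rules are configured, and nothing records that the fallback was taken. The mapped short name is presumably what the policy engine is later asked about, so I would log it just before the call, e.g. `LOG.warn("No Kerberos name rules configured; falling back to DEFAULT");`. The comment above init() refers to the knox design and an authorizer servlet, which looks carried over from another plugin; it should describe the Storm call path (RangerStormAuthorizer.prepare()) instead. The new file also starts directly at the `package` line, without the ASF license header the other sources in this commit carry.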

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a6412dc/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
 
b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
index 726e5fb..eb15b69 100644
--- 
a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
+++ 
b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
@@ -23,14 +23,10 @@ import java.security.Principal;
 import java.util.Map;
 
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.ranger.audit.model.EnumRepositoryType;
-import org.apache.ranger.audit.model.AuthzAuditEvent;
-import org.apache.ranger.audit.provider.AuditProviderFactory;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
-import org.apache.ranger.authorization.storm.RangerStormAccessVerifier;
-import org.apache.ranger.authorization.storm.RangerStormAccessVerifierFactory;
+import org.apache.ranger.authorization.storm.StormRangerPlugin;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -42,17 +38,8 @@ public class RangerStormAuthorizer implements IAuthorizer {
 
        private static final Logger LOG = 
LoggerFactory.getLogger(RangerStormAuthorizer.class);
        
-       private static final String RangerModuleName =  
RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_RANGER_MODULE_ACL_NAME_PROP
 , RangerHadoopConstants.DEFAULT_RANGER_MODULE_ACL_NAME) ;
+       static final StormRangerPlugin plugin = new StormRangerPlugin();
        
-       private static final String repositoryName     = 
RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
-       
-       private RangerStormAccessVerifier rangerVerifier = 
RangerStormAccessVerifierFactory.getInstance() ;
-
-       static {
-               RangerConfiguration.getInstance().initAudit("storm");
-       }
-
-
        /**
      * permit() method is invoked for each incoming Thrift request.
      * @param context request context includes info about 
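Review bot: `plugin` is declared without an access modifier, so every class in the package can reach the shared authorization plugin instance; `private static final StormRangerPlugin plugin = new StormRangerPlugin();` would keep it internal to the authorizer. The instance is constructed at class-load time but only initialised from prepare() in the last hunk, so permit() relies on prepare() having run first. A one-line comment on the field, such as `// initialised in prepare(); permit() must not run before that`, would make the ordering explicit.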
@@ -65,6 +52,7 @@ public class RangerStormAuthorizer implements IAuthorizer {
        public boolean permit(ReqContext aRequestContext, String 
aOperationName, Map aTopologyConfigMap) {
                
                boolean accessAllowed = false ;
+               boolean isAuditEnabled = false;
                
                String topologyName = null ;
                
@@ -109,64 +97,18 @@ public class RangerStormAuthorizer implements IAuthorizer {
                                
                                
                        if (userName != null) {
-                               accessAllowed = 
rangerVerifier.isAccessAllowed(userName, groups, aOperationName, topologyName) ;
+                               String clientIp =  
(aRequestContext.remoteAddress() == null ? null : 
aRequestContext.remoteAddress().getHostAddress() ) ;
+                               RangerAccessRequest accessRequest = 
plugin.buildAccessRequest(userName, groups, clientIp, topologyName, 
aOperationName); 
+                               RangerAccessResult result = 
plugin.isAccessAllowed(accessRequest);
+                               accessAllowed = result.getIsAllowed();
+                               isAuditEnabled = result.getIsAudited();
+                               
                                if (LOG.isDebugEnabled()) {
-                                       LOG.debug("User found from principal [" 
+ userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using 
[" + rangerVerifier.getClass().getName() + "], allowedFlag => [" + 
accessAllowed + "]");
+                                       LOG.debug("User found from principal [" 
+ userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using 
[" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], 
Audit Enabled:" + isAuditEnabled);
                                }
                        }
                        else {
-                               LOG.info("NULL User found from principal [" + 
user + "]: Skipping authorization;  allowedFlag => [" + accessAllowed + "]");
-                       }
-                               
-                       boolean isAuditEnabled = 
rangerVerifier.isAudited(topologyName) ;
-                       
-                       if (LOG.isDebugEnabled()) {
-                               LOG.debug("User found from principal [" + 
userName + "] and verifying using [" + rangerVerifier + "], Audit Enabled:" + 
isAuditEnabled);
-                       }
-                       
-                       if (isAuditEnabled) {
-                               
-                               AuthzAuditEvent auditEvent = new 
AuthzAuditEvent() ;
-       
-                               String sessionId = null ;
-                               String clientIp = null ;
-                               
-                               if (aRequestContext != null) {
-                                       sessionId = 
String.valueOf(aRequestContext.requestID()) ;
-                                       clientIp =  
(aRequestContext.remoteAddress() == null ? null : 
aRequestContext.remoteAddress().getHostAddress() ) ;
-                               }
-                               
-                               try {
-                                       
auditEvent.setAclEnforcer(RangerModuleName);
-                                       auditEvent.setSessionId(sessionId);
-                                       auditEvent.setResourceType("@ 
TOPOLOGY"); 
-                                       
auditEvent.setAccessType(aOperationName) ;
-                                       auditEvent.setAction(aOperationName);
-                                       auditEvent.setUser(userName);
-                                       
auditEvent.setAccessResult((short)(accessAllowed ? 1 : 0));
-                                       auditEvent.setClientIP(clientIp);
-                                       auditEvent.setClientType("Strom REST");
-                                       
auditEvent.setEventTime(StringUtil.getUTCDate());
-                                       
auditEvent.setRepositoryType(EnumRepositoryType.STORM);
-                                       
auditEvent.setRepositoryName(repositoryName) ;
-                                       auditEvent.setRequestData("");
-       
-                                       
auditEvent.setResourcePath(topologyName);
-                               
-                                       if(LOG.isDebugEnabled()) {
-                                               LOG.debug("logAuditEvent [" + 
auditEvent + "] - START");
-                                       }
-       
-                                       
AuditProviderFactory.getAuditProvider().log(auditEvent);
-       
-                                       if(LOG.isDebugEnabled()) {
-                                               LOG.debug("logAuditEvent [" + 
auditEvent + "] - END");
-                                       }
-                               }
-                               catch(Throwable t) {
-                                       LOG.error("ERROR logEvent [" + 
auditEvent + "]", t);
-                               }
-                                       
+                               LOG.info("NULL User found from principal [" + 
user + "]: Skipping authorization;  allowedFlag => [" + accessAllowed + "], 
Audit Enabled:" + isAuditEnabled);
                        }
                }
                catch(Throwable t) {
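Review bot: The `else` branch for an unresolved principal no longer leaves an audit record. The removed code built its AuthzAuditEvent outside the if/else, so a denied request with a null user was still audited when auditing was enabled; the new code only reaches the plugin (and presumably its default audit handler) inside `if (userName != null)`, leaving just an INFO log line. At minimum I would raise that line to warn and include the caller, e.g. `LOG.warn("NULL User found from principal [" + user + "] from [" + aRequestContext.remoteAddress() + "]: denying access");`. Separately, `result` is dereferenced unchecked; if isAccessAllowed() can return null, a guard such as `accessAllowed = result != null && result.getIsAllowed();` keeps the deny decision explicit instead of routing it through the catch block. permit() starts and ends outside this hunk.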
@@ -178,7 +120,7 @@ public class RangerStormAuthorizer implements IAuthorizer {
                                + " from: [" + aRequestContext.remoteAddress() 
+ "]"
                                + " user: [" + aRequestContext.principal() + 
"],"  
                                + " op:   [" + aOperationName + "],"
-                               + "topology: [" + topologyName + "] => returns 
[" + accessAllowed + "]") ;
+                               + "topology: [" + topologyName + "] => returns 
[" + accessAllowed + "], Audit Enabled:" + isAuditEnabled) ;
                        }
                }
                
@@ -192,6 +134,7 @@ public class RangerStormAuthorizer implements IAuthorizer {
 
        @Override
        public void prepare(Map aStormConfigMap) {
+               plugin.init();
        }
        
 }
