Repository: incubator-ranger Updated Branches: refs/heads/stack 89f7103cc -> aa7edc1e9
RANGER-232 Knox plugin: Removed stale files, moved files out of impl/pdp into knox project Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/aa7edc1e Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/aa7edc1e Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/aa7edc1e Branch: refs/heads/stack Commit: aa7edc1e99d19934b9918487db8c399c23692459 Parents: 89f7103 Author: Alok Lal <[email protected]> Authored: Wed Feb 11 18:45:00 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Feb 11 19:11:32 2015 -0800 ---------------------------------------------------------------------- .../.settings/org.eclipse.core.resources.prefs | 2 - .../apache/ranger/pdp/knox/URLBasedAuthDB.java | 452 --------- .../RangerPDPKnoxDeploymentContributor.java | 73 -- ...gateway.deploy.ProviderDeploymentContributor | 18 - .../ranger/pdp/knox/URLBasedAuthDBTest.java | 956 ------------------- .../.settings/org.eclipse.core.resources.prefs | 1 + ...gateway.deploy.ProviderDeploymentContributor | 18 + .../RangerPDPKnoxDeploymentContributor.java | 73 ++ 8 files changed, 92 insertions(+), 1501 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/agents-impl/.settings/org.eclipse.core.resources.prefs
----------------------------------------------------------------------
diff --git a/agents-impl/.settings/org.eclipse.core.resources.prefs b/agents-impl/.settings/org.eclipse.core.resources.prefs
index 839d647..e9441bb 100644
--- a/agents-impl/.settings/org.eclipse.core.resources.prefs
+++ b/agents-impl/.settings/org.eclipse.core.resources.prefs
@@ -1,5 +1,3 @@
 eclipse.preferences.version=1
 encoding//src/main/java=UTF-8
-encoding//src/main/resources=UTF-8
-encoding//src/test/java=UTF-8
 encoding/<project>=UTF-8
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/agents-impl/src/main/java/org/apache/ranger/pdp/knox/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/knox/URLBasedAuthDB.java b/agents-impl/src/main/java/org/apache/ranger/pdp/knox/URLBasedAuthDB.java
deleted file mode 100644
index d5aa16e..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/knox/URLBasedAuthDB.java
+++ /dev/null
@@ -1,452 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.ranger.pdp.knox; - -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Set; - -import org.apache.commons.io.FilenameUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.pdp.config.Jersey2PolicyRefresher; -import org.apache.ranger.pdp.config.PolicyChangeListener; -import org.apache.ranger.pdp.constants.RangerConstants; -import org.apache.ranger.pdp.model.Policy; -import org.apache.ranger.pdp.model.PolicyContainer; -import org.apache.ranger.pdp.model.RolePermission; - -public class URLBasedAuthDB implements PolicyChangeListener { - - private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ; - - private static URLBasedAuthDB me = null; - - private Jersey2PolicyRefresher refresher = null ; - - private PolicyContainer policyContainer = null; - - private HashMap<String,Boolean> cachedAuditFlag = new HashMap<String,Boolean>() ; // needs to be cleaned when ruleList changes - - public static URLBasedAuthDB getInstance() { - if (me == 
null) { - synchronized (URLBasedAuthDB.class) { - URLBasedAuthDB temp = me; - if (temp == null) { - me = new URLBasedAuthDB(); - me.init() ; - } - } - } - return me; - } - - public static URLBasedAuthDB getInstanceWithBackEndMocked() { - return new URLBasedAuthDB("instanceWithBackednMocked"); - } - - private URLBasedAuthDB() { - String url = RangerConfiguration.getInstance().get(RangerConstants.RANGER_KNOX_POLICYMGR_URL_PROP); - long refreshInMilli = RangerConfiguration.getInstance().getLong( - RangerConstants.RANGER_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP , - RangerConstants.RANGER_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT); - String sslConfigFileName = RangerConfiguration.getInstance().get(RangerConstants.RANGER_KNOX_POLICYMGR_SSL_CONFIG_FILE_PROP) ; - - String lastStoredFileName = RangerConfiguration.getInstance().get(RangerConstants.RANGER_KNOX_LAST_SAVED_POLICY_FILE_PROP) ; - - refresher = new Jersey2PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ; - - String saveAsFileName = RangerConfiguration.getInstance().get(RangerConstants.RANGER_KNOX_POLICYMGR_URL_SAVE_FILE_PROP) ; - if (saveAsFileName != null) { - refresher.setSaveAsFileName(saveAsFileName) ; - } - - if (lastStoredFileName != null) { - refresher.setLastStoredFileName(lastStoredFileName); - } - } - - private URLBasedAuthDB(String mockName) { - } - - private void init() { - refresher.setPolicyChangeListener(this); - } - - - @Override - public void OnPolicyChange(PolicyContainer aPolicyContainer) { - setPolicyContainer(aPolicyContainer); - } - - - public boolean isAccessGranted(String topology, String service, String access, String userName, Set<String> groups, - String requestIp) { - - boolean accessGranted = false; - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating access for topology: " + topology + - ", service: " + service + - ", access: " + access + - ", requestingIp: " +requestIp + - ", requestingUser: " + userName + - ", requestingUserGroups: " 
+ groups); - } - PolicyContainer policyContainer = getPolicyContainer() ; - - if (policyContainer == null) { - LOG.warn("Denying access: policyContainer is null") ; - return false ; - } - - for(Policy policy : policyContainer.getAcl()) { - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating policy: " + policy.toString() ) ; - } - - if (!policy.isEnabled()) { - if (LOG.isDebugEnabled()) { - LOG.debug("Skipping policy: " + policy + ", policy disabled") ; - } - continue; // jump to next policy - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating topology match for policyTopologyList: " + policy.getTopologyList() + - ", requestTopology: " + topology) ; - } - - boolean topologyMatched = false; - - List<String> topologyList = policy.getTopologyList(); - if (topologyList == null || topologyList.isEmpty()) { - LOG.debug("Denying access: policy topologyList is empty") ; - continue; // jump to next policy - } - - if (topologyList.contains("*") || topologyList.contains(topology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - } - - if (!topologyMatched) { - for (String policyTopology : topologyList) { - if (FilenameUtils.wildcardMatch(topology, policyTopology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - break; // break out of topologyList - } - } - } - if (!topologyMatched) { - LOG.debug("Denying access: policy topologyList does not match requested topology") ; - continue; // jump to next policy - } else { - LOG.debug("policy topologyList matches requested topology"); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating service match for policyServiceList: " + policy.getServiceList() + - ", requestService: " + service) ; - } - - boolean serviceMatched = false; - - List<String> serviceList = policy.getServiceList(); - if (serviceList == null || serviceList.isEmpty()) { - LOG.debug("Denying access: policy serviceList is empty") ; - continue; // jump to next policy - } 
- - if (serviceList.contains("*") || serviceList.contains(service)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - } - - if (!serviceMatched) { - for (String policyService : serviceList) { - if (FilenameUtils.wildcardMatch(service, policyService)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - break; // break out of serviceList - } - } - } - if (!serviceMatched) { - LOG.debug("Denying access: policy serviceList does not match requested service") ; - continue; // jump to next policy - } else { - LOG.debug("Policy serviceList matches requested service"); - } - - LOG.debug("Checking accessType, IP, User, Group based permission"); - if ( policy.getPermissions() == null - || policy.getPermissions().isEmpty()) { - LOG.debug("Policy not applicable, no user or group based permission"); - } - - for (RolePermission rp : policy.getPermissions()) { - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating RolePermission: " + rp); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Checking accessTypeMatch for rolePermissionAccesType: " - + rp.getAccess() + ", requestAccessType: " + access); - } - - if (rp.getAccess().contains(access)) { - - LOG.debug("RolePermission accessType matches request accessType"); - - boolean ipMatched = false; - List<String> ipList = rp.getIpAddress(); - if (LOG.isDebugEnabled()) { - LOG.debug("Checking ipMatch for rolePermissionIpList: " + ipList + - ", requestIP: " + requestIp); - } - - if (ipList == null || ipList.isEmpty()) { - LOG.debug("RolePermission does not require IP Matching"); - ipMatched = true; - } else if ( ipList.contains("*") ) { - LOG.debug("RolePermission allows any IP: *"); - ipMatched = true; - } else { - for (String ip : ipList) { - if (ipMatches(ip, requestIp)) { - LOG.debug("RolePermission IP matches request IP"); - ipMatched = true; - break;// break out of ipList - } - } - } - - if (!ipMatched) { - // ip not matched, jump to next RolePermission 
check - LOG.debug("Request IP does not match RolePermission"); - continue; // jump to next rolePermission - } else { - LOG.debug("Request IP matches RolePermission"); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Checking userMatch for rolePermissionUsers: " - + rp.getUsers() + ", requestUser: " + userName); - } - - if ( rp.getUsers() != null && rp.getUsers().contains(userName) ) { - LOG.debug("Request user matches RolePermission"); - return true ; - } - LOG.debug("RolePermission does not permit request by request user, would check by groups"); - - if (LOG.isDebugEnabled()) { - LOG.debug("Checking groupMatch for rolePermissionGroups: " - + rp.getGroups() + ", requestGroups: " + groups); - } - - for(String ug : groups) { - if ( rp.getGroups() != null && rp.getGroups().contains(ug)) { - LOG.debug("Request userGroups matches RolePermission"); - return true ; - } - } - LOG.debug("RolePermission does not permit request by request user groups"); - - if (rp.getGroups().contains(RangerConstants.PUBLIC_ACCESS_ROLE)) { - LOG.debug("RolePermission applies to public group"); - return true ; - } - - LOG.debug("RolePermission does not permit by users, groups or public group"); - } else { - LOG.debug("rolePermissionAccessType does not match requestAccessType"); - } - } - } - LOG.debug("No matching policy permission found, denying access"); - return accessGranted; - } - - public boolean isAuditEnabled(String topology, String service) { - - boolean auditEnabled = false; - - if (LOG.isDebugEnabled()) { - LOG.debug("Checcking whether audit is enabled for topology: " + topology + - ", service: " + service ); - } - - PolicyContainer policyContainer = getPolicyContainer() ; - if (policyContainer == null) { - LOG.warn("PolicyContainer is null") ; - return false ; - } - - for(Policy policy : policyContainer.getAcl()) { - - if (LOG.isDebugEnabled()) { - LOG.debug("Evaluating policy: " + policy) ; - } - - if (!policy.isEnabled()) { - if (LOG.isDebugEnabled()) { - LOG.debug("Skipping 
policy: " + policy + ", policy disabled") ; - } - continue; // jump to next policy - } - - if (policy.getAuditInd() == 0) { - if (LOG.isDebugEnabled()) { - LOG.debug("Skipping policy: " + policy + ", policy audit disabled") ; - } - continue; // jump to next policy - } - - boolean topologyMatched = false; - - List<String> topologyList = policy.getTopologyList(); - if (topologyList == null || topologyList.isEmpty()) { - LOG.debug("Policy not applicable: policy topologyList is empty") ; - continue; // jump to next policy - } - - if (topologyList.contains("*") || topologyList.contains(topology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - } - - if (!topologyMatched) { - for (String policyTopology : topologyList) { - if (FilenameUtils.wildcardMatch(topology, policyTopology)) { - topologyMatched = true; - LOG.debug("Policy topologyList matches requested topology"); - break; // break out of topologyList check - } - } - } - if (!topologyMatched) { - LOG.debug("Policy not applicable: polocy topologyList does not match requested topology") ; - continue; // jump to next policy - } else { - LOG.debug("Policy topologyList matches requested topology"); - } - - boolean serviceMatched = false; - - List<String> serviceList = policy.getServiceList(); - if (serviceList == null || serviceList.isEmpty()) { - LOG.debug("Policy not applicable: serviceList is empty") ; - continue; // jump to next policy - } - - if (serviceList.contains("*") || serviceList.contains(service)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - } - - if (!serviceMatched) { - for (String policyService : serviceList) { - if (FilenameUtils.wildcardMatch(service, policyService)) { - serviceMatched = true; - LOG.debug("Policy serviceList matches requested service"); - break; // break out of serviceList check - } - } - } - if (!serviceMatched) { - LOG.debug("Policy not applicable: policy serviceList does not match requested 
service") ; - continue; // jump to next policy - } else { - LOG.debug("Policy serviceList matches requested service"); - } - auditEnabled = true;; - break; // break out of policyList check - } - return auditEnabled; - } - - public PolicyContainer getPolicyContainer() { - return policyContainer; - } - - - synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) { - - for(Policy p : aPolicyContainer.getAcl()) { - for(RolePermission rp : p.getPermissions()) { - // lowercase accesType value stings - List<String> rpaccess = rp.getAccess() ; - if (rpaccess != null && rpaccess.size() > 0) { - List<String> temp = new ArrayList<String>() ; - for(String s : rpaccess) { - temp.add(s.toLowerCase()) ; - } - rp.setAccess(temp); - } - } - } - - this.policyContainer = aPolicyContainer ; - this.cachedAuditFlag.clear(); - } - - - private boolean ipMatches(String policyIp, String requestIp) { - if (policyIp == null) { - return false; - } - policyIp = policyIp.trim(); - if (policyIp.isEmpty()) { - return false; - } - boolean ipMatched = false; - boolean wildEnd = false; - if (policyIp.contains(".")) { - while (policyIp.endsWith(".*")) { - wildEnd = true; - policyIp = policyIp.substring(0, policyIp.lastIndexOf(".*")); - } - if (wildEnd) { - policyIp = policyIp + "."; - } - } else if (policyIp.contains(":")) { - while (policyIp.endsWith(":*")) { - wildEnd = true; - policyIp = policyIp.substring(0, policyIp.lastIndexOf(":*")); - } - if (wildEnd) { - policyIp = policyIp + ":"; - } - } - if (wildEnd && requestIp.toLowerCase().startsWith(policyIp.toLowerCase())) { - ipMatched = true; - } else if (policyIp.equalsIgnoreCase(requestIp)) { - ipMatched = true; - } - return ipMatched; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/agents-impl/src/main/java/org/apache/ranger/pdp/knox/deploy/RangerPDPKnoxDeploymentContributor.java ---------------------------------------------------------------------- 
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/knox/deploy/RangerPDPKnoxDeploymentContributor.java b/agents-impl/src/main/java/org/apache/ranger/pdp/knox/deploy/RangerPDPKnoxDeploymentContributor.java
deleted file mode 100644
index a5286f1..0000000
--- a/agents-impl/src/main/java/org/apache/ranger/pdp/knox/deploy/RangerPDPKnoxDeploymentContributor.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ranger.pdp.knox.deploy;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class RangerPDPKnoxDeploymentContributor extends ProviderDeploymentContributorBase {
-
- private static final String FILTER_CLASSNAME = "org.apache.ranger.authorization.knox.RangerPDPKnoxFilter";
-
- @Override
- public String getRole() {
- return "authorization";
- }
-
- @Override
- public String getName() {
- return "XASecurePDPKnox";
- }
-
- @Override
- public void initializeContribution(DeploymentContext context) {
- super.initializeContribution(context);
- }
-
- @Override
- public void contributeProvider( DeploymentContext context, Provider provider ) {
- }
-
- @Override
- public void contributeFilter( DeploymentContext context, Provider provider, Service service,
- ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
- if (params == null) {
- params = new ArrayList<FilterParamDescriptor>();
- }
- // add resource role to params so that we can determine the acls to enforce at runtime
- params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
-
- // blindly add all the provider params as filter init params
- // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
- Map<String, String> providerParams = provider.getParams();
- for(Entry<String, String> entry : providerParams.entrySet()) {
- params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
- }
-
- resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/agents-impl/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/agents-impl/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
deleted file mode 100644
index 6db0bdc..0000000
--- a/agents-impl/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ /dev/null
@@ -1,18 +0,0 @@
-##########################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##########################################################################
-org.apache.ranger.pdp.knox.deploy.RangerPDPKnoxDeploymentContributor
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java
deleted file mode 100644
index 3e0724d..0000000
--- a/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java
+++ /dev/null
@@ -1,956 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.ranger.pdp.knox; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import org.apache.ranger.pdp.knox.URLBasedAuthDB; -import org.apache.ranger.pdp.model.Policy; -import org.apache.ranger.pdp.model.PolicyContainer; -import org.apache.ranger.pdp.model.RolePermission; -import org.junit.Assert; -import org.junit.Test; - -public class URLBasedAuthDBTest { - - @Test - public void testPolicyEnabled() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testPolicyEnabled allowed: " + allowed); - Assert.assertTrue("Access denied while policy is enabled", allowed); - } - - @Test - public void testPolicyNotEnabled() { - URLBasedAuthDB pdp = 
URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - false, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testPolicyNotEnabled allowed: " + allowed); - Assert.assertFalse("Access allowed while policy is disabled", allowed); - } - - @Test - public void testPolicyEnabledAuditOnTmSm() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOnTmSm: " + auditEnabled); - Assert.assertTrue("Audit not ebabled while policy is matched", auditEnabled); - } - - @Test - public void testPolicyEnabledAuditOnTnmSm() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "yxa", - "WEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOnTnmSm auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with a non matching topology", auditEnabled); - } - - @Test - public void testPolicyEnabledAuditOnTmSnm() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - 
"WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "yWEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOnTmSnm auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with a non matching service", auditEnabled); - } - - @Test - public void testPolicyEnabledAuditOff() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - false); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOff auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with policy disabling audit", auditEnabled); - } - - @Test - public void testPolicyNotEnabledAuditOn() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - false, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyNotEnabledAuditOn auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with policy not enabled", auditEnabled); - } - - @Test - public void testPolicyNotEnabledAuditOff() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - false, // policyEnabled - true); // auditEnabled - 
pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyNotEnabledAuditOff auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with policy not enabled and audit off", auditEnabled); - } - - @Test - public void testSimpleTopologyAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleTopologyAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for a simple allow policy", allowed); - - } - - @Test - public void testSimpleTopologyAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "ya", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleTopologyAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allwed for a simple deny policy", allowed); - - } - - @Test - public void testWildTopologyAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "x*", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildTopologyAccessAllowed 
allowed: " + allowed); - Assert.assertTrue("Access denied for a matching wild topology policy", allowed); - - } - - @Test - public void testWildTopologyAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "x*", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "ya", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildTopologyAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for non matching wild topology policy", allowed); - - } - - @Test - public void testSimpleServiceAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleServiceAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for a policy matching service", allowed); - - } - - @Test - public void testSimpleServiceAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "yWEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleServiceAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a policy with no matching service", allowed); - - } - - @Test - public void 
testWildServiceAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEB*", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildServiceAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for policy with matching wild service", allowed); - - } - - @Test - public void testWildServiceAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEB*", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "yWEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildServiceAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a policy with a non matching wild service", allowed); - - } - - @Test - public void testAccessTypeAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testAccessTypeAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for a policy with matching accessTyoe", allowed); - - } - - @Test - public void testAccessTypeAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( 
- "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "yallow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testAccessTypeAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching accessType", allowed); - - } - - @Test - public void testUserAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testUserAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for matching user", allowed); - - } - - @Test - public void testUserAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("yguest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "yallow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testUserAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching user", allowed); - - } - - @Test - public void testGroupAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - null, - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "sam", - asSet("sales"), - 
"127.127.127.127"); - System.out.println("testGroupAccessAllowe allowed: " + allowed); - Assert.assertTrue("Access denied for a matching user group", allowed); - - } - - @Test - public void testGroupAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - null, - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "yallow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testGroupAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching user group", allowed); - - } - - - - @Test - public void testSimpleIP4Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.135")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.134.135"); - System.out.println("testSimpleIP4Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a matching IP4 request ip", allowed); - - } - - @Test - public void testSimpleIP4Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.135")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.134.136"); - System.out.println("testSimpleIP4Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching IP4 request ip", allowed); - - } - - @Test - public void 
testWildIP4Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.134.135"); - System.out.println("testWildIP4Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wild IP4", allowed); - - } - - @Test - public void testWildIP4Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.234.136"); - System.out.println("testWildIP4Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wild IP4", allowed); - - } - - @Test - public void testWilderIP4Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.*.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.234.235"); - System.out.println("testWilderIP4Allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wilder IP4", allowed); - - } - - @Test - public void testWilderIP4Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - 
"WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.*.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.233.234.136"); - System.out.println("testWilderIP4Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wilder IP4", allowed); - - } - - @Test - public void testWildIP6Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:134:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:134:135"); - System.out.println("testWildIP6Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wild IP6", allowed); - - } - - @Test - public void testWildIP6AllowedMixedCase() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:Db8:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:dB8:135"); - System.out.println("testWildIP6AllowedMixedCase: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wild IP6 with mixed case", allowed); - - } - - @Test - public void testWildIP6Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:134:*")); - pdp.setPolicyContainer(policyContainer); - - 
- boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:234:136"); - System.out.println("testWildIP6Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wild IP6", allowed); - - } - - @Test - public void testWilderIP6Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:*:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:234:235"); - System.out.println("testWilderIP6Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wilder IP6", allowed); - - } - - @Test - public void testWilderIP6Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:*:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:233:234:136"); - System.out.println("testWilderIP6Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wilder IP6", allowed); - - } - - private static PolicyContainer buildPolicyContainer(String topologies, - String services, List<String> accessTypes, List<String> users, - List<String> groups, List<String> ipAddresses) { - return buildPolicyContainer( topologies, services, accessTypes, - users, groups, ipAddresses, true, true); - - } - - private static PolicyContainer buildPolicyContainer(String topologies, - String services, List<String> accessTypes, List<String> users, - List<String> groups, List<String> 
ipAddresses, - boolean policyEnabled, boolean auditEnabled) { - - PolicyContainer policyContainer = new PolicyContainer(); - policyContainer.setRepositoryName("knoxdev"); - - List<Policy> policies = new ArrayList<Policy>(); - - Policy policy = new Policy(); - policy.setTopologies(topologies); - policy.setServices(services); - policy.setPolicyStatus(policyEnabled ? "Enabled" : "NotEnabled"); - policy.setAuditInd(auditEnabled ? 1 : 0); - - List<RolePermission> rolePermissions = new ArrayList<RolePermission>(); - - RolePermission rolePermission = new RolePermission(); - - rolePermissions.add(rolePermission); - rolePermission.setAccess(accessTypes); - rolePermission.setUsers(users); - rolePermission.setGroups(groups); - rolePermission.setIpAddress(ipAddresses); - - policy.setPermissions(rolePermissions); - - policies.add(policy); - - policyContainer.setAcl(policies); - - return policyContainer; - } - - private static Set<String> asSet(String... a) { - Set<String> vals = new HashSet<String>(); - for (String s : a) { - vals.add(s); - } - return vals; - } - - private static List<String> asList(String... a) { - List<String> vals = new ArrayList<String>(); - for (String s : a) { - vals.add(s); - } - return vals; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/knox-agent/.settings/org.eclipse.core.resources.prefs ---------------------------------------------------------------------- diff --git a/knox-agent/.settings/org.eclipse.core.resources.prefs b/knox-agent/.settings/org.eclipse.core.resources.prefs index e9441bb..d4a56c4 100644 --- a/knox-agent/.settings/org.eclipse.core.resources.prefs +++ b/knox-agent/.settings/org.eclipse.core.resources.prefs 
@@ -1,3 +1,4 @@
 eclipse.preferences.version=1
 encoding//src/main/java=UTF-8
 encoding/<project>=UTF-8
+encoding/resources=UTF-8
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/knox-agent/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/knox-agent/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/knox-agent/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..c0c4576
--- /dev/null
+++ b/knox-agent/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,18 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+org.apache.ranger.authorization.knox.deploy.RangerPDPKnoxDeploymentContributor
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/aa7edc1e/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
new file mode 100644
index 0000000..6272f4a
--- /dev/null
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ranger.authorization.knox.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class RangerPDPKnoxDeploymentContributor extends ProviderDeploymentContributorBase {
+
+ private static final String FILTER_CLASSNAME = "org.apache.ranger.authorization.knox.RangerPDPKnoxFilter";
+
+ @Override
+ public String getRole() {
+ return "authorization";
+ }
+
+ @Override
+ public String getName() {
+ return "XASecurePDPKnox";
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeProvider( DeploymentContext context, Provider provider ) {
+ }
+
+ @Override
+ public void contributeFilter( DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ // add resource role to params so that we can determine the acls to enforce at runtime
+ params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
+
+ // blindly add all the provider params as filter init params
+ // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
+ Map<String, String> providerParams = provider.getParams();
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+ }
+
+ resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+ }
+}
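Review bot: `entry.getKey().toLowerCase()` in contributeFilter lowercases with the JVM default locale, so a provider param name such as `NAMENODE-ACLS` is transformed differently on a gateway running under a locale with special casing rules and the filter would then look up an ACL key that does not exist; use `entry.getKey().toLowerCase(Locale.ROOT)` and add `import java.util.Locale;`. The loop also dereferences `provider.getParams()` without a null check; if the topology model can hand back a null map for a provider declared without params (not verifiable from this hunk), guard it with `if (providerParams != null) { ... }` so deployment fails on a real configuration error rather than an NPE. Because every provider param is copied verbatim into the filter's init params, a class-level Javadoc stating that the topology's provider params are expected to hold the `<resource.role>-ACLS` entries the filter enforces, and that anything else placed there is exposed to the filter too, would help operators; the empty `contributeProvider` and the `initializeContribution` override that only delegates to super also warrant a one-line comment on why they exist.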
