Repository: incubator-ranger Updated Branches: refs/heads/master cedd97aa9 -> 4d1abc89c
RANGER-306: updated base ranger plugin to generate audit logs for grant and revoke
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4d1abc89
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4d1abc89
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4d1abc89
Branch: refs/heads/master
Commit: 4d1abc89cca52e8dad3b2f98bc722439184a29d3
Parents: cedd97a
Author: Madhan Neethiraj <[email protected]>
Authored: Wed Mar 11 19:42:27 2015 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Wed Mar 11 19:42:27 2015 -0700
----------------------------------------------------------------------
.../ranger/plugin/service/RangerBasePlugin.java | 65 ++++++++++++++++++--
.../hbase/RangerAuthorizationCoprocessor.java | 55 +++++++----------
2 files changed, 82 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d1abc89/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 77e63fa..33060e4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -33,9 +33,11 @@ import org.apache.ranger.plugin.audit.RangerAuditHandler;
 import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
+import org.apache.ranger.plugin.policyengine.RangerResourceImpl;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.PolicyRefresher;
@@ -196,25 +198,55 @@ public class RangerBasePlugin { } public void grantAccess(GrantRevokeRequest request, RangerAuditHandler auditHandler) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAdminRESTClient.grantAccess(" + request + ")"); + } + PolicyRefresher refresher = this.refresher; RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient(); + boolean isSuccess = false; - if(admin == null) { - throw new Exception("ranger-admin client is null"); + try { + if(admin == null) { + throw new Exception("ranger-admin client is null"); + } + + admin.grantAccess(request); + + isSuccess = true; + } finally { + auditGrantRevoke(request, "grant", isSuccess, auditHandler); } - admin.grantAccess(request); + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAdminRESTClient.grantAccess(" + request + ")"); + } } public void revokeAccess(GrantRevokeRequest request, RangerAuditHandler auditHandler) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + request + ")"); + } + PolicyRefresher refresher = this.refresher; RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient(); + boolean isSuccess = false; + + try { + if(admin == null) { + throw new Exception("ranger-admin client is null"); + } - if(admin == null) { - throw new Exception("ranger-admin client is null"); + admin.revokeAccess(request); + + isSuccess = true; + } finally { + auditGrantRevoke(request, "revoke", isSuccess, auditHandler); } - admin.revokeAccess(request); + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAdminRESTClient.revokeAccess(" + request + ")"); + } } 
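Review bot: `auditGrantRevoke(...)` runs inside the `finally` of both `grantAccess` and `revokeAccess`, so any exception it raises (from the policy engine call it makes or from the handler's `logAudit`) replaces the exception thrown by `admin.grantAccess`/`admin.revokeAccess` — the caller then sees an audit failure instead of the real rejection, or sees a failure for a grant that ranger-admin has already committed. I would isolate the audit step so an audit problem is logged without altering the outcome the caller observes, e.g. `try { auditGrantRevoke(request, "grant", isSuccess, auditHandler); } catch(Exception auditExcp) { LOG.error("audit of grant failed", auditExcp); }` (same for revoke); if the intent is that an unaudited grant must fail, that should be an explicit decision rather than a side effect of exception ordering. The new debug trace strings name `RangerAdminRESTClient.grantAccess`/`revokeAccess` although this code lives in `RangerBasePlugin`, which will mislead anyone following the log; use `RangerBasePlugin.grantAccess(`. The raw `throw new Exception("ranger-admin client is null")` carried over from the old code would read better as an `IllegalStateException`.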
@@ -289,4 +321,25 @@ public class RangerBasePlugin {
 }
 }
 }
+
+ private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAuditHandler auditHandler) {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(request != null && auditHandler != null && policyEngine != null) {
+ RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
+
+ accessRequest.setResource(new RangerResourceImpl(request.getResource()));
+ accessRequest.setUser(request.getGrantor());
+ accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
+ accessRequest.setAction(action);
+
+ RangerAccessResult accessResult = policyEngine.isAccessAllowed(accessRequest, null);
+
+ if(accessResult != null && accessResult.getIsAudited()) {
+ accessResult.setIsAllowed(isSuccess);
+
+ auditHandler.logAudit(accessResult);
+ }
+ }
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d1abc89/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 4e768b6..e3ad68d 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
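Review bot: `auditGrantRevoke` writes an audit event only when `accessResult.getIsAudited()` is true, i.e. when the local policy engine finds an existing policy for the resource with auditing enabled; a grant or revoke on a resource no policy yet covers — the very case a grant typically creates — or one issued while `this.policyEngine` is null produces no audit record at all, although these are privileged, policy-changing operations. The `isAccessAllowed(accessRequest, null)` call with `ADMIN_ACCESS` for the grantor serves only to obtain that flag: `accessResult.setIsAllowed(isSuccess)` then replaces the engine's decision with the REST outcome, so whether the grantor actually holds admin rights on the resource is neither enforced nor recorded in this plugin (presumably ranger-admin enforces it server-side, which this diff does not show). I would audit grant/revoke unconditionally — force the audited flag on the result if `RangerAccessResult` exposes a setter, or build the event directly — and log a warning instead of silently returning when the policy engine or audit handler is missing, with a comment such as `// isAllowed records whether ranger-admin accepted the grant/revoke, not a local policy decision`. This method is fully contained in the hunk.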
@@ -90,11 +90,12 @@ import org.apache.hadoop.hbase.security.access.TablePermission;
 import org.apache.hadoop.hbase.security.access.UserPermission;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.Pair;
-import org.apache.ranger.admin.client.RangerAdminClient;
+import org.apache.hadoop.security.AccessControlException;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.audit.RangerAuditHandler;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -881,7 +882,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 } else if (env instanceof RegionCoprocessorEnvironment) {
 regionEnv = (RegionCoprocessorEnvironment) env;
 coprocessorType = REGIONAL_COPROCESSOR_TYPE;
- appType = "hbseRegional";
+ appType = "hbaseRegional";
 }
 if (superUserList == null) {
@@ -1008,29 +1009,24 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess RangerHBasePlugin plugin = hbasePlugin; if(plugin != null) { - plugin.grantAccess(grData, _factory.getAuditHandler()); + RangerAuditHandler auditHandler = new RangerDefaultAuditHandler(); + + plugin.grantAccess(grData, auditHandler); isSuccess = true; } + } catch(AccessControlException excp) { + LOG.warn("grant() failed", excp); + + ResponseConverter.setControllerException(controller, new AccessDeniedException(excp)); } catch(IOException excp) { LOG.warn("grant() failed", excp); - + ResponseConverter.setControllerException(controller, excp); } catch (Exception excp) { LOG.warn("grant() failed", excp); - + ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage())); - } finally { -// byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables()); - - // TODO - Auditing of grant-revoke to be sorted out. -// if(accessController.isAudited(tableName)) { -// byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies()); -// byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns()); -// -// // Note: failed return from REST call will be logged as 'DENIED' -// auditEvent("grant", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess ? accessGrantedFlag : accessDeniedFlag); -// } } } 
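Review bot: When `hbasePlugin` is null the `if(plugin != null)` block is skipped without setting any exception on the controller and without any audit event, so — as far as this hunk shows — the grant RPC returns as if it had been handled while ranger-admin never received the policy change; `isSuccess` stays false, but how the response is built from it lies outside the hunk. I would make that path fail loudly, e.g. an `else` branch with `ResponseConverter.setControllerException(controller, new CoprocessorException("Ranger HBase plugin not initialized; grant not applied"));`. Separately, the generic `catch (Exception excp)` forwards only `excp.getMessage()`, which may be null and drops the cause for the client (the stack survives only in the warn log). The enclosing `grant` method begins and ends outside this hunk.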
@@ -1045,36 +1041,31 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess if(UpdateRangerPoliciesOnGrantRevoke) { GrantRevokeRequest grData = null; - + try { grData = createRevokeData(request); - + RangerHBasePlugin plugin = hbasePlugin; if(plugin != null) { - plugin.revokeAccess(grData, _factory.getAuditHandler()); + RangerAuditHandler auditHandler = new RangerDefaultAuditHandler(); + + plugin.revokeAccess(grData, auditHandler); isSuccess = true; } + } catch(AccessControlException excp) { + LOG.warn("revoke() failed", excp); + + ResponseConverter.setControllerException(controller, new AccessDeniedException(excp)); } catch(IOException excp) { LOG.warn("revoke() failed", excp); - + ResponseConverter.setControllerException(controller, excp); } catch (Exception excp) { LOG.warn("revoke() failed", excp); - + ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage())); - } finally { -// byte[] tableName = grData == null ? null : StringUtil.getBytes(grData.getTables()); - - // TODO Audit of grant revoke to be sorted out -// if(accessController.isAudited(tableName)) { -// byte[] colFamily = grData == null ? null : StringUtil.getBytes(grData.getColumnFamilies()); -// byte[] qualifier = grData == null ? null : StringUtil.getBytes(grData.getColumns()); -// -// // Note: failed return from REST call will be logged as 'DENIED' -// auditEvent("revoke", tableName, colFamily, qualifier, null, null, getActiveUser(), isSuccess ? accessGrantedFlag : accessDeniedFlag); -// } } }
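Review bot: The generic handler `ResponseConverter.setControllerException(controller, new CoprocessorException(excp.getMessage()))` discards the exception type and chain, and `getMessage()` can be null, so the client may receive an empty `CoprocessorException` for what was, say, a connection failure to ranger-admin. Since `CoprocessorException` is built from a message only, attach the cause explicitly: `CoprocessorException ce = new CoprocessorException(String.valueOf(excp)); ce.initCause(excp); ResponseConverter.setControllerException(controller, ce);`. The per-call `new RangerDefaultAuditHandler()` replaces the `_factory.getAuditHandler()` the removed line used; if the factory handler carried HBase-specific audit behaviour (not visible here), that is now lost for revoke and grant alike, so a one-line comment stating why the default handler is the right choice here would help the next reader. The enclosing `revoke` method begins and ends outside this hunk.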
