Repository: incubator-ranger Updated Branches: refs/heads/master 10f5fd607 -> 931315383
RANGER-373: fixed Hive plugin audit handler to handle audits from Grant/Revoke Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/93131538 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/93131538 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/93131538 Branch: refs/heads/master Commit: 9313153838c1cdf0249c1908cf80ca45f719ade7 Parents: 10f5fd6 Author: Madhan Neethiraj <[email protected]> Authored: Mon Apr 6 09:51:09 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Apr 6 19:52:51 2015 -0700 ---------------------------------------------------------------------- .../ranger/plugin/service/RangerBasePlugin.java | 6 ++++ .../hive/authorizer/RangerHiveAuditHandler.java | 33 ++++++++++++++------ 2 files changed, 30 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/93131538/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 3b9c309..5c37c7b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -333,11 +333,17 @@ public class RangerBasePlugin { accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS); accessRequest.setAction(action); + // call isAccessAllowed() to determine if audit is enabled or not RangerAccessResult accessResult = policyEngine.isAccessAllowed(accessRequest, null); if(accessResult != null && accessResult.getIsAudited()) { + accessRequest.setAccessType(action); accessResult.setIsAllowed(isSuccess); + if(! isSuccess) { + accessResult.setPolicyId(-1); + } + auditHandler.logAudit(accessResult); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/93131538/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 4d2d40f..2cb73b8 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
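Review bot: On the success path the audit record keeps the policy id produced by the ADMIN_ACCESS evaluation even though `accessResult.setIsAllowed(isSuccess)` overwrites that evaluation's outcome; only the `! isSuccess` branch resets it with `setPolicyId(-1)`. If the local evaluation and the real grant/revoke outcome can disagree, the record would pair an allowed result with a policy id that did not decide it, so this is worth confirming as intended. The bare `-1` and the post-evaluation `accessRequest.setAccessType(action)` both need a why-comment, for example `// audit the grant/revoke action itself, not the ADMIN_ACCESS probe` and `// outcome was not decided by a policy: do not attribute it to one`. Also note that when `accessResult` is null or `getIsAudited()` is false, this method writes no audit record for the grant/revoke attempt, including a failed one. The enclosing method starts outside the hunk.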
@@ -26,12 +26,15 @@ import java.util.Iterator; import java.util.List; import java.util.Map; +import org.apache.commons.lang.StringUtils; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.ranger.audit.model.AuthzAuditEvent; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import com.google.common.collect.Lists;
@@ -47,14 +50,15 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { } AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) { - RangerHiveAccessRequest request = (RangerHiveAccessRequest)result.getAccessRequest(); - RangerHiveResource resource = (RangerHiveResource)request.getResource(); + RangerAccessRequest request = result.getAccessRequest(); + RangerAccessResource resource = request.getResource(); + String resourceType = resource != null ? resource.getLeafName(result.getServiceDef()) : null; AuthzAuditEvent auditEvent = new AuthzAuditEvent(); auditEvent.setAclEnforcer(RangerModuleName); auditEvent.setSessionId(request.getSessionId()); - auditEvent.setResourceType("@" + StringUtil.toLower(resource.getObjectType().name())); // to be consistent with earlier release - auditEvent.setAccessType(request.getHiveAccessType().toString()); + auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release + auditEvent.setAccessType(accessType); auditEvent.setAction(request.getAction()); auditEvent.setUser(request.getUser()); auditEvent.setAccessResult((short)(result.getIsAllowed() ? 1 : 0));
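Review bot: `auditEvent.setResourceType("@" + resourceType)` in the second hunk writes the literal string `@null` into the audit record whenever `resource` is null or `getLeafName()` returns null, because the new `resourceType` is null-guarded when computed but then concatenated unconditionally. Guard the concatenation as well, e.g. `auditEvent.setResourceType(resourceType != null ? "@" + resourceType : null);`, so that searches and alerts keyed on resource type do not match a fabricated value. The old code lower-cased the object type name and the retained comment still promises consistency with the earlier release; whether `getLeafName()` yields the same casing cannot be seen from this hunk and should be confirmed. `request` is dereferenced without the null check that `resource` gets, and the method body continues past the end of the hunk.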
@@ -65,17 +69,28 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { auditEvent.setRepositoryType(result.getServiceType()); auditEvent.setRepositoryName(result.getServiceName()) ; auditEvent.setRequestData(request.getRequestData()); - auditEvent.setResourcePath(resource != null ? resource.getAsString(result.getServiceDef()) : null); - + auditEvent.setResourcePath(resourcePath); + return auditEvent; } AuthzAuditEvent createAuditEvent(RangerAccessResult result) { + RangerAccessRequest request = result.getAccessRequest(); + RangerAccessResource resource = request.getResource(); + + String accessType = null; + if(request instanceof RangerHiveAccessRequest) { + RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest)request; + + accessType = hiveRequest.getHiveAccessType().toString(); + } + + if(StringUtils.isEmpty(accessType)) { + accessType = request.getAccessType(); + } - RangerHiveAccessRequest request = (RangerHiveAccessRequest)result.getAccessRequest(); - RangerHiveResource resource = (RangerHiveResource)request.getResource(); - String accessType = request.getHiveAccessType().toString(); String resourcePath = resource != null ? resource.getAsString(result.getServiceDef()) : null; + return createAuditEvent(result, accessType, resourcePath); }
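Review bot: In `createAuditEvent(RangerAccessResult result)` the call `hiveRequest.getHiveAccessType().toString()` runs before the `StringUtils.isEmpty(accessType)` fallback, so a null Hive access type would throw instead of falling back to `request.getAccessType()`. If that getter can return null, the exception would lose the very audit event the fallback was added to preserve; check it first, e.g. `if(hiveRequest.getHiveAccessType() != null) { accessType = hiveRequest.getHiveAccessType().toString(); }`. `result.getAccessRequest()` is likewise dereferenced without a null check, although `resource` is guarded further down. A short Javadoc on this overload would make the fallback's purpose clear: it should say that requests which are not `RangerHiveAccessRequest` take their access type from the generic request, presumably the Grant/Revoke audits named in the commit title.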
