Repository: incubator-ranger Updated Branches: refs/heads/master 6f888a61f -> b3e31fadd
RANGER-404: Fix for missed audit-log in HDFS plugin when mkdir fails Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b3e31fad Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b3e31fad Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b3e31fad Branch: refs/heads/master Commit: b3e31fadd9fc35a4867d5bbbde0320ed791e0d1d Parents: 6f888a6 Author: Madhan Neethiraj <[email protected]> Authored: Thu Apr 16 16:53:10 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Apr 16 21:01:41 2015 -0700 ---------------------------------------------------------------------- .../hadoop/RangerHdfsAuthorizer.java | 52 ++++++++++++++++---- 1 file changed, 43 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b3e31fad/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java ----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 61a95d2..55d8f73 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -286,7 +286,21 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 accessGranted = true;
 } finally {
 if(auditHandler != null) {
- auditHandler.logHadoopEvent(path, access, accessGranted);
+ FsAction action = access;
+
+ if(action == null) {
+ if(parentAccess != null) {
+ action = parentAccess;
+ } else if(ancestorAccess != null) {
+ action = ancestorAccess;
+ } else if(subAccess != null) {
+ action = subAccess;
+ } else {
+ action = FsAction.NONE;
+ }
+ }
+
+ auditHandler.logHadoopEvent(path, action, accessGranted);
 }
 }
 }
@@ -436,6 +450,10 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
 @Override
 public void logAudit(RangerAccessResult result) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
+ }
+
 if(! isAuditEnabled && result.getIsAudited()) {
 isAuditEnabled = true;
 }
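Review bot: The fallback chain in the `finally` block takes the first non-null of `parentAccess`, `ancestorAccess` and `subAccess`, but the event is still logged against `path`, so an audit reader cannot tell that the recorded action was checked on a parent or ancestor rather than on `path` itself. When more than one of them is non-null only the first is recorded, which may not be the check that actually failed. A comment above the chain would make the intent explicit, e.g. `// access can be null (RANGER-404: mkdir); fall back so flushAudit() does not drop the event for an empty access type`. The enclosing method begins outside this hunk, so whether the denying check could be identified more precisely is not visible here.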
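Review bot: The debug lines added to `logAudit` concatenate `result` and `auditEvent` into the plugin log, and those added to `logHadoopEvent` and `flushAudit` in the next hunk do the same with the raw `path`. With debug enabled this copies audit fields such as the user and resource path into the application log, which may have different access control and retention from the audit store, and the client-supplied `path` is written unescaped. Consider a comment on the first guard, e.g. `// debug only: duplicates audit data (user, path) into the plugin log; path is client-supplied and not escaped`, or escape control characters in `path` before logging. The body of `logAudit` continues outside this hunk.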
@@ -457,30 +475,46 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
 auditEvent.setRepositoryType(result.getServiceType());
 auditEvent.setRepositoryName(result.getServiceName());
 auditEvent.setResultReason(resourcePath);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
+ }
 }
 public void logHadoopEvent(String path, FsAction action, boolean accessGranted) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuditHandler.logHadoopEvent(" + path + ", " + action + ", " + accessGranted + ")");
+ }
+
 auditEvent.setResultReason(path);
 auditEvent.setAccessResult((short) (accessGranted ? 1 : 0));
 auditEvent.setAccessType(action == null ? null : action.toString());
 auditEvent.setAclEnforcer(HadoopModuleName);
 auditEvent.setPolicyId(-1);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuditHandler.logHadoopEvent(" + path + ", " + action + ", " + accessGranted + "): " + auditEvent);
+ }
 }
 public void flushAudit() {
- if(! isAuditEnabled || StringUtils.isEmpty(auditEvent.getAccessType())) {
- return;
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuditHandler.flushAudit(" + isAuditEnabled + ", " + auditEvent + ")");
 }
- String username = auditEvent.getUser();
+ if(isAuditEnabled && !StringUtils.isEmpty(auditEvent.getAccessType())) {
+ String username = auditEvent.getUser();
- boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) ;
-
- if (skipLog) {
- return ;
+ boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) ;
+
+ if (! skipLog) {
+ super.logAuthzAudit(auditEvent);
+ }
 }
- super.logAuthzAudit(auditEvent);
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuditHandler.flushAudit(" + isAuditEnabled + ", " + auditEvent + ")");
+ }
 }
 }
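Review bot: `flushAudit` still drops the event silently in three cases (audit not enabled, empty access type, user in `excludeUsers`), and the new exit log does not say which case applied or whether `logAuthzAudit` was called. Since this commit is about missed audit records, logging the outcome would make gaps diagnosable, e.g. in the skip case `LOG.debug("RangerHdfsAuditHandler.flushAudit(): skipped, user in excludeUsers");`. Also, in the visible lines `isAuditEnabled` is set only in `logAudit`, so a denial that reaches `logHadoopEvent` without any audited Ranger result would presumably still not be written; it is worth confirming that this is intended.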
