Repository: incubator-ranger Updated Branches: refs/heads/master 214f51eff -> 20baa3f88
RANGER-426 : Fix Ranger KMS policy not matching the right resource name Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/20baa3f8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/20baa3f8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/20baa3f8 Branch: refs/heads/master Commit: 20baa3f8886defa60411d30152977428b4de8b5f Parents: 214f51e Author: Gautam Borad <[email protected]> Authored: Fri Apr 24 17:20:06 2015 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Fri Apr 24 13:45:23 2015 -0400 ---------------------------------------------------------------------- .../service-defs/ranger-servicedef-kms.json | 4 +- .../kms/authorizer/RangerKmsAuthorizer.java | 55 ++++-- .../ranger/services/kms/client/KMSClient.java | 175 +++++++++---------- security-admin/scripts/db_setup.py | 2 +- .../main/webapp/scripts/views/kms/KmsKeyForm.js | 1 - 5 files changed, 127 insertions(+), 110 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json ---------------------------------------------------------------------- diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json index f4174d8..e0a723b 100755 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json +++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json 
@@ -9,9 +9,9 @@ "name": "keyname", "type": "string", "level": 1, - "mandatory": false, + "mandatory": true, "lookupSupported": true, - "recursiveSupported": true, + "recursiveSupported": false, "label": "Key Name", "description": "Key Name" } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java index d945201..1ba462a 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java +++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java @@ -1,4 +1,3 @@ - /* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file @@ -46,6 +45,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.service.RangerBasePlugin; +import org.mortbay.log.Log; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -153,7 +153,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { } if(plugin != null && ret) { - RangerKMSAccessRequest request = new RangerKMSAccessRequest(rangerAccessType, ugi); + RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi); RangerAccessResult result = plugin.isAccessAllowed(request); ret = result == null ? false : result.getIsAllowed(); } 
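Review bot: The added `import org.mortbay.log.Log;` pulls Jetty 6's internal logging class into the authorizer, yet no hunk in this commit references `Log` — the new code logs through the existing SLF4J `LOG`. An unused import of a container-internal package couples the KMS plugin to whatever Jetty happens to be on the classpath and fails compilation when it is absent; it should be dropped. If it is in fact used further down the file, outside these hunks, that call should be switched to `LOG` so the class keeps a single logging facade.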
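Review bot: The two-argument `hasAccess` now builds its request with `""` as the key name, which is exactly what the new three-argument overload does with an explicit name, so it should delegate, `return hasAccess(type, ugi, "");`, rather than keep a second copy of the blacklist check and plugin call. With `keyname` now `mandatory` in the service definition, that empty resource value is what every key-less operation is evaluated against; it is worth confirming against the policy engine that `""` is matched the way the policies intend (for instance by a `*` policy) rather than silently denied, since that behaviour is not visible here. The enclosing method starts before this hunk.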
@@ -164,18 +164,49 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { return ret; } + + public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")"); + } + + boolean ret = false; + RangerKMSPlugin plugin = kmsPlugin; + String rangerAccessType = getRangerAccessType(type); + AccessControlList blacklist = blacklistedAcls.get(type); + ret = (blacklist == null) || !blacklist.isUserInList(ugi); + if(!ret){ + LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName()); + } + + if(plugin != null && ret) { + RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi); + RangerAccessResult result = plugin.isAccessAllowed(request); + ret = result == null ? false : result.getIsAllowed(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+ "): " + ret); + } + + return ret; + } @Override public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key) throws AccessControlException { - if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) { - KMSWebApp.getUnauthorizedCallsMeter().mark(); - KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key); - throw new AuthorizationException(String.format( - (key != null) ? UNAUTHORIZED_MSG_WITH_KEY + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key + ", " + ugi +", " + aclType + ")"); + } + key = (key == null)?"":key; + if (!hasAccess(aclType, ugi, key)) { + KMSWebApp.getUnauthorizedCallsMeter().mark(); + KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key); + throw new AuthorizationException(String.format( + (key != null) ? UNAUTHORIZED_MSG_WITH_KEY : UNAUTHORIZED_MSG_WITHOUT_KEY, - ugi.getShortUserName(), operation, key)); - } + ugi.getShortUserName(), operation, key)); + } } @Override 
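Review bot: In `assertAccess`, `key = (key == null)?"":key;` makes the later `(key != null) ? UNAUTHORIZED_MSG_WITH_KEY : UNAUTHORIZED_MSG_WITHOUT_KEY` always choose the with-key message, so key-less operations now produce a message formatted with an empty key, and `KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key)` receives `""` where it previously received `null`; whether the audit log treats those differently cannot be seen from this diff. Keep the caller's `key` for the audit record and the message and normalize only for the policy lookup: drop the reassignment and write `if (!hasAccess(aclType, ugi, key == null ? "" : key)) {`. In the new three-argument `hasAccess`, `LOG.debug("Operation "+rangerAccessType+" blocked ...")` is the one debug call not behind `LOG.isDebugEnabled()`, and the exit trace names `RangerkmsAuthorizer` while the entry trace names `RangerKmsAuthorizer`; both are worth aligning with the surrounding code.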
@@ -300,13 +331,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { } class RangerKMSAccessRequest extends RangerAccessRequestImpl { - public RangerKMSAccessRequest(String accessType, UserGroupInformation ugi) { - super.setResource(new RangerKMSResource("kms")); + public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi) { + super.setResource(new RangerKMSResource(keyName)); super.setAccessType(accessType); super.setUser(ugi.getShortUserName()); super.setUserGroups(Sets.newHashSet(ugi.getGroupNames())); super.setAccessTime(StringUtil.getUTCDate()); - super.setClientIPAddress(getRemoteIp()); + super.setClientIPAddress(getRemoteIp()); super.setAction(accessType); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java index 6c69196..60e9bd3 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java +++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java @@ -23,8 +23,6 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import java.util.concurrent.Callable; -import java.util.concurrent.TimeUnit; import java.util.regex.Pattern; import org.apache.log4j.Logger; 
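Review bot: `RangerKMSAccessRequest` now forwards `keyName` straight into `new RangerKMSResource(keyName)` with no null guard, so the `""` normalization done in `assertAccess` is the only thing standing between a null key and whatever `RangerKMSResource` does with it; that class is not in this diff, so its tolerance of null is an assumption. Since this constructor is the single point through which every KMS authorization request passes, normalizing here as well, `super.setResource(new RangerKMSResource(keyName == null ? "" : keyName));`, keeps the resource well-formed whichever `hasAccess` overload built the request. The inner class continues past the end of this hunk.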
@@ -72,93 +70,87 @@ public class KMSClient { LOG.debug("Getting Kms Key list for keyNameMatching : " + keyNameMatching); } final String errMsg = errMessage; - - Callable<List<String>> kmsKeyListGetter = new Callable<List<String>>() { - @Override - public List<String> call() { - - List<String> lret = new ArrayList<String>(); - String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(Pattern.quote("${userName}"), username); - String uri = provider + (provider.endsWith("/") ? keyLists : ("/" + keyLists)); - - Client client = null ; - ClientResponse response = null ; + List<String> lret = new ArrayList<String>(); + String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(Pattern.quote("${userName}"), username); + String uri = provider + (provider.endsWith("/") ? keyLists : ("/" + keyLists)); + Client client = null ; + ClientResponse response = null ; - try { - client = Client.create() ; - - WebResource webResource = client.resource(uri); - - response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); - - if (LOG.isDebugEnabled()) { - LOG.debug("getKeyList():calling " + uri); - } - - if (response != null) { - if (LOG.isDebugEnabled()) { - LOG.debug("getKeyList():response.getStatus()= " + response.getStatus()); - } - if (response.getStatus() == 200) { - String jsonString = response.getEntity(String.class); - Gson gson = new GsonBuilder().setPrettyPrinting().create(); - @SuppressWarnings("unchecked") - List<String> keys = gson.fromJson(jsonString, List.class) ; - if (keys != null) { - for ( String key : keys) { - if ( existingKeyList != null && existingKeyList.contains(key)) { - continue; - } - if (keyNameMatching == null || keyNameMatching.isEmpty() || key.startsWith(keyNameMatching)) { - if (LOG.isDebugEnabled()) { - LOG.debug("getKeyList():Adding kmsKey " + key); - } - lret.add(key) ; - } + try { + client = Client.create() ; + + WebResource webResource = client.resource(uri); + + response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); + + if 
(LOG.isDebugEnabled()) { + LOG.debug("getKeyList():calling " + uri); + } + + if (response != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("getKeyList():response.getStatus()= " + response.getStatus()); + } + if (response.getStatus() == 200) { + String jsonString = response.getEntity(String.class); + Gson gson = new GsonBuilder().setPrettyPrinting().create(); + @SuppressWarnings("unchecked") + List<String> keys = gson.fromJson(jsonString, List.class) ; + if (keys != null) { + for ( String key : keys) { + if ( existingKeyList != null && existingKeyList.contains(key)) { + continue; + } + if (keyNameMatching == null || keyNameMatching.isEmpty() || key.startsWith(keyNameMatching)) { + if (LOG.isDebugEnabled()) { + LOG.debug("getKeyList():Adding kmsKey " + key); + } + lret.add(key) ; } - } - }else if (response.getStatus() == 401) { - LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); - return lret; - }else if (response.getStatus() == 403) { - LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); - return lret; - }else { - LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); - String jsonString = response.getEntity(String.class); - LOG.info(jsonString); - lret = null; - } - }else { - String msgDesc = "Unable to get a valid response for " - + "expected mime type : [" + EXPECTED_MIME_TYPE - + "] URL : " + uri + " - got null response."; - LOG.error(msgDesc); - HadoopException hdpException = new HadoopException(msgDesc); - hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null); - throw hdpException; - } - } catch (HadoopException he) { - throw he; - }catch (Throwable t) { - String msgDesc = "Exception while getting Kms Key List. 
URL : " + uri; - HadoopException hdpException = new HadoopException(msgDesc, t); - LOG.error(msgDesc, t); - hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null); - throw hdpException; - } finally { - if (response != null) { - response.close(); - } - - if (client != null) { - client.destroy(); - } + } + } + }else if (response.getStatus() == 401) { + LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); + return lret; + }else if (response.getStatus() == 403) { + LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); + return lret; + }else { + LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); + String jsonString = response.getEntity(String.class); + LOG.info(jsonString); + lret = null; } - return lret ; + }else { + String msgDesc = "Unable to get a valid response for " + + "expected mime type : [" + EXPECTED_MIME_TYPE + + "] URL : " + uri + " - got null response."; + LOG.error(msgDesc); + HadoopException hdpException = new HadoopException(msgDesc); + hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null); + lret = null; + throw hdpException; + } + } catch (HadoopException he) { + lret = null; + throw he; + }catch (Throwable t) { + String msgDesc = "Exception while getting Kms Key List. URL : " + uri; + HadoopException hdpException = new HadoopException(msgDesc, t); + LOG.error(msgDesc, t); + hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null); + lret = null; + throw hdpException; + } finally { + if (response != null) { + response.close(); } - } ; - return null; + + if (client != null) { + client.destroy(); + } + } + return lret ; } public static HashMap<String, Object> testConnection(String serviceName, Map<String, String> configs) { 
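Review bot: The 401 and 403 branches log `"so returning null list"` but execute `return lret;`, which is an empty, non-null list, and `testConnection` later in this diff sets `connectivityStatus = true` whenever the result is non-null — so a KMS that rejects the lookup user's credentials still reports `TestConnection Successful`, and an authentication failure is indistinguishable from a KMS with no keys. Returning `null` from those two branches, or raising a `HadoopException` as the other failure paths do, would make the rejection visible to the admin. The `lret = null;` written immediately before each `throw` is dead, since nothing reads the local once the method unwinds. `gson.fromJson(jsonString, List.class)` is also an unchecked raw-type parse, so a non-string element surfaces from `for ( String key : keys)` as a `ClassCastException` that the `catch (Throwable t)` then wraps with a generic message rather than one naming the malformed response. `getKeyList` begins before this hunk.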
@@ -170,11 +162,9 @@ public class KMSClient { KMSClient kmsClient = getKmsClient(serviceName, configs); strList = getKmsKey(kmsClient, "", null); - if (strList != null) { connectivityStatus = true; } - if (connectivityStatus) { String successMsg = "TestConnection Successful"; BaseClient.generateResponseDataMap(connectivityStatus, successMsg, @@ -230,7 +220,7 @@ public class KMSClient { } if (keyName != null) { - String finalkmsKeyName = (keyName == null) ? "": keyName.trim(); + String finalkmsKeyName = keyName.trim(); resultList = kmsClient.getKeyList(finalkmsKeyName,existingKeyName); if (resultList != null) { if (LOG.isDebugEnabled()) { @@ -239,19 +229,16 @@ public class KMSClient { } } } catch (HadoopException he) { + resultList = null; throw he; } catch (Exception e) { String msgDesc = "Unable to get a valid response from the provider"; LOG.error(msgDesc, e); HadoopException hdpException = new HadoopException(msgDesc); hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null); + resultList = null; throw hdpException; } return resultList; - } - - public static <T> T timedTask(Callable<T> callableObj, long timeout, - TimeUnit timeUnit) throws Exception { - return callableObj.call(); - } + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/security-admin/scripts/db_setup.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 3e40505..16a5ff3 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py 
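Review bot: The `resultList = null;` added before each `throw` in `getKmsKey` has no effect, because the assignment is to a local that is never read once the method unwinds; it only suggests an intent the code does not carry out. The `catch (Exception e)` branch still builds `new HadoopException(msgDesc)` without `e`, whereas the corresponding catch in `getKeyList` earlier in this diff passes the cause through as `new HadoopException(msgDesc, t)`; `HadoopException hdpException = new HadoopException(msgDesc, e);` would make the two consistent and keep the stack trace on the exception rather than only in the log. The enclosing method starts before this hunk.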
@@ -953,7 +953,7 @@ class SqlServerConf(BaseDB): query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', now(), '%s@%s', now(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host) + query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host) ret = subprocess.call(query) if ret == 0: log("[I] java patch "+ className +" applied", "info") http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js old mode 100644 new mode 100755 index f6ed100..25b2691 --- a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js +++ b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js @@ -84,7 +84,6 @@ define(function(require){ if(this.model.has('versions')){ this.fields.cipher.$el.show(); this.fields.length.$el.show(); - this.fields.material.$el.show(); this.fields.description.editor.$el.attr('disabled',true); } },
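Review bot: The SQL Server `insert into x_db_version_h` statement is still assembled with `%` formatting, so `db_user` and `xa_db_host` are placed inside single-quoted literals unescaped; a value containing `'` breaks the statement, and on the Windows branch the whole string is handed to `subprocess.call(query)` as one command line. These values come from the installer's own configuration rather than from end users, so the exposure is limited, but the `'%s@%s'` parts should at least be quote-escaped (`db_user.replace("'", "''")`, likewise for `xa_db_host`) before interpolation. The `now()` to `GETDATE()` correction itself is right for SQL Server and brings the Windows branch into line with the Linux branch above it.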
