Repository: incubator-ranger Updated Branches: refs/heads/master e3f0f41d7 -> be2c12ff8
RANGER-478: Audit logs for grant/revoke updated to include IP address Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/be2c12ff Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/be2c12ff Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/be2c12ff Branch: refs/heads/master Commit: be2c12ff8332b901f02c30b95dd4ecac3a9ffdfd Parents: e3f0f41 Author: Madhan Neethiraj <[email protected]> Authored: Thu May 14 16:10:51 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu May 14 16:11:12 2015 -0700 ---------------------------------------------------------------------- .../ranger/plugin/service/RangerBasePlugin.java | 4 ++ .../ranger/plugin/util/GrantRevokeRequest.java | 73 +++++++++++++++++++- .../hbase/RangerAuthorizationCoprocessor.java | 12 +++- .../hive/authorizer/RangerHiveAuthorizer.java | 14 +++- 4 files changed, 98 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be2c12ff/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index b68e426..2a50082 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
@@ -311,6 +311,10 @@ public class RangerBasePlugin { accessRequest.setUser(request.getGrantor()); accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS); accessRequest.setAction(action); + accessRequest.setClientIPAddress(request.getClientIPAddress()); + accessRequest.setClientType(request.getClientType()); + accessRequest.setRequestData(request.getRequestData()); + accessRequest.setSessionId(request.getSessionId()); // call isAccessAllowed() to determine if audit is enabled or not RangerAccessResult accessResult = policyEngine.isAccessAllowed(accessRequest, null); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be2c12ff/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java index 137f2de..04eb484 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java @@ -20,6 +20,7 @@ package org.apache.ranger.plugin.util; import java.io.Serializable; +import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.Map; 
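Review bot: The four new `accessRequest.set*` calls copy audit context verbatim from the caller's GrantRevokeRequest, and nothing says where those values originate or that null is an acceptable input here; a comment above `accessRequest.setClientIPAddress(request.getClientIPAddress());` such as `// audit context (client IP, client type, request text, session id) is supplied by the calling plugin and is not verified here` would make that clear. Whether `policyEngine.isAccessAllowed` also reads clientIPAddress for policy conditions is not visible in this hunk, so if it does, the comment should state that the address is caller-supplied rather than observed. Whether the RangerAccessRequestImpl setters tolerate null is also not visible and worth confirming, since the HBase and Hive callers in this commit can pass null. The enclosing method of RangerBasePlugin starts and ends outside the hunk.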
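Review bot: The added `import java.util.Date;` in GrantRevokeRequest is not referenced by any line this commit adds to that file (every new field and parameter is a `String`), so unless a part of the file outside these hunks already uses Date it is an unused import and should be dropped. The same applies to `import org.apache.commons.lang.StringUtils;` added to RangerAuthorizationCoprocessor in a later hunk, whose code changes only call `RpcServer.getRemoteAddress()`, `RpcServer.getRemoteIp()` and `ret.setClientIPAddress(...)`.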
@@ -52,13 +53,17 @@ public class GrantRevokeRequest implements Serializable { private Boolean enableAudit = Boolean.TRUE; private Boolean replaceExistingPermissions = Boolean.FALSE; private Boolean isRecursive = Boolean.FALSE; + private String clientIPAddress = null; + private String clientType = null; + private String requestData = null; + private String sessionId = null; public GrantRevokeRequest() { - this(null, null, null, null, null, null, null, null, null); + this(null, null, null, null, null, null, null, null, null, null, null, null, null); } - public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive) { + public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String sessionId) { setGrantor(grantor); setResource(resource); setUsers(users); @@ -68,6 +73,10 @@ public class GrantRevokeRequest implements Serializable { setEnableAudit(enableAudit); setReplaceExistingPermissions(replaceExistingPermissions); setIsRecursive(isRecursive); + setClientIPAddress(clientIPAddress); + setClientType(clientType); + setRequestData(requestData); + setSessionId(sessionId); } /** 
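Review bot: The 9-argument constructor is removed rather than kept, so any caller outside this commit that builds a GrantRevokeRequest with the old signature stops compiling; keeping it as an overload that delegates with nulls preserves those callers: `public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive) { this(grantor, resource, users, groups, accessTypes, delegateAdmin, enableAudit, replaceExistingPermissions, isRecursive, null, null, null, null); }`. With thirteen positional parameters, nine of them nullable and four of them consecutive Strings, the new constructor is easy to call with arguments swapped, and nothing in the types would catch it; for new call sites the no-arg constructor plus setters, or a builder, is the safer shape. The class is Serializable per the hunk header, so the four new fields also extend its serialized form, which is worth a note in the class Javadoc if instances cross a version boundary.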
@@ -196,6 +205,62 @@ public class GrantRevokeRequest implements Serializable { this.isRecursive = isRecursive == null ? Boolean.FALSE : isRecursive; } + /** + * @return the clientIPAddress + */ + public String getClientIPAddress() { + return clientIPAddress; + } + + /** + * @param clientIPAddress the clientIPAddress to set + */ + public void setClientIPAddress(String clientIPAddress) { + this.clientIPAddress = clientIPAddress; + } + + /** + * @return the clientType + */ + public String getClientType() { + return clientType; + } + + /** + * @param clientType the clientType to set + */ + public void setClientType(String clientType) { + this.clientType = clientType; + } + + /** + * @return the requestData + */ + public String getRequestData() { + return requestData; + } + + /** + * @param requestData the requestData to set + */ + public void setRequestData(String requestData) { + this.requestData = requestData; + } + + /** + * @return the sessionId + */ + public String getSessionId() { + return sessionId; + } + + /** + * @param sessionId the sessionId to set + */ + public void setSessionId(String sessionId) { + this.sessionId = sessionId; + } + @Override public String toString( ) { 
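Review bot: The new getter/setter Javadoc only restates the field names (`@return the clientIPAddress`, `@param clientType the clientType to set`), which tells a reader nothing about what the values mean, who supplies them or what null signifies. Suggest one-line descriptions instead, e.g. `/** @return IP address of the client that issued the grant/revoke, as reported by the calling plugin; null when the plugin could not determine it */`, with matching wording for clientType (the client application type, as the Hive plugin reports from its session context), requestData (the originating command or request text) and sessionId. Whether these values are audit-only or also influence authorization is not established by this hunk, so the comment should state whichever the rest of the code establishes rather than assume either.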
@@ -247,6 +312,10 @@ public class GrantRevokeRequest implements Serializable { sb.append("enableAudit={").append(enableAudit).append("} "); sb.append("replaceExistingPermissions={").append(replaceExistingPermissions).append("} "); sb.append("isRecursive={").append(isRecursive).append("} "); + sb.append("clientIPAddress={").append(clientIPAddress).append("} "); + sb.append("clientType={").append(clientType).append("} "); + sb.append("requestData={").append(requestData).append("} "); + sb.append("sessionId={").append(sessionId).append("} "); sb.append("}"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be2c12ff/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index d6aeddd..3a67dd9 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -37,6 +37,7 @@ import java.util.Set; import java.util.TimeZone; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; 
@@ -194,8 +195,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } private String getRemoteAddress() { - InetAddress remoteAddr = RpcServer.getRemoteAddress(); - String strAddr = remoteAddr != null ? remoteAddr.getHostAddress() : null; + InetAddress remoteAddr = RpcServer.getRemoteAddress(); + + if(remoteAddr == null) { + remoteAddr = RpcServer.getRemoteIp(); + } + + String strAddr = remoteAddr != null ? remoteAddr.getHostAddress() : null; return strAddr; } @@ -1166,6 +1172,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess ret.setEnableAudit(Boolean.TRUE); ret.setReplaceExistingPermissions(Boolean.TRUE); ret.setResource(mapResource); + ret.setClientIPAddress(getRemoteAddress()); if(userName.startsWith(GROUP_PREFIX)) { ret.getGroups().add(userName.substring(GROUP_PREFIX.length())); @@ -1258,6 +1265,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess ret.setEnableAudit(Boolean.TRUE); ret.setReplaceExistingPermissions(Boolean.TRUE); ret.setResource(mapResource); + ret.setClientIPAddress(getRemoteAddress()); if(userName.startsWith(GROUP_PREFIX)) { ret.getGroups().add(userName.substring(GROUP_PREFIX.length())); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be2c12ff/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 2eac928..190c241 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 
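Review bot: `getRemoteAddress()` still returns null when both `RpcServer.getRemoteAddress()` and `RpcServer.getRemoteIp()` yield nothing, and the two new `ret.setClientIPAddress(getRemoteAddress());` lines (hunks at 1166 and 1258) then record no client address without any trace of why; the method should say what the double lookup is for and what null means, e.g. `// try both RpcServer accessors for the caller's address (presumably needed across HBase versions); null means the call did not arrive through an RPC handler, so the audit record carries no client IP`. The `strAddr` local adds nothing over `return remoteAddr != null ? remoteAddr.getHostAddress() : null;`. Unlike the Hive path in this commit, the HBase grant/revoke requests populate only clientIPAddress and not clientType, sessionId or requestData, so audit records from the two plugins will differ in content; if that is intended, a one-line comment at the set call saying so avoids the question later.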
@@ -47,6 +47,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; +import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.security.UserGroupInformation; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; @@ -65,7 +66,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { private static volatile RangerHivePlugin hivePlugin = null ; - public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator, @@ -874,6 +874,18 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { ret.setResource(mapResource); + SessionState ss = SessionState.get(); + if(ss != null) { + ret.setClientIPAddress(ss.getUserIpAddress()); + ret.setSessionId(ss.getSessionId()); + ret.setRequestData(ss.getCmd()); + } + + HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext(); + if(sessionContext != null) { + ret.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString()); + } + for(HivePrincipal principal : hivePrincipals) { switch(principal.getType()) { case USER:
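Review bot: Everything inside `if(ss != null)` is skipped silently when `SessionState.get()` returns null, so the audit record then has no client IP, session id or command and nothing marks that as an expected outcome; a comment such as `// SessionState appears to be bound per thread/session; when absent the audit record carries no client IP, session id or command — confirm under which call paths that happens` would help. `ret.setRequestData(ss.getCmd())` puts the full text of the statement being executed into the request, which here is the GRANT/REVOKE itself, but the line should say so (`// raw command text, recorded for audit`) so later readers do not treat requestData as a sanitized summary. The client-type ternary could read `ret.setClientType(Objects.toString(sessionContext.getClientType(), null));` with `java.util.Objects` imported, which is behaviour-identical and purely cosmetic. The enclosing method starts and ends outside the hunk.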
