RANGER-246 - Updates based on changes on Kafka side Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/115577a6 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/115577a6 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/115577a6
Branch: refs/heads/ranger-0.5 Commit: 115577a6f1afdc0cee2b029117c9796a98574755 Parents: f31274b Author: Don Bosco Durai <[email protected]> Authored: Sat May 23 21:17:12 2015 -0700 Committer: Don Bosco Durai <[email protected]> Committed: Sat May 23 21:17:12 2015 -0700 ---------------------------------------------------------------------- agents-common/scripts/enable-agent.sh | 4 + .../ranger/plugin/service/RangerBasePlugin.java | 200 +++++++---- .../service-defs/ranger-servicedef-kafka.json | 47 ++- plugin-kafka/scripts/install.properties | 3 + .../scripts/kafka-plugin-install.properties | 2 +- .../kafka/authorizer/RangerKafkaAuthorizer.java | 80 +++-- .../solr/authorizer/RangerSolrAuthorizer.java | 1 + src/main/assembly/plugin-kafka.xml | 349 ++++++++++--------- 8 files changed, 404 insertions(+), 282 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/agents-common/scripts/enable-agent.sh ---------------------------------------------------------------------- diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index 3550e16..16efe74 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -151,6 +151,8 @@ if [ "${HCOMPONENT_NAME}" = "knox" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/ext elif [ "${HCOMPONENT_NAME}" = "solr" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/solr-webapp/webapp/WEB-INF/lib +elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then + HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/libs fi HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/conf @@ -163,6 +165,8 @@ if [ "${HCOMPONENT_NAME}" = "solr" ]; then echo "INFO: Changing ownership of $HCOMPONENT_CONF_DIR to $install_owner" chown $install_owner:$install_owner $HCOMPONENT_CONF_DIR fi +elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then + HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/config fi HCOMPONENT_ARCHIVE_CONF_DIR=${HCOMPONENT_CONF_DIR}/.archive http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index a347f75..75ba6b9 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -20,16 +20,15 @@ package org.apache.ranger.plugin.service; import java.util.Collection; -import java.util.List; +import java.util.Hashtable; +import java.util.Map; -import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.admin.client.RangerAdminClient; import org.apache.ranger.admin.client.RangerAdminRESTClient; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; @@ -44,22 +43,23 @@ import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.PolicyRefresher; import org.apache.ranger.plugin.util.ServicePolicies; - public class RangerBasePlugin { private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class); - private String serviceType = null; - private String appId = null; - private String serviceName = null; - private PolicyRefresher refresher = null; - private RangerPolicyEngine policyEngine = null; + private String serviceType = null; + private String appId = null; + private String serviceName = null; + private PolicyRefresher refresher = null; + private RangerPolicyEngine policyEngine = null; private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); private RangerAccessResultProcessor resultProcessor = null; + Map<String, LogHistory> logHistoryList = new Hashtable<String, RangerBasePlugin.LogHistory>(); + int logInterval = 30000; // 30 seconds public RangerBasePlugin(String serviceType, String appId) { this.serviceType = serviceType; - this.appId = appId; + this.appId = appId; } public String getServiceType() { @@ -75,7 +75,8 @@ public class RangerBasePlugin { public int getServiceDefId() { RangerServiceDef serviceDef = getServiceDef(); - return serviceDef != null && serviceDef.getId() != null ? serviceDef.getId().intValue() : -1; + return serviceDef != null && serviceDef.getId() != null ? serviceDef + .getId().intValue() : -1; } public String getAppId() { @@ -89,29 +90,50 @@ public class RangerBasePlugin { public void init() { cleanup(); - RangerConfiguration.getInstance().addResourcesForServiceType(serviceType); + RangerConfiguration.getInstance().addResourcesForServiceType( + serviceType); RangerConfiguration.getInstance().initAudit(appId); - String propertyPrefix = "ranger.plugin." + serviceType; - long pollingIntervalMs = RangerConfiguration.getInstance().getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000); - String cacheDir = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.cache.dir"); - - serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name"); - - policyEngineOptions.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED); - policyEngineOptions.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true); - policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false); - policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false); - + String propertyPrefix = "ranger.plugin." + serviceType; + long pollingIntervalMs = RangerConfiguration.getInstance().getLong( + propertyPrefix + ".policy.pollIntervalMs", 30 * 1000); + String cacheDir = RangerConfiguration.getInstance().get( + propertyPrefix + ".policy.cache.dir"); + + serviceName = RangerConfiguration.getInstance().get( + propertyPrefix + ".service.name"); + + policyEngineOptions.evaluatorType = RangerConfiguration.getInstance() + .get(propertyPrefix + ".policyengine.option.evaluator.type", + RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED); + policyEngineOptions.cacheAuditResults = RangerConfiguration + .getInstance().getBoolean( + propertyPrefix + + ".policyengine.option.cache.audit.results", + true); + policyEngineOptions.disableContextEnrichers = RangerConfiguration + .getInstance() + .getBoolean( + propertyPrefix + + ".policyengine.option.disable.context.enrichers", + false); + policyEngineOptions.disableCustomConditions = RangerConfiguration + .getInstance() + .getBoolean( + propertyPrefix + + ".policyengine.option.disable.custom.conditions", + false); RangerAdminClient admin = createAdminClient(propertyPrefix); - refresher = new PolicyRefresher(this, serviceType, appId, serviceName, admin, pollingIntervalMs, cacheDir); + refresher = new PolicyRefresher(this, serviceType, appId, serviceName, + admin, pollingIntervalMs, cacheDir); refresher.startRefresher(); } public void setPolicies(ServicePolicies policies) { - RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(policies, policyEngineOptions); + RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(policies, + policyEngineOptions); this.policyEngine = policyEngine; } @@ -119,11 +141,11 @@ public class RangerBasePlugin { public void cleanup() { PolicyRefresher refresher = this.refresher; - this.serviceName = null; + this.serviceName = null; this.policyEngine = null; - this.refresher = null; + this.refresher = null; - if(refresher != null) { + if (refresher != null) { refresher.stopRefresher(); } } @@ -140,14 +162,16 @@ public class RangerBasePlugin { return isAccessAllowed(request, resultProcessor); } - public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests) { + public Collection<RangerAccessResult> isAccessAllowed( + Collection<RangerAccessRequest> requests) { return isAccessAllowed(requests, resultProcessor); } - public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { + public RangerAccessResult isAccessAllowed(RangerAccessRequest request, + RangerAccessResultProcessor resultProcessor) { RangerPolicyEngine policyEngine = this.policyEngine; - if(policyEngine != null) { + if (policyEngine != null) { policyEngine.enrichContext(request); return policyEngine.isAccessAllowed(request, resultProcessor); @@ -156,10 +180,12 @@ public class RangerBasePlugin { return null; } - public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) { + public Collection<RangerAccessResult> isAccessAllowed( + Collection<RangerAccessRequest> requests, + RangerAccessResultProcessor resultProcessor) { RangerPolicyEngine policyEngine = this.policyEngine; - if(policyEngine != null) { + if (policyEngine != null) { policyEngine.enrichContext(requests); return policyEngine.isAccessAllowed(requests, resultProcessor); @@ -171,24 +197,26 @@ public class RangerBasePlugin { public RangerAccessResult createAccessResult(RangerAccessRequest request) { RangerPolicyEngine policyEngine = this.policyEngine; - if(policyEngine != null) { + if (policyEngine != null) { return policyEngine.createAccessResult(request); } return null; } - public void grantAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception { - if(LOG.isDebugEnabled()) { + public void grantAccess(GrantRevokeRequest request, + RangerAccessResultProcessor resultProcessor) throws Exception { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerAdminRESTClient.grantAccess(" + request + ")"); } - PolicyRefresher refresher = this.refresher; - RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient(); - boolean isSuccess = false; + PolicyRefresher refresher = this.refresher; + RangerAdminClient admin = refresher == null ? null : refresher + .getRangerAdminClient(); + boolean isSuccess = false; try { - if(admin == null) { + if (admin == null) { throw new Exception("ranger-admin client is null"); } @@ -199,22 +227,24 @@ public class RangerBasePlugin { auditGrantRevoke(request, "grant", isSuccess, resultProcessor); } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerAdminRESTClient.grantAccess(" + request + ")"); } } - public void revokeAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception { - if(LOG.isDebugEnabled()) { + public void revokeAccess(GrantRevokeRequest request, + RangerAccessResultProcessor resultProcessor) throws Exception { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + request + ")"); } - PolicyRefresher refresher = this.refresher; - RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient(); - boolean isSuccess = false; + PolicyRefresher refresher = this.refresher; + RangerAdminClient admin = refresher == null ? null : refresher + .getRangerAdminClient(); + boolean isSuccess = false; try { - if(admin == null) { + if (admin == null) { throw new Exception("ranger-admin client is null"); } @@ -225,59 +255,72 @@ public class RangerBasePlugin { auditGrantRevoke(request, "revoke", isSuccess, resultProcessor); } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerAdminRESTClient.revokeAccess(" + request + ")"); } } - private RangerAdminClient createAdminClient(String propertyPrefix) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.createAdminClient(" + propertyPrefix + ")"); + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerAdminRESTClient.createAdminClient(" + + propertyPrefix + ")"); } RangerAdminClient ret = null; String propertyName = propertyPrefix + ".policy.source.impl"; - String policySourceImpl = RangerConfiguration.getInstance().get(propertyName); + String policySourceImpl = RangerConfiguration.getInstance().get( + propertyName); - if(StringUtils.isEmpty(policySourceImpl)) { + if (StringUtils.isEmpty(policySourceImpl)) { if (LOG.isDebugEnabled()) { - LOG.debug(String.format("Value for property[%s] was null or empty. Unxpected! Will use policy source of type[%s]", propertyName, RangerAdminRESTClient.class.getName())); + LOG.debug(String + .format("Value for property[%s] was null or empty. Unxpected! Will use policy source of type[%s]", + propertyName, + RangerAdminRESTClient.class.getName())); } } else { if (LOG.isDebugEnabled()) { - LOG.debug(String.format("Value for property[%s] was [%s].", propertyName, policySourceImpl)); + LOG.debug(String.format("Value for property[%s] was [%s].", + propertyName, policySourceImpl)); } try { @SuppressWarnings("unchecked") - Class<RangerAdminClient> adminClass = (Class<RangerAdminClient>)Class.forName(policySourceImpl); - + Class<RangerAdminClient> adminClass = (Class<RangerAdminClient>) Class + .forName(policySourceImpl); + ret = adminClass.newInstance(); } catch (Exception excp) { - LOG.error("failed to instantiate policy source of type '" + policySourceImpl + "'. Will use policy source of type '" + RangerAdminRESTClient.class.getName() + "'", excp); + LOG.error("failed to instantiate policy source of type '" + + policySourceImpl + + "'. Will use policy source of type '" + + RangerAdminRESTClient.class.getName() + "'", excp); } } - if(ret == null) { + if (ret == null) { ret = new RangerAdminRESTClient(); } ret.init(serviceName, appId, propertyPrefix); - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.createAdminClient(" + propertyPrefix + "): policySourceImpl=" + policySourceImpl + ", client=" + ret); + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerAdminRESTClient.createAdminClient(" + + propertyPrefix + "): policySourceImpl=" + + policySourceImpl + ", client=" + ret); } return ret; } - private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) { + private void auditGrantRevoke(GrantRevokeRequest request, String action, + boolean isSuccess, RangerAccessResultProcessor resultProcessor) { RangerPolicyEngine policyEngine = this.policyEngine; - if(request != null && resultProcessor != null && policyEngine != null) { + if (request != null && resultProcessor != null && policyEngine != null) { RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl(); - - accessRequest.setResource(new RangerAccessResourceImpl(request.getResource())); + + accessRequest.setResource(new RangerAccessResourceImpl(request + .getResource())); accessRequest.setUser(request.getGrantor()); accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS); accessRequest.setAction(action); @@ -287,13 +330,14 @@ public class RangerBasePlugin { accessRequest.setSessionId(request.getSessionId()); // call isAccessAllowed() to determine if audit is enabled or not - RangerAccessResult accessResult = policyEngine.isAccessAllowed(accessRequest, null); + RangerAccessResult accessResult = policyEngine.isAccessAllowed( + accessRequest, null); - if(accessResult != null && accessResult.getIsAudited()) { + if (accessResult != null && accessResult.getIsAudited()) { accessRequest.setAccessType(action); accessResult.setIsAllowed(isSuccess); - if(! isSuccess) { + if (!isSuccess) { accessResult.setPolicyId(-1); } @@ -301,4 +345,24 @@ public class RangerBasePlugin { } } } + + public boolean logErrorMessage(String message) { + LogHistory log = logHistoryList.get(message); + if (log == null) { + log = new LogHistory(); + log.message = message; + log.lastLogTime = 0; + } + if ((System.currentTimeMillis() - log.lastLogTime) > logInterval) { + log.lastLogTime = System.currentTimeMillis(); + LOG.error(message); + return true; + } + return false; + } + + class LogHistory { + long lastLogTime; + String message; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json ---------------------------------------------------------------------- diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json index d19b10c..2d4142d 100644 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json +++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json @@ -28,58 +28,49 @@ ], "accessTypes":[ { - "itemId": 1, + "itemId":1, "name":"publish", "label":"Publish" }, { - "itemId": 2, + "itemId":2, "name":"consume", "label":"Consume" }, { - "itemId": 3, - "name":"create", - "label":"Create" - }, - { - "itemId": 4, - "name":"delete", - "label":"Delete" - }, - { - "itemId": 5, + "itemId":5, "name":"configure", "label":"Configure" }, { - "itemId": 6, + "itemId":6, "name":"describe", "label":"Describe" }, { - "itemId": 7, + "itemId":7, "name":"kafka_admin", "label":"Kafka Admin" } + ], "configs":[ { - "itemId": 1, + "itemId":1, "name":"username", "type":"string", "mandatory":true, "label":"Username" }, { - "itemId": 2, + "itemId":2, "name":"password", "type":"password", "mandatory":true, "label":"Password" }, { - "itemId": 3, + "itemId":3, "name":"zookeeper.connect", "type":"string", "mandatory":true, @@ -87,7 +78,7 @@ "label":"Zookeeper Connect String" }, { - "itemId": 4, + "itemId":4, "name":"commonNameForCertificate", "type":"string", "mandatory":false, @@ -103,16 +94,18 @@ ], "policyConditions":[ { - "itemId": 1, - "name": "ip-range", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", - "evaluatorOptions": { }, + "itemId":1, + "name":"ip-range", + "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", + "evaluatorOptions":{ + + }, "validationRegEx":"", - "validationMessage": "", + "validationMessage":"", "uiHint":"", - "label": "IP Address Range", - "description": "IP Address Range" + "label":"IP Address Range", + "description":"IP Address Range" } ] -} +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/plugin-kafka/scripts/install.properties ---------------------------------------------------------------------- diff --git a/plugin-kafka/scripts/install.properties b/plugin-kafka/scripts/install.properties index 4e8cbf9..1e2854e 100644 --- a/plugin-kafka/scripts/install.properties +++ b/plugin-kafka/scripts/install.properties @@ -13,6 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Location of component folder +COMPONENT_INSTALL_DIR_NAME=../kafka + # # Location of Policy Manager URL # http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/plugin-kafka/scripts/kafka-plugin-install.properties ---------------------------------------------------------------------- diff --git a/plugin-kafka/scripts/kafka-plugin-install.properties b/plugin-kafka/scripts/kafka-plugin-install.properties index f4df857..4f64c62 100644 --- a/plugin-kafka/scripts/kafka-plugin-install.properties +++ b/plugin-kafka/scripts/kafka-plugin-install.properties @@ -20,4 +20,4 @@ # This location should be relative to the parent of the directory containing # the plugin installation files. # -COMPONENT_INSTALL_DIR_NAME=kafka +#COMPONENT_INSTALL_DIR_NAME=kafka http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index 655f1b9..0d0cffc 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -30,6 +30,7 @@ import kafka.security.auth.ResourceType; import kafka.server.KafkaConfig; import kafka.network.RequestChannel.Session; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.authorization.utils.StringUtil; @@ -50,15 +51,17 @@ public class RangerKafkaAuthorizer implements Authorizer { public static final String KEY_CLUSTER = "cluster"; public static final String KEY_CONSUMER_GROUP = "consumer_group"; - public static final String ACCESS_TYPE_READ = "read"; - public static final String ACCESS_TYPE_WRITE = "write"; + public static final String ACCESS_TYPE_READ = "consume"; + public static final String ACCESS_TYPE_WRITE = "publish"; public static final String ACCESS_TYPE_CREATE = "create"; public static final String ACCESS_TYPE_DELETE = "delete"; - public static final String ACCESS_TYPE_ALTER = "alter"; + public static final String ACCESS_TYPE_CONFIGURE = "configure"; public static final String ACCESS_TYPE_DESCRIBE = "describe"; public static final String ACCESS_TYPE_KAFKA_ADMIN = "kafka_admin"; private static volatile RangerBasePlugin rangerPlugin = null; + long lastLogTime = 0; + int errorLogFreq = 30000; // Log after every 30 seconds public RangerKafkaAuthorizer() { if (rangerPlugin == null) { @@ -79,20 +82,33 @@ public class RangerKafkaAuthorizer implements Authorizer { rangerPlugin.setResultProcessor(auditHandler); } - // TODO: Fix this after Session is fixed - // @Override + @Override public boolean authorize(Session session, Operation operation, Resource resource) { String userName = null; + if (session.principal() != null) { + userName = session.principal().getName(); + userName = StringUtils.substringBefore(userName, "/"); + userName = StringUtils.substringBefore(userName, "@"); + } java.util.Set<String> userGroups = getGroupsForUser(userName); - String ip = null; + String ip = session.host(); + Date eventTime = StringUtil.getUTCDate(); String accessType = mapToRangerAccessType(operation); + boolean validationFailed = false; + String validationStr = ""; + if (accessType == null) { - logger.fatal("Unsupported access type. session=" + session - + ", operation=" + operation + ", resource=" + resource); - return false; + if (rangerPlugin + .logErrorMessage("Unsupported access type. operation=" + + operation)) { + logger.fatal("Unsupported access type. session=" + session + + ", operation=" + operation + ", resource=" + resource); + } + validationFailed = true; + validationStr += "Unsupported access type. operation=" + operation; } String action = accessType; @@ -103,25 +119,49 @@ public class RangerKafkaAuthorizer implements Authorizer { rangerRequest.setAccessTime(eventTime); RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(); + rangerRequest.setResource(rangerResource); + rangerRequest.setAccessType(accessType); + rangerRequest.setAction(action); + rangerRequest.setRequestData(resource.name()); if (resource.resourceType().equals(ResourceType.TOPIC)) { rangerResource.setValue(KEY_TOPIC, resource.name()); } else if (resource.resourceType().equals(ResourceType.CLUSTER)) { - rangerResource.setValue(KEY_CLUSTER, resource.name()); + // CLUSTER should go as null + // rangerResource.setValue(KEY_CLUSTER, resource.name()); } else if (resource.resourceType().equals(ResourceType.CONSUMER_GROUP)) { rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name()); } else { logger.fatal("Unsupported resourceType=" + resource.resourceType()); - return false; + validationFailed = true; } - rangerRequest.setResource(rangerResource); - rangerRequest.setAccessType(accessType); - rangerRequest.setAction(action); - rangerRequest.setRequestData(resource.name()); + boolean returnValue = true; + if (validationFailed) { + rangerPlugin.logErrorMessage(validationStr + ", request=" + + rangerRequest); + returnValue = false; + } else { - RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest); - return result.getIsAllowed(); + try { + RangerAccessResult result = rangerPlugin + .isAccessAllowed(rangerRequest); + if (result == null) { + logger.error("Ranger Plugin returned null. Returning false"); + returnValue = false; + } else { + returnValue = result.getIsAllowed(); + } + } catch (Throwable t) { + logger.error("Error while calling isAccessAllowed(). request=" + + rangerRequest, t); + } + } + if (logger.isDebugEnabled()) { + logger.debug("rangerRequest=" + rangerRequest + ", return=" + + returnValue); + } + return returnValue; } /* @@ -210,12 +250,8 @@ public class RangerKafkaAuthorizer implements Authorizer { return ACCESS_TYPE_READ; } else if (operation.equals(Operation.WRITE)) { return ACCESS_TYPE_WRITE; - } else if (operation.equals(Operation.CREATE)) { - return ACCESS_TYPE_CREATE; - } else if (operation.equals(Operation.DELETE)) { - return ACCESS_TYPE_DELETE; } else if (operation.equals(Operation.ALTER)) { - return ACCESS_TYPE_ALTER; + return ACCESS_TYPE_CONFIGURE; } else if (operation.equals(Operation.DESCRIBE)) { return ACCESS_TYPE_DESCRIBE; } else if (operation.equals(Operation.CLUSTER_ACTION)) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java index 673f652..8e0ada8 100644 --- a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java +++ b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java @@ -223,6 +223,7 @@ public class RangerSolrAuthorizer implements AuthorizationPlugin { String userName = null; if (principal != null) { userName = principal.getName(); + userName = StringUtils.substringBefore(userName, "/"); userName = StringUtils.substringBefore(userName, "@"); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115577a6/src/main/assembly/plugin-kafka.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/plugin-kafka.xml b/src/main/assembly/plugin-kafka.xml index aa66e08..77c4e65 100644 --- a/src/main/assembly/plugin-kafka.xml +++ b/src/main/assembly/plugin-kafka.xml @@ -1,167 +1,188 @@ <?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> +<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor + license agreements. See the NOTICE file distributed with this work for additional + information regarding copyright ownership. The ASF licenses this file to + You under the Apache License, Version 2.0 (the "License"); you may not use + this file except in compliance with the License. You may obtain a copy of + the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required + by applicable law or agreed to in writing, software distributed under the + License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS + OF ANY KIND, either express or implied. See the License for the specific + language governing permissions and limitations under the License. --> <assembly> - <id>kafka-plugin</id> - <formats> - <format>tar.gz</format> - <format>zip</format> - </formats> - <baseDirectory>${project.name}-${project.version}-kafka-plugin</baseDirectory> - <includeBaseDirectory>true</includeBaseDirectory> - <moduleSets> - <moduleSet> - <binaries> - <includeDependencies>false</includeDependencies> - <unpack>false</unpack> - <directoryMode>755</directoryMode> - <fileMode>644</fileMode> - <dependencySets> - <dependencySet> - <outputDirectory>/lib</outputDirectory> - <unpack>false</unpack> - <includes> - <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include> - <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include> - <include>org.apache.hadoop:hadoop-common-plus:jar:${hadoop-common.version}</include> - <include>com.google.code.gson:gson</include> - <include>org.eclipse.persistence:eclipselink</include> - <include>org.eclipse.persistence:javax.persistence</include> - <include>commons-collections:commons-collections</include> - <include>com.sun.jersey:jersey-bundle</include> - <include>commons-logging:commons-logging:jar:${commons.logging.version}</include> - <include>com.google.guava:guava:jar:${guava.version}</include> - <include>org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version}</include> - <include>org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version}</include> - <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> - <include>org.noggit:noggit:jar:${noggit.version}</include> - </includes> - </dependencySet> - <dependencySet> - <outputDirectory>/install/lib</outputDirectory> - <unpack>false</unpack> - <directoryMode>755</directoryMode> - <fileMode>644</fileMode> - <includes> - <include>commons-cli:commons-cli</include> - <include>commons-collections:commons-collections</include> - <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include> - <include>commons-io:commons-io:jar:${commons.io.version}</include> - <include>commons-lang:commons-lang:jar:${commons.lang.version}</include> - <include>commons-logging:commons-logging</include> - <include>com.google.guava:guava:jar:${guava.version}</include> - <include>org.hamcrest:hamcrest-all</include> - <include>junit:junit</include> - <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> - <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include> - <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version}</include> - <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred</include> - <include>org.apache.ranger:credentialbuilder</include> - </includes> - </dependencySet> - </dependencySets> - <outputDirectory>/lib</outputDirectory> - </binaries> - <includes> - <include>org.apache.ranger:ranger_solrj</include> - <include>security_plugins.ranger-plugins-audit:ranger-plugins-audit</include> - <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred</include> - <include>security_plugins.ranger-plugins-impl:ranger-plugins-impl</include> - <include>security_plugins.ranger-plugins-common:ranger-plugins-common</include> - <include>security_plugins.ranger-kafka-plugin:ranger-kafka-plugin</include> - </includes> - </moduleSet> - <moduleSet> - <binaries> - <includeDependencies>false</includeDependencies> - <outputDirectory>/install/lib</outputDirectory> - <unpack>false</unpack> - </binaries> - <includes> - <include>security_plugins.ranger-plugins-installer:ranger-plugins-installer</include> - <include>org.apache.ranger:credentialbuilder</include> - </includes> - </moduleSet> - </moduleSets> - <fileSets> - <!-- conf.templates for enable --> - <fileSet> - <outputDirectory>/install/conf.templates/enable</outputDirectory> - <directory>plugin-kafka/conf</directory> - <excludes> - <exclude>*.sh</exclude> - </excludes> - <fileMode>700</fileMode> - </fileSet> - <fileSet> - <outputDirectory>/install/conf.templates/disable</outputDirectory> - <directory>plugin-kafka/disable-conf</directory> - <fileMode>700</fileMode> - </fileSet> - <fileSet> - <outputDirectory>/install/conf.templates/default</outputDirectory> - <directory>plugin-kafka/template</directory> - <fileMode>700</fileMode> - </fileSet> - <!-- version file --> - <fileSet> - <outputDirectory>/</outputDirectory> - <directory>${project.build.outputDirectory}</directory> - <includes> - <include>version</include> - </includes> - <fileMode>444</fileMode> - </fileSet> - </fileSets> - <!-- enable/disable script for Plugin --> - <files> - <file> - <source>agents-common/scripts/enable-agent.sh</source> - <outputDirectory>/</outputDirectory> - <destName>enable-kafka-plugin.sh</destName> - <fileMode>755</fileMode> - </file> - <file> - <source>agents-common/scripts/enable-agent.sh</source> - <outputDirectory>/</outputDirectory> - <destName>disable-kafka-plugin.sh</destName> - <fileMode>755</fileMode> - </file> - <file> - <source>security-admin/scripts/ranger_credential_helper.py</source> - <outputDirectory>/</outputDirectory> - <fileMode>755</fileMode> - </file> - <file> - <source>security-admin/scripts/ranger_credential_helper.py</source> - <outputDirectory>/</outputDirectory> - <fileMode>755</fileMode> - </file> - <file> - <source>plugin-kafka/scripts/install.properties</source> - <outputDirectory>/</outputDirectory> - <destName>install.properties</destName> - <fileMode>755</fileMode> - </file> - <file> - <source>plugin-kafka/scripts/kafka-plugin-install.properties</source> - <outputDirectory>/</outputDirectory> - <destName>kafka-plugin-install.properties</destName> - <fileMode>755</fileMode> - </file> - </files> + <id>kafka-plugin</id> + <formats> + <format>tar.gz</format> + <format>zip</format> + </formats> + <baseDirectory>${project.name}-${project.version}-kafka-plugin + </baseDirectory> + <includeBaseDirectory>true</includeBaseDirectory> + <moduleSets> + <moduleSet> + <binaries> + <includeDependencies>false</includeDependencies> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <dependencySets> + <dependencySet> + <outputDirectory>/lib</outputDirectory> + <unpack>false</unpack> + <includes> + <include>commons-configuration:commons-configuration:jar:${commons.configuration.version} + </include> + <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} + </include> + <include>org.apache.hadoop:hadoop-common-plus:jar:${hadoop-common.version} + </include> + <include>com.google.code.gson:gson</include> + <include>org.eclipse.persistence:eclipselink</include> + <include>org.eclipse.persistence:javax.persistence</include> + <include>commons-collections:commons-collections</include> + <include>com.sun.jersey:jersey-bundle</include> + <include>commons-logging:commons-logging:jar:${commons.logging.version} + </include> + <include>commons-lang:commons-lang</include> + <include>commons-io:commons-io</include> + <include>com.google.guava:guava:jar:${guava.version}</include> + <include>org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version} + </include> + <include>org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version} + </include> + <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} + </include> + <include>org.noggit:noggit:jar:${noggit.version}</include> + <include>org.codehaus.jackson:jackson-core-asl</include> + <include>org.codehaus.jackson:jackson-jaxrs</include> + <include>org.codehaus.jackson:jackson-mapper-asl</include> + <include>org.codehaus.jackson:jackson-xc</include> + + </includes> + </dependencySet> + <dependencySet> + <outputDirectory>/install/lib</outputDirectory> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <includes> + <include>commons-cli:commons-cli</include> + <include>commons-collections:commons-collections</include> + <include>commons-configuration:commons-configuration:jar:${commons.configuration.version} + </include> + <include>commons-io:commons-io:jar:${commons.io.version} + </include> + <include>commons-lang:commons-lang:jar:${commons.lang.version} + </include> + <include>commons-logging:commons-logging</include> + <include>com.google.guava:guava:jar:${guava.version}</include> + <include>org.hamcrest:hamcrest-all</include> + <include>junit:junit</include> + <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> + <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} + </include> + <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} + </include> + <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred + </include> + <include>org.apache.ranger:credentialbuilder</include> + </includes> + </dependencySet> + </dependencySets> + <outputDirectory>/lib</outputDirectory> + </binaries> + <includes> + <include>org.apache.ranger:ranger_solrj</include> + <include>security_plugins.ranger-plugins-audit:ranger-plugins-audit + </include> + <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred + </include> + <include>security_plugins.ranger-plugins-impl:ranger-plugins-impl + </include> + <include>security_plugins.ranger-plugins-common:ranger-plugins-common + </include> + <include>security_plugins.ranger-kafka-plugin:ranger-kafka-plugin + </include> + </includes> + </moduleSet> + <moduleSet> + <binaries> + <includeDependencies>false</includeDependencies> + <outputDirectory>/install/lib</outputDirectory> + <unpack>false</unpack> + </binaries> + <includes> + <include>security_plugins.ranger-plugins-installer:ranger-plugins-installer + </include> + <include>org.apache.ranger:credentialbuilder</include> + </includes> + </moduleSet> + </moduleSets> + <fileSets> + <!-- conf.templates for enable --> + <fileSet> + <outputDirectory>/install/conf.templates/enable</outputDirectory> + <directory>plugin-kafka/conf</directory> + <excludes> + <exclude>*.sh</exclude> + </excludes> + <fileMode>700</fileMode> + </fileSet> + <fileSet> + <outputDirectory>/install/conf.templates/disable</outputDirectory> + <directory>plugin-kafka/disable-conf</directory> + <fileMode>700</fileMode> + </fileSet> + <fileSet> + <outputDirectory>/install/conf.templates/default</outputDirectory> + <directory>plugin-kafka/template</directory> + <fileMode>700</fileMode> + </fileSet> + <!-- version file --> + <fileSet> + <outputDirectory>/</outputDirectory> + <directory>${project.build.outputDirectory}</directory> + <includes> + <include>version</include> + </includes> + <fileMode>444</fileMode> + </fileSet> + </fileSets> + <!-- enable/disable script for Plugin --> + <files> + <file> + <source>agents-common/scripts/enable-agent.sh</source> + <outputDirectory>/</outputDirectory> + <destName>enable-kafka-plugin.sh</destName> + <fileMode>755</fileMode> + </file> + <file> + <source>agents-common/scripts/enable-agent.sh</source> + <outputDirectory>/</outputDirectory> + <destName>disable-kafka-plugin.sh</destName> + <fileMode>755</fileMode> + </file> + <file> + <source>security-admin/scripts/ranger_credential_helper.py</source> + <outputDirectory>/</outputDirectory> + <fileMode>755</fileMode> + </file> + <file> + <source>security-admin/scripts/ranger_credential_helper.py</source> + <outputDirectory>/</outputDirectory> + <fileMode>755</fileMode> + </file> + <file> + <source>plugin-kafka/scripts/install.properties</source> + <outputDirectory>/</outputDirectory> + <destName>install.properties</destName> + <fileMode>755</fileMode> + </file> + <file> + <source>plugin-kafka/scripts/kafka-plugin-install.properties</source> + <outputDirectory>/</outputDirectory> + <destName>kafka-plugin-install.properties</destName> + <fileMode>755</fileMode> + </file> + </files> </assembly>
