RANGER-510 : Client IP not getting populated for KMS in audit Signed-off-by: Velmurugan Periasamy <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/dda7a165 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/dda7a165 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/dda7a165 Branch: refs/heads/tag-policy Commit: dda7a165c5a7c80d13023c91a095a373a6dd3e70 Parents: f0a8931 Author: Gautam Borad <[email protected]> Authored: Fri May 29 12:11:11 2015 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Fri May 29 10:16:55 2015 -0400 ---------------------------------------------------------------------- .../hadoop/crypto/key/kms/server/KMS.java | 68 ++++++++++---------- .../hadoop/crypto/key/kms/server/KMSACLs.java | 6 +- .../kms/server/KeyAuthorizationKeyProvider.java | 5 +- .../crypto/key/kms/server/TestKMSACLs.java | 11 ++-- .../kms/authorizer/RangerKmsAuthorizer.java | 30 +++------ 5 files changed, 57 insertions(+), 63 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java index 5575eab..404b710 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java @@ -30,6 +30,7 @@ import org.apache.hadoop.crypto.key.kms.KMSClientProvider; import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type; import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.Consumes; import javax.ws.rs.DELETE; import javax.ws.rs.DefaultValue; 
@@ -39,6 +40,7 @@ import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.QueryParam; +import javax.ws.rs.core.Context; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -74,13 +76,13 @@ public class KMS { } private void assertAccess(Type aclType, UserGroupInformation ugi, - KMSOp operation) throws AccessControlException { - KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null); + KMSOp operation, String clientIp) throws AccessControlException { + KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null, clientIp); } private void assertAccess(Type aclType, UserGroupInformation ugi, - KMSOp operation, String key) throws AccessControlException { - KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key); + KMSOp operation, String key, String clientIp) throws AccessControlException { + KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key, clientIp); } private static KeyProvider.KeyVersion removeKeyMaterial( @@ -99,12 +101,12 @@ public class KMS { @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) @SuppressWarnings("unchecked") - public Response createKey(Map jsonKey) throws Exception { + public Response createKey(Map jsonKey, @Context HttpServletRequest request) throws Exception { KMSWebApp.getAdminCallsMeter().mark(); UserGroupInformation user = HttpUserGroupInformation.get(); final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD); - KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD); - assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name); + KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD); + assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name, request.getRemoteAddr()); String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD); final String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD); int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD)) 
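Review bot: The two private `assertAccess` overloads in this hunk now differ only by one extra `String`, and the new key-less form `(Type, UserGroupInformation, KMSOp, String clientIp)` has exactly the parameter types the old keyed form `(…, String key)` had. A call site left at the old shape therefore still compiles and silently passes the key name as the client IP with a `null` key. The call sites visible in this diff are all updated, but any outside the hunks cannot be confirmed from here. Dropping the key-less overload and passing `null` explicitly, e.g. `assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS, null, request.getRemoteAddr());`, would turn a missed call site into a compile error. The same collision exists in `RangerKmsAuthorizer`, where the three-argument `hasAccess` used to take `keyName` and now takes `clientIp`.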
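Review bot: `request.getRemoteAddr()` in `createKey` returns the address of the immediate TCP peer, so if KMS is deployed behind a load balancer or reverse proxy the value handed to the authorizer and its audit trail is the proxy's address, not the caller's. Since this value now reaches `RangerKMSAccessRequest.setClientIPAddress`, that limitation is worth a comment where the address is read, and any later move to a forwarded-address header should accept it only from configured proxy addresses. The call is also repeated for each check in the method (again in the `SET_KEY_MATERIAL` and `Type.GET` hunks); reading it once, `final String clientIp = request.getRemoteAddr();`, keeps the checks consistent and shortens the lines. The same pattern recurs in the other resource methods of this file; `createKey` continues beyond this hunk.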
@@ -115,7 +117,7 @@ public class KMS { jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD); if (material != null) { assertAccess(Type.SET_KEY_MATERIAL, user, - KMSOp.CREATE_KEY, name); + KMSOp.CREATE_KEY, name, request.getRemoteAddr()); } final KeyProvider.Options options = new KeyProvider.Options( KMSWebApp.getConfiguration()); @@ -144,7 +146,7 @@ public class KMS { kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" + (material != null) + " Description:" + description); - if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) { + if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) { keyVersion = removeKeyMaterial(keyVersion); } Map json = KMSServerJSONUtils.toJSON(keyVersion); @@ -158,11 +160,11 @@ public class KMS { @DELETE @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}") - public Response deleteKey(@PathParam("name") final String name) + public Response deleteKey(@PathParam("name") final String name, @Context HttpServletRequest request) throws Exception { KMSWebApp.getAdminCallsMeter().mark(); UserGroupInformation user = HttpUserGroupInformation.get(); - assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name); + assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name, request.getRemoteAddr()); KMSClientProvider.checkNotEmpty(name, "name"); user.doAs(new PrivilegedExceptionAction<Void>() { 
@@ -184,16 +186,16 @@ public class KMS { @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) public Response rolloverKey(@PathParam("name") final String name, - Map jsonMaterial) throws Exception { + Map jsonMaterial, @Context HttpServletRequest request) throws Exception { KMSWebApp.getAdminCallsMeter().mark(); UserGroupInformation user = HttpUserGroupInformation.get(); - assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name); + assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr()); KMSClientProvider.checkNotEmpty(name, "name"); final String material = (String) jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD); if (material != null) { assertAccess(Type.SET_KEY_MATERIAL, user, - KMSOp.ROLL_NEW_VERSION, name); + KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr()); } KeyProvider.KeyVersion keyVersion = user.doAs( @@ -212,7 +214,7 @@ public class KMS { kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" + (material != null) + " NewVersion:" + keyVersion.getVersionName()); - if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) { + if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) { keyVersion = removeKeyMaterial(keyVersion); } Map json = KMSServerJSONUtils.toJSON(keyVersion); 
@@ -223,12 +225,12 @@ public class KMS { @Path(KMSRESTConstants.KEYS_METADATA_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY) - List<String> keyNamesList) throws Exception { + List<String> keyNamesList, @Context HttpServletRequest request) throws Exception { KMSWebApp.getAdminCallsMeter().mark(); UserGroupInformation user = HttpUserGroupInformation.get(); final String[] keyNames = keyNamesList.toArray( new String[keyNamesList.size()]); - assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA); + assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA, request.getRemoteAddr()); KeyProvider.Metadata[] keysMeta = user.doAs( new PrivilegedExceptionAction<KeyProvider.Metadata[]>() { @@ -247,10 +249,10 @@ public class KMS { @GET @Path(KMSRESTConstants.KEYS_NAMES_RESOURCE) @Produces(MediaType.APPLICATION_JSON) - public Response getKeyNames() throws Exception { + public Response getKeyNames(@Context HttpServletRequest request) throws Exception { KMSWebApp.getAdminCallsMeter().mark(); UserGroupInformation user = HttpUserGroupInformation.get(); - assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS); + assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS, request.getRemoteAddr()); List<String> json = user.doAs( new PrivilegedExceptionAction<List<String>>() { 
@@ -267,21 +269,21 @@ public class KMS { @GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}") - public Response getKey(@PathParam("name") String name) + public Response getKey(@PathParam("name") String name, @Context HttpServletRequest request) throws Exception { - return getMetadata(name); + return getMetadata(name, request); } @GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.METADATA_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) - public Response getMetadata(@PathParam("name") final String name) + public Response getMetadata(@PathParam("name") final String name, @Context HttpServletRequest request) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); KMSWebApp.getAdminCallsMeter().mark(); - assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name); + assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name, request.getRemoteAddr()); KeyProvider.Metadata metadata = user.doAs( new PrivilegedExceptionAction<KeyProvider.Metadata>() { @@ -301,12 +303,12 @@ public class KMS { @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) - public Response getCurrentVersion(@PathParam("name") final String name) + public Response getCurrentVersion(@PathParam("name") final String name, @Context HttpServletRequest request) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); - assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name); + assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name, request.getRemoteAddr()); KeyVersion keyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { 
@@ -329,11 +331,11 @@ public class KMS { @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}") @Produces(MediaType.APPLICATION_JSON) public Response getKeyVersion( - @PathParam("versionName") final String versionName) throws Exception { + @PathParam("versionName") final String versionName, @Context HttpServletRequest request) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(versionName, "versionName"); KMSWebApp.getKeyCallsMeter().mark(); - assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION); + assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION, request.getRemoteAddr()); KeyVersion keyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { @@ -360,7 +362,7 @@ public class KMS { @PathParam("name") final String name, @QueryParam(KMSRESTConstants.EEK_OP) String edekOp, @DefaultValue("1") - @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys) + @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys, @Context HttpServletRequest request) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); @@ -368,7 +370,7 @@ public class KMS { Object retJSON; if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) { - assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name); + assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name, request.getRemoteAddr()); final List<EncryptedKeyVersion> retEdeks = new LinkedList<EncryptedKeyVersion>(); @@ -412,7 +414,7 @@ public class KMS { public Response decryptEncryptedKey( @PathParam("versionName") final String versionName, @QueryParam(KMSRESTConstants.EEK_OP) String eekOp, - Map jsonPayload) + Map jsonPayload, @Context HttpServletRequest request) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(versionName, "versionName"); 
@@ -425,7 +427,7 @@ public class KMS { (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD); Object retJSON; if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) { - assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName); + assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName, request.getRemoteAddr()); KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD); final byte[] iv = Base64.decodeBase64(ivStr); KMSClientProvider.checkNotNull(encMaterialStr, @@ -461,12 +463,12 @@ public class KMS { @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.VERSIONS_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) - public Response getKeyVersions(@PathParam("name") final String name) + public Response getKeyVersions(@PathParam("name") final String name, @Context HttpServletRequest request) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); - assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name); + assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name, request.getRemoteAddr()); List<KeyVersion> ret = user.doAs( new PrivilegedExceptionAction<List<KeyVersion>>() { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java index dc09709..ff2f6d9 100755 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java 
@@ -195,7 +195,7 @@ public class KMSACLs implements Runnable, KeyACLs { * @return true is user has access */ @Override - public boolean hasAccess(Type type, UserGroupInformation ugi) { + public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) { boolean access = acls.get(type).isUserAllowed(ugi); if (access) { AccessControlList blacklist = blacklistedAcls.get(type); @@ -206,9 +206,9 @@ public class KMSACLs implements Runnable, KeyACLs { @Override public void assertAccess(Type aclType, - UserGroupInformation ugi, KMSOp operation, String key) + UserGroupInformation ugi, KMSOp operation, String key, String clientIp) throws AccessControlException { - if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) { + if (!KMSWebApp.getACLs().hasAccess(aclType, ugi, clientIp)) { KMSWebApp.getUnauthorizedCallsMeter().mark(); KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key); throw new AuthorizationException(String.format( http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java index 1e43dac..201ecbb 100755 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java 
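Review bot: The denial path in `assertAccess` still calls `KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key)`, so the new `clientIp` argument never reaches the KMS audit record for a rejected request; `RangerKmsAuthorizer.assertAccess` has the same call. If the KMS audit log is meant to show where a denied call came from, `unauthorized` needs a variant that takes the address, which is outside this diff. In `hasAccess` above, the visible lines decide on `ugi` alone and do not read `clientIp`; a Javadoc line such as `@param clientIp remote address of the caller; not used by the static ACLs` would make that explicit. Both method bodies continue outside their hunks.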
@@ -27,6 +27,7 @@ import java.util.Map; import org.apache.hadoop.crypto.key.KeyProvider; import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension; import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp; +import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AuthorizationException; @@ -86,10 +87,10 @@ public class KeyAuthorizationKeyProvider extends KeyProviderCryptoExtension { public void stopReloader(); - public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi); + public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi, String clientIp); public void assertAccess(KMSACLsType.Type aclType, UserGroupInformation ugi, - KMSOp operation, String key) throws AccessControlException; + KMSOp operation, String key, String clientIp) throws AccessControlException; } private final KeyProviderCryptoExtension provider; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java ---------------------------------------------------------------------- diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java index 12945d7..2e1cacc 100644 --- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java +++ b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java 
@@ -25,17 +25,19 @@ import org.junit.Test; public class TestKMSACLs { + String ipAddress = "192.168.90.1"; + @Test public void testDefaults() { KMSACLs acls = new KMSACLs(new Configuration(false)); for (Type type : Type.values()) { Assert.assertTrue(acls.hasAccess(type, - UserGroupInformation.createRemoteUser("foo"))); + UserGroupInformation.createRemoteUser("foo"), ipAddress)); } } @Test - public void testCustom() { + public void testCustom() { Configuration conf = new Configuration(false); for (Type type : Type.values()) { conf.set(type.getAclConfigKey(), type.toString() + " "); @@ -43,10 +45,9 @@ public class TestKMSACLs { KMSACLs acls = new KMSACLs(conf); for (Type type : Type.values()) { Assert.assertTrue(acls.hasAccess(type, - UserGroupInformation.createRemoteUser(type.toString()))); + UserGroupInformation.createRemoteUser(type.toString()), ipAddress)); Assert.assertFalse(acls.hasAccess(type, - UserGroupInformation.createRemoteUser("foo"))); + UserGroupInformation.createRemoteUser("foo"), ipAddress)); } } - } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java index eb2081d..3407a1d 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java +++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java @@ -20,6 +20,7 @@ package org.apache.ranger.authorization.kms.authorizer; import java.net.InetAddress; +import java.net.UnknownHostException; import java.util.HashMap; import java.util.Map; import java.util.concurrent.Executors; 
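Review bot: `String ipAddress = "192.168.90.1";` in `TestKMSACLs` is a package-private, mutable instance field holding a constant; `private static final String IP_ADDRESS = "192.168.90.1";` states the intent. The updated assertions only pass the value through, and the `KMSACLs.hasAccess` lines shown in this commit do not read it, so these tests do not cover the behaviour the commit is about: that the address reaches the Ranger access request. A test for that would belong with `RangerKmsAuthorizer`.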
@@ -138,11 +139,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { * @return true is user has access */ @Override - public boolean hasAccess(Type type, UserGroupInformation ugi) { + public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ")"); } - boolean ret = false; RangerKMSPlugin plugin = kmsPlugin; String rangerAccessType = getRangerAccessType(type); @@ -153,7 +153,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { } if(plugin != null && ret) { - RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi); + RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp); RangerAccessResult result = plugin.isAccessAllowed(request); ret = result == null ? false : result.getIsAllowed(); } @@ -165,11 +165,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { return ret; } - public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName) { + public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")"); } - boolean ret = false; RangerKMSPlugin plugin = kmsPlugin; String rangerAccessType = getRangerAccessType(type); @@ -180,7 +179,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { } if(plugin != null && ret) { - RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi); + RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp); RangerAccessResult result = plugin.isAccessAllowed(request); ret = result == null ? false : result.getIsAllowed(); } 
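Review bot: The entry debug line in `hasAccess` still logs only `type` and `ugi`, so the trace that would show whether a client address actually arrived omits it. Adding it, `LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ", " + clientIp + ")");`, makes the fix verifiable from the log. The keyed `hasAccess` overload in this file and `assertAccess` have the same gap. The method body continues outside this hunk.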
@@ -193,13 +192,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { } @Override - public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key) + public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key, String clientIp) throws AccessControlException { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key + ", " + ugi +", " + aclType + ")"); } key = (key == null)?"":key; - if (!hasAccess(aclType, ugi, key)) { + if (!hasAccess(aclType, ugi, key, clientIp)) { KMSWebApp.getUnauthorizedCallsMeter().mark(); KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key); throw new AuthorizationException(String.format( @@ -217,7 +216,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { if(LOG.isDebugEnabled()) { LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")"); } - + return true; } @@ -331,22 +330,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { } class RangerKMSAccessRequest extends RangerAccessRequestImpl { - public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi) { + public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi, String clientIp) { super.setResource(new RangerKMSResource(keyName)); super.setAccessType(accessType); super.setUser(ugi.getShortUserName()); super.setUserGroups(Sets.newHashSet(ugi.getGroupNames())); super.setAccessTime(StringUtil.getUTCDate()); - super.setClientIPAddress(getRemoteIp()); + super.setClientIPAddress(clientIp); super.setAction(accessType); } - - private static String getRemoteIp() { - String ret = null ; - InetAddress ip = Server.getRemoteIp() ; - if (ip != null) { - ret = ip.getHostAddress(); - } - return ret ; - } }
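Review bot: `RangerKMSAccessRequest` now forwards `clientIp` to `setClientIPAddress` unchecked, and the private `getRemoteIp()` fallback is removed, so a caller that passes `null` or an empty string produces a request with no client address and nothing reports it. A short constructor Javadoc stating where the value comes from (in this commit `HttpServletRequest.getRemoteAddr()`) and whether `null` is acceptable would help implementers of other call paths. With `getRemoteIp()` gone, `java.net.InetAddress` looks unused in the visible lines, and the newly added `import java.net.UnknownHostException;` is not used by any hunk shown; both should be dropped if the rest of the file does not need them.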
