Repository: incubator-ranger Updated Branches: refs/heads/master 6411479b8 -> 9d29006ee
RANGER-557: Ranger Storm authorizer to be consistent with default authorizer Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9d29006e Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9d29006e Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9d29006e Branch: refs/heads/master Commit: 9d29006ee770487b84fa94c37918d99163a62053 Parents: 6411479 Author: rmani <[email protected]> Authored: Tue Jun 16 19:50:30 2015 -0700 Committer: rmani <[email protected]> Committed: Tue Jun 16 19:50:30 2015 -0700
----------------------------------------------------------------------
.../storm/authorizer/RangerStormAuthorizer.java | 62 +++++++++++---------
1 file changed, 35 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9d29006e/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
index b94988b..3687527 100644
--- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
+++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
@@ -21,6 +21,7 @@ import java.security.Principal;
 import java.util.Map;
+import java.util.Set;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.storm.StormRangerPlugin;
@@ -30,6 +31,8 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import com.google.common.collect.Sets;
+
 import backtype.storm.Config;
 import backtype.storm.security.auth.IAuthorizer;
 import backtype.storm.security.auth.ReqContext;
@@ -39,7 +42,9 @@ public class RangerStormAuthorizer implements IAuthorizer {
 private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizer.class);
 static final StormRangerPlugin plugin = new StormRangerPlugin();
-
+
+ static final Set<String> noAuthzOperations = Sets.newHashSet(new String[] { "getNimbusConf", "getClusterInfo" });
+
 /**
 * permit() method is invoked for each incoming Thrift request.
 * @param context request context includes info about
@@ -53,7 +58,7 @@ public class RangerStormAuthorizer implements IAuthorizer {
 boolean accessAllowed = false ;
 boolean isAuditEnabled = false;
-
+ String topologyName = null ;
 try {
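Review bot: The new `noAuthzOperations` field in the third hunk is a package-visible `static final` reference to a mutable `HashSet`, and nothing on the hunk records why these two operations skip Ranger policy evaluation; since this set decides which Thrift operations bypass the plugin entirely, it should be immutable, private and documented. Guava is already imported for `Sets`, so `private static final Set<String> noAuthzOperations = ImmutableSet.of("getNimbusConf", "getClusterInfo");` (importing `com.google.common.collect.ImmutableSet` in place of `Sets`) keeps the same lookup while closing the mutability. A comment above it such as `// Operations permitted without consulting Ranger policies, to match Storm's default authorizer (RANGER-557); no audit record is produced for them` captures the intent, the default-authorizer part being what the commit title states rather than something visible here. The branch of permit() that consults this set is in the last hunk, which runs past the end of this view; from what is visible it sets accessAllowed to true and leaves isAuditEnabled at its initial false, so a debug log naming the short-circuited operation there would help when reconciling audit gaps.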
@@ -76,39 +81,42 @@ public class RangerStormAuthorizer implements IAuthorizer { LOG.debug("TOPOLOGY CONFIG MAP is passed as null.") ; } } + + if(noAuthzOperations.contains(aOperationName)) { + accessAllowed = true; + } else { + String userName = null ; + String[] groups = null ; - String userName = null ; - String[] groups = null ; - - Principal user = aRequestContext.principal() ; + Principal user = aRequestContext.principal() ; - if (user != null) { - userName = user.getName() ; - if (userName != null) { - UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ; - userName = ugi.getShortUserName() ; - groups = ugi.getGroupNames() ; - if (LOG.isDebugEnabled()) { - LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]") ; + if (user != null) { + userName = user.getName() ; + if (userName != null) { + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ; + userName = ugi.getShortUserName() ; + groups = ugi.getGroupNames() ; + if (LOG.isDebugEnabled()) { + LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]") ; + } } - } - } - if (userName != null) { - String clientIp = (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress() ) ; - RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName); - RangerAccessResult result = plugin.isAccessAllowed(accessRequest); - accessAllowed = result != null && result.getIsAllowed(); - isAuditEnabled = result != null && result.getIsAudited(); + if (userName != null) { + String clientIp = (aRequestContext.remoteAddress() == null ? 
null : aRequestContext.remoteAddress().getHostAddress() ) ; + RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName); + RangerAccessResult result = plugin.isAccessAllowed(accessRequest); + accessAllowed = result != null && result.getIsAllowed(); + isAuditEnabled = result != null && result.getIsAudited(); - if (LOG.isDebugEnabled()) { - LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); + if (LOG.isDebugEnabled()) { + LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); + } + } + else { + LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } - } - else { - LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } } catch(Throwable t) {
