Repository: incubator-ranger Updated Branches: refs/heads/ranger-rmani [created] ebe83454b
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java b/ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
new file mode 100644
index 0000000..bce7d4a
--- /dev/null
+++ b/ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
@@ -0,0 +1,138 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.storm.authorizer;
+
+
+
+import java.util.Map;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+import backtype.storm.security.auth.IAuthorizer;
+import backtype.storm.security.auth.ReqContext;
+
+public class RangerStormAuthorizer implements IAuthorizer {
+ private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizer.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "storm";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-storm-plugin"};
+ private static final String RANGER_STORM_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizerImpl";
+
+ private IAuthorizer rangerStormAuthorizerImpl = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerStormAuthorizer() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.RangerStormAuthorizer()");
+ }
+
+ this.init();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.RangerStormAuthorizer()");
+ }
+ }
+
+ public void init(){
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.init()");
+ }
+
+ try {
+
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class<IAuthorizer> cls = (Class<IAuthorizer>) Class.forName(RANGER_STORM_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ rangerStormAuthorizerImpl = cls.newInstance();
+ } catch (Exception e) {
+ // check what need to be done
+ LOG.error("Error Enabling RangerHdfsPluing", e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.init()");
+ }
+ }
+
+ @Override
+ public void prepare(Map storm_conf) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.prepare()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ rangerStormAuthorizerImpl.prepare(storm_conf);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.prepare()");
+ }
+
+ }
+
+ @Override
+ public boolean permit(ReqContext context, String operation, Map topology_conf) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.permit()");
+ }
+
+ boolean ret = false;
+
+ try {
+ activatePluginClassLoader();
+
+ ret = rangerStormAuthorizerImpl.permit(context, operation, topology_conf);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.permit()");
+ }
+
+ return ret;
+ }
+
+
+ private void activatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+
+}
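Review bot: A failed plugin load leaves this authorizer constructed but unusable: `init()` catches every `Exception`, only logs it, and leaves `rangerStormAuthorizerImpl` null, so `prepare()` and `permit()` then dereference null and throw `NullPointerException` instead of returning a decision. How Storm treats an exception thrown from `permit()` is not visible here, so the deny path should be explicit: either rethrow from `init()` so the misconfiguration stops start-up, or guard the delegate in `permit()`, e.g. `if (rangerStormAuthorizerImpl == null) { LOG.error("Ranger Storm authorizer implementation not loaded; denying " + operation); return false; }`. The error text also says `RangerHdfsPluing` inside the Storm shim, which will mislead whoever reads the log. `RangerYarnAuthorizer` in this commit follows the same catch-and-continue pattern and needs the same treatment.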
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/ranger-yarn-plugin-shim/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-yarn-plugin-shim/pom.xml b/ranger-yarn-plugin-shim/pom.xml
new file mode 100644
index 0000000..d461ca5
--- /dev/null
+++ b/ranger-yarn-plugin-shim/pom.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>security_plugins.ranger-yarn-plugin-shim</groupId>
+ <artifactId>ranger-yarn-plugin-shim</artifactId>
+ <name>YARN Security Plugin Shim</name>
+ <description>YARN Security Plugin Shim</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.5.0</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>security_plugins.ranger-plugins-common</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>security_plugins.ranger-plugins-audit</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>credentialbuilder</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-yarn-common</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-yarn-api</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>security_plugins.ranger-plugin-classloader</groupId>
+ <artifactId>ranger-plugin-classloader</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
new file mode 100644
index 0000000..d9612b4
--- /dev/null
+++ b/ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
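Review bot: The shim pom declares compile-scope dependencies on `ranger-plugins-common`, `ranger-plugins-audit` and `credentialbuilder`, yet the `RangerYarnAuthorizer` added in this commit imports only Hadoop, commons-logging and `RangerPluginClassLoader`. If the module has no other sources, these three entries can be removed, which keeps the shim from ever linking against implementation classes on the host classpath; that separation is presumably what the plugin class loader is there to provide. The two Hadoop artifacts are presumably supplied by the YARN process at run time, so `<scope>provided</scope>` on them would state that intent.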
@@ -0,0 +1,205 @@
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.yarn.authorizer;
+
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AccessControlList;
+import org.apache.hadoop.yarn.security.AccessType;
+import org.apache.hadoop.yarn.security.PrivilegedEntity;
+import org.apache.hadoop.yarn.security.YarnAuthorizationProvider;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+
+
+public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
+ private static final Log LOG = LogFactory.getLog(RangerYarnAuthorizer.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "yarn";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-yarn-plugin"};
+ private static final String RANGER_YARN_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizerImpl";
+
+ private YarnAuthorizationProvider yarnAuthorizationProviderImpl = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerYarnAuthorizer() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.RangerYarnAuthorizer()");
+ }
+
+ this.init();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.RangerYarnAuthorizer()");
+ }
+ }
+
+ public void init(){
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.init()");
+ }
+
+ try {
+
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class<YarnAuthorizationProvider> cls = (Class<YarnAuthorizationProvider>) Class.forName(RANGER_YARN_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl = cls.newInstance();
+ } catch (Exception e) {
+ // check what need to be done
+ LOG.error("Error Enabling RangerYarnPluing", e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.init()");
+ }
+ }
+
+ @Override
+ public void init(Configuration conf) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.init()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl.init(conf);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.start()");
+ }
+ }
+
+ @Override
+ public boolean checkPermission(AccessType accessType, PrivilegedEntity target, UserGroupInformation user) {
+
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.checkPermission()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ ret = yarnAuthorizationProviderImpl.checkPermission(accessType, target, user);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.checkPermission()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void setPermission(PrivilegedEntity target, Map<AccessType, AccessControlList> acls, UserGroupInformation ugi) {
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.setPermission()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl.setPermission(target, acls, ugi);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.setPermission()");
+ }
+ }
+
+ @Override
+ public void setAdmins(AccessControlList acls, UserGroupInformation ugi) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.setAdmins()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl.setAdmins(acls, ugi);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.setAdmins()");
+ }
+ }
+
+ @Override
+ public boolean isAdmin(UserGroupInformation ugi) {
+
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.setAdmins()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ ret = yarnAuthorizationProviderImpl.isAdmin(ugi);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.setAdmins()");
+ }
+
+ return ret;
+ }
+
+ private void activatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/src/main/assembly/hbase-agent.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/hbase-agent.xml b/src/main/assembly/hbase-agent.xml
index 0f22066..0ffc65c 100644
--- a/src/main/assembly/hbase-agent.xml
+++ b/src/main/assembly/hbase-agent.xml
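Review bot: Several trace messages in RangerYarnAuthorizer.java name the wrong method, which makes debug logs of authorization calls hard to follow: `init(Configuration)` closes with `"<== RangerYarnAuthorizer.start()"`, and `isAdmin()` logs `RangerYarnAuthorizer.setAdmins()` on both entry and exit. They should read `"<== RangerYarnAuthorizer.init()"` and `"==> RangerYarnAuthorizer.isAdmin()"` / `"<== RangerYarnAuthorizer.isAdmin()"`. The class also has no Javadoc; a short class comment saying that it is a shim which loads `RangerYarnAuthorizerImpl` through `RangerPluginClassLoader` and delegates each call with that loader activated would help the next reader. The `RANGER_PLUGIN_LIB_DIR` constant is never read in this file and should be removed or put to use.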
@@ -28,21 +28,34 @@ <binaries> <includeDependencies>false</includeDependencies> <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <outputDirectory>/lib</outputDirectory> + </binaries> + <includes> + <include>security_plugins.ranger-hbase-plugin-shim:ranger-hbase-plugin-shim</include> + <include>security_plugins.ranger-plugin-classloader:ranger-plugin-classloader</include> + </includes> + </moduleSet> + <moduleSet> + <binaries> + <includeDependencies>false</includeDependencies> + <unpack>false</unpack> <directoryMode>755</directoryMode> <fileMode>644</fileMode> <dependencySets> <dependencySet> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-hbase-plugin-impl</outputDirectory> <includes> <include>com.google.code.gson:gson*</include> <include>org.eclipse.persistence:eclipselink</include> - <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> - <include>org.noggit:noggit:jar:${noggit.version}</include> + <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> + <include>org.noggit:noggit:jar:${noggit.version}</include> </includes> <unpack>false</unpack> </dependencySet> </dependencySets> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-hbase-plugin-impl</outputDirectory> </binaries> <includes> <include>org.apache.ranger:ranger_solrj</include> @@ -55,7 +68,7 @@ </moduleSet> <moduleSet> <binaries> - <includeDependencies>false</includeDependencies> + <includeDependencies>true</includeDependencies> <dependencySets> <dependencySet> <outputDirectory>/install/lib</outputDirectory> 
@@ -67,7 +80,7 @@ <include>commons-io:commons-io:jar:${commons.io.version}</include> <include>commons-lang:commons-lang</include> <include>commons-logging:commons-logging:jar:${commons.logging.version}</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.hamcrest:hamcrest-all</include> <include>junit:junit</include> <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/src/main/assembly/hdfs-agent.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/hdfs-agent.xml b/src/main/assembly/hdfs-agent.xml index 2c18001..deec461 100644 --- a/src/main/assembly/hdfs-agent.xml +++ b/src/main/assembly/hdfs-agent.xml 
@@ -24,39 +24,24 @@ <baseDirectory>${project.name}-${project.version}-hdfs-plugin</baseDirectory> <includeBaseDirectory>true</includeBaseDirectory> <moduleSets> + <moduleSet> <binaries> <includeDependencies>false</includeDependencies> <unpack>false</unpack> <directoryMode>755</directoryMode> <fileMode>644</fileMode> - <dependencySets> - <dependencySet> - <outputDirectory>/lib</outputDirectory> - <includes> - <include>com.google.code.gson:gson*</include> - <include>org.eclipse.persistence:javax.persistence</include> - <include>org.eclipse.persistence:eclipselink</include> - <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> - <include>org.noggit:noggit:jar:${noggit.version}</include> - </includes> - <unpack>false</unpack> - </dependencySet> - </dependencySets> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib</outputDirectory> </binaries> <includes> - <include>org.apache.ranger:ranger_solrj</include> - <include>security_plugins.ranger-plugins-audit:ranger-plugins-audit</include> - <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred</include> - <include>security_plugins.ranger-plugins-impl:ranger-plugins-impl</include> - <include>security_plugins.ranger-plugins-common:ranger-plugins-common</include> - <include>security_plugins.ranger-hdfs-plugin:ranger-hdfs-plugin</include> - </includes> + <include>security_plugins.ranger-hdfs-plugin-shim:ranger-hdfs-plugin-shim</include> + <include>security_plugins.ranger-plugin-classloader:ranger-plugin-classloader</include> + </includes> </moduleSet> + <moduleSet> <binaries> - <includeDependencies>false</includeDependencies> + <includeDependencies>true</includeDependencies> <dependencySets> <dependencySet> <outputDirectory>/install/lib</outputDirectory> 
@@ -68,9 +53,9 @@ <include>commons-io:commons-io:jar:${commons.io.version}</include> <include>commons-lang:commons-lang</include> <include>commons-logging:commons-logging:jar:${commons.logging.version}</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.hamcrest:hamcrest-all</include> - <include>junit:junit</include> + <include>junit:junit:${junit.version}</include> <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include> <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version}</include> 
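Review bot: The changed junit entry in hdfs-agent.xml, `junit:junit:${junit.version}`, has three segments, while every versioned entry around it uses `groupId:artifactId:jar:version`. In the Assembly plugin's pattern syntax the third segment is, as far as I know, the artifact type, so this pattern would most likely match nothing and junit would drop out of `/install/lib` with at most a warning. If pinning the version is the goal, write `<include>junit:junit:jar:${junit.version}</include>`. The other descriptors touched in this commit keep the unversioned `junit:junit`, so one form should be used throughout. The enclosing dependencySet starts and ends outside this hunk.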
@@ -85,6 +70,38 @@ <include>org.apache.ranger:credentialbuilder</include> </includes> </moduleSet> + + <moduleSet> + <binaries> + <includeDependencies>true</includeDependencies> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <dependencySets> + <dependencySet> + <outputDirectory>/lib/ranger-hdfs-plugin-impl</outputDirectory> + <includes> + <include>com.google.code.gson:gson*</include> + <include>org.eclipse.persistence:javax.persistence</include> + <include>org.eclipse.persistence:eclipselink</include> + <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> + <include>org.noggit:noggit:jar:${noggit.version}</include> + </includes> + <unpack>false</unpack> + </dependencySet> + </dependencySets> + <outputDirectory>/lib/ranger-hdfs-plugin-impl</outputDirectory> + </binaries> + <includes> + <include>org.apache.ranger:ranger_solrj</include> + <include>security_plugins.ranger-plugins-audit:ranger-plugins-audit</include> + <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred</include> + <include>security_plugins.ranger-plugins-impl:ranger-plugins-impl</include> + <include>security_plugins.ranger-plugins-common:ranger-plugins-common</include> + <include>security_plugins.ranger-hdfs-plugin:ranger-hdfs-plugin</include> + </includes> + </moduleSet> + </moduleSets> <fileSets> <!-- conf.templates for enable --> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/src/main/assembly/hive-agent.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/hive-agent.xml b/src/main/assembly/hive-agent.xml index d21c6b8..9122547 100644 --- a/src/main/assembly/hive-agent.xml +++ b/src/main/assembly/hive-agent.xml 
@@ -24,6 +24,19 @@ <baseDirectory>${project.name}-${project.version}-hive-plugin</baseDirectory> <includeBaseDirectory>true</includeBaseDirectory> <moduleSets> + <moduleSet> + <binaries> + <includeDependencies>false</includeDependencies> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <outputDirectory>/lib</outputDirectory> + </binaries> + <includes> + <include>security_plugins.ranger-hive-plugin-shim:ranger-hive-plugin-shim</include> + <include>security_plugins.ranger-plugin-classloader:ranger-plugin-classloader</include> + </includes> + </moduleSet> <moduleSet> <binaries> <includeDependencies>false</includeDependencies> @@ -32,18 +45,18 @@ <fileMode>644</fileMode> <dependencySets> <dependencySet> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-hive-plugin-impl</outputDirectory> <includes> <include>com.google.code.gson:gson*</include> <include>org.eclipse.persistence:eclipselink</include> <include>org.eclipse.persistence:javax.persistence</include> - <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> - <include>org.noggit:noggit:jar:${noggit.version}</include> + <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> + <include>org.noggit:noggit:jar:${noggit.version}</include> </includes> <unpack>false</unpack> </dependencySet> </dependencySets> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-hive-plugin-impl</outputDirectory> </binaries> <includes> <include>org.apache.ranger:ranger_solrj</include> @@ -56,7 +69,7 @@ </moduleSet> <moduleSet> <binaries> - <includeDependencies>false</includeDependencies> + <includeDependencies>true</includeDependencies> <dependencySets> <dependencySet> <outputDirectory>/install/lib</outputDirectory> 
@@ -68,7 +81,7 @@ <include>commons-io:commons-io:jar:${commons.io.version}</include> <include>commons-lang:commons-lang</include> <include>commons-logging:commons-logging:jar:${commons.logging.version}</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.hamcrest:hamcrest-all</include> <include>junit:junit</include> <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/src/main/assembly/knox-agent.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml index 4806343..dc73f69 100644 --- a/src/main/assembly/knox-agent.xml +++ b/src/main/assembly/knox-agent.xml @@ -24,6 +24,21 @@ <baseDirectory>${project.name}-${project.version}-knox-plugin</baseDirectory> <includeBaseDirectory>true</includeBaseDirectory> <moduleSets> + + <moduleSet> + <binaries> + <includeDependencies>false</includeDependencies> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <outputDirectory>/lib</outputDirectory> + </binaries> + <includes> + <include>security_plugins.ranger-knox-plugin-shim:ranger-knox-plugin-shim</include> + <include>security_plugins.ranger-plugin-classloader:ranger-plugin-classloader</include> + </includes> + </moduleSet> + <moduleSet> <binaries> <includeDependencies>false</includeDependencies> 
@@ -32,10 +47,10 @@ <fileMode>644</fileMode> <dependencySets> <dependencySet> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-knox-plugin-impl</outputDirectory> <includes> <include>commons-configuration:commons-configuration</include> - <include>com.google.code.gson:gson*</include> + <include>com.google.code.gson:gson*</include> <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include> <include>org.noggit:noggit:jar:${noggit.version}</include> <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include> @@ -45,7 +60,7 @@ <unpack>false</unpack> </dependencySet> </dependencySets> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-knox-plugin-impl</outputDirectory> </binaries> <includes> <include>org.apache.ranger:ranger_solrj</include> @@ -72,7 +87,7 @@ <include>commons-io:commons-io:jar:${commons.io.version}</include> <include>commons-lang:commons-lang</include> <include>commons-logging:commons-logging:jar:${commons.logging.version}</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.hamcrest:hamcrest-all</include> <include>junit:junit</include> <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/src/main/assembly/plugin-kafka.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/plugin-kafka.xml b/src/main/assembly/plugin-kafka.xml index 3727bde..31498e5 100644 --- a/src/main/assembly/plugin-kafka.xml +++ b/src/main/assembly/plugin-kafka.xml 
@@ -20,14 +20,28 @@ <includeBaseDirectory>true</includeBaseDirectory> <moduleSets> <moduleSet> + <binaries> + <includeDependencies>false</includeDependencies> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <outputDirectory>/lib</outputDirectory> + </binaries> + <includes> + <include>security_plugins.ranger-kafka-plugin-shim:ranger-kafka-plugin-shim</include> + <include>security_plugins.ranger-plugin-classloader:ranger-plugin-classloader</include> + </includes> + </moduleSet> + + <moduleSet> <binaries> - <includeDependencies>false</includeDependencies> + <includeDependencies>true</includeDependencies> <unpack>false</unpack> <directoryMode>755</directoryMode> <fileMode>644</fileMode> <dependencySets> <dependencySet> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>lib/ranger-kafka-plugin-impl</outputDirectory> <unpack>false</unpack> <includes> <include>commons-configuration:commons-configuration:jar:${commons.configuration.version} @@ -38,6 +52,7 @@ </include> <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} </include> + <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include> <include>com.google.code.gson:gson</include> <include>org.eclipse.persistence:eclipselink</include> <include>org.eclipse.persistence:javax.persistence</include> @@ -47,7 +62,7 @@ </include> <include>commons-lang:commons-lang</include> <include>commons-io:commons-io</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version} </include> <include>org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version} 
@@ -59,7 +74,6 @@ <include>org.codehaus.jackson:jackson-jaxrs</include> <include>org.codehaus.jackson:jackson-mapper-asl</include> <include>org.codehaus.jackson:jackson-xc</include> - </includes> </dependencySet> <dependencySet> @@ -77,7 +91,7 @@ <include>commons-lang:commons-lang:jar:${commons.lang.version} </include> <include>commons-logging:commons-logging</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.hamcrest:hamcrest-all</include> <include>junit:junit</include> <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> @@ -91,20 +105,14 @@ </includes> </dependencySet> </dependencySets> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>lib/ranger-kafka-plugin-impl</outputDirectory> </binaries> <includes> + <include>security_plugins.ranger-kafka-plugin:ranger-kafka-plugin</include> <include>org.apache.ranger:ranger_solrj</include> - <include>security_plugins.ranger-plugins-audit:ranger-plugins-audit - </include> - <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred - </include> - <include>security_plugins.ranger-plugins-impl:ranger-plugins-impl - </include> - <include>security_plugins.ranger-plugins-common:ranger-plugins-common - </include> - <include>security_plugins.ranger-kafka-plugin:ranger-kafka-plugin - </include> + <include>security_plugins.ranger-plugins-audit:ranger-plugins-audit</include> + <include>security_plugins.ranger-plugins-cred:ranger-plugins-cred</include> + <include>security_plugins.ranger-plugins-common:ranger-plugins-common</include> </includes> </moduleSet> <moduleSet> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/src/main/assembly/plugin-yarn.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/plugin-yarn.xml b/src/main/assembly/plugin-yarn.xml index a791bba..6f8e33b 100644 --- a/src/main/assembly/plugin-yarn.xml 
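Review bot: In the last plugin-kafka.xml hunk (`@@ -91,20 +105,14 @@`) the rewritten module include list no longer contains `security_plugins.ranger-plugins-impl:ranger-plugins-impl`, although the change otherwise reads as a reflow of the same entries onto single lines. The hdfs descriptor in this commit still ships that module under its `-impl` directory, so the omission may be accidental. If the Kafka plugin really no longer needs it, the commit message should say so; otherwise restore `<include>security_plugins.ranger-plugins-impl:ranger-plugins-impl</include>`.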
+++ b/src/main/assembly/plugin-yarn.xml @@ -24,6 +24,20 @@ <baseDirectory>${project.name}-${project.version}-yarn-plugin</baseDirectory> <includeBaseDirectory>true</includeBaseDirectory> <moduleSets> + <moduleSet> + <binaries> + <includeDependencies>false</includeDependencies> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> + <outputDirectory>/lib</outputDirectory> + </binaries> + <includes> + <include>security_plugins.ranger-yarn-plugin-shim:ranger-yarn-plugin-shim</include> + <include>security_plugins.ranger-plugin-classloader:ranger-plugin-classloader</include> + </includes> + </moduleSet> + <moduleSet> <binaries> <includeDependencies>false</includeDependencies> @@ -32,7 +46,7 @@ <fileMode>644</fileMode> <dependencySets> <dependencySet> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-yarn-plugin-impl</outputDirectory> <unpack>false</unpack> <includes> <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include> @@ -54,8 +68,8 @@ <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include> <include>commons-io:commons-io:jar:${commons.io.version}</include> <include>commons-lang:commons-lang:jar:${commons.lang.version}</include> - <include>commons-logging:commons-logging</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>commons-logging:commons-logging:jar:${commons.logging.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.hamcrest:hamcrest-all</include> <include>junit:junit</include> <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> @@ -66,7 +80,7 @@ </includes> </dependencySet> </dependencySets> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>/lib/ranger-yarn-plugin-impl</outputDirectory> </binaries> <includes> <include>org.apache.ranger:ranger_solrj</include> 
@@ -79,7 +93,7 @@ </moduleSet> <moduleSet> <binaries> - <includeDependencies>false</includeDependencies> + <includeDependencies>true</includeDependencies> <outputDirectory>/install/lib</outputDirectory> <unpack>false</unpack> </binaries> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/src/main/assembly/storm-agent.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/storm-agent.xml b/src/main/assembly/storm-agent.xml index 12ec052..a5f4b2c 100644 --- a/src/main/assembly/storm-agent.xml +++ b/src/main/assembly/storm-agent.xml @@ -30,9 +30,22 @@ <unpack>false</unpack> <directoryMode>755</directoryMode> <fileMode>644</fileMode> + <outputDirectory>/lib</outputDirectory> + </binaries> + <includes> + <include>security_plugins.ranger-storm-plugin-shim:ranger-storm-plugin-shim</include> + <include>security_plugins.ranger-plugin-classloader:ranger-plugin-classloader</include> + </includes> + </moduleSet> + <moduleSet> + <binaries> + <includeDependencies>true</includeDependencies> + <unpack>false</unpack> + <directoryMode>755</directoryMode> + <fileMode>644</fileMode> <dependencySets> <dependencySet> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>lib/ranger-storm-plugin-impl</outputDirectory> <unpack>false</unpack> <includes> <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include> 
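Review bot: In the first storm-agent.xml hunk the implementation jars are sent to `lib/ranger-storm-plugin-impl`, but the shim added in this commit declares `RANGER_PLUGIN_LIB_DIR = {"lib/ranger-storm-plugin"}` and never reads it; the Yarn shim has the same mismatch with `/lib/ranger-yarn-plugin-impl`. Which directory `RangerPluginClassLoader` actually scans is not visible here, so either drop the constant or make it agree with the descriptor, because a wrong directory means the authorizer implementation is not found at start-up. The path is also written without a leading slash here and in plugin-kafka.xml but with one (`/lib/...-impl`) in the hbase, hive, knox, hdfs and yarn descriptors; one form should be used throughout.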
@@ -44,7 +57,7 @@ <include>commons-collections:commons-collections</include> <include>com.sun.jersey:jersey-bundle</include> <include>commons-logging:commons-logging:jar:${commons.logging.version}</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.codehaus.jackson:jackson-jaxrs:jar:${codehaus.jackson.version}</include> <include>org.codehaus.jackson:jackson-core-asl:jar:${codehaus.jackson.storm.version}</include> <include>org.codehaus.jackson:jackson-mapper-asl:jar:${codehaus.jackson.storm.version}</include> @@ -55,7 +68,7 @@ <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include> <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include> <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include> - <include>commons-cli:commons-cli:jar:${commons.cli.version}</include> + <include>commons-cli:commons-cli:jar:${commons.cli.version}</include> <include>commons-lang:commons-lang:jar:${commons.lang.version}</include> <include>commons-io:commons-io:jar:${commons.io.version}</include> </includes> @@ -72,7 +85,7 @@ <include>commons-io:commons-io:jar:${commons.io.version}</include> <include>commons-lang:commons-lang:jar:${commons.lang.version}</include> <include>commons-logging:commons-logging</include> - <include>com.google.guava:guava:jar:${guava.version}</include> + <include>com.google.guava:guava:jar:${google.guava.version}</include> <include>org.hamcrest:hamcrest-all</include> <include>junit:junit</include> <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include> 
@@ -83,7 +96,7 @@ </includes> </dependencySet> </dependencySets> - <outputDirectory>/lib</outputDirectory> + <outputDirectory>lib/ranger-storm-plugin-impl</outputDirectory> </binaries> <includes> <include>org.apache.ranger:ranger_solrj</include> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java ---------------------------------------------------------------------- diff --git a/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java b/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java deleted file mode 100644 index 723dd79..0000000 --- a/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package com.xasecure.authorization.storm.authorizer; - -import org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizer; - -/** - * This class exists only to provide for seamless upgrade/downgrade capabilities. Class name is in storm conf which must allow for seamles upgrade and downgrade. - * Thus when class names were changed XaSecure* -> Ranger* this shell class serves to allow for seamles upgrade as well as downgrade. - * - * This class is final because if one needs to customize coprocessor it is expected that RangerStormAuthorizer would be modified/extended as that is - * the "real" authorizer! This class, hence, should NEVER be more than an EMPTY shell! - */ -final public class XaSecureStormAuthorizer extends RangerStormAuthorizer { -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java ---------------------------------------------------------------------- 
diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java deleted file mode 100644 index 3687527..0000000 --- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java +++ /dev/null 
@@ -1,148 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package org.apache.ranger.authorization.storm.authorizer; - -import java.security.Principal; -import java.util.Map; -import java.util.Set; - -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.ranger.authorization.storm.StormRangerPlugin; -import org.apache.ranger.authorization.utils.StringUtil; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.collect.Sets; - -import backtype.storm.Config; -import backtype.storm.security.auth.IAuthorizer; -import backtype.storm.security.auth.ReqContext; - -public class RangerStormAuthorizer implements IAuthorizer { - - private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizer.class); - - static final StormRangerPlugin plugin = new StormRangerPlugin(); - - static final Set<String> noAuthzOperations = Sets.newHashSet(new String[] { "getNimbusConf", "getClusterInfo" }); - - /** - * permit() method is invoked for each incoming Thrift request. 
- * @param context request context includes info about - * @param operation operation name - * @param topology_storm configuration of targeted topology - * @return true if the request is authorized, false if reject - */ - - @Override - public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) { - - boolean accessAllowed = false ; - boolean isAuditEnabled = false; - - String topologyName = null ; - - try { - topologyName = (aTopologyConfigMap == null ? "" : (String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME)) ; - - if (LOG.isDebugEnabled()) { - LOG.debug("[req "+ aRequestContext.requestID()+ "] Access " - + " from: [" + aRequestContext.remoteAddress() + "]" - + " user: [" + aRequestContext.principal() + "]," - + " op: [" + aOperationName + "]," - + "topology: [" + topologyName + "]") ; - - if (aTopologyConfigMap != null) { - for(Object keyObj : aTopologyConfigMap.keySet()) { - Object valObj = aTopologyConfigMap.get(keyObj) ; - LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]"); - } - } - else { - LOG.debug("TOPOLOGY CONFIG MAP is passed as null.") ; - } - } - - if(noAuthzOperations.contains(aOperationName)) { - accessAllowed = true; - } else { - String userName = null ; - String[] groups = null ; - - Principal user = aRequestContext.principal() ; - - if (user != null) { - userName = user.getName() ; - if (userName != null) { - UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ; - userName = ugi.getShortUserName() ; - groups = ugi.getGroupNames() ; - if (LOG.isDebugEnabled()) { - LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]") ; - } - } - } - - - if (userName != null) { - String clientIp = (aRequestContext.remoteAddress() == null ? 
null : aRequestContext.remoteAddress().getHostAddress() ) ; - RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName); - RangerAccessResult result = plugin.isAccessAllowed(accessRequest); - accessAllowed = result != null && result.getIsAllowed(); - isAuditEnabled = result != null && result.getIsAudited(); - - if (LOG.isDebugEnabled()) { - LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); - } - } - else { - LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); - } - } - } - catch(Throwable t) { - LOG.error("RangerStormAuthorizer found this exception", t); - } - finally { - if (LOG.isDebugEnabled()) { - LOG.debug("[req "+ aRequestContext.requestID()+ "] Access " - + " from: [" + aRequestContext.remoteAddress() + "]" - + " user: [" + aRequestContext.principal() + "]," - + " op: [" + aOperationName + "]," - + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled) ; - } - } - - return accessAllowed ; - } - - /** - * Invoked once immediately after construction - * @param conf Storm configuration - */ - - @Override - public void prepare(Map aStormConfigMap) { - plugin.init(); - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebe83454/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizerImpl.java ---------------------------------------------------------------------- 
diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizerImpl.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizerImpl.java new file mode 100644 index 0000000..2cf4c00 --- /dev/null +++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizerImpl.java 
@@ -0,0 +1,148 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.authorization.storm.authorizer; + +import java.security.Principal; +import java.util.Map; +import java.util.Set; + +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.ranger.authorization.storm.StormRangerPlugin; +import org.apache.ranger.authorization.utils.StringUtil; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.collect.Sets; + +import backtype.storm.Config; +import backtype.storm.security.auth.IAuthorizer; +import backtype.storm.security.auth.ReqContext; + +public class RangerStormAuthorizerImpl implements IAuthorizer { + + private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizerImpl.class); + + static final StormRangerPlugin plugin = new StormRangerPlugin(); + + static final Set<String> noAuthzOperations = Sets.newHashSet(new String[] { "getNimbusConf", "getClusterInfo" }); + + /** + * permit() method is invoked for each incoming Thrift request. 
+ * @param context request context includes info about + * @param operation operation name + * @param topology_storm configuration of targeted topology + * @return true if the request is authorized, false if reject + */ + + @Override + public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) { + + boolean accessAllowed = false ; + boolean isAuditEnabled = false; + + String topologyName = null ; + + try { + topologyName = (aTopologyConfigMap == null ? "" : (String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME)) ; + + if (LOG.isDebugEnabled()) { + LOG.debug("[req "+ aRequestContext.requestID()+ "] Access " + + " from: [" + aRequestContext.remoteAddress() + "]" + + " user: [" + aRequestContext.principal() + "]," + + " op: [" + aOperationName + "]," + + "topology: [" + topologyName + "]") ; + + if (aTopologyConfigMap != null) { + for(Object keyObj : aTopologyConfigMap.keySet()) { + Object valObj = aTopologyConfigMap.get(keyObj) ; + LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]"); + } + } + else { + LOG.debug("TOPOLOGY CONFIG MAP is passed as null.") ; + } + } + + if(noAuthzOperations.contains(aOperationName)) { + accessAllowed = true; + } else { + String userName = null ; + String[] groups = null ; + + Principal user = aRequestContext.principal() ; + + if (user != null) { + userName = user.getName() ; + if (userName != null) { + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ; + userName = ugi.getShortUserName() ; + groups = ugi.getGroupNames() ; + if (LOG.isDebugEnabled()) { + LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]") ; + } + } + } + + + if (userName != null) { + String clientIp = (aRequestContext.remoteAddress() == null ? 
null : aRequestContext.remoteAddress().getHostAddress() ) ; + RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName); + RangerAccessResult result = plugin.isAccessAllowed(accessRequest); + accessAllowed = result != null && result.getIsAllowed(); + isAuditEnabled = result != null && result.getIsAudited(); + + if (LOG.isDebugEnabled()) { + LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); + } + } + else { + LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); + } + } + } + catch(Throwable t) { + LOG.error("RangerStormAuthorizer found this exception", t); + } + finally { + if (LOG.isDebugEnabled()) { + LOG.debug("[req "+ aRequestContext.requestID()+ "] Access " + + " from: [" + aRequestContext.remoteAddress() + "]" + + " user: [" + aRequestContext.principal() + "]," + + " op: [" + aOperationName + "]," + + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled) ; + } + } + + return accessAllowed ; + } + + /** + * Invoked once immediately after construction + * @param conf Storm configuration + */ + + @Override + public void prepare(Map aStormConfigMap) { + plugin.init(); + } + +}
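Review bot: The debug branch of `permit()` writes every key and value of `aTopologyConfigMap` to the log via `LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]")`, and a topology config is supplied by the submitter and may carry credentials such as a ZooKeeper auth payload. Enabling debug to diagnose an authorization problem would then copy those values into the authorizer log for anyone who can read it. The decision itself only reads `Config.TOPOLOGY_NAME`, so I would log the keys alone, `LOG.debug("TOPOLOGY CONFIG MAP keys: " + aTopologyConfigMap.keySet());`, or drop the loop. Separately, the Javadoc `@param` names (`context`, `operation`, `topology_storm`) do not match the parameters `aRequestContext`, `aOperationName` and `aTopologyConfigMap`.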
