Repository: incubator-ranger
Updated Branches:
  refs/heads/master ce45eff83 -> 2f6483721


RANGER-1034:Ranger KMS plugin should not add dependent libraries in Ranger KMS 
classpath


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2f648372
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2f648372
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2f648372

Branch: refs/heads/master
Commit: 2f648372129ae7486fa562550099830b0c49f922
Parents: ce45eff
Author: rmani <[email protected]>
Authored: Tue Jun 14 22:41:09 2016 -0700
Committer: rmani <[email protected]>
Committed: Tue Jun 14 22:41:09 2016 -0700

----------------------------------------------------------------------
 kms/pom.xml                                     |   5 +
 pom.xml                                         |   2 +
 ranger-kms-plugin-shim/.gitignore               |   1 +
 ranger-kms-plugin-shim/pom.xml                  |  65 +++++
 .../kms/authorizer/RangerKmsAuthorizer.java     | 244 +++++++++++++++++++
 src/main/assembly/kms.xml                       |  22 +-
 src/main/assembly/plugin-kms.xml                |  17 +-
 7 files changed, 350 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2f648372/kms/pom.xml
----------------------------------------------------------------------
diff --git a/kms/pom.xml b/kms/pom.xml
index 9c9a606..ccfa1ff 100644
--- a/kms/pom.xml
+++ b/kms/pom.xml
@@ -220,6 +220,11 @@
             <artifactId>httpclient</artifactId>
             <version>${httpcomponents.httpclient.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>${kms.httpcomponents.httpclient.version}</version>
+        </dependency>
         <!-- change for version variable -->
         <dependency>
             <groupId>javax.activation</groupId>
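Review bot: The added `<dependency>` declares `org.apache.httpcomponents:httpclient` a second time, directly after the context entry that already lists `<artifactId>httpclient</artifactId>` with `${httpcomponents.httpclient.version}`. Assuming that earlier entry has the same groupId (its opening lines are outside the hunk), Maven treats this as a duplicate declaration, and the POM no longer states plainly which version reaches the KMS classpath. I would change the existing entry's version to `${kms.httpcomponents.httpclient.version}` rather than add a second block. A comment such as `<!-- KMS pins its own httpclient version; review it whenever the project-wide httpclient property is updated -->` would keep the separate 4.3.6 pin in the root pom.xml from being overlooked during dependency updates.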

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2f648372/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 9f04e96..c931db4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -105,6 +105,7 @@
         <module>ranger-kafka-plugin-shim</module>
         <module>ranger-solr-plugin-shim</module>
         <module>ranger-atlas-plugin-shim</module>
+        <module>ranger-kms-plugin-shim</module>
         <module>ranger-hive-utils</module>
         <module>ranger-examples</module>
         <module>ranger-tools</module>
@@ -187,6 +188,7 @@
         <jsr305.version>1.3.9</jsr305.version>
         <junit.version>4.12</junit.version>
         <kafka.version>0.10.0.0</kafka.version>
+        
<kms.httpcomponents.httpclient.version>4.3.6</kms.httpcomponents.httpclient.version>
         <knox.gateway.version>0.6.0</knox.gateway.version>
         <local.lib.dir>${project.basedir}/../lib/local</local.lib.dir>
         <log4j.version>1.2.17</log4j.version>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2f648372/ranger-kms-plugin-shim/.gitignore
----------------------------------------------------------------------
diff --git a/ranger-kms-plugin-shim/.gitignore 
b/ranger-kms-plugin-shim/.gitignore
new file mode 100644
index 0000000..b83d222
--- /dev/null
+++ b/ranger-kms-plugin-shim/.gitignore
@@ -0,0 +1 @@
+/target/

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2f648372/ranger-kms-plugin-shim/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-kms-plugin-shim/pom.xml b/ranger-kms-plugin-shim/pom.xml
new file mode 100644
index 0000000..5f3114c
--- /dev/null
+++ b/ranger-kms-plugin-shim/pom.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>ranger-kms-plugin-shim</artifactId>
+    <name>KMS Security Plugin Shim</name>
+    <description>KMS Security Plugin Shim</description>
+    <packaging>jar</packaging>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+    <parent>
+        <groupId>org.apache.ranger</groupId>
+        <artifactId>ranger</artifactId>
+        <version>0.6.0-SNAPSHOT</version>
+        <relativePath>..</relativePath>
+    </parent>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-plugins-common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-plugins-audit</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-kms</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+           <groupId>org.apache.solr</groupId>
+           <artifactId>solr-solrj</artifactId>
+          <version>${solr.version}</version>
+        </dependency>
+        <dependency>
+                       <groupId>org.apache.httpcomponents</groupId>
+                       <artifactId>httpcore</artifactId>
+                       <version>${httpcomponents.httpcore.version}</version>
+               </dependency>
+               <dependency>
+                       <groupId>org.apache.ranger</groupId>
+                       <artifactId>ranger-plugin-classloader</artifactId>
+                       <version>${project.version}</version>
+       </dependency>
+    </dependencies>
+</project>
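Review bot: The shim's `<dependencies>` list declares `ranger-plugins-common`, `ranger-plugins-audit`, `solr-solrj` and `httpcore` at the default compile scope, yet the only class this commit adds to the module imports just the Hadoop KMS server types, commons-logging and `RangerPluginClassLoader`. Since the shim exists to keep implementation libraries off the KMS classpath, these entries work against that goal: as far as this page shows, only `<includeDependencies>false</includeDependencies>` in the assemblies keeps them out of the packaged lib directory. Consider dropping the entries the shim does not compile against, or marking them `<scope>provided</scope>`, with a short comment above `<dependencies>` stating that the shim must stay minimal.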

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2f648372/ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
 
b/ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
new file mode 100644
index 0000000..3b123bb
--- /dev/null
+++ 
b/ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -0,0 +1,244 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.kms.authorizer;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp;
+import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
+import 
org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs;
+import 
org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType;
+import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+public class RangerKmsAuthorizer implements Runnable, KeyACLs {
+
+       private static final Log LOG  = 
LogFactory.getLog(RangerKmsAuthorizer.class);
+
+       private static final String   RANGER_PLUGIN_TYPE                      = 
"kms";
+       private static final String   RANGER_KMS_AUTHORIZER_IMPL_CLASSNAME  = 
"org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer";
+
+       private Object          impl         = null;
+       private Runnable        implRunnable = null;
+       private KeyACLs         implKeyACLs      = null;
+
+       private static          RangerPluginClassLoader rangerPluginClassLoader 
  = null;
+
+
+       public RangerKmsAuthorizer() {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> 
RangerKmsAuthorizer.RangerKmsAuthorizer()");
+               }
+
+               this.init();
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== 
RangerKmsAuthorizer.RangerKmsAuthorizer()");
+               }
+       }
+
+       private void init(){
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.init()");
+               }
+
+               try {
+
+                       rangerPluginClassLoader = 
RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+                       Class<?> cls = 
Class.forName(RANGER_KMS_AUTHORIZER_IMPL_CLASSNAME, true, 
rangerPluginClassLoader);
+
+                       activatePluginClassLoader();
+
+                       impl                       = cls.newInstance();
+                       implRunnable       = (Runnable)impl;
+                       implKeyACLs        = (KeyACLs)impl;
+               } catch (Exception e) {
+                       // check what need to be done
+                       LOG.error("Error Enabling RangerKMSPlugin", e);
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.init()");
+               }
+       }
+
+       @Override
+       public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, 
KeyOpType opType) {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + 
keyName + ", " + ugi +", " + opType + ")");
+               }
+
+               boolean ret = false;
+
+               try {
+                       activatePluginClassLoader();
+
+                       ret = implKeyACLs.hasAccessToKey(keyName,ugi,opType);
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + 
keyName + ", " + ugi +", " + opType + ")");
+               }
+
+               return ret;
+       }
+
+       @Override
+       public boolean isACLPresent(String aclName, KeyOpType opType) {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.isACLPresent(" + 
aclName + ", " + opType + ")");
+               }
+
+               boolean ret = false;
+
+               try {
+                       activatePluginClassLoader();
+
+                       ret = implKeyACLs.isACLPresent(aclName,opType);
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.isACLPresent(" + 
aclName + ", " + opType + ")");
+               }
+
+               return ret;
+       }
+
+
+       @Override
+       public boolean hasAccess(Type aclType, UserGroupInformation ugi, String 
clientIp) {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + 
aclType + ", " + ugi + ")");
+               }
+
+               boolean ret = false;
+
+               try {
+                       activatePluginClassLoader();
+
+                       ret = implKeyACLs.hasAccess(aclType,ugi,clientIp);
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.hasAccess(" + 
aclType + ", " + ugi + ")");
+               }
+
+               return ret;
+       }
+
+       @Override
+       public void assertAccess(Type aclType, UserGroupInformation ugi,KMSOp 
operation, String key, String clientIp) throws AccessControlException {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key 
+ ", " + ugi +", " + aclType + ")");
+               }
+
+               try {
+                       activatePluginClassLoader();
+
+                       
implKeyACLs.assertAccess(aclType,ugi,operation,key,clientIp);
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.assertAccess(" + key 
+ ", " + ugi +", " + aclType + ")");
+               }
+
+       }
+
+       @Override
+       public void startReloader() {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.startReloader()");
+               }
+
+               try {
+                       activatePluginClassLoader();
+
+                       implKeyACLs.startReloader();
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.startReloader()");
+               }
+       }
+
+       @Override
+       public void stopReloader() {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.stopReloader()");
+               }
+
+               try {
+                       activatePluginClassLoader();
+
+                       implKeyACLs.stopReloader();
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.stopReloader()");
+               }
+       }
+
+       @Override
+       public void run() {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerKmsAuthorizer.run()");
+               }
+
+               try {
+                       activatePluginClassLoader();
+                       implRunnable.run();
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerKmsAuthorizer.run()");
+               }
+
+       }
+
+       private void activatePluginClassLoader() {
+               if(rangerPluginClassLoader != null) {
+                       rangerPluginClassLoader.activate();
+               }
+       }
+
+       private void deactivatePluginClassLoader() {
+               if(rangerPluginClassLoader != null) {
+                       rangerPluginClassLoader.deactivate();
+               }
+       }
+}
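Review bot: In `init()` the `catch (Exception e)` only logs `Error Enabling RangerKMSPlugin`, so a failed load leaves `implKeyACLs` and `implRunnable` null while the constructor still returns normally; every later `hasAccessToKey`, `hasAccess` or `assertAccess` call then ends in a NullPointerException rather than a defined authorization outcome. For an access-control component I would fail at construction by adding `throw new IllegalStateException("Error Enabling RangerKMSPlugin", e);` after the `LOG.error` line, which also resolves the `// check what need to be done` placeholder. Separately, `activatePluginClassLoader()` is only reached after `getInstance` and `Class.forName` succeed, but the `finally` always calls `deactivatePluginClassLoader()`, so a failure in either call deactivates without a matching activate; tracking whether activation happened would keep the pair balanced. Whether an unbalanced deactivate is harmful depends on `RangerPluginClassLoader`, which is not shown here.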

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2f648372/src/main/assembly/kms.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml
index 0598e39..1390642 100755
--- a/src/main/assembly/kms.xml
+++ b/src/main/assembly/kms.xml
@@ -100,11 +100,11 @@
                                        <include>xmlenc:xmlenc</include>
                                        <include>org.tukaani:xz</include>
                                        
<include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
+                                       
<include>org.apache.httpcomponents:httpclient:jar:${kms.httpcomponents.httpclient.version}</include>
                                
<include>org.noggit:noggit:jar:${noggit.version}</include>
                                
<include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
                                
<include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
                                
<include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
-                               
<include>org.apache.ranger:ranger-plugins-common</include>
                    </includes>
             </dependencySet>
         </dependencySets>
@@ -181,9 +181,23 @@
         <unpack>false</unpack>
            <directoryMode>755</directoryMode>
            <fileMode>644</fileMode>
+           <outputDirectory>/ews/webapp/WEB-INF/classes/lib</outputDirectory>
+     </binaries>
+     <includes>
+         <include>org.apache.ranger:ranger-kms-plugin-shim</include>
+         <include>org.apache.ranger:ranger-plugin-classloader</include>
+         <include>org.apache.ranger:credentialbuilder</include>
+     </includes>
+       </moduleSet>
+    <moduleSet>
+     <binaries>
+        <includeDependencies>false</includeDependencies>
+        <unpack>false</unpack>
+           <directoryMode>755</directoryMode>
+           <fileMode>644</fileMode>
         <dependencySets>
             <dependencySet>
-                <outputDirectory>/ews/plugin/lib</outputDirectory>
+                
<outputDirectory>/ews/webapp/WEB-INF/classes/lib/ranger-kms-plugin-impl</outputDirectory>
                 <unpack>false</unpack>
                 <includes>
                     
<include>commons-configuration:commons-configuration:jar:${commons.pool.version}</include>
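Review bot: Nothing in the assembly states that the split between the new `<moduleSet>` (shim, `ranger-plugin-classloader`, `credentialbuilder` in `/ews/webapp/WEB-INF/classes/lib`) and the set now writing to `.../lib/ranger-kms-plugin-impl` is the isolation boundary this commit introduces. A later edit that adds an `<include>` to the wrong set would quietly put that library back on the KMS classpath. I would add `<!-- shim and classloader only: these jars are visible to the KMS webapp -->` above the first set and `<!-- implementation jars: loaded by RangerPluginClassLoader from ranger-kms-plugin-impl, keep off the webapp classpath -->` above the second; the directory name presumably has to match what the class loader looks up, which is worth confirming and stating. The same comments apply to the first hunk of `src/main/assembly/plugin-kms.xml`, and both moduleSets begin or end outside this hunk.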
@@ -198,6 +212,7 @@
                                
<include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
                                
<include>org.noggit:noggit:jar:${noggit.version}</include>
                                
<include>org.apache.zookeeper:zookeeper:jar:${zookeeper.version}</include>
+                               <include>org.apache.solr:solr-solrj</include>
                 </includes>
             </dependencySet>
             <dependencySet>
@@ -221,14 +236,13 @@
                     </includes>
             </dependencySet>
         </dependencySets>
-        <outputDirectory>/ews/webapp/WEB-INF/classes/lib</outputDirectory>
+        
<outputDirectory>/ews/webapp/WEB-INF/classes/lib/ranger-kms-plugin-impl</outputDirectory>
      </binaries>
      <includes>
                <include>org.apache.ranger:ranger-plugins-audit</include>
                <include>org.apache.ranger:ranger-plugins-cred</include>
                <include>org.apache.ranger:ranger-plugins-common</include>
                <include>org.apache.ranger:ranger-kms-plugin</include>
-               <include>org.apache.ranger:credentialbuilder</include>
      </includes>
     </moduleSet>
     <moduleSet>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2f648372/src/main/assembly/plugin-kms.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/plugin-kms.xml b/src/main/assembly/plugin-kms.xml
index a0ac51f..69fe437 100755
--- a/src/main/assembly/plugin-kms.xml
+++ b/src/main/assembly/plugin-kms.xml
@@ -30,9 +30,22 @@
         <unpack>false</unpack>
            <directoryMode>755</directoryMode>
            <fileMode>644</fileMode>
+           <outputDirectory>/lib</outputDirectory>
+     </binaries>
+     <includes>
+         <include>org.apache.ranger:ranger-kms-plugin-shim</include>
+         <include>org.apache.ranger:ranger-plugin-classloader</include>
+      </includes>
+       </moduleSet>
+    <moduleSet>
+     <binaries>
+        <includeDependencies>false</includeDependencies>
+        <unpack>false</unpack>
+           <directoryMode>755</directoryMode>
+           <fileMode>644</fileMode>
         <dependencySets>
             <dependencySet>
-                <outputDirectory>/lib</outputDirectory>
+                <outputDirectory>/lib/ranger-kms-plugin-impl</outputDirectory>
                 <unpack>false</unpack>
                 <includes>
                     
<include>commons-configuration:commons-configuration:jar:${commons.pool.version}</include>
@@ -72,7 +85,7 @@
                     </includes>
             </dependencySet>
         </dependencySets>
-        <outputDirectory>/lib</outputDirectory>
+        <outputDirectory>/lib/ranger-kms-plugin-impl</outputDirectory>
      </binaries>
      <includes>
                <include>org.apache.ranger:ranger-plugins-audit</include>
