Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.6 6d30412d4 -> 13e36cf1d
RANGER-1129: Ability to specify 'audit all accesses' via Ranger admin configuration Signed-off-by: Madhan Neethiraj <mad...@apache.org> (cherry picked from commit 6bdb535df11f31e5701f1b5865e9da72e5cf44a8) Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b323f908 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b323f908 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b323f908 Branch: refs/heads/ranger-0.6 Commit: b323f9088ae0b73db492c03aa48bcc178be4e9b1 Parents: 6d30412 Author: Abhay Kulkarni <akulka...@hortonworks.com> Authored: Wed Jul 27 19:10:43 2016 -0700 Committer: Madhan Neethiraj <mad...@apache.org> Committed: Thu Sep 15 12:13:27 2016 -0700 ---------------------------------------------------------------------- .../plugin/policyengine/RangerPolicyEngine.java | 4 + .../policyengine/RangerPolicyRepository.java | 78 +++++-- .../ranger/plugin/util/ServicePolicies.java | 35 +++- .../plugin/policyengine/TestPolicyEngine.java | 22 ++ .../test_policyengine_hdfs_allaudit.json | 205 +++++++++++++++++++ .../test_policyengine_hdfs_noaudit.json | 205 +++++++++++++++++++ .../org/apache/ranger/biz/ServiceDBStore.java | 22 ++ 7 files changed, 548 insertions(+), 23 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b323f908/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 360da0c..3e69d03 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -33,6 +33,10 @@ public interface RangerPolicyEngine { String ANY_ACCESS = "_any"; String ADMIN_ACCESS = "_admin"; + String AUDIT_ALL = "audit-all"; + String AUDIT_NONE = "audit-none"; + String AUDIT_DEFAULT = "audit-default"; + String getServiceName(); RangerServiceDef getServiceDef(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b323f908/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index be98f3b..01a547c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -35,13 +35,22 @@ import org.apache.ranger.plugin.util.RangerPerfTracer; import org.apache.ranger.plugin.util.ServiceDefUtil; import org.apache.ranger.plugin.util.ServicePolicies; -import java.util.*; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.Iterator; +import java.util.List; +import java.util.Map; public class RangerPolicyRepository { private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class); private static final Log PERF_CONTEXTENRICHER_INIT_LOG = RangerPerfTracer.getPerfLogger("contextenricher.init"); + private enum AuditModeEnum { + AUDIT_ALL, AUDIT_NONE, AUDIT_DEFAULT + } + private final String serviceName; private final String appId; private final RangerServiceDef serviceDef; 
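Review bot: The three AUDIT_* constants added to RangerPolicyEngine carry no Javadoc, yet they are the wire values of ServicePolicies.auditMode that every plugin must interpret, and `audit-none` is an operator-level switch that suppresses audit records for a whole service regardless of any policy's isAuditEnabled. A comment above them would save the next reader a trip into RangerPolicyRepository: `/** Service-wide audit mode sent by Ranger Admin in ServicePolicies.auditMode: audit every request, audit nothing, or honour each policy's isAuditEnabled. Any other value is treated as AUDIT_DEFAULT by the plugin. */`. The "any other value" clause is worth stating because the fallback is what a typo in the admin configuration lands on.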
@@ -51,6 +60,7 @@ public class RangerPolicyRepository { private List<RangerPolicyEvaluator> policyEvaluators; private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators; private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators; + private final AuditModeEnum auditModeEnum; private final Map<String, Boolean> accessAuditCache; private final String componentServiceName; 
@@ -71,17 +81,35 @@ public class RangerPolicyRepository { LOG.debug("RangerPolicyRepository : building resource-policy-repository for service " + serviceName); } - String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize"; - - if (options.cacheAuditResults) { - final int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024; + String auditMode = servicePolicies.getAuditMode(); - int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE); - accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize)); + if (StringUtils.equals(auditMode, RangerPolicyEngine.AUDIT_ALL)) { + auditModeEnum = AuditModeEnum.AUDIT_ALL; + } else if (StringUtils.equals(auditMode, RangerPolicyEngine.AUDIT_NONE)) { + auditModeEnum = AuditModeEnum.AUDIT_NONE; } else { + auditModeEnum = AuditModeEnum.AUDIT_DEFAULT; + } + + if (auditModeEnum == AuditModeEnum.AUDIT_DEFAULT) { + String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize"; + + if (options.cacheAuditResults) { + final int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64 * 1024; + + int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE); + accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize)); + } else { accessAuditCache = null; } + } else { + this.accessAuditCache = null; + } + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyRepository : building policy-repository for service[" + serviceName + + "] with auditMode[" + auditModeEnum + "]"); + } init(options); } 
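Review bot: The string-to-enum mapping in this constructor silently maps any unrecognised value (`audit_none`, `Audit-None`, a trailing space) to AUDIT_DEFAULT, and the identical if/else chain is repeated in the tag-policy constructor below, so a shared helper that also reports unknown input would remove the duplication and make a misconfiguration visible. Switching a service to `audit-none` stops audit records for every request, which this hunk reports only at DEBUG level; a security-relevant state change like that deserves an INFO/WARN line so it is visible in the plugin log. It is also now the case that `options.cacheAuditResults` is ignored unless the mode is AUDIT_DEFAULT, which looks intended but is undocumented. Both constructors would then reduce to `auditModeEnum = toAuditModeEnum(servicePolicies.getAuditMode(), serviceName);`.
```java
// Map the auditMode string sent by Ranger Admin to the internal enum.
// Unknown values fall back to AUDIT_DEFAULT (per-policy isAuditEnabled) and are logged,
// so a typo in the admin configuration never silently changes audit behaviour.
private static AuditModeEnum toAuditModeEnum(String auditMode, String serviceName) {
    if (StringUtils.equals(auditMode, RangerPolicyEngine.AUDIT_ALL)) {
        return AuditModeEnum.AUDIT_ALL;
    }
    if (StringUtils.equals(auditMode, RangerPolicyEngine.AUDIT_NONE)) {
        LOG.info("RangerPolicyRepository: auditMode for service[" + serviceName + "] is " + auditMode
                + "; access audit records will not be generated for this service");
        return AuditModeEnum.AUDIT_NONE;
    }
    if (auditMode != null && !StringUtils.equals(auditMode, RangerPolicyEngine.AUDIT_DEFAULT)) {
        LOG.warn("RangerPolicyRepository: unknown auditMode[" + auditMode + "] for service[" + serviceName
                + "]; using " + RangerPolicyEngine.AUDIT_DEFAULT);
    }
    return AuditModeEnum.AUDIT_DEFAULT;
}
```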
@@ -100,10 +128,22 @@ public class RangerPolicyRepository { this.policies = Collections.unmodifiableList(normalizeAndPrunePolicies(tagPolicies.getPolicies(), componentServiceDef.getName())); this.policyVersion = tagPolicies.getPolicyVersion() != null ? tagPolicies.getPolicyVersion() : -1; + + String auditMode = tagPolicies.getAuditMode(); + + if (StringUtils.equals(auditMode, RangerPolicyEngine.AUDIT_ALL)) { + auditModeEnum = AuditModeEnum.AUDIT_ALL; + } else if (StringUtils.equals(auditMode, RangerPolicyEngine.AUDIT_NONE)) { + auditModeEnum = AuditModeEnum.AUDIT_NONE; + } else { + auditModeEnum = AuditModeEnum.AUDIT_DEFAULT; + } + this.accessAuditCache = null; if(LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyRepository : building tag-policy-repository for tag service " + serviceName); + LOG.debug("RangerPolicyRepository : building tag-policy-repository for tag service[" + serviceName + + "] with auditMode[" + auditModeEnum +"]"); } init(options); @@ -472,8 +512,18 @@ public class RangerPolicyRepository { Boolean value = null; - if (accessAuditCache != null) { - value = accessAuditCache.get(request.getResource().getAsString()); + switch (auditModeEnum) { + case AUDIT_ALL: + value = Boolean.TRUE; + break; + case AUDIT_NONE: + value = Boolean.FALSE; + break; + default: + if (accessAuditCache != null) { + value = accessAuditCache.get(request.getResource().getAsString()); + } + break; } if ((value != null)) { 
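Review bot: In the new switch, AUDIT_NONE fixes `value` to FALSE before the cache or any policy is consulted, so a policy whose isAuditEnabled is true is still not audited — the admin-side setting wins over every per-policy flag, which is the intent of the change but is stated nowhere in the code. A one-line comment above the switch would make that precedence explicit: `// AUDIT_ALL/AUDIT_NONE override per-policy isAuditEnabled; only AUDIT_DEFAULT consults the cache and the policies`. The enclosing method begins and ends outside the hunk, so I cannot see how `value` is applied to the result; if it is written with isAuditedDetermined set to true, the evaluators have nothing further to decide in those two modes and that is worth noting in the same comment.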
@@ -492,14 +542,10 @@ public class RangerPolicyRepository { LOG.debug("==> RangerPolicyRepository.storeAuditEnabledInCache()"); } - if ((ret.getIsAuditedDetermined())) { + if (accessAuditCache != null && ret.getIsAuditedDetermined()) { String strResource = request.getResource().getAsString(); - Boolean value = ret.getIsAudited() ? Boolean.TRUE : Boolean.FALSE; - - if (accessAuditCache != null) { - accessAuditCache.put(strResource, value); - } + accessAuditCache.put(strResource, value); } if (LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b323f908/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java index d450af1..3764d1c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java @@ -29,6 +29,7 @@ import javax.xml.bind.annotation.XmlRootElement; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.codehaus.jackson.annotate.JsonAutoDetect; import org.codehaus.jackson.annotate.JsonIgnoreProperties; import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility; @@ -50,6 +51,7 @@ public class ServicePolicies implements java.io.Serializable { private Date policyUpdateTime; private List<RangerPolicy> policies; private RangerServiceDef serviceDef; + private String auditMode = RangerPolicyEngine.AUDIT_DEFAULT; private TagPolicies tagPolicies; /** 
@@ -124,6 +126,14 @@ public class ServicePolicies implements java.io.Serializable { public void setServiceDef(RangerServiceDef serviceDef) { this.serviceDef = serviceDef; } + + public String getAuditMode() { + return auditMode; + } + + public void setAuditMode(String auditMode) { + this.auditMode = auditMode; + } /** * @return the tagPolicies */ @@ -146,6 +156,7 @@ public class ServicePolicies implements java.io.Serializable { .add("policyUpdateTime", policyUpdateTime) .add("policies", policies) .add("serviceDef", serviceDef) + .add("auditMode", auditMode) .add("tagPolicies", tagPolicies) .toString(); } @@ -164,6 +175,7 @@ public class ServicePolicies implements java.io.Serializable { private Date policyUpdateTime; private List<RangerPolicy> policies; private RangerServiceDef serviceDef; + private String auditMode = RangerPolicyEngine.AUDIT_DEFAULT; /** * @return the serviceName */ @@ -237,16 +249,25 @@ public class ServicePolicies implements java.io.Serializable { this.serviceDef = serviceDef; } + public String getAuditMode() { + return auditMode; + } + + public void setAuditMode(String auditMode) { + this.auditMode = auditMode; + } + @Override public String toString() { return Objects.toStringHelper(this.getClass()) - .add("serviceName", serviceName) - .add("serviceId", serviceId) - .add("policyVersion", policyVersion) - .add("policyUpdateTime", policyUpdateTime) - .add("policies", policies) - .add("serviceDef", serviceDef) - .toString(); + .add("serviceName", serviceName) + .add("serviceId", serviceId) + .add("policyVersion", policyVersion) + .add("policyUpdateTime", policyUpdateTime) + .add("policies", policies) + .add("serviceDef", serviceDef) + .add("auditMode", auditMode) + .toString(); } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b323f908/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- 
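Review bot: `setAuditMode` on both ServicePolicies and TagPolicies accepts any string, and neither the field nor the accessors say what the valid values are; since this class is the JSON wire format between Ranger Admin and the plugins, the contract belongs here. Suggested Javadoc on each getter: `/** Audit mode requested by Ranger Admin: one of RangerPolicyEngine.AUDIT_ALL, AUDIT_NONE or AUDIT_DEFAULT. Admin servers that predate this field omit it; the default keeps per-policy auditing. */`. Initialising the field to AUDIT_DEFAULT rather than leaving it null is the right choice for that compatibility case and should be mentioned so nobody "simplifies" it away.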
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index dd15ff8..1d03ef8 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -167,6 +167,20 @@ public class TestPolicyEngine { } @Test + public void testPolicyEngine_hdfs_allaudit() { + String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_hdfs_allaudit.json" }; + + runTestsFromResourceFiles(hdfsTestResourceFiles); + } + + @Test + public void testPolicyEngine_hdfs_noaudit() { + String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_hdfs_noaudit.json" }; + + runTestsFromResourceFiles(hdfsTestResourceFiles); + } + + @Test public void testPolicyEngine_hdfsForTag() { String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_tag_hdfs.json" }; @@ -255,12 +269,19 @@ public class TestPolicyEngine { servicePolicies.setServiceDef(testCase.serviceDef); servicePolicies.setPolicies(testCase.policies); + if (StringUtils.isNotBlank(testCase.auditMode)) { + servicePolicies.setAuditMode(testCase.auditMode); + } + if (null != testCase.tagPolicyInfo) { ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies(); tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName); tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef); tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies); + if (StringUtils.isNotBlank(testCase.auditMode)) { + tagPolicies.setAuditMode(testCase.auditMode); + } servicePolicies.setTagPolicies(tagPolicies); } 
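Review bot: The two new tests cover `audit-all` and `audit-none` but not the fallback path: nothing asserts that an unrecognised `auditMode` string, or a missing one, leaves per-policy isAuditEnabled in force, which is exactly the branch an operator typo would hit. A third fixture with `"auditMode":"bogus"` (or the field omitted) whose expected isAudited values follow the policies would pin that behaviour. Note also that `testCase.auditMode` is copied onto the tag policies as well, so there is no coverage for the resource and tag repositories carrying different modes.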
@@ -403,6 +424,7 @@ public class TestPolicyEngine { public RangerServiceDef serviceDef; public List<RangerPolicy> policies; public TagPolicyInfo tagPolicyInfo; + public String auditMode; public List<TestData> tests; class TestData { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b323f908/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_allaudit.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_allaudit.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_allaudit.json new file mode 100644 index 0000000..8686251 --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_allaudit.json 
@@ -0,0 +1,205 @@ +{ + "serviceName":"hdfsdev", + + "auditMode":"audit-all", + + "serviceDef":{ + "name":"hdfs", + "id":1, + "resources":[ + {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"} + ], + "accessTypes":[ + {"name":"read","label":"Read"}, + {"name":"write","label":"Write"}, + {"name":"execute","label":"Execute"} + ], + "contextEnrichers": + [ + { + "itemId":1, + "name" : "GeolocationEnricher", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", + "enricherOptions" : { + "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true" + ,"geolocation.meta.prefix": "TEST_" + } + } + ], + "policyConditions": [ + { + "itemId":1, + "name":"ScriptConditionEvaluator", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", + "evaluatorOptions" : {"engineName":"JavaScript"}, + "label":"Script", + "description": "Script to execute" + } + ] + }, + + "policies":[ + {"id":1,"name":"audit-all-access under /finance/restricted/","isEnabled":true,"isAuditEnabled":true, + "resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false, + "resources":{"path":{"values":["/public/*"],"isRecursive":true}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":3,"name":"allow-read-to-finance under /finance/restricted","isEnabled":true,"isAuditEnabled":true, + "resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}}, 
+ "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false, + "conditions":[{ + "type":"ScriptConditionEvaluator", + "values":["var country_code = ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"] + }]} + ] + } + ], + + "tests":[ + {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; valid clientIPAddress", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db", + "remoteIPAddress":"255.255.255.255" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":3} + } + , + {"name":"DENY 'read /finance/restricted/sales.db' for g=finance; invalid clientIPAddress", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db", + "remoteIPAddress":"128.101.101.99" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; no clientIPAddress", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db", + "remoteIPAddress":"128.101.101.101" + + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":3} + } + , + {"name":"DENY 'read /operations/visitors.db' for g=finance", + "request":{ + 
"resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db", + "clientIPAddress":"128.101.101.99" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + + {"name":"DENY 'read /finance/restricted/sales.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /operations/visitors.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + + {"name":"DENY 'read /finance/restricted/sales.db' for u=user1", + "request":{ + 
"resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /operations/visitors.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /operations/visitors.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"execute","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + ] +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b323f908/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_noaudit.json 
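Review bot: Several test names in this fixture contradict the result they assert — `ALLOW 'read /finance/restricted/sales.db' for g=finance; no clientIPAddress` expects `isAllowed:false`, and `FALSE 'read /finance/restricted/hr/payroll.db' for g=hr` is a leftover label — which suggests the file was copied from an existing hdfs fixture with only `isAudited` edited. Renaming them to match the asserted outcome (`DENY ... no clientIPAddress`) keeps a future failure from reading as the opposite of what was intended. One request uses the key `clientIPAddress` where every other uses `remoteIPAddress`; unless both spellings are accepted by the request loader (I cannot confirm from this page), that case is not exercising the condition its name implies.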
---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_noaudit.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_noaudit.json new file mode 100644 index 0000000..cb0ed43 --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_noaudit.json 
@@ -0,0 +1,205 @@ +{ + "serviceName":"hdfsdev", + + "auditMode":"audit-none", + + "serviceDef":{ + "name":"hdfs", + "id":1, + "resources":[ + {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"} + ], + "accessTypes":[ + {"name":"read","label":"Read"}, + {"name":"write","label":"Write"}, + {"name":"execute","label":"Execute"} + ], + "contextEnrichers": + [ + { + "itemId":1, + "name" : "GeolocationEnricher", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", + "enricherOptions" : { + "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true" + ,"geolocation.meta.prefix": "TEST_" + } + } + ], + "policyConditions": [ + { + "itemId":1, + "name":"ScriptConditionEvaluator", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", + "evaluatorOptions" : {"engineName":"JavaScript"}, + "label":"Script", + "description": "Script to execute" + } + ] + }, + + "policies":[ + {"id":1,"name":"audit-all-access under /finance/restricted/","isEnabled":true,"isAuditEnabled":true, + "resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false, + "resources":{"path":{"values":["/public/*"],"isRecursive":true}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":3,"name":"allow-read-to-finance under /finance/restricted","isEnabled":true,"isAuditEnabled":true, + "resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}}, 
+ "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false, + "conditions":[{ + "type":"ScriptConditionEvaluator", + "values":["var country_code = ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"] + }]} + ] + } + ], + + "tests":[ + {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; valid clientIPAddress", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db", + "remoteIPAddress":"255.255.255.255" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":3} + } + , + {"name":"DENY 'read /finance/restricted/sales.db' for g=finance; invalid clientIPAddress", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db", + "remoteIPAddress":"128.101.101.99" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; no clientIPAddress", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db", + "remoteIPAddress":"128.101.101.101" + + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":3} + } + , + {"name":"DENY 'read /operations/visitors.db' for g=finance", + "request":{ + 
"resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db", + "clientIPAddress":"128.101.101.99" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + + {"name":"DENY 'read /finance/restricted/sales.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /operations/visitors.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + + {"name":"DENY 'read /finance/restricted/sales.db' for u=user1", + 
"request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /operations/visitors.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /operations/visitors.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"execute","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + ] +} + 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b323f908/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 27bc277..2338d36 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -56,6 +56,7 @@ import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.util.PasswordUtils; import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.RESTErrorUtil; @@ -2269,6 +2270,8 @@ public class ServiceDBStore extends AbstractServiceStore { List<RangerPolicy> policies = null; ServicePolicies.TagPolicies tagPolicies = null; + String auditMode = getAuditMode(serviceDef.getName(), serviceName); + if (serviceDbObj.getIsenabled()) { if (serviceDbObj.getTagService() != null) { XXService tagServiceDbObj = daoMgr.getXXService().getById(serviceDbObj.getTagService()); @@ -2293,6 +2296,7 @@ public class ServiceDBStore extends AbstractServiceStore { tagPolicies.setPolicyUpdateTime(tagServiceVersionInfoDbObj == null ? null : tagServiceVersionInfoDbObj.getPolicyUpdateTime()); tagPolicies.setPolicies(getServicePoliciesFromDb(tagServiceDbObj)); tagPolicies.setServiceDef(tagServiceDef); + tagPolicies.setAuditMode(auditMode); } } 
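Review bot: `auditMode` is resolved once from the resource service's type and name (`getAuditMode(serviceDef.getName(), serviceName)`) and then copied onto `tagPolicies`, so a `ranger.audit.servicedef.tag.mode` or `ranger.audit.service.<tag-service>.mode` setting is never consulted for tag policies. If one mode per downloaded policy set is intended, a comment beside `tagPolicies.setAuditMode(auditMode)` should say so; otherwise resolve it for the tag service, `tagPolicies.setAuditMode(getAuditMode(tagServiceDef.getName(), tagServiceDbObj.getName()));`. The enclosing method starts before this hunk, so I cannot see whether it returns early when the caller's policy version is current.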
@@ -2310,6 +2314,7 @@ public class ServiceDBStore extends AbstractServiceStore { ret.setPolicyUpdateTime(serviceVersionInfoDbObj == null ? null : serviceVersionInfoDbObj.getPolicyUpdateTime()); ret.setPolicies(policies); ret.setServiceDef(serviceDef); + ret.setAuditMode(auditMode); ret.setTagPolicies(tagPolicies); if (LOG.isDebugEnabled()) { @@ -3795,4 +3800,21 @@ public class ServiceDBStore extends AbstractServiceStore { LOG.error("Error getting Services : "+e.getMessage()); } } + + private String getAuditMode(String serviceTypeName, String serviceName) { + RangerConfiguration config = RangerConfiguration.getInstance(); + String ret = config.get("ranger.audit.global.mode"); + if (StringUtils.isNotBlank(ret)) { + return ret; + } + ret = config.get("ranger.audit.servicedef." + serviceTypeName + ".mode"); + if (StringUtils.isNotBlank(ret)) { + return ret; + } + ret = config.get("ranger.audit.service." + serviceName + ".mode"); + if (StringUtils.isNotBlank(ret)) { + return ret; + } + return RangerPolicyEngine.AUDIT_DEFAULT; + } }
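Review bot: `getAuditMode` returns whatever string is in the configuration without checking it against the three RangerPolicyEngine constants, so a value such as `audit_all` is shipped to every plugin and quietly degrades to per-policy auditing there, while a global `audit-none` silently stops audit records for every service with nothing logged on the admin side. The resolved value should be validated and the effective mode logged, with a WARN whenever it is `audit-none`. The precedence is global > service-def > service, so the most specific setting can never override the global one — the reverse of the usual convention; if that is deliberate it belongs in the method's Javadoc. Because the mode rides on the policy download and nothing in this hunk bumps the policy version, plugins already holding the current version presumably will not see a configuration change until a policy is edited — worth confirming and documenting.
```java
/**
 * Resolves the audit mode sent to plugins for the given service.
 * Precedence is global > service-def > service (the global setting wins).
 * Unknown values are rejected here so that a typo cannot silently change
 * audit behaviour on every plugin.
 */
private String getAuditMode(String serviceTypeName, String serviceName) {
    RangerConfiguration config = RangerConfiguration.getInstance();
    String ret = config.get("ranger.audit.global.mode");
    if (StringUtils.isBlank(ret)) {
        ret = config.get("ranger.audit.servicedef." + serviceTypeName + ".mode");
    }
    if (StringUtils.isBlank(ret)) {
        ret = config.get("ranger.audit.service." + serviceName + ".mode");
    }
    if (StringUtils.isBlank(ret) || StringUtils.equals(ret, RangerPolicyEngine.AUDIT_DEFAULT)) {
        return RangerPolicyEngine.AUDIT_DEFAULT;
    }
    if (StringUtils.equals(ret, RangerPolicyEngine.AUDIT_ALL)) {
        return ret;
    }
    if (StringUtils.equals(ret, RangerPolicyEngine.AUDIT_NONE)) {
        LOG.warn("auditMode for service " + serviceName + " is " + ret + ": plugins will not generate access audit records");
        return ret;
    }
    LOG.warn("ignoring unknown auditMode '" + ret + "' for service " + serviceName + "; using " + RangerPolicyEngine.AUDIT_DEFAULT);
    return RangerPolicyEngine.AUDIT_DEFAULT;
}
```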