From adenis...@apache.org
Subject incubator-hawq git commit: HAWQ-1353. Added SOLR properties to RPS audit config
Date Thu, 02 Mar 2017 00:48:25 GMT
Repository: incubator-hawq
Updated Branches:
  refs/heads/master 55d9e8574 -> ee79ec2fc


HAWQ-1353. Added SOLR properties to RPS audit config


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/ee79ec2f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/ee79ec2f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/ee79ec2f

Branch: refs/heads/master
Commit: ee79ec2fc70dc1bb33939180659597d7c9d151cb
Parents: 55d9e85
Author: Alexander Denissov <adenissov@pivotal.io>
Authored: Thu Feb 23 10:54:48 2017 -0800
Committer: Alexander Denissov <adenissov@pivotal.io>
Committed: Wed Mar 1 16:47:35 2017 -0800

----------------------------------------------------------------------
 ranger-plugin/conf/ranger-hawq-audit.xml        | 43 +++++++++++++++++++-
 ranger-plugin/pom.xml                           |  6 +++
 .../authorization/RangerHawqAuthorizer.java     | 19 +++++----
 3 files changed, 57 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/ee79ec2f/ranger-plugin/conf/ranger-hawq-audit.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/ranger-hawq-audit.xml b/ranger-plugin/conf/ranger-hawq-audit.xml
index 01fe5ab..981f249 100644
--- a/ranger-plugin/conf/ranger-hawq-audit.xml
+++ b/ranger-plugin/conf/ranger-hawq-audit.xml
@@ -1,4 +1,5 @@
 <?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
 <!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
@@ -15,9 +16,12 @@
   See the License for the specific language governing permissions and
   limitations under the License.
 -->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+
 <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+
+    <!-- ********************************* -->
     <!-- HDFS audit provider configuration -->
+    <!-- ********************************* -->
     <property>
         <name>xasecure.audit.destination.hdfs</name>
         <value>false</value>
@@ -30,11 +34,46 @@
 
     <property>
         <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
-        <value>/tmp/audit/hdfs/spool</value>
+        <value>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/logs/spool/audit/hdfs</value>
+    </property>
+
+
+    <!-- ********************************* -->
+    <!-- SOLR audit provider configuration -->
+    <!-- ********************************* -->
+    <property>
+        <name>xasecure.audit.destination.solr</name>
+        <value>false</value>
+    </property>
+
+    <!-- if not using zookeepers but direct url instead, then leave this property empty
or set it to NONE -->
+    <property>
+        <name>xasecure.audit.destination.solr.zookeepers</name>
+        <value>zkhost1:2181,zkhost2:2181/infra-solr</value>
+    </property>
+
+    <!-- if not using zookeepers but direct url instead, then leave this property empty
or set it to NONE -->
+    <property>
+        <name>xasecure.audit.destination.solr.collection</name>
+        <value>ranger_audits</value>
+    </property>
+
+    <!-- if not using direct url and using zookeeper instead, then leave this property
empty or set it to NONE. -->
+    <!-- example value: http://solrHost1:6083/solr/ranger_audits,http://solrHost2:6083/solr/ranger_audits
-->
+    <property>
+        <name>xasecure.audit.destination.solr.urls</name>
+        <value></value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
+        <value>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/logs/spool/audit/solr</value>
     </property>
 
 
+    <!-- ********************************** -->
     <!-- Log4j audit provider configuration -->
+    <!-- ********************************** -->
     <property>
         <name>xasecure.audit.destination.log4j</name>
         <value>true</value>
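Review bot: The example value in the comment for `xasecure.audit.destination.solr.urls` uses `http://`, so a deployment that copies it sends audit events to Solr in clear text. The same commit starts putting the client IP and request context into those events, so the comment should show an `https://` URL or state that one should be used where the Solr endpoint has TLS enabled. The two `batch.filespool.dir` directories hold the same records on disk while a destination is unreachable; moving them out of `/tmp` helps, and the install step (not visible here) should create them readable only by the plugin-service account. The shipped `zkhost1:2181,zkhost2:2181/infra-solr` value is a placeholder, so a note such as `<!-- replace with the real ZooKeeper ensemble before setting xasecure.audit.destination.solr to true -->` would prevent a silent spool build-up.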

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/ee79ec2f/ranger-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/pom.xml b/ranger-plugin/pom.xml
index 5d88707..8943e2a 100644
--- a/ranger-plugin/pom.xml
+++ b/ranger-plugin/pom.xml
@@ -248,6 +248,12 @@
               <artifactId>guava</artifactId>
               <version>11.0.2</version>
             </dependency>
+            <!-- SolrJ client for auditing to Solr requires httpcore 4.2+ -->
+            <dependency>
+                <groupId>org.apache.httpcomponents</groupId>
+                <artifactId>httpcore</artifactId>
+                <version>4.4.4</version>
+            </dependency>
             <dependency>
                 <groupId>javax.servlet</groupId>
                 <artifactId>servlet-api</artifactId>
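Review bot: Only `httpcore` is pinned here, and the hunk does not show a matching `httpclient` entry, so the two HttpComponents artifacts may resolve to versions that were not released together. If `httpclient` is not managed elsewhere in this pom (the enclosing section starts outside the hunk), add it next to this entry and confirm the resolved pair with `mvn dependency:tree`. The comment could also record which transitive version is being overridden, so a later upgrade knows when the pin can be dropped.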

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/ee79ec2f/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
index 0d97e21..0458bae 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
@@ -37,10 +37,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import static org.apache.hawq.ranger.authorization.Utils.HAWQ;
 
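Review bot: The wildcard `import java.util.*;` replaces four explicit imports although, in the hunks of this commit, `Date` is the only newly used `java.util` class. Keeping the explicit list and adding `import java.util.Date;` keeps the set of names in scope visible at the import site and avoids silent clashes if another imported package later defines a class of the same name.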
@@ -93,7 +90,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
 
         // iterate over resource requests, augment processed ones with the decision and add
to the response
         for (ResourceAccess resourceAccess : request.getAccess()) {
-            boolean accessAllowed = authorizeResource(resourceAccess, request.getUser());
+            boolean accessAllowed = authorizeResource(resourceAccess, request.getUser(),
request.getClientIp(), request.getContext());
             resourceAccess.setAllowed(accessAllowed);
             access.add(resourceAccess);
         }
@@ -108,7 +105,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
      * @param user user requesting authorization
      * @return true if access is authorized, false otherwise
      */
-    private boolean authorizeResource(ResourceAccess resourceAccess, String user) {
+    private boolean authorizeResource(ResourceAccess resourceAccess, String user, String
clientIp, String context) {
 
         if (LOG.isDebugEnabled()) {
             LOG.debug(String.format("Request: access for user=%s to resource=%s with privileges=%s",
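Review bot: The Javadoc above `authorizeResource` still ends at `@param user`, so the new `clientIp` and `context` parameters are undocumented; add `@param clientIp client IP address as reported in the authorization request` and `@param context request context, passed to Ranger as the request data`. The same gap is in the `authorizeResourcePrivilege` hunk (`@@ -151,7 +148,7 @@`), whose Javadoc stops at `@param userGroups`. Both Javadoc blocks begin, and both method bodies continue, outside the visible hunks.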
@@ -126,7 +123,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
         for (HawqPrivilege privilege : resourceAccess.getPrivileges()) {
             // TODO not clear how we will get user groups -- Kerberos case ?
             Set<String> userGroups = Collections.emptySet();
-            boolean privilegeAuthorized = authorizeResourcePrivilege(rangerResource, privilege.name(),
user, userGroups);
+            boolean privilegeAuthorized = authorizeResourcePrivilege(rangerResource, privilege.name(),
user, userGroups, clientIp, context);
             // ALL model of evaluation -- all privileges must be authorized for access to
be allowed
             if (!privilegeAuthorized) {
                 accessAllowed = false;
@@ -151,7 +148,7 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
      * @param userGroups groups a user belongs to
      * @return true if access is authorized, false otherwise
      */
-    private boolean authorizeResourcePrivilege(RangerAccessResource rangerResource, String
accessType, String user, Set<String> userGroups) {
+    private boolean authorizeResourcePrivilege(RangerAccessResource rangerResource, String
accessType, String user, Set<String> userGroups, String clientIp, String context) {
 
         Map<String, String> resourceMap = rangerResource.getAsMap();
         String database = resourceMap.get(HawqResource.database.name());
@@ -167,7 +164,11 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
             LOG.debug("accessType mapped to: usage-schema");
         }
 
-        RangerAccessRequest rangerRequest = new RangerAccessRequestImpl(rangerResource, accessType,
user, userGroups);
+        RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource,
accessType, user, userGroups);
+        rangerRequest.setAccessTime(new Date());
+        rangerRequest.setAction(accessType);
+        rangerRequest.setClientIPAddress(clientIp);
+        rangerRequest.setRequestData(context);
         RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest);
         boolean accessAllowed = result != null && result.getIsAllowed();
 
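Review bot: `clientIp` and `context` reach `setClientIPAddress` and `setRequestData` exactly as they arrived in the authorization request, with no null or format check in the visible lines. Ranger writes both fields to the audit record and can evaluate policy conditions on the client address, so they are values asserted by the caller rather than verified facts; guard the setter, e.g. `if (clientIp != null && !clientIp.isEmpty()) rangerRequest.setClientIPAddress(clientIp);`, and document that the service is expected to be reachable only by trusted callers. If `context` carries the query text (an assumption, the hunk does not show what it holds), it may include literals such as passwords and should be masked or length-capped before it is sent to the Solr, HDFS or log4j destinations. `new Date()` is also taken once per privilege, so a single request produces several slightly different access times; the method continues outside the hunk.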

