
From mad...@apache.org
Subject [2/2] git commit: ARGUS-3: Disallow DFS command, similar to SQLStd authorizer. One difference from SQLStd authorizer is that Argus agent will deny for all users, instead of allowing the command for admin users; because Argus agnet doesn't have built-in n
Date Sun, 17 Aug 2014 22:15:33 GMT
ARGUS-3: Disallow DFS command, similar to SQLStd authorizer. One
difference from SQLStd authorizer is that Argus agent will deny for all
users, instead of allowing the command for admin users; because Argus
agent doesn't have a built-in notion of admin users.

Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/8908fb8c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/8908fb8c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/8908fb8c

Branch: refs/heads/master
Commit: 8908fb8c2eac90648beeb44ea46d73191e00659d
Parents: f021846
Author: mneethiraj <mneethiraj@hortonworks.com>
Authored: Fri Aug 15 17:15:22 2014 -0700
Committer: mneethiraj <mneethiraj@hortonworks.com>
Committed: Fri Aug 15 17:15:22 2014 -0700

----------------------------------------------------------------------
 .../hive/authorizer/XaSecureHiveAuthorizer.java | 71 +++++++++++++++++++-
 1 file changed, 68 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/8908fb8c/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
index a7617ba..2e9c6c4 100644
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
+++ b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
@@ -54,7 +54,6 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase {
 		mHiveAccessVerifier = XaHiveAccessVerifierFactory.getInstance() ;
 	}
 
-
 	@Override
 	public void checkPrivileges(HiveOperationType         hiveOpType,
 								List<HivePrivilegeObject> inputHObjs,
@@ -65,6 +64,12 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 		if(LOG.isDebugEnabled()) {
 			LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context));
 		}
+		
+		if(hiveOpType == HiveOperationType.DFS) {
+			handleDfsCommand(hiveOpType, inputHObjs, outputHObjs, context);
+			
+			return;
+		}
 
 		UserGroupInformation ugi =  this.getCurrentUserGroupInfo();
 
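Review bot: The `return;` placed after `handleDfsCommand(...)` is unreachable in practice, because `handleDfsCommand` ends by unconditionally throwing HiveAccessControlException on every path, so a reader scanning this branch will look for a granting path that does not exist. A one-line comment would make the intent explicit, e.g. `// handleDfsCommand always denies (throws); the return only guards against a future change`. `checkPrivileges` continues beyond this hunk.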
@@ -429,8 +434,69 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 
         return ret;
     }
-	private void logAuditEvent(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo,
boolean accessGranted) {
+
+	private void handleDfsCommand(HiveOperationType         hiveOpType,
+								  List<HivePrivilegeObject> inputHObjs,
+							      List<HivePrivilegeObject> outputHObjs,
+							      HiveAuthzContext          context)
+	      throws HiveAuthzPluginException, HiveAccessControlException {
+
+		String dfsCommandParams = null;
+
+		if(inputHObjs != null) {
+			for(HivePrivilegeObject hiveObj : inputHObjs) {
+				if(hiveObj.getType() == HivePrivilegeObjectType.COMMAND_PARAMS) {
+					dfsCommandParams = StringUtil.toString(hiveObj.getCommandParams());
+
+					if(! StringUtil.isEmpty(dfsCommandParams)) {
+						break;
+					}
+				}
+			}
+		}
+		
+		UserGroupInformation ugi = this.getCurrentUserGroupInfo();
+
+		logAuditEventForDfs(ugi, dfsCommandParams, false);
+
+		throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not
have privilege for [%s] command",
+											 ugi.getShortUserName(), hiveOpType.name()));
+		
+	}
+   
+    private void logAuditEventForDfs(UserGroupInformation ugi, String dfsCommand, boolean
accessGranted) {
+		HiveAuditEvent auditEvent = new HiveAuditEvent();
+
+		try {
+			auditEvent.setAclEnforcer(XaSecureModuleName);
+			auditEvent.setResourceType("@dfs"); // to be consistent with earlier release
+			auditEvent.setAccessType("DFS");
+			auditEvent.setAction("DFS");
+			auditEvent.setUser(ugi.getShortUserName());
+			auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
+			auditEvent.setEventTime(StringUtil.getUTCDate());
+			auditEvent.setRepositoryType(EnumRepositoryType.HIVE);
+			auditEvent.setRepositoryName(repositoryName) ;
+			auditEvent.setRequestData(dfsCommand);
+
+			auditEvent.setResourcePath(dfsCommand);
 		
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("logAuditEvent [" + auditEvent + "] - START");
+			}
+
+			AuditProviderFactory.getAuditProvider().log(auditEvent);
+
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("logAuditEvent [" + auditEvent + "] - END");
+			}
+		}
+		catch(Throwable t) {
+			LOG.error("ERROR logEvent [" + auditEvent + "]", t);
+		}
+    }
+
+	private void logAuditEvent(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo,
boolean accessGranted) {
 		HiveAuditEvent auditEvent = new HiveAuditEvent();
 
 		try {
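Review bot: `handleDfsCommand` writes the audit record and denies even when no `COMMAND_PARAMS` object is present in `inputHObjs`, in which case `dfsCommandParams` stays null and the record's requestData and resourcePath (set from `dfsCommand` in `logAuditEventForDfs`) carry no indication of what was attempted; consider a fallback such as `auditEvent.setRequestData(dfsCommand != null ? dfsCommand : hiveOpType-style marker "DFS");` so denied events remain investigable. The deny itself is unconditional and fail-closed, which matches the commit message, and a short Javadoc on `handleDfsCommand` stating that DFS is refused for every user because the agent has no notion of admin users would record that design decision next to the code rather than only in the commit log. Note also that `ugi.getShortUserName()` in the `throw` statement sits outside any try/catch, so if `getCurrentUserGroupInfo()` can return null (not visible here) the caller would see a NullPointerException instead of the intended HiveAccessControlException — still a denial, but a less informative one. The existing `logAuditEvent` at the end of this hunk continues outside it.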
@@ -467,7 +533,6 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 		catch(Throwable t) {
 			LOG.error("ERROR logEvent [" + auditEvent + "]", t);
 		}
-		
 	}
 	
 	private String toString(HiveOperationType         hiveOpType,

