ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From omal...@apache.org
Subject [41/44] ARGUS-1. Initial code commit (Selvamohan Neethiraj via omalley)
Date Thu, 14 Aug 2014 20:50:52 GMT
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java
new file mode 100644
index 0000000..b56b114
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hbase/XASecureAuthorizer.java
@@ -0,0 +1,107 @@
+/**************************************************************************
+ *                                                                        *
+ * The information in this document is proprietary to XASecure Inc.,      *
+ * It may not be used, reproduced or disclosed without the written        *
+ * approval from the XASecure Inc.,                                       *
+ *                                                                        *
+ * PRIVILEGED AND CONFIDENTIAL XASECURE PROPRIETARY INFORMATION           *
+ *                                                                        *
+ * Copyright (c) 2013 XASecure, Inc.  All rights reserved.                *
+ *                                                                        *
+ *************************************************************************/
+
+ /**
+  *
+  *	@version: 1.0.004
+  *
+  */
+
+package com.xasecure.pdp.hbase;
+
+import java.util.List;
+
+import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.access.Permission.Action;
+import org.apache.hadoop.hbase.security.access.UserPermission;
+
+import com.xasecure.authorization.hbase.HBaseAccessController;
+
+public class XASecureAuthorizer implements HBaseAccessController {
+
+	private HBaseAccessController authDB = URLBasedAuthDB.getInstance();
+	
+	@Override
+	public boolean isAccessAllowed(User user, Action accessAction) {
+		if (authDB != null) {
+			return authDB.isAccessAllowed(user, accessAction);
+		} else {
+			return false;
+		}
+	}
+
+	@Override
+	public boolean isAccessAllowed(User user, byte[] tableName, Action accessAction) {
+		if (authDB != null) {
+			return authDB.isAccessAllowed(user, tableName, accessAction);
+		} else {
+			return false;
+		}
+	}
+
+
+	@Override
+	public boolean isAccessAllowed(User user, byte[] tableName, byte[] columnFamily, byte[] qualifier, Action accessAction) {
+		if (authDB != null) {
+			return authDB.isAccessAllowed(user, tableName, columnFamily, qualifier, accessAction);
+		} else {
+			return false;
+		}
+	}
+
+	@Override
+	public boolean isEncrypted(byte[] tableName, byte[] columnFamily, byte[] qualifier) {
+		if (authDB != null) {
+			return authDB.isEncrypted(tableName, columnFamily, qualifier);
+		} else {
+			return false;
+		}
+	}
+	
+	@Override
+	public boolean isTableHasEncryptedColumn(byte[] tableName) {
+		if (authDB != null) {
+			return authDB.isTableHasEncryptedColumn(tableName);
+		} else {
+			return false;
+		}
+	}
+
+
+	@Override
+	public boolean isAudited(byte[] tableName) {
+		if (authDB != null) {
+			return authDB.isAudited(tableName);
+		} else {
+			return false;
+		}
+	}
+	
+	@Override
+	public List<UserPermission> getUserPermissions(User aUser) {
+		if (authDB != null) {
+			return authDB.getUserPermissions(aUser) ;
+		} else {
+			return null;
+		}
+	}
+
+	@Override
+	public List<UserPermission> getUserPermissions(User aUser, byte[] aTableName) {
+		if (authDB != null) {
+			return authDB.getUserPermissions(aUser, aTableName) ;
+		} else {
+			return null;
+		}
+	}
+	
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java
new file mode 100644
index 0000000..121f8b7
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/AdminPolicyChecker.java
@@ -0,0 +1,164 @@
+package com.xasecure.pdp.hdfs;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Random;
+
+import org.apache.commons.io.FilenameUtils;
+
+public class AdminPolicyChecker {
+		
+	private  static final String PATH_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst0123456789-_." ;
+	private  static char[] PATH_CHAR_SET = PATH_CHARS.toCharArray() ; 
+	private static int PATH_CHAR_SET_LEN = PATH_CHAR_SET.length ; 
+
+	
+	public static List<String> adminUserList = new ArrayList<String>() ;  // "cli@adfpros.com"
+	public static List<String> adminGroupList = new ArrayList<String>()  ;
+	
+	static {
+		adminUserList.add("cli@adfpros.com") ;
+		adminGroupList.add("policymgradmin") ;
+	}
+	
+	
+	public void checkAdminAccessForResource(String selectedResourcePath, boolean isRecursiveFlag, String username) {
+		
+		if (adminUserList.contains(username)) {
+			return ;  
+		}
+		
+		List<String> groups = getUserGroupsForUser(username) ;
+		
+		if (adminGroupList.contains(groups)) {
+			
+		}
+		
+		checkAdminAccessForResource(new Path(selectedResourcePath, isRecursiveFlag), username) ;
+	}
+
+	private void checkAdminAccessForResource(Path resourcePath, String username) {
+
+		List<Path> adminPathList = getAdminPathFromDB(username)  ;
+
+		if (!adminPathList.isEmpty()) {
+			for(Path adminPath : adminPathList ) {
+				if (adminPath.isMatched(resourcePath)) {
+					return  ;
+				}
+			}
+		}
+
+		throw new SecurityException("User [" + username + "]  does not have admin privileges on path [" + resourcePath + "]") ;
+
+	}
+	
+	class Path {
+		String fullPath ;
+		boolean recursiveFlag ;
+
+		Path(String fullPath, boolean recursiveFlag) {
+			this.fullPath = fullPath;
+			this.recursiveFlag = recursiveFlag;
+		}
+
+		public boolean isMatched(Path resourcePath) {
+			// Since it is a Regular Expression Compared with Regular Expression
+			// We will expand the resourcepath to a normalized form and see if it matches with the fullpath using a WildCardMatch
+			// THIS IS JUST A WORK-AROUND. Need more permanent solution - 11/19/2013
+			
+			String expandedPath = repaceMetaChars(resourcePath) ;
+			
+			if (recursiveFlag) {
+				return URLBasedAuthDB.isRecursiveWildCardMatch(expandedPath, fullPath) ;
+			}
+			else {
+				return FilenameUtils.wildcardMatch(expandedPath, fullPath) ;
+			}
+		}
+		
+		private String repaceMetaChars(Path regEx) {
+			
+			String expandedPath = regEx.fullPath ;
+			
+			if (expandedPath.contains("*")) {
+				String replacement = getRandomString(5,60) ;
+				expandedPath.replaceAll("\\*", replacement) ;
+			}
+			
+			if (expandedPath.contains("?")) {
+				String replacement = getRandomString(1,1) ;
+				expandedPath.replaceAll("\\?", replacement) ;
+			}
+			
+			if (regEx.recursiveFlag) {
+				int level = getRandomInt(3,10) ;
+				if (! expandedPath.endsWith("/")) {
+					expandedPath = expandedPath + "/" ;
+				}
+				expandedPath = expandedPath + getRandomString(5,60) ;
+				
+				for(int i = 1 ; i  < level ; i++) {
+					expandedPath = expandedPath + "/" + getRandomString(5,60) ;
+				}
+			}
+			return expandedPath ;
+		}
+		
+		
+		private Random random = new Random() ;
+
+		private String getRandomString(int minLen, int maxLen) {
+			StringBuilder sb = new StringBuilder() ;
+			int len = getRandomInt(minLen,maxLen) ;
+			for(int i = 0 ; i < len ; i++) {
+				int charIdx = random.nextInt(PATH_CHAR_SET_LEN) ;
+				sb.append( PATH_CHAR_SET[charIdx] ) ;
+			}
+			return null;
+		}
+		
+		private int getRandomInt(int min, int max) {
+			if (min == max) {
+				return min ;
+			}
+			else {
+				int interval = max - min ;
+				return ((random.nextInt() % interval) + min) ;
+			}
+		}
+
+	}
+	
+	
+	private List<Path> getAdminPathFromDB(String username) {
+		
+		List<Path> ret = new ArrayList<Path>() ;
+
+		//
+		// TODO:  database work to get ACL ....
+		//
+		
+		// Get all policy acl where the user has ADMIN permission +
+		// Get all policy acl where group associated with user has ADMIN permission 
+		// For each of the acl
+		//	  For path in acl.getResourcePath().splitBy(",")
+		//	     ret.add(new Path(path, acl.recursiveFlag)) ;
+		
+		return ret;
+	}
+	
+	
+	private List<String>  getUserGroupsForUser(String username) {
+		List<String> groupList = new ArrayList<String>() ;
+
+		//
+		// TODO:  database work to get List of groups ....
+		//
+
+		return groupList ;
+	}
+
+
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
new file mode 100644
index 0000000..9e8bbcb
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
@@ -0,0 +1,479 @@
+/**************************************************************************
+ *                                                                        *
+ * The information in this document is proprietary to XASecure Inc.,      *
+ * It may not be used, reproduced or disclosed without the written        *
+ * approval from the XASecure Inc.,                                       *
+ *                                                                        *
+ * PRIVILEGED AND CONFIDENTIAL XASECURE PROPRIETARY INFORMATION           *
+ *                                                                        *
+ * Copyright (c) 2013 XASecure, Inc.  All rights reserved.                *
+ *                                                                        *
+ *************************************************************************/
+
+ /**
+  *
+  *	@version: 1.0.004
+  *
+  */
+
+package com.xasecure.pdp.hdfs;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+
+import com.xasecure.authorization.hadoop.HDFSAccessVerifier;
+import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
+import com.xasecure.pdp.config.PolicyChangeListener;
+import com.xasecure.pdp.config.PolicyRefresher;
+import com.xasecure.pdp.constants.XaSecureConstants;
+import com.xasecure.pdp.model.Policy;
+import com.xasecure.pdp.model.PolicyContainer;
+import com.xasecure.pdp.model.ResourcePath;
+import com.xasecure.pdp.model.RolePermission;
+
+public class URLBasedAuthDB implements HDFSAccessVerifier, PolicyChangeListener {
+
+	private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ;
+
+	private static URLBasedAuthDB me = null;
+	
+	private PolicyRefresher refresher = null ;
+	
+	private PolicyContainer policyContainer = null;
+	
+	private HashMap<String,Boolean> cachedAuditFlag = new HashMap<String,Boolean>() ;	// needs to be cleaned when ruleList changes
+	
+	private static final long MAX_NO_OF_AUDIT_CACHE_ENTRIES = 1000L ;
+
+
+	public static URLBasedAuthDB getInstance() {
+		if (me == null) {
+			synchronized (URLBasedAuthDB.class) {
+				URLBasedAuthDB temp = me;
+				if (temp == null) {
+					me = new URLBasedAuthDB();
+					me.init() ;
+				}
+			}
+		}
+		return me;
+	}
+
+	private URLBasedAuthDB() {
+		String url 			 = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_PROP);
+		long  refreshInMilli = XaSecureConfiguration.getInstance().getLong(
+				XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
+				XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
+		String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
+		
+		String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_LAST_SAVED_POLICY_FILE_PROP) ;
+		
+		refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
+	
+		String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_SAVE_FILE_PROP) ;
+		if (saveAsFileName != null) {
+			refresher.setSaveAsFileName(saveAsFileName) ;
+		}
+		
+		if (lastStoredFileName != null) {
+			refresher.setLastStoredFileName(lastStoredFileName);
+		}	
+	}
+
+	private void init() {
+		refresher.setPolicyChangeListener(this);
+	}
+	
+	@Override
+	public void OnPolicyChange(PolicyContainer aPolicyContainer) {
+		setPolicyContainer(aPolicyContainer);
+	}
+
+
+	@Override
+	public boolean isAccessGranted(String aPathName, String pathOwnerName, String access, String username, Set<String> groups) {
+
+		PolicyContainer pc = getPolicyContainer() ;
+		
+		if (pc == null) {
+			return false ;
+		}
+		
+		for(Policy acl :  pc.getAcl()) {
+			
+			if (! acl.isEnabled()) {
+				LOG.debug("Diabled acl found [" + acl + "]. Skipping this acl ...") ;
+				continue ;
+			}
+
+			for(ResourcePath resource : acl.getResourceList()) {
+				
+				String path = resource.getPath() ;
+				
+				boolean rulePathMatched = false ;
+				
+				if (acl.getRecursiveInd() == 1) {
+					if (resource.isWildcardPath()) {
+						rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ;
+					}
+					else {
+						rulePathMatched = aPathName.startsWith(path) ;
+					}
+				}
+				else {
+					if (resource.isWildcardPath()) {
+						rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ;
+					}
+					else {
+						rulePathMatched = aPathName.equals(path) ;
+					}
+				}
+				
+				
+				if (rulePathMatched) {
+					for (RolePermission rp : acl.getPermissions()) {
+						if (rp.getAccess().contains(access)) {
+							if ( rp.getUsers().contains(username) ) {
+								return true ;
+							}
+							for(String ug : groups) {
+								if ( rp.getGroups().contains(ug)) {
+									return true ;
+								}
+							}
+							if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) {
+								return true ;
+							}
+						}
+					}
+				}
+			
+			}
+		}
+		
+		return false ;
+
+	}
+	
+	public static boolean isRecursiveWildCardMatch(String pathToCheck, String wildcardPath) {
+		if (pathToCheck != null) {
+			StringBuilder sb = new StringBuilder() ;
+			for(String p :  pathToCheck.split(File.separator) ) {
+				sb.append(p) ;
+				boolean matchFound = FilenameUtils.wildcardMatch(sb.toString(), wildcardPath) ;
+				if (matchFound) {
+					return true ;
+				}
+				sb.append(File.separator) ;
+			}
+			sb = null;
+		}
+		return false;
+	}
+
+	public PolicyContainer getPolicyContainer() {
+		return policyContainer;
+	}
+
+	private synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) {
+		
+		for(Policy p : aPolicyContainer.getAcl()) {
+			for(RolePermission rp : p.getPermissions()) {
+				List<String> rpaccess = rp.getAccess() ;
+				if (rpaccess != null && rpaccess.size() > 0) {
+					List<String> temp = new ArrayList<String>() ;
+					for(String s : rpaccess) {
+						temp.add(s.toLowerCase()) ;
+					}
+					rp.setAccess(temp);
+				}
+			}
+		}
+		
+		this.policyContainer = aPolicyContainer ;
+		this.cachedAuditFlag.clear(); 
+	}
+	
+
+
+	public UserPermission printPermissionInfo(UserGroupInformation ugi) {
+		return printPermissionInfo(ugi, null) ;
+	}
+
+	public UserPermission printPermissionInfo(UserGroupInformation ugi, String aPathName) {
+		
+		String username = ugi.getShortUserName() ;
+		
+		String[] groups = ugi.getGroupNames() ;
+		
+		UserPermission up = new UserPermission(username,groups, aPathName) ;
+		
+		PolicyContainer pc = getPolicyContainer() ;
+		
+		if (pc != null) {
+		
+			for(Policy acl :  pc.getAcl()) {
+	
+				for(ResourcePath resource : acl.getResourceList()) {
+					
+					String path = resource.getPath() ;
+					
+					boolean rulePathMatched = false ;
+					
+					if (acl.getRecursiveInd() == 1) {
+						if (resource.isWildcardPath()) {
+							rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ;
+						}
+						else {
+							rulePathMatched = aPathName.startsWith(path) ;
+						}
+					}
+					else {
+						if (resource.isWildcardPath()) {
+							rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ;
+						}
+						else {
+							rulePathMatched = aPathName.equals(path) ;
+						}
+					}
+					
+					
+					if (rulePathMatched) {
+						for (RolePermission rp : acl.getPermissions()) {
+							boolean isAccessGranted = false ;
+							if (! isAccessGranted ) {
+								if ( rp.getUsers().contains(username) ) {
+									up.add(resource, acl.getRecursiveInd(), username, null,  rp.getAccess());
+									isAccessGranted = true ;
+								}
+							}
+							if ( ! isAccessGranted ) { 
+								for(String ug : groups) {
+									if ( rp.getGroups().contains(ug)) {
+										up.add(resource, acl.getRecursiveInd(), null, ug,  rp.getAccess());
+									}
+								}
+							}
+							if (! isAccessGranted ) {
+								if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) {
+									up.add(resource, acl.getRecursiveInd(), null, XaSecureConstants.PUBLIC_ACCESS_ROLE,  rp.getAccess());
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+		
+		return up ;
+	}
+	
+	
+	class UserPermission {
+
+		private String userName ;
+		private String groups ;
+		private String pathName ;
+		private HashMap<String,HashSet<String>> userPermissionMap = new HashMap<String,HashSet<String>>() ;
+
+		public UserPermission(String userName, String[] groupList, String pathName) {
+			this.userName = userName ;
+			this.pathName = pathName ;
+			StringBuilder sb = new StringBuilder() ;
+			boolean first = true ;
+			TreeSet<String> gl = new TreeSet<String>() ;
+			for(String g : groupList) {
+				gl.add(g) ;
+			}
+			for(String group : gl) {
+				if (first) {
+					first = false ;
+				}
+				else {
+					sb.append(",") ;
+				}
+				sb.append(group) ;
+			}
+			this.groups = sb.toString()  ;
+		}
+		
+		
+		public void add(ResourcePath resource, int recursiveInd, String userName, String groupName, List<String> accessList) {
+			
+			String path = resource.getPath() ;
+			
+			if (recursiveInd == 1) {
+				if (path.endsWith("/")) {
+					path = path + "**" ;
+				}
+				else {
+					path = path + "/" + "**" ;
+				}
+			}
+			
+			HashSet<String> permMap = userPermissionMap.get(path) ;
+			
+			if (permMap == null) {
+				permMap = new HashSet<String>() ;
+				userPermissionMap.put(path,permMap) ;
+			}
+			
+			for(String access : accessList) {
+				if (! permMap.contains(access)) {
+					permMap.add(access) ;
+				}
+			}
+			
+		}
+		
+		public void printUserInfo() {
+			System.out.println("# USER INFORMATION") ;
+			System.out.println("USER:   " + userName ) ;
+			System.out.println("GROUPS: " + groups ) ;
+		}
+		
+		public void print() {
+			if (pathName != null) {
+				System.out.println("# PERMISSION INFORMATION FOR PATH [" + pathName + "]" + (userPermissionMap.size() == 0 ? " - NO RULES FOUND" : "")) ;
+			}
+			else {
+				System.out.println("# PERMISSION INFORMATION" + (userPermissionMap.size() == 0 ? " - NO RULES FOUND" : "")) ;
+			}
+			
+
+			if (userPermissionMap.size() > 0) {
+				TreeSet<String> pathSet = new TreeSet<String>() ;
+				pathSet.addAll(userPermissionMap.keySet()) ;
+				StringBuilder sb = new StringBuilder();
+				for(String path : pathSet) {
+					sb.setLength(0) ;
+					sb.append(String.format("%-50s", path)).append("|") ;
+					TreeSet<String> permSet = new TreeSet<String>() ;
+					permSet.addAll(userPermissionMap.get(path)) ;
+					boolean first = true ;
+					for(String perm: permSet) {
+						if (! first) {
+							sb.append(",") ;
+						}
+						else {
+							first = false ;
+						}
+						sb.append(perm) ;
+					}
+					System.out.println(sb.toString()) ;
+				}
+			}
+			
+		}
+	}
+	
+	
+	@Override
+	public boolean isAuditLogEnabled(String aPathName) {
+		boolean ret = false ;
+		
+		HashMap<String,Boolean> tempCachedAuditFlag = cachedAuditFlag ;
+		
+		Boolean auditResult = (tempCachedAuditFlag == null ? null : tempCachedAuditFlag.get(aPathName)) ;
+		
+		if (auditResult != null) {
+			ret =  auditResult ;
+		}
+		else {
+			ret = isAuditLogEnabledByACL(aPathName) ;
+			if (tempCachedAuditFlag != null) {
+				// tempCachedAuditFlag.put(aPathName,Boolean.valueOf(ret)) ;
+				synchronized(tempCachedAuditFlag) {
+					if (tempCachedAuditFlag.size() > MAX_NO_OF_AUDIT_CACHE_ENTRIES) {
+						tempCachedAuditFlag.clear(); 
+					}
+					tempCachedAuditFlag.put(aPathName,Boolean.valueOf(ret)) ;
+				}
+			}
+		}
+		
+		return ret ;
+		
+	}
+
+	
+	public boolean isAuditLogEnabledByACL(String aPathName) {
+		
+		boolean ret = false ;
+		
+		PolicyContainer pc = getPolicyContainer() ;
+		
+		if (pc == null) {
+			return false ;
+		}
+		
+		for(Policy acl :  pc.getAcl()) {
+
+			for(ResourcePath resource : acl.getResourceList()) {
+				
+				String path = resource.getPath() ;
+				
+				boolean rulePathMatched = false ;
+				
+				if (acl.getRecursiveInd() == 1) {
+					if (resource.isWildcardPath()) {
+						rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ;
+					}
+					else {
+						rulePathMatched = aPathName.startsWith(path) ;
+					}
+				}
+				else {
+					if (resource.isWildcardPath()) {
+						rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ;
+					}
+					else {
+						rulePathMatched = aPathName.equals(path) ;
+					}
+				}
+				
+				
+				if (rulePathMatched) {
+					ret = ( acl.getAuditInd() == 1)  ;
+					break ;
+				}
+			}
+		}
+
+		return ret ;
+	}
+	
+	public static void main(String[] args) throws Throwable {
+		LogManager.getLogger(URLBasedAuthDB.class).setLevel(Level.ERROR);
+		URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
+		UserPermission up = null; 
+		if (args.length == 0) {
+			up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser());
+			up.printUserInfo() ;
+			up.print();
+		}
+		else {
+			up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser());
+			up.printUserInfo() ;
+			for(String path : args) {
+				up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser(), path);
+				up.print();
+				System.out.println();
+			}
+		}
+		System.exit(0);
+	}
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
new file mode 100644
index 0000000..f558ba1
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
@@ -0,0 +1,21 @@
+package com.xasecure.pdp.hdfs;
+
+import java.util.Set;
+
+import com.xasecure.authorization.hadoop.HDFSAccessVerifier;
+
+public class XASecureAuthorizer implements HDFSAccessVerifier {
+
+	private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
+	
+	@Override
+	public boolean isAccessGranted(String aPathName, String aPathOwnerName, String access, String username, Set<String> groups) {
+		return authDB.isAccessGranted(aPathName, aPathOwnerName, access, username, groups);
+	}
+
+	@Override
+	public boolean isAuditLogEnabled(String aPathName) {
+		return authDB.isAuditLogEnabled(aPathName) ;
+	}
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
new file mode 100644
index 0000000..624bd31
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
@@ -0,0 +1,298 @@
+/**************************************************************************
+ *                                                                        *
+ * The information in this document is proprietary to XASecure Inc.,      *
+ * It may not be used, reproduced or disclosed without the written        *
+ * approval from the XASecure Inc.,                                       *
+ *                                                                        *
+ * PRIVILEGED AND CONFIDENTIAL XASECURE PROPRIETARY INFORMATION           *
+ *                                                                        *
+ * Copyright (c) 2013 XASecure, Inc.  All rights reserved.                *
+ *                                                                        *
+ *************************************************************************/
+
+ /**
+  *
+  *	@version: 1.0.004
+  *
+  */
+
+package com.xasecure.pdp.hive;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import com.xasecure.authorization.hive.XaHiveObjectAccessInfo;
+import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveAccessType;
+import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveObjectType;
+import com.xasecure.authorization.utils.StringUtil;
+
+public class HiveAuthDB {
+
+	private static final Log LOG = LogFactory.getLog(HiveAuthDB.class);
+
+	private ArrayList<HiveAuthRule> allRuleList = null;
+	private ArrayList<HiveAuthRule> tblRuleList = null;
+	private ArrayList<HiveAuthRule> colRuleList = null;
+
+	public HiveAuthDB() {
+		this(null) ;
+	}
+
+
+	public HiveAuthDB(ArrayList<HiveAuthRule> aRuleList) {
+		
+		if (aRuleList == null) {
+			aRuleList = new ArrayList<HiveAuthRule>() ;
+		}
+		
+		LOG.info("Number of Rules in the PolicyContainer: " +  ((aRuleList == null) ? 0 : aRuleList.size()) ) ; 
+		
+		allRuleList = new ArrayList<HiveAuthRule>() ;
+		colRuleList = new  ArrayList<HiveAuthRule>();
+		tblRuleList = new  ArrayList<HiveAuthRule>() ;
+		
+		allRuleList = aRuleList ;
+		
+		for (HiveAuthRule rule : aRuleList) {
+			if (rule.isTableRule()) {
+				this.tblRuleList.add(rule);
+			} else {
+				this.colRuleList.add(rule);
+			}
+		}
+		
+	}
+
+	public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) {
+		boolean ret = false;
+
+		if(objAccessInfo.getAccessType() == HiveAccessType.NONE || objAccessInfo.getObjectType() == HiveObjectType.NONE) {
+			return true;
+		}
+		
+		String accessType = objAccessInfo.getAccessType().name();
+
+		switch(objAccessInfo.getObjectType()) {
+			case DATABASE:
+				ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase());
+			break;
+
+			case TABLE:
+			case INDEX:
+			case PARTITION:
+				ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getTable());
+			break;
+
+			case VIEW:
+				ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getView());
+			break;
+
+			case COLUMN:
+			{
+				String deniedColumn = findDeniedColumn(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getTable(), objAccessInfo.getColumns());
+				
+				ret = StringUtil.isEmpty(deniedColumn);
+				
+				if(! ret) {
+					objAccessInfo.setDeinedObjectName(XaHiveObjectAccessInfo.getObjectName(objAccessInfo.getDatabase(), objAccessInfo.getTable(), deniedColumn));
+				}
+			}
+			break;
+
+			case FUNCTION:
+				ret = isUDFAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getFunction());
+			break;
+
+			case NONE:
+			break;
+		}
+
+		return ret;
+	}
+
+	public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) {
+		boolean ret = false;
+
+		if(objAccessInfo.getAccessType() == HiveAccessType.NONE || objAccessInfo.getObjectType() == HiveObjectType.NONE) {
+			return false;
+		}
+		
+		String       database = null;
+		String       table    = null;
+		List<String> columns  = null;
+		boolean      isUDF    = false;
+		
+		switch(objAccessInfo.getObjectType()) {
+			case DATABASE:
+				database = objAccessInfo.getDatabase();
+			break;
+
+			case TABLE:
+			case INDEX:
+			case PARTITION:
+				database = objAccessInfo.getDatabase();
+				table    = objAccessInfo.getTable();
+			break;
+
+			case VIEW:
+				database = objAccessInfo.getDatabase();
+				table    = objAccessInfo.getView();
+			break;
+
+			case COLUMN:
+				database = objAccessInfo.getDatabase();
+				table    = objAccessInfo.getTable();
+				columns  = objAccessInfo.getColumns();
+			break;
+
+			case FUNCTION:
+				database = objAccessInfo.getDatabase();
+				table    = objAccessInfo.getFunction();
+				isUDF    = true;
+			break;
+
+			case NONE:
+			break;
+		}
+		
+		if(StringUtil.isEmpty(columns)) {
+			for (HiveAuthRule rule : allRuleList) {
+				if(isUDF != rule.isUdf()) {
+					continue;
+				}
+
+				if (rule.isTableMatch(database, table)) {
+					ret = rule.isAudited() ;
+
+					if (ret) {
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("isAudited(database=" + database + ", table=" + table + ", columns=" + StringUtil.toString(columns) + ") => [" + ret + "] as matched for rule: " + rule);
+						}
+
+						break ;
+					}
+				}
+			}
+		} else {
+			// is audit enabled for any one column being accessed?
+			for(String colName : columns) {
+				for (HiveAuthRule rule : allRuleList) {
+					if(isUDF != rule.isUdf()) {
+						continue;
+					}
+
+					ret = rule.isMatched(database, table, colName) && rule.isAudited();
+
+					if (ret) {
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("isAudited(database=" + database + ", table=" + table + ", columns=" + StringUtil.toString(columns) + ") => [" + ret + "] as matched for rule: " + rule);
+						}
+
+						break ;
+					}
+				}
+				
+				if(ret) {
+					break;
+				}
+			}
+		}
+
+		return ret ;
+	}
+
+	private boolean isAccessAllowed(UserGroupInformation ugi, String accessType, String database) {
+		boolean ret = false;
+
+		for (HiveAuthRule rule : allRuleList) {
+			ret = rule.isMatched(database, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
+
+			if(ret) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ") => [" + ret + "] as matched for rule: " + rule);
+				}
+
+				break;
+			}
+		}
+
+		return ret;
+	}
+
+	private boolean isAccessAllowed(UserGroupInformation ugi, String accessType, String database, String tableOrView) {
+		boolean ret = false;
+
+		for (HiveAuthRule rule : tblRuleList) {
+			ret = rule.isMatched(database, tableOrView, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
+
+			if(ret) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ") => [" + ret + "] as matched for rule: " + rule);
+				}
+
+				break;
+			}
+		}
+
+		return ret;
+	}
+
+	private String findDeniedColumn(UserGroupInformation ugi, String accessType, String database, String tableOrView, List<String> columns) {
+		String deinedColumn = null;
+
+		boolean isAllowed = isAccessAllowed(ugi, accessType, database, tableOrView); // check if access is allowed at the table level
+
+		if(!isAllowed && !StringUtil.isEmpty(columns)) {
+			for(String column : columns) {
+				for (HiveAuthRule rule : colRuleList) {
+					isAllowed = rule.isMatched(database, tableOrView, column, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
+
+					if(isAllowed) {
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ", column=" + column + ") => [" + isAllowed + "] as matched for rule: " + rule);
+						}
+
+						break;
+					}
+				}
+				
+				if(!isAllowed) {
+					deinedColumn = column;
+
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ", column=" + column + ") => [" + isAllowed + "]");
+					}
+					break;
+				}
+			}
+		}
+
+		return deinedColumn;
+	}
+
+	private boolean isUDFAccessAllowed(UserGroupInformation ugi, String accessType, String database, String udfName) {
+		boolean ret = false;
+
+		for (HiveAuthRule rule : tblRuleList) {
+			if(! rule.isUdf()) {
+				continue;
+			}
+
+			ret = rule.isMatched(database, udfName, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
+
+			if(ret) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", udfName=" + udfName + ") => [" + ret + "] as matched for rule: " + rule);
+				}
+
+				break;
+			}
+		}
+
+		return ret;
+	}
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
new file mode 100644
index 0000000..272bcb6
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
@@ -0,0 +1,218 @@
+/**************************************************************************
+ *                                                                        *
+ * The information in this document is proprietary to XASecure Inc.,      *
+ * It may not be used, reproduced or disclosed without the written        *
+ * approval from the XASecure Inc.,                                       *
+ *                                                                        *
+ * PRIVILEGED AND CONFIDENTIAL XASECURE PROPRIETARY INFORMATION           *
+ *                                                                        *
+ * Copyright (c) 2013 XASecure, Inc.  All rights reserved.                *
+ *                                                                        *
+ *************************************************************************/
+
+ /**
+  *
+  *	@version: 1.0.004
+  *
+  */
+
+package com.xasecure.pdp.hive;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hive.ql.security.authorization.Privilege;
+
+import com.xasecure.authorization.hive.constants.XaSecureHiveConstants;
+import com.xasecure.authorization.utils.StringUtil;
+
+
+public class HiveAuthRule {
+	
+	private static final Log LOG = LogFactory.getLog(HiveAuthRule.class) ;
+
+	public static final String WILDCARD_OBJECT = ".*" ;
+	
+	private String databaseName;     
+	private String tableName;  
+	private String columnName;
+	private String accessType;
+	private String group;
+	private String user;
+	private boolean tableRule      = false;
+	private boolean allGranted     = false;
+	private boolean udf            = false;
+	private boolean tableExcluded  = false;
+	private boolean columnExcluded = false;
+	private boolean audited        = false;
+	private boolean encrypted      = false;
+
+	public HiveAuthRule(String dbName, String tableName, String colName, String permission, String user, String group) {
+		this(false, dbName,tableName,colName,permission,user,group, false, false) ;
+	}
+	
+	public HiveAuthRule(boolean udfInd,  String dbName, String tableName, String colName, String permission, String user, String group, boolean tableExclusionFlag, boolean columnExclusionFlag) {
+		this.udf            = udfInd ;
+		this.databaseName   = StringUtil.toLower(dbName);
+		this.tableName      = StringUtil.toLower(tableName);
+		this.columnName     = StringUtil.toLower(colName);
+		this.accessType     = permission ;
+		this.user           = user;
+		this.group          = group ;
+		this.tableExcluded  = tableExclusionFlag ;
+		this.columnExcluded = columnExclusionFlag ;
+
+		this.allGranted = StringUtil.equalsIgnoreCase(Privilege.ALL.toString(), accessType);
+
+		tableRule = StringUtil.isEmpty(columnName) || WILDCARD_OBJECT.matches(columnName) ;
+	}
+	
+	@Override
+	public String toString() {
+		return "db:" + databaseName + ", table: " + tableName + ", columnName: " + columnName + ", accessType: " + accessType + ",user: " + user +  ", group: " + group + ",isTable:" + tableRule + ",audited:"  + audited + ",encrypted:" + encrypted ;
+	}
+
+	public boolean isMatched(String user, String[] groups, String accessType) {
+		String dbName  = null;
+		String tblName = null;
+		String colName = null;
+
+		return isMatched(dbName, tblName, colName, user, groups, accessType) ;
+	}
+
+	public boolean isMatched(String dbName, String user, String[] groups, String accessType) {
+		String tblName = null;
+		String colName = null;
+
+		return isMatched(dbName, tblName, colName, user, groups, accessType) ;
+	}
+	
+	public boolean isMatched(String dbName, String tblName, String user, String[] groups, String accessType) {
+		String colName = null;
+
+		return isMatched(dbName, tblName, colName, user, groups, accessType) ;
+	}
+
+	public boolean isMatched(String dbName, String tblName, String colName,  String user, String[] groups, String accessType) {
+		boolean ret = isMatched(dbName, tblName, colName);
+
+		if(ret) {
+			// does accessType match?
+			ret = this.isAllGranted() || StringUtil.equals(accessType, this.accessType) || StringUtil.equalsIgnoreCase(accessType, "USE");
+
+			if(ret) {
+				// does user/group match?
+				ret = StringUtil.equals(user, this.user) ||
+				      StringUtil.equals(XaSecureHiveConstants.PUBLIC_ACCESS_ROLE, this.group) ||
+				      StringUtil.contains(groups, this.group);
+			}
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("isMatched(db=" + dbName + ", table=" + tblName + ", col=" + colName + ", user=" + user + ", groups=" + StringUtil.toString(groups) + ", accessType=" + accessType + ") => rule[" + this.databaseName + ":" +  this.tableName + ":" + this.columnName + ":" + this.user + ":" + this.group + ":" + this.accessType + "] returns [" + ret + "]");
+		}
+
+		return ret ;
+	}
+
+	public boolean isMatched(String dbName, String tblName, String colName) {
+		boolean ret = isTableMatch(dbName, tblName);
+
+		if (ret) {
+	 		colName = StringUtil.toLower(colName);
+
+	 		if (colName != null) {
+				ret = colName.matches(this.columnName);
+
+				if (columnExcluded) {
+					ret = (! ret) ;
+				}
+			}
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("isMatched(db=" + dbName + ", table=" + tblName + ", col=" + colName + ") => rule[" + this.databaseName + ":" +  this.tableName + ":" + this.columnName + "] returns [" + ret + "]");
+		}
+
+		return ret ;
+	}
+
+	public boolean isTableMatch(String dbName, String tblName) {
+		boolean ret = isDBMatch(dbName);
+
+		if(ret) {
+			tblName = StringUtil.toLower(tblName);
+
+			if(tblName != null) {
+				ret = tblName.matches(this.tableName);
+
+				if(tableExcluded) {
+					ret = !ret;
+				}
+			}
+		}
+		
+		return ret;
+	}
+
+	public boolean isDBMatch(String dbName) {
+		boolean ret = false;
+		
+		dbName = StringUtil.toLower(dbName);
+		
+		ret = dbName == null || dbName.matches(this.databaseName);
+		
+		return ret;
+	}
+
+	public String getDbName() {
+		return databaseName;
+	}
+
+	public String getTableName() {
+		return tableName;
+	}
+
+	public String getColumnName() {
+		return columnName;
+	}
+
+	public String getAccessType() {
+		return accessType;
+	}
+	
+	public String getUser() {
+		return user;
+	}
+
+	public String getGroup() {
+		return group;
+	}
+
+	public boolean isTableRule() {
+		return tableRule;
+	}
+
+	public boolean isAllGranted() {
+		return allGranted ;
+	}
+
+	public boolean isUdf() {
+		return udf;
+	}
+
+	public boolean isAudited() {
+		return audited;
+	}
+
+	public void setAudited(boolean audited) {
+		this.audited = audited;
+	}
+
+	public boolean isEncrypted() {
+		return encrypted;
+	}
+
+	public void setEncrypted(boolean encrypted) {
+		this.encrypted = encrypted;
+	}
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
new file mode 100644
index 0000000..a924acc
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
@@ -0,0 +1,64 @@
+/**************************************************************************
+ *                                                                        *
+ * The information in this document is proprietary to XASecure Inc.,      *
+ * It may not be used, reproduced or disclosed without the written        *
+ * approval from the XASecure Inc.,                                       *
+ *                                                                        *
+ * PRIVILEGED AND CONFIDENTIAL XASECURE PROPRIETARY INFORMATION           *
+ *                                                                        *
+ * Copyright (c) 2013 XASecure, Inc.  All rights reserved.                *
+ *                                                                        *
+ *************************************************************************/
+
+ /**
+  *
+  *	@version: 1.0.004
+  *
+  */
+
+package com.xasecure.pdp.hive;
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import com.xasecure.authorization.hive.XaHiveAccessVerifier;
+import com.xasecure.authorization.hive.XaHiveObjectAccessInfo;
+
+public class HiveAuthorizationProviderBase implements XaHiveAccessVerifier {
+
+	private static final Log LOG = LogFactory.getLog(HiveAuthorizationProviderBase.class);
+
+	protected HiveAuthDB authDB = new HiveAuthDB()  ;
+
+	
+	public HiveAuthDB getAuthDB() {
+		return authDB ;
+	}
+
+	@Override
+	public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) {
+		HiveAuthDB ldb = authDB ;
+
+		if (ldb == null) {
+			throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
+		}
+		
+		boolean ret = ldb.isAccessAllowed(ugi, objAccessInfo);
+		
+		return ret;
+	}
+
+	@Override
+	public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) {
+		HiveAuthDB ldb = authDB ;
+
+		if (ldb == null) {
+			throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
+		}
+
+		return ldb.isAudited(objAccessInfo) ;
+	}
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java
new file mode 100644
index 0000000..adda780
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java
@@ -0,0 +1,221 @@
+/**************************************************************************
+ *                                                                        *
+ * The information in this document is proprietary to XASecure Inc.,      *
+ * It may not be used, reproduced or disclosed without the written        *
+ * approval from the XASecure Inc.,                                       *
+ *                                                                        *
+ * PRIVILEGED AND CONFIDENTIAL XASECURE PROPRIETARY INFORMATION           *
+ *                                                                        *
+ * Copyright (c) 2013 XASecure, Inc.  All rights reserved.                *
+ *                                                                        *
+ *************************************************************************/
+
+ /**
+  *
+  *	@version: 1.0.004
+  *
+  */
+
+package com.xasecure.pdp.hive;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
+import com.xasecure.pdp.config.PolicyChangeListener;
+import com.xasecure.pdp.config.PolicyRefresher;
+import com.xasecure.pdp.constants.XaSecureConstants;
+import com.xasecure.pdp.model.Policy;
+import com.xasecure.pdp.model.PolicyContainer;
+import com.xasecure.pdp.model.RolePermission;
+
+public class URLBasedAuthDB extends HiveAuthorizationProviderBase implements PolicyChangeListener {
+	
+	private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ;
+		
+	private static URLBasedAuthDB me = null ;
+	
+	private PolicyContainer policyContainer = null ;
+	
+	private PolicyRefresher refresher = null ;
+	
+
+	public static URLBasedAuthDB getInstance() {
+		if (me == null) {
+			synchronized(URLBasedAuthDB.class) {
+				URLBasedAuthDB temp = me ;
+				if (temp == null) {
+					me = new URLBasedAuthDB() ;
+					me.init() ;
+				}
+			}
+		}
+		return me ;
+	}
+	
+	private URLBasedAuthDB() {
+		String url 			 = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_PROP);
+		long  refreshInMilli = XaSecureConfiguration.getInstance().getLong(
+				XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
+				XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
+		
+		String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_LAST_SAVED_POLICY_FILE_PROP) ;
+		
+		String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
+		refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
+		
+		String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_SAVE_FILE_PROP) ;
+		if (saveAsFileName != null) {
+			refresher.setSaveAsFileName(saveAsFileName) ;
+		}
+		
+		if (lastStoredFileName != null) {
+			refresher.setLastStoredFileName(lastStoredFileName);
+		}	
+
+	}
+	
+	private void init() {
+		refresher.setPolicyChangeListener(this);
+	}
+	
+	public PolicyContainer getPolicyContainer() {
+		return policyContainer;
+	}
+
+	@Override
+	public void OnPolicyChange(PolicyContainer policyContainer) {
+
+		LOG.debug("OnPolicyChange() has been called with new PolicyContainer .....") ;
+		
+		try {
+			
+			ArrayList<HiveAuthRule> ruleListTemp = new ArrayList<HiveAuthRule>();
+				
+			this.policyContainer = policyContainer;
+	
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Number of acl found (before isEnabled check): " +  ( policyContainer.getAcl() == null ? 0 :  policyContainer.getAcl().size() ) );
+			}
+			
+			for(Policy acl : policyContainer.getAcl()) {
+				
+				if (! acl.isEnabled()) {
+					LOG.debug("Diabled acl found [" + acl + "]. Skipping this acl ...") ;
+					continue ;
+				}
+				
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Number of database found in acl [" + acl + "] " +  ( acl.getDatabaseList() == null ? 0 :  acl.getDatabaseList().size() ) );
+					LOG.debug("Number of Tables found in acl [" + acl + "] " +  ( acl.getTableList() == null ? 0 :  acl.getTableList().size() ) );
+					LOG.debug("Number of Columns found in acl [" + acl + "] " +  ( acl.getColumnList()== null ? 0 :  acl.getColumnList().size() ) );
+				}
+
+				boolean isUDF = false ;
+				
+				List<String> dbList = new ArrayList<String>() ;
+				String dbs = replaceFileBasedRegEx(acl.getDatabases()) ;
+				dbList.add(getRegExFormatted(dbs)) ;
+				
+				List<String> tableList = new ArrayList<String>() ;
+				String udfs   = acl.getUdfs() ;
+				if (udfs != null) {
+					isUDF = true ;
+					dbList.clear(); 
+					dbList.add(HiveAuthRule.WILDCARD_OBJECT) ;
+					tableList.clear(); 
+					udfs  = replaceFileBasedRegEx(udfs) ;
+					tableList.add(getRegExFormatted(udfs)) ;
+				}
+				else {
+					String tables = replaceFileBasedRegEx(acl.getTables()) ;
+					tableList.add(getRegExFormatted(tables)) ;
+				}
+				
+				List<String> columnList = new ArrayList<String>() ;
+				String columns = replaceFileBasedRegEx(acl.getColumns()) ;
+				columnList.add(getRegExFormatted(columns)) ;
+
+
+				boolean isAudited = (acl.getAuditInd() == 1) ;
+				
+				boolean isEncrypted = (acl.getEncryptInd() == 1) ;
+
+				for(String db : dbList)  {
+					
+					for(String table : tableList) {
+						
+						for(String col : columnList) {
+							
+							for(RolePermission rp : acl.getPermissions()) {
+								for (String accessLevel : rp.getAccess() ) {
+									for (String group : rp.getGroups()) {
+										HiveAuthRule rule = new HiveAuthRule(isUDF, db, table, col, accessLevel.toLowerCase(), null, group, acl.isTableSelectionExcluded(), acl.isColumnSelectionExcluded());
+										rule.setAudited(isAudited);
+										rule.setEncrypted(isEncrypted);
+										LOG.debug("Adding rule [" + rule + "] to the authdb.");
+										ruleListTemp.add(rule);
+									}
+									for (String user : rp.getUsers()) {
+										HiveAuthRule rule = new HiveAuthRule(isUDF, db, table, col, accessLevel.toLowerCase(), user, null,acl.isTableSelectionExcluded(), acl.isColumnSelectionExcluded());
+										rule.setAudited(isAudited);
+										rule.setEncrypted(isEncrypted);
+										LOG.debug("Adding rule [" + rule + "] to the authdb.");
+										ruleListTemp.add(rule);
+									}
+								}
+							}
+							
+							
+						}
+					}
+				}
+			}
+			HiveAuthDB authDBTemp = new HiveAuthDB(ruleListTemp);
+			authDB = authDBTemp;
+		}
+		catch(Throwable t) {
+			LOG.error("OnPolicyChange has failed with an exception", t);
+		}
+	}
+	
+	public static String getRegExFormatted(String userEnteredStr) {
+		
+		if (userEnteredStr == null || userEnteredStr.trim().length() == 0) {
+			return HiveAuthRule.WILDCARD_OBJECT ;
+		}
+
+		StringBuilder sb = new StringBuilder() ;
+
+		for(String s : userEnteredStr.split(",")) {
+			if (sb.length() == 0) {
+				sb.append("(") ;
+			}
+			else {
+				sb.append("|") ;
+			}
+			sb.append(s.trim()) ;
+		}
+		
+		if (sb.length() > 0) {
+			sb.append(")") ;
+		}
+		
+		return sb.toString() ;
+	}
+	
+	
+	public static String replaceFileBasedRegEx(String userEnteredStr) {
+		if (userEnteredStr != null) {
+			userEnteredStr = userEnteredStr.replaceAll("\\.", "\\.")
+												.replaceAll("\\?", "\\.") 
+												.replaceAll("\\*", ".*") ;
+		}
+		return userEnteredStr ;
+	}
+	
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java
new file mode 100644
index 0000000..06a77de
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java
@@ -0,0 +1,29 @@
+package com.xasecure.pdp.hive;
+
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import com.xasecure.authorization.hive.XaHiveAccessVerifier;
+import com.xasecure.authorization.hive.XaHiveObjectAccessInfo;
+
+public class XASecureAuthorizer implements XaHiveAccessVerifier {
+	
+	private XaHiveAccessVerifier authDB = URLBasedAuthDB.getInstance() ;
+	
+
+	@Override
+	public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) {
+		if (authDB == null) {
+			throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
+		}
+		return authDB.isAccessAllowed(ugi, objAccessInfo);
+	}
+
+	@Override
+	public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) {
+		if (authDB == null) {
+			throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
+		}
+		return authDB.isAudited(objAccessInfo) ;
+	}
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java
new file mode 100644
index 0000000..59e10b2
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java
@@ -0,0 +1,453 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.xasecure.pdp.knox;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
+import com.xasecure.pdp.config.Jersey2PolicyRefresher;
+import com.xasecure.pdp.config.PolicyChangeListener;
+import com.xasecure.pdp.constants.XaSecureConstants;
+import com.xasecure.pdp.model.Policy;
+import com.xasecure.pdp.model.PolicyContainer;
+import com.xasecure.pdp.model.RolePermission;
+
+public class URLBasedAuthDB implements PolicyChangeListener {
+
+	private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ;
+
+	private static URLBasedAuthDB me = null;
+	
+	private Jersey2PolicyRefresher refresher = null ;
+	
+	private PolicyContainer policyContainer = null;
+	
+	private HashMap<String,Boolean> cachedAuditFlag = new HashMap<String,Boolean>() ;	// needs to be cleaned when ruleList changes
+	
+	public static URLBasedAuthDB getInstance() {
+		if (me == null) {
+			synchronized (URLBasedAuthDB.class) {
+				URLBasedAuthDB temp = me;
+				if (temp == null) {
+					me = new URLBasedAuthDB();
+					me.init() ;
+				}
+			}
+		}
+		return me;
+	}
+
+	public static URLBasedAuthDB getInstanceWithBackEndMocked() {
+		return new URLBasedAuthDB("instanceWithBackednMocked");
+	}
+	
+	private URLBasedAuthDB() {
+		String url 			 = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_PROP);
+		long  refreshInMilli = XaSecureConfiguration.getInstance().getLong(
+				XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
+				XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
+		String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
+		
+		String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_LAST_SAVED_POLICY_FILE_PROP) ;
+		
+		refresher = new Jersey2PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
+	
+		String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_SAVE_FILE_PROP) ;
+		if (saveAsFileName != null) {
+			refresher.setSaveAsFileName(saveAsFileName) ;
+		}
+		
+		if (lastStoredFileName != null) {
+			refresher.setLastStoredFileName(lastStoredFileName);
+		}	
+	}
+
+	private URLBasedAuthDB(String mockName) {
+	}
+	
+	private void init() {
+		refresher.setPolicyChangeListener(this);
+	}
+	
+	
+	@Override
+	public void OnPolicyChange(PolicyContainer aPolicyContainer) {
+		setPolicyContainer(aPolicyContainer);
+	}
+
+
+	public boolean isAccessGranted(String topology, String service, String access, String userName, Set<String> groups, 
+					String requestIp) {
+
+		boolean accessGranted = false;
+		
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Evaluating access for topology: " + topology +
+					", service: " + service +
+					", access: " + access +
+					", requestingIp: " +requestIp +
+					", requestingUser: " + userName +
+					", requestingUserGroups: " + groups);
+		}
+		PolicyContainer policyContainer = getPolicyContainer() ;
+		
+		if (policyContainer == null) {
+			LOG.warn("Denying access: policyContainer is null") ;
+			return false ;
+		}
+		
+		for(Policy policy :  policyContainer.getAcl()) {
+			
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Evaluating policy: " + policy.toString() ) ;
+			}
+			
+			if (!policy.isEnabled()) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Skipping policy: " + policy + ", policy disabled") ;
+				}
+				continue; // jump to next policy
+			}
+			
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Evaluating topology match for policyTopologyList: " + policy.getTopologyList() +
+						", requestTopology: " + topology) ;
+			}
+			
+			boolean topologyMatched = false;
+			
+			List<String> topologyList = policy.getTopologyList();
+			if (topologyList == null || topologyList.isEmpty()) {
+				LOG.debug("Denying access: policy topologyList is empty") ;
+				continue; // jump to next policy
+			}
+			
+			if (topologyList.contains("*") || topologyList.contains(topology)) {
+				topologyMatched = true;
+				LOG.debug("Policy topologyList matches requested topology");
+			}
+			
+			if (!topologyMatched) {
+				for (String policyTopology : topologyList) {
+					if (FilenameUtils.wildcardMatch(topology, policyTopology)) {
+						topologyMatched = true;
+						LOG.debug("Policy topologyList matches requested topology");
+						break; // break out of topologyList
+					}
+				}
+			}
+			if (!topologyMatched) {
+				LOG.debug("Denying access: policy topologyList does not match requested topology") ;
+				continue; // jump to next policy
+			} else {
+				LOG.debug("policy topologyList matches requested topology");
+			}
+			
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Evaluating service match for policyServiceList: " + policy.getServiceList() +
+						", requestService: " + service) ;
+			}
+			
+			boolean serviceMatched = false;
+			
+			List<String> serviceList = policy.getServiceList();
+			if (serviceList == null || serviceList.isEmpty()) {
+				LOG.debug("Denying access: policy serviceList is empty") ;
+				continue; // jump to next policy
+			}
+			
+			if (serviceList.contains("*") || serviceList.contains(service)) {
+				serviceMatched = true;
+				LOG.debug("Policy serviceList matches requested service");
+			}
+			
+			if (!serviceMatched) {
+				for (String policyService : serviceList) {
+					if (FilenameUtils.wildcardMatch(service, policyService)) {
+						serviceMatched = true;
+						LOG.debug("Policy serviceList matches requested service");
+						break; // break out of serviceList 
+					}
+				}
+			}
+			if (!serviceMatched) {
+				LOG.debug("Denying access: policy serviceList does not match requested service") ;
+				continue; // jump to next policy
+			} else {
+				LOG.debug("Policy serviceList matches requested service");
+			}
+			
+			LOG.debug("Checking accessType, IP, User, Group based permission");
+			if ( policy.getPermissions() == null 
+					|| policy.getPermissions().isEmpty()) {
+				LOG.debug("Policy not applicable, no user or group based permission");
+			}
+			
+			for (RolePermission rp : policy.getPermissions()) {
+				
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Evaluating RolePermission: " + rp);
+				}
+
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Checking accessTypeMatch for rolePermissionAccesType: " 
+							+ rp.getAccess() + ", requestAccessType: " + access);
+				}
+				
+				if (rp.getAccess().contains(access)) {
+					
+					LOG.debug("RolePermission accessType matches request accessType");
+					
+					boolean ipMatched = false;
+					List<String> ipList = rp.getIpAddress();
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("Checking ipMatch for rolePermissionIpList: " + ipList +
+								", requestIP: " + requestIp);
+					}
+					
+					if (ipList == null || ipList.isEmpty()) {
+						LOG.debug("RolePermission does not require IP Matching");
+						ipMatched = true;
+					} else if ( ipList.contains("*") ) {
+						LOG.debug("RolePermission allows any IP: *");
+						ipMatched = true;
+					} else {
+						for (String ip : ipList) {
+							if (ipMatches(ip, requestIp)) {
+								LOG.debug("RolePermission IP matches request IP");
+								ipMatched = true;
+								break;// break out of ipList
+							}
+						}
+					}
+					
+					if (!ipMatched) {
+						// ip not matched, jump to next RolePermission check
+						LOG.debug("Request IP does not match RolePermission");
+						continue; // jump to next rolePermission
+					} else {
+						LOG.debug("Request IP matches RolePermission");
+					}
+					
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("Checking userMatch for rolePermissionUsers: " 
+								+ rp.getUsers() + ", requestUser: " + userName);
+					}
+					
+					if ( rp.getUsers() != null && rp.getUsers().contains(userName) ) {
+						LOG.debug("Request user matches RolePermission");
+						return true ;
+					}
+					LOG.debug("RolePermission does not permit request by request user, would check by groups");
+					
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("Checking groupMatch for rolePermissionGroups: " 
+								+ rp.getGroups() + ", requestGroups: " + groups);
+					}
+					
+					for(String ug : groups) {
+						if ( rp.getGroups() != null && rp.getGroups().contains(ug)) {
+							LOG.debug("Request userGroups matches RolePermission");
+							return true ;
+						}
+					}
+					LOG.debug("RolePermission does not permit request by request user groups");
+					
+					if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) {
+						LOG.debug("RolePermission applies to public group");
+						return true ;
+					}
+					
+					LOG.debug("RolePermission does not permit by users, groups or public group");
+				} else {
+					LOG.debug("rolePermissionAccessType does not match requestAccessType");
+				}
+			}
+		}
+		LOG.debug("No matching policy permission found, denying access");
+		return accessGranted;
+	}
+	
+	public boolean isAuditEnabled(String topology, String service) {
+		
+		boolean auditEnabled = false;
+		
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Checcking whether audit is enabled for topology: " + topology +
+					", service: " + service );
+		}
+		
+		PolicyContainer policyContainer = getPolicyContainer() ;
+		if (policyContainer == null) {
+			LOG.warn("PolicyContainer is null") ;
+			return false ;
+		}
+		
+		for(Policy policy :  policyContainer.getAcl()) {
+			
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Evaluating policy: " + policy) ;
+			}
+			
+			if (!policy.isEnabled()) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Skipping policy: " + policy + ", policy disabled") ;
+				}
+				continue; // jump to next policy
+			}
+			
+			if (policy.getAuditInd() == 0) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Skipping policy: " + policy + ", policy audit disabled") ;
+				}
+				continue; // jump to next policy
+			}
+			
+			boolean topologyMatched = false;
+			
+			List<String> topologyList = policy.getTopologyList();
+			if (topologyList == null || topologyList.isEmpty()) {
+				LOG.debug("Policy not applicable: policy topologyList is empty") ;
+				continue; // jump to next policy
+			}
+			
+			if (topologyList.contains("*") || topologyList.contains(topology)) {
+				topologyMatched = true;
+				LOG.debug("Policy topologyList matches requested topology");
+			}
+			
+			if (!topologyMatched) {
+				for (String policyTopology : topologyList) {
+					if (FilenameUtils.wildcardMatch(topology, policyTopology)) {
+						topologyMatched = true;
+						LOG.debug("Policy topologyList matches requested topology");
+						break; // break out of topologyList check
+					}
+				}
+			}
+			if (!topologyMatched) {
+				LOG.debug("Policy not applicable: polocy topologyList does not match requested topology") ;
+				continue; // jump to next policy
+			} else {
+				LOG.debug("Policy topologyList matches requested topology");
+			}
+			
+			boolean serviceMatched = false;
+			
+			List<String> serviceList = policy.getServiceList();
+			if (serviceList == null || serviceList.isEmpty()) {
+				LOG.debug("Policy not applicable: serviceList is empty") ;
+				continue; // jump to next policy
+			}
+			
+			if (serviceList.contains("*") || serviceList.contains(service)) {
+				serviceMatched = true;
+				LOG.debug("Policy serviceList matches requested service");
+			}
+			
+			if (!serviceMatched) {
+				for (String policyService : serviceList) {
+					if (FilenameUtils.wildcardMatch(service, policyService)) {
+						serviceMatched = true;
+						LOG.debug("Policy serviceList matches requested service");
+						break; // break out of serviceList check
+					}
+				}
+			}
+			if (!serviceMatched) {
+				LOG.debug("Policy not applicable: policy serviceList does not match requested service") ;
+				continue; // jump to next policy
+			} else {
+				LOG.debug("Policy serviceList matches requested service");
+			}
+			auditEnabled = true;;
+			break; // break out of policyList check
+		}
+		return auditEnabled;
+	}
+		
+	public PolicyContainer getPolicyContainer() {
+		return policyContainer;
+	}
+
+	
+	synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) {
+		
+		for(Policy p : aPolicyContainer.getAcl()) {
+			for(RolePermission rp : p.getPermissions()) {
+				// lowercase accesType value stings
+				List<String> rpaccess = rp.getAccess() ;
+				if (rpaccess != null && rpaccess.size() > 0) {
+					List<String> temp = new ArrayList<String>() ;
+					for(String s : rpaccess) {
+						temp.add(s.toLowerCase()) ;
+					}
+					rp.setAccess(temp);
+				}
+			}
+		}
+		
+		this.policyContainer = aPolicyContainer ;
+		this.cachedAuditFlag.clear(); 
+	}
+
+
+	private boolean ipMatches(String policyIp, String requestIp) {
+		if (policyIp == null) {
+			return false;
+		}
+		policyIp = policyIp.trim();
+		if (policyIp.isEmpty()) {
+			return false;
+		}
+		boolean ipMatched = false;
+		boolean wildEnd = false;
+		if (policyIp.contains(".")) {
+			while (policyIp.endsWith(".*")) {
+				wildEnd = true;
+				policyIp = policyIp.substring(0, policyIp.lastIndexOf(".*"));
+			}
+			if (wildEnd) {
+				policyIp = policyIp + ".";
+			}
+		} else if (policyIp.contains(":")) {
+			while (policyIp.endsWith(":*")) {
+				wildEnd = true;
+				policyIp = policyIp.substring(0, policyIp.lastIndexOf(":*"));
+			}
+			if (wildEnd) {
+				policyIp = policyIp + ":";
+			}
+		}
+		if (wildEnd && requestIp.startsWith(policyIp)) {
+			ipMatched = true;
+		} else if (policyIp.equals(requestIp)) {
+			ipMatched = true;
+		}
+		return ipMatched;
+	}
+	
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java
new file mode 100644
index 0000000..d3d2500
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.xasecure.pdp.knox;
+
+import java.util.Set;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.xasecure.authorization.knox.KnoxAccessVerifier;
+
+public class XASecureAuthorizer  implements KnoxAccessVerifier  {
+
+	private static final Log LOG = LogFactory.getLog(XASecureAuthorizer.class) ;
+	
+	private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
+	
+	public XASecureAuthorizer() {
+	}
+
+	@Override
+	public boolean isAccessAllowed(String topologyName, String serviceName, String accessType,
+			String userName, Set<String> groups, String requestIp) {
+		boolean accessAllowed = authDB.isAccessGranted(topologyName, serviceName, accessType, userName, groups, 
+				requestIp);
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Computed access permission for topology: " + topologyName +
+					", service: " + serviceName +
+					", access: " + accessType +
+					", requestingIp: " +requestIp +
+					", requestingUser: " + userName +
+					", requestingUserGroups: " + groups +
+					", permitted: " + accessAllowed);
+		}
+		return accessAllowed;
+	}
+	
+	@Override
+	public boolean isAuditEnabled(String topologyName, String serviceName) {
+		boolean auditEnabled = authDB.isAuditEnabled(topologyName, serviceName);
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Computed audit enabled for topology: " + topologyName +
+					", service: " + serviceName +
+					", auditLogEnabled: " + auditEnabled);
+		}
+		return auditEnabled;
+	}
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java
new file mode 100644
index 0000000..c851a11
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.xasecure.pdp.knox.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class XASecurePDPKnoxDeploymentContributor extends ProviderDeploymentContributorBase {
+
+  private static final String FILTER_CLASSNAME = "com.xasecure.pdp.knox.filter.XASecurePDPKnoxFilter";
+
+  @Override
+  public String getRole() {
+    return "authorization";
+  }
+
+  @Override
+  public String getName() {
+    return "XASecurePDPKnox";
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeProvider( DeploymentContext context, Provider provider ) {
+  }
+
+  @Override
+  public void contributeFilter( DeploymentContext context, Provider provider, Service service, 
+      ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    // add resource role to params so that we can determine the acls to enforce at runtime
+    params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
+
+    // blindly add all the provider params as filter init params
+    // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
+    Map<String, String> providerParams = provider.getParams();
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+    }
+
+    resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java
new file mode 100644
index 0000000..af67146
--- /dev/null
+++ b/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java
@@ -0,0 +1,211 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.xasecure.pdp.knox.filter;
+
+import java.io.IOException;
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
+import org.apache.hadoop.gateway.security.GroupPrincipal;
+import org.apache.hadoop.gateway.security.ImpersonatedPrincipal;
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+
+import com.xasecure.audit.model.EnumRepositoryType;
+import com.xasecure.audit.model.KnoxAuditEvent;
+import com.xasecure.audit.provider.AuditProvider;
+import com.xasecure.audit.provider.AuditProviderFactory;
+import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
+import com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants;
+import com.xasecure.authorization.knox.KnoxAccessVerifier;
+import com.xasecure.authorization.knox.KnoxAccessVerifierFactory;
+
+public class XASecurePDPKnoxFilter implements Filter {
+
+	private static final Log LOG = LogFactory.getLog(XASecurePDPKnoxFilter.class);
+	private static final String  ACL_ENFORCER = "xasecure-acl";
+	private static final String PERM_ALLOW = "allow";
+	private String resourceRole = null;
+	private KnoxAccessVerifier knoxAccessVerifier;
+
+
+	AuditProvider auditProvider = AuditProviderFactory.getAuditProvider();
+	private final String REPOSITORY_NAME = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
+
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+		resourceRole = getInitParameter(filterConfig, "resource.role");
+		knoxAccessVerifier = KnoxAccessVerifierFactory.getInstance();
+	}
+
+	private String getInitParameter(FilterConfig filterConfig, String paramName) {
+		return filterConfig.getInitParameter(paramName.toLowerCase());
+	}
+
+	public void destroy() {
+	}
+
+	public void doFilter(ServletRequest request, ServletResponse response,
+			FilterChain chain) throws IOException, ServletException {
+
+		String sourceUrl = (String) request
+				.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
+		String topologyName = getTopologyName(sourceUrl);
+		String serviceName = getServiceName();
+
+		Subject subject = Subject.getSubject(AccessController.getContext());
+
+		Principal primaryPrincipal = (Principal) subject.getPrincipals(
+				PrimaryPrincipal.class).toArray()[0];
+		String primaryUser = primaryPrincipal.getName();
+
+		String impersonatedUser = null;
+		Object[] impersonations = subject.getPrincipals(
+				ImpersonatedPrincipal.class).toArray();
+		if (impersonations != null && impersonations.length > 0) {
+			impersonatedUser = ((Principal) impersonations[0]).getName();
+		}
+
+		String user = (impersonatedUser != null) ? impersonatedUser
+				: primaryUser;
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: "
+					+ impersonatedUser + ", effectiveUser: " + user);
+		}
+
+		Object[] groupObjects = subject.getPrincipals(GroupPrincipal.class)
+				.toArray();
+		Set<String> groups = new HashSet<String>();
+		for (Object obj : groupObjects) {
+			groups.add(((Principal) obj).getName());
+		}
+
+		String clientIp = request.getRemoteAddr();
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: "
+					+ impersonatedUser + ", effectiveUser: " + user +
+					", groups: " + groups + ", clientIp: " + clientIp);
+		}
+		boolean accessAllowed = knoxAccessVerifier.isAccessAllowed(
+				topologyName, serviceName, PERM_ALLOW, user, groups, clientIp);
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Access allowed: " + accessAllowed);
+		}
+		if (accessAllowed) {
+			chain.doFilter(request, response);
+			if (knoxAccessVerifier.isAuditEnabled(topologyName, serviceName)) {
+				LOG.debug("Audit is enabled");
+				logAuditEvent(user, clientIp, topologyName, serviceName,
+						"allow", true);
+			} else {
+				LOG.debug("Audit is not  enabled");
+			}
+		} else {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Access is denied");
+			}
+			if (knoxAccessVerifier.isAuditEnabled(topologyName, serviceName)) {
+				LOG.debug("Audit is enabled");
+				logAuditEvent(user, clientIp, topologyName, serviceName,
+						"allow", false);
+			} else {
+				LOG.debug("Audit is not  enabled");
+			}
+			sendForbidden((HttpServletResponse) response);
+		}
+	}
+
+	private void sendForbidden(HttpServletResponse res) {
+		sendErrorCode(res, 403);
+	}
+
+	private void sendErrorCode(HttpServletResponse res, int code) {
+		try {
+			res.sendError(code);
+		} catch (IOException e) {
+			LOG.error("Error while redireting:", e);
+		}
+	}
+
+	private String getTopologyName(String requestUrl) {
+		if (requestUrl == null) {
+			return null;
+		}
+		String url = requestUrl.trim();
+		String[] tokens = url.split("/");
+		if (tokens.length > 2) {
+			return tokens[2];
+		} else {
+			return null;
+		}
+	}
+
+	private String getServiceName() {
+		return resourceRole;
+	}
+
+	private void logAuditEvent(String userName, String clientIp, 
+			String topology, String service,
+			String accessType, boolean accessGranted) {
+
+		KnoxAuditEvent auditEvent = new KnoxAuditEvent();
+
+		auditEvent.setUser(userName == null ? 
+				XaSecureHadoopConstants.AUDITLOG_EMPTY_STRING : userName);
+		auditEvent.setResourcePath("/" + topology + "/" + service);
+		auditEvent.setResourceType("service");
+		auditEvent.setAccessType(accessType);
+		auditEvent.setClientIP(clientIp);
+		auditEvent.setEventTime(new Date());
+		auditEvent.setAccessResult((short) (accessGranted ? 1 : 0));
+		auditEvent.setResultReason(null);
+		auditEvent.setRepositoryType(EnumRepositoryType.KNOX);
+		auditEvent.setRepositoryName(REPOSITORY_NAME);
+		auditEvent.setAclEnforcer(ACL_ENFORCER);
+	
+		try {
+			LOG.debug("logEvent [" + auditEvent + "] - START");
+			
+			AuditProvider ap = AuditProviderFactory.getAuditProvider();
+			ap.log(auditEvent);
+			
+			LOG.debug("logEvent [" + auditEvent + "] - END");
+		} catch (Throwable t) {
+			LOG.error("ERROR logEvent [" + auditEvent + "]", t);
+		}
+	}
+
+
+}


Mime
View raw message