Return-Path: 
 <commits-return-105-apmail-argus-commits-archive=argus.apache.org@argus.incubator.apache.org>
X-Original-To: apmail-argus-commits-archive@minotaur.apache.org
Delivered-To: apmail-argus-commits-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 9BAE9118F1
	for <apmail-argus-commits-archive@minotaur.apache.org>;
 Sun, 17 Aug 2014 22:15:57 +0000 (UTC)
Received: (qmail 44564 invoked by uid 500); 17 Aug 2014 22:15:57 -0000
Delivered-To: apmail-argus-commits-archive@argus.apache.org
Received: (qmail 44546 invoked by uid 500); 17 Aug 2014 22:15:57 -0000
Mailing-List: contact commits-help@argus.incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@argus.incubator.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@argus.incubator.apache.org>
List-Post: <mailto:commits@argus.incubator.apache.org>
List-Id: <commits.argus.incubator.apache.org>
Reply-To: dev@argus.incubator.apache.org
Delivered-To: mailing list commits@argus.incubator.apache.org
Received: (qmail 44534 invoked by uid 99); 17 Aug 2014 22:15:57 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 17 Aug 2014 22:15:57 +0000
X-ASF-Spam-Status: No, hits=-2000.7 required=5.0
	tests=ALL_TRUSTED,RP_MATCHES_RCVD
X-Spam-Check-By: apache.org
Received: from [140.211.11.3] (HELO mail.apache.org) (140.211.11.3)
    by apache.org (qpsmtpd/0.29) with SMTP; Sun, 17 Aug 2014 22:15:34 +0000
Received: (qmail 44166 invoked by uid 99); 17 Aug 2014 22:15:32 -0000
Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org)
 (140.211.11.114)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 17 Aug 2014 22:15:32 +0000
Received: by tyr.zones.apache.org (Postfix, from userid 65534)
	id 33C1B929EDE; Sun, 17 Aug 2014 22:15:32 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: madhan@apache.org
To: commits@argus.incubator.apache.org
Date: Sun, 17 Aug 2014 22:15:33 -0000
Message-Id: <5e1970da700d4d26921d1f0a94b28a6f@git.apache.org>
In-Reply-To: <96ba5e309b0a47a583a0e64d47c39aaa@git.apache.org>
References: <96ba5e309b0a47a583a0e64d47c39aaa@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [2/2] git commit: ARGUS-3: Disallow DFS command, similar to SQLStd
 authorizer. One difference from SQLStd authorizer is that Argus agent will
 deny for all users, instead of allowing the command for admin users;
 because Argus agnet doesn't have built-in n
X-Virus-Checked: Checked by ClamAV on apache.org

ARGUS-3: Disallow DFS command, similar to SQLStd authorizer. One
difference from SQLStd authorizer is that Argus agent will deny for all
users, instead of allowing the command for admin users; because Argus
agnet doesn't have built-in notion of admin users.

Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/8908fb8c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/8908fb8c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/8908fb8c

Branch: refs/heads/master
Commit: 8908fb8c2eac90648beeb44ea46d73191e00659d
Parents: f021846
Author: mneethiraj <mneethiraj@hortonworks.com>
Authored: Fri Aug 15 17:15:22 2014 -0700
Committer: mneethiraj <mneethiraj@hortonworks.com>
Committed: Fri Aug 15 17:15:22 2014 -0700

----------------------------------------------------------------------
 .../hive/authorizer/XaSecureHiveAuthorizer.java | 71 +++++++++++++++++++-
 1 file changed, 68 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/8908fb8c/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
index a7617ba..2e9c6c4 100644
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
+++ b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
@@ -54,7 +54,6 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase {
 		mHiveAccessVerifier = XaHiveAccessVerifierFactory.getInstance() ;
 	}
 
-
 	@Override
 	public void checkPrivileges(HiveOperationType         hiveOpType,
 								List<HivePrivilegeObject> inputHObjs,
@@ -65,6 +64,12 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context));
 		}
+		
+		if(hiveOpType == HiveOperationType.DFS) {
+			handleDfsCommand(hiveOpType, inputHObjs, outputHObjs, context);
+			
+			return;
+		}
 
 		UserGroupInformation ugi =  this.getCurrentUserGroupInfo();
 
@@ -429,8 +434,69 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase {
 
         return ret;
     }
-	private void logAuditEvent(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo, boolean accessGranted) {
+
+	private void handleDfsCommand(HiveOperationType         hiveOpType,
+								  List<HivePrivilegeObject> inputHObjs,
+							      List<HivePrivilegeObject> outputHObjs,
+							      HiveAuthzContext          context)
+	      throws HiveAuthzPluginException, HiveAccessControlException {
+
+		String dfsCommandParams = null;
+
+		if(inputHObjs != null) {
+			for(HivePrivilegeObject hiveObj : inputHObjs) {
+				if(hiveObj.getType() == HivePrivilegeObjectType.COMMAND_PARAMS) {
+					dfsCommandParams = StringUtil.toString(hiveObj.getCommandParams());
+
+					if(! StringUtil.isEmpty(dfsCommandParams)) {
+						break;
+					}
+				}
+			}
+		}
+		
+		UserGroupInformation ugi = this.getCurrentUserGroupInfo();
+
+		logAuditEventForDfs(ugi, dfsCommandParams, false);
+
+		throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
+											 ugi.getShortUserName(), hiveOpType.name()));
+		
+	}
+   
+    private void logAuditEventForDfs(UserGroupInformation ugi, String dfsCommand, boolean accessGranted) {
+		HiveAuditEvent auditEvent = new HiveAuditEvent();
+
+		try {
+			auditEvent.setAclEnforcer(XaSecureModuleName);
+			auditEvent.setResourceType("@dfs"); // to be consistent with earlier release
+			auditEvent.setAccessType("DFS");
+			auditEvent.setAction("DFS");
+			auditEvent.setUser(ugi.getShortUserName());
+			auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
+			auditEvent.setEventTime(StringUtil.getUTCDate());
+			auditEvent.setRepositoryType(EnumRepositoryType.HIVE);
+			auditEvent.setRepositoryName(repositoryName) ;
+			auditEvent.setRequestData(dfsCommand);
+
+			auditEvent.setResourcePath(dfsCommand);
 		
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("logAuditEvent [" + auditEvent + "] - START");
+			}
+
+			AuditProviderFactory.getAuditProvider().log(auditEvent);
+
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("logAuditEvent [" + auditEvent + "] - END");
+			}
+		}
+		catch(Throwable t) {
+			LOG.error("ERROR logEvent [" + auditEvent + "]", t);
+		}
+    }
+
+	private void logAuditEvent(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo, boolean accessGranted) {
 		HiveAuditEvent auditEvent = new HiveAuditEvent();
 
 		try {
@@ -467,7 +533,6 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase {
 		catch(Throwable t) {
 			LOG.error("ERROR logEvent [" + auditEvent + "]", t);
 		}
-		
 	}
 	
 	private String toString(HiveOperationType         hiveOpType,