ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sneet...@apache.org
Subject [1/2] git commit: ARGUS-9: added based on earlier review from Madhan and UGI support for getting groups
Date Fri, 05 Sep 2014 02:17:06 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master ea17097a2 -> 31b101b3e


ARGUS-9: added based on earlier review from Madhan and UGI support for getting groups


Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/1ae7dc8a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/1ae7dc8a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/1ae7dc8a

Branch: refs/heads/master
Commit: 1ae7dc8a233fc6440d871c4f81189c3efd9ad8e5
Parents: 933bae5
Author: sneethiraj <sneethir@apache.org>
Authored: Thu Sep 4 16:48:16 2014 -0400
Committer: sneethiraj <sneethir@apache.org>
Committed: Thu Sep 4 21:32:13 2014 -0400

----------------------------------------------------------------------
 .../com/xasecure/pdp/storm/StormAuthRule.java   |  24 ++---
 .../com/xasecure/pdp/storm/URLBasedAuthDB.java  |   1 +
 .../.settings/org.eclipse.core.resources.prefs  |   1 +
 storm-agent/scripts/install.properties          |   5 +
 storm-agent/scripts/install.sh                  |  82 ++++++++++++++-
 storm-agent/scripts/uninstall.sh                |  95 +++++++++--------
 .../authorizer/XaSecureStormAuthorizer.java     | 101 ++++++++++---------
 7 files changed, 195 insertions(+), 114 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/1ae7dc8a/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
index b9ead2a..1cdabef 100644
--- a/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
+++ b/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
@@ -3,6 +3,10 @@ package com.xasecure.pdp.storm;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.apache.commons.io.FilenameUtils;
+
+import com.xasecure.authorization.utils.StringUtil;
+
 public class StormAuthRule {
 	private String topologyName ;
 	private List<String> accessTypeList ;
@@ -65,7 +69,7 @@ public class StormAuthRule {
 			ret = "*".equals(this.topologyName) ;
 		}
 		else {
-			ret = (aTopologyName.equals(this.topologyName) || aTopologyName.matches(this.topologyName))
;
+			ret = (aTopologyName.equals(this.topologyName) ||  FilenameUtils.wildcardMatch(aTopologyName,this.topologyName))
;
 		}
 		return ret ;
 	}
@@ -105,22 +109,10 @@ public class StormAuthRule {
 	@Override
 	public String toString() {
 		return "StormAuthRule: { topologyName: [" + topologyName + "]," +
-			    "userList: [" + toList(userList) + "]" + 
-			    "groupList: [" + toList(groupList) + "]" + 
-			    "accessTypeList: [" + toList(accessTypeList) + "]" + 
+			    "userList: [" + StringUtil.toString(userList) + "]" + 
+			    "groupList: [" + StringUtil.toString(groupList) + "]" + 
+			    "accessTypeList: [" + StringUtil.toString(accessTypeList) + "]" + 
 			    "auditEnabled: [" + auditEnabled  + "] }";
  	}
 	
-	private String toList(List<String> strList) {
-		StringBuilder sb = new StringBuilder() ;
-		if (strList != null) {
-			for(String s : strList) {
-				sb.append(s).append(",") ;
-			}
-		}
-		return sb.toString() ;
-	}
-	
-	
-	
 }

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/1ae7dc8a/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
index ff8b6a2..c3e3710 100644
--- a/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
+++ b/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
@@ -125,6 +125,7 @@ public class URLBasedAuthDB implements PolicyChangeListener, XaStormAccessVerifi
 					if (rule.isOperationAllowed(aOperationName)) {
 						if (rule.isUserAllowed(aUserName, aGroupName)) {
 							accessAllowed = true ;
+							break ;
 						}
 					}
 				}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/1ae7dc8a/embededwebserver/.settings/org.eclipse.core.resources.prefs
----------------------------------------------------------------------
diff --git a/embededwebserver/.settings/org.eclipse.core.resources.prefs b/embededwebserver/.settings/org.eclipse.core.resources.prefs
index e9441bb..f9fe345 100644
--- a/embededwebserver/.settings/org.eclipse.core.resources.prefs
+++ b/embededwebserver/.settings/org.eclipse.core.resources.prefs
@@ -1,3 +1,4 @@
 eclipse.preferences.version=1
 encoding//src/main/java=UTF-8
+encoding//src/test/java=UTF-8
 encoding/<project>=UTF-8

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/1ae7dc8a/storm-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/storm-agent/scripts/install.properties b/storm-agent/scripts/install.properties
index 7b98c12..1a1ec6a 100644
--- a/storm-agent/scripts/install.properties
+++ b/storm-agent/scripts/install.properties
@@ -9,6 +9,11 @@
 POLICY_MGR_URL=
 
 #
+# Location of mysql client library (please check the location of the jar file)
+#
+MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
+
+#
 # This is the repository name created within policy manager
 #
 # Example:

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/1ae7dc8a/storm-agent/scripts/install.sh
----------------------------------------------------------------------
diff --git a/storm-agent/scripts/install.sh b/storm-agent/scripts/install.sh
index 8adab27..5de6106 100644
--- a/storm-agent/scripts/install.sh
+++ b/storm-agent/scripts/install.sh
@@ -28,6 +28,18 @@ install_dir=`dirname $0`
 
 [ "${install_dir}" = "." ] && install_dir=`pwd`
 
+
+#verify mysql-connector path is valid
+MYSQL_CONNECTOR_JAR=`grep '^MYSQL_CONNECTOR_JAR'  ${install_dir}/install.properties | awk
-F= '{ print $2 }'`
+echo "[I] Checking MYSQL CONNECTOR FILE : $MYSQL_CONNECTOR_JAR"
+if test -f "$MYSQL_CONNECTOR_JAR"; then
+    echo "[I] MYSQL CONNECTOR FILE : $MYSQL_CONNECTOR_JAR file found"
+else
+    echo "[E] MYSQL CONNECTOR FILE : $MYSQL_CONNECTOR_JAR does not exists" ; exit 1;
+fi
+#copying mysql connector jar file to lib directory
+cp ${MYSQL_CONNECTOR_JAR} ${install_dir}/lib
+
 #echo "Current Install Directory: [${install_dir}]"
 
 
@@ -46,7 +58,7 @@ CUR_VERSION_FILE=${XASECURE_ROOT}/.current_version
 CUR_CFG_DIR_FILE=${XASECURE_ROOT}/.config_dir
 PRE_INSTALL_CONFIG=${XASECURE_ROOT}/${BACKUP_TYPE}-${XASECURE_VERSION}
 
-if [ -d ${XASECURE_ROOT} ]
+if [ ! -d ${XASECURE_ROOT} ]
 then
 	mkdir -p ${XASECURE_ROOT}
 fi
@@ -210,4 +222,72 @@ done
 chmod go-rwx ${storm_conf_dir}/xasecure-policymgr-ssl.xml
 chown ${CONFIG_FILE_OWNER} ${storm_conf_dir}/xasecure-policymgr-ssl.xml
 
+#
+# Adding authorizer to storm.yaml configuration file ...
+#
+STORM_DIR=/etc/storm
+STORM_CONFIG_FILE=storm.yaml
+STORM_BIN_FILE=/usr/bin/storm
+
+dt=`date '+%Y%m%d%H%M%S'`
+CONFIG_FILE=${STORM_DIR}/${STORM_CONFIG_FILE}
+ARCHIVE_FILE=${STORM_DIR}/.${STORM_CONFIG_FILE}.${dt}
+STORM_BIN_ARCHIVE_FILE=/usr/bin/.storm.${dt}
+
+cp ${CONFIG_FILE} ${ARCHIVE_FILE}
+
+awk -F: 'BEGIN {
+	configured = 0 ;
+}
+{ 
+	if ($1 == "nimbus.authorizer") {
+		if ($2 ~ /^[ \t]*"com.xasecure.authorization.storm.authorizer.XaSecureStormAuthorizer"[
\t]*$/) {
+			configured = 1 ;
+			printf("%s\n",$0) ;
+		}
+		else {
+			printf("#%s\n",$0);
+			printf("nimbus.authorizer: \"com.xasecure.authorization.storm.authorizer.XaSecureStormAuthorizer\"\n")
;
+			configured = 1 ;
+		}
+	}
+	else {
+		printf("%s\n",$0) ;
+	}
+}
+END {
+	if (configured == 0) {
+		printf("nimbus.authorizer: \"com.xasecure.authorization.storm.authorizer.XaSecureStormAuthorizer\"\n")
;
+	}
+}' ${ARCHIVE_FILE} > ${ARCHIVE_FILE}.new 
+
+if [ ! -z ${ARCHIVE_FILE}.new ] 
+then
+	cat ${ARCHIVE_FILE}.new > ${CONFIG_FILE}
+	rm -f ${ARCHIVE_FILE}.new
+else
+	echo "ERROR: ${ARCHIVE_FILE}.new file has not created successfully."
+	exit 1
+fi
+
+#
+# Modify the CLASSPATH of the Storm Servers (ui, nimbus) ....
+#
+grep 'ret.extend(\["/etc/storm/conf"' ${STORM_BIN_FILE} > /dev/null
+if [ $? -ne 0 ]
+then
+        temp=/tmp/storm.tmp.$$
+        cat ${STORM_BIN_FILE} | sed -e '/ret = get_jars_full(STORM_DIR)/ a\
+    ret.extend(["/etc/storm/conf","/usr/lib/storm/lib/*"])' > ${temp}
+        if [ ! -z ${temp} ]
+        then
+				cp ${STORM_BIN_FILE} ${STORM_BIN_ARCHIVE_FILE}
+                cat ${temp} > ${STORM_BIN_FILE}
+		else
+			echo "ERROR: ${temp} file has not been created successfully."
+			exit 1
+        fi
+fi
+
+
 exit 0

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/1ae7dc8a/storm-agent/scripts/uninstall.sh
----------------------------------------------------------------------
diff --git a/storm-agent/scripts/uninstall.sh b/storm-agent/scripts/uninstall.sh
index 90643a5..7f07ded 100644
--- a/storm-agent/scripts/uninstall.sh
+++ b/storm-agent/scripts/uninstall.sh
@@ -1,54 +1,49 @@
 #!/bin/bash
-COMPONENT_NAME=storm
-CFG_DIR=/etc/${COMPONENT_NAME}/conf
-XASECURE_ROOT=/etc/xasecure/${COMPONENT_NAME}
-BACKUP_TYPE=pre
-CUR_VERSION_FILE=${XASECURE_ROOT}/.current_version
-CUR_CFG_DIR_FILE=${XASECURE_ROOT}/.config_dir
-if [ -f ${CUR_VERSION_FILE} ]
+#
+# Replacing authorizer to storm.yaml configuration file ...
+#
+STORM_DIR=/etc/storm
+STORM_CONFIG_FILE=storm.yaml
+
+dt=`date '+%Y%m%d%H%M%S'`
+CONFIG_FILE=${STORM_DIR}/${STORM_CONFIG_FILE}
+ARCHIVE_FILE=${STORM_DIR}/.${STORM_CONFIG_FILE}.${dt}
+
+cp ${CONFIG_FILE} ${ARCHIVE_FILE}
+
+awk -F: 'BEGIN {
+	configured = 0 ;
+}
+{ 
+	if ($1 == "nimbus.authorizer") {
+		if ($2 ~ /^[ \t]*"backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"[ \t]*$/)
{
+			configured = 1 ;
+			printf("%s\n",$0) ;
+		}
+		else {
+			printf("#%s\n",$0);
+			printf("nimbus.authorizer: \"backtype.storm.security.auth.authorizer.SimpleACLAuthorizer\"\n")
;
+			configured = 1 ;
+		}
+	}
+	else {
+		printf("%s\n",$0) ;
+	}
+}
+END {
+	if (configured == 0) {
+		printf("nimbus.authorizer: \"backtype.storm.security.auth.authorizer.SimpleACLAuthorizer\"\n")
;
+	}
+}' ${ARCHIVE_FILE} > ${ARCHIVE_FILE}.new 
+
+if [ ! -z ${ARCHIVE_FILE}.new ] 
 then
-	XASECURE_VERSION=`cat ${CUR_VERSION_FILE}`
-	PRE_INSTALL_CONFIG=${XASECURE_ROOT}/${BACKUP_TYPE}-${XASECURE_VERSION}
-	dt=`date '+%Y%m%d%H%M%S'`
-	if [ -d "${PRE_INSTALL_CONFIG}" ]
-	then
-		if [ -f ${CUR_CFG_DIR_FILE} ] 
-		then
-			CFG_DIR=`cat ${CUR_CFG_DIR_FILE}`
-		fi 
-		[ -d ${CFG_DIR} ] && mv ${CFG_DIR} ${CFG_DIR}-${dt}
-		( cd ${PRE_INSTALL_CONFIG} ; find . -print | cpio -pdm ${CFG_DIR} )
-		[ -f ${CUR_VERSION_FILE} ] && mv ${CUR_VERSION_FILE} ${CUR_VERSION_FILE}-uninstalled-${dt}
-		echo "XASecure version - ${XASECURE_VERSION} has been uninstalled successfully."
-	else
-		echo "ERROR: Unable to find pre-install configuration directory: [${PRE_INSTALL_CONFIG}]"
-		exit 1
-	fi
+	cat ${ARCHIVE_FILE}.new > ${CONFIG_FILE}
+	rm -f ${ARCHIVE_FILE}.new
+	echo "Apache Argus Plugin has been uninstalled from Storm Service. Please restart Storm
nimbus and ui services ..."
 else
-	cd ${CFG_DIR}
-	saved_files=`find . -type f -name '.*' |  sort | grep -v -- '-new.' | grep '[0-9]*$' | grep
-v -- '-[0-9]*$' | sed -e 's:\.[0-9]*$::' | sed -e 's:^./::' | sort -u`
-	dt=`date '+%Y%m%d%H%M%S'`
-	if [ "${saved_files}" != "" ]
-	then
-	        for f in ${saved_files}
-	        do
-	                oldf=`ls ${f}.[0-9]* | sort | head -1`
-	                if [ -f "${oldf}" ]
-	                then
-	                        nf=`echo ${f} | sed -e 's:^\.::'`
-	                        if [ -f "${nf}" ]
-	                        then
-	                                echo "+cp -p ${nf} .${nf}-${dt}"
-	                                cp -p ${nf} .${nf}-${dt}
-	                                echo "+cp ${oldf} ${nf}"
-	                                cp ${oldf} ${nf}
-	                        else
-	                                echo "ERROR: ${nf} not found to save. However, old file
is being recovered."
-	                                echo "+cp -p ${oldf} ${nf}"
-	                                cp -p ${oldf} ${nf}
-	                        fi
-	                fi
-	        done
-	        echo "XASecure configuration has been uninstalled successfully."
-	fi
+	echo "ERROR: ${ARCHIVE_FILE}.new file has not created successfully."
+	exit 1
 fi
+
+exit 0

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/1ae7dc8a/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java
b/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java
index c96a7dd..697f6b0 100644
--- a/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java
+++ b/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java
@@ -3,6 +3,7 @@ package com.xasecure.authorization.storm.authorizer;
 import java.security.Principal;
 import java.util.Map;
 
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -26,8 +27,6 @@ public class XaSecureStormAuthorizer implements IAuthorizer {
 	private static final String XaSecureModuleName =  XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_XASECURE_MODULE_ACL_NAME_PROP
, XaSecureHadoopConstants.DEFAULT_XASECURE_MODULE_ACL_NAME) ;
 	
 	private static final String repositoryName     = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
-
-	
 	
 	private XaStormAccessVerifier xaStormVerifier = XaStormAccessVerifierFactory.getInstance()
;
 	
@@ -47,51 +46,65 @@ public class XaSecureStormAuthorizer implements IAuthorizer {
 		String topologyName = null ;
 		
 		try {
-		topologyName = (aTopologyConfigMap == null ? "" : (String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME))
;
-
-		LOG.info("[req "+ aRequestContext.requestID()+ "] Access "
-                + " from: [" + aRequestContext.remoteAddress() + "]"
-                + " user: [" + aRequestContext.principal() + "],"  
-                + " op:   [" + aOperationName + "],"
-                + "topology: [" + topologyName + "]") ;
-		
-		if (aTopologyConfigMap != null) {
-			for(Object keyObj : aTopologyConfigMap.keySet()) {
-				Object valObj = aTopologyConfigMap.get(keyObj) ;
-				LOG.info("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
+			topologyName = (aTopologyConfigMap == null ? "" : (String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME))
;
+	
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("[req "+ aRequestContext.requestID()+ "] Access "
+		                + " from: [" + aRequestContext.remoteAddress() + "]"
+		                + " user: [" + aRequestContext.principal() + "],"  
+		                + " op:   [" + aOperationName + "],"
+		                + "topology: [" + topologyName + "]") ;
+				
+				if (aTopologyConfigMap != null) {
+					for(Object keyObj : aTopologyConfigMap.keySet()) {
+						Object valObj = aTopologyConfigMap.get(keyObj) ;
+						LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
+					}
+				}
+				else {
+					LOG.debug("TOPOLOGY CONFIG MAP is passed as null.") ;
+				}
 			}
-		}
-		else {
-			LOG.info("TOPOLOGY CONFIG MAP is passed as null.") ;
-		}
-		
-		Principal user = aRequestContext.principal() ;
-		
-		if (user != null) {
-			
-			String userName = user.getName() ;
+	
+			String userName = null ;
+			String[] groups = null ;
+	
+			Principal user = aRequestContext.principal() ;
 			
+			if (user != null) {
+				userName = user.getName() ;
+				if (userName != null) {
+					UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ;
+					userName = ugi.getShortUserName() ;
+					groups = ugi.getGroupNames() ;
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName
+ "], groups:[" + StringUtil.toString(groups) + "]") ;
+					}
+
+				}
+			}
+				
+				
 			if (userName != null) {
-				int foundAt = userName.indexOf("/") ;
-				if (foundAt > -1) {
-					userName = userName.substring(0,foundAt) ;
+				accessAllowed = xaStormVerifier.isAccessAllowed(userName, groups, aOperationName, topologyName)
;
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups)
+ "]: verifying using [" + xaStormVerifier.getClass().getName() + "], allowedFlag => ["
+ accessAllowed + "]");
 				}
 			}
-
-			String[] groups = null ;
-			
-			LOG.info("User found from principal [" + userName + "] and verifying using [" + xaStormVerifier.getClass().getName()
+ "]");
-			
-			accessAllowed = xaStormVerifier.isAccessAllowed(userName, groups, aOperationName, topologyName)
;
-			
+			else {
+				LOG.info("NULL User found from principal [" + user + "]: Skipping authorization;  allowedFlag
=> [" + accessAllowed + "]");
+			}
+				
 			boolean isAuditEnabled = xaStormVerifier.isAudited(topologyName) ;
 			
-			LOG.info("User found from principal [" + userName + "] and verifying using [" + xaStormVerifier
+ "], Audit Enabled:" + isAuditEnabled);
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("User found from principal [" + userName + "] and verifying using [" + xaStormVerifier
+ "], Audit Enabled:" + isAuditEnabled);
+			}
 			
 			if (isAuditEnabled) {
 				
 				StormAuditEvent auditEvent = new StormAuditEvent() ;
-
+	
 				String sessionId = null ;
 				String clientIp = null ;
 				
@@ -114,17 +127,15 @@ public class XaSecureStormAuthorizer implements IAuthorizer {
 					auditEvent.setRepositoryType(EnumRepositoryType.STORM);
 					auditEvent.setRepositoryName(repositoryName) ;
 					auditEvent.setRequestData("");
-
+	
 					auditEvent.setResourcePath(topologyName);
 				
-					LOG.info("logAuditEvent [" + auditEvent + "] - START");
-					
 					if(LOG.isDebugEnabled()) {
 						LOG.debug("logAuditEvent [" + auditEvent + "] - START");
 					}
-
+	
 					AuditProviderFactory.getAuditProvider().log(auditEvent);
-
+	
 					if(LOG.isDebugEnabled()) {
 						LOG.debug("logAuditEvent [" + auditEvent + "] - END");
 					}
@@ -132,11 +143,9 @@ public class XaSecureStormAuthorizer implements IAuthorizer {
 				catch(Throwable t) {
 					LOG.error("ERROR logEvent [" + auditEvent + "]", t);
 				}
-				
+					
 			}
 		}
-		
-		}
 		catch(Throwable t) {
 			LOG.error("XaSecureStormAuthorizer found this exception", t);
 		}
@@ -148,8 +157,6 @@ public class XaSecureStormAuthorizer implements IAuthorizer {
 	                + "topology: [" + topologyName + "] => returns [" + accessAllowed + "]")
;
 		}
 		
-		
-		
 		return accessAllowed ;
 	}
 	
@@ -161,5 +168,5 @@ public class XaSecureStormAuthorizer implements IAuthorizer {
 	@Override
 	public void prepare(Map aStormConfigMap) {
 	}
-
+	
 }


Mime
View raw message