ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject incubator-ranger git commit: RANGER-203: seperated audit handling from policy-engine into a different object, to enable plugins to provide diffent audit-handlers without having to implement policy engine.
Date Fri, 16 Jan 2015 21:57:44 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/stack e551d589b -> eb271129c


RANGER-203: seperated audit handling from policy-engine into a different
object, to enable plugins to provide diffent audit-handlers without
having to implement policy engine.

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/eb271129
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/eb271129
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/eb271129

Branch: refs/heads/stack
Commit: eb271129c4d868b12fb9e13d1ae59d56036b884e
Parents: e551d58
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Fri Jan 16 13:54:17 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Fri Jan 16 13:54:17 2015 -0800

----------------------------------------------------------------------
 .../ranger/plugin/audit/RangerAuditHandler.java |  32 +++
 .../plugin/audit/RangerDefaultAuditHandler.java | 249 +++++++++++++++++++
 .../plugin/policyengine/RangerAccessResult.java |  50 ++--
 .../plugin/policyengine/RangerPolicyEngine.java |  15 +-
 .../policyengine/RangerPolicyEngineImpl.java    | 187 +-------------
 .../plugin/policyengine/TestPolicyEngine.java   |   5 +-
 .../policyengine/test_policyengine_hdfs.json    |  10 +-
 7 files changed, 329 insertions(+), 219 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
new file mode 100644
index 0000000..53edc18
--- /dev/null
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.audit;
+
+import java.util.List;
+
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+
+
+public interface RangerAuditHandler {
+	void logAudit(RangerAccessRequest request, RangerAccessResult result);
+
+	void logAudit(List<RangerAccessRequest> requests, List<RangerAccessResult> results);
+}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
new file mode 100644
index 0000000..bf55276
--- /dev/null
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
@@ -0,0 +1,249 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.audit;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.audit.provider.AuditProviderFactory;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
+
+
+public class RangerDefaultAuditHandler implements RangerAuditHandler {
+	private static final Log LOG = LogFactory.getLog(RangerDefaultAuditHandler.class);
+
+	private static final String RESOURCE_SEP = "/";
+
+
+	public RangerDefaultAuditHandler() {
+	}
+
+	@Override
+	public void logAudit(RangerAccessRequest request, RangerAccessResult result) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")");
+		}
+
+		Collection<AuthzAuditEvent> events = getAuditEvents(request, result);
+
+		logAudit(events);
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")");
+		}
+	}
+
+	@Override
+	public void logAudit(List<RangerAccessRequest> requests, List<RangerAccessResult>
results) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")");
+		}
+
+		Collection<AuthzAuditEvent> events = getAuditEvents(requests, results);
+
+		logAudit(events);
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")");
+		}
+	}
+
+
+	public Collection<AuthzAuditEvent> getAuditEvents(RangerAccessRequest request, RangerAccessResult
result) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result
+ ")");
+		}
+
+		List<AuthzAuditEvent> ret = null;
+
+		if(request != null && result != null) {
+			RangerServiceDef serviceDef   = result.getServiceDef();
+			int              serviceType  = (serviceDef != null && serviceDef.getId() != null)
? serviceDef.getId().intValue() : -1;
+			String           serviceName  = result.getServiceName();
+			String           resourceType = getResourceName(request.getResource(), serviceDef);
+			String           resourcePath = getResourceValueAsString(request.getResource(), serviceDef);
+
+			// TODO: optimize the number of audit logs created
+			for(Map.Entry<String, ResultDetail> e : result.getAccessTypeResults().entrySet())
{
+				String       accessType   = e.getKey();
+				ResultDetail accessResult = e.getValue();
+
+				if(! accessResult.isAudited()) {
+					continue;
+				}
+
+				AuthzAuditEvent event = createAuthzAuditEvent();
+
+				event.setRepositoryName(serviceName);
+				event.setRepositoryType(serviceType);
+				event.setResourceType(resourceType);
+				event.setResourcePath(resourcePath);
+				event.setEventTime(request.getAccessTime());
+				event.setUser(request.getUser());
+				event.setAccessType(request.getAction());
+				event.setAccessResult((short)(accessResult.isAllowed() ? 1 : 0));
+				event.setAclEnforcer("ranger-acl"); // TODO: review
+				event.setAction(accessType);
+				event.setClientIP(request.getClientIPAddress());
+				event.setClientType(request.getClientType());
+				event.setAgentHostname(null);
+				event.setAgentId(null);
+				event.setEventId(null);
+
+				if(ret == null) {
+					ret = new ArrayList<AuthzAuditEvent>();
+				}
+
+				ret.add(event);
+			}
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result
+ "): " + ret);
+		}
+
+		return ret;
+	}
+
+	public Collection<AuthzAuditEvent> getAuditEvents(List<RangerAccessRequest>
requests, List<RangerAccessResult> results) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results
+ ")");
+		}
+
+		List<AuthzAuditEvent> ret = null;
+
+		if(requests != null && results != null) {
+			int count = Math.min(requests.size(), results.size());
+
+			// TODO: optimize the number of audit logs created
+			for(int i = 0; i < count; i++) {
+				Collection<AuthzAuditEvent> events = getAuditEvents(requests.get(i), results.get(i));
+
+				if(events == null) {
+					continue;
+				}
+
+				if(ret == null) {
+					ret = new ArrayList<AuthzAuditEvent>();
+				}
+
+				ret.addAll(events);
+			}
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results
+ "): " + ret);
+		}
+
+		return ret;
+	}
+
+	public void logAuthzAudit(AuthzAuditEvent auditEvent) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvent + ")");
+		}
+
+		if(auditEvent != null) {
+			AuditProviderFactory.getAuditProvider().log(auditEvent);
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvent + ")");
+		}
+	}
+
+	public void logAudit(Collection<AuthzAuditEvent> auditEvents) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvents + ")");
+		}
+
+		if(auditEvents != null) {
+			for(AuthzAuditEvent auditEvent : auditEvents) {
+				logAuthzAudit(auditEvent);
+			}
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvents + ")");
+		}
+	}
+
+	public AuthzAuditEvent createAuthzAuditEvent() {
+		return new AuthzAuditEvent();
+	}
+
+	public String getResourceName(RangerResource resource, RangerServiceDef serviceDef) {
+		String ret = null;
+
+		if(resource != null && serviceDef != null && serviceDef.getResources()
!= null) {
+			List<RangerResourceDef> resourceDefs = serviceDef.getResources();
+
+			for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) {
+				RangerResourceDef resourceDef = resourceDefs.get(idx);
+
+				if(resourceDef == null || !resource.exists(resourceDef.getName())) {
+					continue;
+				}
+
+				ret = resourceDef.getName();
+
+				break;
+			}
+		}
+		
+		return ret;
+	}
+
+	public String getResourceValueAsString(RangerResource resource, RangerServiceDef serviceDef)
{
+		String ret = null;
+
+		if(resource != null && serviceDef != null && serviceDef.getResources()
!= null) {
+			StringBuilder sb = new StringBuilder();
+
+			for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+				if(resourceDef == null || !resource.exists(resourceDef.getName())) {
+					continue;
+				}
+
+				if(sb.length() > 0) {
+					sb.append(RESOURCE_SEP);
+				}
+
+				sb.append(resource.getValue(resourceDef.getName()));
+			}
+
+			if(sb.length() > 0) {
+				ret = sb.toString();
+			}
+		}
+
+		return ret;
+	}
+}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index a5a1ef3..ae75fe7 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -22,24 +22,43 @@ package org.apache.ranger.plugin.policyengine;
 import java.util.HashMap;
 import java.util.Map;
 
-import org.apache.commons.lang.ObjectUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerServiceDef;
 
 
 public class RangerAccessResult {
 	public enum Result { ALLOWED, DENIED, PARTIALLY_ALLOWED };
 
+	private String           serviceName = null;
+	private RangerServiceDef serviceDef  = null;
 	private Map<String, ResultDetail> accessTypeResults = null;
 
-	public RangerAccessResult() {
-		this(null);
+	public RangerAccessResult(String serviceName, RangerServiceDef serviceDef) {
+		this(serviceName, serviceDef, null);
 	}
 
-	public RangerAccessResult(Map<String, ResultDetail> accessTypeResults) {
+	public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, Map<String,
ResultDetail> accessTypeResults) {
+		this.serviceName = serviceName;
+		this.serviceDef  = serviceDef;
+
 		setAccessTypeResults(accessTypeResults);
 	}
 
 	/**
+	 * @return the serviceName
+	 */
+	public String getServiceName() {
+		return serviceName;
+	}
+
+	/**
+	 * @return the serviceDef
+	 */
+	public RangerServiceDef getServiceDef() {
+		return serviceDef;
+	}
+
+	/**
 	 * @return the accessTypeResults
 	 */
 	public Map<String, ResultDetail> getAccessTypeResults() {
@@ -121,29 +140,6 @@ public class RangerAccessResult {
 	}
 
 	@Override
-	public boolean equals(Object obj) {
-		boolean ret = false;
-
-		if(obj != null && (obj instanceof RangerAccessResult)) {
-			RangerAccessResult other = (RangerAccessResult)obj;
-
-			ret = (this == other) ||
-				   ObjectUtils.equals(accessTypeResults, other.accessTypeResults);
-		}
-
-		return ret;
-	}
-
-	@Override
-	public int hashCode() {
-		int ret = 7;
-
-		ret = 31 * ret + (accessTypeResults == null ? 0 : accessTypeResults.hashCode()); // TODO:
review
-
-		return ret;
-	}
-
-	@Override
 	public String toString( ) {
 		StringBuilder sb = new StringBuilder();
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index f5f10e8..c0d30c1 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -19,10 +19,9 @@
 
 package org.apache.ranger.plugin.policyengine;
 
-import java.util.Collection;
 import java.util.List;
 
-import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.plugin.audit.RangerAuditHandler;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 
@@ -33,15 +32,7 @@ public interface RangerPolicyEngine {
 
 	void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy>
policies);
 
-	RangerAccessResult isAccessAllowed(RangerAccessRequest request);
+	RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler);
 
-	List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests);
-
-	void logAudit(AuthzAuditEvent auditEvent);
-
-	void logAudit(Collection<AuthzAuditEvent> auditEvents);
-
-	Collection<AuthzAuditEvent> getAuditEvents(RangerAccessRequest request, RangerAccessResult
result);
-
-	Collection<AuthzAuditEvent> getAuditEvents(List<RangerAccessRequest> requests,
List<RangerAccessResult> results);
+	List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests,
RangerAuditHandler auditHandler);
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c3b3098..351d8bd 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,28 +20,21 @@
 package org.apache.ranger.plugin.policyengine;
 
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.List;
-import java.util.Map;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.audit.RangerAuditHandler;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
 import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
-import org.apache.ranger.audit.provider.AuditProviderFactory;
-import org.apache.ranger.audit.model.AuthzAuditEvent;
 
 
 public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
 
-	private static final String RESOURCE_SEP = "/";
-
 	private String                      serviceName      = null;
 	private RangerServiceDef            serviceDef       = null;
 	private List<RangerPolicyEvaluator> policyEvaluators = null;
@@ -91,14 +84,16 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	}
 
 	@Override
-	public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
+	public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler
auditHandler) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
 		}
 
 		RangerAccessResult ret = isAccessAllowedNoAudit(request);
 
-		logAudit(getAuditEvents(request, ret));
+		if(auditHandler != null) {
+			auditHandler.logAudit(request, ret);
+		}
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
@@ -108,7 +103,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	}
 
 	@Override
-	public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests)
{
+	public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests,
RangerAuditHandler auditHandler) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")");
 		}
@@ -123,174 +118,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			}
 		}
 
-		logAudit(getAuditEvents(requests, ret));
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
-		}
-
-		return ret;
-	}
-
-	@Override
-	public Collection<AuthzAuditEvent> getAuditEvents(RangerAccessRequest request, RangerAccessResult
result) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngineImpl.getAuditEvents(" + request + ", " + result +
")");
-		}
-
-		List<AuthzAuditEvent> ret = null;
-
-		if(request != null && result != null) {
-			// TODO: optimize the number of audit logs created
-			for(Map.Entry<String, ResultDetail> e : result.getAccessTypeResults().entrySet())
{
-				String       accessType   = e.getKey();
-				ResultDetail accessResult = e.getValue();
-
-				if(! accessResult.isAudited()) {
-					continue;
-				}
-
-				AuthzAuditEvent event = new AuthzAuditEvent();
-
-				event.setRepositoryName(serviceName);
-				event.setRepositoryType(serviceDef.getId().intValue());
-				event.setResourcePath(getResourceValueAsString(request.getResource()));
-				event.setEventTime(request.getAccessTime());
-				event.setUser(request.getUser());
-				event.setAccessType(request.getAction());
-				event.setAccessResult((short)(accessResult.isAllowed() ? 1 : 0));
-				event.setAclEnforcer("ranger-acl"); // TODO: review
-				event.setAction(accessType);
-				event.setClientIP(request.getClientIPAddress());
-				event.setClientType(request.getClientType());
-				event.setAgentHostname(null);
-				event.setAgentId(null);
-				event.setEventId(null);
-
-				if(ret == null) {
-					ret = new ArrayList<AuthzAuditEvent>();
-				}
-
-				ret.add(event);
-			}
-		}
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.getAuditEvents(" + request + ", " + result +
"): " + ret);
-		}
-
-		return ret;
-	}
-	
-	@Override
-	public Collection<AuthzAuditEvent> getAuditEvents(List<RangerAccessRequest>
requests, List<RangerAccessResult> results) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngineImpl.getAuditEvents(" + requests + ", " + results
+ ")");
-		}
-
-		List<AuthzAuditEvent> ret = null;
-
-		if(requests != null && results != null) {
-			int count = Math.min(requests.size(), results.size());
-
-			// TODO: optimize the number of audit logs created
-			for(int i = 0; i < count; i++) {
-				Collection<AuthzAuditEvent> events = getAuditEvents(requests.get(i), results.get(i));
-
-				if(events == null) {
-					continue;
-				}
-
-				if(ret == null) {
-					ret = new ArrayList<AuthzAuditEvent>();
-				}
-
-				ret.addAll(events);
-			}
-		}
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.getAuditEvents(" + requests + ", " + results
+ "): " + ret);
-		}
-
-		return ret;
-	}
-
-	@Override
-	public void logAudit(AuthzAuditEvent auditEvent) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngineImpl.logAudit(" + auditEvent + ")");
-		}
-
-		if(auditEvent != null) {
-			AuditProviderFactory.getAuditProvider().log(auditEvent);
+		if(auditHandler != null) {
+			auditHandler.logAudit(requests, ret);
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.logAudit(" + auditEvent + ")");
-		}
-	}
-
-	@Override
-	public void logAudit(Collection<AuthzAuditEvent> auditEvents) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngineImpl.logAudit(" + auditEvents + ")");
-		}
-
-		if(auditEvents != null) {
-			for(AuthzAuditEvent auditEvent : auditEvents) {
-				logAudit(auditEvent);
-			}
-		}
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.logAudit(" + auditEvents + ")");
-		}
-	}
-
-	public String getResourceName(RangerResource resource) {
-		String ret = null;
-
-		if(resource != null && serviceDef != null && serviceDef.getResources()
!= null) {
-			List<RangerResourceDef> resourceDefs = serviceDef.getResources();
-
-			for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) {
-				RangerResourceDef resourceDef = resourceDefs.get(idx);
-
-				if(resourceDef == null || !resource.exists(resourceDef.getName())) {
-					continue;
-				}
-
-				ret = resourceDef.getName();
-
-				break;
-			}
-		}
-		
-		return ret;
-	}
-
-	public String getResourceValueAsString(RangerResource resource) {
-		String ret = null;
-
-		if(resource != null && serviceDef != null && serviceDef.getResources()
!= null) {
-			StringBuilder sb = new StringBuilder();
-
-			for(RangerResourceDef resourceDef : serviceDef.getResources()) {
-				if(resourceDef == null || !resource.exists(resourceDef.getName())) {
-					continue;
-				}
-
-				if(sb.length() > 0) {
-					sb.append(RESOURCE_SEP);
-				}
-
-				sb.append(resource.getValue(resourceDef.getName()));
-			}
-
-			if(sb.length() > 0) {
-				ret = sb.toString();
-			}
+			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
 		}
 
 		return ret;
@@ -301,7 +134,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")");
 		}
 
-		RangerAccessResult ret = new RangerAccessResult();
+		RangerAccessResult ret = new RangerAccessResult(serviceName, serviceDef);
 
 		if(request != null) {
 			if(CollectionUtils.isEmpty(request.getAccessTypes())) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 811c873..28f108e 100644
--- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -100,9 +100,10 @@ public class TestPolicyEngine {
 
 			for(TestData test : testCase.tests) {
 				RangerAccessResult expected = test.result;
-				RangerAccessResult result   = policyEngine.isAccessAllowed(test.request);
+				RangerAccessResult result   = policyEngine.isAccessAllowed(test.request, null);
 
-				assertEquals(test.name, expected, result);
+				assertNotNull(test.name, result);
+				assertEquals(test.name, expected.getAccessTypeResults(), result.getAccessTypeResults());
 			}
 		} catch(Throwable excp) {
 			excp.printStackTrace();

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index b9afd8b..9579ace 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -25,7 +25,7 @@
     {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false,
      "resources":{"path":{"values":["/public/"],"isRecursive":true}},
      "policyItems":[
-       {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+       {"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
      ]
     }
     ,
@@ -135,6 +135,14 @@
      },
      "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
     }
+    ,
+    {"name":"ALLOW 'read /public/technology' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessTypes":["read","execute"],"user":"user1","userGroups":[],"requestData":"read
/public/technology/blogs.db"
+     },
+     "result":{"accessTypeResults":{"execute":{"isAllowed":true,"isAudited":false,"policyId":2},"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+    }
   ]
 }
 


Mime
View raw message