From: madhan@apache.org To: commits@ranger.incubator.apache.org Message-Id: <6fcf90311e5b41e69e1d64c6cd40f125@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: incubator-ranger git commit: RANGER-203: seperated audit handling from policy-engine into a different object, to enable plugins to provide diffent audit-handlers without having to implement policy engine. Date: Fri, 16 Jan 2015 21:57:44 +0000 (UTC) X-Virus-Checked: Checked by ClamAV on apache.org Repository: incubator-ranger Updated Branches: refs/heads/stack e551d589b -> eb271129c RANGER-203: seperated audit handling from policy-engine into a different object, to enable plugins to provide diffent audit-handlers without having to implement policy engine. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/eb271129 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/eb271129 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/eb271129 Branch: refs/heads/stack Commit: eb271129c4d868b12fb9e13d1ae59d56036b884e Parents: e551d58 Author: Madhan Neethiraj Authored: Fri Jan 16 13:54:17 2015 -0800 Committer: Madhan Neethiraj Committed: Fri Jan 16 13:54:17 2015 -0800 ---------------------------------------------------------------------- .../ranger/plugin/audit/RangerAuditHandler.java | 32 +++ .../plugin/audit/RangerDefaultAuditHandler.java | 249 +++++++++++++++++++ .../plugin/policyengine/RangerAccessResult.java | 50 ++-- .../plugin/policyengine/RangerPolicyEngine.java | 15 +- .../policyengine/RangerPolicyEngineImpl.java | 187 +------------- .../plugin/policyengine/TestPolicyEngine.java | 5 +- .../policyengine/test_policyengine_hdfs.json | 10 +- 7 files changed, 329 insertions(+), 219 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java new file mode 100644 index 0000000..53edc18 --- /dev/null +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java @@ -0,0 +1,32 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.audit; + +import java.util.List; + +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; + + +public interface RangerAuditHandler { + void logAudit(RangerAccessRequest request, RangerAccessResult result); + + void logAudit(List requests, List results); +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java ---------------------------------------------------------------------- 
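Review bot: RangerAuditHandler is the extension point plugins now implement in place of the engine's own audit code, yet it carries no Javadoc, so an implementer cannot tell what the engine guarantees or expects; the contract belongs on the interface. This rendering drops generics, so assuming the batch overload is `List<RangerAccessRequest>`/`List<RangerAccessResult>`, the type comment should state that the engine calls `logAudit` once per decision after the result has been computed, and that the two lists are positionally paired (`results.get(i)` is the decision for `requests.get(i)`, which is exactly how RangerDefaultAuditHandler consumes them). It should also say whether a handler may throw, since the engine invokes it inline from isAccessAllowed and an implementer's exception reaches the authorization caller. A short `@param` Javadoc on each method is sufficient; no code change is needed.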
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java new file mode 100644 index 0000000..bf55276 --- /dev/null +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 
@@ -0,0 +1,249 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.audit; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import java.util.Map; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.audit.model.AuthzAuditEvent; +import org.apache.ranger.audit.provider.AuditProviderFactory; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; +import org.apache.ranger.plugin.policyengine.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail; + + +public class RangerDefaultAuditHandler implements RangerAuditHandler { + private static final Log LOG = LogFactory.getLog(RangerDefaultAuditHandler.class); + + private static final String RESOURCE_SEP = "/"; + + + public RangerDefaultAuditHandler() { + } + + @Override + public void logAudit(RangerAccessRequest request, RangerAccessResult result) { + if(LOG.isDebugEnabled()) { + 
LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")"); + } + + Collection events = getAuditEvents(request, result); + + logAudit(events); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")"); + } + } + + @Override + public void logAudit(List requests, List results) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")"); + } + + Collection events = getAuditEvents(requests, results); + + logAudit(events); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")"); + } + } + + + public Collection getAuditEvents(RangerAccessRequest request, RangerAccessResult result) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result + ")"); + } + + List ret = null; + + if(request != null && result != null) { + RangerServiceDef serviceDef = result.getServiceDef(); + int serviceType = (serviceDef != null && serviceDef.getId() != null) ? serviceDef.getId().intValue() : -1; + String serviceName = result.getServiceName(); + String resourceType = getResourceName(request.getResource(), serviceDef); + String resourcePath = getResourceValueAsString(request.getResource(), serviceDef); + + // TODO: optimize the number of audit logs created + for(Map.Entry e : result.getAccessTypeResults().entrySet()) { + String accessType = e.getKey(); + ResultDetail accessResult = e.getValue(); + + if(! 
accessResult.isAudited()) { + continue; + } + + AuthzAuditEvent event = createAuthzAuditEvent(); + + event.setRepositoryName(serviceName); + event.setRepositoryType(serviceType); + event.setResourceType(resourceType); + event.setResourcePath(resourcePath); + event.setEventTime(request.getAccessTime()); + event.setUser(request.getUser()); + event.setAccessType(request.getAction()); + event.setAccessResult((short)(accessResult.isAllowed() ? 1 : 0)); + event.setAclEnforcer("ranger-acl"); // TODO: review + event.setAction(accessType); + event.setClientIP(request.getClientIPAddress()); + event.setClientType(request.getClientType()); + event.setAgentHostname(null); + event.setAgentId(null); + event.setEventId(null); + + if(ret == null) { + ret = new ArrayList(); + } + + ret.add(event); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result + "): " + ret); + } + + return ret; + } + + public Collection getAuditEvents(List requests, List results) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results + ")"); + } + + List ret = null; + + if(requests != null && results != null) { + int count = Math.min(requests.size(), results.size()); + + // TODO: optimize the number of audit logs created + for(int i = 0; i < count; i++) { + Collection events = getAuditEvents(requests.get(i), results.get(i)); + + if(events == null) { + continue; + } + + if(ret == null) { + ret = new ArrayList(); + } + + ret.addAll(events); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results + "): " + ret); + } + + return ret; + } + + public void logAuthzAudit(AuthzAuditEvent auditEvent) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvent + ")"); + } + + if(auditEvent != null) { + AuditProviderFactory.getAuditProvider().log(auditEvent); + } + + 
if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvent + ")"); + } + } + + public void logAudit(Collection auditEvents) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvents + ")"); + } + + if(auditEvents != null) { + for(AuthzAuditEvent auditEvent : auditEvents) { + logAuthzAudit(auditEvent); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvents + ")"); + } + } + + public AuthzAuditEvent createAuthzAuditEvent() { + return new AuthzAuditEvent(); + } + + public String getResourceName(RangerResource resource, RangerServiceDef serviceDef) { + String ret = null; + + if(resource != null && serviceDef != null && serviceDef.getResources() != null) { + List resourceDefs = serviceDef.getResources(); + + for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) { + RangerResourceDef resourceDef = resourceDefs.get(idx); + + if(resourceDef == null || !resource.exists(resourceDef.getName())) { + continue; + } + + ret = resourceDef.getName(); + + break; + } + } + + return ret; + } + + public String getResourceValueAsString(RangerResource resource, RangerServiceDef serviceDef) { + String ret = null; + + if(resource != null && serviceDef != null && serviceDef.getResources() != null) { + StringBuilder sb = new StringBuilder(); + + for(RangerResourceDef resourceDef : serviceDef.getResources()) { + if(resourceDef == null || !resource.exists(resourceDef.getName())) { + continue; + } + + if(sb.length() > 0) { + sb.append(RESOURCE_SEP); + } + + sb.append(resource.getValue(resourceDef.getName())); + } + + if(sb.length() > 0) { + ret = sb.toString(); + } + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- 
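Review bot: `getAuditEvents(List requests, List results)` silently audits only `Math.min(requests.size(), results.size())` entries, so a caller that hands over mismatched lists loses the audit records for the tail without any trace. Because the pairing is positional, a size mismatch is a caller bug, and the audit trail is the one place it should not be hidden; before the loop add `if(requests.size() != results.size()) { LOG.warn("RangerDefaultAuditHandler.getAuditEvents(): requests.size()=" + requests.size() + " != results.size()=" + results.size() + "; auditing only the first " + count); }`. Separately, `event.setAccessType(request.getAction())` next to `event.setAction(accessType)` reads as if the two fields are crossed; it is carried over verbatim from the engine code this commit removes, so it is presumably intentional, but a one-line comment stating the mapping would save the next reader the same double-take.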
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index a5a1ef3..ae75fe7 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java @@ -22,24 +22,43 @@ package org.apache.ranger.plugin.policyengine; import java.util.HashMap; import java.util.Map; -import org.apache.commons.lang.ObjectUtils; import org.apache.commons.lang.StringUtils; +import org.apache.ranger.plugin.model.RangerServiceDef; public class RangerAccessResult { public enum Result { ALLOWED, DENIED, PARTIALLY_ALLOWED }; + private String serviceName = null; + private RangerServiceDef serviceDef = null; private Map accessTypeResults = null; - public RangerAccessResult() { - this(null); + public RangerAccessResult(String serviceName, RangerServiceDef serviceDef) { + this(serviceName, serviceDef, null); } - public RangerAccessResult(Map accessTypeResults) { + public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, Map accessTypeResults) { + this.serviceName = serviceName; + this.serviceDef = serviceDef; + setAccessTypeResults(accessTypeResults); } /** + * @return the serviceName + */ + public String getServiceName() { + return serviceName; + } + + /** + * @return the serviceDef + */ + public RangerServiceDef getServiceDef() { + return serviceDef; + } + + /** * @return the accessTypeResults */ public Map getAccessTypeResults() { 
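Review bot: `serviceName` and `serviceDef` are assigned only in the new constructor and are exposed through getters, yet they are declared as mutable fields with `= null` initialisers; declaring them `private final String serviceName;` and `private final RangerServiceDef serviceDef;` makes the result's identity immutable and lets the compiler enforce it. The hunk also removes the no-argument constructor, so any code that instantiated `RangerAccessResult` directly now needs the two-argument form, which is worth a sentence in the commit message. The rest of the class, including setAccessTypeResults, lies outside this hunk.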
@@ -121,29 +140,6 @@ public class RangerAccessResult { } @Override - public boolean equals(Object obj) { - boolean ret = false; - - if(obj != null && (obj instanceof RangerAccessResult)) { - RangerAccessResult other = (RangerAccessResult)obj; - - ret = (this == other) || - ObjectUtils.equals(accessTypeResults, other.accessTypeResults); - } - - return ret; - } - - @Override - public int hashCode() { - int ret = 7; - - ret = 31 * ret + (accessTypeResults == null ? 0 : accessTypeResults.hashCode()); // TODO: review - - return ret; - } - - @Override public String toString( ) { StringBuilder sb = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index f5f10e8..c0d30c1 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -19,10 +19,9 @@ package org.apache.ranger.plugin.policyengine; -import java.util.Collection; import java.util.List; -import org.apache.ranger.audit.model.AuthzAuditEvent; +import org.apache.ranger.plugin.audit.RangerAuditHandler; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; 
@@ -33,15 +32,7 @@ public interface RangerPolicyEngine {
 void setPolicies(String serviceName, RangerServiceDef serviceDef, List policies);
- RangerAccessResult isAccessAllowed(RangerAccessRequest request);
+ RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler);
- List isAccessAllowed(List requests);
-
- void logAudit(AuthzAuditEvent auditEvent);
-
- void logAudit(Collection auditEvents);
-
- Collection getAuditEvents(RangerAccessRequest request, RangerAccessResult result);
-
- Collection getAuditEvents(List requests, List results);
+ List isAccessAllowed(List requests, RangerAuditHandler auditHandler);
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c3b3098..351d8bd 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
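Review bot: the new `auditHandler` parameter on both isAccessAllowed overloads is undocumented, and the implementation treats `null` as "do not audit" (RangerPolicyEngineImpl guards the call with `if(auditHandler != null)`), while the updated test passes `null`. That turns switching auditing off into a silent caller-side choice, so the interface should say so explicitly, e.g. `@param auditHandler receives each request together with its decision; when null no audit is produced, so production callers must supply one`. A Javadoc sentence that implementations invoke the handler after the decision is computed, and for every request in the batch overload, would complete the contract.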
@@ -20,28 +20,21 @@ package org.apache.ranger.plugin.policyengine;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.List;
-import java.util.Map;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.audit.RangerAuditHandler;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
 import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
-import org.apache.ranger.audit.provider.AuditProviderFactory;
-import org.apache.ranger.audit.model.AuthzAuditEvent;
 public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
- private static final String RESOURCE_SEP = "/";
-
 private String serviceName = null;
 private RangerServiceDef serviceDef = null;
 private List policyEvaluators = null;
@@ -91,14 +84,16 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 }
 @Override
- public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
+ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
 }
 RangerAccessResult ret = isAccessAllowedNoAudit(request);
- logAudit(getAuditEvents(request, ret));
+ if(auditHandler != null) {
+ auditHandler.logAudit(request, ret);
+ }
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
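Review bot: in the isAccessAllowed hunk, `auditHandler.logAudit(request, ret)` runs inline after `ret` is computed, so any exception thrown by a plugin-supplied handler propagates out of isAccessAllowed and the already-computed decision never reaches the caller. That is a defensible fail-closed choice for an audit hook, but it is now a behaviour any third-party handler can trigger and neither this method nor the interface states it; either document it (`// audit failures propagate: a request whose audit cannot be written is not answered`) or catch, log at error level and still return `ret` if answered-but-unaudited is the intended semantics. The debug lines in this hunk print only `request`; noting whether a handler was supplied would make a missing audit easier to diagnose. The imports hunk at the start of this line needs nothing.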
@@ -108,7 +103,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 }
 @Override
- public List isAccessAllowed(List requests) {
+ public List isAccessAllowed(List requests, RangerAuditHandler auditHandler) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")");
 }
@@ -123,174 +118,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } - logAudit(getAuditEvents(requests, ret)); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret); - } - - return ret; - } - - @Override - public Collection getAuditEvents(RangerAccessRequest request, RangerAccessResult result) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.getAuditEvents(" + request + ", " + result + ")"); - } - - List ret = null; - - if(request != null && result != null) { - // TODO: optimize the number of audit logs created - for(Map.Entry e : result.getAccessTypeResults().entrySet()) { - String accessType = e.getKey(); - ResultDetail accessResult = e.getValue(); - - if(! accessResult.isAudited()) { - continue; - } - - AuthzAuditEvent event = new AuthzAuditEvent(); - - event.setRepositoryName(serviceName); - event.setRepositoryType(serviceDef.getId().intValue()); - event.setResourcePath(getResourceValueAsString(request.getResource())); - event.setEventTime(request.getAccessTime()); - event.setUser(request.getUser()); - event.setAccessType(request.getAction()); - event.setAccessResult((short)(accessResult.isAllowed() ? 
1 : 0)); - event.setAclEnforcer("ranger-acl"); // TODO: review - event.setAction(accessType); - event.setClientIP(request.getClientIPAddress()); - event.setClientType(request.getClientType()); - event.setAgentHostname(null); - event.setAgentId(null); - event.setEventId(null); - - if(ret == null) { - ret = new ArrayList(); - } - - ret.add(event); - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.getAuditEvents(" + request + ", " + result + "): " + ret); - } - - return ret; - } - - @Override - public Collection getAuditEvents(List requests, List results) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.getAuditEvents(" + requests + ", " + results + ")"); - } - - List ret = null; - - if(requests != null && results != null) { - int count = Math.min(requests.size(), results.size()); - - // TODO: optimize the number of audit logs created - for(int i = 0; i < count; i++) { - Collection events = getAuditEvents(requests.get(i), results.get(i)); - - if(events == null) { - continue; - } - - if(ret == null) { - ret = new ArrayList(); - } - - ret.addAll(events); - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.getAuditEvents(" + requests + ", " + results + "): " + ret); - } - - return ret; - } - - @Override - public void logAudit(AuthzAuditEvent auditEvent) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.logAudit(" + auditEvent + ")"); - } - - if(auditEvent != null) { - AuditProviderFactory.getAuditProvider().log(auditEvent); + if(auditHandler != null) { + auditHandler.logAudit(requests, ret); } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.logAudit(" + auditEvent + ")"); - } - } - - @Override - public void logAudit(Collection auditEvents) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.logAudit(" + auditEvents + ")"); - } - - if(auditEvents != null) { - for(AuthzAuditEvent auditEvent : auditEvents) { - logAudit(auditEvent); - } - } 
- - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.logAudit(" + auditEvents + ")"); - } - } - - public String getResourceName(RangerResource resource) { - String ret = null; - - if(resource != null && serviceDef != null && serviceDef.getResources() != null) { - List resourceDefs = serviceDef.getResources(); - - for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) { - RangerResourceDef resourceDef = resourceDefs.get(idx); - - if(resourceDef == null || !resource.exists(resourceDef.getName())) { - continue; - } - - ret = resourceDef.getName(); - - break; - } - } - - return ret; - } - - public String getResourceValueAsString(RangerResource resource) { - String ret = null; - - if(resource != null && serviceDef != null && serviceDef.getResources() != null) { - StringBuilder sb = new StringBuilder(); - - for(RangerResourceDef resourceDef : serviceDef.getResources()) { - if(resourceDef == null || !resource.exists(resourceDef.getName())) { - continue; - } - - if(sb.length() > 0) { - sb.append(RESOURCE_SEP); - } - - sb.append(resource.getValue(resourceDef.getName())); - } - - if(sb.length() > 0) { - ret = sb.toString(); - } + LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret); } return ret; @@ -301,7 +134,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")"); } - RangerAccessResult ret = new RangerAccessResult(); + RangerAccessResult ret = new RangerAccessResult(serviceName, serviceDef); if(request != null) { if(CollectionUtils.isEmpty(request.getAccessTypes())) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- 
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 811c873..28f108e 100644 --- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -100,9 +100,10 @@ public class TestPolicyEngine { for(TestData test : testCase.tests) { RangerAccessResult expected = test.result; - RangerAccessResult result = policyEngine.isAccessAllowed(test.request); + RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); - assertEquals(test.name, expected, result); + assertNotNull(test.name, result); + assertEquals(test.name, expected.getAccessTypeResults(), result.getAccessTypeResults()); } } catch(Throwable excp) { excp.printStackTrace(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json index b9afd8b..9579ace 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json @@ -25,7 +25,7 @@ {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false, "resources":{"path":{"values":["/public/"],"isRecursive":true}}, "policyItems":[ - {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} + {"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} ] } , 
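Review bot: the rewritten assertion calls `policyEngine.isAccessAllowed(test.request, null)`, so the audit path this commit introduces (RangerDefaultAuditHandler's event construction, the `isAudited` filter, resource-path joining) has no test coverage, and comparing only `getAccessTypeResults()` leaves the new `getServiceName()`/`getServiceDef()` on the result unchecked. Since `isAudited` is already part of the expected JSON, a capturing handler is cheap: subclass `RangerDefaultAuditHandler`, override `logAudit(Collection auditEvents)` to collect the events, pass that instance instead of `null`, and assert the captured count equals the number of expected entries with `isAudited:true`. An `assertEquals(test.name, <service name given to setPolicies>, result.getServiceName())` next to the existing map comparison would cover the rest. The enclosing for/try block starts before this hunk.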
@@ -135,6 +135,14 @@ }, "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}} } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessTypes":["read","execute"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"accessTypeResults":{"execute":{"isAllowed":true,"isAudited":false,"policyId":2},"read":{"isAllowed":true,"isAudited":false,"policyId":2}}} + } ] }
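Review bot: the new test case is named `ALLOW 'read /public/technology' for u=user1` and its `requestData` says `read /public/technology/blogs.db`, while the request actually carries `"accessTypes":["read","execute"]`; when it fails, the name will not say which case broke or that execute is involved. Rename it to `ALLOW 'read,execute /public/technology' for u=user1` and set `"requestData":"read,execute /public/technology/blogs.db"` so the data describes the request it makes. The expected `isAudited:false` for both types is consistent with policy 2 being `isAuditEnabled:false` in the first hunk of this file.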