From mad...@apache.org
Subject [5/7] incubator-ranger git commit: RANGER-557: Ranger Storm authorizer to be consistent with default authorizer
Date Thu, 18 Jun 2015 02:31:21 GMT
RANGER-557: Ranger Storm authorizer to be consistent with default authorizer


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9d29006e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9d29006e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9d29006e

Branch: refs/heads/tag-policy
Commit: 9d29006ee770487b84fa94c37918d99163a62053
Parents: 6411479
Author: rmani <rmani@hortonworks.com>
Authored: Tue Jun 16 19:50:30 2015 -0700
Committer: rmani <rmani@hortonworks.com>
Committed: Tue Jun 16 19:50:30 2015 -0700

----------------------------------------------------------------------
 .../storm/authorizer/RangerStormAuthorizer.java | 62 +++++++++++---------
 1 file changed, 35 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9d29006e/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
index b94988b..3687527 100644
--- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
+++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
@@ -21,6 +21,7 @@
 
 import java.security.Principal;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.storm.StormRangerPlugin;
@@ -30,6 +31,8 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.collect.Sets;
+
 import backtype.storm.Config;
 import backtype.storm.security.auth.IAuthorizer;
 import backtype.storm.security.auth.ReqContext;
@@ -39,7 +42,9 @@ public class RangerStormAuthorizer implements IAuthorizer {
 	private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizer.class);
 	
 	static final StormRangerPlugin plugin = new StormRangerPlugin();
-	
+
+	static final Set<String> noAuthzOperations = Sets.newHashSet(new String[] { "getNimbusConf",
"getClusterInfo" });
+
 	/**
      * permit() method is invoked for each incoming Thrift request.
      * @param context request context includes info about 
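Review bot: `noAuthzOperations` on the added line is a mutable `HashSet` exposed through a package-private static field, so any class in the package can add operation names to the authorization-bypass list at runtime; build it as an immutable set instead, e.g. `static final Set<String> noAuthzOperations = ImmutableSet.of("getNimbusConf", "getClusterInfo");` (Guava is already on the classpath, given the `Sets` import). A one-line comment stating why these two operations skip the Ranger policy check would also help the next reader, e.g. `// Operations exempt from Ranger policy checks, mirroring the default Storm authorizer (see RANGER-557).`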
@@ -53,7 +58,7 @@ public class RangerStormAuthorizer implements IAuthorizer {
 		
 		boolean accessAllowed = false ;
 		boolean isAuditEnabled = false;
-		
+
 		String topologyName = null ;
 		
 		try {
@@ -76,39 +81,42 @@ public class RangerStormAuthorizer implements IAuthorizer {
 					LOG.debug("TOPOLOGY CONFIG MAP is passed as null.") ;
 				}
 			}
+
+			if(noAuthzOperations.contains(aOperationName)) {
+				accessAllowed = true;
+			} else {
+				String userName = null ;
+				String[] groups = null ;
 	
-			String userName = null ;
-			String[] groups = null ;
-	
-			Principal user = aRequestContext.principal() ;
+				Principal user = aRequestContext.principal() ;
 			
-			if (user != null) {
-				userName = user.getName() ;
-				if (userName != null) {
-					UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ;
-					userName = ugi.getShortUserName() ;
-					groups = ugi.getGroupNames() ;
-					if (LOG.isDebugEnabled()) {
-						LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName
+ "], groups:[" + StringUtil.toString(groups) + "]") ;
+				if (user != null) {
+					userName = user.getName() ;
+					if (userName != null) {
+						UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ;
+						userName = ugi.getShortUserName() ;
+						groups = ugi.getGroupNames() ;
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName
+ "], groups:[" + StringUtil.toString(groups) + "]") ;
+						}
 					}
-
 				}
-			}
 				
 				
-			if (userName != null) {
-				String clientIp =  (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress()
) ;
-				RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp,
topologyName, aOperationName); 
-				RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
-				accessAllowed = result != null && result.getIsAllowed();
-				isAuditEnabled = result != null && result.getIsAudited();
+				if (userName != null) {
+					String clientIp =  (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress()
) ;
+					RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp,
topologyName, aOperationName); 
+					RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
+					accessAllowed = result != null && result.getIsAllowed();
+					isAuditEnabled = result != null && result.getIsAudited();
 				
-				if (LOG.isDebugEnabled()) {
-					LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups)
+ "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed
+ "], Audit Enabled:" + isAuditEnabled);
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups)
+ "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed
+ "], Audit Enabled:" + isAuditEnabled);
+					}
+				}
+				else {
+					LOG.info("NULL User found from principal [" + user + "]: Skipping authorization;  allowedFlag
=> [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
 				}
-			}
-			else {
-				LOG.info("NULL User found from principal [" + user + "]: Skipping authorization;  allowedFlag
=> [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
 			}
 		}
 		catch(Throwable t) {
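Review bot: The exemption check added at the top of the block (`if(noAuthzOperations.contains(aOperationName))`) runs before the principal is resolved, so `getNimbusConf` and `getClusterInfo` are granted to every caller, including requests with no principal, and `isAuditEnabled` stays `false`, so those grants leave no Ranger audit record. If that parity with the default authorizer is intended, make it visible in the code and the logs: a comment such as `// Exempt operations are allowed for any caller and are not audited; mirrors the default authorizer.` plus `if (LOG.isDebugEnabled()) { LOG.debug("Operation [" + aOperationName + "] is exempt from Ranger authorization"); }` inside the `if` branch. permit() begins before this hunk and its catch block continues after it.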

