ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject [02/15] incubator-ranger git commit: RANGER-510 : Client IP not getting populated for KMS in audit
Date Mon, 01 Jun 2015 23:20:08 GMT
RANGER-510 : Client IP not getting populated for KMS in audit

Signed-off-by: Velmurugan Periasamy <vel@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/dda7a165
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/dda7a165
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/dda7a165

Branch: refs/heads/tag-policy
Commit: dda7a165c5a7c80d13023c91a095a373a6dd3e70
Parents: f0a8931
Author: Gautam Borad <gborad@gmail.com>
Authored: Fri May 29 12:11:11 2015 +0530
Committer: Velmurugan Periasamy <vel@apache.org>
Committed: Fri May 29 10:16:55 2015 -0400

----------------------------------------------------------------------
 .../hadoop/crypto/key/kms/server/KMS.java       | 68 ++++++++++----------
 .../hadoop/crypto/key/kms/server/KMSACLs.java   |  6 +-
 .../kms/server/KeyAuthorizationKeyProvider.java |  5 +-
 .../crypto/key/kms/server/TestKMSACLs.java      | 11 ++--
 .../kms/authorizer/RangerKmsAuthorizer.java     | 30 +++------
 5 files changed, 57 insertions(+), 63 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index 5575eab..404b710 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
 import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
 import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.DefaultValue;
@@ -39,6 +40,7 @@ import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
@@ -74,13 +76,13 @@ public class KMS {
   }
 
   private void assertAccess(Type aclType, UserGroupInformation ugi,
-      KMSOp operation) throws AccessControlException {
-    KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null);
+      KMSOp operation, String clientIp) throws AccessControlException {
+    KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null, clientIp);
   }
   
   private void assertAccess(Type aclType, UserGroupInformation ugi,
-      KMSOp operation, String key) throws AccessControlException {
-    KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key);
+      KMSOp operation, String key, String clientIp) throws AccessControlException {
+    KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key, clientIp);
   }
 
   private static KeyProvider.KeyVersion removeKeyMaterial(
@@ -99,12 +101,12 @@ public class KMS {
   @Consumes(MediaType.APPLICATION_JSON)
   @Produces(MediaType.APPLICATION_JSON)
   @SuppressWarnings("unchecked")
-  public Response createKey(Map jsonKey) throws Exception {
+  public Response createKey(Map jsonKey, @Context HttpServletRequest request) throws Exception
{
     KMSWebApp.getAdminCallsMeter().mark();
     UserGroupInformation user = HttpUserGroupInformation.get();
     final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
-    KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
-    assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name);
+    KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);    
+    assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name, request.getRemoteAddr());
     String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
     final String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
     int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
@@ -115,7 +117,7 @@ public class KMS {
         jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
     if (material != null) {
       assertAccess(Type.SET_KEY_MATERIAL, user,
-          KMSOp.CREATE_KEY, name);
+          KMSOp.CREATE_KEY, name, request.getRemoteAddr());
     }
     final KeyProvider.Options options = new KeyProvider.Options(
         KMSWebApp.getConfiguration());
@@ -144,7 +146,7 @@ public class KMS {
     kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
         (material != null) + " Description:" + description);
 
-    if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) {
+    if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
       keyVersion = removeKeyMaterial(keyVersion);
     }
     Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -158,11 +160,11 @@ public class KMS {
 
   @DELETE
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
-  public Response deleteKey(@PathParam("name") final String name)
+  public Response deleteKey(@PathParam("name") final String name, @Context HttpServletRequest
request)
       throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     UserGroupInformation user = HttpUserGroupInformation.get();
-    assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name);
+    assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name, request.getRemoteAddr());
     KMSClientProvider.checkNotEmpty(name, "name");
 
     user.doAs(new PrivilegedExceptionAction<Void>() {
@@ -184,16 +186,16 @@ public class KMS {
   @Consumes(MediaType.APPLICATION_JSON)
   @Produces(MediaType.APPLICATION_JSON)
   public Response rolloverKey(@PathParam("name") final String name,
-      Map jsonMaterial) throws Exception {
+      Map jsonMaterial, @Context HttpServletRequest request) throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     UserGroupInformation user = HttpUserGroupInformation.get();
-    assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
+    assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
     KMSClientProvider.checkNotEmpty(name, "name");
     final String material = (String)
         jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
     if (material != null) {
       assertAccess(Type.SET_KEY_MATERIAL, user,
-          KMSOp.ROLL_NEW_VERSION, name);
+          KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
     }
 
     KeyProvider.KeyVersion keyVersion = user.doAs(
@@ -212,7 +214,7 @@ public class KMS {
     kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
         (material != null) + " NewVersion:" + keyVersion.getVersionName());
 
-    if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) {
+    if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
       keyVersion = removeKeyMaterial(keyVersion);
     }
     Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -223,12 +225,12 @@ public class KMS {
   @Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
   public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
-      List<String> keyNamesList) throws Exception {
+      List<String> keyNamesList, @Context HttpServletRequest request) throws Exception
{
     KMSWebApp.getAdminCallsMeter().mark();
     UserGroupInformation user = HttpUserGroupInformation.get();
     final String[] keyNames = keyNamesList.toArray(
         new String[keyNamesList.size()]);
-    assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
+    assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA, request.getRemoteAddr());
 
     KeyProvider.Metadata[] keysMeta = user.doAs(
         new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
@@ -247,10 +249,10 @@ public class KMS {
   @GET
   @Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getKeyNames() throws Exception {
+  public Response getKeyNames(@Context HttpServletRequest request) throws Exception {
     KMSWebApp.getAdminCallsMeter().mark();
     UserGroupInformation user = HttpUserGroupInformation.get();
-    assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS);
+    assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS, request.getRemoteAddr());
 
     List<String> json = user.doAs(
         new PrivilegedExceptionAction<List<String>>() {
@@ -267,21 +269,21 @@ public class KMS {
 
   @GET
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
-  public Response getKey(@PathParam("name") String name)
+  public Response getKey(@PathParam("name") String name, @Context HttpServletRequest request)
       throws Exception {
-    return getMetadata(name);
+    return getMetadata(name, request);
   }
 
   @GET
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
       KMSRESTConstants.METADATA_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getMetadata(@PathParam("name") final String name)
+  public Response getMetadata(@PathParam("name") final String name, @Context HttpServletRequest
request)
       throws Exception {
     UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getAdminCallsMeter().mark();
-    assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
+    assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name, request.getRemoteAddr());
 
     KeyProvider.Metadata metadata = user.doAs(
         new PrivilegedExceptionAction<KeyProvider.Metadata>() {
@@ -301,12 +303,12 @@ public class KMS {
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
       KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getCurrentVersion(@PathParam("name") final String name)
+  public Response getCurrentVersion(@PathParam("name") final String name, @Context HttpServletRequest
request)
       throws Exception {
     UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getKeyCallsMeter().mark();
-    assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
+    assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name, request.getRemoteAddr());
 
     KeyVersion keyVersion = user.doAs(
         new PrivilegedExceptionAction<KeyVersion>() {
@@ -329,11 +331,11 @@ public class KMS {
   @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
   @Produces(MediaType.APPLICATION_JSON)
   public Response getKeyVersion(
-      @PathParam("versionName") final String versionName) throws Exception {
+      @PathParam("versionName") final String versionName, @Context HttpServletRequest request)
throws Exception {
     UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(versionName, "versionName");
     KMSWebApp.getKeyCallsMeter().mark();
-    assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION);
+    assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION, request.getRemoteAddr());
 
     KeyVersion keyVersion = user.doAs(
         new PrivilegedExceptionAction<KeyVersion>() {
@@ -360,7 +362,7 @@ public class KMS {
           @PathParam("name") final String name,
           @QueryParam(KMSRESTConstants.EEK_OP) String edekOp,
           @DefaultValue("1")
-          @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys)
+          @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys, @Context HttpServletRequest
request)
           throws Exception {
     UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
@@ -368,7 +370,7 @@ public class KMS {
 
     Object retJSON;
     if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
-      assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
+      assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name, request.getRemoteAddr());
 
       final List<EncryptedKeyVersion> retEdeks =
           new LinkedList<EncryptedKeyVersion>();
@@ -412,7 +414,7 @@ public class KMS {
   public Response decryptEncryptedKey(
       @PathParam("versionName") final String versionName,
       @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
-      Map jsonPayload)
+      Map jsonPayload, @Context HttpServletRequest request)
       throws Exception {
     UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(versionName, "versionName");
@@ -425,7 +427,7 @@ public class KMS {
         (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
     Object retJSON;
     if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
-      assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
+      assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName, request.getRemoteAddr());
       KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
       final byte[] iv = Base64.decodeBase64(ivStr);
       KMSClientProvider.checkNotNull(encMaterialStr,
@@ -461,12 +463,12 @@ public class KMS {
   @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
       KMSRESTConstants.VERSIONS_SUB_RESOURCE)
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getKeyVersions(@PathParam("name") final String name)
+  public Response getKeyVersions(@PathParam("name") final String name, @Context HttpServletRequest
request)
       throws Exception {
     UserGroupInformation user = HttpUserGroupInformation.get();
     KMSClientProvider.checkNotEmpty(name, "name");
     KMSWebApp.getKeyCallsMeter().mark();
-    assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
+    assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name, request.getRemoteAddr());
 
     List<KeyVersion> ret = user.doAs(
         new PrivilegedExceptionAction<List<KeyVersion>>() {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
index dc09709..ff2f6d9 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -195,7 +195,7 @@ public class KMSACLs implements Runnable, KeyACLs {
    * @return true is user has access
    */
   @Override
-  public boolean hasAccess(Type type, UserGroupInformation ugi) {
+  public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
     boolean access = acls.get(type).isUserAllowed(ugi);
     if (access) {
       AccessControlList blacklist = blacklistedAcls.get(type);
@@ -206,9 +206,9 @@ public class KMSACLs implements Runnable, KeyACLs {
 
   @Override
   public void assertAccess(Type aclType,
-      UserGroupInformation ugi, KMSOp operation, String key)
+      UserGroupInformation ugi, KMSOp operation, String key, String clientIp)
       throws AccessControlException {
-    if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) {
+    if (!KMSWebApp.getACLs().hasAccess(aclType, ugi, clientIp)) {
       KMSWebApp.getUnauthorizedCallsMeter().mark();
       KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
       throw new AuthorizationException(String.format(

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
index 1e43dac..201ecbb 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
@@ -27,6 +27,7 @@ import java.util.Map;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp;
+import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AuthorizationException;
@@ -86,10 +87,10 @@ public class KeyAuthorizationKeyProvider extends KeyProviderCryptoExtension
{
 	
 	public void stopReloader();
 
-	public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi);
+	public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi, String clientIp);
 
 	public void assertAccess(KMSACLsType.Type aclType, UserGroupInformation ugi,
-			KMSOp operation, String key) throws AccessControlException;
+			KMSOp operation, String key, String clientIp) throws AccessControlException;
   }
 
   private final KeyProviderCryptoExtension provider;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
----------------------------------------------------------------------
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
index 12945d7..2e1cacc 100644
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
+++ b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
@@ -25,17 +25,19 @@ import org.junit.Test;
 
 public class TestKMSACLs {
 
+  String ipAddress = "192.168.90.1";
+  
   @Test
   public void testDefaults() {
     KMSACLs acls = new KMSACLs(new Configuration(false));
     for (Type type : Type.values()) {
       Assert.assertTrue(acls.hasAccess(type,
-          UserGroupInformation.createRemoteUser("foo")));
+          UserGroupInformation.createRemoteUser("foo"), ipAddress));
     }
   }
 
   @Test
-  public void testCustom() {
+  public void testCustom()  {
     Configuration conf = new Configuration(false);
     for (Type type : Type.values()) {
       conf.set(type.getAclConfigKey(), type.toString() + " ");
@@ -43,10 +45,9 @@ public class TestKMSACLs {
     KMSACLs acls = new KMSACLs(conf);
     for (Type type : Type.values()) {
       Assert.assertTrue(acls.hasAccess(type,
-          UserGroupInformation.createRemoteUser(type.toString())));
+          UserGroupInformation.createRemoteUser(type.toString()), ipAddress));
       Assert.assertFalse(acls.hasAccess(type,
-          UserGroupInformation.createRemoteUser("foo")));
+          UserGroupInformation.createRemoteUser("foo"), ipAddress));
     }
   }
-
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index eb2081d..3407a1d 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -20,6 +20,7 @@
 package org.apache.ranger.authorization.kms.authorizer;
 
 import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.Executors;
@@ -138,11 +139,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 	   * @return true is user has access
 	   */
 	  @Override
-	  public boolean hasAccess(Type type, UserGroupInformation ugi) {
+	  public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
 		  if(LOG.isDebugEnabled()) {
 				LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ")");
 			}
-
 			boolean ret = false;
 			RangerKMSPlugin plugin = kmsPlugin;
 			String rangerAccessType = getRangerAccessType(type);
@@ -153,7 +153,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 		    }
 		    
 			if(plugin != null && ret) {				
-				RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi);
+				RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi,
clientIp);
 				RangerAccessResult result = plugin.isAccessAllowed(request);
 				ret = result == null ? false : result.getIsAllowed();
 			}
@@ -165,11 +165,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 			return ret;
 	  }
 	  
-	  public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName) {
+	  public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp)
{
 		  if(LOG.isDebugEnabled()) {
 				LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")");
 			}
-
 			boolean ret = false;
 			RangerKMSPlugin plugin = kmsPlugin;
 			String rangerAccessType = getRangerAccessType(type);
@@ -180,7 +179,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 		    }
 		    
 			if(plugin != null && ret) {				
-				RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType,
ugi);
+				RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType,
ugi, clientIp);
 				RangerAccessResult result = plugin.isAccessAllowed(request);
 				ret = result == null ? false : result.getIsAllowed();
 			}
@@ -193,13 +192,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 	  }
 
 	  @Override
-	  public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String
key)
+	  public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String
key, String clientIp)
 	      throws AccessControlException {
 		    if(LOG.isDebugEnabled()) {
 				LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key + ", " + ugi +", " + aclType
+ ")");
 			}
 		  	key = (key == null)?"":key;
-		  	if (!hasAccess(aclType, ugi, key)) {
+		  	if (!hasAccess(aclType, ugi, key, clientIp)) {
 		  		KMSWebApp.getUnauthorizedCallsMeter().mark();
 		  		KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
 		  		throw new AuthorizationException(String.format(
@@ -217,7 +216,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 			if(LOG.isDebugEnabled()) {
 				LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " +
opType + ")");
 			}
-
+			
 			return true;
 	 }
 
@@ -331,22 +330,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 	}
 
 	class RangerKMSAccessRequest extends RangerAccessRequestImpl {
-		public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi)
{
+		public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi,
String clientIp) {
 			super.setResource(new RangerKMSResource(keyName));
 			super.setAccessType(accessType);
 			super.setUser(ugi.getShortUserName());
 			super.setUserGroups(Sets.newHashSet(ugi.getGroupNames()));
 			super.setAccessTime(StringUtil.getUTCDate());
-			super.setClientIPAddress(getRemoteIp());			
+			super.setClientIPAddress(clientIp);			
 			super.setAction(accessType);
 		}
-		
-		private static String getRemoteIp() {
-			String ret = null ;
-			InetAddress ip = Server.getRemoteIp() ;
-			if (ip != null) {
-				ret = ip.getHostAddress();
-			}
-			return ret ;
-		}
 	}


Mime
View raw message