ranger-commits mailing list archives

From v..@apache.org
Subject incubator-ranger git commit: RANGER-1233: Audit logs not showing up for denied hbase scan operation for tag based policy
Date Tue, 17 Jan 2017 19:07:43 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master 387aaf8a9 -> b2774746c


RANGER-1233: Audit logs not showing up for denied hbase scan operation for tag based policy

Signed-off-by: Velmurugan Periasamy <vel@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b2774746
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b2774746
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b2774746

Branch: refs/heads/master
Commit: b2774746c65f037d5bab2e04b6db24122abe9405
Parents: 387aaf8
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Tue Dec 27 10:34:24 2016 -0800
Committer: Velmurugan Periasamy <vel@apache.org>
Committed: Tue Jan 17 14:07:15 2017 -0500

----------------------------------------------------------------------
 .../ranger/authorization/hbase/HbaseAuditHandlerImpl.java | 10 +++++++---
 .../hbase/RangerAuthorizationCoprocessor.java             |  4 ++++
 2 files changed, 11 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b2774746/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java
index 845cd51..1dc06eb 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java
@@ -52,6 +52,9 @@ public class HbaseAuditHandlerImpl extends RangerDefaultAuditHandler implements
 		}
 		_mostRecentEvent = event;
 
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> getAuthzEvents: mostRecentEvent:" + _mostRecentEvent);
+		}
 		// We return null because we don't want default audit handler to audit anything!
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== HbaseAuditHandlerImpl.getAuthzEvents(" + result + "): null");
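Review bot: The added debug line in getAuthzEvents uses the `==>` arrow, which the other messages in this file use for method entry, and it drops the class prefix, so someone reading a trace will take it for a second entry into the method. Something like `LOG.debug("HbaseAuditHandlerImpl.getAuthzEvents: mostRecentEvent:" + _mostRecentEvent);` keeps the trace unambiguous. The message also prints the whole audit event; that is reasonable at debug level, but it is worth confirming that the event's string form holds nothing that should stay out of the service logs. The method body starts and ends outside the hunk.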
@@ -134,13 +137,14 @@ public class HbaseAuditHandlerImpl extends RangerDefaultAuditHandler implements
 	
 	void applySuperUserOverride(AuthzAuditEvent event) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== HbaseAuditHandlerImpl.applySuperUserOverride(" + event + ")");
+			LOG.debug("==> HbaseAuditHandlerImpl.applySuperUserOverride(" + event + ")");
 		}
 		if (event != null && _superUserOverride) {
-			event.setAccessResult((short)1);
+			event.setAccessResult((short) 1);
+			event.setPolicyId(-1);
 		}
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> HbaseAuditHandlerImpl.applySuperUserOverride(...)");
+			LOG.debug("<== HbaseAuditHandlerImpl.applySuperUserOverride(...)");
 		}
 	}
 }
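Review bot: The two literals written in applySuperUserOverride, `(short) 1` and `-1`, carry the whole meaning of the override but are unexplained, and after this change the audit record for a superuser access no longer names any policy. A comment above the two setters such as `// superuser bypasses policy evaluation: record as allowed and attribute to no policy (-1)` would state the intent. Whether audit consumers read policy id -1 as "no policy" cannot be seen from this hunk and is worth confirming, since an investigator needs to tell an override apart from an ordinary policy grant. The exit message still prints `(...)` rather than the event, so the rewritten values never appear in the debug trace.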

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b2774746/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index b28a10e..cc61a83 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -408,6 +408,10 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 					}
 				} else {
 					everythingIsAccessible = false;
+					if (auditEvent != null && deniedEvent == null) { // we need to capture just one denial event
+						LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
+						deniedEvent = auditEvent;
+					}
 					if (LOG.isDebugEnabled()) {
 						LOG.debug("evaluateAccess: no family level access [" + family + "].  Checking if has partial access (of any type)...");
 					}
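Review bot: A family-level denial that arrives with `auditEvent == null` still leaves no trace in this else branch, because the new guard stores the event only when one exists and is silent otherwise. Since the commit exists to stop denied scans going unaudited, the missing-event case should at least be visible, for example `} else if (auditEvent == null) { LOG.debug("evaluateAccess: no audit event for denied family [" + family + "]"); }`. The comment says one denial is captured while the message says "last auth failure"; the `deniedEvent == null` test keeps the first denial seen, so the wording should say that. The new `LOG.debug` call is also not wrapped in `LOG.isDebugEnabled()` as its neighbours are, which is harmless for a constant string but inconsistent. Where `auditEvent` is assigned lies outside the hunk.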

