Posted to commits@ranger.apache.org by ni...@apache.org on 2019/06/24 14:05:50 UTC
[ranger] branch master updated: RANGER-2466 : Improvement in
setting cluster Name in RangerAccessRequest
This is an automated email from the ASF dual-hosted git repository.
nikhil pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 51bb1f8 RANGER-2466 : Improvement in setting cluster Name in RangerAccessRequest
51bb1f8 is described below
commit 51bb1f831f956c6f88efb5305fd7aeb3859aee1f
Author: Nikhil P <ni...@apache.org>
AuthorDate: Mon Jun 24 19:34:55 2019 +0530
RANGER-2466 : Improvement in setting cluster Name in RangerAccessRequest
---
.../policyengine/RangerAccessRequestImpl.java | 1 -
.../plugin/policyengine/RangerPluginContext.java | 63 ++++++++++++++++++++++
.../policyengine/RangerPolicyEngineCache.java | 7 ++-
.../policyengine/RangerPolicyEngineImpl.java | 32 ++++++++---
.../ranger/plugin/service/RangerAuthContext.java | 52 +++++++++++++-----
.../ranger/plugin/service/RangerBasePlugin.java | 26 +++------
.../ranger/plugin/policyengine/TestPolicyACLs.java | 4 +-
.../ranger/plugin/policyengine/TestPolicyDb.java | 5 +-
.../plugin/policyengine/TestPolicyEngine.java | 6 ++-
.../authorization/hbase/AuthorizationSession.java | 11 +---
.../hbase/RangerAuthorizationCoprocessor.java | 33 +++---------
.../authorization/hbase/TestPolicyEngine.java | 6 ++-
.../authorization/hadoop/RangerHdfsAuthorizer.java | 12 ++---
.../hive/authorizer/RangerHiveAccessRequest.java | 13 ++---
.../hive/authorizer/RangerHiveAuthorizer.java | 22 +++-----
.../authorization/knox/KnoxRangerPlugin.java | 6 ---
.../authorization/knox/RangerPDPKnoxFilter.java | 5 +-
.../atlas/authorizer/RangerAtlasAuthorizer.java | 10 ----
.../authorizer/RangerElasticsearchAuthorizer.java | 6 +--
.../kafka/authorizer/RangerKafkaAuthorizer.java | 2 -
.../kms/authorizer/RangerKmsAuthorizer.java | 9 ++--
.../kylin/authorizer/RangerKylinAuthorizer.java | 6 +--
.../solr/authorizer/RangerSolrAuthorizer.java | 8 ++-
.../sqoop/authorizer/RangerSqoopAuthorizer.java | 8 +--
.../yarn/authorizer/RangerYarnAuthorizer.java | 6 +--
.../apache/ranger/policyengine/PerfTestEngine.java | 8 ++-
.../RangerPolicyEnginePerformanceTest.java | 6 ++-
.../authorization/storm/StormRangerPlugin.java | 3 +-
.../storm/authorizer/RangerStormAuthorizer.java | 3 +-
29 files changed, 208 insertions(+), 171 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index fd41222..1f2f8ea 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -72,7 +72,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
setRequestData(null);
setSessionId(null);
setContext(null);
- setClusterName(null);
}
@Override
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
new file mode 100644
index 0000000..36dcec1
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+public class RangerPluginContext {
+
+ private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
+ private String clusterName;
+
+ public RangerPluginContext(String serviceType){
+ this.clusterName = findClusterName(serviceType);
+ }
+
+ public String getClusterName() {
+ return clusterName;
+ }
+
+ public void setClusterName(String clusterName) {
+ this.clusterName = clusterName;
+ }
+
+ private String findClusterName(String serviceType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPluginContext.findClusterName , serviceType = " + serviceType);
+ }
+
+ String propertyPrefix = "ranger.plugin." + serviceType;
+ String clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".access.cluster.name", "");
+ if(StringUtil.isEmpty(clusterName)){
+ clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPluginContext.findClusterName ");
+ }
+
+ return clusterName;
+ }
+
+}
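Review bot: The `LOG` field is created with `RangerBasePlugin.class`, so the debug output of findClusterName is attributed to the wrong class and cannot be switched on through this class's own logger name. It should read `private static final Log LOG = LogFactory.getLog(RangerPluginContext.class);`, which also makes the RangerBasePlugin import unnecessary. The exit message does not print the resolved value; `LOG.debug("<== RangerPluginContext.findClusterName , clusterName = " + clusterName);` would help when a cluster name is unexpectedly empty. Because `clusterName` is a plain mutable field with a public setter, and the same instance is handed to both the policy engine and the auth context, a short class comment should state who may call `setClusterName` (the test hunks in this commit use it) and that a change affects every later request.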
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
index 4a41e62..015ca09 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
@@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerSecurityZone;
+import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.store.SecurityZoneStore;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -75,7 +76,11 @@ public class RangerPolicyEngineCache {
private RangerPolicyEngine addPolicyEngine(ServicePolicies policies, RangerPolicyEngineOptions options) {
- RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options);
+ RangerServiceDef serviceDef = policies.getServiceDef();
+ String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
+
+ RangerPluginContext rangerPluginContext = new RangerPluginContext(serviceType);
+ RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options, rangerPluginContext);
policyEngineCache.put(policies.getServiceName(), ret);
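Review bot: When `policies.getServiceDef()` is null, the new code still builds a context with an empty service type, so findClusterName looks up the degenerate keys `ranger.plugin..access.cluster.name` and `ranger.plugin..ambari.cluster.name` and silently yields an empty cluster name. The engine's preProcess already tolerates a null context, so `RangerPluginContext rangerPluginContext = (serviceDef != null) ? new RangerPluginContext(serviceDef.getName()) : null;` avoids the meaningless lookup. The rest of addPolicyEngine lies outside this hunk.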
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index e0043ff..0edf149 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -86,8 +86,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private Map<String, String> zoneTagServiceMap;
private final Map<String, Set<String>> userRoleMapping;
private final Map<String, Set<String>> groupRoleMapping;
+ private final RangerPluginContext rangerPluginContext;
public RangerPolicyEngineImpl(final RangerPolicyEngineImpl other, ServicePolicies servicePolicies) {
+ this(other, servicePolicies, null);
+ }
+
+ public RangerPolicyEngineImpl(final RangerPolicyEngineImpl other, ServicePolicies servicePolicies, RangerPluginContext rangerPluginContext) {
List<RangerPolicyDelta> deltas = servicePolicies.getPolicyDeltas();
long policyVersion = servicePolicies.getPolicyVersion();
@@ -195,8 +200,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
- List<RangerContextEnricher> tmpList;
+ this.rangerPluginContext = (rangerPluginContext != null) ? rangerPluginContext : null;
+ List<RangerContextEnricher> tmpList;
List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers();
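Review bot: The assignment `this.rangerPluginContext = (rangerPluginContext != null) ? rangerPluginContext : null;` is a no-op ternary, since both branches evaluate to the argument, and the same line is repeated in the appId constructor (hunk at -236). As written, the two-argument delta constructor passes null, so an engine built through it carries no plugin context and preProcess skips `setClusterName`. If the clone is meant to inherit the context, use `this.rangerPluginContext = (rangerPluginContext != null) ? rangerPluginContext : other.rangerPluginContext;` here, assuming `other` is non-null at this point, which the part of the constructor outside the hunk would have to confirm. In the appId constructor a plain `this.rangerPluginContext = rangerPluginContext;` is enough.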
@@ -219,8 +225,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
+ this(appId, servicePolicies, options, null);
+ }
+
+ public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl(" + appId + ", " + servicePolicies + ", " + options + ")");
+ LOG.debug("==> RangerPolicyEngineImpl(" + appId + ", " + servicePolicies + ", " + options + ", " + rangerPluginContext + ")");
}
RangerPerfTracer perf = null;
@@ -236,6 +246,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
options = new RangerPolicyEngineOptions();
}
+ this.rangerPluginContext = (rangerPluginContext != null) ? rangerPluginContext : null;
+
if(StringUtils.isBlank(options.evaluatorType) || StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
String serviceType = servicePolicies.getServiceDef().getName();
@@ -270,7 +282,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName());
}
-
tagPolicyRepository = new RangerPolicyRepository(appId, tagPolicies, options, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
} else {
@@ -333,9 +344,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cloneWithDelta()");
}
-
- if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) && RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(), this.getServiceDef().getName())) {
- ret = new RangerPolicyEngineImpl(this, servicePolicies);
+ RangerServiceDef serviceDef = this.getServiceDef();
+ String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
+ if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) && RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(), serviceType)) {
+ ret = new RangerPolicyEngineImpl(this, servicePolicies, this.rangerPluginContext);
} else {
ret = null;
}
@@ -410,7 +422,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
setResourceServiceDef(request);
if (request instanceof RangerAccessRequestImpl) {
- ((RangerAccessRequestImpl) request).extractAndSetClientIPAddress(useForwardedIPAddress, trustedProxyAddresses);
+ RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl) request;
+ reqImpl.extractAndSetClientIPAddress(useForwardedIPAddress, trustedProxyAddresses);
+
+ if(rangerPluginContext != null) {
+ reqImpl.setClusterName(rangerPluginContext.getClusterName());
+ }
}
RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());
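Review bot: The new `setClusterName` call in preProcess overwrites whatever the caller put on the request, and the behaviour is undocumented. RangerPluginContext defaults both properties to `""`, so an unconfigured plugin replaces a caller-supplied cluster name with an empty string. A comment above the null check, such as `// cluster name always comes from plugin configuration; a value set by the caller is replaced`, would make the contract explicit. If caller-supplied values should survive, guard with `StringUtils.isNotEmpty(rangerPluginContext.getClusterName())`. The identical block added to RangerAuthContext.preProcess needs the same treatment; preProcess itself begins and ends outside this hunk.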
@@ -440,7 +457,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
-
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + request + ")");
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index e854e05..67c068b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -21,6 +21,8 @@ package org.apache.ranger.plugin.service;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -30,6 +32,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerMutableResource;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
@@ -44,27 +47,40 @@ import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
public class RangerAuthContext implements RangerPolicyEngine {
+ private static final Log LOG = LogFactory.getLog(RangerAuthContext.class);
+ private final RangerPluginContext rangerPluginContext;
private RangerPolicyEngine policyEngine;
private Map<RangerContextEnricher, Object> requestContextEnrichers;
- protected RangerAuthContext() {
- this(null, null);
+ protected RangerAuthContext() {
+ this(null, null, null);
+ }
+
+ protected RangerAuthContext(RangerPluginContext rangerPluginContext) {
+ this(null, null, rangerPluginContext);
}
- RangerAuthContext(RangerPolicyEngine policyEngine, Map<RangerContextEnricher, Object> requestContextEnrichers) {
+ RangerAuthContext(RangerPolicyEngine policyEngine, Map<RangerContextEnricher, Object> requestContextEnrichers, RangerPluginContext rangerPluginContext) {
this.policyEngine = policyEngine;
this.requestContextEnrichers = requestContextEnrichers;
+ this.rangerPluginContext = rangerPluginContext;
}
- RangerAuthContext(RangerAuthContext other) {
- if (other != null) {
- this.policyEngine = other.getPolicyEngine();
- Map<RangerContextEnricher, Object> localReference = other.requestContextEnrichers;
- if (MapUtils.isNotEmpty(localReference)) {
- this.requestContextEnrichers = new ConcurrentHashMap<>(localReference);
- }
- }
+ RangerAuthContext(RangerAuthContext other) {
+ this(other, null);
+ }
+
+ RangerAuthContext(RangerAuthContext other, RangerPluginContext rangerPluginContext) {
+ if (other != null) {
+ this.policyEngine = other.getPolicyEngine();
+ Map<RangerContextEnricher, Object> localReference = other.requestContextEnrichers;
+ if (MapUtils.isNotEmpty(localReference)) {
+ this.requestContextEnrichers = new ConcurrentHashMap<>(localReference);
+ }
+ }
+ this.rangerPluginContext = rangerPluginContext;
}
+
public RangerPolicyEngine getPolicyEngine() {
return policyEngine;
}
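Review bot: The copy constructor `RangerAuthContext(RangerAuthContext other)` now delegates with `this(other, null)`, so the copy drops the plugin context held by `other`. RangerBasePlugin.createRangerAuthContext() is shown elsewhere in this commit still calling `new RangerAuthContext(readOnlyAuthContext)`, so contexts obtained that way would have a null `rangerPluginContext`, and their preProcess would not set the cluster name on requests. Delegating with `this(other, (other != null) ? other.rangerPluginContext : null);` keeps the value. The rewritten constructors also mix tab and space indentation, which is why otherwise unchanged lines appear as removed and re-added.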
@@ -143,6 +159,10 @@ public class RangerAuthContext implements RangerPolicyEngine {
@Override
public void preProcess(RangerAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthContext.preProcess");
+ }
+
RangerAccessResource resource = request.getResource();
if (resource.getServiceDef() == null) {
if (resource instanceof RangerMutableResource) {
@@ -151,7 +171,11 @@ public class RangerAuthContext implements RangerPolicyEngine {
}
}
if (request instanceof RangerAccessRequestImpl) {
- ((RangerAccessRequestImpl) request).extractAndSetClientIPAddress(getUseForwardedIPAddress(), getTrustedProxyAddresses());
+ RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl) request;
+ reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(), getTrustedProxyAddresses());
+ if(rangerPluginContext != null) {
+ reqImpl.setClusterName(rangerPluginContext.getClusterName());
+ }
}
RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());
@@ -172,6 +196,10 @@ public class RangerAuthContext implements RangerPolicyEngine {
}
}
}
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthContext.preProcess");
+ }
}
@Override
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index ddf181c..df1fba5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -51,6 +51,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
@@ -73,10 +74,10 @@ public class RangerBasePlugin {
private String serviceType;
private String appId;
private String serviceName;
- private String clusterName;
private PolicyRefresher refresher;
private RangerPolicyEngine policyEngine;
private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
+ private RangerPluginContext rangerPluginContext;
private RangerAuthContext currentAuthContext;
private RangerAuthContext readOnlyAuthContext;
private RangerAccessResultProcessor resultProcessor;
@@ -146,20 +147,12 @@ public class RangerBasePlugin {
return serviceType;
}
- public String getClusterName() {
- return clusterName;
- }
-
public RangerAuthContext createRangerAuthContext() {
return new RangerAuthContext(readOnlyAuthContext);
}
public RangerAuthContext getCurrentRangerAuthContext() { return currentAuthContext; }
- public void setClusterName(String clusterName) {
- this.clusterName = clusterName;
- }
-
public RangerServiceDef getServiceDef() {
RangerPolicyEngine policyEngine = this.policyEngine;
@@ -192,10 +185,6 @@ public class RangerBasePlugin {
long pollingIntervalMs = configuration.getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
String cacheDir = configuration.get(propertyPrefix + ".policy.cache.dir");
serviceName = configuration.get(propertyPrefix + ".service.name");
- clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".access.cluster.name", "");
- if(StringUtil.isEmpty(clusterName)){
- clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
- }
useForwardedIPAddress = configuration.getBoolean(propertyPrefix + ".use.x-forwarded-for.ipaddress", false);
String trustedProxyAddressString = configuration.get(propertyPrefix + ".trusted.proxy.ipaddresses");
trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR);
@@ -322,8 +311,9 @@ public class RangerBasePlugin {
if (LOG.isDebugEnabled()) {
LOG.debug("policies are not null. Creating engine from policies");
}
- currentAuthContext = new RangerAuthContext();
- newPolicyEngine = new RangerPolicyEngineImpl(appId, policies, policyEngineOptions);
+ rangerPluginContext = new RangerPluginContext(serviceType);
+ currentAuthContext = new RangerAuthContext(rangerPluginContext);
+ newPolicyEngine = new RangerPolicyEngineImpl(appId, policies, policyEngineOptions, rangerPluginContext);
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("policy-deltas are not null");
@@ -342,8 +332,9 @@ public class RangerBasePlugin {
LOG.debug("Failed to apply policyDeltas=" + Arrays.toString(policies.getPolicyDeltas().toArray()) + "), Creating engine from policies");
LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]");
}
- currentAuthContext = new RangerAuthContext();
- newPolicyEngine = new RangerPolicyEngineImpl(appId, servicePolicies, policyEngineOptions);
+ rangerPluginContext = new RangerPluginContext(serviceType);
+ currentAuthContext = new RangerAuthContext(rangerPluginContext);
+ newPolicyEngine = new RangerPolicyEngineImpl(appId, servicePolicies, policyEngineOptions, rangerPluginContext);
}
} else {
if (LOG.isDebugEnabled()) {
@@ -649,7 +640,6 @@ public class RangerBasePlugin {
accessRequest.setClientType(request.getClientType());
accessRequest.setRequestData(request.getRequestData());
accessRequest.setSessionId(request.getSessionId());
- accessRequest.setClusterName(request.getClusterName());
// call isAccessAllowed() to determine if audit is enabled or not
RangerAccessResult accessResult = isAccessAllowed(accessRequest, null);
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index 1abd209..33b26e0 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -91,7 +91,9 @@ public class TestPolicyACLs {
for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions);
+ RangerPluginContext pluginContext = new RangerPluginContext("hive");
+ pluginContext.setClusterName("cl1");
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext);
for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
if(oneTest == null) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
index 85ea679..f373339 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
@@ -115,8 +115,9 @@ public class TestPolicyDb {
policyEngineOptions.cacheAuditResults = false;
policyEngineOptions.disableContextEnrichers = true;
policyEngineOptions.disableCustomConditions = true;
-
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policydb", testCase.servicePolicies, policyEngineOptions);
+ RangerPluginContext pluginContext = new RangerPluginContext("hive");
+ pluginContext.setClusterName("cl1");
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policydb", testCase.servicePolicies, policyEngineOptions, pluginContext);
for(TestData test : testCase.tests) {
boolean expected = test.result;
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index c3b31bb..cce5129 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -435,7 +435,9 @@ public class TestPolicyEngine {
trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
}
}
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
+ RangerPluginContext pluginContext = new RangerPluginContext("hive");
+ pluginContext.setClusterName("cl1");
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions, pluginContext);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
@@ -443,7 +445,7 @@ public class TestPolicyEngine {
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
policyEngineOptions.optimizeTrieForRetrieval = false;
- RangerPolicyEngine policyEngineForResourceAccessInfo = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
+ RangerPolicyEngine policyEngineForResourceAccessInfo = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions, pluginContext);
policyEngineForResourceAccessInfo.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngineForResourceAccessInfo.setTrustedProxyAddresses(trustedProxyAddresses);
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index d51f0fb..6461a24 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -56,7 +56,6 @@ public class AuthorizationSession {
String _column;
String _columnFamily;
String _remoteAddress;
- String _clusterName;
User _user;
Set<String> _groups; // this exits to avoid having to get group for a user repeatedly. It is kept in sync with _user;
@@ -92,11 +91,6 @@ public class AuthorizationSession {
_access = anAccess;
return this;
}
-
- AuthorizationSession clusterName(String clusterName) {
- _clusterName = clusterName;
- return this;
- }
AuthorizationSession user(User aUser) {
_user = aUser;
@@ -200,7 +194,6 @@ public class AuthorizationSession {
request.setRequestData(_otherInformation);
request.setClientIPAddress(_remoteAddress);
request.setResourceMatchingScope(_resourceMatchingScope);
- request.setClusterName(_clusterName);
request.setAccessTime(new Date());
_request = request;
@@ -345,7 +338,6 @@ public class AuthorizationSession {
.add(RangerHBaseResource.KEY_COLUMN, _column)
.add(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily)
.add("resource-matching-scope", _resourceMatchingScope)
- .add("clusterName", _clusterName)
.toString();
}
@@ -361,8 +353,7 @@ public class AuthorizationSession {
String format = "Access[%s] by user[%s] belonging to groups[%s] to table[%s] for column-family[%s], column[%s] triggered by operation[%s], otherInformation[%s]";
String user = _userUtils.getUserAsString();
String message = String.format(format, getPrintableValue(_access), getPrintableValue(user), _groups, getPrintableValue(_table),
- getPrintableValue(_columnFamily), getPrintableValue(_column), getPrintableValue(_operation), getPrintableValue(_otherInformation),
- getPrintableValue(_clusterName));
+ getPrintableValue(_columnFamily), getPrintableValue(_column), getPrintableValue(_operation), getPrintableValue(_otherInformation));
return message;
}
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 449d77d..5729eb2 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -275,12 +275,11 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
final List<AuthzAuditEvent> _familyLevelAccessEvents;
final AuthzAuditEvent _accessDeniedEvent;
final String _denialReason;
- final RangerAuthorizationFilter _filter;
- final String _clusterName;
+ final RangerAuthorizationFilter _filter;;
ColumnFamilyAccessResult(boolean everythingIsAccessible, boolean somethingIsAccessible,
List<AuthzAuditEvent> accessAllowedEvents, List<AuthzAuditEvent> familyLevelAccessEvents, AuthzAuditEvent accessDeniedEvent, String denialReason,
- RangerAuthorizationFilter filter, String clusterName) {
+ RangerAuthorizationFilter filter) {
_everythingIsAccessible = everythingIsAccessible;
_somethingIsAccessible = somethingIsAccessible;
// WARNING: we are just holding on to reference of the collection. Potentially risky optimization
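Review bot: The rewritten field declaration ends with a doubled semicolon, `final RangerAuthorizationFilter _filter;;`. The second semicolon is an empty declaration left over from removing `_clusterName` and should be dropped, giving `final RangerAuthorizationFilter _filter;`. The class and its constructor continue outside this hunk.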
@@ -290,7 +289,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
_denialReason = denialReason;
// cached values of access results
_filter = filter;
- _clusterName = clusterName;
}
@Override
@@ -303,7 +301,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
.add("accessDeniedEvent", _accessDeniedEvent)
.add("denialReason", _denialReason)
.add("filter", _filter)
- .add("clusterName", _clusterName)
.toString();
}
@@ -328,13 +325,12 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
throw new AccessDeniedException("Insufficient permissions for operation '" + operation + "',action: " + action);
}
String table = Bytes.toString(tableBytes);
- String clusterName = hbasePlugin.getClusterName();
final String messageTemplate = "evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]";
ColumnFamilyAccessResult result;
if (canSkipAccessCheck(user, operation, access, table) || canSkipAccessCheck(user, operation, access, env)) {
LOG.debug("evaluateAccess: exiting: isKnownAccessPattern returned true: access allowed, not audited");
- result = new ColumnFamilyAccessResult(true, true, null, null, null, null, null, null);
+ result = new ColumnFamilyAccessResult(true, true, null, null, null, null, null);
if (LOG.isDebugEnabled()) {
Map<String, Set<String>> families = getColumnFamilies(familyMap);
String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
@@ -351,8 +347,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
.auditHandler(auditHandler)
.user(user)
.access(access)
- .table(table)
- .clusterName(clusterName);
+ .table(table);
Map<String, Set<String>> families = getColumnFamilies(familyMap);
if (LOG.isDebugEnabled()) {
LOG.debug("evaluateAccess: families to process: " + families.toString());
@@ -374,7 +369,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
// if authorized then pass captured events as access allowed set else as access denied set.
result = new ColumnFamilyAccessResult(authorized, authorized,
authorized ? Collections.singletonList(event) : null,
- null, authorized ? null : event, reason, null, clusterName);
+ null, authorized ? null : event, reason, null);
if (LOG.isDebugEnabled()) {
String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
LOG.debug(message);
@@ -520,7 +515,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
}
// Cache of auth results are encapsulated the in the filter. Not every caller of the function uses it - only preGet and preOpt will.
RangerAuthorizationFilter filter = new RangerAuthorizationFilter(session, familesAccessAllowed, familesAccessDenied, familesAccessIndeterminate, columnsAccessAllowed);
- result = new ColumnFamilyAccessResult(everythingIsAccessible, somethingIsAccessible, authorizedEvents, familyLevelAccessEvents, deniedEvent, denialReason, filter, clusterName);
+ result = new ColumnFamilyAccessResult(everythingIsAccessible, somethingIsAccessible, authorizedEvents, familyLevelAccessEvents, deniedEvent, denialReason, filter);
if (LOG.isDebugEnabled()) {
String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
LOG.debug(message);
@@ -626,7 +621,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
return;
}
- String clusterName = hbasePlugin.getClusterName();
HbaseAuditHandler auditHandler = _factory.getAuditHandler();
AuthorizationSession session = new AuthorizationSession(hbasePlugin)
@@ -639,7 +633,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
.table(table)
.columnFamily(columnFamily)
.column(column)
- .clusterName(clusterName)
.buildRequest()
.authorize();
@@ -673,7 +666,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
boolean canSkipAccessCheck(User user, final String operation, String access, final RegionCoprocessorEnvironment regionServerEnv) throws AccessDeniedException {
- String clusterName = hbasePlugin.getClusterName();
// read access to metadata tables is always allowed and isn't audited.
if (isAccessForMetaTables(regionServerEnv) && _authUtils.isReadAccess(access)) {
LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
@@ -687,7 +679,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
.remoteAddress(getRemoteAddress())
.user(user)
.access(createAccess)
- .clusterName(clusterName)
.buildRequest()
.authorize();
if (session.isAuthorized()) {
@@ -1179,7 +1170,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
descriptors == null ? 0 : descriptors.size(), regex));
}
- String clusterName = hbasePlugin.getClusterName();
if (CollectionUtils.isNotEmpty(descriptors)) {
// Retains only those which passes authorization checks
@@ -1192,8 +1182,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
.remoteAddress(getRemoteAddress())
.auditHandler(auditHandler)
.user(user)
- .access(access)
- .clusterName(clusterName);
+ .access(access);
Iterator<TableDescriptor> itr = descriptors.iterator();
while (itr.hasNext()) {
@@ -1248,9 +1237,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
if(plugin != null) {
- String clusterName = plugin.getClusterName();
- grData.setClusterName(clusterName);
-
RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
plugin.grantAccess(grData, auditHandler);
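Review bot: With `grData.setClusterName(clusterName)` removed, nothing in this hunk attaches a cluster name to the grant request before `plugin.grantAccess(grData, auditHandler)`, so the grant record now depends entirely on `grantAccess` filling it in, and that code is not visible here. That path is worth confirming, because a grant or revoke that reaches the admin service and the audit trail without a cluster name is harder to attribute in a multi-cluster deployment. The same applies to the revoke hunk that follows and to the `grantPrivileges`/`revokePrivileges` hunks in RangerHiveAuthorizer.java, where `LOG.info("grantPrivileges(): " + request)` now runs before any cluster name can have been set on the request. Once confirmed, a one-line comment at each call site would record the contract, for example `// cluster name is populated from the plugin context inside grantAccess()`. The enclosing method starts and ends outside the hunk.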
@@ -1290,9 +1276,7 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
RangerHBasePlugin plugin = hbasePlugin;
if(plugin != null) {
- String clusterName = plugin.getClusterName();
- grData.setClusterName(clusterName);
-
+
RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
plugin.revokeAccess(grData, auditHandler);
@@ -1344,7 +1328,6 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
rangerAccessrequest.setAction(operation);
rangerAccessrequest.setClientIPAddress(getRemoteAddress());
rangerAccessrequest.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
- rangerAccessrequest.setClusterName(hbasePlugin.getClusterName());
List<UserPermission> perms = null;
if (request.getType() == AccessControlProtos.Permission.Type.Table) {
final TableName table = request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null;
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
index 6efe2e3..6dd81fa 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
@@ -37,6 +37,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
@@ -102,8 +103,9 @@ public class TestPolicyEngine {
servicePolicies.setPolicies(testCase.policies);
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
-
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
+ RangerPluginContext pluginContext = new RangerPluginContext("hive");
+ pluginContext.setClusterName("cl1");
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions, pluginContext);
RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
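Review bot: The added `new RangerPluginContext("hive")` builds the context for an HBase policy-engine test with the string "hive", which looks copied from another module's test. If that constructor argument is the plugin or service type (its definition is not visible in this hunk), it should read `new RangerPluginContext("hbase");`. The test also sets `"cl1"`, but nothing in the hunk asserts that the value reaches the evaluated request or result, so the behaviour this commit centralises stays unchecked here. The enclosing test method starts and ends outside the hunk.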
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index f204c15..7b2882c 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -520,7 +520,6 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
private AuthzStatus isAccessAllowedForTraversal(INode inode, INodeAttributes inodeAttribs, String path, String user, Set<String> groups, RangerHdfsPlugin plugin, RangerHdfsAuditHandler auditHandler, boolean skipAuditOnAllow) {
final AuthzStatus ret;
String pathOwner = inodeAttribs != null ? inodeAttribs.getUserName() : null;
- String clusterName = plugin.getClusterName();
FsAction access = FsAction.EXECUTE;
@@ -536,7 +535,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
LOG.debug("==> RangerAccessControlEnforcer.isAccessAllowedForTraversal(" + path + ", " + access + ", " + user + ", " + skipAuditOnAllow + ")");
}
- RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, EXECUTE_ACCCESS_TYPE, user, groups, clusterName);
+ RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, EXECUTE_ACCCESS_TYPE, user, groups);
RangerAccessResult result = plugin.isAccessAllowed(request, null);
@@ -639,7 +638,6 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
private AuthzStatus isAccessAllowed(INode inode, INodeAttributes inodeAttribs, String path, FsAction access, String user, Set<String> groups, RangerHdfsPlugin plugin, RangerHdfsAuditHandler auditHandler) {
AuthzStatus ret = null;
String pathOwner = inodeAttribs != null ? inodeAttribs.getUserName() : null;
- String clusterName = plugin.getClusterName();
if(pathOwner == null && inode != null) {
pathOwner = inode.getUserName();
@@ -662,7 +660,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
}
for(String accessType : accessTypes) {
- RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, user, groups, clusterName);
+ RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, user, groups);
RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);
@@ -693,7 +691,6 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
private AuthzStatus isAccessAllowedForHierarchy(INode inode, INodeAttributes inodeAttribs, String path, FsAction access, String user, Set<String> groups, RangerHdfsPlugin plugin) {
AuthzStatus ret = null;
String pathOwner = inodeAttribs != null ? inodeAttribs.getUserName() : null;
- String clusterName = plugin.getClusterName();
if (pathOwner == null && inode != null) {
pathOwner = inode.getUserName();
@@ -724,7 +721,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
subDirPath = subDirPath + RangerHdfsPlugin.getRandomizedWildcardPathName();
for (String accessType : accessTypes) {
- RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessType, user, groups, clusterName);
+ RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessType, user, groups);
RangerAccessResult result = plugin.isAccessAllowed(request, null);
@@ -821,7 +818,7 @@ class RangerHdfsResource extends RangerAccessResourceImpl {
class RangerHdfsAccessRequest extends RangerAccessRequestImpl {
- public RangerHdfsAccessRequest(INode inode, String path, String pathOwner, FsAction access, String accessType, String user, Set<String> groups, String clusterName) {
+ public RangerHdfsAccessRequest(INode inode, String path, String pathOwner, FsAction access, String accessType, String user, Set<String> groups) {
super.setResource(new RangerHdfsResource(path, pathOwner));
super.setAccessType(accessType);
super.setUser(user);
@@ -829,7 +826,6 @@ class RangerHdfsAccessRequest extends RangerAccessRequestImpl {
super.setAccessTime(new Date());
super.setClientIPAddress(getRemoteIp());
super.setAction(access.toString());
- super.setClusterName(clusterName);
if (inode != null) {
buildRequestContext(inode);
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index df379c3..ce5cf64 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -42,8 +42,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
String hiveOpTypeName,
HiveAccessType accessType,
HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext,
- String clusterName) {
+ HiveAuthzSessionContext sessionContext) {
this.setResource(resource);
this.setUser(user);
this.setUserGroups(userGroups);
@@ -62,7 +61,6 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
this.setSessionId(sessionContext.getSessionString());
}
- this.setClusterName(clusterName);
}
public RangerHiveAccessRequest(RangerHiveResource resource,
@@ -71,13 +69,12 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
HiveOperationType hiveOpType,
HiveAccessType accessType,
HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext,
- String clusterName) {
- this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext, clusterName);
+ HiveAuthzSessionContext sessionContext) {
+ this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext);
}
- public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, HiveAuthzContext context, HiveAuthzSessionContext sessionContext, String clusterName) {
- this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext, clusterName);
+ public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
+ this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
}
public HiveAccessType getHiveAccessType() {
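Review bot: The public constructors of `RangerHiveAccessRequest` lose their `clusterName` parameter with no Javadoc saying where the cluster name now comes from, and with no deprecated overload for code compiled against the old signatures. A short Javadoc on the primary constructor would close the documentation gap, for example `/** Does not set a cluster name; it is expected to be supplied from the plugin context when the request is evaluated. */`. That wording should be checked against RangerPolicyEngineImpl, which is outside this hunk. The same documentation gap applies to the HDFS, Elasticsearch, KMS, Kylin and Solr request constructors changed elsewhere in this commit. The primary constructor's signature begins outside the hunks shown for this file.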
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 625b7bb..de74cc7 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -161,7 +161,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
try {
RangerHiveResource resource = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject);
GrantRevokeRequest request = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);
- request.setClusterName(hivePlugin.getClusterName());
LOG.info("grantPrivileges(): " + request);
if(LOG.isDebugEnabled()) {
@@ -202,7 +201,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
try {
RangerHiveResource resource = getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject);
GrantRevokeRequest request = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);
- request.setClusterName(hivePlugin.getClusterName());
LOG.info("revokePrivileges(): " + request);
if(LOG.isDebugEnabled()) {
@@ -246,7 +244,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- String clusterName = hivePlugin.getClusterName();
if(LOG.isDebugEnabled()) {
LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext));
@@ -292,8 +289,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
if(!existsByResourceAndAccessType(requests, resource, accessType)) {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, clusterName);
-
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
requests.add(request);
}
}
@@ -301,7 +297,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
// this should happen only for SHOWDATABASES
if (hiveOpType == HiveOperationType.SHOWDATABASES) {
RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext, clusterName);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
requests.add(request);
} else if ( hiveOpType == HiveOperationType.REPLDUMP) {
// This happens when REPL DUMP command with null inputHObjs is sent in checkPrivileges()
@@ -317,7 +313,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
}
//
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext, clusterName);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
requests.add(request);
} else {
if (LOG.isDebugEnabled()) {
@@ -354,7 +350,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
if(!existsByResourceAndAccessType(requests, resource, accessType)) {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, clusterName);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
requests.add(request);
}
@@ -373,7 +369,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
} else {
resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
}
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext, clusterName);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
requests.add(request);
}
}
@@ -554,7 +550,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if (resource == null) {
LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null");
} else {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext, hivePlugin.getClusterName());
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext);
RangerAccessResult result = hivePlugin.isAccessAllowed(request);
if (result == null) {
LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!");
@@ -719,9 +715,8 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
HiveObjectType objectType = HiveObjectType.TABLE;
- String clusterName = hivePlugin.getClusterName();
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
@@ -742,7 +737,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName, String tableOrViewName, String columnName, List<String> columnTransformers) throws SemanticException {
UserGroupInformation ugi = getCurrentUserGroupInfo();
- String clusterName = hivePlugin.getClusterName();
if(ugi == null) {
throw new SemanticException("user information not available");
}
@@ -762,7 +756,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
HiveObjectType objectType = HiveObjectType.COLUMN;
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
index 814aedd..94a47b3 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
@@ -56,7 +56,6 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
String _user;
Set<String> _groups;
String _clientIp;
- String _clusterName;
String _remoteIp;
List<String> _forwardedAddresses;
@@ -80,10 +79,6 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
_clientIp = clientIp;
return this;
}
- RequestBuilder clusterName(String clusterName) {
- _clusterName = clusterName;
- return this;
- }
RequestBuilder remoteIp(String remoteIp) {
_remoteIp = remoteIp;
return this;
@@ -111,7 +106,6 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
request.setUser(_user);
request.setUserGroups(_groups);
request.setResource(resource);
- request.setClusterName(_clusterName);
request.setRemoteIPAddress(_remoteIp);
request.setForwardedAddresses(_forwardedAddresses);
return request;
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
index e75f314..62363ab 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
@@ -134,15 +134,13 @@ public class RangerPDPKnoxFilter implements Filter {
}
String clientIp = request.getRemoteAddr();
- String clusterName = plugin.getClusterName();
List<String> forwardedAddresses = getForwardedAddresses(request);
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser
+ ", impersonatedUser: " + impersonatedUser
+ ", effectiveUser: " + user + ", groups: " + groups
- + ", clientIp: " + clientIp + ", clusterName: " + clusterName
- + ", remoteIp: " + clientIp + ", forwardedAddresses: " + forwardedAddresses);
+ + ", clientIp: " + clientIp + ", remoteIp: " + clientIp + ", forwardedAddresses: " + forwardedAddresses);
}
RangerAccessRequest accessRequest = new RequestBuilder()
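Review bot: The rewritten debug line prints `clientIp` under two labels, `clientIp` and `remoteIp`, so the log cannot show whether the two ever differ; the builder call in the next hunk likewise passes `.remoteIp(clientIp)`. Both values come from `request.getRemoteAddr()`, which behind a proxy or load balancer is that intermediary's address. `forwardedAddresses` is derived from the request (presumably from a forwarding header, though `getForwardedAddresses` is not visible here) and should be treated as client-supplied text wherever it is logged or audited. Since the line is being rewritten anyway, the duplicate can go: `+ ", clientIp: " + clientIp + ", forwardedAddresses: " + forwardedAddresses);`. The enclosing method starts and ends outside the hunk.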
@@ -151,7 +149,6 @@ public class RangerPDPKnoxFilter implements Filter {
.user(user)
.groups(groups)
.clientIp(clientIp)
- .clusterName(clusterName)
.remoteIp(clientIp)
.forwardedAddresses(forwardedAddresses)
.build();
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index b52a22e..c6008ba 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -111,7 +111,6 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
rangerRequest.setAction(action);
- rangerRequest.setClusterName(getClusterName());
ret = checkAccess(rangerRequest);
} finally {
@@ -183,7 +182,6 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
- rangerRequest.setClusterName(getClusterName());
rangerRequest.setAction(action);
@@ -229,7 +227,6 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
- rangerRequest.setClusterName(getClusterName());
rangerRequest.setAction(action);
@@ -314,12 +311,6 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
}
}
- private String getClusterName() {
- RangerBasePlugin plugin = atlasPlugin;
-
- return plugin != null ? plugin.getClusterName() : null;
- }
-
private RangerServiceDef getServiceDef() {
RangerBasePlugin plugin = atlasPlugin;
@@ -351,7 +342,6 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
rangerRequest.setUserGroups(request.getUserGroups());
rangerRequest.setClientIPAddress(request.getClientIPAddress());
rangerRequest.setAccessTime(request.getAccessTime());
- rangerRequest.setClusterName(getClusterName());
rangerRequest.setResource(rangerResource);
if (StringUtils.isNotEmpty(classification)) {
diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
index a6b024f..31de631 100644
--- a/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
+++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
@@ -89,9 +89,8 @@ public class RangerElasticsearchAuthorizer implements RangerElasticsearchAccessC
if (elasticsearchPlugin != null) {
String privilege = IndexPrivilegeUtils.getPrivilegeFromAction(action);
- String clusterName = elasticsearchPlugin.getClusterName();
RangerElasticsearchAccessRequest request = new RangerElasticsearchAccessRequest(user, groups, index,
- privilege, clusterName, clientIPAddress);
+ privilege, clientIPAddress);
RangerAccessResult result = elasticsearchPlugin.isAccessAllowed(request);
if (result != null && result.getIsAllowed()) {
@@ -133,7 +132,7 @@ class RangerElasticsearchResource extends RangerAccessResourceImpl {
class RangerElasticsearchAccessRequest extends RangerAccessRequestImpl {
public RangerElasticsearchAccessRequest(String user, List<String> groups, String index, String privilege,
- String clusterName, String clientIPAddress) {
+ String clientIPAddress) {
super.setUser(user);
if (CollectionUtils.isNotEmpty(groups)) {
super.setUserGroups(Sets.newHashSet(groups));
@@ -141,7 +140,6 @@ class RangerElasticsearchAccessRequest extends RangerAccessRequestImpl {
super.setResource(new RangerElasticsearchResource(index));
super.setAccessType(privilege);
super.setAction(privilege);
- super.setClusterName(clusterName);
super.setClientIPAddress(clientIPAddress);
super.setAccessTime(new Date());
}
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 8a661d8..43dd35f 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -183,7 +183,6 @@ public class RangerKafkaAuthorizer implements Authorizer {
validationStr += "Unsupported access type. operation=" + operation;
}
String action = accessType;
- String clusterName = rangerPlugin.getClusterName();
RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
rangerRequest.setUser(userName);
@@ -196,7 +195,6 @@ public class RangerKafkaAuthorizer implements Authorizer {
rangerRequest.setAccessType(accessType);
rangerRequest.setAction(action);
rangerRequest.setRequestData(resource.name());
- rangerRequest.setClusterName(clusterName);
if (resource.resourceType().equals(Topic$.MODULE$)) {
rangerResource.setValue(KEY_TOPIC, resource.name());
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index 07921a9..aab4639 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -217,10 +217,9 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
if(!ret){
LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
}
- String clusterName = kmsPlugin.getClusterName();
if(plugin != null && ret) {
- RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp, clusterName);
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result != null && result.getIsAllowed();
}
@@ -244,10 +243,9 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
if(!ret){
LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
}
- String clusterName = kmsPlugin.getClusterName();
if(plugin != null && ret) {
- RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp, clusterName);
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result != null && result.getIsAllowed();
}
@@ -363,7 +361,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
class RangerKMSAccessRequest extends RangerAccessRequestImpl {
- public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi, String clientIp, String clusterName) {
+ public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi, String clientIp) {
super.setResource(new RangerKMSResource(keyName));
super.setAccessType(accessType);
super.setUser(ugi.getShortUserName());
@@ -371,6 +369,5 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
super.setAccessTime(new Date());
super.setClientIPAddress(clientIp);
super.setAction(accessType);
- super.setClusterName(clusterName);
}
}
diff --git a/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java b/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
index a745b87..ed935f8 100644
--- a/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
+++ b/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
@@ -101,9 +101,8 @@ public class RangerKylinAuthorizer extends ExternalAclProvider {
}
String accessType = ExternalAclProvider.transformPermission(permission);
- String clusterName = kylinPlugin.getClusterName();
RangerKylinAccessRequest request = new RangerKylinAccessRequest(projectName, user, groups, accessType,
- clusterName, clientIPAddress);
+ clientIPAddress);
RangerAccessResult result = kylinPlugin.isAccessAllowed(request);
if (result != null && result.getIsAllowed()) {
@@ -169,7 +168,7 @@ class RangerKylinResource extends RangerAccessResourceImpl {
class RangerKylinAccessRequest extends RangerAccessRequestImpl {
public RangerKylinAccessRequest(String projectName, String user, List<String> groups, String accessType,
- String clusterName, String clientIPAddress) {
+ String clientIPAddress) {
super.setResource(new RangerKylinResource(projectName));
super.setAccessType(accessType);
super.setUser(user);
@@ -177,6 +176,5 @@ class RangerKylinAccessRequest extends RangerAccessRequestImpl {
super.setAccessTime(new Date());
super.setClientIPAddress(clientIPAddress);
super.setAction(accessType);
- super.setClusterName(clusterName);
}
}
\ No newline at end of file
diff --git a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
index 6c0201d..f87e531 100644
--- a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
+++ b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
@@ -200,13 +200,12 @@ public class RangerSolrAuthorizer implements AuthorizationPlugin {
List<RangerAccessRequestImpl> rangerRequests = new ArrayList<RangerAccessRequestImpl>();
List<CollectionRequest> collectionRequests = context.getCollectionRequests();
- String clusterName = solrPlugin.getClusterName();
if (CollectionUtils.isEmpty(collectionRequests)) {
// if Collection is empty we set the collection to *. This happens when LIST is done.
RangerAccessRequestImpl requestForCollection = createRequest(
userName, userGroups, ip, eventTime, context,
- null, clusterName);
+ null);
if (requestForCollection != null) {
rangerRequests.add(requestForCollection);
}
@@ -219,7 +218,7 @@ public class RangerSolrAuthorizer implements AuthorizationPlugin {
RangerAccessRequestImpl requestForCollection = createRequest(
userName, userGroups, ip, eventTime, context,
- collectionRequest, clusterName);
+ collectionRequest);
if (requestForCollection != null) {
rangerRequests.add(requestForCollection);
}
@@ -351,7 +350,7 @@ public class RangerSolrAuthorizer implements AuthorizationPlugin {
*/
private RangerAccessRequestImpl createRequest(String userName,
Set<String> userGroups, String ip, Date eventTime,
- AuthorizationContext context, CollectionRequest collectionRequest, String clusterName) {
+ AuthorizationContext context, CollectionRequest collectionRequest) {
String accessType = mapToRangerAccessType(context);
String action = accessType;
@@ -366,7 +365,6 @@ public class RangerSolrAuthorizer implements AuthorizationPlugin {
rangerRequest.setResource(rangerResource);
rangerRequest.setAccessType(accessType);
rangerRequest.setAction(action);
- rangerRequest.setClusterName(clusterName);
return rangerRequest;
}
diff --git a/plugin-sqoop/src/main/java/org/apache/ranger/authorization/sqoop/authorizer/RangerSqoopAuthorizer.java b/plugin-sqoop/src/main/java/org/apache/ranger/authorization/sqoop/authorizer/RangerSqoopAuthorizer.java
index 17a7a63..d099f00 100644
--- a/plugin-sqoop/src/main/java/org/apache/ranger/authorization/sqoop/authorizer/RangerSqoopAuthorizer.java
+++ b/plugin-sqoop/src/main/java/org/apache/ranger/authorization/sqoop/authorizer/RangerSqoopAuthorizer.java
@@ -100,12 +100,10 @@ public class RangerSqoopAuthorizer extends AuthorizationValidator {
}
RangerSqoopPlugin plugin = sqoopPlugin;
- String clusterName = sqoopPlugin.getClusterName();
if (plugin != null) {
for (MPrivilege privilege : privileges) {
- RangerSqoopAccessRequest request = new RangerSqoopAccessRequest(principal, privilege, clusterName,
- clientIPAddress);
+ RangerSqoopAccessRequest request = new RangerSqoopAccessRequest(principal, privilege, clientIPAddress);
RangerAccessResult result = plugin.isAccessAllowed(request);
if (result != null && !result.getIsAllowed()) {
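Review bot: The deny check on the last context line, `if (result != null && !result.getIsAllowed())`, only fires for a non-null result, so a null return from `plugin.isAccessAllowed(request)` appears to fall through without a denial. The body of that `if` and the rest of the loop are outside this hunk, so confirm what follows. The Kylin and Storm call sites touched by this same commit treat a null result as not allowed (`result != null && result.getIsAllowed()`). Making this one fail closed as well would be a one-line change: `if (result == null || !result.getIsAllowed()) {`. The same question applies when `plugin` itself is null and the loop is skipped entirely.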
@@ -168,8 +166,7 @@ class RangerSqoopResource extends RangerAccessResourceImpl {
}
class RangerSqoopAccessRequest extends RangerAccessRequestImpl {
- public RangerSqoopAccessRequest(MPrincipal principal, MPrivilege privilege, String clusterName,
- String clientIPAddress) {
+ public RangerSqoopAccessRequest(MPrincipal principal, MPrivilege privilege,String clientIPAddress) {
super.setResource(new RangerSqoopResource(privilege.getResource()));
if (MPrincipal.TYPE.USER.name().equals(principal.getType())) {
super.setUser(principal.getName());
@@ -184,6 +181,5 @@ class RangerSqoopAccessRequest extends RangerAccessRequestImpl {
super.setAccessTime(new Date());
super.setClientIPAddress(clientIPAddress);
- super.setClusterName(clusterName);
}
}
\ No newline at end of file
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index 54f230c..b49fb8a 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -107,7 +107,6 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
RangerYarnPlugin plugin = yarnPlugin;
RangerYarnAuditHandler auditHandler = null;
RangerAccessResult result = null;
- String clusterName = yarnPlugin.getClusterName();
RangerPerfTracer perf = null;
RangerPerfTracer yarnAclPerf = null;
@@ -118,7 +117,7 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
perf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnAuthorizer.checkPermission(entity=" + entity + ")");
}
- RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi, clusterName);
+ RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi);
auditHandler = new RangerYarnAuditHandler();
@@ -301,7 +300,7 @@ class RangerYarnResource extends RangerAccessResourceImpl {
}
class RangerYarnAccessRequest extends RangerAccessRequestImpl {
- public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi, String clusterName) {
+ public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi) {
super.setResource(new RangerYarnResource(entity));
super.setAccessType(accessType);
super.setUser(ugi.getShortUserName());
@@ -309,7 +308,6 @@ class RangerYarnAccessRequest extends RangerAccessRequestImpl {
super.setAccessTime(new Date());
super.setClientIPAddress(getRemoteIp());
super.setAction(action);
- super.setClusterName(clusterName);
}
private static String getRemoteIp() {
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
index 590c1e7..df31a61 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
@@ -24,6 +24,7 @@ import com.google.gson.GsonBuilder;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.*;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -41,6 +42,7 @@ public class PerfTestEngine {
private final URL servicePoliciesFileURL;
private final RangerPolicyEngineOptions policyEngineOptions;
private RangerPolicyEngine policyEvaluationEngine;
+ private RangerPluginContext rangerPluginContext;
private final boolean disableDynamicPolicyEvalReordering;
private AtomicLong requestCount = new AtomicLong();
@@ -71,8 +73,10 @@ public class PerfTestEngine {
reader = new InputStreamReader(in, Charset.forName("UTF-8"));
servicePolicies = gsonBuilder.fromJson(reader, ServicePolicies.class);
-
- policyEvaluationEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, policyEngineOptions);
+ RangerServiceDef serviceDef = servicePolicies.getServiceDef();
+ String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
+ rangerPluginContext = new RangerPluginContext(serviceType);
+ policyEvaluationEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, policyEngineOptions, rangerPluginContext);
requestCount.set(0L);
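Review bot: `servicePolicies.getServiceDef()` on the first added line is called without checking `servicePolicies`, although the next line guards `serviceDef` against null. If `fromJson` returns null, as Gson does for empty input, this throws a NullPointerException instead of reporting an unreadable policies file. Guard both in one place, e.g. `RangerServiceDef serviceDef = (servicePolicies != null) ? servicePolicies.getServiceDef() : null;`, or fail with a message that names the file. Unlike the `RangerPolicyEnginePerformanceTest` change, no cluster name is set on the new `RangerPluginContext` here, so requests evaluated by this tool presumably carry none, which deserves a one-line comment if intended. The enclosing method starts and ends outside the hunk.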
diff --git a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
index 7a39396..97f474b 100644
--- a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
+++ b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
@@ -34,6 +34,7 @@ import java.util.concurrent.CountDownLatch;
import org.apache.commons.lang.text.StrSubstitutor;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.util.PerfDataRecorder;
import org.apache.ranger.plugin.util.PerfDataRecorder.PerfStatistic;
@@ -144,8 +145,9 @@ public class RangerPolicyEnginePerformanceTest {
public void policyEngineTest() throws InterruptedException {
List<RangerAccessRequest> requests = requestsCache.getUnchecked(concurrency);
ServicePolicies servicePolicies = servicePoliciesCache.getUnchecked(numberOfPolicies);
-
- final RangerPolicyEngineImpl rangerPolicyEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, RangerPolicyFactory.createPolicyEngineOption());
+ RangerPluginContext pluginContext = new RangerPluginContext("hive");
+ pluginContext.setClusterName("cl1");
+ final RangerPolicyEngineImpl rangerPolicyEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, RangerPolicyFactory.createPolicyEngineOption(), pluginContext);
rangerPolicyEngine.preProcess(requests);
for (int iterations = 0; iterations < WARM_UP__ITERATIONS; iterations++) {
diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
index 88ea05e..111083c 100644
--- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
+++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
@@ -82,7 +82,7 @@ public class StormRangerPlugin extends RangerBasePlugin {
}
}
- public RangerAccessRequest buildAccessRequest(String _user, String[] _groups, String _clientIp, String _topology, String _operation, String clusterName) {
+ public RangerAccessRequest buildAccessRequest(String _user, String[] _groups, String _clientIp, String _topology, String _operation) {
RangerAccessRequestImpl request = new RangerAccessRequestImpl();
request.setUser(_user);
@@ -98,7 +98,6 @@ public class StormRangerPlugin extends RangerBasePlugin {
RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue(ResourceName.Topology, _topology);
request.setResource(resource);
- request.setClusterName(clusterName);
if (LOG.isDebugEnabled()) {
LOG.debug("Returning request: " + request.toString());
diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
index 0fe658e..ea367af 100644
--- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
+++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
@@ -122,8 +122,7 @@ public class RangerStormAuthorizer implements IAuthorizer {
if (userName != null) {
String clientIp = (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress() );
- String clusterName = plugin.getClusterName();
- RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName, clusterName);
+ RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName);
RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
accessAllowed = result != null && result.getIsAllowed();
isAuditEnabled = result != null && result.getIsAudited();