Posted to commits@ranger.apache.org by ma...@apache.org on 2014/12/12 02:30:24 UTC
[41/51] [partial] incubator-ranger git commit: RANGER-194: Rename
packages from xasecure to apache ranger
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java b/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java
deleted file mode 100644
index 53dfe6e..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/model/RolePermission.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.model;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class RolePermission {
-
- private List<String> users ;
- private List<String> groups ;
- private List<String> access ;
- private List<String> ipAddress ;
-
- public RolePermission() {
- users = new ArrayList<String>() ;
- groups = new ArrayList<String>() ;
- access = new ArrayList<String>() ;
- }
-
-
- public List<String> getUsers() {
- return users;
- }
-
- public void setUsers(List<String> users) {
- this.users = users;
- }
-
- public List<String> getGroups() {
- return groups;
- }
-
- public void setGroups(List<String> groups) {
- this.groups = groups;
- }
-
- public List<String> getAccess() {
- return this.access;
- }
-
- public List<String> getIpAddress() {
- return this.ipAddress;
- }
-
- public void setIpAddress(List<String> ipAddress) {
- this.ipAddress = ipAddress ;
- }
-
- public void setAccess(List<String> access) {
- this.access = access ;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
deleted file mode 100644
index d7ec72d..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/storm/StormAuthRule.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.storm;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.io.FilenameUtils;
-
-import com.xasecure.authorization.utils.StringUtil;
-
-public class StormAuthRule {
- private String topologyName ;
- private List<String> accessTypeList ;
- private List<String> groupList ;
- private List<String> userList;
- private boolean auditEnabled ;
-
-
- public StormAuthRule(String topologyName, List<String> accessTypeList,
- List<String> userList, List<String> groupList, boolean auditEnabled) {
- super();
- this.topologyName = topologyName;
- this.accessTypeList = accessTypeList;
- if (this.accessTypeList == null) {
- this.accessTypeList = new ArrayList<String>();
- }
- this.userList = userList;
- if (this.userList == null) {
- this.userList = new ArrayList<String>();
- }
-
- this.groupList = groupList;
- if (this.groupList == null) {
- this.groupList = new ArrayList<String>();
- }
-
- this.auditEnabled = auditEnabled ;
- }
-
- public String getTopologyName() {
- return topologyName;
- }
- public void setTopologyName(String topologyName) {
- this.topologyName = topologyName;
- }
- public List<String> getAccessTypeList() {
- return accessTypeList;
- }
- public void setAccessTypeList(List<String> accessTypeList) {
- this.accessTypeList = accessTypeList;
- }
- public List<String> getGroupList() {
- return groupList;
- }
- public void setGroupList(List<String> groupList) {
- this.groupList = groupList;
- }
- public List<String> getUserList() {
- return userList;
- }
- public void setUserList(List<String> userList) {
- this.userList = userList;
- }
-
- public boolean isMatchedTopology(String aTopologyName) {
-
- boolean ret = false ;
-
- if (aTopologyName == null || aTopologyName.length() == 0) {
- ret = "*".equals(this.topologyName) ;
- }
- else {
- ret = (aTopologyName.equals(this.topologyName) || FilenameUtils.wildcardMatch(aTopologyName,this.topologyName)) ;
- }
- return ret ;
- }
-
- public boolean isOperationAllowed(String aOperationName) {
- return this.accessTypeList.contains(aOperationName);
- }
-
- private static final String PUBLIC_GROUP_NAME = "public" ;
-
- public boolean isUserAllowed(String aUserName, String[] aGroupList) {
-
- boolean accessAllowed = false ;
-
- if ( this.userList.contains(aUserName) ) {
- accessAllowed = true ;
- }
- else if (this.groupList.contains(PUBLIC_GROUP_NAME)) {
- accessAllowed = true ;
- }
- else if (aGroupList != null ) {
- for(String userGroup : aGroupList ) {
- if (this.groupList.contains(userGroup) ) {
- accessAllowed = true ;
- break ;
- }
- }
- }
-
- return accessAllowed ;
- }
-
- public boolean getAuditEnabled() {
- return this.auditEnabled ;
- }
-
- @Override
- public String toString() {
- return "StormAuthRule: { topologyName: [" + topologyName + "]," +
- "userList: [" + StringUtil.toString(userList) + "]" +
- "groupList: [" + StringUtil.toString(groupList) + "]" +
- "accessTypeList: [" + StringUtil.toString(accessTypeList) + "]" +
- "auditEnabled: [" + auditEnabled + "] }";
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
deleted file mode 100644
index 3cb2916..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/storm/URLBasedAuthDB.java
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.storm;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.authorization.storm.XaStormAccessVerifier;
-import com.xasecure.pdp.config.PolicyChangeListener;
-import com.xasecure.pdp.config.PolicyRefresher;
-import com.xasecure.pdp.constants.XaSecureConstants;
-import com.xasecure.pdp.model.Policy;
-import com.xasecure.pdp.model.PolicyContainer;
-import com.xasecure.pdp.model.RolePermission;
-
-
-public class URLBasedAuthDB implements PolicyChangeListener, XaStormAccessVerifier {
-
- private static final Logger LOG = LoggerFactory.getLogger(URLBasedAuthDB.class) ;
-
- private static URLBasedAuthDB me = null;
-
- private PolicyRefresher refresher = null ;
-
- private PolicyContainer policyContainer = null;
-
- private List<StormAuthRule> stormAuthDB = null ;
-
- public static URLBasedAuthDB getInstance() {
- if (me == null) {
- synchronized (URLBasedAuthDB.class) {
- URLBasedAuthDB temp = me;
- if (temp == null) {
- me = new URLBasedAuthDB();
- me.init() ;
- }
- }
- }
- return me;
- }
-
- private URLBasedAuthDB() {
-
- String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_PROP);
-
- long refreshInMilli = XaSecureConfiguration.getInstance().getLong(
- XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
- XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
-
- String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_LAST_SAVED_POLICY_FILE_PROP) ;
-
- String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
-
- refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
-
- String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_STORM_POLICYMGR_URL_SAVE_FILE_PROP) ;
- if (saveAsFileName != null) {
- refresher.setSaveAsFileName(saveAsFileName) ;
- }
-
- if (lastStoredFileName != null) {
- refresher.setLastStoredFileName(lastStoredFileName);
- }
- }
-
-
- private void init() {
- refresher.setPolicyChangeListener(this);
- }
-
-
- @Override
- public void OnPolicyChange(PolicyContainer aPolicyContainer) {
- setPolicyContainer(aPolicyContainer);
- }
-
-
- public PolicyContainer getPolicyContainer() {
- return policyContainer;
- }
-
-
-
- public synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) {
-
- if (aPolicyContainer != null) {
-
- List<StormAuthRule> tempStormAuthDB = new ArrayList<StormAuthRule>() ;
-
- for(Policy p : aPolicyContainer.getAcl()) {
-
- if (! p.isEnabled()) {
- continue;
- }
-
- for (String topologyName : p.getTopologyList()) {
-
- List<RolePermission> rpList = p.getPermissions() ;
-
- for(RolePermission rp : rpList) {
- StormAuthRule rule = new StormAuthRule(topologyName, rp.getAccess() , rp.getUsers(), rp.getGroups(), (p.getAuditInd() == 1)) ;
- tempStormAuthDB.add(rule) ;
- }
- }
- }
-
- this.stormAuthDB = tempStormAuthDB ;
-
- this.policyContainer = aPolicyContainer ;
- }
- }
-
- @Override
- public boolean isAccessAllowed(String aUserName, String[] aGroupName, String aOperationName, String aTopologyName) {
-
- boolean accessAllowed = false ;
-
- List<StormAuthRule> tempStormAuthDB = this.stormAuthDB ;
-
- if (tempStormAuthDB != null) {
- for(StormAuthRule rule : tempStormAuthDB) {
- if (rule.isMatchedTopology(aTopologyName)) {
- if (rule.isOperationAllowed(aOperationName)) {
- if (rule.isUserAllowed(aUserName, aGroupName)) {
- accessAllowed = true ;
- break ;
- }
- }
- }
- }
- }
-
- return accessAllowed ;
- }
-
- @Override
- public boolean isAudited(String aTopologyName) {
- boolean auditEnabled = false ;
-
- List<StormAuthRule> tempStormAuthDB = stormAuthDB ;
-
- if (tempStormAuthDB != null) {
- for(StormAuthRule rule : tempStormAuthDB) {
- if (rule.isMatchedTopology(aTopologyName)) {
- auditEnabled = rule.getAuditEnabled() ;
- if (auditEnabled) {
- break ;
- }
- }
- }
- }
-
- return auditEnabled ;
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java
deleted file mode 100644
index 82a9c8d..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/storm/XASecureAuthorizer.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.storm;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import com.xasecure.authorization.storm.XaStormAccessVerifier;
-
-public class XASecureAuthorizer implements XaStormAccessVerifier {
-
- private static final Log LOG = LogFactory.getLog(XASecureAuthorizer.class) ;
-
- private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
-
-
- @Override
- public boolean isAccessAllowed(String aUserName, String[] aGroupName, String aOperationName, String aTopologyName) {
- boolean ret = false ;
-
- if (authDB != null) {
- ret = authDB.isAccessAllowed(aUserName, aGroupName, aOperationName, aTopologyName) ;
- }
- else {
- LOG.error("Unable to find a URLBasedAuthDB for authorization - Found null");
- }
-
- return ret ;
- }
-
- @Override
- public boolean isAudited(String aTopologyName) {
- boolean ret = false ;
-
- if (authDB != null) {
- ret = authDB.isAudited(aTopologyName) ;
- }
- else {
- LOG.error("Unable to find a URLBasedAuthDB for authorization - Found null");
- }
-
- return ret ;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java b/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java
deleted file mode 100644
index 93c257e..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/utils/XaSecureUtils.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.utils;
-
-import java.io.File;
-import java.net.URL;
-
-public class XaSecureUtils {
-
- public static String getFilePathFromClassPath(String aFileName) {
- String pathName = null;
-
- File lf = new File(aFileName) ;
-
- if (lf.exists()) {
- pathName = lf.getAbsolutePath();
- }
- else {
- URL lurl = XaSecureUtils.class.getResource(aFileName);
- if (lurl == null) {
- if (!aFileName.startsWith("/")) {
- lurl = XaSecureUtils.class.getResource("/" + aFileName);
- }
- }
- if (lurl != null) {
- pathName = lurl.getFile();
- }
- }
- return pathName;
-
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java
new file mode 100644
index 0000000..63b6733
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/ConfigWatcher.java
@@ -0,0 +1,543 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.pdp.config;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider;
+import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy;
+import org.apache.ranger.pdp.constants.RangerConstants;
+import org.apache.ranger.pdp.model.PolicyContainer;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.sun.jersey.api.client.Client;
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.api.client.config.ClientConfig;
+import com.sun.jersey.api.client.config.DefaultClientConfig;
+import com.sun.jersey.client.urlconnection.HTTPSProperties;
+
+public abstract class ConfigWatcher extends Thread {
+
+ private static final Log LOG = LogFactory.getLog(ConfigWatcher.class);
+
+ public static final String EXPECTED_MIME_TYPE = "application/json" ;
+
+ // public static final String EXPECTED_MIME_TYPE = "application/octet-stream";
+
+ private static final String LASTUPDATED_PARAM = "epoch";
+ private static final String POLICY_COUNT_PARAM = "policyCount";
+ private static final String AGENT_NAME_PARAM = "agentId" ;
+
+ private static final int MAX_AGENT_NAME_LEN = 255 ;
+
+
+ private String url;
+
+ private long intervalInMilliSeconds;
+
+ private long lastModifiedTime = 0;
+
+ private boolean shutdownFlag = false;
+
+ private String lastStoredFileName = null;
+
+ protected PolicyContainer policyContainer = null;
+
+ private static PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy();
+
+ private static RangerCredentialProvider rangerCp = null;
+
+
+ public abstract void doOnChange();
+
+ private String keyStoreFile = null ;
+ private String keyStoreFilepwd = null;
+ private String keyStoreURL = null;
+ private String keyStoreAlias = null;
+ private String trustStoreFile = null ;
+ private String trustStoreFilepwd = null ;
+ private String trustStoreURL = null;
+ private String trustStoreAlias = null;
+ private String keyStoreType = null ;
+ private String trustStoreType = null ;
+ private SSLContext sslContext = null ;
+ private HostnameVerifier hv = null ;
+ private String agentName = "unknown" ;
+
+ private String sslConfigFileName = null ;
+
+ public boolean policyCacheLoadedOnce = false;
+
+ public boolean cacheModfied = false;
+
+ public ConfigWatcher(String url, long aIntervalInMilliSeconds,String sslConfigFileName,String lastStoredFileName) {
+ super("RangerConfigURLWatcher");
+ setDaemon(true);
+ this.url = url;
+ intervalInMilliSeconds = aIntervalInMilliSeconds;
+ this.sslConfigFileName = sslConfigFileName ;
+ this.agentName = getAgentName(this.url) ;
+ this.lastStoredFileName = lastStoredFileName;
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Creating PolicyRefreshser with url: " + url +
+ ", refreshInterval(milliSeconds): " + aIntervalInMilliSeconds +
+ ", sslConfigFileName: " + sslConfigFileName +
+ ", lastStoredFileName: " + lastStoredFileName);
+ }
+ init();
+ validateAndRun();
+ LOG.debug("Created new ConfigWatcher for URL [" + url + "]");
+ }
+
+
+ public void init() {
+ if (sslConfigFileName != null) {
+ LOG.debug("Loading SSL Configuration from [" + sslConfigFileName + "]");
+ InputStream in = null ;
+ try {
+ Configuration conf = new Configuration() ;
+ in = getFileInputStream(sslConfigFileName) ;
+ if (in != null) {
+ conf.addResource(in);
+ }
+
+ rangerCp = RangerCredentialProvider.getInstance();
+
+ keyStoreFile = conf.get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE);
+
+ keyStoreURL=conf.get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL);
+ keyStoreAlias=RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS;
+
+ char[] v_keyStoreFilePwd = getCredential(keyStoreURL,keyStoreAlias);
+ if ( v_keyStoreFilePwd == null ) {
+ keyStoreFilepwd = null;
+ } else {
+ keyStoreFilepwd = new String(v_keyStoreFilePwd);
+ }
+
+ trustStoreFile = conf.get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE);
+
+ trustStoreURL=conf.get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL);
+ trustStoreAlias=RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS;
+
+ char[] v_TrustStoreFilePwd = getCredential(trustStoreURL,trustStoreAlias);
+ if ( v_TrustStoreFilePwd == null ) {
+ trustStoreFilepwd = null;
+ } else {
+ trustStoreFilepwd = new String(v_TrustStoreFilePwd);
+ }
+
+
+ keyStoreType = conf.get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE, RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT);
+ trustStoreType = conf.get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE, RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT);
+ }
+ catch(IOException ioe) {
+ LOG.error("Unable to load SSL Config FileName: [" + sslConfigFileName + "]", ioe);
+ }
+ finally {
+ if (in != null) {
+ try {
+ in.close() ;
+ } catch (IOException e) {
+ LOG.error("Unable to close SSL Config FileName: [" + sslConfigFileName + "]", e) ;
+ }
+ }
+ }
+
+ LOG.debug("Keystore filename:[" + keyStoreFile + "]");
+ LOG.debug("TrustStore filename:[" + trustStoreFile + "]");
+
+ }
+ }
+
+ public String getURL() {
+ return url;
+ }
+
+ public long getIntervalInMilliSeconds() {
+ return intervalInMilliSeconds;
+ }
+
+ public long getLastModifiedTime() {
+ return lastModifiedTime;
+ }
+
+ public void run() {
+ while (!shutdownFlag) {
+ validateAndRun();
+ try {
+ Thread.sleep(intervalInMilliSeconds);
+ } catch (InterruptedException e) {
+ LOG.error("Unable to complete sleep for [" + intervalInMilliSeconds + "]", e);
+ }
+ }
+ }
+
+ private void validateAndRun() {
+ if (isFileChanged()) {
+ LOG.debug("Policy has been changed from " + url + " ... RELOADING");
+ try {
+ doOnChange();
+ } catch (Exception e) {
+ LOG.error("Unable to complete doOnChange() method on file change [" + url + "]", e);
+ }
+ } else {
+ LOG.debug("No Change found in the policy from " + url);
+ }
+ }
+
+ public boolean iscacheModfied() {
+ return cacheModfied;
+ }
+
+ private boolean isFileChanged() {
+ boolean isChanged = false;
+
+ cacheModfied = false;
+ try {
+
+ Client client = null;
+ ClientResponse response = null;
+
+ try {
+
+ int policyCount = getPolicyCount(policyContainer);
+
+ if (url.contains("https")) {
+ // build SSL Client
+ client = buildSSLClient();
+ }
+
+ if (client == null) {
+ client = Client.create();
+ }
+
+ WebResource webResource = client.resource(url)
+ .queryParam(LASTUPDATED_PARAM, String.valueOf(lastModifiedTime))
+ .queryParam(POLICY_COUNT_PARAM, String.valueOf(policyCount))
+ .queryParam(AGENT_NAME_PARAM, agentName);
+
+ response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+
+
+ if (response != null) {
+
+ boolean responsePresent = true;
+ int responseStatus = response.getStatus();
+
+ if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) {
+ /* If the response is other than 200 and 304 load the policy from the cache */
+ isChanged = true;
+
+ } else {
+ /* If Policy Manager is available fetch the policy from it */
+ if (response.getStatus() == 200) {
+ String jsonString = response.getEntity(String.class);
+ Gson gson = new GsonBuilder().setPrettyPrinting().addDeserializationExclusionStrategy(policyExclusionStrategy).create();
+ PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class);
+ if ((newPolicyContainer.getLastUpdatedTimeInEpoc() > lastModifiedTime) || (getPolicyCount(newPolicyContainer) != policyCount)) {
+ policyContainer = newPolicyContainer;
+ lastModifiedTime = policyContainer.getLastUpdatedTimeInEpoc();
+ isChanged = true;
+ policyCacheLoadedOnce = false;
+ cacheModfied = true;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Got response: 200 with {change in lastupdatedTime}\n" + gson.toJson(newPolicyContainer));
+ }
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Got response: 200 with {no-change in lastupdatedTime}\n" + gson.toJson(newPolicyContainer));
+ }
+ isChanged = false;
+ }
+ } else if (response.getStatus() == 304) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Got response: 304 ");
+ }
+ isChanged = false; // No Change has been there since our
+ // earlier request
+ } else {
+ LOG.error("Unable to get a valid response for isFileChanged() call for [" + url + "] = response code found [" + response.getStatus() + "]");
+ }
+ }
+
+ } else {
+ LOG.error("Unable to get a valid response for isFileChanged() call for [" + url + "] - got null response.");
+ // force the policy update to get fresh copy
+ lastModifiedTime = 0;
+ }
+
+ } finally {
+ if (response != null) {
+ response.close();
+ }
+ if (client != null) {
+ client.destroy();
+ }
+ }
+ } catch (Throwable t) {
+
+ boolean responsePresent = false;
+ int responseStatus = -1;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Policy Manager Failed",t);
+ }
+ if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) {
+ /* Successfully found the Policy Cache file and loaded */
+ isChanged = false;
+ } else {
+ LOG.error("Unable to complete isFileChanged() call for [" + url + "]", t);
+ // force the policy update to get fresh copy
+ lastModifiedTime = 0;
+ LOG.error("Policy file Cache not found..");
+ throw new RuntimeException("Unable to find Enterprise Policy Storage");
+ }
+
+ } finally {
+ if (isChanged) {
+ LOG.info("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime);
+ } else if (LOG.isDebugEnabled()) {
+ LOG.debug("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime);
+ }
+ }
+ return isChanged;
+ }
+
+ public PolicyContainer getPolicyContainer() {
+ return policyContainer;
+ }
+
+ private int getPolicyCount(PolicyContainer aPolicyContainer) {
+ return (aPolicyContainer == null ? 0 : (aPolicyContainer.getAcl() == null ? 0 : aPolicyContainer.getAcl().size()));
+ }
+
+
+ public synchronized Client buildSSLClient() {
+ Client client = null;
+ try {
+
+ ClientConfig config = new DefaultClientConfig();
+
+ if (sslContext == null) {
+
+ KeyManager[] kmList = null;
+ TrustManager[] tmList = null;
+
+ if (keyStoreFile != null && keyStoreFilepwd != null) {
+
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+ InputStream in = null ;
+ try {
+ in = getFileInputStream(keyStoreFile) ;
+ if (in == null) {
+ LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]");
+ return client ;
+ }
+ keyStore.load(in, keyStoreFilepwd.toCharArray());
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(RangerConstants.RANGER_SSL_KEYMANAGER_ALGO_TYPE);
+ keyManagerFactory.init(keyStore, keyStoreFilepwd.toCharArray());
+ kmList = keyManagerFactory.getKeyManagers();
+ }
+ finally {
+ if (in != null) {
+ in.close();
+ }
+ }
+
+ }
+
+ if (trustStoreFile != null && trustStoreFilepwd != null) {
+
+ KeyStore trustStore = KeyStore.getInstance(trustStoreType);
+ InputStream in = null ;
+ try {
+ in = getFileInputStream(trustStoreFile) ;
+ if (in == null) {
+ LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]");
+ return client ;
+ }
+ trustStore.load(in, trustStoreFilepwd.toCharArray());
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(RangerConstants.RANGER_SSL_TRUSTMANAGER_ALGO_TYPE);
+ trustManagerFactory.init(trustStore);
+ tmList = trustManagerFactory.getTrustManagers();
+ }
+ finally {
+ if (in != null) {
+ in.close() ;
+ }
+ }
+ }
+
+ sslContext = SSLContext.getInstance(RangerConstants.RANGER_SSL_CONTEXT_ALGO_TYPE);
+
+ sslContext.init(kmList, tmList, new SecureRandom());
+
+ hv = new HostnameVerifier() {
+ public boolean verify(String urlHostName, SSLSession session) {
+ return session.getPeerHost().equals(urlHostName);
+ }
+ };
+
+ }
+
+ config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hv, sslContext));
+
+ client = Client.create(config);
+
+ } catch (KeyStoreException e) {
+ LOG.error("Unable to obtain from KeyStore", e);
+ } catch (NoSuchAlgorithmException e) {
+ LOG.error("SSL algorithm is available in the environment", e);
+ } catch (CertificateException e) {
+ LOG.error("Unable to obtain the requested certification ", e);
+ } catch (FileNotFoundException e) {
+ LOG.error("Unable to find the necessary SSL Keystore and TrustStore Files", e);
+ } catch (IOException e) {
+ LOG.error("Unable to read the necessary SSL Keystore and TrustStore Files", e);
+ } catch (KeyManagementException e) {
+ LOG.error("Unable to initials the SSLContext", e);
+ } catch (UnrecoverableKeyException e) {
+ LOG.error("Unable to recover the key from keystore", e);
+ }
+ return client;
+ }
+
+ private InputStream getFileInputStream(String fileName) throws IOException {
+ InputStream in = null ;
+
+ File f = new File(fileName) ;
+
+ if (f.exists()) {
+ in = new FileInputStream(f) ;
+ }
+ else {
+ in = ClassLoader.getSystemResourceAsStream(fileName) ;
+ }
+ return in ;
+ }
+
+ public static String getAgentName(String aUrl) {
+ String hostName = null ;
+ String repoName = null ;
+ try {
+ hostName = InetAddress.getLocalHost().getHostName() ;
+ } catch (UnknownHostException e) {
+ LOG.error("ERROR: Unable to find hostname for the agent ", e);
+ hostName = "unknownHost" ;
+ }
+
+ String[] tokens = aUrl.split("/") ;
+
+ if ( tokens.length > 0 ) {
+ repoName = tokens[tokens.length-1] ;
+ }
+ else {
+ repoName = "unknownRepo" ;
+ }
+
+ String agentName = hostName + "-" + repoName ;
+
+ if (agentName.length() > MAX_AGENT_NAME_LEN ) {
+ agentName = agentName.substring(0,MAX_AGENT_NAME_LEN) ;
+ }
+
+ return agentName ;
+ }
+
+ private boolean fetchPolicyfromCahce( boolean responsePresent, int responseStatus, String lastStoredFileName){
+
+ boolean cacheFound = false;
+
+ if ( ( responsePresent == false ) || ( responseStatus != 200 && responseStatus != 304) ) {
+
+ /* Policy Manager not available read the policy from the last enforced one */
+
+ if (policyCacheLoadedOnce) {
+ cacheFound = true;
+ return cacheFound;
+ }
+
+ try {
+ /* read the last stored policy file and load the PolicyContainer */
+ LOG.info("Policy Manager not available, using the last stored Policy File" + this.lastStoredFileName );
+ LOG.debug("LastStoredFileName when policymgr was available" + this.lastStoredFileName);
+
+ BufferedReader jsonString = new BufferedReader(new FileReader(this.lastStoredFileName));
+ Gson gson = new GsonBuilder().setPrettyPrinting().addDeserializationExclusionStrategy(policyExclusionStrategy).create();
+ PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class);
+ policyContainer = newPolicyContainer;
+ lastModifiedTime = policyContainer.getLastUpdatedTimeInEpoc();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Policy Manager not available.Got response =" + responseStatus +"\n" + gson.toJson(newPolicyContainer));
+ }
+
+ cacheFound = true;
+ policyCacheLoadedOnce = true;
+
+ } catch( FileNotFoundException fe ){
+
+ /* unable to get the last stored policy, raise warning for unavailability of policy cache file and continue...*/
+ if ( this.lastStoredFileName == null ) {
+ LOG.info("Policy cache file not found...XAagent authorization not enabled");
+ }
+ else {
+ LOG.info("Unable to access Policy cache file...XAagent authorization not enabled");
+ }
+ }
+
+ }
+
+ return cacheFound;
+ }
+
+ private char[] getCredential(String url, String alias) {
+ char[] credStr=rangerCp.getCredentialString(url,alias);
+ return credStr;
+ }
+}
+
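Review bot: The HostnameVerifier built in buildSSLClient (`return session.getPeerHost().equals(urlHostName);`) does not check the server certificate against the host name: SSLSession.getPeerHost() is typically the name the client itself connected with, so the comparison holds for any certificate the trust store accepts and the policy-manager connection is not protected against a peer presenting some other trusted certificate. Replace the anonymous verifier with the JDK default, `hv = HttpsURLConnection.getDefaultHostnameVerifier();` (import `javax.net.ssl.HttpsURLConnection`), which matches the certificate's SAN/CN against the URL host. Separately, the `BufferedReader` opened in fetchPolicyfromCahce over `this.lastStoredFileName` is never closed, and since `new FileReader((String) null)` raises NullPointerException rather than FileNotFoundException, the `this.lastStoredFileName == null` branch of the catch appears unreachable and a null file name likely propagates out of isFileChanged instead; close the reader in a finally block (or try-with-resources if the build targets Java 7+) and guard the null name before opening the file. Keeping the keystore and truststore passwords as String fields (`keyStoreFilepwd`, `trustStoreFilepwd`) rather than the char[] the credential provider already returns also leaves them resident on the heap longer than needed. The same code is presumably duplicated in the following Jersey2ConfigWatcher hunk, whose body runs past the end of this view.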
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java
new file mode 100644
index 0000000..4fcb489
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2ConfigWatcher.java
@@ -0,0 +1,565 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.pdp.config;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.WebTarget;
+import javax.ws.rs.core.Response;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider;
+import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy;
+import org.apache.ranger.pdp.constants.RangerConstants;
+import org.apache.ranger.pdp.model.PolicyContainer;
+import org.glassfish.jersey.client.ClientConfig;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.sun.jersey.client.urlconnection.HTTPSProperties;
+
+public abstract class Jersey2ConfigWatcher extends Thread {
+
+ private static final Log LOG = LogFactory.getLog(Jersey2ConfigWatcher.class);
+
+ public static final String EXPECTED_MIME_TYPE = "application/json" ;
+
+ // public static final String EXPECTED_MIME_TYPE = "application/octet-stream";
+
+ private static final String LASTUPDATED_PARAM = "epoch";
+ private static final String POLICY_COUNT_PARAM = "policyCount";
+ private static final String AGENT_NAME_PARAM = "agentId" ;
+
+ private static final int MAX_AGENT_NAME_LEN = 255 ;
+
+ private static final String RANGER_KNOX_CREDENTIAL_PROVIDER_FILE
+ = "xasecure.knox.credential.provider.file";
+
+ private String url;
+
+ private long intervalInMilliSeconds;
+
+ private long lastModifiedTime = 0;
+
+ private boolean shutdownFlag = false;
+
+ private String lastStoredFileName = null;
+
+ protected PolicyContainer policyContainer = null;
+
+ private static PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy();
+
+ private static RangerCredentialProvider rangerCp = null;
+
+ public abstract void doOnChange();
+
+ private String credentialProviderFile = null;
+ private String keyStoreFile = null ;
+ private String keyStorePassword = null;
+ private String trustStoreFile = null ;
+ private String trustStorePassword = null ;
+ private String keyStoreType = null ;
+ private String trustStoreType = null ;
+ private SSLContext sslContext = null ;
+ private HostnameVerifier hv = null ;
+ private String agentName = "unknown" ;
+
+ private String sslConfigFileName = null ;
+
+ boolean policyCacheLoadedOnce = false;
+
+ public Jersey2ConfigWatcher(String url, long aIntervalInMilliSeconds,String sslConfigFileName,String lastStoredFileName) {
+ super("RangerConfigURLWatcher");
+ setDaemon(true);
+ this.url = url;
+ intervalInMilliSeconds = aIntervalInMilliSeconds;
+ this.sslConfigFileName = sslConfigFileName ;
+ this.agentName = getAgentName(this.url) ;
+ this.lastStoredFileName = lastStoredFileName;
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Creating PolicyRefreshser with url: " + url +
+ ", refreshInterval(milliSeconds): " + aIntervalInMilliSeconds +
+ ", sslConfigFileName: " + sslConfigFileName +
+ ", lastStoredFileName: " + lastStoredFileName);
+ }
+ init();
+ validateAndRun();
+ LOG.debug("Created new ConfigWatcher for URL [" + url + "]");
+ }
+
+
+ public void init() {
+ if (sslConfigFileName != null) {
+ LOG.debug("Loading SSL Configuration from [" + sslConfigFileName
+ + "]");
+ InputStream in = null;
+ try {
+ Configuration conf = new Configuration();
+ in = getFileInputStream(sslConfigFileName);
+ if (in != null) {
+ conf.addResource(in);
+ }
+
+ if (url.startsWith("https")) {
+ rangerCp = RangerCredentialProvider.getInstance();
+
+ keyStoreFile = conf
+ .get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE);
+
+ credentialProviderFile = conf
+ .get(RANGER_KNOX_CREDENTIAL_PROVIDER_FILE);
+ String keyStorePasswordAlias = RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS;
+
+ char[] v_keyStorePassword = getCredential(credentialProviderFile,
+ keyStorePasswordAlias);
+ if (v_keyStorePassword == null) {
+ keyStorePassword = null;
+ } else {
+ keyStorePassword = new String(v_keyStorePassword);
+ }
+
+ trustStoreFile = conf
+ .get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE);
+
+ //trustStoreURL = conf
+ // .get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL);
+ String trustStorePasswordAlias = RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS;
+
+ char[] v_trustStorePassword = getCredential(credentialProviderFile,
+ trustStorePasswordAlias);
+ if (v_trustStorePassword == null) {
+ trustStorePassword = null;
+ } else {
+ trustStorePassword = new String(v_trustStorePassword);
+ }
+
+ keyStoreType = conf
+ .get(RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE,
+ RangerConstants.RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT);
+ trustStoreType = conf
+ .get(RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE,
+ RangerConstants.RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT);
+ }
+ } catch (IOException ioe) {
+ LOG.error("Unable to load SSL Config FileName: ["
+ + sslConfigFileName + "]", ioe);
+ } finally {
+ if (in != null) {
+ try {
+ in.close();
+ } catch (IOException e) {
+ LOG.error("Unable to close SSL Config FileName: ["
+ + sslConfigFileName + "]", e);
+ }
+ }
+ }
+
+ LOG.debug("Keystore filename:[" + keyStoreFile + "]");
+ LOG.debug("TrustStore filename:[" + trustStoreFile + "]");
+
+ }
+ }
+
+ public String getURL() {
+ return url;
+ }
+
+ public long getIntervalInMilliSeconds() {
+ return intervalInMilliSeconds;
+ }
+
+ public long getLastModifiedTime() {
+ return lastModifiedTime;
+ }
+
+ public void run() {
+ while (!shutdownFlag) {
+ validateAndRun();
+ try {
+ Thread.sleep(intervalInMilliSeconds);
+ } catch (InterruptedException e) {
+ LOG.error("Unable to complete sleep for [" + intervalInMilliSeconds + "]", e);
+ }
+ }
+ }
+
+ private void validateAndRun() {
+ if (isFileChanged()) {
+ LOG.debug("Policy has been changed from " + url + " ... RELOADING");
+ try {
+ doOnChange();
+ } catch (Exception e) {
+ LOG.error("Unable to complete doOnChange() method on file change [" + url + "]", e);
+ }
+ } else {
+ LOG.debug("No Change found in the policy from " + url);
+ }
+ }
+
+ private boolean isFileChanged() {
+ boolean isChanged = false;
+
+
+ try {
+
+ Client client = null;
+ Response response = null;
+
+ try {
+
+ int policyCount = getPolicyCount(policyContainer);
+
+ if (url.contains("https")) {
+ // build SSL Client
+ client = buildSSLClient();
+ }
+
+ if (client == null) {
+ client = ClientBuilder.newClient();
+ }
+
+ WebTarget webTarget = client.target(url)
+ .queryParam(LASTUPDATED_PARAM, String.valueOf(lastModifiedTime))
+ .queryParam(POLICY_COUNT_PARAM, String.valueOf(policyCount))
+ .queryParam(AGENT_NAME_PARAM, agentName);
+
+ response = webTarget.request().accept(EXPECTED_MIME_TYPE).get();
+
+
+ if (response != null) {
+
+ Boolean responsePresent = true;
+ int responseStatus = response.getStatus();
+
+ if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) {
+ /* If the response is other than 200 and 304 load the policy from the cache */
+ isChanged = true;
+
+ } else {
+ /*
+ * If Policy Manager is available fetch the policy from
+ * it
+ */
+ if (response.getStatus() == 200) {
+
+ String entityString = response
+ .readEntity(String.class);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("JSON response from server: "
+ + entityString);
+ }
+
+ Gson gson = new GsonBuilder()
+ .setPrettyPrinting()
+ .addDeserializationExclusionStrategy(
+ policyExclusionStrategy).create();
+ PolicyContainer newPolicyContainer = gson.fromJson(
+ entityString, PolicyContainer.class);
+ if ((newPolicyContainer.getLastUpdatedTimeInEpoc() > lastModifiedTime)
+ || (getPolicyCount(newPolicyContainer) != policyCount)) {
+ policyContainer = newPolicyContainer;
+ lastModifiedTime = policyContainer
+ .getLastUpdatedTimeInEpoc();
+ isChanged = true;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Got response: 200 with {change in lastupdatedTime}\n"
+ + gson.toJson(newPolicyContainer));
+ }
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Got response: 200 with {no-change in lastupdatedTime}\n"
+ + gson.toJson(newPolicyContainer));
+ }
+ isChanged = false;
+ }
+ } else if (response.getStatus() == 304) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Got response: 304 ");
+ }
+ isChanged = false; // No Change has been there since
+ // our
+ // earlier request
+ } else {
+ LOG.error("Unable to get a valid response for isFileChanged() call for ["
+ + url
+ + "] = response code found ["
+ + response.getStatus() + "]");
+ }
+ }
+
+ } else {
+ LOG.error("Unable to get a valid response for isFileChanged() call for [" + url + "] - got null response.");
+ // force the policy update to get fresh copy
+ lastModifiedTime = 0;
+ }
+
+ } finally {
+ if (response != null) {
+ response.close();
+ }
+ if (client != null) {
+ client.close();
+ }
+ }
+ } catch (Throwable t) {
+
+ Boolean responsePresent = false;
+ int responseStatus = -1;
+
+ if ( fetchPolicyfromCahce(responsePresent,responseStatus,lastStoredFileName) ) {
+ /* Successfully found the Policy Cache file and loaded */
+ isChanged = true;
+ } else {
+ LOG.error("Unable to complete isFileChanged() call for [" + url + "]", t);
+ // force the policy update to get fresh copy
+ lastModifiedTime = 0;
+ LOG.error("Policy file Cache not found..");
+ throw new RuntimeException("Unable to find Enterprise Policy Storage");
+ }
+
+ } finally {
+ if (isChanged) {
+ LOG.info("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime);
+ } else if (LOG.isDebugEnabled()) {
+ LOG.debug("URL: [" + url + "], isModified: " + isChanged + ", lastModifiedTime:" + lastModifiedTime);
+ }
+ }
+ return isChanged;
+ }
+
+ public PolicyContainer getPolicyContainer() {
+ return policyContainer;
+ }
+
+ private int getPolicyCount(PolicyContainer aPolicyContainer) {
+ return (aPolicyContainer == null ? 0 : (aPolicyContainer.getAcl() == null ? 0 : aPolicyContainer.getAcl().size()));
+ }
+
+
+ public synchronized Client buildSSLClient() {
+ Client client = null;
+ try {
+
+ ClientConfig config = new ClientConfig();
+
+ if (sslContext == null) {
+
+ KeyManager[] kmList = null;
+ TrustManager[] tmList = null;
+
+ if (keyStoreFile != null && keyStorePassword != null) {
+
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+ InputStream in = null ;
+ try {
+ in = getFileInputStream(keyStoreFile) ;
+ if (in == null) {
+ LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]");
+ return client ;
+ }
+ keyStore.load(in, keyStorePassword.toCharArray());
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(RangerConstants.RANGER_SSL_KEYMANAGER_ALGO_TYPE);
+ keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
+ kmList = keyManagerFactory.getKeyManagers();
+ }
+ finally {
+ if (in != null) {
+ in.close();
+ }
+ }
+
+ }
+
+ if (trustStoreFile != null && trustStorePassword != null) {
+
+ KeyStore trustStore = KeyStore.getInstance(trustStoreType);
+ InputStream in = null ;
+ try {
+ in = getFileInputStream(trustStoreFile) ;
+ if (in == null) {
+ LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]");
+ return client ;
+ }
+ trustStore.load(in, trustStorePassword.toCharArray());
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(RangerConstants.RANGER_SSL_TRUSTMANAGER_ALGO_TYPE);
+ trustManagerFactory.init(trustStore);
+ tmList = trustManagerFactory.getTrustManagers();
+ }
+ finally {
+ if (in != null) {
+ in.close() ;
+ }
+ }
+ }
+
+ sslContext = SSLContext.getInstance(RangerConstants.RANGER_SSL_CONTEXT_ALGO_TYPE);
+
+ sslContext.init(kmList, tmList, new SecureRandom());
+
+ hv = new HostnameVerifier() {
+ public boolean verify(String urlHostName, SSLSession session) {
+ return session.getPeerHost().equals(urlHostName);
+ }
+ };
+
+ }
+
+ config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hv, sslContext));
+
+ client = ClientBuilder.newClient(config);
+
+ } catch (KeyStoreException e) {
+ LOG.error("Unable to obtain from KeyStore", e);
+ } catch (NoSuchAlgorithmException e) {
+ LOG.error("SSL algorithm is available in the environment", e);
+ } catch (CertificateException e) {
+ LOG.error("Unable to obtain the requested certification ", e);
+ } catch (FileNotFoundException e) {
+ LOG.error("Unable to find the necessary SSL Keystore and TrustStore Files", e);
+ } catch (IOException e) {
+ LOG.error("Unable to read the necessary SSL Keystore and TrustStore Files", e);
+ } catch (KeyManagementException e) {
+ LOG.error("Unable to initials the SSLContext", e);
+ } catch (UnrecoverableKeyException e) {
+ LOG.error("Unable to recover the key from keystore", e);
+ }
+ return client;
+ }
+
+ private InputStream getFileInputStream(String fileName) throws IOException {
+ InputStream in = null ;
+
+ File f = new File(fileName) ;
+
+ if (f.exists()) {
+ in = new FileInputStream(f) ;
+ }
+ else {
+ in = ClassLoader.getSystemResourceAsStream(fileName) ;
+ }
+ return in ;
+ }
+
+ public static String getAgentName(String aUrl) {
+ String hostName = null ;
+ String repoName = null ;
+ try {
+ hostName = InetAddress.getLocalHost().getHostName() ;
+ } catch (UnknownHostException e) {
+ LOG.error("ERROR: Unable to find hostname for the agent ", e);
+ hostName = "unknownHost" ;
+ }
+
+ String[] tokens = aUrl.split("/") ;
+
+ if ( tokens.length > 0 ) {
+ repoName = tokens[tokens.length-1] ;
+ }
+ else {
+ repoName = "unknownRepo" ;
+ }
+
+ String agentName = hostName + "-" + repoName ;
+
+ if (agentName.length() > MAX_AGENT_NAME_LEN ) {
+ agentName = agentName.substring(0,MAX_AGENT_NAME_LEN) ;
+ }
+
+ return agentName ;
+ }
+
+ private boolean fetchPolicyfromCahce( Boolean responsePresent, int responseStatus, String lastStoredFileName){
+
+ boolean cacheFound = false;
+
+ if ( ( responsePresent == false ) || ( responseStatus != 200 && responseStatus != 304) ) {
+
+ /* Policy Manager not available read the policy from the last enforced one */
+
+ if (policyCacheLoadedOnce) {
+ cacheFound = true;
+ return cacheFound;
+ }
+
+ try {
+ /* read the last stored policy file and load the PolicyContainer */
+ LOG.info("Policy Manager not available, using the last stored Policy File" + this.lastStoredFileName );
+ LOG.debug("LastStoredFileName when policymgr was available" + this.lastStoredFileName);
+
+ BufferedReader jsonString = new BufferedReader(new FileReader(this.lastStoredFileName));
+ Gson gson = new GsonBuilder().setPrettyPrinting().addDeserializationExclusionStrategy(policyExclusionStrategy).create();
+ PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class);
+ policyContainer = newPolicyContainer;
+ lastModifiedTime = policyContainer.getLastUpdatedTimeInEpoc();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Policy Manager not available.Got response =" + responseStatus +"\n" + gson.toJson(newPolicyContainer));
+ }
+
+ cacheFound = true;
+ policyCacheLoadedOnce = true;
+
+ } catch( FileNotFoundException fe ){
+
+ /* unable to get the last stored policy, raise warning for unavailability of policy cache file and continue...*/
+ if ( this.lastStoredFileName == null ) {
+ LOG.info("Policy cache file not found...XAagent authorization not enabled");
+ }
+ else {
+ LOG.info("Unable to access Policy cache file...XAagent authorization not enabled");
+ }
+ }
+
+ }
+
+ return cacheFound;
+ }
+
+ private char[] getCredential(String url, String alias) {
+ char[] credStr=rangerCp.getCredentialString(url,alias);
+ return credStr;
+ }
+
+}
+
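Review bot: In buildSSLClient, the key and trust stores loaded above are handed to the Jersey 2 ClientConfig via the Jersey 1 key `config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hv, sslContext));` (note the `com.sun.jersey.client.urlconnection` import), which I believe Jersey 2 connectors do not read, so the client would silently fall back to the JVM default SSLContext and the configured client certificate and truststore would never be used; the JAX-RS 2 form is `client = ClientBuilder.newBuilder().withConfig(config).sslContext(sslContext).hostnameVerifier(hv).build();`. Independently, the anonymous HostnameVerifier compares `session.getPeerHost()`, which on the client side is the host name the client itself connected to, with `urlHostName`, so in practice it returns true for every connection and amounts to disabling hostname verification; as the SSLContext is not initialised with endpoint identification, any certificate trusted by the truststore could impersonate the policy manager, so prefer `HttpsURLConnection.getDefaultHostnameVerifier()` or drop the custom verifier. In init(), the `char[]` credential is copied into the String fields `keyStorePassword`/`trustStorePassword` for the lifetime of the watcher; keeping them as `char[]` and clearing them after `keyStore.load`/`keyManagerFactory.init` would shorten the exposure. Finally, fetchPolicyfromCahce never closes the `BufferedReader` it opens on the cache file, and `new FileReader((String) null)` throws NullPointerException rather than FileNotFoundException, so the `this.lastStoredFileName == null` branch in its catch block is unreachable and a null cache-file name escapes the handler.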
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java
new file mode 100644
index 0000000..112b89a
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/Jersey2PolicyRefresher.java
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.pdp.config;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+public class Jersey2PolicyRefresher {
+
+ private static final Log LOG = LogFactory.getLog(Jersey2PolicyRefresher.class);
+
+ private String url ;
+ private long refreshInterval ;
+
+ private Jersey2ConfigWatcher watcherDaemon = null;
+
+ protected PolicyContainer policyContainer = null ;
+
+ private PolicyChangeListener policyChangeListener = null ;
+
+ private String saveAsFileName = null ;
+
+ private String sslConfigFileName = null ;
+
+ private String lastStoredFileName = null;
+
+ private PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy() ;
+
+ public Jersey2PolicyRefresher(String url, long refreshInterval, String sslConfigFileName, String lastStoredFileName) {
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Creating PolicyRefreshser with url: " + url +
+ ", refreshInterval: " + refreshInterval +
+ ", sslConfigFileName: " + sslConfigFileName +
+ ", lastStoredFileName: " + lastStoredFileName);
+ }
+ this.url = url ;
+ this.refreshInterval = refreshInterval ;
+ this.sslConfigFileName = sslConfigFileName ;
+ this.lastStoredFileName = lastStoredFileName;
+ checkFileWatchDogThread();
+ }
+
+ public PolicyChangeListener getPolicyChangeListener() {
+ return policyChangeListener;
+ }
+
+ public synchronized void setPolicyChangeListener(PolicyChangeListener policyChangeListener) {
+ this.policyChangeListener = policyChangeListener;
+ if (this.policyContainer != null) {
+ savePolicyToFile() ;
+ notifyPolicyChange() ;
+ }
+ }
+
+ private void setPolicyContainer(PolicyContainer aPolicyContainer) {
+ this.policyContainer = aPolicyContainer ;
+ }
+
+ public PolicyContainer getPolicyContainer() {
+ return policyContainer ;
+ }
+
+ public String getSaveAsFileName() {
+ return saveAsFileName;
+ }
+
+ public void setSaveAsFileName(String saveAsFileName) {
+ this.saveAsFileName = saveAsFileName;
+ }
+
+ public String getSslConfigFileName() {
+ return sslConfigFileName;
+ }
+
+ public String getLastStoredFileName() {
+ return lastStoredFileName;
+ }
+
+ public void setLastStoredFileName(String lastStoredFileName) {
+ this.lastStoredFileName = lastStoredFileName;
+ }
+
+ public void setSslConfigFileName(String sslConfigFileName) {
+ this.sslConfigFileName = sslConfigFileName;
+ }
+
+
+ private synchronized void checkFileWatchDogThread() {
+ if (watcherDaemon == null) {
+ try {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Starting WatchDog for the Path [" + url + "] ....");
+ }
+ watcherDaemon = new Jersey2ConfigWatcher(url, refreshInterval,sslConfigFileName,this.getLastStoredFileName()) {
+ public void doOnChange() {
+ PolicyContainer newPolicyContainer = getPolicyContainer() ;
+ setPolicyContainer(newPolicyContainer) ;
+ savePolicyToFile() ;
+ notifyPolicyChange();
+ };
+ };
+ watcherDaemon.start();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Completed kick-off of FileWatchDog for the Path [" + url + "] interval in millisecond:" + refreshInterval);
+ }
+ } catch (Throwable t) {
+ LOG.error("Unable to start the FileWatchDog for path [" + url + "]", t);
+ }
+ }
+ }
+
+ private void notifyPolicyChange() {
+ if (policyChangeListener != null) {
+ try {
+ policyChangeListener.OnPolicyChange(policyContainer);
+ }
+ catch(Throwable t) {
+ LOG.error("Error during notification of policy changes to listener [" + policyChangeListener + "]", t) ;
+ }
+ finally {
+ LOG.debug("Completed notification of policy changes to listener [" + policyChangeListener + "]") ;
+ }
+ }
+ }
+
+
+ private void savePolicyToFile() {
+
+ LOG.debug("savePolicyToFile() is called with [" + saveAsFileName + "] - START") ;
+ String fileName = null;
+ if (saveAsFileName != null) {
+ String currentDateTime = new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()) ;
+ fileName = saveAsFileName + "." + currentDateTime ;
+ File saveFile = new File(fileName) ;
+ Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ;
+ String policyAsJson = gson.toJson(policyContainer) ;
+ PrintWriter writer = null ;
+ try {
+ writer = new PrintWriter(new FileWriter(saveFile)) ;
+ writer.println(policyAsJson) ;
+ }
+ catch(IOException ioe) {
+ LOG.error("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]", ioe);
+ }
+ finally {
+ if (writer != null) {
+ writer.close();
+ }
+ }
+
+ if (lastStoredFileName != null) {
+ File lastSaveFileName = new File(lastStoredFileName);
+
+ try {
+ writer = new PrintWriter(new FileWriter(lastSaveFileName));
+ writer.println(policyAsJson);
+
+ }
+ catch(IOException ioe){
+ LOG.error("Unable to save the policy into Last Stored Policy File [" + lastSaveFileName.getAbsolutePath() + "]", ioe );
+ }
+ finally {
+ //make the policy file cache to be 600 permission when it gets created and updated
+ lastSaveFileName.setReadable(false,false);
+ lastSaveFileName.setReadable(true,true);
+ if (writer != null) {
+ writer.close();
+ }
+ }
+
+ }
+ }
+
+ LOG.debug("savePolicyToFile() is called with [" + fileName + "] - END") ;
+
+ }
+
+}
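Review bot: In savePolicyToFile the policy cache is created by `new PrintWriter(new FileWriter(lastSaveFileName))` under the process umask and only tightened in the following `finally` block, so there is a window in which the cache is readable by other local users, and the boolean results of `setReadable` are discarded, so where the call fails the file silently stays world-readable. The comment says 600 but only the read bit is restricted here; the sibling `PolicyRefresher.savePolicyToCacheFile` in this commit additionally does `lastSaveFile.setWritable(false,false); lastSaveFile.setWritable(true,true);` and shares the same create-then-chmod ordering. The timestamped copy written to `saveAsFileName + "." + currentDateTime` just above holds the same policy JSON but gets no permission restriction at all. Creating the file when absent with e.g. `Files.createFile(path, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")))` before opening the writer (falling back to the `set*` calls where POSIX attributes are unsupported), and logging a warning when a `set*` call returns false, would close both gaps.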
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java
new file mode 100644
index 0000000..a403e54
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyChangeListener.java
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.config;
+
+import org.apache.ranger.pdp.model.PolicyContainer;
+
+public interface PolicyChangeListener {
+ public void OnPolicyChange(PolicyContainer aPolicyContainer) ;
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java
new file mode 100644
index 0000000..eed7c8d
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/PolicyRefresher.java
@@ -0,0 +1,229 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.pdp.config;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.pdp.config.gson.PolicyExclusionStrategy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+public class PolicyRefresher {
+
+ private static final Log LOG = LogFactory.getLog(PolicyRefresher.class);
+
+ private String url ;
+ private long refreshInterval ;
+
+ private ConfigWatcher watcherDaemon = null;
+
+ protected PolicyContainer policyContainer = null ;
+
+ private PolicyChangeListener policyChangeListener = null ;
+
+ private String saveAsFileName = null ;
+
+ private String sslConfigFileName = null ;
+
+ private String lastStoredFileName = null;
+
+ private PolicyExclusionStrategy policyExclusionStrategy = new PolicyExclusionStrategy() ;
+
+ public PolicyRefresher(String url, long refreshInterval, String sslConfigFileName, String lastStoredFileName) {
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Creating PolicyRefreshser with url: " + url +
+ ", refreshInterval: " + refreshInterval +
+ ", sslConfigFileName: " + sslConfigFileName +
+ ", lastStoredFileName: " + lastStoredFileName);
+ }
+ this.url = url ;
+ this.refreshInterval = refreshInterval ;
+ this.sslConfigFileName = sslConfigFileName ;
+ this.lastStoredFileName = lastStoredFileName;
+ checkFileWatchDogThread();
+ }
+
+ public PolicyChangeListener getPolicyChangeListener() {
+ return policyChangeListener;
+ }
+
+ public synchronized void setPolicyChangeListener(PolicyChangeListener policyChangeListener) {
+ this.policyChangeListener = policyChangeListener;
+ if (this.policyContainer != null) {
+ savePolicyToFile() ;
+ savePolicyToCacheFile();
+ notifyPolicyChange() ;
+ }
+ }
+
+ public void setPolicyContainer(PolicyContainer aPolicyContainer) {
+ this.policyContainer = aPolicyContainer ;
+ }
+
+ public PolicyContainer getPolicyContainer() {
+ return policyContainer ;
+ }
+
+ public String getSaveAsFileName() {
+ return saveAsFileName;
+ }
+
+ public void setSaveAsFileName(String saveAsFileName) {
+ this.saveAsFileName = saveAsFileName;
+ }
+
+ public String getSslConfigFileName() {
+ return sslConfigFileName;
+ }
+
+ public String getLastStoredFileName() {
+ return lastStoredFileName;
+ }
+
+ public void setLastStoredFileName(String lastStoredFileName) {
+ this.lastStoredFileName = lastStoredFileName;
+ }
+
+ public void setSslConfigFileName(String sslConfigFileName) {
+ this.sslConfigFileName = sslConfigFileName;
+ }
+
+
+ private synchronized void checkFileWatchDogThread() {
+ if (watcherDaemon == null) {
+ try {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Starting WatchDog for the Path [" + url + "] ....");
+ }
+ watcherDaemon = new ConfigWatcher(url, refreshInterval,sslConfigFileName,this.getLastStoredFileName()) {
+ public void doOnChange() {
+ PolicyContainer newPolicyContainer = getPolicyContainer() ;
+ setPolicyContainer(newPolicyContainer) ;
+ savePolicyToFile() ;
+ savePolicyToCacheFile();
+ notifyPolicyChange();
+ };
+ };
+ watcherDaemon.start();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Completed kick-off of FileWatchDog for the Path [" + url + "] interval in millisecond:" + refreshInterval);
+ }
+ } catch (Throwable t) {
+ LOG.error("Unable to start the FileWatchDog for path [" + url + "]", t);
+ }
+ }
+ }
+
+ private void notifyPolicyChange() {
+ if (policyChangeListener != null) {
+ try {
+ policyChangeListener.OnPolicyChange(policyContainer);
+ }
+ catch(Throwable t) {
+ LOG.error("Error during notification of policy changes to listener [" + policyChangeListener + "]", t) ;
+ }
+ finally {
+ LOG.debug("Completed notification of policy changes to listener [" + policyChangeListener + "]") ;
+ }
+ }
+ }
+
+
+ private void savePolicyToFile() {
+ if (watcherDaemon != null && !watcherDaemon.iscacheModfied()) {
+ // Do not Save the file if the policy is not modified.
+ return;
+ }
+ LOG.debug("savePolicyToFile() is called with [" + saveAsFileName + "] - START") ;
+ String fileName = null;
+ if (saveAsFileName != null) {
+ String currentDateTime = new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()) ;
+ fileName = saveAsFileName + "." + currentDateTime ;
+ File saveFile = new File(fileName) ;
+ Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ;
+ String policyAsJson = gson.toJson(policyContainer) ;
+ PrintWriter writer = null ;
+ try {
+ writer = new PrintWriter(new FileWriter(saveFile)) ;
+ writer.println(policyAsJson) ;
+ }
+ catch(IOException ioe) {
+ LOG.warn("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]");
+ }
+ finally {
+ if (writer != null) {
+ writer.close();
+ }
+ }
+ LOG.debug("savePolicyToFile() is called with [" + fileName + "] - END") ;
+ }
+ }
+
+ private void savePolicyToCacheFile() {
+
+ if (watcherDaemon != null && !watcherDaemon.iscacheModfied()) {
+ // Don't Save the file if the policy is not modified.
+ return;
+ }
+
+ LOG.debug("savePolicyToCacheFile() is called with [" + lastStoredFileName + "] - START") ;
+
+ if (lastStoredFileName != null) {
+
+ File lastSaveFile = new File(lastStoredFileName) ;
+ Gson gson = new GsonBuilder().setPrettyPrinting().setExclusionStrategies(policyExclusionStrategy).create() ;
+ String policyAsJson = gson.toJson(policyContainer) ;
+ PrintWriter writer = null ;
+
+ try {
+ writer = new PrintWriter(new FileWriter(lastSaveFile));
+ writer.println(policyAsJson);
+
+ }
+ catch(IOException ioe){
+ LOG.warn("Unable to save the policy into Last Stored Policy File [" + lastSaveFile.getAbsolutePath() + "]");
+ }
+ finally {
+ //make the policy file cache to be 600 permission when it gets created and updated
+ lastSaveFile.setReadable(false,false);
+ lastSaveFile.setWritable(false,false);
+ lastSaveFile.setReadable(true,true);
+ lastSaveFile.setWritable(true,true);
+ if (writer != null) {
+ writer.close();
+ }
+ }
+
+ }
+
+ LOG.debug("savePolicyToCacheFile() is called with [" + lastStoredFileName + "] - END") ;
+
+ }
+
+}
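Review bot: In savePolicyToFile and savePolicyToCacheFile the caught exception is dropped from the log call, `LOG.warn("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]");`, so the reason the policy cache could not be written (permissions, missing directory, disk full) is lost; pass it as the second argument, `LOG.warn("Unable to save policy into file: [" + saveFile.getAbsolutePath() + "]", ioe);`, as the Jersey2PolicyRefresher variant in this commit does. `setPolicyContainer` is `public` here while the Jersey2PolicyRefresher equivalent is `private`; unless an external caller needs it, which this diff does not show, the enforced policy container should not be replaceable from outside the watcher callback.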
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java
new file mode 100644
index 0000000..cbb460e
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/ExcludeSerialization.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.config.gson;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.FIELD})
+
+public @interface ExcludeSerialization {
+
+}
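Review bot: `@Target({ElementType.FIELD})` restricts this annotation to fields, yet `PolicyExclusionStrategy.shouldSkipClass` in the next file looks it up with `objectClass.getAnnotation(ExcludeSerialization.class)`, so that check can never succeed and class-level exclusion is silently dead. Either widen the target to `@Target({ElementType.FIELD, ElementType.TYPE})` so the class branch is reachable, or have `shouldSkipClass` return `false` with a comment stating that exclusion is field-only. The annotation also carries no Javadoc; a one-liner such as `/** Marks a field to be omitted when the policy container is written to the JSON cache through Gson (see PolicyExclusionStrategy). */` would explain its purpose to readers. The stray blank line between `@Target` and the `@interface` declaration is unusual and should be dropped.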
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java
new file mode 100644
index 0000000..ad3a354
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/config/gson/PolicyExclusionStrategy.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.config.gson;
+
+import com.google.gson.ExclusionStrategy;
+import com.google.gson.FieldAttributes;
+
+public class PolicyExclusionStrategy implements ExclusionStrategy {
+
+ @Override
+ public boolean shouldSkipClass(Class<?> objectClass) {
+ return (objectClass.getAnnotation(ExcludeSerialization.class) != null) ;
+ }
+
+ @Override
+ public boolean shouldSkipField(FieldAttributes aFieldAttributes) {
+ return (aFieldAttributes.getAnnotation(ExcludeSerialization.class) != null) ;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java b/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java
new file mode 100644
index 0000000..466e00f
--- /dev/null
+++ b/agents-impl/src/main/java/org/apache/ranger/pdp/constants/RangerConstants.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.pdp.constants;
+
+public class RangerConstants {
+ public static final String PUBLIC_ACCESS_ROLE = "public" ;
+
+ public static final String RANGER_HBASE_POLICYMGR_URL_PROP = "xasecure.hbase.policymgr.url";
+ public static final String RANGER_HBASE_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hbase.policymgr.url.saveAsFile";
+ public static final String RANGER_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hbase.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_HBASE_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hbase.policymgr.ssl.config";
+ public static final long RANGER_HBASE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_HBASE_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hbase.policymgr.url.laststoredfile";
+
+ public static final String RANGER_HDFS_POLICYMGR_URL_PROP = "xasecure.hdfs.policymgr.url";
+ public static final String RANGER_HDFS_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hdfs.policymgr.url.saveAsFile";
+ public static final String RANGER_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hdfs.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_HDFS_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hdfs.policymgr.ssl.config";
+ public static final long RANGER_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_HDFS_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hdfs.policymgr.url.laststoredfile";
+
+
+ public static final String RANGER_KNOX_POLICYMGR_URL_PROP = "xasecure.knox.policymgr.url";
+ public static final String RANGER_KNOX_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.knox.policymgr.url.saveAsFile";
+ public static final String RANGER_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.knox.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_KNOX_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.knox.policymgr.ssl.config";
+ public static final long RANGER_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_KNOX_LAST_SAVED_POLICY_FILE_PROP = "xasecure.knox.policymgr.url.laststoredfile";
+
+
+ public static final String RANGER_HIVE_POLICYMGR_URL_PROP = "xasecure.hive.policymgr.url";
+ public static final String RANGER_HIVE_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.hive.policymgr.url.saveAsFile";
+ public static final String RANGER_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.hive.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_HIVE_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.hive.policymgr.ssl.config";
+ public static final long RANGER_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_HIVE_LAST_SAVED_POLICY_FILE_PROP = "xasecure.hive.policymgr.url.laststoredfile";
+
+
+ // xasecure 2-way ssl configuration
+
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE = "xasecure.policymgr.clientssl.keystore";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_PASSWORD = "xasecure.policymgr.clientssl.keystore.password";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE = "xasecure.policymgr.clientssl.keystore.type";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL = "xasecure.policymgr.clientssl.keystore.credential.file";
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS = "sslKeyStore";
+
+ public static final String RANGER_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT = "jks";
+
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE = "xasecure.policymgr.clientssl.truststore";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_PASSWORD = "xasecure.policymgr.clientssl.truststore.password";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE = "xasecure.policymgr.clientssl.truststore.type";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL = "xasecure.policymgr.clientssl.truststore.credential.file";
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS = "sslTrustStore";
+
+ public static final String RANGER_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT = "jks";
+
+
+ public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE = "SunX509" ;
+ public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = "SunX509" ;
+ public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "SSL" ;
+
+
+
+ public static final String RANGER_STORM_POLICYMGR_URL_PROP = "xasecure.storm.policymgr.url";
+ public static final String RANGER_STORM_POLICYMGR_URL_SAVE_FILE_PROP = "xasecure.storm.policymgr.url.saveAsFile";
+ public static final String RANGER_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP = "xasecure.storm.policymgr.url.reloadIntervalInMillis";
+ public static final String RANGER_STORM_POLICYMGR_SSL_CONFIG_FILE_PROP = "xasecure.storm.policymgr.ssl.config";
+ public static final long RANGER_STORM_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT = 60000L ;
+ public static final String RANGER_STORM_LAST_SAVED_POLICY_FILE_PROP = "xasecure.storm.policymgr.url.laststoredfile";
+
+
+}
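Review bot: `RANGER_SSL_CONTEXT_ALGO_TYPE = "SSL"` in the 2-way SSL section names the legacy protocol family; passing it to `SSLContext.getInstance` can allow SSLv3 negotiation on older runtimes, while `"TLS"` requests the TLS family and is the value to prefer for the policy-manager client connection, so the constant should read `public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLS" ;`. The `SunX509` key/trust manager algorithm constants are provider-specific; `KeyManagerFactory.getDefaultAlgorithm()` and `TrustManagerFactory.getDefaultAlgorithm()` are the portable choice, though that substitution belongs where the constants are consumed, which is outside this hunk. As a constants-only holder the class should also be non-instantiable, `public final class RangerConstants { private RangerConstants() {}`, and the five near-identical per-component property groups would benefit from a short header comment noting that the `xasecure.` prefix is deliberately kept for configuration compatibility, if that is the intent.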