Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/07 05:08:22 UTC
incubator-ranger git commit: RANGER-373: fixed Hive plugin audit
handler to handle audits from Grant/Revoke
Repository: incubator-ranger
Updated Branches:
refs/heads/master 10f5fd607 -> 931315383
RANGER-373: fixed Hive plugin audit handler to handle audits from Grant/Revoke
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/93131538
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/93131538
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/93131538
Branch: refs/heads/master
Commit: 9313153838c1cdf0249c1908cf80ca45f719ade7
Parents: 10f5fd6
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Mon Apr 6 09:51:09 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Apr 6 19:52:51 2015 -0700
----------------------------------------------------------------------
.../ranger/plugin/service/RangerBasePlugin.java | 6 ++++
.../hive/authorizer/RangerHiveAuditHandler.java | 33 ++++++++++++++------
2 files changed, 30 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/93131538/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 3b9c309..5c37c7b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -333,11 +333,17 @@ public class RangerBasePlugin {
accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
accessRequest.setAction(action);
+ // call isAccessAllowed() to determine if audit is enabled or not
RangerAccessResult accessResult = policyEngine.isAccessAllowed(accessRequest, null);
if(accessResult != null && accessResult.getIsAudited()) {
+ accessRequest.setAccessType(action);
accessResult.setIsAllowed(isSuccess);
+ if(! isSuccess) {
+ accessResult.setPolicyId(-1);
+ }
+
auditHandler.logAudit(accessResult);
}
}
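Review bot: On the success path the audit record keeps the policy id returned by the ADMIN_ACCESS evaluation while `isAllowed` is overwritten with `isSuccess`, so the logged policy id may not be the policy that permitted the grant/revoke. Only the failure branch resets it, via `accessResult.setPolicyId(-1)`. If that is intended, a comment above the `if(! isSuccess)` block would make it explicit for audit readers, for example `// outcome is supplied by the caller; the policy id comes from the ADMIN_ACCESS lookup and is cleared on failure`. A failed grant/revoke is also only logged when the evaluation reports `getIsAudited()`, so whether denied privilege changes on unaudited resources should leave a record is worth confirming. The enclosing method starts outside the hunk.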
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/93131538/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 4d2d40f..2cb73b8 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -26,12 +26,15 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import com.google.common.collect.Lists;
@@ -47,14 +50,15 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
}
AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
- RangerHiveAccessRequest request = (RangerHiveAccessRequest)result.getAccessRequest();
- RangerHiveResource resource = (RangerHiveResource)request.getResource();
+ RangerAccessRequest request = result.getAccessRequest();
+ RangerAccessResource resource = request.getResource();
+ String resourceType = resource != null ? resource.getLeafName(result.getServiceDef()) : null;
AuthzAuditEvent auditEvent = new AuthzAuditEvent();
auditEvent.setAclEnforcer(RangerModuleName);
auditEvent.setSessionId(request.getSessionId());
- auditEvent.setResourceType("@" + StringUtil.toLower(resource.getObjectType().name())); // to be consistent with earlier release
- auditEvent.setAccessType(request.getHiveAccessType().toString());
+ auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release
+ auditEvent.setAccessType(accessType);
auditEvent.setAction(request.getAction());
auditEvent.setUser(request.getUser());
auditEvent.setAccessResult((short)(result.getIsAllowed() ? 1 : 0));
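Review bot: When `resource` is null, `resourceType` is null and `"@" + resourceType` writes the literal string `@null` into the audit event's resource type. Guarding the concatenation keeps that field clean: `auditEvent.setResourceType(resourceType != null ? "@" + resourceType : null);`. The removed line lower-cased the type with `StringUtil.toLower`, and the new value from `getLeafName` is used as returned, so the "consistent with earlier release" comment presumably relies on leaf names already being lower case; that is not visible here. `request` is dereferenced without a null check while `resource` is checked, and the method body continues past the end of this hunk.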
@@ -65,17 +69,28 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
auditEvent.setRepositoryType(result.getServiceType());
auditEvent.setRepositoryName(result.getServiceName()) ;
auditEvent.setRequestData(request.getRequestData());
- auditEvent.setResourcePath(resource != null ? resource.getAsString(result.getServiceDef()) : null);
-
+ auditEvent.setResourcePath(resourcePath);
+
return auditEvent;
}
AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
+ RangerAccessRequest request = result.getAccessRequest();
+ RangerAccessResource resource = request.getResource();
+
+ String accessType = null;
+ if(request instanceof RangerHiveAccessRequest) {
+ RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest)request;
+
+ accessType = hiveRequest.getHiveAccessType().toString();
+ }
+
+ if(StringUtils.isEmpty(accessType)) {
+ accessType = request.getAccessType();
+ }
- RangerHiveAccessRequest request = (RangerHiveAccessRequest)result.getAccessRequest();
- RangerHiveResource resource = (RangerHiveResource)request.getResource();
- String accessType = request.getHiveAccessType().toString();
String resourcePath = resource != null ? resource.getAsString(result.getServiceDef()) : null;
+
return createAuditEvent(result, accessType, resourcePath);
}
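Review bot: In `createAuditEvent(RangerAccessResult)` the call `hiveRequest.getHiveAccessType().toString()` throws if the Hive access type is null, so the `StringUtils.isEmpty(accessType)` fallback below it is never reached in that case and the audit event would be lost to the exception. Whether `getHiveAccessType()` can return null for grant/revoke requests is not visible in this hunk, but the fallback suggests an empty value was expected. A null-safe form keeps the fallback effective: `accessType = hiveRequest.getHiveAccessType() != null ? hiveRequest.getHiveAccessType().toString() : null;`. `request` itself is also dereferenced at `request.getResource()` without a null check on `result.getAccessRequest()`.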