Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/07 05:08:22 UTC

incubator-ranger git commit: RANGER-373: fixed Hive plugin audit handler to handle audits from Grant/Revoke

Repository: incubator-ranger
Updated Branches:
  refs/heads/master 10f5fd607 -> 931315383


RANGER-373: fixed Hive plugin audit handler to handle audits from Grant/Revoke


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/93131538
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/93131538
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/93131538

Branch: refs/heads/master
Commit: 9313153838c1cdf0249c1908cf80ca45f719ade7
Parents: 10f5fd6
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Mon Apr 6 09:51:09 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Apr 6 19:52:51 2015 -0700

----------------------------------------------------------------------
 .../ranger/plugin/service/RangerBasePlugin.java |  6 ++++
 .../hive/authorizer/RangerHiveAuditHandler.java | 33 ++++++++++++++------
 2 files changed, 30 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/93131538/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 3b9c309..5c37c7b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -333,11 +333,17 @@ public class RangerBasePlugin {
 			accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
 			accessRequest.setAction(action);
 
+			// call isAccessAllowed() to determine if audit is enabled or not
 			RangerAccessResult accessResult = policyEngine.isAccessAllowed(accessRequest, null);
 
 			if(accessResult != null && accessResult.getIsAudited()) {
+				accessRequest.setAccessType(action);
 				accessResult.setIsAllowed(isSuccess);
 
+				if(! isSuccess) {
+					accessResult.setPolicyId(-1);
+				}
+
 				auditHandler.logAudit(accessResult);
 			}
 		}
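Review bot: The check `accessResult != null && accessResult.getIsAudited()` has no else branch, so a grant/revoke whose ADMIN_ACCESS evaluation returns null or is not marked audited leaves no record at all, including failed attempts. Because these calls change privileges, a debug-level log on that path would make the gap visible during an investigation. The added `accessRequest.setAccessType(action)` mutates the request after evaluation and appears to rely on `accessResult` referencing the same request object, which this hunk does not show; a comment such as `// audit record must show the grant/revoke action, not ADMIN_ACCESS` would state the intent. The literal in `setPolicyId(-1)` should be a named constant or carry a comment saying it means "no policy applies". The enclosing method starts and ends outside the hunk.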

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/93131538/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 4d2d40f..2cb73b8 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -26,12 +26,15 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 
 import com.google.common.collect.Lists;
@@ -47,14 +50,15 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 	}
 	
 	AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
-		RangerHiveAccessRequest request  = (RangerHiveAccessRequest)result.getAccessRequest();
-		RangerHiveResource      resource = (RangerHiveResource)request.getResource();
+		RangerAccessRequest  request      = result.getAccessRequest();
+		RangerAccessResource resource     = request.getResource();
+		String               resourceType = resource != null ? resource.getLeafName(result.getServiceDef()) : null;
 
 		AuthzAuditEvent auditEvent = new AuthzAuditEvent();
 		auditEvent.setAclEnforcer(RangerModuleName);
 		auditEvent.setSessionId(request.getSessionId());
-		auditEvent.setResourceType("@" + StringUtil.toLower(resource.getObjectType().name())); // to be consistent with earlier release
-		auditEvent.setAccessType(request.getHiveAccessType().toString());
+		auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release
+		auditEvent.setAccessType(accessType);
 		auditEvent.setAction(request.getAction());
 		auditEvent.setUser(request.getUser());
 		auditEvent.setAccessResult((short)(result.getIsAllowed() ? 1 : 0));
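Review bot: When `resource` is null, `resourceType` is null and `"@" + resourceType` writes the literal string `@null` into the audit record's resource type; guard it, for example `auditEvent.setResourceType(resourceType != null ? "@" + resourceType : null);`. The trailing comment says the value stays consistent with the earlier release, but the old code lower-cased the object type name while the result of `getLeafName()` is used as returned. It is worth confirming that both produce the same strings, since audit consumers may filter on this field. The method body continues past the end of this hunk.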
@@ -65,17 +69,28 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 		auditEvent.setRepositoryType(result.getServiceType());
 		auditEvent.setRepositoryName(result.getServiceName()) ;
 		auditEvent.setRequestData(request.getRequestData());
-		auditEvent.setResourcePath(resource != null ? resource.getAsString(result.getServiceDef()) : null);
-		
+		auditEvent.setResourcePath(resourcePath);
+
 		return auditEvent;
 	}
 	
 	AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
+		RangerAccessRequest  request  = result.getAccessRequest();
+		RangerAccessResource resource = request.getResource();
+
+		String accessType = null;
+		if(request instanceof RangerHiveAccessRequest) {
+			RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest)request;
+
+			accessType = hiveRequest.getHiveAccessType().toString();
+		}
+
+		if(StringUtils.isEmpty(accessType)) {
+			accessType = request.getAccessType();
+		}
 
-		RangerHiveAccessRequest request  = (RangerHiveAccessRequest)result.getAccessRequest();
-		RangerHiveResource      resource = (RangerHiveResource)request.getResource();
-		String accessType = request.getHiveAccessType().toString();
 		String resourcePath = resource != null ? resource.getAsString(result.getServiceDef()) : null;
+
 		return createAuditEvent(result, accessType, resourcePath);
 	}