Posted to commits@atlas.apache.org by ma...@apache.org on 2017/03/20 17:27:38 UTC
incubator-atlas git commit: ATLAS-1671: fix for missing client IP in
Ranger audit log for Atlas authorizations
Repository: incubator-atlas
Updated Branches:
refs/heads/master b86e8591a -> d6e40806f
ATLAS-1671: fix for missing client IP in Ranger audit log for Atlas authorizations
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/d6e40806
Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/d6e40806
Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/d6e40806
Branch: refs/heads/master
Commit: d6e40806f8133db38996d93ac0da3161c39865fa
Parents: b86e859
Author: nixonrodrigues <ni...@freestoneinfotech.com>
Authored: Fri Mar 17 14:58:05 2017 +0530
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Mar 20 10:27:29 2017 -0700
----------------------------------------------------------------------
.../atlas/authorize/AtlasAccessRequest.java | 6 +--
.../simple/AtlasAuthorizationUtils.java | 43 +++++++++++++-------
.../simple/SimpleAtlasAuthorizerTest.java | 8 ++--
.../atlas/web/resources/AdminResource.java | 11 ++---
.../org/apache/atlas/web/util/Servlets.java | 17 --------
5 files changed, 42 insertions(+), 43 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
index 377aca7..9b405cc 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -40,11 +40,11 @@ public class AtlasAccessRequest {
public AtlasAccessRequest(HttpServletRequest request, String user, Set<String> userGroups) {
this(AtlasAuthorizationUtils.getAtlasResourceType(request.getServletPath()), "*", AtlasAuthorizationUtils
- .getAtlasAction(request.getMethod()), user, userGroups);
+ .getAtlasAction(request.getMethod()), user, userGroups,AtlasAuthorizationUtils.getRequestIpAddress(request));
}
public AtlasAccessRequest(Set<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action,
- String user, Set<String> userGroups) {
+ String user, Set<String> userGroups, String clientIPAddress) {
if (isDebugEnabled) {
LOG.debug("==> AtlasAccessRequestImpl-- Initializing AtlasAccessRequest");
}
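Review bot: The new `clientIPAddress` constructor parameter has no stated contract for an unknown address. The request-based constructor above now passes the result of `getRequestIpAddress(request)`, which returns `""` on failure, while the value stored before this change was `null`, so audit consumers can see two spellings of "no address". I would document it on the constructor, e.g. `@param clientIPAddress address of the calling client as written to the audit record; null when not known`, and map `""` to `null` before it is stored. The constructor body continues past the end of this hunk.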
@@ -56,7 +56,7 @@ public class AtlasAccessRequest {
// set remaining fields to default value
setAccessTime(null);
- setClientIPAddress(null);
+ setClientIPAddress(clientIPAddress);
}
public Set<AtlasResourceTypes> getResourceTypes() {
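Review bot: The comment `// set remaining fields to default value` no longer describes the line below it, because the client address now comes from the caller instead of being defaulted. I would reword it to something like `// access time is defaulted; client IP is supplied by the caller`. The constructor starts outside this hunk.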
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
index 1b4661e..e907bf5 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
@@ -18,6 +18,7 @@
package org.apache.atlas.authorize.simple;
+import javax.servlet.http.HttpServletRequest;
import org.apache.atlas.AtlasClient;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasResourceTypes;
@@ -27,7 +28,8 @@ import org.apache.atlas.authorize.AtlasAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
+import java.net.InetAddress;
+import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
@@ -53,7 +55,7 @@ public class AtlasAuthorizationUtils {
String[] split = contextPath.split("/", 3);
String api = split[0];
- if(Pattern.matches("v\\d", api)) {
+ if (Pattern.matches("v\\d", api)) {
api = split[1];
}
@@ -98,16 +100,16 @@ public class AtlasAuthorizationUtils {
* @param contextPath
* @return set of AtlasResourceTypes types api mapped with AtlasResourceTypes.TYPE eg :- /api/atlas/types/*
*
- * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/*
- * /api/atlas/discovery/search/gremlin /api/atlas/graph/*
+ * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/*
+ * /api/atlas/discovery/search/gremlin /api/atlas/graph/*
+ *
+ * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/*
+ * /api/atlas/entities/{guid}* /api/atlas/discovery/*
*
- * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/*
- * /api/atlas/entities/{guid}* /api/atlas/discovery/*
- *
- * taxonomy API are also mapped to AtlasResourceTypes.TAXONOMY & AtlasResourceTypes.ENTITY and its terms APIs have
- * added AtlasResourceTypes.TERM associations.
+ * taxonomy API are also mapped to AtlasResourceTypes.TAXONOMY & AtlasResourceTypes.ENTITY and its terms APIs have
+ * added AtlasResourceTypes.TERM associations.
*
- * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed.
+ * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed.
*/
public static Set<AtlasResourceTypes> getAtlasResourceType(String contextPath) {
Set<AtlasResourceTypes> resourceTypes = new HashSet<>();
@@ -123,7 +125,7 @@ public class AtlasAuthorizationUtils {
|| api.startsWith("graph")) {
resourceTypes.add(AtlasResourceTypes.OPERATION);
} else if (api.startsWith("entities") || api.startsWith("lineage") ||
- api.startsWith("discovery") || api.startsWith("entity") || api.startsWith("search")) {
+ api.startsWith("discovery") || api.startsWith("entity") || api.startsWith("search")) {
resourceTypes.add(AtlasResourceTypes.ENTITY);
} else if (api.startsWith("taxonomies")) {
resourceTypes.add(AtlasResourceTypes.TAXONOMY);
@@ -134,7 +136,7 @@ public class AtlasAuthorizationUtils {
}
} else {
LOG.error("Unable to find Atlas Resource corresponding to : {}\nSetting {}"
- , api, AtlasResourceTypes.UNKNOWN.name());
+ , api, AtlasResourceTypes.UNKNOWN.name());
resourceTypes.add(AtlasResourceTypes.UNKNOWN);
}
@@ -144,13 +146,13 @@ public class AtlasAuthorizationUtils {
return resourceTypes;
}
- public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups) {
+ public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups, HttpServletRequest request) {
AtlasAuthorizer authorizer = null;
boolean isaccessAllowed = false;
Set<AtlasResourceTypes> resourceTypes = new HashSet<>();
resourceTypes.add(resourcetype);
- AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups);
+ AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups, AtlasAuthorizationUtils.getRequestIpAddress(request));
try {
authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
if (authorizer != null) {
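Review bot: `getRequestIpAddress(request)` is evaluated on the line before the `try`, so a caller that has no HTTP request and passes `null` gets a NullPointerException from the authorization check instead of a decision. Whether any caller does that is not visible here, but an authorization helper should not fail on a missing audit attribute. A guard such as `String clientIp = request != null ? getRequestIpAddress(request) : null;` ahead of the constructor call would keep the check independent of the audit detail. The `try` body and its handlers lie outside this hunk.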
@@ -162,4 +164,17 @@ public class AtlasAuthorizationUtils {
return isaccessAllowed;
}
+
+ public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
+ try {
+ InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr());
+
+ String ip = inetAddr.getHostAddress();
+
+ return ip;
+ } catch (UnknownHostException ex) {
+ LOG.error("Error occured when retrieving IP address", ex);
+ return "";
+ }
+ }
}
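Review bot: In `getRequestIpAddress`, a null or empty `getRemoteAddr()` is passed straight to `InetAddress.getByName`, which returns the loopback address for such input, so the audit record would show a local address that no client ever used. A null `httpServletRequest` throws instead. I would guard both cases before resolving and return the "unknown" value, as sketched below. Separately, `getRemoteAddr()` is the address of the immediate peer, so behind a proxy or load balancer the audit log would presumably carry the proxy's address. If a forwarded header is ever honoured here, it should be accepted only from explicitly configured trusted proxies.

```java
public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
    // Never hand null/empty to InetAddress.getByName(): it resolves to loopback,
    // which would record a false client address in the audit log.
    String remoteAddr = httpServletRequest != null ? httpServletRequest.getRemoteAddr() : null;

    if (remoteAddr == null || remoteAddr.isEmpty()) {
        return "";
    }

    try {
        return InetAddress.getByName(remoteAddr).getHostAddress();
    // … unchanged: catch UnknownHostException, log, return "" …
```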
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
index a3fc489..b36c9c7 100644
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
@@ -60,7 +60,7 @@ public class SimpleAtlasAuthorizerTest {
userGroups.add("grp3");
try {
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups);
+ resource, action, user, userGroups,"127.0.0.1");
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
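Review bot: The tests are only adapted to the new constructor signature with a literal `"127.0.0.1"`; nothing in this hunk, or in the three later hunks of this file that make the same edit, asserts that the address passed in ends up on the request. Since the commit exists to get the client IP into the audit record, I would add one assertion that reads the client address back from the constructed request. A small test of `getRequestIpAddress` covering its failure path would also help. Minor style: a space is missing after the comma in `userGroups,"127.0.0.1"`.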
@@ -103,7 +103,7 @@ public class SimpleAtlasAuthorizerTest {
Set<String> userGroups = new HashSet<>();
userGroups.add("grp1");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups);
+ resource, action, user, userGroups,"127.0.0.1");
try {
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
@@ -146,7 +146,7 @@ public class SimpleAtlasAuthorizerTest {
Set<String> userGroups = new HashSet<>();
userGroups.add("grp1");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups);
+ resource, action, user, userGroups,"127.0.0.1");
try {
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
@@ -188,7 +188,7 @@ public class SimpleAtlasAuthorizerTest {
Set<String> userGroups = new HashSet<>();
userGroups.add("grp3");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups);
+ resource, action, user, userGroups,"127.0.0.1");
try {
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java
----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java b/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java
index 0dfdeb2..097589f 100755
--- a/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java
+++ b/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java
@@ -244,10 +244,11 @@ public class AdminResource {
for (GrantedAuthority c : authorities) {
groups.add(c.getAuthority());
}
+
isEntityUpdateAccessAllowed = AtlasAuthorizationUtils.isAccessAllowed(AtlasResourceTypes.ENTITY,
- AtlasActionTypes.UPDATE, userName, groups);
+ AtlasActionTypes.UPDATE, userName, groups, httpServletRequest);
isEntityCreateAccessAllowed = AtlasAuthorizationUtils.isAccessAllowed(AtlasResourceTypes.ENTITY,
- AtlasActionTypes.CREATE, userName, groups);
+ AtlasActionTypes.CREATE, userName, groups, httpServletRequest);
}
JSONObject responseData = new JSONObject();
@@ -313,7 +314,7 @@ public class AdminResource {
AtlasExportResult result = exportService.run(exportSink, request, Servlets.getUserName(httpServletRequest),
Servlets.getHostName(httpServletRequest),
- Servlets.getRequestIpAddress(httpServletRequest));
+ AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest));
exportSink.close();
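Review bot: The export call now depends on `org.apache.atlas.authorize.simple.AtlasAuthorizationUtils` for a generic servlet helper, and the two import hunks below make the same substitution. Export and import are not authorization decisions, so this ties the web resource to the simple-authorizer package for something unrelated to it. Keeping a thin `Servlets.getRequestIpAddress` that delegates to the shared implementation, or moving the helper to a neutral utility class, would avoid that coupling. The enclosing method starts and ends outside this hunk.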
@@ -364,7 +365,7 @@ public class AdminResource {
result = importService.run(zipSource, request, Servlets.getUserName(httpServletRequest),
Servlets.getHostName(httpServletRequest),
- Servlets.getRequestIpAddress(httpServletRequest));
+ AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest));
} catch (Exception excp) {
LOG.error("importData(binary) failed", excp);
@@ -398,7 +399,7 @@ public class AdminResource {
result = importService.run(request, Servlets.getUserName(httpServletRequest),
Servlets.getHostName(httpServletRequest),
- Servlets.getRequestIpAddress(httpServletRequest));
+ AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest));
} catch (Exception excp) {
LOG.error("importFile() failed", excp);
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d6e40806/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java
----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java b/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java
index 926c509..4a92763 100755
--- a/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java
+++ b/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java
@@ -26,7 +26,6 @@ import org.apache.commons.collections.MapUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URLEncodedUtils;
import org.codehaus.jettison.json.JSONException;
@@ -38,10 +37,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.io.IOException;
-import java.io.PrintWriter;
import java.io.StringWriter;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.List;
@@ -184,19 +180,6 @@ public final class Servlets {
return StringEscapeUtils.escapeJson(inputStr);
}
- public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
- try {
- InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr());
-
- String ip = inetAddr.getHostAddress();
-
- return ip;
- } catch(UnknownHostException ex) {
- LOG.error("Error occured when retrieving IP address", ex);
- return "";
- }
- }
-
public static String getHostName(HttpServletRequest httpServletRequest) {
return httpServletRequest.getLocalName();
}