You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2014/12/12 02:30:25 UTC
[42/51] [partial] incubator-ranger git commit: RANGER-194: Rename
packages from xasecure to apache ranger
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
deleted file mode 100644
index 29f2c22..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/URLBasedAuthDB.java
+++ /dev/null
@@ -1,480 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hdfs;
-
-import java.io.File;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.log4j.Level;
-import org.apache.log4j.LogManager;
-
-import com.xasecure.authorization.hadoop.HDFSAccessVerifier;
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.pdp.config.PolicyChangeListener;
-import com.xasecure.pdp.config.PolicyRefresher;
-import com.xasecure.pdp.constants.XaSecureConstants;
-import com.xasecure.pdp.model.Policy;
-import com.xasecure.pdp.model.PolicyContainer;
-import com.xasecure.pdp.model.ResourcePath;
-import com.xasecure.pdp.model.RolePermission;
-
-public class URLBasedAuthDB implements HDFSAccessVerifier, PolicyChangeListener {
-
- private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ;
-
- private static URLBasedAuthDB me = null;
-
- private PolicyRefresher refresher = null ;
-
- private PolicyContainer policyContainer = null;
-
- private HashMap<String,Boolean> cachedAuditFlag = new HashMap<String,Boolean>() ; // needs to be cleaned when ruleList changes
-
- private static final long MAX_NO_OF_AUDIT_CACHE_ENTRIES = 1000L ;
-
-
- public static URLBasedAuthDB getInstance() {
- if (me == null) {
- synchronized (URLBasedAuthDB.class) {
- URLBasedAuthDB temp = me;
- if (temp == null) {
- me = new URLBasedAuthDB();
- me.init() ;
- }
- }
- }
- return me;
- }
-
- private URLBasedAuthDB() {
- String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_PROP);
- long refreshInMilli = XaSecureConfiguration.getInstance().getLong(
- XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
- XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
- String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
-
- String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_LAST_SAVED_POLICY_FILE_PROP) ;
-
- refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
-
- String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HDFS_POLICYMGR_URL_SAVE_FILE_PROP) ;
- if (saveAsFileName != null) {
- refresher.setSaveAsFileName(saveAsFileName) ;
- }
-
- if (lastStoredFileName != null) {
- refresher.setLastStoredFileName(lastStoredFileName);
- }
- }
-
- private void init() {
- refresher.setPolicyChangeListener(this);
- }
-
- @Override
- public void OnPolicyChange(PolicyContainer aPolicyContainer) {
- setPolicyContainer(aPolicyContainer);
- }
-
-
- @Override
- public boolean isAccessGranted(String aPathName, String pathOwnerName, String access, String username, Set<String> groups) {
-
- PolicyContainer pc = getPolicyContainer() ;
-
- if (pc == null) {
- return false ;
- }
-
- for(Policy acl : pc.getAcl()) {
-
- if (! acl.isEnabled()) {
- LOG.debug("Diabled acl found [" + acl + "]. Skipping this acl ...") ;
- continue ;
- }
-
- for(ResourcePath resource : acl.getResourceList()) {
-
- String path = resource.getPath() ;
-
- boolean rulePathMatched = false ;
-
- if (acl.getRecursiveInd() == 1) {
- if (resource.isWildcardPath()) {
- rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ;
- }
- else {
- rulePathMatched = aPathName.startsWith(path) ;
- }
- }
- else {
- if (resource.isWildcardPath()) {
- rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ;
- }
- else {
- rulePathMatched = aPathName.equals(path) ;
- }
- }
-
-
- if (rulePathMatched) {
- for (RolePermission rp : acl.getPermissions()) {
- if (rp.getAccess().contains(access)) {
- if ( rp.getUsers().contains(username) ) {
- return true ;
- }
- for(String ug : groups) {
- if ( rp.getGroups().contains(ug)) {
- return true ;
- }
- }
- if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) {
- return true ;
- }
- }
- }
- }
-
- }
- }
-
- return false ;
-
- }
-
- public static boolean isRecursiveWildCardMatch(String pathToCheck, String wildcardPath) {
- if (pathToCheck != null) {
- StringBuilder sb = new StringBuilder() ;
- for(String p : pathToCheck.split(File.separator) ) {
- sb.append(p) ;
- boolean matchFound = FilenameUtils.wildcardMatch(sb.toString(), wildcardPath) ;
- if (matchFound) {
- return true ;
- }
- sb.append(File.separator) ;
- }
- sb = null;
- }
- return false;
- }
-
- public PolicyContainer getPolicyContainer() {
- return policyContainer;
- }
-
- private synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) {
-
- for(Policy p : aPolicyContainer.getAcl()) {
- for(RolePermission rp : p.getPermissions()) {
- List<String> rpaccess = rp.getAccess() ;
- if (rpaccess != null && rpaccess.size() > 0) {
- List<String> temp = new ArrayList<String>() ;
- for(String s : rpaccess) {
- temp.add(s.toLowerCase()) ;
- }
- rp.setAccess(temp);
- }
- }
- }
-
- this.policyContainer = aPolicyContainer ;
- this.cachedAuditFlag.clear();
- }
-
-
-
- public UserPermission printPermissionInfo(UserGroupInformation ugi) {
- return printPermissionInfo(ugi, null) ;
- }
-
- public UserPermission printPermissionInfo(UserGroupInformation ugi, String aPathName) {
-
- String username = ugi.getShortUserName() ;
-
- String[] groups = ugi.getGroupNames() ;
-
- UserPermission up = new UserPermission(username,groups, aPathName) ;
-
- PolicyContainer pc = getPolicyContainer() ;
-
- if (pc != null) {
-
- for(Policy acl : pc.getAcl()) {
-
- for(ResourcePath resource : acl.getResourceList()) {
-
- String path = resource.getPath() ;
-
- boolean rulePathMatched = false ;
-
- if (acl.getRecursiveInd() == 1) {
- if (resource.isWildcardPath()) {
- rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ;
- }
- else {
- rulePathMatched = aPathName.startsWith(path) ;
- }
- }
- else {
- if (resource.isWildcardPath()) {
- rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ;
- }
- else {
- rulePathMatched = aPathName.equals(path) ;
- }
- }
-
-
- if (rulePathMatched) {
- for (RolePermission rp : acl.getPermissions()) {
- boolean isAccessGranted = false ;
- if (! isAccessGranted ) {
- if ( rp.getUsers().contains(username) ) {
- up.add(resource, acl.getRecursiveInd(), username, null, rp.getAccess());
- isAccessGranted = true ;
- }
- }
- if ( ! isAccessGranted ) {
- for(String ug : groups) {
- if ( rp.getGroups().contains(ug)) {
- up.add(resource, acl.getRecursiveInd(), null, ug, rp.getAccess());
- }
- }
- }
- if (! isAccessGranted ) {
- if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) {
- up.add(resource, acl.getRecursiveInd(), null, XaSecureConstants.PUBLIC_ACCESS_ROLE, rp.getAccess());
- }
- }
- }
- }
- }
- }
- }
-
- return up ;
- }
-
-
- class UserPermission {
-
- private String userName ;
- private String groups ;
- private String pathName ;
- private HashMap<String,HashSet<String>> userPermissionMap = new HashMap<String,HashSet<String>>() ;
-
- public UserPermission(String userName, String[] groupList, String pathName) {
- this.userName = userName ;
- this.pathName = pathName ;
- StringBuilder sb = new StringBuilder() ;
- boolean first = true ;
- TreeSet<String> gl = new TreeSet<String>() ;
- for(String g : groupList) {
- gl.add(g) ;
- }
- for(String group : gl) {
- if (first) {
- first = false ;
- }
- else {
- sb.append(",") ;
- }
- sb.append(group) ;
- }
- this.groups = sb.toString() ;
- }
-
-
- public void add(ResourcePath resource, int recursiveInd, String userName, String groupName, List<String> accessList) {
-
- String path = resource.getPath() ;
-
- if (recursiveInd == 1) {
- if (path.endsWith("/")) {
- path = path + "**" ;
- }
- else {
- path = path + "/" + "**" ;
- }
- }
-
- HashSet<String> permMap = userPermissionMap.get(path) ;
-
- if (permMap == null) {
- permMap = new HashSet<String>() ;
- userPermissionMap.put(path,permMap) ;
- }
-
- for(String access : accessList) {
- if (! permMap.contains(access)) {
- permMap.add(access) ;
- }
- }
-
- }
-
- public void printUserInfo() {
- System.out.println("# USER INFORMATION") ;
- System.out.println("USER: " + userName ) ;
- System.out.println("GROUPS: " + groups ) ;
- }
-
- public void print() {
- if (pathName != null) {
- System.out.println("# PERMISSION INFORMATION FOR PATH [" + pathName + "]" + (userPermissionMap.size() == 0 ? " - NO RULES FOUND" : "")) ;
- }
- else {
- System.out.println("# PERMISSION INFORMATION" + (userPermissionMap.size() == 0 ? " - NO RULES FOUND" : "")) ;
- }
-
-
- if (userPermissionMap.size() > 0) {
- TreeSet<String> pathSet = new TreeSet<String>() ;
- pathSet.addAll(userPermissionMap.keySet()) ;
- StringBuilder sb = new StringBuilder();
- for(String path : pathSet) {
- sb.setLength(0) ;
- sb.append(String.format("%-50s", path)).append("|") ;
- TreeSet<String> permSet = new TreeSet<String>() ;
- permSet.addAll(userPermissionMap.get(path)) ;
- boolean first = true ;
- for(String perm: permSet) {
- if (! first) {
- sb.append(",") ;
- }
- else {
- first = false ;
- }
- sb.append(perm) ;
- }
- System.out.println(sb.toString()) ;
- }
- }
-
- }
- }
-
-
- @Override
- public boolean isAuditLogEnabled(String aPathName) {
- boolean ret = false ;
-
- HashMap<String,Boolean> tempCachedAuditFlag = cachedAuditFlag ;
-
- Boolean auditResult = (tempCachedAuditFlag == null ? null : tempCachedAuditFlag.get(aPathName)) ;
-
- if (auditResult != null) {
- ret = auditResult ;
- }
- else {
- ret = isAuditLogEnabledByACL(aPathName) ;
- if (tempCachedAuditFlag != null) {
- // tempCachedAuditFlag.put(aPathName,Boolean.valueOf(ret)) ;
- synchronized(tempCachedAuditFlag) {
- if (tempCachedAuditFlag.size() > MAX_NO_OF_AUDIT_CACHE_ENTRIES) {
- tempCachedAuditFlag.clear();
- }
- tempCachedAuditFlag.put(aPathName,Boolean.valueOf(ret)) ;
- }
- }
- }
-
- return ret ;
-
- }
-
-
- public boolean isAuditLogEnabledByACL(String aPathName) {
-
- boolean ret = false ;
-
- PolicyContainer pc = getPolicyContainer() ;
-
- if (pc == null) {
- return false ;
- }
-
- for(Policy acl : pc.getAcl()) {
-
- for(ResourcePath resource : acl.getResourceList()) {
-
- String path = resource.getPath() ;
-
- boolean rulePathMatched = false ;
-
- if (acl.getRecursiveInd() == 1) {
- if (resource.isWildcardPath()) {
- rulePathMatched = isRecursiveWildCardMatch(aPathName, path) ;
- }
- else {
- rulePathMatched = aPathName.startsWith(path) ;
- }
- }
- else {
- if (resource.isWildcardPath()) {
- rulePathMatched = FilenameUtils.wildcardMatch(aPathName, path) ;
- }
- else {
- rulePathMatched = aPathName.equals(path) ;
- }
- }
-
-
- if (rulePathMatched) {
- ret = ( acl.getAuditInd() == 1) ;
- break ;
- }
- }
- }
-
- return ret ;
- }
-
- public static void main(String[] args) throws Throwable {
- LogManager.getLogger(URLBasedAuthDB.class).setLevel(Level.ERROR);
- URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
- UserPermission up = null;
- if (args.length == 0) {
- up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser());
- up.printUserInfo() ;
- up.print();
- }
- else {
- up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser());
- up.printUserInfo() ;
- for(String path : args) {
- up = authDB.printPermissionInfo(UserGroupInformation.getCurrentUser(), path);
- up.print();
- System.out.println();
- }
- }
- System.exit(0);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
deleted file mode 100644
index c29dd7c..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hdfs/XASecureAuthorizer.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.hdfs;
-
-import java.util.Set;
-
-import com.xasecure.authorization.hadoop.HDFSAccessVerifier;
-
-public class XASecureAuthorizer implements HDFSAccessVerifier {
-
- private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
-
- @Override
- public boolean isAccessGranted(String aPathName, String aPathOwnerName, String access, String username, Set<String> groups) {
- return authDB.isAccessGranted(aPathName, aPathOwnerName, access, username, groups);
- }
-
- @Override
- public boolean isAuditLogEnabled(String aPathName) {
- return authDB.isAuditLogEnabled(aPathName) ;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
deleted file mode 100644
index e64c3e9..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthDB.java
+++ /dev/null
@@ -1,307 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hive;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.security.UserGroupInformation;
-
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo;
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveAccessType;
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveObjectType;
-import com.xasecure.authorization.utils.StringUtil;
-
-public class HiveAuthDB {
-
- private static final Log LOG = LogFactory.getLog(HiveAuthDB.class);
-
- private ArrayList<HiveAuthRule> allRuleList = null;
- private ArrayList<HiveAuthRule> tblRuleList = null;
- private ArrayList<HiveAuthRule> colRuleList = null;
-
- public HiveAuthDB() {
- this(null) ;
- }
-
-
- public HiveAuthDB(ArrayList<HiveAuthRule> aRuleList) {
-
- if (aRuleList == null) {
- aRuleList = new ArrayList<HiveAuthRule>() ;
- }
-
- LOG.info("Number of Rules in the PolicyContainer: " + ((aRuleList == null) ? 0 : aRuleList.size()) ) ;
-
- allRuleList = new ArrayList<HiveAuthRule>() ;
- colRuleList = new ArrayList<HiveAuthRule>();
- tblRuleList = new ArrayList<HiveAuthRule>() ;
-
- allRuleList = aRuleList ;
-
- for (HiveAuthRule rule : aRuleList) {
- if (rule.isTableRule()) {
- this.tblRuleList.add(rule);
- } else {
- this.colRuleList.add(rule);
- }
- }
-
- }
-
- public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) {
- boolean ret = false;
-
- if(objAccessInfo.getAccessType() == HiveAccessType.NONE || objAccessInfo.getObjectType() == HiveObjectType.NONE) {
- return true;
- }
-
- String accessType = objAccessInfo.getAccessType().name();
-
- switch(objAccessInfo.getObjectType()) {
- case DATABASE:
- ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase());
- break;
-
- case TABLE:
- case INDEX:
- case PARTITION:
- ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getTable());
- break;
-
- case VIEW:
- ret = isAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getView());
- break;
-
- case COLUMN:
- {
- String deniedColumn = findDeniedColumn(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getTable(), objAccessInfo.getColumns());
-
- ret = StringUtil.isEmpty(deniedColumn);
-
- if(! ret) {
- objAccessInfo.setDeinedObjectName(XaHiveObjectAccessInfo.getObjectName(objAccessInfo.getDatabase(), objAccessInfo.getTable(), deniedColumn));
- }
- }
- break;
-
- case FUNCTION:
- ret = isUDFAccessAllowed(ugi, accessType, objAccessInfo.getDatabase(), objAccessInfo.getFunction());
- break;
-
- case URI:
- // Handled in XaSecureHiveAuthorizer
- break;
-
- case NONE:
- break;
- }
-
- return ret;
- }
-
- public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) {
- boolean ret = false;
-
- if( objAccessInfo.getAccessType() == HiveAccessType.NONE
- || objAccessInfo.getObjectType() == HiveObjectType.NONE
- || objAccessInfo.getObjectType() == HiveObjectType.URI
- ) {
- return false;
- }
-
- String database = null;
- String table = null;
- List<String> columns = null;
- boolean isUDF = false;
-
- switch(objAccessInfo.getObjectType()) {
- case DATABASE:
- database = objAccessInfo.getDatabase();
- break;
-
- case TABLE:
- case INDEX:
- case PARTITION:
- database = objAccessInfo.getDatabase();
- table = objAccessInfo.getTable();
- break;
-
- case VIEW:
- database = objAccessInfo.getDatabase();
- table = objAccessInfo.getView();
- break;
-
- case COLUMN:
- database = objAccessInfo.getDatabase();
- table = objAccessInfo.getTable();
- columns = objAccessInfo.getColumns();
- break;
-
- case FUNCTION:
- database = objAccessInfo.getDatabase();
- table = objAccessInfo.getFunction();
- isUDF = true;
- break;
-
- case NONE:
- case URI:
- break;
- }
-
- if(StringUtil.isEmpty(columns)) {
- for (HiveAuthRule rule : allRuleList) {
- if(isUDF != rule.isUdf()) {
- continue;
- }
-
- if (rule.isTableMatch(database, table)) {
- ret = rule.isAudited() ;
-
- if (ret) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAudited(database=" + database + ", table=" + table + ", columns=" + StringUtil.toString(columns) + ") => [" + ret + "] as matched for rule: " + rule);
- }
-
- break ;
- }
- }
- }
- } else {
- // is audit enabled for any one column being accessed?
- for(String colName : columns) {
- for (HiveAuthRule rule : allRuleList) {
- if(isUDF != rule.isUdf()) {
- continue;
- }
-
- ret = rule.isMatched(database, table, colName) && rule.isAudited();
-
- if (ret) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAudited(database=" + database + ", table=" + table + ", columns=" + StringUtil.toString(columns) + ") => [" + ret + "] as matched for rule: " + rule);
- }
-
- break ;
- }
- }
-
- if(ret) {
- break;
- }
- }
- }
-
- return ret ;
- }
-
- private boolean isAccessAllowed(UserGroupInformation ugi, String accessType, String database) {
- boolean ret = false;
-
- for (HiveAuthRule rule : allRuleList) {
- ret = rule.isMatched(database, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
-
- if(ret) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ") => [" + ret + "] as matched for rule: " + rule);
- }
-
- break;
- }
- }
-
- return ret;
- }
-
- private boolean isAccessAllowed(UserGroupInformation ugi, String accessType, String database, String tableOrView) {
- boolean ret = false;
-
- for (HiveAuthRule rule : tblRuleList) {
- ret = rule.isMatched(database, tableOrView, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
-
- if(ret) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ") => [" + ret + "] as matched for rule: " + rule);
- }
-
- break;
- }
- }
-
- return ret;
- }
-
- private String findDeniedColumn(UserGroupInformation ugi, String accessType, String database, String tableOrView, List<String> columns) {
- String deinedColumn = null;
-
- boolean isAllowed = isAccessAllowed(ugi, accessType, database, tableOrView); // check if access is allowed at the table level
-
- if(!isAllowed && !StringUtil.isEmpty(columns)) {
- for(String column : columns) {
- for (HiveAuthRule rule : colRuleList) {
- isAllowed = rule.isMatched(database, tableOrView, column, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
-
- if(isAllowed) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ", column=" + column + ") => [" + isAllowed + "] as matched for rule: " + rule);
- }
-
- break;
- }
- }
-
- if(!isAllowed) {
- deinedColumn = column;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", tableOrView=" + tableOrView + ", column=" + column + ") => [" + isAllowed + "]");
- }
- break;
- }
- }
- }
-
- return deinedColumn;
- }
-
- private boolean isUDFAccessAllowed(UserGroupInformation ugi, String accessType, String database, String udfName) {
- boolean ret = false;
-
- for (HiveAuthRule rule : tblRuleList) {
- if(! rule.isUdf()) {
- continue;
- }
-
- ret = rule.isMatched(database, udfName, ugi.getShortUserName(), ugi.getGroupNames(), accessType);
-
- if(ret) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isAccessAllowed(user=" + ugi.getShortUserName() + ", groups=" + StringUtil.toString(ugi.getGroupNames()) + ", accessType=" + accessType + ", database=" + database + ", udfName=" + udfName + ") => [" + ret + "] as matched for rule: " + rule);
- }
-
- break;
- }
- }
-
- return ret;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
deleted file mode 100644
index 984b680..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthRule.java
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hive;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveAccessType;
-import com.xasecure.authorization.hive.constants.XaSecureHiveConstants;
-import com.xasecure.authorization.utils.StringUtil;
-
-
-public class HiveAuthRule {
-
- private static final Log LOG = LogFactory.getLog(HiveAuthRule.class) ;
-
- public static final String WILDCARD_OBJECT = ".*" ;
-
- private String databaseName;
- private String tableName;
- private String columnName;
- private String accessType;
- private String group;
- private String user;
- private boolean tableRule = false;
- private boolean allGranted = false;
- private boolean udf = false;
- private boolean tableExcluded = false;
- private boolean columnExcluded = false;
- private boolean audited = false;
- private boolean encrypted = false;
-
- public HiveAuthRule(String dbName, String tableName, String colName, String permission, String user, String group) {
- this(false, dbName,tableName,colName,permission,user,group, false, false) ;
- }
-
- public HiveAuthRule(boolean udfInd, String dbName, String tableName, String colName, String permission, String user, String group, boolean tableExclusionFlag, boolean columnExclusionFlag) {
- this.udf = udfInd ;
- this.databaseName = StringUtil.toLower(dbName);
- this.tableName = StringUtil.toLower(tableName);
- this.columnName = StringUtil.toLower(colName);
- this.accessType = permission ;
- this.user = user;
- this.group = group ;
- this.tableExcluded = tableExclusionFlag ;
- this.columnExcluded = columnExclusionFlag ;
-
- this.allGranted = StringUtil.equalsIgnoreCase(HiveAccessType.ALL.name(), accessType);
-
- tableRule = StringUtil.isEmpty(columnName) || WILDCARD_OBJECT.matches(columnName) ;
- }
-
- @Override
- public String toString() {
- return "db:" + databaseName + ", table: " + tableName + ", columnName: " + columnName + ", accessType: " + accessType + ",user: " + user + ", group: " + group + ",isTable:" + tableRule + ",audited:" + audited + ",encrypted:" + encrypted ;
- }
-
- public boolean isMatched(String user, String[] groups, String accessType) {
- String dbName = null;
- String tblName = null;
- String colName = null;
-
- return isMatched(dbName, tblName, colName, user, groups, accessType) ;
- }
-
- public boolean isMatched(String dbName, String user, String[] groups, String accessType) {
- String tblName = null;
- String colName = null;
-
- return isMatched(dbName, tblName, colName, user, groups, accessType) ;
- }
-
- public boolean isMatched(String dbName, String tblName, String user, String[] groups, String accessType) {
- String colName = null;
-
- return isMatched(dbName, tblName, colName, user, groups, accessType) ;
- }
-
- public boolean isMatched(String dbName, String tblName, String colName, String user, String[] groups, String accessType) {
- boolean ret = isMatched(dbName, tblName, colName);
-
- if(ret) {
- // does accessType match?
- ret = StringUtil.equalsIgnoreCase(accessType, this.accessType);
-
- if(! ret && !StringUtil.equalsIgnoreCase(accessType, HiveAccessType.ADMIN.name())) {
- ret = this.isAllGranted() || StringUtil.equalsIgnoreCase(accessType, "USE");
- }
-
- if(ret) {
- // does user/group match?
- ret = StringUtil.equals(user, this.user) ||
- StringUtil.equals(XaSecureHiveConstants.PUBLIC_ACCESS_ROLE, this.group) ||
- StringUtil.contains(groups, this.group);
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("isMatched(db=" + dbName + ", table=" + tblName + ", col=" + colName + ", user=" + user + ", groups=" + StringUtil.toString(groups) + ", accessType=" + accessType + ") => rule[" + this.databaseName + ":" + this.tableName + ":" + this.columnName + ":" + this.user + ":" + this.group + ":" + this.accessType + "] returns [" + ret + "]");
- }
-
- return ret ;
- }
-
- public boolean isMatched(String dbName, String tblName, String colName) {
- boolean ret = isTableMatch(dbName, tblName);
-
- if (ret) {
- colName = StringUtil.toLower(colName);
-
- if (colName != null) {
- ret = colName.matches(this.columnName);
-
- if (columnExcluded) {
- ret = (! ret) ;
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("isMatched(db=" + dbName + ", table=" + tblName + ", col=" + colName + ") => rule[" + this.databaseName + ":" + this.tableName + ":" + this.columnName + "] returns [" + ret + "]");
- }
-
- return ret ;
- }
-
- public boolean isTableMatch(String dbName, String tblName) {
- boolean ret = isDBMatch(dbName);
-
- if(ret) {
- tblName = StringUtil.toLower(tblName);
-
- if(tblName != null) {
- ret = tblName.matches(this.tableName);
-
- if(tableExcluded) {
- ret = !ret;
- }
- }
- }
-
- return ret;
- }
-
- public boolean isDBMatch(String dbName) {
- boolean ret = false;
-
- dbName = StringUtil.toLower(dbName);
-
- ret = dbName == null || dbName.matches(this.databaseName);
-
- return ret;
- }
-
- public String getDbName() {
- return databaseName;
- }
-
- public String getTableName() {
- return tableName;
- }
-
- public String getColumnName() {
- return columnName;
- }
-
- public String getAccessType() {
- return accessType;
- }
-
- public String getUser() {
- return user;
- }
-
- public String getGroup() {
- return group;
- }
-
- public boolean isTableRule() {
- return tableRule;
- }
-
- public boolean isAllGranted() {
- return allGranted ;
- }
-
- public boolean isUdf() {
- return udf;
- }
-
- public boolean isAudited() {
- return audited;
- }
-
- public void setAudited(boolean audited) {
- this.audited = audited;
- }
-
- public boolean isEncrypted() {
- return encrypted;
- }
-
- public void setEncrypted(boolean encrypted) {
- this.encrypted = encrypted;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
deleted file mode 100644
index 3fd845e..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/HiveAuthorizationProviderBase.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hive;
-
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-import org.apache.hadoop.security.UserGroupInformation;
-
-import com.xasecure.authorization.hive.XaHiveAccessVerifier;
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo;
-
-public class HiveAuthorizationProviderBase implements XaHiveAccessVerifier {
-
- private static final Log LOG = LogFactory.getLog(HiveAuthorizationProviderBase.class);
-
- protected HiveAuthDB authDB = new HiveAuthDB() ;
-
-
- public HiveAuthDB getAuthDB() {
- return authDB ;
- }
-
- @Override
- public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) {
- HiveAuthDB ldb = authDB ;
-
- if (ldb == null) {
- throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
- }
-
- boolean ret = ldb.isAccessAllowed(ugi, objAccessInfo);
-
- return ret;
- }
-
- @Override
- public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) {
- HiveAuthDB ldb = authDB ;
-
- if (ldb == null) {
- throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
- }
-
- return ldb.isAudited(objAccessInfo) ;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java
deleted file mode 100644
index fc07c6e..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/URLBasedAuthDB.java
+++ /dev/null
@@ -1,222 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.xasecure.pdp.hive;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.pdp.config.PolicyChangeListener;
-import com.xasecure.pdp.config.PolicyRefresher;
-import com.xasecure.pdp.constants.XaSecureConstants;
-import com.xasecure.pdp.model.Policy;
-import com.xasecure.pdp.model.PolicyContainer;
-import com.xasecure.pdp.model.RolePermission;
-
-public class URLBasedAuthDB extends HiveAuthorizationProviderBase implements PolicyChangeListener {
-
- private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ;
-
- private static URLBasedAuthDB me = null ;
-
- private PolicyContainer policyContainer = null ;
-
- private PolicyRefresher refresher = null ;
-
-
- public static URLBasedAuthDB getInstance() {
- if (me == null) {
- synchronized(URLBasedAuthDB.class) {
- URLBasedAuthDB temp = me ;
- if (temp == null) {
- me = new URLBasedAuthDB() ;
- me.init() ;
- }
- }
- }
- return me ;
- }
-
- private URLBasedAuthDB() {
- String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_PROP);
- long refreshInMilli = XaSecureConfiguration.getInstance().getLong(
- XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
- XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
-
- String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_LAST_SAVED_POLICY_FILE_PROP) ;
-
- String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
- refresher = new PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
-
- String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_HIVE_POLICYMGR_URL_SAVE_FILE_PROP) ;
- if (saveAsFileName != null) {
- refresher.setSaveAsFileName(saveAsFileName) ;
- }
-
- if (lastStoredFileName != null) {
- refresher.setLastStoredFileName(lastStoredFileName);
- }
-
- }
-
- private void init() {
- refresher.setPolicyChangeListener(this);
- }
-
- public PolicyContainer getPolicyContainer() {
- return policyContainer;
- }
-
- @Override
- public void OnPolicyChange(PolicyContainer policyContainer) {
-
- LOG.debug("OnPolicyChange() has been called with new PolicyContainer .....") ;
-
- try {
-
- ArrayList<HiveAuthRule> ruleListTemp = new ArrayList<HiveAuthRule>();
-
- this.policyContainer = policyContainer;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Number of acl found (before isEnabled check): " + ( policyContainer.getAcl() == null ? 0 : policyContainer.getAcl().size() ) );
- }
-
- for(Policy acl : policyContainer.getAcl()) {
-
- if (! acl.isEnabled()) {
- LOG.debug("Diabled acl found [" + acl + "]. Skipping this acl ...") ;
- continue ;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Number of database found in acl [" + acl + "] " + ( acl.getDatabaseList() == null ? 0 : acl.getDatabaseList().size() ) );
- LOG.debug("Number of Tables found in acl [" + acl + "] " + ( acl.getTableList() == null ? 0 : acl.getTableList().size() ) );
- LOG.debug("Number of Columns found in acl [" + acl + "] " + ( acl.getColumnList()== null ? 0 : acl.getColumnList().size() ) );
- }
-
- boolean isUDF = false ;
-
- List<String> dbList = new ArrayList<String>() ;
- String dbs = replaceFileBasedRegEx(acl.getDatabases()) ;
- dbList.add(getRegExFormatted(dbs)) ;
-
- List<String> tableList = new ArrayList<String>() ;
- String udfs = acl.getUdfs() ;
- if (udfs != null) {
- isUDF = true ;
- dbList.clear();
- dbList.add(HiveAuthRule.WILDCARD_OBJECT) ;
- tableList.clear();
- udfs = replaceFileBasedRegEx(udfs) ;
- tableList.add(getRegExFormatted(udfs)) ;
- }
- else {
- String tables = replaceFileBasedRegEx(acl.getTables()) ;
- tableList.add(getRegExFormatted(tables)) ;
- }
-
- List<String> columnList = new ArrayList<String>() ;
- String columns = replaceFileBasedRegEx(acl.getColumns()) ;
- columnList.add(getRegExFormatted(columns)) ;
-
-
- boolean isAudited = (acl.getAuditInd() == 1) ;
-
- boolean isEncrypted = (acl.getEncryptInd() == 1) ;
-
- for(String db : dbList) {
-
- for(String table : tableList) {
-
- for(String col : columnList) {
-
- for(RolePermission rp : acl.getPermissions()) {
- for (String accessLevel : rp.getAccess() ) {
- for (String group : rp.getGroups()) {
- HiveAuthRule rule = new HiveAuthRule(isUDF, db, table, col, accessLevel.toLowerCase(), null, group, acl.isTableSelectionExcluded(), acl.isColumnSelectionExcluded());
- rule.setAudited(isAudited);
- rule.setEncrypted(isEncrypted);
- LOG.debug("Adding rule [" + rule + "] to the authdb.");
- ruleListTemp.add(rule);
- }
- for (String user : rp.getUsers()) {
- HiveAuthRule rule = new HiveAuthRule(isUDF, db, table, col, accessLevel.toLowerCase(), user, null,acl.isTableSelectionExcluded(), acl.isColumnSelectionExcluded());
- rule.setAudited(isAudited);
- rule.setEncrypted(isEncrypted);
- LOG.debug("Adding rule [" + rule + "] to the authdb.");
- ruleListTemp.add(rule);
- }
- }
- }
-
-
- }
- }
- }
- }
- HiveAuthDB authDBTemp = new HiveAuthDB(ruleListTemp);
- authDB = authDBTemp;
- }
- catch(Throwable t) {
- LOG.error("OnPolicyChange has failed with an exception", t);
- }
- }
-
- public static String getRegExFormatted(String userEnteredStr) {
-
- if (userEnteredStr == null || userEnteredStr.trim().length() == 0) {
- return HiveAuthRule.WILDCARD_OBJECT ;
- }
-
- StringBuilder sb = new StringBuilder() ;
-
- for(String s : userEnteredStr.split(",")) {
- if (sb.length() == 0) {
- sb.append("(") ;
- }
- else {
- sb.append("|") ;
- }
- sb.append(s.trim()) ;
- }
-
- if (sb.length() > 0) {
- sb.append(")") ;
- }
-
- return sb.toString() ;
- }
-
-
- public static String replaceFileBasedRegEx(String userEnteredStr) {
- if (userEnteredStr != null) {
- userEnteredStr = userEnteredStr.replaceAll("\\.", "\\.")
- .replaceAll("\\?", "\\.")
- .replaceAll("\\*", ".*") ;
- }
- return userEnteredStr ;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java
deleted file mode 100644
index 2eca90f..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/hive/XASecureAuthorizer.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.hive;
-
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-import org.apache.hadoop.security.UserGroupInformation;
-
-import com.xasecure.authorization.hive.XaHiveAccessVerifier;
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo;
-
-public class XASecureAuthorizer implements XaHiveAccessVerifier {
-
- private XaHiveAccessVerifier authDB = URLBasedAuthDB.getInstance() ;
-
-
- @Override
- public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) {
- if (authDB == null) {
- throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
- }
- return authDB.isAccessAllowed(ugi, objAccessInfo);
- }
-
- @Override
- public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) {
- if (authDB == null) {
- throw new AuthorizationException("No Authorization Agent is available for AuthorizationCheck") ;
- }
- return authDB.isAudited(objAccessInfo) ;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java
deleted file mode 100644
index fb147b3..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/knox/URLBasedAuthDB.java
+++ /dev/null
@@ -1,453 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.xasecure.pdp.knox;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.pdp.config.Jersey2PolicyRefresher;
-import com.xasecure.pdp.config.PolicyChangeListener;
-import com.xasecure.pdp.constants.XaSecureConstants;
-import com.xasecure.pdp.model.Policy;
-import com.xasecure.pdp.model.PolicyContainer;
-import com.xasecure.pdp.model.RolePermission;
-
-public class URLBasedAuthDB implements PolicyChangeListener {
-
- private static final Log LOG = LogFactory.getLog(URLBasedAuthDB.class) ;
-
- private static URLBasedAuthDB me = null;
-
- private Jersey2PolicyRefresher refresher = null ;
-
- private PolicyContainer policyContainer = null;
-
- private HashMap<String,Boolean> cachedAuditFlag = new HashMap<String,Boolean>() ; // needs to be cleaned when ruleList changes
-
- public static URLBasedAuthDB getInstance() {
- if (me == null) {
- synchronized (URLBasedAuthDB.class) {
- URLBasedAuthDB temp = me;
- if (temp == null) {
- me = new URLBasedAuthDB();
- me.init() ;
- }
- }
- }
- return me;
- }
-
- public static URLBasedAuthDB getInstanceWithBackEndMocked() {
- return new URLBasedAuthDB("instanceWithBackednMocked");
- }
-
- private URLBasedAuthDB() {
- String url = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_PROP);
- long refreshInMilli = XaSecureConfiguration.getInstance().getLong(
- XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_PROP ,
- XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_RELOAD_INTERVAL_IN_MILLIS_DEFAULT);
- String sslConfigFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_SSL_CONFIG_FILE_PROP) ;
-
- String lastStoredFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_LAST_SAVED_POLICY_FILE_PROP) ;
-
- refresher = new Jersey2PolicyRefresher(url, refreshInMilli,sslConfigFileName,lastStoredFileName) ;
-
- String saveAsFileName = XaSecureConfiguration.getInstance().get(XaSecureConstants.XASECURE_KNOX_POLICYMGR_URL_SAVE_FILE_PROP) ;
- if (saveAsFileName != null) {
- refresher.setSaveAsFileName(saveAsFileName) ;
- }
-
- if (lastStoredFileName != null) {
- refresher.setLastStoredFileName(lastStoredFileName);
- }
- }
-
- private URLBasedAuthDB(String mockName) {
- }
-
- private void init() {
- refresher.setPolicyChangeListener(this);
- }
-
-
- @Override
- public void OnPolicyChange(PolicyContainer aPolicyContainer) {
- setPolicyContainer(aPolicyContainer);
- }
-
-
- public boolean isAccessGranted(String topology, String service, String access, String userName, Set<String> groups,
- String requestIp) {
-
- boolean accessGranted = false;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Evaluating access for topology: " + topology +
- ", service: " + service +
- ", access: " + access +
- ", requestingIp: " +requestIp +
- ", requestingUser: " + userName +
- ", requestingUserGroups: " + groups);
- }
- PolicyContainer policyContainer = getPolicyContainer() ;
-
- if (policyContainer == null) {
- LOG.warn("Denying access: policyContainer is null") ;
- return false ;
- }
-
- for(Policy policy : policyContainer.getAcl()) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Evaluating policy: " + policy.toString() ) ;
- }
-
- if (!policy.isEnabled()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Skipping policy: " + policy + ", policy disabled") ;
- }
- continue; // jump to next policy
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Evaluating topology match for policyTopologyList: " + policy.getTopologyList() +
- ", requestTopology: " + topology) ;
- }
-
- boolean topologyMatched = false;
-
- List<String> topologyList = policy.getTopologyList();
- if (topologyList == null || topologyList.isEmpty()) {
- LOG.debug("Denying access: policy topologyList is empty") ;
- continue; // jump to next policy
- }
-
- if (topologyList.contains("*") || topologyList.contains(topology)) {
- topologyMatched = true;
- LOG.debug("Policy topologyList matches requested topology");
- }
-
- if (!topologyMatched) {
- for (String policyTopology : topologyList) {
- if (FilenameUtils.wildcardMatch(topology, policyTopology)) {
- topologyMatched = true;
- LOG.debug("Policy topologyList matches requested topology");
- break; // break out of topologyList
- }
- }
- }
- if (!topologyMatched) {
- LOG.debug("Denying access: policy topologyList does not match requested topology") ;
- continue; // jump to next policy
- } else {
- LOG.debug("policy topologyList matches requested topology");
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Evaluating service match for policyServiceList: " + policy.getServiceList() +
- ", requestService: " + service) ;
- }
-
- boolean serviceMatched = false;
-
- List<String> serviceList = policy.getServiceList();
- if (serviceList == null || serviceList.isEmpty()) {
- LOG.debug("Denying access: policy serviceList is empty") ;
- continue; // jump to next policy
- }
-
- if (serviceList.contains("*") || serviceList.contains(service)) {
- serviceMatched = true;
- LOG.debug("Policy serviceList matches requested service");
- }
-
- if (!serviceMatched) {
- for (String policyService : serviceList) {
- if (FilenameUtils.wildcardMatch(service, policyService)) {
- serviceMatched = true;
- LOG.debug("Policy serviceList matches requested service");
- break; // break out of serviceList
- }
- }
- }
- if (!serviceMatched) {
- LOG.debug("Denying access: policy serviceList does not match requested service") ;
- continue; // jump to next policy
- } else {
- LOG.debug("Policy serviceList matches requested service");
- }
-
- LOG.debug("Checking accessType, IP, User, Group based permission");
- if ( policy.getPermissions() == null
- || policy.getPermissions().isEmpty()) {
- LOG.debug("Policy not applicable, no user or group based permission");
- }
-
- for (RolePermission rp : policy.getPermissions()) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Evaluating RolePermission: " + rp);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking accessTypeMatch for rolePermissionAccesType: "
- + rp.getAccess() + ", requestAccessType: " + access);
- }
-
- if (rp.getAccess().contains(access)) {
-
- LOG.debug("RolePermission accessType matches request accessType");
-
- boolean ipMatched = false;
- List<String> ipList = rp.getIpAddress();
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking ipMatch for rolePermissionIpList: " + ipList +
- ", requestIP: " + requestIp);
- }
-
- if (ipList == null || ipList.isEmpty()) {
- LOG.debug("RolePermission does not require IP Matching");
- ipMatched = true;
- } else if ( ipList.contains("*") ) {
- LOG.debug("RolePermission allows any IP: *");
- ipMatched = true;
- } else {
- for (String ip : ipList) {
- if (ipMatches(ip, requestIp)) {
- LOG.debug("RolePermission IP matches request IP");
- ipMatched = true;
- break;// break out of ipList
- }
- }
- }
-
- if (!ipMatched) {
- // ip not matched, jump to next RolePermission check
- LOG.debug("Request IP does not match RolePermission");
- continue; // jump to next rolePermission
- } else {
- LOG.debug("Request IP matches RolePermission");
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking userMatch for rolePermissionUsers: "
- + rp.getUsers() + ", requestUser: " + userName);
- }
-
- if ( rp.getUsers() != null && rp.getUsers().contains(userName) ) {
- LOG.debug("Request user matches RolePermission");
- return true ;
- }
- LOG.debug("RolePermission does not permit request by request user, would check by groups");
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking groupMatch for rolePermissionGroups: "
- + rp.getGroups() + ", requestGroups: " + groups);
- }
-
- for(String ug : groups) {
- if ( rp.getGroups() != null && rp.getGroups().contains(ug)) {
- LOG.debug("Request userGroups matches RolePermission");
- return true ;
- }
- }
- LOG.debug("RolePermission does not permit request by request user groups");
-
- if (rp.getGroups().contains(XaSecureConstants.PUBLIC_ACCESS_ROLE)) {
- LOG.debug("RolePermission applies to public group");
- return true ;
- }
-
- LOG.debug("RolePermission does not permit by users, groups or public group");
- } else {
- LOG.debug("rolePermissionAccessType does not match requestAccessType");
- }
- }
- }
- LOG.debug("No matching policy permission found, denying access");
- return accessGranted;
- }
-
- public boolean isAuditEnabled(String topology, String service) {
-
- boolean auditEnabled = false;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checcking whether audit is enabled for topology: " + topology +
- ", service: " + service );
- }
-
- PolicyContainer policyContainer = getPolicyContainer() ;
- if (policyContainer == null) {
- LOG.warn("PolicyContainer is null") ;
- return false ;
- }
-
- for(Policy policy : policyContainer.getAcl()) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Evaluating policy: " + policy) ;
- }
-
- if (!policy.isEnabled()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Skipping policy: " + policy + ", policy disabled") ;
- }
- continue; // jump to next policy
- }
-
- if (policy.getAuditInd() == 0) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Skipping policy: " + policy + ", policy audit disabled") ;
- }
- continue; // jump to next policy
- }
-
- boolean topologyMatched = false;
-
- List<String> topologyList = policy.getTopologyList();
- if (topologyList == null || topologyList.isEmpty()) {
- LOG.debug("Policy not applicable: policy topologyList is empty") ;
- continue; // jump to next policy
- }
-
- if (topologyList.contains("*") || topologyList.contains(topology)) {
- topologyMatched = true;
- LOG.debug("Policy topologyList matches requested topology");
- }
-
- if (!topologyMatched) {
- for (String policyTopology : topologyList) {
- if (FilenameUtils.wildcardMatch(topology, policyTopology)) {
- topologyMatched = true;
- LOG.debug("Policy topologyList matches requested topology");
- break; // break out of topologyList check
- }
- }
- }
- if (!topologyMatched) {
- LOG.debug("Policy not applicable: polocy topologyList does not match requested topology") ;
- continue; // jump to next policy
- } else {
- LOG.debug("Policy topologyList matches requested topology");
- }
-
- boolean serviceMatched = false;
-
- List<String> serviceList = policy.getServiceList();
- if (serviceList == null || serviceList.isEmpty()) {
- LOG.debug("Policy not applicable: serviceList is empty") ;
- continue; // jump to next policy
- }
-
- if (serviceList.contains("*") || serviceList.contains(service)) {
- serviceMatched = true;
- LOG.debug("Policy serviceList matches requested service");
- }
-
- if (!serviceMatched) {
- for (String policyService : serviceList) {
- if (FilenameUtils.wildcardMatch(service, policyService)) {
- serviceMatched = true;
- LOG.debug("Policy serviceList matches requested service");
- break; // break out of serviceList check
- }
- }
- }
- if (!serviceMatched) {
- LOG.debug("Policy not applicable: policy serviceList does not match requested service") ;
- continue; // jump to next policy
- } else {
- LOG.debug("Policy serviceList matches requested service");
- }
- auditEnabled = true;;
- break; // break out of policyList check
- }
- return auditEnabled;
- }
-
- public PolicyContainer getPolicyContainer() {
- return policyContainer;
- }
-
-
- synchronized void setPolicyContainer(PolicyContainer aPolicyContainer) {
-
- for(Policy p : aPolicyContainer.getAcl()) {
- for(RolePermission rp : p.getPermissions()) {
- // lowercase accesType value stings
- List<String> rpaccess = rp.getAccess() ;
- if (rpaccess != null && rpaccess.size() > 0) {
- List<String> temp = new ArrayList<String>() ;
- for(String s : rpaccess) {
- temp.add(s.toLowerCase()) ;
- }
- rp.setAccess(temp);
- }
- }
- }
-
- this.policyContainer = aPolicyContainer ;
- this.cachedAuditFlag.clear();
- }
-
-
- private boolean ipMatches(String policyIp, String requestIp) {
- if (policyIp == null) {
- return false;
- }
- policyIp = policyIp.trim();
- if (policyIp.isEmpty()) {
- return false;
- }
- boolean ipMatched = false;
- boolean wildEnd = false;
- if (policyIp.contains(".")) {
- while (policyIp.endsWith(".*")) {
- wildEnd = true;
- policyIp = policyIp.substring(0, policyIp.lastIndexOf(".*"));
- }
- if (wildEnd) {
- policyIp = policyIp + ".";
- }
- } else if (policyIp.contains(":")) {
- while (policyIp.endsWith(":*")) {
- wildEnd = true;
- policyIp = policyIp.substring(0, policyIp.lastIndexOf(":*"));
- }
- if (wildEnd) {
- policyIp = policyIp + ":";
- }
- }
- if (wildEnd && requestIp.toLowerCase().startsWith(policyIp.toLowerCase())) {
- ipMatched = true;
- } else if (policyIp.equalsIgnoreCase(requestIp)) {
- ipMatched = true;
- }
- return ipMatched;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java
deleted file mode 100644
index d3d2500..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/knox/XASecureAuthorizer.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.xasecure.pdp.knox;
-
-import java.util.Set;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import com.xasecure.authorization.knox.KnoxAccessVerifier;
-
-public class XASecureAuthorizer implements KnoxAccessVerifier {
-
- private static final Log LOG = LogFactory.getLog(XASecureAuthorizer.class) ;
-
- private static URLBasedAuthDB authDB = URLBasedAuthDB.getInstance() ;
-
- public XASecureAuthorizer() {
- }
-
- @Override
- public boolean isAccessAllowed(String topologyName, String serviceName, String accessType,
- String userName, Set<String> groups, String requestIp) {
- boolean accessAllowed = authDB.isAccessGranted(topologyName, serviceName, accessType, userName, groups,
- requestIp);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Computed access permission for topology: " + topologyName +
- ", service: " + serviceName +
- ", access: " + accessType +
- ", requestingIp: " +requestIp +
- ", requestingUser: " + userName +
- ", requestingUserGroups: " + groups +
- ", permitted: " + accessAllowed);
- }
- return accessAllowed;
- }
-
- @Override
- public boolean isAuditEnabled(String topologyName, String serviceName) {
- boolean auditEnabled = authDB.isAuditEnabled(topologyName, serviceName);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Computed audit enabled for topology: " + topologyName +
- ", service: " + serviceName +
- ", auditLogEnabled: " + auditEnabled);
- }
- return auditEnabled;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java
deleted file mode 100644
index c851a11..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/knox/deploy/XASecurePDPKnoxDeploymentContributor.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.xasecure.pdp.knox.deploy;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class XASecurePDPKnoxDeploymentContributor extends ProviderDeploymentContributorBase {
-
- private static final String FILTER_CLASSNAME = "com.xasecure.pdp.knox.filter.XASecurePDPKnoxFilter";
-
- @Override
- public String getRole() {
- return "authorization";
- }
-
- @Override
- public String getName() {
- return "XASecurePDPKnox";
- }
-
- @Override
- public void initializeContribution(DeploymentContext context) {
- super.initializeContribution(context);
- }
-
- @Override
- public void contributeProvider( DeploymentContext context, Provider provider ) {
- }
-
- @Override
- public void contributeFilter( DeploymentContext context, Provider provider, Service service,
- ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
- if (params == null) {
- params = new ArrayList<FilterParamDescriptor>();
- }
- // add resource role to params so that we can determine the acls to enforce at runtime
- params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
-
- // blindly add all the provider params as filter init params
- // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
- Map<String, String> providerParams = provider.getParams();
- for(Entry<String, String> entry : providerParams.entrySet()) {
- params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
- }
-
- resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java b/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java
deleted file mode 100644
index dfa68b5..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java
+++ /dev/null
@@ -1,215 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.xasecure.pdp.knox.filter;
-
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
-import org.apache.hadoop.gateway.security.GroupPrincipal;
-import org.apache.hadoop.gateway.security.ImpersonatedPrincipal;
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-
-import com.xasecure.audit.model.EnumRepositoryType;
-import com.xasecure.audit.model.KnoxAuditEvent;
-import com.xasecure.audit.provider.AuditProvider;
-import com.xasecure.audit.provider.AuditProviderFactory;
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants;
-import com.xasecure.authorization.knox.KnoxAccessVerifier;
-import com.xasecure.authorization.knox.KnoxAccessVerifierFactory;
-import com.xasecure.authorization.utils.StringUtil;
-
-public class XASecurePDPKnoxFilter implements Filter {
-
- private static final Log LOG = LogFactory.getLog(XASecurePDPKnoxFilter.class);
- private static final String ACL_ENFORCER = "xasecure-acl";
- private static final String PERM_ALLOW = "allow";
- private String resourceRole = null;
- private KnoxAccessVerifier knoxAccessVerifier;
-
-
- AuditProvider auditProvider = AuditProviderFactory.getAuditProvider();
- private final String REPOSITORY_NAME = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
-
- static {
- XaSecureConfiguration.getInstance().initAudit(AuditProviderFactory.ApplicationType.Knox);
- }
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- resourceRole = getInitParameter(filterConfig, "resource.role");
- knoxAccessVerifier = KnoxAccessVerifierFactory.getInstance();
- }
-
- private String getInitParameter(FilterConfig filterConfig, String paramName) {
- return filterConfig.getInitParameter(paramName.toLowerCase());
- }
-
- public void destroy() {
- }
-
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
-
- String sourceUrl = (String) request
- .getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
- String topologyName = getTopologyName(sourceUrl);
- String serviceName = getServiceName();
-
- Subject subject = Subject.getSubject(AccessController.getContext());
-
- Principal primaryPrincipal = (Principal) subject.getPrincipals(
- PrimaryPrincipal.class).toArray()[0];
- String primaryUser = primaryPrincipal.getName();
-
- String impersonatedUser = null;
- Object[] impersonations = subject.getPrincipals(
- ImpersonatedPrincipal.class).toArray();
- if (impersonations != null && impersonations.length > 0) {
- impersonatedUser = ((Principal) impersonations[0]).getName();
- }
-
- String user = (impersonatedUser != null) ? impersonatedUser
- : primaryUser;
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: "
- + impersonatedUser + ", effectiveUser: " + user);
- }
-
- Object[] groupObjects = subject.getPrincipals(GroupPrincipal.class)
- .toArray();
- Set<String> groups = new HashSet<String>();
- for (Object obj : groupObjects) {
- groups.add(((Principal) obj).getName());
- }
-
- String clientIp = request.getRemoteAddr();
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: "
- + impersonatedUser + ", effectiveUser: " + user +
- ", groups: " + groups + ", clientIp: " + clientIp);
- }
- boolean accessAllowed = knoxAccessVerifier.isAccessAllowed(
- topologyName, serviceName, PERM_ALLOW, user, groups, clientIp);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Access allowed: " + accessAllowed);
- }
- if (accessAllowed) {
- chain.doFilter(request, response);
- if (knoxAccessVerifier.isAuditEnabled(topologyName, serviceName)) {
- LOG.debug("Audit is enabled");
- logAuditEvent(user, clientIp, topologyName, serviceName,
- "allow", true);
- } else {
- LOG.debug("Audit is not enabled");
- }
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Access is denied");
- }
- if (knoxAccessVerifier.isAuditEnabled(topologyName, serviceName)) {
- LOG.debug("Audit is enabled");
- logAuditEvent(user, clientIp, topologyName, serviceName,
- "allow", false);
- } else {
- LOG.debug("Audit is not enabled");
- }
- sendForbidden((HttpServletResponse) response);
- }
- }
-
- private void sendForbidden(HttpServletResponse res) {
- sendErrorCode(res, 403);
- }
-
- private void sendErrorCode(HttpServletResponse res, int code) {
- try {
- res.sendError(code);
- } catch (IOException e) {
- LOG.error("Error while redireting:", e);
- }
- }
-
- private String getTopologyName(String requestUrl) {
- if (requestUrl == null) {
- return null;
- }
- String url = requestUrl.trim();
- String[] tokens = url.split("/");
- if (tokens.length > 2) {
- return tokens[2];
- } else {
- return null;
- }
- }
-
- private String getServiceName() {
- return resourceRole;
- }
-
- private void logAuditEvent(String userName, String clientIp,
- String topology, String service,
- String accessType, boolean accessGranted) {
-
- KnoxAuditEvent auditEvent = new KnoxAuditEvent();
-
- auditEvent.setUser(userName == null ?
- XaSecureHadoopConstants.AUDITLOG_EMPTY_STRING : userName);
- auditEvent.setResourcePath("/" + topology + "/" + service);
- auditEvent.setResourceType("service");
- auditEvent.setAccessType(accessType);
- auditEvent.setClientIP(clientIp);
- auditEvent.setEventTime(StringUtil.getUTCDate());
- auditEvent.setAccessResult((short) (accessGranted ? 1 : 0));
- auditEvent.setResultReason(null);
- auditEvent.setRepositoryType(EnumRepositoryType.KNOX);
- auditEvent.setRepositoryName(REPOSITORY_NAME);
- auditEvent.setAclEnforcer(ACL_ENFORCER);
-
- try {
- LOG.debug("logEvent [" + auditEvent + "] - START");
-
- AuditProvider ap = AuditProviderFactory.getAuditProvider();
- ap.log(auditEvent);
-
- LOG.debug("logEvent [" + auditEvent + "] - END");
- } catch (Throwable t) {
- LOG.error("ERROR logEvent [" + auditEvent + "]", t);
- }
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java b/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java
deleted file mode 100644
index a2bace7..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/model/Policy.java
+++ /dev/null
@@ -1,325 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.model;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import com.google.gson.annotations.SerializedName;
-import com.xasecure.pdp.config.gson.ExcludeSerialization;
-
-public class Policy {
-
- public static final String RESOURCE_SPLITER = "," ;
- public static final String POLICY_ENABLED_STATUS = "Enabled" ;
- public static final String SELECTION_TYPE_INCLUSIVE = "Inclusion" ;
- public static final String SELECTION_TYPE_EXCLUSIVE = "Exclusion" ;
-
- //
- // Only for HDFS policies
- //
- private String resource ;
- @SerializedName("isRecursive")
- private int recursiveInd;
-
- // Only for Knox Policies
- //
-
- @SerializedName("topology_name")
- private String topologies ;
-
- @SerializedName("service_name")
- private String services ;
-
-
- //
- // Only for Hive Policies
- //
-
- @SerializedName("database_name")
- private String databases ;
-
- @SerializedName("table_name")
- private String tables ;
-
- @SerializedName("udf_name")
- private String udfs ;
-
- @SerializedName("column_name")
- private String columns ;
-
- @SerializedName("column_families")
- private String columnfamilies ;
-
- //
- // Neede for all Policies
- //
- @SerializedName("permission")
- private List<RolePermission> permissions ;
-
- @SerializedName("audit")
- private int auditInd ;
-
- @SerializedName("encrypt")
- private int encryptInd ;
-
- @SerializedName("policyStatus")
- private String policyStatus;
-
- @SerializedName("tablePolicyType")
- private String tableSelectionType ;
-
- @SerializedName("columnPolicyType")
- private String columnSelectionType ;
-
- // Derived fields for PolicyAnalysis
- @ExcludeSerialization
- private List<ResourcePath> resourceList ;
- @ExcludeSerialization
- private List<String> databaseList ;
- @ExcludeSerialization
- private List<String> tableList ;
- @ExcludeSerialization
- private List<String> udfList ;
- @ExcludeSerialization
- private List<String> columnList ;
- @ExcludeSerialization
- private List<String> columnFamilyList ;
- @ExcludeSerialization
- private List<String> topologyList ;
- @ExcludeSerialization
- private List<String> serviceList ;
-
- public Policy() {
- permissions = new ArrayList<RolePermission>() ;
- }
-
-
- public String getResource() {
- return resource;
- }
-
- public void setResource(String resource) {
- this.resource = resource;
- }
-
- public String getDatabases() {
- return databases;
- }
-
- public void setDatabases(String databases) {
- this.databases = databases;
- }
-
- public String getTables() {
- return tables;
- }
-
- public void setTables(String tables) {
- this.tables = tables;
- }
-
- public String gettopologies() {
- return topologies;
- }
-
- public void setTopologies(String topologies) {
- this.topologies = topologies;
- }
-
- public String getServices() {
- return services;
- }
-
- public void setServices(String services) {
- this.services = services;
- }
- public String getUdfs() {
- return udfs;
- }
-
- public void setUdfs(String udfs) {
- this.udfs = udfs;
- }
-
-
- public String getColumns() {
- return columns;
- }
- public void setColumns(String columns) {
- this.columns = columns;
- }
- public String getColumnfamilies() {
- return columnfamilies;
- }
- public void setColumnfamilies(String columnfamilies) {
- this.columnfamilies = columnfamilies;
- }
-
- public List<RolePermission> getPermissions() {
- return permissions;
- }
- public void setPermissions(List<RolePermission> permissions) {
- this.permissions = permissions;
- }
-
- public int getRecursiveInd() {
- return recursiveInd;
- }
- public void setRecursiveInd(int recursiveInd) {
- this.recursiveInd = recursiveInd;
- }
-
- public int getAuditInd() {
- return auditInd;
- }
-
-
- public void setAuditInd(int auditInd) {
- this.auditInd = auditInd;
- }
-
-
- public int getEncryptInd() {
- return encryptInd;
- }
-
-
- public void setEncryptInd(int encryptInd) {
- this.encryptInd = encryptInd;
- }
-
- public String getPolicyStatus() {
- return policyStatus;
- }
-
-
- public void setPolicyStatus(String policyStatus) {
- this.policyStatus = policyStatus;
- }
-
- public String getTableSelectionType() {
- return tableSelectionType;
- }
-
-
- public void setTableSelectionType(String tableSelectionType) {
- this.tableSelectionType = tableSelectionType;
- }
-
-
- public String getColumnSelectionType() {
- return columnSelectionType;
- }
-
-
- public void setColumnSelectionType(String columnSelectionType) {
- this.columnSelectionType = columnSelectionType;
- }
-
- public boolean isTableSelectionExcluded() {
- return (this.tableSelectionType != null && SELECTION_TYPE_EXCLUSIVE.equalsIgnoreCase(this.tableSelectionType)) ;
- }
-
- public boolean isColumnSelectionExcluded() {
- return (this.columnSelectionType != null && SELECTION_TYPE_EXCLUSIVE.equalsIgnoreCase(this.columnSelectionType)) ;
- }
-
-
- // An older version of policy manager would show policyStatus as NULL (considered that as Enabled)
- public boolean isEnabled() {
- return (this.policyStatus == null || POLICY_ENABLED_STATUS.equalsIgnoreCase(this.policyStatus)) ;
- }
-
- public List<ResourcePath> getResourceList() {
- if (this.resourceList == null) {
- this.resourceList = getResourceList(resource) ;
- }
- return this.resourceList;
- }
- public List<String> getDatabaseList() {
- if (this.databaseList == null) {
- this.databaseList = getList(this.databases) ;
- }
- return this.databaseList;
- }
- public List<String> getTableList() {
- if (this.tableList == null) {
- this.tableList = getList(this.tables) ;
- }
- return this.tableList;
- }
- public List<String> getColumnList() {
- if (this.columnList == null) {
- this.columnList = getList(this.columns) ;
- }
- return this.columnList;
- }
- public List<String> getColumnFamilyList() {
- if (this.columnFamilyList == null) {
- this.columnFamilyList = getList(this.columnfamilies) ;
- }
- return this.columnFamilyList;
- }
- public List<String> getUDFList() {
- if (this.udfList == null && this.udfList != null) {
- this.udfList = getList(this.udfs) ;
- }
- return this.udfList;
- }
-
- public List<String> getTopologyList() {
- if (this.topologyList == null) {
- this.topologyList = getList(this.topologies) ;
- }
- return this.topologyList;
- }
-
- public List<String> getServiceList() {
- if (this.serviceList == null) {
- this.serviceList = getList(this.services) ;
- }
- return this.serviceList;
- }
-
-
- private List<String> getList(String resource) {
- List<String> ret = new ArrayList<String>() ;
- if (resource == null || resource.trim().isEmpty()) {
- resource = "*" ;
- }
- for(String r : resource.split(RESOURCE_SPLITER)) {
- ret.add(r) ;
- }
-
- return ret;
- }
-
- private List<ResourcePath> getResourceList(String resource) {
- List<ResourcePath> ret = new ArrayList<ResourcePath>() ;
- if (resource != null && ! resource.isEmpty()) {
- for(String path : resource.split(RESOURCE_SPLITER)) {
- ret.add(new ResourcePath(path)) ;
- }
- }
- return ret ;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java b/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java
deleted file mode 100644
index 1675d34..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/model/PolicyContainer.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.model;
-
-import java.util.List;
-
-import com.google.gson.annotations.SerializedName;
-
-public class PolicyContainer {
-
- @SerializedName("repository_name")
- private String repositoryName ;
-
- @SerializedName("last_updated")
- private long lastUpdatedTimeInEpoc ;
-
- @SerializedName("acl")
- private List<Policy> acl;
-
- public String getRepositoryName() {
- return repositoryName;
- }
- public void setRepositoryName(String repositoryName) {
- this.repositoryName = repositoryName;
- }
- public long getLastUpdatedTimeInEpoc() {
- return lastUpdatedTimeInEpoc;
- }
- public void setLastUpdatedTimeInEpoc(long lastUpdatedTimeInEpoc) {
- this.lastUpdatedTimeInEpoc = lastUpdatedTimeInEpoc;
- }
- public List<Policy> getAcl() {
- return acl;
- }
- public void setAcl(List<Policy> acl) {
- this.acl = acl;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java b/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java
deleted file mode 100644
index ff6a754..0000000
--- a/agents-impl/src/main/java/com/xasecure/pdp/model/ResourcePath.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.pdp.model;
-
-public class ResourcePath {
-
- String path ;
- boolean wildcardPath ;
-
- public ResourcePath(String path) {
- this.path = path ;
- if (this.path.contains("*") || this.path.contains("?")) {
- this.wildcardPath = true ;
- }
- }
-
- public String getPath() {
- return path;
- }
-
- public boolean isWildcardPath() {
- return wildcardPath;
- }
-
-
-}