Posted to commits@ranger.apache.org by pr...@apache.org on 2019/12/14 01:28:04 UTC
[ranger] branch master updated: RANGER-2669: Blacklist for Ranger
Audits
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 7bc6266 RANGER-2669: Blacklist for Ranger Audits
7bc6266 is described below
commit 7bc6266e4d2c30e01fdaedc4b2c5e1d09ed7b79b
Author: Pradeep <pr...@apache.org>
AuthorDate: Fri Dec 13 23:38:15 2019 +0530
RANGER-2669: Blacklist for Ranger Audits
---
.../ranger/authorization/utils/StringUtil.java | 17 +++++++++
.../ranger/plugin/policyengine/PolicyEngine.java | 41 ++++++++++++++++++++++
.../plugin/policyengine/RangerPolicyEngine.java | 4 +++
.../apache/ranger/plugin/store/ServiceStore.java | 1 +
.../apache/ranger/plugin/util/ServicePolicies.java | 9 +++++
.../atlas/authorizer/RangerAtlasAuthorizer.java | 4 +--
.../java/org/apache/ranger/biz/ServiceDBStore.java | 41 ++++++++++++++++++++--
.../java/org/apache/ranger/rest/ServiceREST.java | 3 +-
8 files changed, 115 insertions(+), 5 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java b/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
index 2bb834d..17a0651 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
@@ -24,10 +24,14 @@ import java.util.Collection;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.TimeZone;
+import org.apache.commons.lang.StringUtils;
+
public class StringUtil {
private static final TimeZone gmtTimeZone = TimeZone.getTimeZone("GMT+0");
@@ -289,4 +293,17 @@ public class StringUtil {
return ret;
}
+
+ public static Set<String> toSet(String str) {
+ Set<String> values = new HashSet<String>();
+ if (StringUtils.isNotBlank(str)) {
+ for (String item : str.split(",")) {
+ if (StringUtils.isNotBlank(item)) {
+ values.add(StringUtils.trim(item));
+ }
+ }
+ }
+ return values;
+ }
+
}
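Review bot: toSet has no Javadoc, and since its output becomes the plugin-side audit exclusion lists it is worth stating the parsing contract exactly: the string is split on `,`, each token is trimmed, blank tokens are dropped, and a null or blank input yields an empty set, so `"a, ,b,"` gives `{a, b}`. A suitable header is `/** Splits a comma-separated list into trimmed, non-blank tokens; null or blank input yields an empty (mutable) set. */`. Note that the returned HashSet is mutable and is later handed out unchanged by PolicyEngine's getters; if that is not intended, wrapping the return value in an unmodifiable view would be a one-line change.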
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index a75a6c6..bc80677 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -33,6 +33,7 @@ import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
@@ -63,6 +64,9 @@ public class PolicyEngine {
private boolean useForwardedIPAddress;
private String[] trustedProxyAddresses;
private boolean isPreCleaned = false;
+ private final Set<String> auditExcludeUsers;
+ private final Set<String> auditExcludeGroups;
+ private final Set<String> auditExcludeRoles;
public boolean getUseForwardedIPAddress() {
@@ -111,6 +115,18 @@ public class PolicyEngine {
public RangerPluginContext getPluginContext() { return pluginContext; }
+ public Set<String> getAuditExcludeUsers() {
+ return auditExcludeUsers;
+ }
+
+ public Set<String> getAuditExcludeGroups() {
+ return auditExcludeGroups;
+ }
+
+ public Set<String> getAuditExcludeRoles() {
+ return auditExcludeRoles;
+ }
+
@Override
public String toString() {
return toString(new StringBuilder()).toString();
@@ -180,9 +196,26 @@ public class PolicyEngine {
break;
}
+ if (isAuditExcludedRequest(request)) {
+ ret.setIsAudited(false);
+ }
return ret;
}
+ private boolean isAuditExcludedRequest(RangerAccessRequest request) {
+ boolean ret = getAuditExcludeUsers().contains(request.getUser());
+
+ if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeGroups())) {
+ ret = CollectionUtils.containsAny(getAuditExcludeGroups(), request.getUserGroups());
+ }
+
+ if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeRoles())) {
+ Set<String> roles = this.pluginContext.getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());
+ ret = CollectionUtils.containsAny(getAuditExcludeRoles(), roles);
+ }
+ return ret;
+ }
+
public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine(" + ", " + servicePolicies + ", " + pluginContext + ")");
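Review bot: The new block at the top of this hunk clears the audit flag for every result, so denied requests from an excluded user, group or role are dropped as well; a compromised identity that sits on the exclude list could then probe permissions without leaving any audit record. Unless silencing denials is intended, gate the exclusion on the result's allow decision (the result type's allow accessor is not visible in this hunk) or document the choice next to `ret.setIsAudited(false)`. In isAuditExcludedRequest, `request.getUserGroups()` is passed straight to `CollectionUtils.containsAny`, which in the commons-collections 3 API dereferences both arguments, so a request carrying null groups would throw; guard it with `CollectionUtils.isNotEmpty(request.getUserGroups())` next to the existing check on the exclude set, and treat the roles lookup result the same way if it can return null. The method that returns `ret` starts outside the hunk.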
@@ -257,6 +290,10 @@ public class PolicyEngine {
}
}
+ this.auditExcludeUsers = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)) : new HashSet<String>();
+ this.auditExcludeGroups = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)) : new HashSet<String>();
+ this.auditExcludeRoles = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)) : new HashSet<String>();
+
RangerPerfTracer.log(perf);
if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
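Review bot: The three added assignments repeat the same `servicePolicies.getServiceConfig() != null ? StringUtil.toSet(...) : new HashSet<String>()` expression, and the second constructor later in this file repeats it again, so a future change to the parsing or the null handling has six places to go wrong. A small private helper that takes the config key keeps one definition of "absent config means no exclusions" and lets each constructor read the intent in one line per set. The enclosing constructor continues outside the hunk.

```java
    // Builds one audit-exclusion set from the service config; an absent config means
    // nothing is excluded, i.e. every request stays audited.
    private static Set<String> auditExcludeSet(ServicePolicies servicePolicies, String configKey) {
        return servicePolicies.getServiceConfig() != null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(configKey)) : new HashSet<String>();
    }

    // … unchanged: constructor body up to the perf tracer …
        this.auditExcludeUsers  = auditExcludeSet(servicePolicies, RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS);
        this.auditExcludeGroups = auditExcludeSet(servicePolicies, RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS);
        this.auditExcludeRoles  = auditExcludeSet(servicePolicies, RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES);
```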
@@ -585,6 +622,10 @@ public class PolicyEngine {
this.trustedProxyAddresses = other.trustedProxyAddresses;
this.pluginContext = other.pluginContext;
+ this.auditExcludeUsers = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)) : new HashSet<String>();
+ this.auditExcludeGroups = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)) : new HashSet<String>();
+ this.auditExcludeRoles = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)) : new HashSet<String>();
+
long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L;
List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>();
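Review bot: In this delta constructor the exclusion sets are rebuilt from the incoming `servicePolicies` payload rather than carried over from `other`, unlike `trustedProxyAddresses` and `pluginContext` just above; a delta response that arrives without a serviceConfig therefore silently resets all three sets to empty. That direction is fail-safe (every request is audited again) but it is not obvious from the code, so add a comment above the three lines such as `// exclusions come from the incoming payload, not from 'other': a missing serviceConfig means "audit everything"`. The enclosing constructor starts and ends outside the hunk.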
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 50313bc..4602903 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -38,6 +38,10 @@ public interface RangerPolicyEngine {
String AUDIT_NONE = "audit-none";
String AUDIT_DEFAULT = "audit-default";
+ String PLUGIN_AUDIT_EXCLUDE_USERS = "ranger.plugin.audit.exclude.users";
+ String PLUGIN_AUDIT_EXCLUDE_GROUPS = "ranger.plugin.audit.exclude.groups";
+ String PLUGIN_AUDIT_EXCLUDE_ROLES = "ranger.plugin.audit.exclude.roles";
+
String USER_CURRENT = "{" + RangerAccessRequestUtil.KEY_USER + "}";
String RESOURCE_OWNER = "{OWNER}";
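Review bot: The three new config keys are undocumented, yet they are the operator-facing switch that turns auditing off for selected principals, so their format and effect should be stated where they are declared. A Javadoc block above them should say that each value is a comma-separated list (whitespace around entries is ignored), that the keys are set in the service's config and delivered to plugins with the policies, and that a matching user, group or role causes the plugin to mark access results as not audited. Stating explicitly that matching is exact and case-sensitive would spare operators a surprise.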
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
index a52e96d..6283e02 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
@@ -119,4 +119,5 @@ public interface ServiceStore {
long getPoliciesCount(final String serviceName);
+ Map<String, String> getServiceConfigForPlugin(Long serviceId);
}
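Review bot: The new interface method has no Javadoc, and its contract matters because whatever it returns is attached to policy download responses and therefore leaves the admin server for every plugin host. Document that implementations return only service config entries whose keys begin with `ranger.plugin.`, that values are returned verbatim, and that nothing sensitive may be stored under that prefix. A suitable header is `/** Returns the service's {@code ranger.plugin.*} config entries for delivery to plugins; values are exposed to plugin hosts, so no secrets may use this prefix. */`.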
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
index 360404a..6ab068f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
@@ -59,6 +59,7 @@ public class ServicePolicies implements java.io.Serializable {
private TagPolicies tagPolicies;
private Map<String, SecurityZoneInfo> securityZones;
private List<RangerPolicyDelta> policyDeltas;
+ private Map<String, String> serviceConfig;
/**
* @return the serviceName
@@ -108,6 +109,14 @@ public class ServicePolicies implements java.io.Serializable {
public void setPolicyUpdateTime(Date policyUpdateTime) {
this.policyUpdateTime = policyUpdateTime;
}
+
+ public Map<String, String> getServiceConfig() {
+ return serviceConfig;
+ }
+ public void setServiceConfig(Map<String, String> serviceConfig) {
+ this.serviceConfig = serviceConfig;
+ }
+
/**
* @return the policies
*/
diff --git a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index b50fdcf..0e220f1 100644
--- a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -77,7 +77,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
@Override
public void init() {
if (isDebugEnabled) {
- LOG.debug("gautam init <===");
+ LOG.debug("==> RangerAtlasAuthorizer.init");
}
try {
@@ -89,7 +89,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
}
if (isDebugEnabled) {
- LOG.debug("gautam init ===> " );
+ LOG.debug("<== RangerAtlasAuthorizer.init()");
}
}
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index ecb8d11..4158900 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1651,6 +1651,9 @@ public class ServiceDBStore extends AbstractServiceStore {
boolean hasIsEnabledChanged = !existing.getIsenabled().equals(service.getIsEnabled());
+ List<XXServiceConfigMap> dbConfigMaps = daoMgr.getXXServiceConfigMap().findByServiceId(service.getId());
+ boolean hasExcludedUGRConfigChanged = hasExcludedUGRConfigChanged(dbConfigMaps, validConfigs);
+
List<XXTrxLog> trxLogList = svcService.getTransactionLog(service, existing, RangerServiceService.OPERATION_UPDATE_CONTEXT);
if(populateExistingBaseFields) {
@@ -1663,7 +1666,7 @@ public class ServiceDBStore extends AbstractServiceStore {
service.setVersion(existing.getVersion());
service = svcService.update(service);
- if (hasTagServiceValueChanged || hasIsEnabledChanged) {
+ if (hasTagServiceValueChanged || hasIsEnabledChanged || hasExcludedUGRConfigChanged) {
updatePolicyVersion(service, RangerPolicyDelta.CHANGE_TYPE_SERVICE_CHANGE, null, false);
}
}
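Review bot: The policy-version bump on the changed line fires only for the three audit-exclude keys, while getServiceConfigForPlugin in this same file forwards every `ranger.plugin.*` key to plugins; an edit to any other key under that prefix is persisted but never pushed until something else changes the version. Either extend the comparison in hasExcludedUGRConfigChanged to all `ranger.plugin.`-prefixed entries, or add a comment here stating that only the audit-exclude keys are live-refreshed, e.g. `// only the audit-exclude keys trigger a plugin refresh; other ranger.plugin.* keys are picked up with the next version bump`. The enclosing update method starts and ends outside the hunk.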
@@ -1672,7 +1675,6 @@ public class ServiceDBStore extends AbstractServiceStore {
String oldPassword = null;
- List<XXServiceConfigMap> dbConfigMaps = daoMgr.getXXServiceConfigMap().findByServiceId(service.getId());
for(XXServiceConfigMap dbConfigMap : dbConfigMaps) {
if(StringUtils.equalsIgnoreCase(dbConfigMap.getConfigkey(), CONFIG_KEY_PASSWORD)) {
oldPassword = dbConfigMap.getConfigvalue();
@@ -5316,4 +5318,39 @@ public class ServiceDBStore extends AbstractServiceStore {
ServiceDBStore.persistVersionChange(this);
}
}
+
+ @Override
+ public Map<String, String> getServiceConfigForPlugin(Long serviceId) {
+ Map<String, String> configs = new HashMap<String, String>();
+ List<XXServiceConfigMap> xxServiceConfigMaps = daoMgr.getXXServiceConfigMap().findByServiceId(serviceId);
+ if (CollectionUtils.isNotEmpty(xxServiceConfigMaps)) {
+ for (XXServiceConfigMap svcConfMap : xxServiceConfigMaps) {
+ if (StringUtils.startsWith(svcConfMap.getConfigkey(), "ranger.plugin.")) {
+ configs.put(svcConfMap.getConfigkey(), svcConfMap.getConfigvalue());
+ }
+ }
+ }
+ return configs;
+ }
+
+ private boolean hasExcludedUGRConfigChanged(List<XXServiceConfigMap> dbConfigMaps, Map<String, String> validConfigs) {
+ boolean ret = false;
+ String auditExcludeUsers = null;
+ String auditExcludeGroups = null;
+ String auditExcludeRoles = null;
+ for (XXServiceConfigMap dbConfigMap : dbConfigMaps) {
+ if (StringUtils.equalsIgnoreCase(dbConfigMap.getConfigkey(), RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)) {
+ auditExcludeUsers = StringUtils.trimToEmpty(dbConfigMap.getConfigvalue());
+ } else if (StringUtils.equalsIgnoreCase(dbConfigMap.getConfigkey(), RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)) {
+ auditExcludeGroups = StringUtils.trimToEmpty(dbConfigMap.getConfigvalue());
+ } else if (StringUtils.equalsIgnoreCase(dbConfigMap.getConfigkey(), RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)) {
+ auditExcludeRoles = StringUtils.trimToEmpty(dbConfigMap.getConfigvalue());
+ }
+ }
+ ret = !StringUtils.equals(auditExcludeUsers, validConfigs.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS))
+ || !StringUtils.equals(auditExcludeGroups, validConfigs.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS))
+ || !StringUtils.equals(auditExcludeRoles, validConfigs.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES));
+ return ret;
+ }
+
}
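Review bot: getServiceConfigForPlugin forwards every service config value whose key starts with `ranger.plugin.` verbatim, and ServiceREST attaches that map to each policy download, so any value stored under that prefix in future, credentials included, would be handed to every plugin host; add a comment on the loop stating that contract, e.g. `// everything under ranger.plugin.* is shipped to plugins; never store secrets under this prefix`. The prefix check is also case-sensitive while the key comparisons in hasExcludedUGRConfigChanged use equalsIgnoreCase, so a key saved as `Ranger.Plugin.audit.exclude.users` would trigger a version bump yet never reach the plugin. Separately, hasExcludedUGRConfigChanged compares trimmed DB values against the raw `validConfigs` values, and null against `""` when a key exists on only one side, so a trailing space or an empty entry reports a change and bumps the policy version; initialising the three locals to `""` and wrapping the right-hand side in `StringUtils.trimToEmpty(...)` makes the comparison symmetric.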
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 62ffee4..8ad020e 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3095,7 +3095,7 @@ public class ServiceREST {
} else {
ret = updatedServicePolicies;
}
-
+ ret.setServiceConfig(svcStore.getServiceConfigForPlugin(ret.getServiceId()));
httpCode = HttpServletResponse.SC_OK;
logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. Policy version=" + ret.getPolicyVersion();
}
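Review bot: `ret.setServiceConfig(...)` writes into the object that `updatedServicePolicies` refers to; if that is the instance held by the server-side policy cache rather than a per-request copy (not visible in this hunk), request threads are now mutating a shared object and a concurrent reader could observe the map mid-update. Attaching the config where the ServicePolicies object is assembled, or copying it before the write, avoids that. The call also issues a DB query on every download, including delta-only responses where the exclusion config may not have changed. The enclosing method starts and ends outside the hunk.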
@@ -3217,6 +3217,7 @@ public class ServiceREST {
} else {
ret = updatedServicePolicies;
}
+ ret.setServiceConfig(svcStore.getServiceConfigForPlugin(ret.getServiceId()));
httpCode = HttpServletResponse.SC_OK;
logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. Policy version=" + ret.getPolicyVersion();
}
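Review bot: This is the second endpoint to bolt `ret.setServiceConfig(svcStore.getServiceConfigForPlugin(ret.getServiceId()))` onto the response after the fact, so the plugin-visible config is now populated in two places that must be kept in step and is absent from any other path that hands out a ServicePolicies object. Moving the lookup into the store method that produces `updatedServicePolicies` would give a single source of truth and let both endpoints drop the line. Until then a comment such as `// keep in sync with the other policy-download endpoint` above the call would help the next maintainer. The enclosing method starts and ends outside the hunk.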