Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/17 06:03:00 UTC
incubator-ranger git commit: RANGER-404: Fix for missed audit-log in
HDFS plugin when mkdir fails
Repository: incubator-ranger
Updated Branches:
refs/heads/master 6f888a61f -> b3e31fadd
RANGER-404: Fix for missed audit-log in HDFS plugin when mkdir fails
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b3e31fad
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b3e31fad
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b3e31fad
Branch: refs/heads/master
Commit: b3e31fadd9fc35a4867d5bbbde0320ed791e0d1d
Parents: 6f888a6
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Apr 16 16:53:10 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Apr 16 21:01:41 2015 -0700
----------------------------------------------------------------------
.../hadoop/RangerHdfsAuthorizer.java | 52 ++++++++++++++++----
1 file changed, 43 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b3e31fad/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 61a95d2..55d8f73 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -286,7 +286,21 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
accessGranted = true;
} finally {
if(auditHandler != null) {
- auditHandler.logHadoopEvent(path, access, accessGranted);
+ FsAction action = access;
+
+ if(action == null) {
+ if(parentAccess != null) {
+ action = parentAccess;
+ } else if(ancestorAccess != null) {
+ action = ancestorAccess;
+ } else if(subAccess != null) {
+ action = subAccess;
+ } else {
+ action = FsAction.NONE;
+ }
+ }
+
+ auditHandler.logHadoopEvent(path, action, accessGranted);
}
}
}
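Review bot: The fallback in the `finally` block logs the first non-null of `parentAccess`, `ancestorAccess` and `subAccess`, which need not be the check that decided the outcome. When a caller requests more than one of them, the audit record can therefore name an access type that did not cause the denial. The event is also still logged against `path`, although the chosen action presumably applies to the parent or ancestor inode. Consider tracking the action and inode path under evaluation as each check runs and passing those to `logHadoopEvent`, or at least document the choice with `// access is null for parent/ancestor/sub-only checks (e.g. mkdir); log the first requested action so flushAudit() does not drop the event`. The enclosing method starts outside the hunk, so the order of the checks is inferred.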
@@ -436,6 +450,10 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
@Override
public void logAudit(RangerAccessResult result) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
+ }
+
if(! isAuditEnabled && result.getIsAudited()) {
isAuditEnabled = true;
}
@@ -457,30 +475,46 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
auditEvent.setRepositoryType(result.getServiceType());
auditEvent.setRepositoryName(result.getServiceName());
auditEvent.setResultReason(resourcePath);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
+ }
}
public void logHadoopEvent(String path, FsAction action, boolean accessGranted) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuditHandler.logHadoopEvent(" + path + ", " + action + ", " + accessGranted + ")");
+ }
+
auditEvent.setResultReason(path);
auditEvent.setAccessResult((short) (accessGranted ? 1 : 0));
auditEvent.setAccessType(action == null ? null : action.toString());
auditEvent.setAclEnforcer(HadoopModuleName);
auditEvent.setPolicyId(-1);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuditHandler.logHadoopEvent(" + path + ", " + action + ", " + accessGranted + "): " + auditEvent);
+ }
}
public void flushAudit() {
- if(! isAuditEnabled || StringUtils.isEmpty(auditEvent.getAccessType())) {
- return;
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuditHandler.flushAudit(" + isAuditEnabled + ", " + auditEvent + ")");
}
- String username = auditEvent.getUser();
+ if(isAuditEnabled && !StringUtils.isEmpty(auditEvent.getAccessType())) {
+ String username = auditEvent.getUser();
- boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) ;
-
- if (skipLog) {
- return ;
+ boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) ;
+
+ if (! skipLog) {
+ super.logAuthzAudit(auditEvent);
+ }
}
- super.logAuthzAudit(auditEvent);
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuditHandler.flushAudit(" + isAuditEnabled + ", " + auditEvent + ")");
+ }
}
}
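Review bot: The new exit message in `flushAudit` prints the same text whether the event was written or skipped, and it is skipped when `isAuditEnabled` is false, when the access type is empty, or when the user is in `excludeUsers`. This commit exists because audit events were being lost, so the exit line should state the outcome, e.g. `LOG.debug("<== RangerHdfsAuditHandler.flushAudit(): logged=" + logged)`, with `logged` set next to `super.logAuthzAudit(auditEvent)`. Separately, the debug lines in `logHadoopEvent` concatenate `path` unescaped. If HDFS paths can contain line breaks or other control characters, a client-chosen path could alter how the NameNode debug log reads, so escaping it before logging is worth considering.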