Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/23 10:22:35 UTC
incubator-ranger git commit: RANGER-203: updated RangerBasePlugin
with policy-engine methods,
to make it easier for the plugins to use. Fix in HDFS plugin.
Repository: incubator-ranger
Updated Branches:
refs/heads/stack 1e8dc41a8 -> 615e2c52e
RANGER-203: updated RangerBasePlugin with policy-engine methods, to make
it easier for the plugins to use. Fix in HDFS plugin.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/615e2c52
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/615e2c52
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/615e2c52
Branch: refs/heads/stack
Commit: 615e2c52ea0835152a57da7732960af3ba43bec5
Parents: 1e8dc41
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Fri Jan 23 01:22:20 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Jan 23 01:22:20 2015 -0800
----------------------------------------------------------------------
.../ranger/audit/model/AuditEventBase.java | 4 -
.../audit/provider/AuditProviderFactory.java | 2 -
.../namenode/RangerFSPermissionChecker.java | 12 +-
.../agent/HadoopAuthClassTransformer.java | 9 +-
.../ranger/plugin/service/RangerBasePlugin.java | 150 +++++++++++++++----
5 files changed, 126 insertions(+), 51 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
index f5753f0..82fcab8 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java
@@ -19,12 +19,8 @@
package org.apache.ranger.audit.model;
-import java.util.Date;
-
import org.apache.ranger.audit.dao.DaoManager;
-import com.google.gson.annotations.SerializedName;
-
public abstract class AuditEventBase {
protected AuditEventBase() {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
index 8decfc2..fb5e8b5 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
@@ -19,9 +19,7 @@
package org.apache.ranger.audit.provider;
import java.util.ArrayList;
-import java.util.HashMap;
import java.util.List;
-import java.util.Map;
import java.util.Properties;
import org.apache.commons.logging.Log;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
index 9cf57a9..a4339af 100644
--- a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
+++ b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
@@ -47,8 +47,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerResource;
import org.apache.ranger.plugin.service.RangerBasePlugin;
@@ -108,12 +106,12 @@ public class RangerFSPermissionChecker {
}
}
- if (rangerPlugin != null && rangerPlugin.getPolicyEngine() != null) {
+ if (rangerPlugin != null) {
RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(aPathName, aPathOwnerName, access, user, groups);
- RangerAccessResult result = rangerPlugin.getPolicyEngine().isAccessAllowed(request, getCurrentAuditHandler());
+ RangerAccessResult result = rangerPlugin.isAccessAllowed(request, getCurrentAuditHandler());
- accessGranted = result.getResult() == RangerAccessResult.Result.ALLOWED;
+ accessGranted = (result != null && result.getResult() == RangerAccessResult.Result.ALLOWED);
}
}
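Review bot: A null `result` at the `accessGranted` assignment now means the plugin has no policy engine (not yet initialised, or `cleanup()` has run), and it is folded into the same `false` as a policy deny with nothing logged. The audit handler is only reached through the engine, so that state presumably leaves no audit record either, and an authorizer that is not evaluating policies at all would be hard to notice. I would add an explicit branch such as `if (result == null) { LOG.warn("Ranger policy engine not available; request not evaluated for " + aPathName); }`, using whatever logger the class already has. The enclosing method starts and ends outside the hunk, so what the caller does when `accessGranted` is false is not visible here.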
@@ -159,9 +157,7 @@ class RangerHdfsPlugin extends RangerBasePlugin {
}
public void init() {
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl();
-
- super.init(policyEngine);
+ super.init();
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
index 35d3981..1f21053 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/agent/HadoopAuthClassTransformer.java
@@ -109,15 +109,16 @@ public class HadoopAuthClassTransformer implements ClassFileTransformer {
}
if (checkMethod != null) {
+ checkMethod.insertAfter("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,true) ;");
+ CtClass throwable = ClassPool.getDefault().get("java.lang.Throwable");
+ checkMethod.addCatch("{ org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,false) ; throw $e; }", throwable);
+
if (snapShotClass == null && (!withIntParamInMiddle)) {
checkMethod.insertBefore("{ if ( org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.check(ugi,$1,$2) ) { return ; } }");
}
else {
checkMethod.insertBefore("{ if ( org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.check(ugi,$1,$3) ) { return ; } }");
}
- checkMethod.insertAfter("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,true) ;");
- CtClass throwable = ClassPool.getDefault().get("java.lang.Throwable");
- checkMethod.addCatch("{ org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.logHadoopEvent($1,false) ; throw $e; }", throwable);
System.out.println("Injection of code is successfull ....");
}
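Review bot: The order of the Javassist calls is now load-bearing and nothing in the code says so: `insertAfter`/`addCatch` are applied before the `insertBefore` that injects `RangerFSPermissionChecker.check(...)`. Presumably the intent is that the injected early `return` no longer passes through `logHadoopEvent`, but that should be confirmed, because it would also mean a Throwable raised inside `check` is not recorded by the injected catch block. I would add a comment above the `insertAfter` line, for example `// order matters: add logging/catch first so the Ranger check inserted below stays outside them`. The same reordering appears in the next hunk for `checkPermissionPre`, where an exception from the pre-hook would presumably skip `checkPermissionPost`; the same comment applies there. Both enclosing methods start outside the hunks.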
@@ -141,10 +142,10 @@ public class HadoopAuthClassTransformer implements ClassFileTransformer {
CtMethod checkMethod = curClass.getDeclaredMethod("checkPermission");
if (checkMethod != null) {
- checkMethod.insertBefore("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPre($1) ;");
checkMethod.insertAfter("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPost($1) ;");
CtClass throwable = ClassPool.getDefault().get("org.apache.hadoop.security.AccessControlException");
checkMethod.addCatch("{ org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPost($1); throw $e; }", throwable);
+ checkMethod.insertBefore("org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker.checkPermissionPre($1) ;");
injected_cm = true ;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/615e2c52/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index dae02fc..8b312af 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -19,72 +19,156 @@
package org.apache.ranger.plugin.service;
+import java.util.Collection;
+
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.audit.RangerAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.store.ServiceStoreFactory;
import org.apache.ranger.plugin.util.PolicyRefresher;
public class RangerBasePlugin {
- private boolean initDone = false;
- private String serviceType = null;
- private PolicyRefresher refresher = null;
+ private String serviceType = null;
+ private String serviceName = null;
+ private RangerPolicyEngine policyEngine = null;
+ private PolicyRefresher refresher = null;
+
-
public RangerBasePlugin(String serviceType) {
this.serviceType = serviceType;
}
- public RangerPolicyEngine getPolicyEngine() {
- return refresher == null ? null : refresher.getPolicyEngine();
+ public String getServiceType() {
+ return serviceType;
}
public String getServiceName() {
- return refresher == null ? null : refresher.getServiceName();
+ return serviceName;
}
- public boolean init(RangerPolicyEngine policyEngine) {
- if(!initDone) {
- synchronized(this) {
- if(! initDone) {
- String serviceName = null;
-
- // get the serviceName from download URL: http://ranger-admin-host:port/service/assets/policyList/serviceName
- String policyDownloadUrl = RangerConfiguration.getInstance().get("xasecure." + serviceType + ".policymgr.url");
-
- if(! StringUtils.isEmpty(policyDownloadUrl)) {
- int idx = policyDownloadUrl.lastIndexOf('/');
-
- if(idx != -1) {
- serviceName = policyDownloadUrl.substring(idx + 1);
- }
- }
+ public RangerPolicyEngine getPolicyEngine() {
+ return policyEngine;
+ }
- if(StringUtils.isEmpty(serviceName)) {
- serviceName = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.name");
- }
+ public void init() {
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl();
+
+ init(policyEngine);
+ }
- ServiceStore serviceStore = ServiceStoreFactory.instance().getServiceStore();
+ public synchronized void init(RangerPolicyEngine policyEngine) {
+ cleanup();
- refresher = new PolicyRefresher(policyEngine, serviceName, serviceStore);
+ // get the serviceName from download URL: http://ranger-admin-host:port/service/assets/policyList/serviceName
+ String policyDownloadUrl = RangerConfiguration.getInstance().get("xasecure." + serviceType + ".policymgr.url");
- refresher.startRefresher();
+ if(! StringUtils.isEmpty(policyDownloadUrl)) {
+ int idx = policyDownloadUrl.lastIndexOf('/');
- initDone = true;
- }
+ if(idx != -1) {
+ serviceName = policyDownloadUrl.substring(idx + 1);
}
}
- return initDone;
+ if(StringUtils.isEmpty(serviceName)) {
+ serviceName = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.name");
+ }
+
+ ServiceStore serviceStore = ServiceStoreFactory.instance().getServiceStore();
+
+ refresher = new PolicyRefresher(policyEngine, serviceName, serviceStore);
+ refresher.startRefresher();
+ this.policyEngine = policyEngine;
}
- public void cleanup() {
+ public synchronized void cleanup() {
PolicyRefresher refresher = this.refresher;
+ this.serviceName = null;
+ this.policyEngine = null;
+ this.refresher = null;
+
if(refresher != null) {
refresher.stopRefresher();
}
}
+
+ public void setDefaultAuditHandler(RangerAuditHandler auditHandler) {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ policyEngine.setDefaultAuditHandler(auditHandler);
+ }
+ }
+
+ public RangerAuditHandler getDefaultAuditHandler() {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ return policyEngine.getDefaultAuditHandler();
+ }
+
+ return null;
+ }
+
+
+ public RangerAccessResult createAccessResult(RangerAccessRequest request) {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ return policyEngine.createAccessResult(request);
+ }
+
+ return null;
+ }
+
+
+ public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ return policyEngine.isAccessAllowed(request);
+ }
+
+ return null;
+ }
+
+
+ public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests) {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ return policyEngine.isAccessAllowed(requests);
+ }
+
+ return null;
+ }
+
+
+ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler) {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ return policyEngine.isAccessAllowed(request, auditHandler);
+ }
+
+ return null;
+ }
+
+
+ public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAuditHandler auditHandler) {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ return policyEngine.isAccessAllowed(requests, auditHandler);
+ }
+
+ return null;
+ }
}
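Review bot: `policyEngine` is assigned inside the synchronized `init`/`cleanup` but read without synchronization in `isAccessAllowed`, `createAccessResult` and the audit-handler accessors, so an authorizing thread has no visibility guarantee and may keep seeing `null` or a stale engine. Declaring it `private volatile RangerPolicyEngine policyEngine = null;` fixes that without locking the hot path. Separately, `init` calls `cleanup()` first, so during a re-init every `isAccessAllowed` overload returns `null`. That contract belongs in the Javadoc ("returns null when no policy engine is set; callers must treat null as not allowed"), since the collection overloads make a missed null check easy.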