Posted to commits@ranger.apache.org by me...@apache.org on 2019/09/19 18:42:52 UTC
[ranger] branch master updated: RANGER-2571 : Need to add Knox
proxy configuration support in Ranger plugins
This is an automated email from the ASF dual-hosted git repository.
mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 8fe1ce8 RANGER-2571 : Need to add Knox proxy configuration support in Ranger plugins
8fe1ce8 is described below
commit 8fe1ce872ab13c4543f6eb70cfe01bcdc36ff8f3
Author: Dhaval B.Shah <dh...@gmail.com>
AuthorDate: Thu Sep 19 20:28:23 2019 +0530
RANGER-2571 : Need to add Knox proxy configuration support in Ranger plugins
Signed-off-by: Mehul Parikh <me...@apache.org>
---
.../ranger/plugin/util/GrantRevokeRequest.java | 21 +++++++++++++++++++++
.../hbase/RangerAuthorizationCoprocessor.java | 7 ++++++-
.../authorization/hadoop/RangerHdfsAuthorizer.java | 2 ++
.../yarn/authorizer/RangerYarnAuthorizer.java | 9 ++++++---
4 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index 870ec96..63f0f25 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -20,8 +20,10 @@
package org.apache.ranger.plugin.util;
import java.io.Serializable;
+import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -50,6 +52,8 @@ public class GrantRevokeRequest implements Serializable {
private Set<String> groups;
private Set<String> roles;
private Set<String> accessTypes;
+ private List<String> forwardedAddresses;
+ private String remoteIPAddress;
private Boolean delegateAdmin = Boolean.FALSE;
private Boolean enableAudit = Boolean.TRUE;
private Boolean replaceExistingPermissions = Boolean.FALSE;
@@ -137,6 +141,15 @@ public class GrantRevokeRequest implements Serializable {
public Map<String, String> getResource() {
return resource;
}
+
+ public void setForwardedAddresses(List<String> forwardedAddresses) {
+ this.forwardedAddresses = (forwardedAddresses == null) ? new ArrayList<String>() : forwardedAddresses;
+ }
+
+ public void setRemoteIPAddress(String remoteIPAddress) {
+ this.remoteIPAddress = remoteIPAddress;
+ }
+
/**
* @param resource the resource to set
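Review bot: `setForwardedAddresses` turns a null argument into an empty list, but the `forwardedAddresses` field declared in the previous hunk has no initialiser, so `getForwardedAddresses()` (added in the hunk at -334) returns null until the setter has been called and a list afterwards; callers must handle both. The setter also stores the caller's list and the getter returns it directly, so either side can change the request's addresses after it is built. Suggest initialising the field, `private List<String> forwardedAddresses = new ArrayList<String>();`, and copying in the setter, `this.forwardedAddresses = (forwardedAddresses == null) ? new ArrayList<String>() : new ArrayList<String>(forwardedAddresses);`. The new accessors also lack the Javadoc that the neighbouring setter carries (`@param resource the resource to set`).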
@@ -334,6 +347,14 @@ public class GrantRevokeRequest implements Serializable {
public String getClusterName() {
return clusterName;
}
+
+ public String getRemoteIPAddress() {
+ return remoteIPAddress;
+ }
+
+ public List<String> getForwardedAddresses() {
+ return forwardedAddresses;
+ }
/**
* @param clusterName the clusterName to set
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 5729eb2..364a415 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1495,6 +1495,8 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
ret.setReplaceExistingPermissions(Boolean.TRUE);
ret.setResource(mapResource);
ret.setClientIPAddress(getRemoteAddress());
+ ret.setForwardedAddresses(null);//TODO: Need to check with Knox proxy how they handle forwarded add.
+ ret.setRemoteIPAddress(getRemoteAddress());
if(userName.startsWith(GROUP_PREFIX)) {
ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
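Review bot: `ret.setForwardedAddresses(null)` with an open TODO means this HBase path never carries forwarded addresses, and `setRemoteIPAddress(getRemoteAddress())` repeats the value already given to `setClientIPAddress` on the line above. Behind a proxy both fields would presumably hold the proxy's address, so IP-based policy conditions and audit records for these requests would attribute the action to the proxy rather than the originating client. The same two lines are repeated in the next hunk of this file (@@ -1600), which also adds two stray blank lines. Suggest reading the address once, `String remoteAddr = getRemoteAddress();`, and naming the tracking issue in the TODO so the gap is not lost. The enclosing method starts and ends outside the hunk.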
@@ -1600,7 +1602,10 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
ret.setReplaceExistingPermissions(Boolean.TRUE);
ret.setResource(mapResource);
ret.setClientIPAddress(getRemoteAddress());
-
+ ret.setForwardedAddresses(null);//TODO: Need to check with Knox proxy how they handle forwarded add.
+ ret.setRemoteIPAddress(getRemoteAddress());
+
+
if(userName.startsWith(GROUP_PREFIX)) {
ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
} else {
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 7b2882c..52df2db 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -826,6 +826,8 @@ class RangerHdfsAccessRequest extends RangerAccessRequestImpl {
super.setAccessTime(new Date());
super.setClientIPAddress(getRemoteIp());
super.setAction(access.toString());
+ super.setForwardedAddresses(null);
+ super.setRemoteIPAddress(getRemoteIp());
if (inode != null) {
buildRequestContext(inode);
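Review bot: `super.setForwardedAddresses(null)` carries no comment here, unlike the HBase hunks where the same call is marked as a TODO, so a reader cannot tell whether the null is deliberate or a placeholder. Suggest a comment such as `// TODO: forwarded addresses are not populated for HDFS yet; remoteIPAddress is the direct peer only`. `getRemoteIp()` is now called twice in a row; a local, `String remoteIp = getRemoteIp();`, would guarantee that `clientIPAddress` and `remoteIPAddress` hold the same value. The enclosing constructor starts outside the hunk.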
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index b49fb8a..eb473c4 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -98,7 +98,8 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
AccessType accessType = accessRequest.getAccessType();
PrivilegedEntity entity = accessRequest.getEntity();
UserGroupInformation ugi = accessRequest.getUser();
-
+ List<String> forwardedAddresses = accessRequest.getForwardedAddresses();
+ String remoteIpAddress = accessRequest.getRemoteAddress();
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
}
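Review bot: `forwardedAddresses` read from `accessRequest.getForwardedAddresses()` is handed on to the Ranger request unchanged. If these values come from a forwarding header set along a proxy chain (the commit title points at Knox), they are caller-supplied and should only influence the effective client address when the direct peer is a configured trusted proxy. A comment at the declaration would record that, e.g. `// caller-supplied via proxy; honour only when remoteIpAddress is a trusted proxy`. No hunk in this file adds `import java.util.List;`, so confirm the import is already present. The body of checkPermission continues outside the hunk.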
@@ -117,7 +118,7 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
perf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnAuthorizer.checkPermission(entity=" + entity + ")");
}
- RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi);
+ RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi, forwardedAddresses, remoteIpAddress);
auditHandler = new RangerYarnAuditHandler();
@@ -300,7 +301,7 @@ class RangerYarnResource extends RangerAccessResourceImpl {
}
class RangerYarnAccessRequest extends RangerAccessRequestImpl {
- public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi) {
+ public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi, List<String> forwardedAddresses, String remoteIpAddress) {
super.setResource(new RangerYarnResource(entity));
super.setAccessType(accessType);
super.setUser(ugi.getShortUserName());
@@ -308,6 +309,8 @@ class RangerYarnAccessRequest extends RangerAccessRequestImpl {
super.setAccessTime(new Date());
super.setClientIPAddress(getRemoteIp());
super.setAction(action);
+ super.setRemoteIPAddress(remoteIpAddress);
+ super.setForwardedAddresses(forwardedAddresses);
}
private static String getRemoteIp() {
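Review bot: The constructor now takes the peer address from two different sources: `super.setClientIPAddress(getRemoteIp())` still uses the static helper, while `super.setRemoteIPAddress(remoteIpAddress)` uses the value read from `accessRequest.getRemoteAddress()` in the first hunk of this file. If the two ever disagree, policy evaluation and audit would see inconsistent addresses for the same request. Unless the difference is intended, derive both from one value, e.g. `super.setClientIPAddress(remoteIpAddress);`, or add a comment stating why they differ. `forwardedAddresses` may also be null here, and whether the superclass setter tolerates that is not visible in this diff. The body of `getRemoteIp()` lies outside the hunk.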