Posted to commits@ranger.apache.org by me...@apache.org on 2019/09/19 18:42:52 UTC

[ranger] branch master updated: RANGER-2571 : Need to add Knox proxy configuration support in Ranger plugins

This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 8fe1ce8  RANGER-2571 : Need to add Knox proxy configuration support in Ranger plugins
8fe1ce8 is described below

commit 8fe1ce872ab13c4543f6eb70cfe01bcdc36ff8f3
Author: Dhaval B.Shah <dh...@gmail.com>
AuthorDate: Thu Sep 19 20:28:23 2019 +0530

    RANGER-2571 : Need to add Knox proxy configuration support in Ranger plugins
    
    Signed-off-by: Mehul Parikh <me...@apache.org>
---
 .../ranger/plugin/util/GrantRevokeRequest.java      | 21 +++++++++++++++++++++
 .../hbase/RangerAuthorizationCoprocessor.java       |  7 ++++++-
 .../authorization/hadoop/RangerHdfsAuthorizer.java  |  2 ++
 .../yarn/authorizer/RangerYarnAuthorizer.java       |  9 ++++++---
 4 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index 870ec96..63f0f25 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -20,8 +20,10 @@
 package org.apache.ranger.plugin.util;
 
 import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -50,6 +52,8 @@ public class GrantRevokeRequest implements Serializable {
 	private Set<String>         groups;
 	private Set<String>         roles;
 	private Set<String>         accessTypes;
+	private List<String>        forwardedAddresses;
+	private String              remoteIPAddress;
 	private Boolean             delegateAdmin              = Boolean.FALSE;
 	private Boolean             enableAudit                = Boolean.TRUE;
 	private Boolean             replaceExistingPermissions = Boolean.FALSE;
@@ -137,6 +141,15 @@ public class GrantRevokeRequest implements Serializable {
 	public Map<String, String> getResource() {
 		return resource;
 	}
+	
+	public void setForwardedAddresses(List<String> forwardedAddresses) {
+		this.forwardedAddresses = (forwardedAddresses == null) ? new ArrayList<String>() : forwardedAddresses;
+	}
+
+	public void setRemoteIPAddress(String remoteIPAddress) {
+		this.remoteIPAddress = remoteIPAddress;
+	}
+
 
 	/**
 	 * @param resource the resource to set
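Review bot: `forwardedAddresses` is only guaranteed non-null once `setForwardedAddresses` has been called. The field is declared without an initializer, the setter maps null to an empty list, and the getter added in the later hunk returns the field as is. A request on which the setter was never invoked therefore returns null, while one that was given null returns an empty list. Initialising the field with `private List<String> forwardedAddresses = new ArrayList<String>();` removes that difference. The setter also keeps the caller's list by reference, so copying it with `new ArrayList<String>(forwardedAddresses)` would stop later changes to that list from altering the request.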
@@ -334,6 +347,14 @@ public class GrantRevokeRequest implements Serializable {
 	public String getClusterName() {
 		return clusterName;
 	}
+	
+	public String getRemoteIPAddress() {
+		return remoteIPAddress;
+	}
+
+	public List<String> getForwardedAddresses() { 
+		return forwardedAddresses; 
+	}
 
 	/**
 	 * @param clusterName the clusterName to set
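Review bot: The two new accessors have no Javadoc, although the neighbouring accessors do. Nothing states how `remoteIPAddress` differs from the existing client IP address or how far `forwardedAddresses` can be trusted. Going by the commit title, the list presumably carries proxy-reported hops of the X-Forwarded-For kind, which a client can set itself unless the direct peer is a known proxy. I would document `getRemoteIPAddress()` with `@return address of the directly connected peer`. For `getForwardedAddresses()` I would use `@return addresses reported by intermediate proxies; caller-supplied, honour only when the remote peer is a trusted proxy`.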
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 5729eb2..364a415 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1495,6 +1495,8 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		ret.setReplaceExistingPermissions(Boolean.TRUE);
 		ret.setResource(mapResource);
 		ret.setClientIPAddress(getRemoteAddress());
+		ret.setForwardedAddresses(null);//TODO: Need to check with Knox proxy how they handle forwarded add.
+		ret.setRemoteIPAddress(getRemoteAddress());
 
 		if(userName.startsWith(GROUP_PREFIX)) {
 			ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
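Review bot: `setRemoteIPAddress(getRemoteAddress())` stores the same value that `setClientIPAddress(getRemoteAddress())` stored just above it, and `setForwardedAddresses(null)` sits behind an untracked TODO. For HBase the new fields therefore carry nothing beyond the existing client address. Read the address once with `String remoteAddress = getRemoteAddress();`, pass it to both setters, and replace the TODO with a comment naming the follow-up, e.g. `// forwarded addresses not populated for HBase yet; see <JIRA-ID placeholder>`. The hunk at -1600 repeats the pattern and adds two whitespace-only lines, and the HDFS constructor hunk does the same with `getRemoteIp()` and no comment at all. The enclosing methods start and end outside these hunks.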
@@ -1600,7 +1602,10 @@ public class RangerAuthorizationCoprocessor implements AccessControlService.Inte
 		ret.setReplaceExistingPermissions(Boolean.TRUE);
 		ret.setResource(mapResource);
 		ret.setClientIPAddress(getRemoteAddress());
-
+		ret.setForwardedAddresses(null);//TODO: Need to check with Knox proxy how they handle forwarded add.
+		ret.setRemoteIPAddress(getRemoteAddress());
+		
+		
 		if(userName.startsWith(GROUP_PREFIX)) {
 			ret.getGroups().add(userName.substring(GROUP_PREFIX.length()));
 		} else {
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 7b2882c..52df2db 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -826,6 +826,8 @@ class RangerHdfsAccessRequest extends RangerAccessRequestImpl {
 		super.setAccessTime(new Date());
 		super.setClientIPAddress(getRemoteIp());
 		super.setAction(access.toString());
+		super.setForwardedAddresses(null);
+		super.setRemoteIPAddress(getRemoteIp());
 
 		if (inode != null) {
 			buildRequestContext(inode);
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index b49fb8a..eb473c4 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -98,7 +98,8 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
 		AccessType accessType = accessRequest.getAccessType();
 	    PrivilegedEntity entity = accessRequest.getEntity();
 		UserGroupInformation ugi = accessRequest.getUser();
-
+		List<String> forwardedAddresses = accessRequest.getForwardedAddresses();
+		String remoteIpAddress = accessRequest.getRemoteAddress();
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
 		}
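Review bot: `List<String> forwardedAddresses` is declared here, but none of this file's hunks adds `import java.util.List;`, whereas the GrantRevokeRequest change adds it explicitly. Unless the file already imports it above the visible context, this will not compile, so please confirm. The commit also removes the blank line that separated the local declarations from the `if(LOG.isDebugEnabled())` guard; keeping it would preserve the existing layout. checkPermission starts and ends outside the hunk.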
@@ -117,7 +118,7 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
 				perf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnAuthorizer.checkPermission(entity=" + entity + ")");
 			}
 
-			RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi);
+			RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi, forwardedAddresses, remoteIpAddress);
 
 			auditHandler = new RangerYarnAuditHandler();
 
@@ -300,7 +301,7 @@ class RangerYarnResource extends RangerAccessResourceImpl {
 }
 
 class RangerYarnAccessRequest extends RangerAccessRequestImpl {
-	public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi) {
+	public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi, List<String> forwardedAddresses, String remoteIpAddress) {
 		super.setResource(new RangerYarnResource(entity));
 		super.setAccessType(accessType);
 		super.setUser(ugi.getShortUserName());
@@ -308,6 +309,8 @@ class RangerYarnAccessRequest extends RangerAccessRequestImpl {
 		super.setAccessTime(new Date());
 		super.setClientIPAddress(getRemoteIp());
 		super.setAction(action);
+		super.setRemoteIPAddress(remoteIpAddress);
+		super.setForwardedAddresses(forwardedAddresses);
 	}
 	
 	private static String getRemoteIp() {
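Review bot: The constructor now records two peer addresses from different sources. `setClientIPAddress(getRemoteIp())` uses the static helper whose body lies outside the hunk, while `setRemoteIPAddress(remoteIpAddress)` uses the value the caller took from `accessRequest.getRemoteAddress()`. Nothing visible guarantees that the two agree, or says which one policy evaluation and audit should rely on when a proxy sits in front. `forwardedAddresses` is also passed through unchecked, and such a chain is typically client-influenced. A comment should record that, e.g. `// forwardedAddresses is caller-supplied; must be filtered against trusted proxies before use (TODO confirm where)`.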