Posted to commits@ranger.apache.org by rm...@apache.org on 2019/03/07 20:49:10 UTC
[ranger] branch master updated: RANGER-2340:Add Policy Version to
the Ranger Audit log
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 23e5e19 RANGER-2340:Add Policy Version to the Ranger Audit log
23e5e19 is described below
commit 23e5e190e59baf525400633034f64832429a48c7
Author: rmani <rm...@hortonworks.com>
AuthorDate: Tue Mar 5 20:09:00 2019 -0800
RANGER-2340:Add Policy Version to the Ranger Audit log
Signed-off-by: rmani <rm...@hortonworks.com>
---
.../audit/destination/SolrAuditDestination.java | 1 +
.../apache/ranger/audit/model/AuthzAuditEvent.java | 24 +++++++++++++++
.../plugin/audit/RangerDefaultAuditHandler.java | 1 +
.../plugin/policyengine/RangerAccessResult.java | 9 ++++++
.../policyengine/RangerPolicyEngineImpl.java | 1 +
.../authorization/hadoop/RangerHdfsAuthorizer.java | 1 +
hive-agent/pom.xml | 6 ----
.../solr_for_audit_setup/conf/managed-schema | 1 +
...add-column-version-in-x_policy_export_audit.sql | 29 +++++++++++++++++
...add-column-version-in-x_policy_export_audit.sql | 23 ++++++++++++++
...add-column-version-in-x_policy_export_audit.sql | 32 +++++++++++++++++++
...add-column-version-in-x_policy_export_audit.sql | 21 +++++++++++++
...add-column-version-in-x_policy_export_audit.sql | 23 ++++++++++++++
.../apache/ranger/entity/XXPolicyExportAudit.java | 28 +++++++++++++++++
.../java/org/apache/ranger/rest/ServiceREST.java | 36 ++++++++++++++++------
.../service/XPolicyExportAuditServiceBase.java | 2 ++
.../ranger/solr/SolrAccessAuditsService.java | 5 +++
.../java/org/apache/ranger/view/VXAccessAudit.java | 20 ++++++++++++
.../apache/ranger/view/VXPolicyExportAudit.java | 11 +++++++
.../src/main/webapp/scripts/models/RangerPolicy.js | 1 +
.../webapp/scripts/modules/globalize/message/en.js | 3 ++
.../scripts/views/policies/RangerPolicyRO.js | 1 +
.../webapp/scripts/views/reports/AuditLayout.js | 20 +++++++++++-
.../templates/policies/RangerPolicyRO_tmpl.html | 9 ++++++
.../org/apache/ranger/rest/TestServiceREST.java | 3 ++
25 files changed, 295 insertions(+), 16 deletions(-)
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
index 7b806e7..11da40e 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
@@ -278,6 +278,7 @@ public class SolrAuditDestination extends AuditDestination {
doc.setField("tags", auditEvent.getTags());
doc.setField("cluster", auditEvent.getClusterName());
doc.setField("zoneName", auditEvent.getZoneName());
+ doc.setField("policyVersion", auditEvent.getPolicyVersion());
return doc;
}
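Review bot: `doc.setField("policyVersion", auditEvent.getPolicyVersion())` is sent with every audit document, but the only schema change in this commit is to the contrib `managed-schema` used when setting up Solr, so an audit collection created from the earlier schema has no `policyVersion` field. Whether such documents are accepted depends on the deployed schema, which is not visible here; if they are rejected, access audit events would be lost after a plugin upgrade. The upgrade notes should tell operators to add the field first, and a comment such as `// requires the policyVersion field in the audit collection schema` on this line would record the dependency. The enclosing method starts outside the hunk.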
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
index be22df7..28db58c 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
@@ -121,6 +121,9 @@ public class AuthzAuditEvent extends AuditEventBase {
@SerializedName("zone_name")
protected String zoneName;
+ @SerializedName("policy_version")
+ protected Long policyVersion;
+
public AuthzAuditEvent() {
super();
@@ -143,6 +146,17 @@ public class AuthzAuditEvent extends AuditEventBase {
short accessResult, String agentId, long policyId,
String resultReason, String aclEnforcer, String sessionId,
String clientType, String clientIP, String requestData, String clusterName, String zoneName) {
+ this(repositoryType, repositoryName, user, eventTime, accessType, resourcePath, resourceType, action, accessResult, agentId,
+ policyId, resultReason, aclEnforcer, sessionId, clientType, clientIP, requestData, clusterName, zoneName, null);
+
+ }
+
+ public AuthzAuditEvent(int repositoryType, String repositoryName,
+ String user, Date eventTime, String accessType,
+ String resourcePath, String resourceType, String action,
+ short accessResult, String agentId, long policyId,
+ String resultReason, String aclEnforcer, String sessionId,
+ String clientType, String clientIP, String requestData, String clusterName, String zoneName, Long policyVersion) {
this.repositoryType = repositoryType;
this.repositoryName = repositoryName;
this.user = user;
@@ -162,6 +176,7 @@ public class AuthzAuditEvent extends AuditEventBase {
this.requestData = requestData;
this.clusterName = clusterName;
this.zoneName = zoneName;
+ this.policyVersion = policyVersion;
}
/**
@@ -483,6 +498,14 @@ public class AuthzAuditEvent extends AuditEventBase {
return zoneName;
}
+ public void setPolicyVersion(Long policyVersion) {
+ this.policyVersion = policyVersion;
+ }
+
+ public Long getPolicyVersion() {
+ return policyVersion;
+ }
+
public void setClusterName(String clusterName) {
this.clusterName = clusterName;
}
@@ -546,6 +569,7 @@ public class AuthzAuditEvent extends AuditEventBase {
.append("]")
.append(FIELD_SEPARATOR).append("clusterName=").append(clusterName)
.append(FIELD_SEPARATOR).append("zoneName=").append(zoneName)
+ .append(FIELD_SEPARATOR).append("policyVersion=").append(policyVersion)
.append(FIELD_SEPARATOR).append("additionalInfo=").append(additionalInfo);
return sb;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
index 8d97e99..4421442 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
@@ -124,6 +124,7 @@ public class RangerDefaultAuditHandler implements RangerAccessResultProcessor {
ret.setAdditionalInfo(getAdditionalInfo(request));
ret.setClusterName(request.getClusterName());
ret.setZoneName(result.getZoneName());
+ ret.setPolicyVersion(result.getPolicyVersion());
populateDefaults(ret);
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index c4e7b75..b82ff29 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -47,6 +47,7 @@ public class RangerAccessResult {
private long policyId = -1;
private int policyPriority;
private String zoneName;
+ private Long policyVersion;
private long evaluatedPoliciesCount;
private String reason;
private Map<String, Object> additionalInfo;
@@ -63,6 +64,7 @@ public class RangerAccessResult {
this.auditPolicyId = -1;
this.policyId = -1;
this.zoneName = null;
+ this.policyVersion = null;
this.policyPriority = RangerPolicy.POLICY_PRIORITY_NORMAL;
this.evaluatedPoliciesCount = 0;
this.reason = null;
@@ -74,6 +76,7 @@ public class RangerAccessResult {
this.policyId = other.getPolicyId();
this.policyPriority = other.getPolicyPriority();
this.zoneName = other.zoneName;
+ this.policyVersion = other.policyVersion;
this.evaluatedPoliciesCount = other.evaluatedPoliciesCount;
this.reason = other.getReason();
this.additionalInfo = other.additionalInfo == null ? new HashMap<String, Object>() : new HashMap<>(other.additionalInfo);
@@ -83,6 +86,7 @@ public class RangerAccessResult {
this.isAuditedDetermined = other.getIsAuditedDetermined();
this.isAudited = other.getIsAudited();
this.auditPolicyId = other.getAuditPolicyId();
+ this.policyVersion = other.policyVersion;
}
/**
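Review bot: The second `this.policyVersion = other.policyVersion;` sits beside the `isAudited` and `auditPolicyId` copies, so copying only the audit outcome from another result also replaces the version that belongs to `policyId`. If that method is meant to carry over audit fields only (its signature is outside the hunk, so this is inferred), an audit record could pair `policyId` with the version taken from a different evaluation. Consider dropping the assignment here and keeping only the one in the previous hunk, next to `this.policyId = other.getPolicyId();`.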
@@ -137,6 +141,10 @@ public class RangerAccessResult {
public void setZoneName(String zoneName) { this.zoneName = zoneName; }
+ public Long getPolicyVersion() { return policyVersion; }
+
+ public void setPolicyVersion(Long policyVersion) { this.policyVersion = policyVersion; }
+
/**
* @param reason the reason to set
*/
@@ -328,6 +336,7 @@ public class RangerAccessResult {
sb.append("policyId={").append(policyId).append("} ");
sb.append("zoneName={").append(zoneName).append("} ");
sb.append("auditPolicyId={").append(auditPolicyId).append("} ");
+ sb.append("policyVersion={").append(policyVersion).append("} ");
sb.append("evaluatedPoliciesCount={").append(evaluatedPoliciesCount).append("} ");
sb.append("reason={").append(reason).append("} ");
sb.append("additionalInfo={");
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index d709dcc..c00f072 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -1316,6 +1316,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
if (ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) {
+ ret.setPolicyVersion(evaluator.getPolicy().getVersion());
break; // Break out of policy-evaluation loop
}
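Review bot: `ret.setPolicyVersion(evaluator.getPolicy().getVersion())` takes the version from whichever evaluator is current when the loop breaks, which is not necessarily the policy whose id was stored in `policyId`; and when the loop ends without both flags determined, the version is never set although `policyId` may be. For an audit trail the two values have to describe the same policy, so the version is better recorded where the result's policy id is assigned. That code is outside this hunk, so the mismatch is inferred from the visible lines only. A null check on `evaluator.getPolicy()` may also be needed if an evaluator can exist without a policy.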
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 466f22a..f204c15 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -914,6 +914,7 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
auditEvent.setAccessResult((short) (result.getIsAllowed() ? 1 : 0));
auditEvent.setPolicyId(result.getPolicyId());
+ auditEvent.setPolicyVersion(result.getPolicyVersion());
Set<String> tags = getTags(request);
if (tags != null) {
diff --git a/hive-agent/pom.xml b/hive-agent/pom.xml
index 53f6e2f..43e4d6e 100644
--- a/hive-agent/pom.xml
+++ b/hive-agent/pom.xml
@@ -62,12 +62,6 @@
<version>${hive.version}</version>
</dependency>
<dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-jdbc</artifactId>
- <version>${hive.version}</version>
- <classifier>standalone</classifier>
- </dependency>
- <dependency>
<groupId>org.apache.ranger</groupId>
<artifactId>ranger-plugins-common</artifactId>
<version>${project.version}</version>
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/managed-schema b/security-admin/contrib/solr_for_audit_setup/conf/managed-schema
index 2cfd617..c33f6de 100644
--- a/security-admin/contrib/solr_for_audit_setup/conf/managed-schema
+++ b/security-admin/contrib/solr_for_audit_setup/conf/managed-schema
@@ -91,4 +91,5 @@
<field name="tags_str" type="text_std_token_lower_case" multiValued="false"/>
<field name="text" type="text_std_token_lower_case" multiValued="true" indexed="true" stored="false"/>
<field name="zoneName" type="key_lower_case" multiValued="false"/>
+ <field name="policyVersion" type="tlong" multiValued="false"/>
</schema>
\ No newline at end of file
diff --git a/security-admin/db/mysql/patches/038-add-column-version-in-x_policy_export_audit.sql b/security-admin/db/mysql/patches/038-add-column-version-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..b9dd306
--- /dev/null
+++ b/security-admin/db/mysql/patches/038-add-column-version-in-x_policy_export_audit.sql
@@ -0,0 +1,29 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+drop procedure if exists add_column_version_in_x_policy_export_audit;
+
+delimiter ;;
+create procedure add_column_version_in_x_policy_export_audit() begin
+
+if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_policy_export_audit' and column_name='policy_version') then
+ ALTER TABLE x_policy_export_audit ADD policy_version bigint(20) NULL DEFAULT NULL;
+end if;
+end;;
+
+delimiter ;
+call add_column_version_in_x_policy_export_audit();
+
+drop procedure if exists add_column_version_in_x_policy_export_audit;
\ No newline at end of file
diff --git a/security-admin/db/oracle/patches/038-add-column-version-in-x_policy_export_audit.sql b/security-admin/db/oracle/patches/038-add-column-version-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..63bb333
--- /dev/null
+++ b/security-admin/db/oracle/patches/038-add-column-version-in-x_policy_export_audit.sql
@@ -0,0 +1,23 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+DECLARE
+ v_count number:=0;
+BEGIN
+ select count(*) into v_count from user_tab_cols where table_name='X_POLICY_EXPORT_AUDIT' and column_name='policy_version';
+ if (v_count = 0) then
+ execute immediate 'ALTER TABLE x_policy_export_audit ADD policy_version NUMBER(20) DEFAULT NULL NULL';
+ end if;
+ commit;
+END;/
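Review bot: The existence check compares `column_name='policy_version'` in lower case, while the same query uses upper case for `table_name='X_POLICY_EXPORT_AUDIT'`; Oracle stores unquoted identifiers in upper case in `user_tab_cols`, so `v_count` stays 0 even when the column already exists. A second run of the patch would then attempt the `ALTER TABLE` again and fail instead of being a no-op. Use `column_name='POLICY_VERSION'`.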
diff --git a/security-admin/db/postgres/patches/038-add-column-version-in-x_policy_export_audit.sql b/security-admin/db/postgres/patches/038-add-column-version-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..3177d5a
--- /dev/null
+++ b/security-admin/db/postgres/patches/038-add-column-version-in-x_policy_export_audit.sql
@@ -0,0 +1,32 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+-- function add_x_policy_export_audit
+select 'delimiter start';
+CREATE OR REPLACE FUNCTION add_x_policy_version_export_audit()
+RETURNS void AS $$
+DECLARE
+ v_column_exists integer := 0;
+BEGIN
+ select count(*) into v_column_exists from pg_attribute where attrelid in(select oid from pg_class where relname='x_policy_export_audit') and attname='policy_version';
+ IF v_column_exists = 0 THEN
+ ALTER TABLE x_policy_export_audit ADD COLUMN policy_version bigint DEFAULT NULL;
+ END IF;
+END;
+$$ LANGUAGE plpgsql;
+select 'delimiter end';
+
+select add_x_policy_version_export_audit();
+select 'delimiter end';
diff --git a/security-admin/db/sqlanywhere/patches/038-add-column-version-in-x_policy_export_audit.sql b/security-admin/db/sqlanywhere/patches/038-add-column-version-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..310a63a
--- /dev/null
+++ b/security-admin/db/sqlanywhere/patches/038-add-column-version-in-x_policy_export_audit.sql
@@ -0,0 +1,21 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+IF NOT EXISTS(select * from SYS.SYSCOLUMNS where tname = 'x_policy_export_audit' and cname = 'policy_version') THEN
+ ALTER TABLE dbo.x_policy_export_audit ADD policy_version bigint DEFAULT NULL NULL;
+END IF;
+GO
+
+exit
diff --git a/security-admin/db/sqlserver/patches/038-add-column-version-in-x_policy_export_audit.sql b/security-admin/db/sqlserver/patches/038-add-column-version-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..f9ce950
--- /dev/null
+++ b/security-admin/db/sqlserver/patches/038-add-column-version-in-x_policy_export_audit.sql
@@ -0,0 +1,23 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+GO
+IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_policy_export_audit' and column_name = 'policy_version')
+BEGIN
+ ALTER TABLE [dbo].[x_policy_export_audit] ADD [policy_version] [bigint] DEFAULT NULL NULL;
+END
+GO
+
+exit
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java
index 4060e01..4d3d5d7 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java
@@ -152,6 +152,14 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
/**
+ * Name of the policyVersion
+ * <ul>
+ * </ul>
+ */
+ @Column(name="POLICY_VERSION")
+ protected Long policyVersion;
+
+ /**
* Default constructor. This will set all the attributes to default value.
*/
public XXPolicyExportAudit ( ) {
@@ -316,6 +324,22 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
}
/**
+ * This method sets the value to the member attribute <b>policyVersion</b>.
+ * @param policyVersion Value to set member attribute <b>policyVersion</b>
+ */
+ public void setPolicyVersion(Long policyVersion) {
+ this.policyVersion = policyVersion;
+ }
+
+ /**
+ * Returns the value for the member attribute <b>policyVersion</b>
+ * @return String - value of member attribute <b>policyVersion</b>.
+ */
+ public Long getPolicyVersion() {
+ return policyVersion;
+ }
+
+ /**
* This return the bean content in string format
* @return formatedStr
*/
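Review bot: The Javadoc on `getPolicyVersion()` says `@return String` although the method returns `Long`, and the field comment in the previous hunk reads "Name of the policyVersion" followed by an empty `<ul>`. Suggested wording: `@return Long - value of member attribute <b>policyVersion</b>` for the getter and `Version of the policy recorded with this export audit entry` for the field. The field description is inferred from the column name, so confirm it before adopting it.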
@@ -332,6 +356,7 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
str += "httpRetCode={" + httpRetCode + "} ";
str += "clusterName={" + clusterName + "} ";
str += "zoneName={" + zoneName + "} ";
+ str += "policyVersion={" + policyVersion + "} ";
str += "}";
return str;
}
@@ -371,6 +396,9 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
if ((this.zoneName == null && other.zoneName != null) || (this.zoneName != null && !this.zoneName.equals(other.zoneName))) {
return false;
}
+ if ((this.policyVersion == null && other.policyVersion != null) || (this.policyVersion != null && !this.policyVersion.equals(other.policyVersion))) {
+ return false;
+ }
return true;
}
public static String getEnumName(String fieldName ) {
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 78029e0..602eb3f 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3029,6 +3029,7 @@ public class ServiceREST {
String eventTimeStr = request.getParameter("eventTime");
String policyIdStr = request.getParameter("policyId");
+ String versionNoStr = request.getParameter("versionNo");
if (StringUtils.isEmpty(eventTimeStr) || StringUtils.isEmpty(policyIdStr)) {
throw restErrorUtil.createRESTException("EventTime or policyId cannot be null or empty string.",
@@ -3038,17 +3039,34 @@ public class ServiceREST {
Long policyId = Long.parseLong(policyIdStr);
RangerPolicy policy=null;
- try {
- policy = svcStore.getPolicyFromEventTime(eventTimeStr, policyId);
- if(policy != null) {
- ensureAdminAndAuditAccess(policy);
+
+ if (!StringUtil.isEmpty(versionNoStr)) {
+ int policyVersion = Integer.parseInt(versionNoStr);
+ try {
+ policy = svcStore.getPolicyForVersionNumber(policyId, policyVersion);
+ if (policy != null) {
+ ensureAdminAndAuditAccess(policy);
+ }
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ // Ignore any other exception and go for fetching the policy by eventTime
}
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("getPolicy(" + policyId + ") failed", excp);
+ }
- throw restErrorUtil.createRESTException(excp.getMessage());
+ if (policy == null) {
+ try {
+ policy = svcStore.getPolicyFromEventTime(eventTimeStr, policyId);
+ if (policy != null) {
+ ensureAdminAndAuditAccess(policy);
+ }
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("getPolicy(" + policyId + ") failed", excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ }
}
if(policy == null) {
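Review bot: `Integer.parseInt(versionNoStr)` runs outside the `try`, so a non-numeric `versionNo` request parameter raises an unhandled `NumberFormatException` instead of a REST error like the empty-parameter check above it. The new `catch (Throwable excp)` also discards every failure of the version lookup without logging, which hides store errors and silently returns the event-time policy in place of the requested version. Parsing inside the `try`, rejecting a malformed value, narrowing the catch to `Exception` and logging it keeps the fallback but leaves a trace. The version is also parsed as `int` here while the audit model carries it as `Long`. The enclosing method starts and ends outside the hunk.

```java
if (!StringUtil.isEmpty(versionNoStr)) {
    try {
        int policyVersion = Integer.parseInt(versionNoStr);
        policy = svcStore.getPolicyForVersionNumber(policyId, policyVersion);
        // … unchanged: ensureAdminAndAuditAccess(policy) when policy != null …
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (NumberFormatException excp) {
        throw restErrorUtil.createRESTException("versionNo must be a number.");
    } catch (Exception excp) {
        // Fall back to the eventTime lookup, but keep a trace of why the version lookup failed
        LOG.warn("getPolicyForVersionNumber(" + policyId + ") failed; falling back to eventTime", excp);
    }
}
// … unchanged: lookup by eventTime when policy is still null …
```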
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java
index 51711a8..48940ba 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java
@@ -51,6 +51,7 @@ public abstract class XPolicyExportAuditServiceBase<T extends XXPolicyExportAudi
mObj.setHttpRetCode( vObj.getHttpRetCode());
mObj.setClusterName( vObj.getClusterName());
mObj.setZoneName( vObj.getZoneName());
+ mObj.setPolicyVersion( vObj.getPolicyVersion());
return mObj;
}
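Review bot: Nothing in this commit assigns `policyVersion` on the export-audit view object: the mapper copies `vObj.getPolicyVersion()` into the entity, but none of the 25 changed files calls `VXPolicyExportAudit.setPolicyVersion` when an export audit record is built. Unless a caller outside this commit sets it, the `policy_version` column added by the five database patches stays NULL for every row. Either populate it where the export audit record is created, or add a comment stating that the column is reserved for a later change. The same applies to the reverse mapping in the next hunk.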
@@ -66,6 +67,7 @@ public abstract class XPolicyExportAuditServiceBase<T extends XXPolicyExportAudi
vObj.setSyncStatus( MapUtil.getPolicyExportAuditSyncStatus(mObj.getHttpRetCode()));
vObj.setClusterName( mObj.getClusterName());
vObj.setZoneName( mObj.getZoneName());
+ vObj.setPolicyVersion( mObj.getPolicyVersion());
return vObj;
}
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
index 1b49c13..cf2a3b4 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
@@ -246,6 +246,11 @@ public class SolrAccessAuditsService {
accessAudit.setZoneName(value.toString());
}
+ value = doc.getFieldValue("policyVersion");
+ if (value != null) {
+ accessAudit.setPolicyVersion(solrUtil.toLong(value));
+ }
+
value = doc.getFieldValue("access");
if (value != null) {
accessAudit.setAccessType(value.toString());
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java b/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
index 1fe85ae..7b63a63 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
@@ -138,6 +138,10 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
// Security Zone
protected String zoneName;
+ // Policy Version
+
+ protected Long policyVersion;
+
/**
* Default constructor. This will set all the attributes to default value.
*/
@@ -538,6 +542,21 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
}
/**
+ * @return the policyVersion
+ */
+ public Long getPolicyVersion() {
+ return policyVersion;
+ }
+ /**
+ * @param policyVersion
+ * the policyVersion to set
+ */
+ public void setPolicyVersion(Long policyVersion) {
+ this.policyVersion = policyVersion;
+ }
+
+
+ /**
* This return the bean content in string format
* @return formatedStr
*/
@@ -552,6 +571,7 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
str += "clientIP={" + clientIP + "} ";
str += "clientType={" + clientType + "} ";
str += "policyId={" + policyId + "} ";
+ str += "policyVersion={" + policyVersion + "} ";
str += "repoName={" + repoName + "} ";
str += "repoType={" + repoType + "} ";
str += "serviceType={" + serviceType + "} ";
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java b/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java
index 8fca5ba..e7178a4 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java
@@ -79,6 +79,8 @@ public class VXPolicyExportAudit extends VXDataObject implements java.io.Seriali
protected String zoneName;
+ protected Long policyVersion;
+
/**
* Default constructor. This will set all the attributes to default value.
*/
@@ -229,6 +231,14 @@ public class VXPolicyExportAudit extends VXDataObject implements java.io.Seriali
this.zoneName = zoneName;
}
+ public Long getPolicyVersion() {
+ return policyVersion;
+ }
+
+ public void setPolicyVersion(Long policyVersion) {
+ this.policyVersion = policyVersion;
+ }
+
@Override
public int getMyClassType( ) {
return AppConstants.CLASS_TYPE_XA_POLICY_EXPORT_AUDIT;
@@ -251,6 +261,7 @@ public class VXPolicyExportAudit extends VXDataObject implements java.io.Seriali
str += "syncStatus={" + syncStatus + "} ";
str += "clusterName={" + clusterName + "} ";
str += "zoneName={" + zoneName + "}";
+ str += "policyVersion={" + policyVersion + "}";
str += "}";
return str;
}
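Review bot: The new line is appended directly after `"zoneName={" + zoneName + "}"`, which has no trailing space, so the output runs together as `}policyVersion={`. Write it as `str += " policyVersion={" + policyVersion + "}";` so the fields stay separated like the `syncStatus` and `clusterName` entries above it.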
diff --git a/security-admin/src/main/webapp/scripts/models/RangerPolicy.js b/security-admin/src/main/webapp/scripts/models/RangerPolicy.js
index 4027132..30e36ac 100644
--- a/security-admin/src/main/webapp/scripts/models/RangerPolicy.js
+++ b/security-admin/src/main/webapp/scripts/models/RangerPolicy.js
@@ -111,6 +111,7 @@ define(function(require){
fetchByEventTime : function(opt){
var queryParams = opt.data;
queryParams.policyId = this.get('id');
+ queryParams.versionNo = this.get('version');
if(_.isUndefined(queryParams.eventTime)){
throw('eventTime can not be undefined');
}
diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index cce9358..03412d5 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -243,6 +243,7 @@ define(function(require) {
modules : 'Modules',
clusterName : 'Cluster Name',
zoneName : 'Zone Name',
+ policyVersion : 'Policy Version',
policyLabels : 'Policy Labels',
activeStatus : 'Active Status',
selectTagService : 'Tag Service',
@@ -350,6 +351,7 @@ define(function(require) {
pluginStatus :'Plugin Status',
clusterName :'Name of ambari cluster',
zoneName :"Name of Zone",
+ policyVersion :'Policy Version',
url :'Hive url.',
rowFilter : 'Row Filter',
policyLabelsinfo : 'Label of policy',
@@ -446,6 +448,7 @@ define(function(require) {
duplicateNewConfigValidationMsg :'Please make sure the new configuration has no duplicate names',
zoneDeleteMsg : 'Zone deleted successfully',
zoneNameValidation : 'Please select Zone Name.',
+ policyVersionValidation : 'Please select Policy Version.',
zoneServiceNameValidation: 'Please select Service Name for selected zone.',
adminUserGroupValidation: 'Please select atleast one Admin Users/Usergroups to Zone else Zone will not be added.',
auditorUserGroupValidation: 'Please select atleast one Auditor Users/Usergroups to Zone else Zone will not be added.',
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
index da0078f..e6634cc 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
@@ -114,6 +114,7 @@ define(function(require) {
var self = this , resourceDef;
var details = this.policyDetails = {};
details.id = this.policy.get('id');
+ details.version = this.policy.get('version');
details.name = this.policy.get('name');
details.isEnabled = this.policy.get('isEnabled') ? localization.tt('lbl.ActiveStatus_STATUS_ENABLED') : localization.tt('lbl.ActiveStatus_STATUS_DISABLED');
details.policyPriority = this.policy.get('policyPriority') == 1 ? localization.tt('lbl.override') : localization.tt('lbl.normal');
diff --git a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
index f20b2e8..e7b45d9 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
@@ -172,6 +172,7 @@ define(function(require) {
modifyTableForSubcolumns : function(){
this.$el.find('[data-id="r_tableList"] table thead').prepend('<tr>\
<th class="renderable pid"></th>\
+ <th class="renderable cip"></th>\
<th class="renderable ruser"></th>\
<th class="renderable ruser"></th>\
<th class="renderable cip">Service</th>\
@@ -1004,8 +1005,11 @@ define(function(require) {
}
var eventTime = this.model.get('eventTime');
+ var policyVersion = this.model.get('policyVersion');
+
var policy = new RangerPolicy({
- id: policyId
+ id: policyId,
+ version:policyVersion
});
var policyVersionList = policy.fetchVersions();
var view = new RangerPolicyRO({
@@ -1071,6 +1075,20 @@ define(function(require) {
editable: false,
sortable : false
},
+ policyVersion: {
+ label : localization.tt("lbl.policyVersion"),
+ cell: "html",
+ click: false,
+ formatter: _.extend({}, Backgrid.CellFormatter.prototype, {
+ fromRaw: function (rawValue, model) {
+ rawValue = _.escape(rawValue);
+ return '<span title="'+rawValue+'">'+rawValue+'</span>';
+ }
+ }),
+ drag: false,
+ sortable: false,
+ editable: false,
+ },
eventTime : {
label : 'Event Time',
cell: "String",
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
index 26b43f7..a50903c 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
@@ -49,6 +49,15 @@
</td>
</tr>
<tr>
+ <td>
+ {{tt 'lbl.version'}}
+ </td>
+ <td>
+ <div class="controls"><label class="label label-ranger" style="cursor: auto;">{{PolicyDetails.version}}</label></div>
+ </td>
+ </tr>
+ <tr>
+ <tr>
<td>
{{tt 'lbl.policyName'}}
</td>
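Review bot: The added block ends with two consecutive `<tr>` lines, so the policy-name row now opens inside an unclosed row and the table markup is unbalanced. Remove one of them so the block ends with a single `<tr>`. The label uses `lbl.version`, while the message-file hunks in this commit add only `policyVersion` keys; confirm that `lbl.version` already exists.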
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index ed2b7e5..8f39607 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -1088,6 +1088,7 @@ public class TestServiceREST {
userGroupsList.add("group2");
Mockito.when(request.getParameter("eventTime")).thenReturn(strdt);
Mockito.when(request.getParameter("policyId")).thenReturn("1");
+ Mockito.when(request.getParameter("versionNo")).thenReturn("1");
RangerPolicy policy=new RangerPolicy();
Map<String, RangerPolicyResource> resources=new HashMap<String, RangerPolicy.RangerPolicyResource>();
policy.setService("services");
@@ -1105,6 +1106,7 @@ public class TestServiceREST {
Assert.assertNull(dbRangerPolicy);
Mockito.verify(request).getParameter("eventTime");
Mockito.verify(request).getParameter("policyId");
+ Mockito.verify(request).getParameter("versionNo");
}
@Test
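Review bot: The test stubs `versionNo` as "1", but the hunk shows no stub or verification for the store's `getPolicyForVersionNumber`, so with a default mock the lookup returns null and the assertions still exercise only the event-time fallback. Add a case where the version lookup returns a policy, and one with a non-numeric `versionNo`. For the first, assuming the mock is named `svcStore` as in `ServiceREST`, something like `Mockito.when(svcStore.getPolicyForVersionNumber(1L, 1)).thenReturn(policy);`. The test method starts outside the hunk, so stubs defined earlier are not visible; the later hunk in this file adds the same `versionNo` stub with the same gap.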
@@ -1912,6 +1914,7 @@ public class TestServiceREST {
userGroupsList.add("group2");
Mockito.when(request.getParameter("eventTime")).thenReturn(strdt);
Mockito.when(request.getParameter("policyId")).thenReturn("1");
+ Mockito.when(request.getParameter("versionNo")).thenReturn("1");
RangerPolicy policy = new RangerPolicy();
Map<String, RangerPolicyResource> resources = new HashMap<String, RangerPolicy.RangerPolicyResource>();
policy.setService("services");