Posted to commits@ranger.apache.org by ma...@apache.org on 2020/05/18 03:35:05 UTC

[ranger] branch master updated: RANGER-2829: plugins to support super-users/groups, and audit-exclude-users/groups/roles via configurations

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 6effe96  RANGER-2829: plugins to support super-users/groups, and audit-exclude-users/groups/roles via configurations
6effe96 is described below

commit 6effe9615cbf47aa4aadc4cb7874fd87ff5c1bad
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Sun May 17 12:19:03 2020 -0700

    RANGER-2829: plugins to support super-users/groups, and audit-exclude-users/groups/roles via configurations
---
 .../authorization/hadoop/config/RangerPluginConfig.java   |  8 ++++++++
 .../apache/ranger/plugin/service/RangerBasePlugin.java    | 13 +++++++++++++
 .../ranger/plugin/policyengine/TestPolicyEngine.java      | 15 +++++++++++++--
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index 89a31cc..43004cb 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -156,11 +156,19 @@ public class RangerPluginConfig extends RangerConfiguration {
         auditExcludedUsers  = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users);
         auditExcludedGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups);
         auditExcludedRoles  = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(roles);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("auditExcludedUsers=" + auditExcludedUsers + ", auditExcludedGroups=" + auditExcludedGroups + ", auditExcludedRoles=" + auditExcludedRoles);
+        }
     }
 
     public void setSuperUsersGroups(Set<String> users, Set<String> groups) {
         superUsers  = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users);
         superGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("superUsers=" + superUsers + ", superGroups=" + superGroups);
+        }
     }
 
     public boolean isAuditExcludedUser(String userName) {
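Review bot: The context line that assigns `auditExcludedRoles` tests `CollectionUtils.isEmpty(groups)` instead of `roles`, and the debug statement added just below it will print whatever that produces. Now that these sets are driven by configuration, a deployment that sets only the roles property and leaves groups empty would silently end up with no role exclusions, and a non-empty groups set combined with a null roles argument would throw from `new HashSet<>(roles)`. The line should read `auditExcludedRoles = CollectionUtils.isEmpty(roles) ? Collections.emptySet() : new HashSet<>(roles);`. The setter's signature is above the hunk, so the parameter names are taken from the visible assignments.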
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 41b2492..236a4ab 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -80,6 +80,15 @@ public class RangerBasePlugin {
 		this.pluginConfig  = pluginConfig;
 		this.pluginContext = new RangerPluginContext(pluginConfig);
 
+		Set<String> superUsers         = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.users"));
+		Set<String> superGroups        = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.groups"));
+		Set<String> auditExcludeUsers  = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".audit.exclude.users"));
+		Set<String> auditExcludeGroups = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".audit.exclude.groups"));
+		Set<String> auditExcludeRoles  = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".audit.exclude.roles"));
+
+		setSuperUsersAndGroups(superUsers, superGroups);
+		setAuditExcludedUsersGroupsRoles(auditExcludeUsers, auditExcludeGroups, auditExcludeRoles);
+
 		RangerScriptExecutionContext.init(pluginConfig);
 	}
 
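Review bot: The super-user and audit-exclusion sets loaded in this constructor are reported only by the `LOG.isDebugEnabled()` statements added in RangerPluginConfig, so at default log levels nothing records which principals were configured. These settings presumably exempt principals from policy checks and from audit records, so a change to them is worth surfacing to operators. One INFO line through the class's logger when any set is non-empty would do, for example `LOG.info("super.users=" + superUsers + ", super.groups=" + superGroups);` and the same for the three audit-exclude sets. The five property suffixes are also bare string literals repeated in TestPolicyEngine; named constants would keep the two in step. The constructor begins above the hunk.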
@@ -692,6 +701,10 @@ public class RangerBasePlugin {
 		return false;
 	}
 
+	private Set<String> toSet(String value) {
+		return StringUtils.isNotBlank(value) ? StringUtil.toSet(value) : Collections.emptySet();
+	}
+
 	static private final class LogHistory {
 		long lastLogTime;
 		int counter;
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 2567edb..c71461b 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -47,6 +47,7 @@ import org.apache.ranger.plugin.model.validation.ValidationFailureDetails;
 import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData;
 import org.apache.ranger.plugin.policyevaluator.RangerValidityScheduleEvaluator;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerRequestedResources;
 import org.apache.ranger.plugin.util.RangerRoles;
@@ -522,8 +523,14 @@ public class TestPolicyEngine {
 
         policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
 
-        pluginContext.getConfig().setSuperUsersGroups(testCase.superUsers,  testCase.superGroups);
-		pluginContext.getConfig().setAuditExcludedUsersGroupsRoles(testCase.auditExcludedUsers,  testCase.auditExcludedGroups, testCase.auditExcludedRoles);
+        setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
+        setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
+        setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
+        setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
+        setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);
+
+        // so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
+        new RangerBasePlugin(pluginContext.getConfig());
 
         RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
 
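Review bot: `new RangerBasePlugin(pluginContext.getConfig());` is constructed only for its side effects and then discarded, so the test silently depends on the constructor continuing to copy the five properties into the config. Per the RangerBasePlugin hunk, that constructor also calls `RangerScriptExecutionContext.init(pluginConfig)` on every test case. The existing comment explains the first part and could be extended to `// constructed only for its side effects: loads super.* and audit.exclude.* from the config (also re-runs RangerScriptExecutionContext.init)`. The enclosing test method begins and ends outside the hunk.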
@@ -695,6 +702,10 @@ public class TestPolicyEngine {
 
 	}
 
+	private void setPluginConfig(RangerPluginConfig conf, String suffix, Set<String> value) {
+		conf.set(conf.getPropertyPrefix() + suffix, CollectionUtils.isNotEmpty(value) ? StringUtils.join(value, ',') : "");
+	}
+
 	static class PolicyEngineTestCase {
 		public String             serviceName;
 		public RangerServiceDef   serviceDef;