Posted to commits@ranger.apache.org by ma...@apache.org on 2020/05/18 03:35:05 UTC
[ranger] branch master updated: RANGER-2829: plugins to support
super-users/groups, and audit-exclude-users/groups/roles via configurations
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 6effe96 RANGER-2829: plugins to support super-users/groups, and audit-exclude-users/groups/roles via configurations
6effe96 is described below
commit 6effe9615cbf47aa4aadc4cb7874fd87ff5c1bad
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Sun May 17 12:19:03 2020 -0700
RANGER-2829: plugins to support super-users/groups, and audit-exclude-users/groups/roles via configurations
---
.../authorization/hadoop/config/RangerPluginConfig.java | 8 ++++++++
.../apache/ranger/plugin/service/RangerBasePlugin.java | 13 +++++++++++++
.../ranger/plugin/policyengine/TestPolicyEngine.java | 15 +++++++++++++--
3 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index 89a31cc..43004cb 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -156,11 +156,19 @@ public class RangerPluginConfig extends RangerConfiguration {
auditExcludedUsers = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users);
auditExcludedGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups);
auditExcludedRoles = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(roles);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("auditExcludedUsers=" + auditExcludedUsers + ", auditExcludedGroups=" + auditExcludedGroups + ", auditExcludedRoles=" + auditExcludedRoles);
+ }
}
public void setSuperUsersGroups(Set<String> users, Set<String> groups) {
superUsers = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users);
superGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("superUsers=" + superUsers + ", superGroups=" + superGroups);
+ }
}
public boolean isAuditExcludedUser(String userName) {
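Review bot: The context line `auditExcludedRoles = CollectionUtils.isEmpty(groups) ? ...` tests `groups` but copies `roles`, and this commit makes that path reachable from configuration without correcting it. When only the `.audit.exclude.roles` property is set, the role exclusions are silently discarded because `groups` is empty; a caller that passes non-empty groups with a null `roles` would get a NullPointerException from `new HashSet<>(roles)`. The condition should read `auditExcludedRoles = CollectionUtils.isEmpty(roles) ? Collections.emptySet() : new HashSet<>(roles);`. The method's signature is above the hunk, so the parameter names are taken from the visible lines.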
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 41b2492..236a4ab 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -80,6 +80,15 @@ public class RangerBasePlugin {
this.pluginConfig = pluginConfig;
this.pluginContext = new RangerPluginContext(pluginConfig);
+ Set<String> superUsers = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.users"));
+ Set<String> superGroups = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.groups"));
+ Set<String> auditExcludeUsers = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".audit.exclude.users"));
+ Set<String> auditExcludeGroups = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".audit.exclude.groups"));
+ Set<String> auditExcludeRoles = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".audit.exclude.roles"));
+
+ setSuperUsersAndGroups(superUsers, superGroups);
+ setAuditExcludedUsersGroupsRoles(auditExcludeUsers, auditExcludeGroups, auditExcludeRoles);
+
RangerScriptExecutionContext.init(pluginConfig);
}
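Review bot: The super-user and audit-exclusion sets applied by the two setter calls at the end of this block are reported only through the `LOG.debug` lines this commit adds in RangerPluginConfig. Unless debug logging is enabled, nothing records that a configuration file has named super users or excluded identities from auditing. Judging by the property names, these settings widen privilege and reduce audit coverage, which an operator would want visible at startup. I would log non-empty sets at INFO in the setters, e.g. `if (!superUsers.isEmpty() || !superGroups.isEmpty()) { LOG.info("superUsers=" + superUsers + ", superGroups=" + superGroups); }`, and do the same for the audit-excluded sets. The constructor's signature is above the hunk.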
@@ -692,6 +701,10 @@ public class RangerBasePlugin {
return false;
}
+ private Set<String> toSet(String value) {
+ return StringUtils.isNotBlank(value) ? StringUtil.toSet(value) : Collections.emptySet();
+ }
+
static private final class LogHistory {
long lastLogTime;
int counter;
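Review bot: `toSet` has no comment stating how it treats whitespace and empty tokens, and `StringUtil.toSet` is not visible here, so it is unclear whether a value such as `alice, bob` yields `bob` or ` bob`. An untrimmed entry would never match a user or group name, and the configured super-user or audit exclusion would silently not apply. I would add a Javadoc such as `/** Parses a comma-separated property value into a set of names; null or blank yields an empty set. */`, extend it with the trimming behaviour once confirmed, and add a test value with spaces around the commas.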
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 2567edb..c71461b 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -47,6 +47,7 @@ import org.apache.ranger.plugin.model.validation.ValidationFailureDetails;
import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData;
import org.apache.ranger.plugin.policyevaluator.RangerValidityScheduleEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerRequestedResources;
import org.apache.ranger.plugin.util.RangerRoles;
@@ -522,8 +523,14 @@ public class TestPolicyEngine {
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
- pluginContext.getConfig().setSuperUsersGroups(testCase.superUsers, testCase.superGroups);
- pluginContext.getConfig().setAuditExcludedUsersGroupsRoles(testCase.auditExcludedUsers, testCase.auditExcludedGroups, testCase.auditExcludedRoles);
+ setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
+ setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
+ setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
+ setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
+ setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);
+
+ // so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
+ new RangerBasePlugin(pluginContext.getConfig());
RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
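Review bot: `new RangerBasePlugin(pluginContext.getConfig());` is constructed only for its side effects and then discarded, and nothing afterwards checks that the five properties actually reached the config object. If a property suffix or the constructor's parsing changes, the failure would surface only indirectly through policy-evaluation results. A short check after construction, for example `for (String u : testCase.auditExcludedUsers) { assertTrue(pluginContext.getConfig().isAuditExcludedUser(u)); }` guarded for a null set, would pin this wiring directly. The enclosing test method starts and ends outside the hunk.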
@@ -695,6 +702,10 @@ public class TestPolicyEngine {
}
+ private void setPluginConfig(RangerPluginConfig conf, String suffix, Set<String> value) {
+ conf.set(conf.getPropertyPrefix() + suffix, CollectionUtils.isNotEmpty(value) ? StringUtils.join(value, ',') : "");
+ }
+
static class PolicyEngineTestCase {
public String serviceName;
public RangerServiceDef serviceDef;