Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/16 22:57:44 UTC
incubator-ranger git commit: RANGER-203: seperated audit handling
from policy-engine into a different object,
to enable plugins to provide diffent audit-handlers without having to
implement policy engine.
Repository: incubator-ranger
Updated Branches:
refs/heads/stack e551d589b -> eb271129c
RANGER-203: separated audit handling from policy-engine into a different
object, to enable plugins to provide different audit-handlers without
having to implement policy engine.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/eb271129
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/eb271129
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/eb271129
Branch: refs/heads/stack
Commit: eb271129c4d868b12fb9e13d1ae59d56036b884e
Parents: e551d58
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Fri Jan 16 13:54:17 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Jan 16 13:54:17 2015 -0800
----------------------------------------------------------------------
.../ranger/plugin/audit/RangerAuditHandler.java | 32 +++
.../plugin/audit/RangerDefaultAuditHandler.java | 249 +++++++++++++++++++
.../plugin/policyengine/RangerAccessResult.java | 50 ++--
.../plugin/policyengine/RangerPolicyEngine.java | 15 +-
.../policyengine/RangerPolicyEngineImpl.java | 187 +-------------
.../plugin/policyengine/TestPolicyEngine.java | 5 +-
.../policyengine/test_policyengine_hdfs.json | 10 +-
7 files changed, 329 insertions(+), 219 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
new file mode 100644
index 0000000..53edc18
--- /dev/null
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.audit;
+
+import java.util.List;
+
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+
+
+public interface RangerAuditHandler {
+ void logAudit(RangerAccessRequest request, RangerAccessResult result);
+
+ void logAudit(List<RangerAccessRequest> requests, List<RangerAccessResult> results);
+}
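Review bot: The interface carries no Javadoc, so an implementer has to read RangerDefaultAuditHandler to learn the contract of `logAudit(List, List)` — that the two lists are paired by index and, at least in the default handler in this commit, anything beyond the shorter list is not audited. Since the policy engine calls these methods after the access decision is computed and without a try/catch, an exception thrown here reaches the caller of `isAccessAllowed` instead of the decision; that is worth stating so implementers know to fail soft (or that fail-closed is the intent). I would add on the single-request method `/** Records audit information for one access decision. Implementations should not throw: an exception propagates to the caller of RangerPolicyEngine.isAccessAllowed after the decision has already been made. */` and on the list variant `/** Batch form: requests.get(i) corresponds to results.get(i). */`.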
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
new file mode 100644
index 0000000..bf55276
--- /dev/null
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
@@ -0,0 +1,249 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.audit;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.audit.provider.AuditProviderFactory;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
+
+
+public class RangerDefaultAuditHandler implements RangerAuditHandler {
+ private static final Log LOG = LogFactory.getLog(RangerDefaultAuditHandler.class);
+
+ private static final String RESOURCE_SEP = "/";
+
+
+ public RangerDefaultAuditHandler() {
+ }
+
+ @Override
+ public void logAudit(RangerAccessRequest request, RangerAccessResult result) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")");
+ }
+
+ Collection<AuthzAuditEvent> events = getAuditEvents(request, result);
+
+ logAudit(events);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + request + ", " + result + ")");
+ }
+ }
+
+ @Override
+ public void logAudit(List<RangerAccessRequest> requests, List<RangerAccessResult> results) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")");
+ }
+
+ Collection<AuthzAuditEvent> events = getAuditEvents(requests, results);
+
+ logAudit(events);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + requests + ", " + results + ")");
+ }
+ }
+
+
+ public Collection<AuthzAuditEvent> getAuditEvents(RangerAccessRequest request, RangerAccessResult result) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result + ")");
+ }
+
+ List<AuthzAuditEvent> ret = null;
+
+ if(request != null && result != null) {
+ RangerServiceDef serviceDef = result.getServiceDef();
+ int serviceType = (serviceDef != null && serviceDef.getId() != null) ? serviceDef.getId().intValue() : -1;
+ String serviceName = result.getServiceName();
+ String resourceType = getResourceName(request.getResource(), serviceDef);
+ String resourcePath = getResourceValueAsString(request.getResource(), serviceDef);
+
+ // TODO: optimize the number of audit logs created
+ for(Map.Entry<String, ResultDetail> e : result.getAccessTypeResults().entrySet()) {
+ String accessType = e.getKey();
+ ResultDetail accessResult = e.getValue();
+
+ if(! accessResult.isAudited()) {
+ continue;
+ }
+
+ AuthzAuditEvent event = createAuthzAuditEvent();
+
+ event.setRepositoryName(serviceName);
+ event.setRepositoryType(serviceType);
+ event.setResourceType(resourceType);
+ event.setResourcePath(resourcePath);
+ event.setEventTime(request.getAccessTime());
+ event.setUser(request.getUser());
+ event.setAccessType(request.getAction());
+ event.setAccessResult((short)(accessResult.isAllowed() ? 1 : 0));
+ event.setAclEnforcer("ranger-acl"); // TODO: review
+ event.setAction(accessType);
+ event.setClientIP(request.getClientIPAddress());
+ event.setClientType(request.getClientType());
+ event.setAgentHostname(null);
+ event.setAgentId(null);
+ event.setEventId(null);
+
+ if(ret == null) {
+ ret = new ArrayList<AuthzAuditEvent>();
+ }
+
+ ret.add(event);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + request + ", " + result + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ public Collection<AuthzAuditEvent> getAuditEvents(List<RangerAccessRequest> requests, List<RangerAccessResult> results) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results + ")");
+ }
+
+ List<AuthzAuditEvent> ret = null;
+
+ if(requests != null && results != null) {
+ int count = Math.min(requests.size(), results.size());
+
+ // TODO: optimize the number of audit logs created
+ for(int i = 0; i < count; i++) {
+ Collection<AuthzAuditEvent> events = getAuditEvents(requests.get(i), results.get(i));
+
+ if(events == null) {
+ continue;
+ }
+
+ if(ret == null) {
+ ret = new ArrayList<AuthzAuditEvent>();
+ }
+
+ ret.addAll(events);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultAuditHandler.getAuditEvents(" + requests + ", " + results + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ public void logAuthzAudit(AuthzAuditEvent auditEvent) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvent + ")");
+ }
+
+ if(auditEvent != null) {
+ AuditProviderFactory.getAuditProvider().log(auditEvent);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvent + ")");
+ }
+ }
+
+ public void logAudit(Collection<AuthzAuditEvent> auditEvents) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + auditEvents + ")");
+ }
+
+ if(auditEvents != null) {
+ for(AuthzAuditEvent auditEvent : auditEvents) {
+ logAuthzAudit(auditEvent);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + auditEvents + ")");
+ }
+ }
+
+ public AuthzAuditEvent createAuthzAuditEvent() {
+ return new AuthzAuditEvent();
+ }
+
+ public String getResourceName(RangerResource resource, RangerServiceDef serviceDef) {
+ String ret = null;
+
+ if(resource != null && serviceDef != null && serviceDef.getResources() != null) {
+ List<RangerResourceDef> resourceDefs = serviceDef.getResources();
+
+ for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) {
+ RangerResourceDef resourceDef = resourceDefs.get(idx);
+
+ if(resourceDef == null || !resource.exists(resourceDef.getName())) {
+ continue;
+ }
+
+ ret = resourceDef.getName();
+
+ break;
+ }
+ }
+
+ return ret;
+ }
+
+ public String getResourceValueAsString(RangerResource resource, RangerServiceDef serviceDef) {
+ String ret = null;
+
+ if(resource != null && serviceDef != null && serviceDef.getResources() != null) {
+ StringBuilder sb = new StringBuilder();
+
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ if(resourceDef == null || !resource.exists(resourceDef.getName())) {
+ continue;
+ }
+
+ if(sb.length() > 0) {
+ sb.append(RESOURCE_SEP);
+ }
+
+ sb.append(resource.getValue(resourceDef.getName()));
+ }
+
+ if(sb.length() > 0) {
+ ret = sb.toString();
+ }
+ }
+
+ return ret;
+ }
+}
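Review bot: `getAuditEvents(List, List)` silently truncates to `Math.min(requests.size(), results.size())`, so a mismatched batch drops the audit events of the extra requests without any trace in the log — for an audit component that loss should at least be visible. Before the loop I would add `if(requests.size() != results.size()) { LOG.warn("RangerDefaultAuditHandler.getAuditEvents(): requests.size()=" + requests.size() + " != results.size()=" + results.size() + "; only the first " + count + " pairs will be audited"); }`. Separately, `getAuditEvents(request, result)` dereferences `result.getAccessTypeResults().entrySet()` without a null check although every other input in this class is guarded; whether `setAccessTypeResults(null)` can leave that map null is not visible here, so either confirm it or guard it. Lastly, `logAuthzAudit` lets any exception from `AuditProviderFactory.getAuditProvider().log(...)` propagate up into `RangerPolicyEngine.isAccessAllowed`, which then returns nothing to the caller; if that fail-closed behaviour on audit failure is intended, say so in a comment, otherwise catch and log it there.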
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index a5a1ef3..ae75fe7 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -22,24 +22,43 @@ package org.apache.ranger.plugin.policyengine;
import java.util.HashMap;
import java.util.Map;
-import org.apache.commons.lang.ObjectUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerServiceDef;
public class RangerAccessResult {
public enum Result { ALLOWED, DENIED, PARTIALLY_ALLOWED };
+ private String serviceName = null;
+ private RangerServiceDef serviceDef = null;
private Map<String, ResultDetail> accessTypeResults = null;
- public RangerAccessResult() {
- this(null);
+ public RangerAccessResult(String serviceName, RangerServiceDef serviceDef) {
+ this(serviceName, serviceDef, null);
}
- public RangerAccessResult(Map<String, ResultDetail> accessTypeResults) {
+ public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, Map<String, ResultDetail> accessTypeResults) {
+ this.serviceName = serviceName;
+ this.serviceDef = serviceDef;
+
setAccessTypeResults(accessTypeResults);
}
/**
+ * @return the serviceName
+ */
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ /**
+ * @return the serviceDef
+ */
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+
+ /**
* @return the accessTypeResults
*/
public Map<String, ResultDetail> getAccessTypeResults() {
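Review bot: The new getters hand out the engine's live `RangerServiceDef` reference rather than a copy, and the Javadoc (`@return the serviceDef`) says nothing about ownership; an audit handler that mutates it would alter the definition the policy engine evaluates against. I would document it as `/** @return the service definition this result was evaluated against; shared with the policy engine, treat as read-only. */` and likewise note that `serviceName` is the name of the service whose policies produced this result. The public no-arg constructor is also gone, and TestPolicyEngine appears to load `test.result` of this type from the JSON fixture, so confirm the JSON library in use can instantiate the class without it.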
@@ -121,29 +140,6 @@ public class RangerAccessResult {
}
@Override
- public boolean equals(Object obj) {
- boolean ret = false;
-
- if(obj != null && (obj instanceof RangerAccessResult)) {
- RangerAccessResult other = (RangerAccessResult)obj;
-
- ret = (this == other) ||
- ObjectUtils.equals(accessTypeResults, other.accessTypeResults);
- }
-
- return ret;
- }
-
- @Override
- public int hashCode() {
- int ret = 7;
-
- ret = 31 * ret + (accessTypeResults == null ? 0 : accessTypeResults.hashCode()); // TODO: review
-
- return ret;
- }
-
- @Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index f5f10e8..c0d30c1 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -19,10 +19,9 @@
package org.apache.ranger.plugin.policyengine;
-import java.util.Collection;
import java.util.List;
-import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.plugin.audit.RangerAuditHandler;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -33,15 +32,7 @@ public interface RangerPolicyEngine {
void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies);
- RangerAccessResult isAccessAllowed(RangerAccessRequest request);
+ RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler);
- List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests);
-
- void logAudit(AuthzAuditEvent auditEvent);
-
- void logAudit(Collection<AuthzAuditEvent> auditEvents);
-
- Collection<AuthzAuditEvent> getAuditEvents(RangerAccessRequest request, RangerAccessResult result);
-
- Collection<AuthzAuditEvent> getAuditEvents(List<RangerAccessRequest> requests, List<RangerAccessResult> results);
+ List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests, RangerAuditHandler auditHandler);
}
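Review bot: Passing `null` as `auditHandler` now disables auditing for that call entirely (the implementation in this commit guards with `if(auditHandler != null)`), but the interface does not say so — a plugin author can silently lose the audit trail for every access decision. Document it on both methods, e.g. `/** Evaluates the request against the loaded policies. If auditHandler is null the decision is NOT audited; callers other than tests should always supply one. */`, and for the list overload state that the returned list is presumably index-aligned with `requests`, which is how the default audit handler pairs them.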
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c3b3098..351d8bd 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,28 +20,21 @@
package org.apache.ranger.plugin.policyengine;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.List;
-import java.util.Map;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.audit.RangerAuditHandler;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
-import org.apache.ranger.audit.provider.AuditProviderFactory;
-import org.apache.ranger.audit.model.AuthzAuditEvent;
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
- private static final String RESOURCE_SEP = "/";
-
private String serviceName = null;
private RangerServiceDef serviceDef = null;
private List<RangerPolicyEvaluator> policyEvaluators = null;
@@ -91,14 +84,16 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
@Override
- public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
+ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
}
RangerAccessResult ret = isAccessAllowedNoAudit(request);
- logAudit(getAuditEvents(request, ret));
+ if(auditHandler != null) {
+ auditHandler.logAudit(request, ret);
+ }
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
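Review bot: With the new null check, a caller that passes no handler gets an access decision with no audit record and nothing in the log, whereas before this commit every decision went through `logAudit`; that is a quiet way for a plugin to lose audit coverage. At minimum make it visible: `if(auditHandler != null) { auditHandler.logAudit(request, ret); } else if(LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.isAccessAllowed(): no audit handler provided; decision not audited"); }` — or, stronger, fall back to `new RangerDefaultAuditHandler()` when null. Note also that `logAudit` runs after `ret` is computed and outside any try/catch, so a throwing handler means the caller never receives the decision; if that fail-closed behaviour is intended, a one-line comment saying so would help the next reader.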
@@ -108,7 +103,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
@Override
- public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests) {
+ public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests, RangerAuditHandler auditHandler) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")");
}
@@ -123,174 +118,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
- logAudit(getAuditEvents(requests, ret));
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
- }
-
- return ret;
- }
-
- @Override
- public Collection<AuthzAuditEvent> getAuditEvents(RangerAccessRequest request, RangerAccessResult result) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.getAuditEvents(" + request + ", " + result + ")");
- }
-
- List<AuthzAuditEvent> ret = null;
-
- if(request != null && result != null) {
- // TODO: optimize the number of audit logs created
- for(Map.Entry<String, ResultDetail> e : result.getAccessTypeResults().entrySet()) {
- String accessType = e.getKey();
- ResultDetail accessResult = e.getValue();
-
- if(! accessResult.isAudited()) {
- continue;
- }
-
- AuthzAuditEvent event = new AuthzAuditEvent();
-
- event.setRepositoryName(serviceName);
- event.setRepositoryType(serviceDef.getId().intValue());
- event.setResourcePath(getResourceValueAsString(request.getResource()));
- event.setEventTime(request.getAccessTime());
- event.setUser(request.getUser());
- event.setAccessType(request.getAction());
- event.setAccessResult((short)(accessResult.isAllowed() ? 1 : 0));
- event.setAclEnforcer("ranger-acl"); // TODO: review
- event.setAction(accessType);
- event.setClientIP(request.getClientIPAddress());
- event.setClientType(request.getClientType());
- event.setAgentHostname(null);
- event.setAgentId(null);
- event.setEventId(null);
-
- if(ret == null) {
- ret = new ArrayList<AuthzAuditEvent>();
- }
-
- ret.add(event);
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.getAuditEvents(" + request + ", " + result + "): " + ret);
- }
-
- return ret;
- }
-
- @Override
- public Collection<AuthzAuditEvent> getAuditEvents(List<RangerAccessRequest> requests, List<RangerAccessResult> results) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.getAuditEvents(" + requests + ", " + results + ")");
- }
-
- List<AuthzAuditEvent> ret = null;
-
- if(requests != null && results != null) {
- int count = Math.min(requests.size(), results.size());
-
- // TODO: optimize the number of audit logs created
- for(int i = 0; i < count; i++) {
- Collection<AuthzAuditEvent> events = getAuditEvents(requests.get(i), results.get(i));
-
- if(events == null) {
- continue;
- }
-
- if(ret == null) {
- ret = new ArrayList<AuthzAuditEvent>();
- }
-
- ret.addAll(events);
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.getAuditEvents(" + requests + ", " + results + "): " + ret);
- }
-
- return ret;
- }
-
- @Override
- public void logAudit(AuthzAuditEvent auditEvent) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.logAudit(" + auditEvent + ")");
- }
-
- if(auditEvent != null) {
- AuditProviderFactory.getAuditProvider().log(auditEvent);
+ if(auditHandler != null) {
+ auditHandler.logAudit(requests, ret);
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.logAudit(" + auditEvent + ")");
- }
- }
-
- @Override
- public void logAudit(Collection<AuthzAuditEvent> auditEvents) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.logAudit(" + auditEvents + ")");
- }
-
- if(auditEvents != null) {
- for(AuthzAuditEvent auditEvent : auditEvents) {
- logAudit(auditEvent);
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.logAudit(" + auditEvents + ")");
- }
- }
-
- public String getResourceName(RangerResource resource) {
- String ret = null;
-
- if(resource != null && serviceDef != null && serviceDef.getResources() != null) {
- List<RangerResourceDef> resourceDefs = serviceDef.getResources();
-
- for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) {
- RangerResourceDef resourceDef = resourceDefs.get(idx);
-
- if(resourceDef == null || !resource.exists(resourceDef.getName())) {
- continue;
- }
-
- ret = resourceDef.getName();
-
- break;
- }
- }
-
- return ret;
- }
-
- public String getResourceValueAsString(RangerResource resource) {
- String ret = null;
-
- if(resource != null && serviceDef != null && serviceDef.getResources() != null) {
- StringBuilder sb = new StringBuilder();
-
- for(RangerResourceDef resourceDef : serviceDef.getResources()) {
- if(resourceDef == null || !resource.exists(resourceDef.getName())) {
- continue;
- }
-
- if(sb.length() > 0) {
- sb.append(RESOURCE_SEP);
- }
-
- sb.append(resource.getValue(resourceDef.getName()));
- }
-
- if(sb.length() > 0) {
- ret = sb.toString();
- }
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
}
return ret;
@@ -301,7 +134,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")");
}
- RangerAccessResult ret = new RangerAccessResult();
+ RangerAccessResult ret = new RangerAccessResult(serviceName, serviceDef);
if(request != null) {
if(CollectionUtils.isEmpty(request.getAccessTypes())) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 811c873..28f108e 100644
--- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -100,9 +100,10 @@ public class TestPolicyEngine {
for(TestData test : testCase.tests) {
RangerAccessResult expected = test.result;
- RangerAccessResult result = policyEngine.isAccessAllowed(test.request);
+ RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null);
- assertEquals(test.name, expected, result);
+ assertNotNull(test.name, result);
+ assertEquals(test.name, expected.getAccessTypeResults(), result.getAccessTypeResults());
}
} catch(Throwable excp) {
excp.printStackTrace();
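Review bot: Every test now passes `null` as the audit handler, so the audit path this commit introduces — event generation in `RangerDefaultAuditHandler` and the `isAudited` flags carried in the fixtures — is never exercised. Since `RangerDefaultAuditHandler.logAudit(Collection<AuthzAuditEvent>)` is public, a test subclass that overrides it to capture the events into a list would let each case assert that the number of events equals the number of `isAudited:true` entries in the expected result, and that none are produced otherwise. The enclosing loop and its try/catch continue outside the hunk.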
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eb271129/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index b9afd8b..9579ace 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -25,7 +25,7 @@
{"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false,
"resources":{"path":{"values":["/public/"],"isRecursive":true}},
"policyItems":[
- {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ {"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
]
}
,
@@ -135,6 +135,14 @@
},
"result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
}
+ ,
+ {"name":"ALLOW 'read /public/technology' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+ "accessTypes":["read","execute"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db"
+ },
+ "result":{"accessTypeResults":{"execute":{"isAllowed":true,"isAudited":false,"policyId":2},"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+ }
]
}
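Review bot: The new test case is named `ALLOW 'read /public/technology' for u=user1` but requests `["read","execute"]` and expects both to be allowed, so a failure on the execute half would be reported under a name that does not mention it; rename it to `ALLOW 'read,execute /public/technology' for u=user1`. The request also has `"userGroups":[]` while policy 2 only lists group `public`, so the expected match presumably relies on `public` being treated as an everyone-group — if that is the intent, it is worth encoding in the test name, since the fixture format allows no comments.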