Posted to commits@ranger.apache.org by ga...@apache.org on 2016/05/25 04:07:25 UTC
[1/2] incubator-ranger git commit: RANGER-991: Ranger should support
authorization for Apache Atlas
Repository: incubator-ranger
Updated Branches:
refs/heads/master be7465968 -> d21e6bb47
RANGER-991: Ranger should support authorization for Apache Atlas
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/72d61a87
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/72d61a87
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/72d61a87
Branch: refs/heads/master
Commit: 72d61a87ed746d0e67cfdc3324faf7f5c5f7be45
Parents: be74659
Author: Gautam Borad <ga...@apache.org>
Authored: Tue May 24 12:14:33 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Tue May 24 12:14:33 2016 +0530
----------------------------------------------------------------------
agents-common/scripts/enable-agent.sh | 33 +++
.../plugin/store/EmbeddedServiceDefsUtil.java | 10 +-
.../ranger/services/tag/RangerServiceTag.java | 119 -----------
.../service-defs/ranger-servicedef-atlas.json | 207 +++++++++++++++++++
plugin-atlas/.gitignore | 3 +
.../conf/ranger-atlas-audit-changes.cfg | 30 +++
plugin-atlas/conf/ranger-atlas-audit.xml | 122 +++++++++++
.../conf/ranger-atlas-security-changes.cfg | 29 +++
plugin-atlas/conf/ranger-atlas-security.xml | 83 ++++++++
.../conf/ranger-policymgr-ssl-changes.cfg | 23 +++
plugin-atlas/conf/ranger-policymgr-ssl.xml | 63 ++++++
plugin-atlas/pom.xml | 66 ++++++
plugin-atlas/scripts/install.properties | 110 ++++++++++
.../atlas/authorizer/RangerAtlasAuthorizer.java | 143 +++++++++++++
.../atlas/authorizer/RangerAtlasResource.java | 60 ++++++
.../services/atlas/RangerServiceAtlas.java | 62 ++++++
plugin-atlas/src/test/resource/log4j.properties | 34 +++
plugin-atlas/template/configuration.xml | 20 ++
pom.xml | 5 +
ranger-atlas-plugin-shim/.gitignore | 2 +
ranger-atlas-plugin-shim/pom.xml | 84 ++++++++
.../atlas/authorizer/RangerAtlasAuthorizer.java | 142 +++++++++++++
src/main/assembly/atlas-agent.xml | 170 +++++++++++++++
23 files changed, 1500 insertions(+), 120 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/scripts/enable-agent.sh
----------------------------------------------------------------------
diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh
index 1fa1845..39c4633 100755
--- a/agents-common/scripts/enable-agent.sh
+++ b/agents-common/scripts/enable-agent.sh
@@ -184,6 +184,8 @@ elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then
HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/libs
elif [ "${HCOMPONENT_NAME}" = "storm" ]; then
HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/extlib-daemon
+elif [ "${HCOMPONENT_NAME}" = "atlas" ]; then
+ HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/server/webapp/atlas/WEB-INF/lib
fi
HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/conf
@@ -713,6 +715,37 @@ then
fi
fi
+#Update Properties to File
+#$1 -> propertyName $2 -> newPropertyValue $3 -> fileName
+updatePropertyToFile(){
+ sed -i 's@^'$1'=[^ ]*$@'$1'='$2'@g' $3
+ validate=$(sed '/^\#/d' $3 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation
+ if test -z "$validate" ; then log "[E] '$1' not found in $3 file while Updating....!!"; exit 1; fi
+ echo "Property $1 updated successfully with : '$2'"
+}
+
+if [ "${HCOMPONENT_NAME}" = "atlas" ]
+then
+ if [ "${action}" = "enable" ]
+ then
+ authName="org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer"
+ else
+ authName="org.apache.atlas.authorize.SimpleAtlasAuthorizer"
+ fi
+
+ dt=`date '+%Y%m%d%H%M%S'`
+ fn=`ls ${HCOMPONENT_CONF_DIR}/atlas-application.properties 2> /dev/null`
+ if [ -f "${fn}" ]
+ then
+ dn=`dirname ${fn}`
+ bn=`basename ${fn}`
+ bf=${dn}/.${bn}.${dt}
+ echo "backup of ${fn} to ${bf} ..."
+ cp ${fn} ${bf}
+ echo "Updating properties file: [${fn}] ... "
+ updatePropertyToFile atlas.authorizer.impl $authName ${fn}
+ fi
+fi
#
# Set notice to restart the ${HCOMPONENT_NAME}
#
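Review bot: `updatePropertyToFile` prints "updated successfully" without confirming that the new value was written, because the `validate` check only tests that some line starting with `$1` has a non-empty value. If the `sed` pattern does not match (an existing value containing a space is rejected by `[^ ]*$`, as is `key = value` spacing), the old line is kept, so an enable run can leave `SimpleAtlasAuthorizer` in `atlas.authorizer.impl` while reporting success. Comparing the result would catch this: `if [ "$validate" != "$2" ]; then log "[E] '$1' was not updated in $3"; exit 1; fi`. The expansions are also unquoted and `$1` is used as a regex, so the dots in the property name match any character and `grep "^$1"` also matches longer keys with the same prefix; quoting `"$3"` and `"${fn}"` and matching on `^$1=` would be safer.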
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index bf29ee6..2002295 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -47,7 +47,7 @@ public class EmbeddedServiceDefsUtil {
// following servicedef list should be reviewed/updated whenever a new embedded service-def is added
- private static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr";
+ private static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas";
private static final String PROPERTY_SUPPORTED_SERVICE_DEFS = "ranger.supportedcomponents";
private Set<String> supportedServiceDefs;
public static final String EMBEDDED_SERVICEDEF_TAG_NAME = "tag";
@@ -61,6 +61,7 @@ public class EmbeddedServiceDefsUtil {
public static final String EMBEDDED_SERVICEDEF_KAFKA_NAME = "kafka";
public static final String EMBEDDED_SERVICEDEF_SOLR_NAME = "solr";
public static final String EMBEDDED_SERVICEDEF_NIFI_NAME = "nifi";
+ public static final String EMBEDDED_SERVICEDEF_ATLAS_NAME = "atlas";
public static final String PROPERTY_CREATE_EMBEDDED_SERVICE_DEFS = "ranger.service.store.create.embedded.service-defs";
@@ -74,6 +75,7 @@ public class EmbeddedServiceDefsUtil {
public static final String KAFKA_IMPL_CLASS_NAME = "org.apache.ranger.services.kafka.RangerServiceKafka";
public static final String SOLR_IMPL_CLASS_NAME = "org.apache.ranger.services.solr.RangerServiceSolr";
public static final String NIFI_IMPL_CLASS_NAME = "org.apache.ranger.services.nifi.RangerServiceNiFi";
+ public static final String ATLAS_IMPL_CLASS_NAME = "org.apache.ranger.services.atlas.RangerServiceAtlas";
private static EmbeddedServiceDefsUtil instance = new EmbeddedServiceDefsUtil();
@@ -88,6 +90,7 @@ public class EmbeddedServiceDefsUtil {
private RangerServiceDef kafkaServiceDef = null;
private RangerServiceDef solrServiceDef = null;
private RangerServiceDef nifiServiceDef = null;
+ private RangerServiceDef atlasServiceDef = null;
private RangerServiceDef tagServiceDef = null;
@@ -125,6 +128,7 @@ public class EmbeddedServiceDefsUtil {
kafkaServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_KAFKA_NAME);
solrServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_SOLR_NAME);
nifiServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_NIFI_NAME);
+ atlasServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_ATLAS_NAME);
tagServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_TAG_NAME);
@@ -177,6 +181,10 @@ public class EmbeddedServiceDefsUtil {
return getId(nifiServiceDef);
}
+ public long getAtlasServiceDefId() {
+ return getId(atlasServiceDef);
+ }
+
public long getTagServiceDefId() { return getId(tagServiceDef); }
private long getId(RangerServiceDef serviceDef) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java b/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
deleted file mode 100644
index f36a9a6..0000000
--- a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.services.tag;
-
-import java.util.*;
-
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.collections.MapUtils;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.ranger.plugin.model.RangerService;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.service.RangerBaseService;
-import org.apache.ranger.plugin.service.ResourceLookupContext;
-import org.apache.ranger.plugin.store.TagStore;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-public class RangerServiceTag extends RangerBaseService {
-
- private static final Log LOG = LogFactory.getLog(RangerServiceTag.class);
-
- public static final String TAG_RESOURCE_NAME = "tag";
-
- private TagStore tagStore = null;
-
-
- public RangerServiceTag() {
- super();
- }
-
- @Override
- public void init(RangerServiceDef serviceDef, RangerService service) {
- super.init(serviceDef, service);
- }
-
- public void setTagStore(TagStore tagStore) {
- this.tagStore = tagStore;
- }
-
- @Override
- public HashMap<String,Object> validateConfig() throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerServiceTag.validateConfig(" + serviceName + " )");
- }
-
- HashMap<String, Object> ret = new HashMap<String, Object>();
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerServiceTag.validateConfig(" + serviceName + " ): " + ret);
- }
-
- return ret;
- }
-
- @Override
- public List<String> lookupResource(ResourceLookupContext context) throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerServiceTag.lookupResource(" + context + ")");
- }
-
- List<String> ret = new ArrayList<String>();
-
- if (context != null && StringUtils.equals(context.getResourceName(), TAG_RESOURCE_NAME)) {
- try {
- List<String> tags = tagStore != null ? tagStore.getTagTypes() : null;
-
- if(CollectionUtils.isNotEmpty(tags)) {
- List<String> valuesToExclude = MapUtils.isNotEmpty(context.getResources()) ? context.getResources().get(TAG_RESOURCE_NAME) : null;
-
- if(CollectionUtils.isNotEmpty(valuesToExclude)) {
- for (String valueToExclude : valuesToExclude) {
- tags.remove(valueToExclude);
- }
- }
-
- String valueToMatch = context.getUserInput();
-
- if(StringUtils.isNotEmpty(valueToMatch)) {
- if(! valueToMatch.endsWith("*")) {
- valueToMatch += "*";
- }
-
- for (String tag : tags) {
- if(FilenameUtils.wildcardMatch(tag, valueToMatch)) {
- ret.add(tag);
- }
- }
- }
- }
- } catch (Exception excp) {
- LOG.error("RangerServiceTag.lookupResource()", excp);
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerServiceTag.lookupResource(): tag count=" + ret.size());
- }
-
- return ret;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
new file mode 100644
index 0000000..4a550c6
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
@@ -0,0 +1,207 @@
+{
+ "id":11,
+ "name": "atlas",
+ "implClass": "org.apache.ranger.services.atlas.RangerServiceAtlas",
+ "label": "Atlas Metadata Server",
+ "description": "Atlas Metadata Server",
+ "resources":
+ [
+ {
+ "itemId": 1,
+ "name": "entity",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Entity",
+ "description": "Entity"
+ },
+
+ {
+ "itemId": 2,
+ "name": "type",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Type",
+ "description": "Type"
+ },
+
+ {
+ "itemId": 3,
+ "name": "operation",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Operations",
+ "description": "Admin Operations"
+ },
+
+ {
+ "itemId": 4,
+ "name": "taxonomy",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Taxonomy",
+ "description": "Taxonomy"
+ },
+
+ {
+ "itemId": 5,
+ "name": "term",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Term",
+ "description": "Term"
+ }
+
+
+ ],
+
+ "accessTypes":
+ [
+ {
+ "itemId": 1,
+ "name": "read",
+ "label": "read"
+ },
+
+ {
+ "itemId": 2,
+ "name": "create",
+ "label": "create"
+ },
+
+ {
+ "itemId": 3,
+ "name": "update",
+ "label": "update"
+ },
+
+ {
+ "itemId": 4,
+ "name": "delete",
+ "label": "delete"
+ },
+
+
+ {
+ "itemId": 5,
+ "name": "all",
+ "label": "All",
+ "impliedGrants":
+ [
+ "read",
+ "create",
+ "update",
+ "delete"
+ ]
+ }
+ ],
+
+ "configs":
+ [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Username"
+ },
+
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Password"
+ },
+
+ {
+ "itemId": 3,
+ "name": "atlas.rest.address",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "defaultValue": "http://localhost:21000"
+ },
+
+ {
+ "itemId": 4,
+ "name": "commonNameForCertificate",
+ "type": "string",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Common Name for Certificate"
+ }
+ ],
+
+ "enums":
+ [
+
+ ],
+
+ "contextEnrichers":
+ [
+ ],
+
+ "policyConditions":
+ [
+ ]
+}
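Review bot: The `atlas.rest.address` config (itemId 3) defaults to `http://localhost:21000` while the same definition collects a `username` and `password`, so a service created with the default would presumably send those credentials to Atlas over plaintext HTTP; how RangerServiceAtlas uses them is not visible in this file. Consider dropping the `defaultValue` or stating in a label that an `https://` address is expected beyond a single-host setup. Item 3 is also the only config entry without a `"label"`, for example `"label": "Atlas REST Address"`. Separately, every resource sets `"ignoreCase":true`; if Atlas treats entity or type names as case-sensitive, a policy written for one name would also match names that differ only in case, which is worth confirming against Atlas before this ships as the default matcher option.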
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/.gitignore
----------------------------------------------------------------------
diff --git a/plugin-atlas/.gitignore b/plugin-atlas/.gitignore
new file mode 100644
index 0000000..02f68bb
--- /dev/null
+++ b/plugin-atlas/.gitignore
@@ -0,0 +1,3 @@
+/target/
+/bin/
+.settings/
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-audit-changes.cfg b/plugin-atlas/conf/ranger-atlas-audit-changes.cfg
new file mode 100644
index 0000000..07fc382
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-audit-changes.cfg
@@ -0,0 +1,30 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#solr configuration
+xasecure.audit.destination.solr %XAAUDIT.SOLR.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.solr.urls %XAAUDIT.SOLR.URL% mod create-if-not-exists
+xasecure.audit.destination.solr.user %XAAUDIT.SOLR.USER% mod create-if-not-exists
+xasecure.audit.destination.solr.password %XAAUDIT.SOLR.PASSWORD% mod create-if-not-exists
+xasecure.audit.destination.solr.zookeepers %XAAUDIT.SOLR.ZOOKEEPER% mod create-if-not-exists
+
+
+#hdfs configuration
+xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+
+
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-audit.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-audit.xml b/plugin-atlas/conf/ranger-atlas-audit.xml
new file mode 100644
index 0000000..93ad238
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-audit.xml
@@ -0,0 +1,122 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ </property>
+
+ <!-- Solr audit provider configuration -->
+
+ <property>
+ <name>xasecure.audit.destination.solr</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.urls</name>
+ <value>NONE</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.zookeepers</name>
+ <value></value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.collection</name>
+ <value>NONE</value>
+ </property>
+
+
+ <!-- HDFS audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.subdir</name>
+ <value>%app-type%/%time:yyyyMMdd%</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.filename.format</name>
+ <value>%app-type%_ranger_audit_%hostname%.log</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.file.rollover.sec</name>
+ <value>86400</value>
+ </property>
+
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
+
+ <!-- Log4j audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.log4j</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.log4j.logger</name>
+ <value></value>
+ </property>
+
+</configuration>
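Review bot: With these defaults `xasecure.audit.is.enabled` is `true` but the solr, hdfs and log4j destinations are all `false`, so unless the install step rewrites them, access decisions made by the Atlas plugin would apparently not be stored anywhere. A comment beside the first property would make that explicit, for example `<!-- At least one xasecure.audit.destination.* below must be enabled for audit events to be stored -->`. The commented WASB sample also sets `xasecure.audit.destination.hdfs` to `enabled` where the active property uses `true`/`false`; a short remark on which form the plugin accepts would help avoid a destination that is silently left off.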
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-security-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-security-changes.cfg b/plugin-atlas/conf/ranger-atlas-security-changes.cfg
new file mode 100644
index 0000000..08790b9
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-security-changes.cfg
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+#
+#
+ranger.plugin.atlas.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.atlas.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
+
+ranger.plugin.atlas.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
+ranger.plugin.atlas.policy.rest.ssl.config.file /etc/atlas/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.atlas.policy.pollIntervalMs 30000 mod create-if-not-exists
+ranger.plugin.atlas.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.atlas.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.atlas.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-security.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-security.xml b/plugin-atlas/conf/ranger-atlas-security.xml
new file mode 100644
index 0000000..933c8e7
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-security.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>ranger.plugin.atlas.service.name</name>
+ <value>atlasdev</value>
+ <description>
+ Name of the Ranger service containing policies for this YARN instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ <description>
+ Class to retrieve policies from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.url</name>
+ <value>http://policymanagerhost:port</value>
+ <description>
+ URL to Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.ssl.config.file</name>
+ <value>/etc/atlas/conf/ranger-policymgr-ssl.xml</value>
+ <description>
+ Path to the file containing SSL details to contact Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies?
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.cache.dir</name>
+ <value>/etc/ranger/atlasdev/policycache</value>
+ <description>
+ Directory where Ranger policies are cached after successful retrieval from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
+</configuration>
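Review bot: The description of `ranger.plugin.atlas.service.name` says "for this YARN instance", which looks copied from the YARN plugin and should read `Name of the Ranger service containing policies for this Atlas instance`. The sample value of `ranger.plugin.atlas.policy.rest.url` is `http://policymanagerhost:port` although the next property points at an SSL configuration file. Its description could note that an `https://` URL is presumably required for that SSL configuration to take effect, since policies downloaded over plain HTTP have no integrity protection in transit.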
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg b/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg
new file mode 100644
index 0000000..6bf4265
--- /dev/null
+++ b/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SSL Params
+#
+xasecure.policymgr.clientssl.keystore %SSL_KEYSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.keystore.password %SSL_KEYSTORE_PASSWORD% mod create-if-not-exists
+xasecure.policymgr.clientssl.keystore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore %SSL_TRUSTSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore.password %SSL_TRUSTSTORE_PASSWORD% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-policymgr-ssl.xml b/plugin-atlas/conf/ranger-policymgr-ssl.xml
new file mode 100644
index 0000000..964aac7
--- /dev/null
+++ b/plugin-atlas/conf/ranger-policymgr-ssl.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <!-- The following properties are used for 2-way SSL client server validation -->
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore</name>
+ <value>hadoopdev-clientcert.jks</value>
+ <description>
+ Java Keystore files
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.password</name>
+ <value>none</value>
+ <description>
+ password for keystore
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore</name>
+ <value>cacerts-xasecure.jks</value>
+ <description>
+ java truststore file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.password</name>
+ <value>none</value>
+ <description>
+ java truststore password
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+ <value>jceks://file/tmp/keystore-hadoopdev-ssl.jceks</value>
+ <description>
+ java keystore credential file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+ <value>jceks://file/tmp/truststore-hadoopdev-ssl.jceks</value>
+ <description>
+ java truststore credential file
+ </description>
+ </property>
+</configuration>
\ No newline at end of file
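Review bot: Both credential-file defaults point into `/tmp` (`jceks://file/tmp/keystore-hadoopdev-ssl.jceks` and the truststore equivalent), a world-writable directory where the store can be replaced by another local account or removed by tmp cleanup. Sample values like these tend to survive into deployments, so a path under the component's configuration directory, readable only by the Atlas service user, would be a safer default. The descriptions could carry the requirement, e.g. `java keystore credential file (keep outside /tmp, readable only by the service user)`. The file also ends without a trailing newline, as the diff marker shows.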
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/pom.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/pom.xml b/plugin-atlas/pom.xml
new file mode 100644
index 0000000..2c82c57
--- /dev/null
+++ b/plugin-atlas/pom.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-atlas-plugin</artifactId>
+ <name>Atlas Security Plugin</name>
+ <description>Atlas Security Plugins</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.6.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.google.code.gson</groupId>
+ <artifactId>gson</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-authorization</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-common</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ </dependencies>
+</project>
+
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-atlas/scripts/install.properties b/plugin-atlas/scripts/install.properties
new file mode 100644
index 0000000..b339d26
--- /dev/null
+++ b/plugin-atlas/scripts/install.properties
@@ -0,0 +1,110 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Location of Policy Manager URL
+#
+# Example:
+# POLICY_MGR_URL=http://policymanager.xasecure.net:6080
+#
+POLICY_MGR_URL=
+
+#
+# Location of db client library (please check the location of the jar file)
+#
+# Example:
+# SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
+# SQL_CONNECTOR_JAR=/usr/share/java/ojdbc6.jar
+#
+SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
+
+#
+# This is the repository name created within policy manager
+#
+# Example:
+# REPOSITORY_NAME=atlasdev
+#
+REPOSITORY_NAME=
+
+# AUDIT configuration with V3 properties
+
+#Should audit be summarized at source
+XAAUDIT.SUMMARY.ENABLE=true
+
+# Enable audit logs to Solr
+#Example
+#XAAUDIT.SOLR.ENABLE=true
+#XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
+#XAAUDIT.SOLR.ZOOKEEPER=
+#XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/atlas/audit/solr/spool
+
+XAAUDIT.SOLR.ENABLE=false
+XAAUDIT.SOLR.URL=NONE
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+
+# Enable audit logs to HDFS
+#Example
+#XAAUDIT.HDFS.ENABLE=true
+#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
+#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/atlas/audit/hdfs/spool
+
+XAAUDIT.HDFS.ENABLE=false
+XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
+
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+# End of V3 properties
+
+
+#
+# SSL Client Certificate Information
+#
+# Example:
+# SSL_KEYSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-keystore.jks
+# SSL_KEYSTORE_PASSWORD=none
+# SSL_TRUSTSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-truststore.jks
+# SSL_TRUSTSTORE_PASSWORD=none
+#
+# You do not need use SSL between agent and security admin tool, please leave these sample value as it is.
+#
+SSL_KEYSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=atlas
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
+
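Review bot: The SSL block near the end of this file ships live default secrets, `SSL_KEYSTORE_PASSWORD=myKeyFilePassword` and `SSL_TRUSTSTORE_PASSWORD=changeit`, and the comment above them tells the operator to leave the sample values as they are when SSL is not in use. An installation that later turns SSL on can keep these well-known passwords without anyone noticing. I would use a `__REPLACE__`-style placeholder, as the Azure account key entries in this file already do, and add a comment such as `# Set these before enabling SSL; do not deploy with the sample passwords`. The only `POLICY_MGR_URL` example is plain `http://`, so an `https://` example next to it would help. `XAAUDIT.SOLR.PASSWORD` is also kept in clear text here, which deserves a comment about restricting the file's permissions.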
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
new file mode 100644
index 0000000..c735aa7
--- /dev/null
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.atlas.authorizer;
+
+import java.util.Date;
+import java.util.Set;
+
+import org.apache.atlas.authorize.AtlasAccessRequest;
+import org.apache.atlas.authorize.AtlasAuthorizationException;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class RangerAtlasAuthorizer implements AtlasAuthorizer {
+ private static final Logger LOG = LoggerFactory.getLogger(RangerAtlasAuthorizer.class);
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+ private static volatile RangerBasePlugin atlasPlugin = null;
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAtlasPlugin.init()");
+ }
+
+ RangerBasePlugin plugin = atlasPlugin;
+
+ if (plugin == null) {
+ synchronized (RangerAtlasPlugin.class) {
+ plugin = atlasPlugin;
+
+ if (plugin == null) {
+ plugin = new RangerAtlasPlugin();
+ plugin.init();
+ plugin.setResultProcessor(new RangerDefaultAuditHandler());
+ atlasPlugin = plugin;
+
+ }
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAtlasPlugin.init()");
+ }
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException {
+ boolean isAccessAllowed = true;
+ if (isDebugEnabled) {
+ LOG.debug("==> isAccessAllowed( " + request + " )");
+ }
+
+ String resource = request.getResource();
+ String user = request.getUser();
+ Set<String> userGroups = request.getUserGroups();
+ String action = request.getAction().name();
+ Set<AtlasResourceTypes> resourceTypes = request.getResourceTypes();
+ String clientIPAddress = request.getClientIPAddress();
+
+ for (AtlasResourceTypes resourceType : resourceTypes) {
+ RangerAtlasAccessRequest rangerRequest =
+ new RangerAtlasAccessRequest(resourceType, resource, action, user, userGroups, clientIPAddress);
+ if (isDebugEnabled) {
+ LOG.debug("Creating RangerAtlasAccessRequest with values [resource : " + resource + ", user : " + user
+ + ", Groups : " + userGroups + ", action : " + action + ", resourceType : " + resourceType
+ + ", clientIP : " + clientIPAddress + "]");
+ }
+ isAccessAllowed = checkAccess(rangerRequest);
+ if (!isAccessAllowed) {
+ break;
+ }
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== isAccessAllowed Returning value :: " + isAccessAllowed);
+ }
+ return isAccessAllowed;
+ }
+
+ private boolean checkAccess(RangerAtlasAccessRequest request) {
+ boolean isAccessAllowed = false;
+ RangerBasePlugin plugin = atlasPlugin;
+
+ if (plugin != null) {
+ RangerAccessResult rangerResult = plugin.isAccessAllowed(request);
+ isAccessAllowed = (rangerResult == null) ? false : rangerResult.getIsAllowed();
+ } else {
+ isAccessAllowed = false;
+ LOG.warn("AtlasPlugin not initialized properly : " + plugin+"... Access blocked!!!");
+ }
+ return isAccessAllowed;
+ }
+
+ @Override
+ public void cleanUp() {
+ if (isDebugEnabled) {
+ LOG.debug("==> cleanUp ");
+ }
+ }
+
+ class RangerAtlasPlugin extends RangerBasePlugin {
+ RangerAtlasPlugin() {
+ super("atlas", "atlas");
+ }
+ }
+
+}
+
+class RangerAtlasAccessRequest extends RangerAccessRequestImpl {
+
+ public RangerAtlasAccessRequest(AtlasResourceTypes resType, String resource, String action, String user,
+ Set<String> userGroups, String clientIp) {
+ super.setResource(new RangerAtlasResource(resType, resource));
+ super.setAccessType(action);
+ super.setUser(user);
+ super.setUserGroups(userGroups);
+ super.setAccessTime(new Date(System.currentTimeMillis()));
+ super.setClientIPAddress(clientIp);
+ super.setAction(action);
+ }
+
+}
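Review bot: `isAccessAllowed` starts from `boolean isAccessAllowed = true;`, so a request whose `getResourceTypes()` is empty never enters the loop and is allowed without any policy check. The default should be deny, `boolean isAccessAllowed = false;`, which leaves the non-empty case unchanged because the loop assigns the result of `checkAccess` on every pass. A null set from `getResourceTypes()` or a null `getAction()` would throw a NullPointerException here rather than produce a decision, so an explicit guard that returns false would make the deny path visible. `isDebugEnabled` is read once at class load while `init()` calls `LOG.isDebugEnabled()` directly; one of the two styles should be used throughout.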
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java
new file mode 100644
index 0000000..01b0f82
--- /dev/null
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.atlas.authorizer;
+
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class RangerAtlasResource extends RangerAccessResourceImpl {
+ public static final String KEY_TYPE = "type";
+ public static final String KEY_ENTITY = "entity";
+ public static final String KEY_OPERATION = "operation";
+ public static final String KEY_TAXONOMY = "taxonomy";
+ public static final String KEY_TERM = "term";
+
+ private static final Logger LOG = LoggerFactory.getLogger(RangerAtlasResource.class);
+
+ public RangerAtlasResource(AtlasResourceTypes resourceType, String atlasResource) {
+ switch (resourceType) {
+ case TYPE:
+ setValue(KEY_TYPE, atlasResource);
+ break;
+ case ENTITY:
+ setValue(KEY_ENTITY, atlasResource);
+ break;
+ case OPERATION:
+ setValue(KEY_OPERATION, atlasResource);
+ break;
+ case TAXONOMY:
+ setValue(KEY_TAXONOMY, atlasResource);
+ break;
+ case TERM:
+ setValue(KEY_TERM, atlasResource);
+ break;
+ default:
+ LOG.warn("Invalid Resource : " + atlasResource);
+ break;
+ }
+
+ }
+
+}
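Review bot: The `default` branch of the constructor's switch only logs and returns, so an unrecognised `AtlasResourceTypes` value produces a resource with no key set, and the caller can still pass it to the policy engine. Whether such an empty resource is denied depends on engine behaviour that is not visible in this hunk, so I would fail explicitly, e.g. `throw new IllegalArgumentException("Unsupported resource type: " + resourceType);`, or at least document that callers must treat it as deny. The warning should name the type as well as the value: `LOG.warn("Invalid resource type : " + resourceType + ", resource : " + atlasResource);`. A null `resourceType` makes the switch itself throw a NullPointerException, which the constructor's Javadoc should state.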
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
new file mode 100644
index 0000000..47616f4
--- /dev/null
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.services.atlas;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.client.BaseClient;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.service.RangerBaseService;
+import org.apache.ranger.plugin.service.ResourceLookupContext;
+
+public class RangerServiceAtlas extends RangerBaseService {
+
+ private static final Log LOG = LogFactory.getLog(RangerServiceAtlas.class);
+
+ public RangerServiceAtlas() {
+ super();
+ }
+
+ @Override
+ public void init(RangerServiceDef serviceDef, RangerService service) {
+ super.init(serviceDef, service);
+ }
+
+ @Override
+ public HashMap<String, Object> validateConfig() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("This method will be implemented");
+ }
+ HashMap<String, Object> responseMap = new HashMap<String, Object>();
+ String msg = "This feature is not available currently";
+ BaseClient.generateResponseDataMap(true, msg, msg, null, null, responseMap);
+ return responseMap;
+ }
+
+ @Override
+ public List<String> lookupResource(ResourceLookupContext context) throws Exception {
+ //This feature is not available currently
+ return new ArrayList<String>();
+ }
+}
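Review bot: `validateConfig()` passes `true` as the first argument of `BaseClient.generateResponseDataMap` while the message says the feature is not available. Assuming that argument is the connectivity status (its definition is outside this hunk), a connection test for an Atlas service reports success without contacting anything, and an operator can read that as a verified configuration. Until the check exists I would either pass `false` or keep `true` with a message that says so, e.g. `"Connection test is not implemented for Atlas; configuration was not verified"`. The debug line `"This method will be implemented"` would be better as a `// TODO` comment on the method.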
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/test/resource/log4j.properties
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/test/resource/log4j.properties b/plugin-atlas/src/test/resource/log4j.properties
new file mode 100644
index 0000000..f7ab2ba
--- /dev/null
+++ b/plugin-atlas/src/test/resource/log4j.properties
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##-- To prevent junits from cluttering the build run by default all test runs send output to null appender
+log4j.appender.devnull=org.apache.log4j.varia.NullAppender
+ranger.root.logger=FATAL,devnull
+
+##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
+# ranger.root.logger=DEBUG,console
+log4j.rootLogger=${ranger.root.logger}
+
+# Logging Threshold
+log4j.threshold=ALL
+
+#
+# console
+# Add "console" to rootlogger above if you want to use this
+#
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/template/configuration.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/template/configuration.xml b/plugin-atlas/template/configuration.xml
new file mode 100644
index 0000000..bdb0125
--- /dev/null
+++ b/plugin-atlas/template/configuration.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<configuration>
+</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 327f30c..29292a7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -104,9 +104,11 @@
<module>ranger-storm-plugin-shim</module>
<module>ranger-kafka-plugin-shim</module>
<module>ranger-solr-plugin-shim</module>
+ <module>ranger-atlas-plugin-shim</module>
<module>ranger-hive-utils</module>
<module>ranger-examples</module>
<module>ranger-tools</module>
+ <module>plugin-atlas</module>
</modules>
<properties>
<javac.source.version>1.7</javac.source.version>
@@ -162,6 +164,7 @@
<hamcrest.all.version>1.3</hamcrest.all.version>
<hbase.version>1.1.3</hbase.version>
<hive.version>2.1.0-SNAPSHOT</hive.version>
+ <atlas.version>0.7-incubating-SNAPSHOT</atlas.version>
<htrace-core.version>3.1.0-incubating</htrace-core.version>
<httpcomponents.httpclient.version>4.3.6</httpcomponents.httpclient.version>
<httpcomponents.httpcore.version>4.4.3</httpcomponents.httpcore.version>
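Review bot: `atlas.version` is set to `0.7-incubating-SNAPSHOT`, so both new Atlas modules compile against whichever `atlas-authorization` snapshot the build happens to resolve. The `AtlasAuthorizer` interface the plugin implements can change underneath it without any change in this repository, and the build is not reproducible. I would pin a released Atlas version once one carries the authorization API, and until then add a comment next to the property, e.g. `<!-- TODO: switch to an Atlas release once the authorizer API is published -->`.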
@@ -401,6 +404,7 @@
<descriptor>src/main/assembly/kms.xml</descriptor>
<descriptor>src/main/assembly/ranger-tools.xml</descriptor>
<descriptor>src/main/assembly/ranger-src.xml</descriptor>
+ <descriptor>src/main/assembly/atlas-agent.xml</descriptor>
</descriptors>
</configuration>
</plugin>
@@ -517,6 +521,7 @@
<exclude>**/.classpath/**</exclude>
<exclude>**/*.iml</exclude>
<exclude>**/target/**</exclude>
+ <exclude>**/bin/**</exclude>
<exclude>**/CHANGES</exclude>
<exclude>**/ISSUES</exclude>
<exclude>**/patchprocess/**</exclude>
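Review bot: The new `<exclude>**/bin/**</exclude>` is unrelated to the Atlas plugin and matches every `bin` directory in the tree. The enclosing plugin element is outside the hunk, but the neighbouring entries look like a license-audit exclude list; if so, scripts under any `bin/` directory would no longer be checked for license headers. If the intent is to skip IDE output folders, a narrower pattern or a comment stating the reason, e.g. `<!-- IDE build output -->`, would make that clear.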
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/ranger-atlas-plugin-shim/.gitignore
----------------------------------------------------------------------
diff --git a/ranger-atlas-plugin-shim/.gitignore b/ranger-atlas-plugin-shim/.gitignore
new file mode 100644
index 0000000..b9c5b0b
--- /dev/null
+++ b/ranger-atlas-plugin-shim/.gitignore
@@ -0,0 +1,2 @@
+/target/
+.settings/
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/ranger-atlas-plugin-shim/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-atlas-plugin-shim/pom.xml b/ranger-atlas-plugin-shim/pom.xml
new file mode 100644
index 0000000..a656d94
--- /dev/null
+++ b/ranger-atlas-plugin-shim/pom.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-atlas-plugin-shim</artifactId>
+ <name>Atlas Security Plugin Shim</name>
+ <description>Atlas Security Plugins Shim</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.6.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>${commons.logging.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-hdfs</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugin-classloader</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.google.code.gson</groupId>
+ <artifactId>gson</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-authorization</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-common</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
new file mode 100644
index 0000000..d8bdefd
--- /dev/null
+++ b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.atlas.authorizer;
+
+import org.apache.atlas.authorize.AtlasAccessRequest;
+import org.apache.atlas.authorize.AtlasAuthorizationException;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class RangerAtlasAuthorizer implements AtlasAuthorizer {
+ private static final Logger LOG = LoggerFactory.getLogger(RangerAtlasAuthorizer.class);
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+ private static volatile RangerBasePlugin atlasPlugin = null;
+
+ private static final String RANGER_PLUGIN_TYPE = "atlas";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-atlas-plugin"};
+ private static final String RANGER_ATLAS_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer";
+
+ private AtlasAuthorizer rangerAtlasAuthorizerImpl = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerAtlasAuthorizer() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAtlasAuthorizer.RangerAtlasAuthorizer()");
+ }
+
+ this.init0();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAtlasAuthorizer.RangerAtlasAuthorizer()");
+ }
+ }
+
+ private void init0() {
+ LOG.info("Initializing RangerAtlasPlugin");
+ try {
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class<AtlasAuthorizer> cls = (Class<AtlasAuthorizer>) Class.forName(RANGER_ATLAS_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ rangerAtlasAuthorizerImpl = cls.newInstance();
+ } catch (Exception e) {
+ // check what need to be done
+ LOG.error("Error Enabling RangerAtlasPluing", e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAtlasPlugin.init()");
+ }
+ }
+
+ @Override
+ public void init() {
+ if (isDebugEnabled) {
+ LOG.debug("gautam init <===");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ rangerAtlasAuthorizerImpl.init();
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("gautam init ===> " );
+ }
+
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException {
+ boolean isAccessAllowed = false;
+ if (isDebugEnabled) {
+ LOG.debug("isAccessAllowed <===");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ isAccessAllowed = rangerAtlasAuthorizerImpl.isAccessAllowed(request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("isAccessAllowed ===> Returning value :: " + isAccessAllowed);
+ }
+ return isAccessAllowed;
+ }
+
+ @Override
+ public void cleanUp() {
+ if (isDebugEnabled) {
+ LOG.debug("cleanUp <===");
+ }
+ try {
+ activatePluginClassLoader();
+ rangerAtlasAuthorizerImpl.cleanUp();
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ }
+
+ private void activatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+}
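Review bot: `init0()` catches every exception and only logs it, which leaves `rangerAtlasAuthorizerImpl` null; `init()`, `isAccessAllowed()` and `cleanUp()` then dereference it unguarded, so a failed class load surfaces later as a NullPointerException on each authorization call instead of a clear startup failure or an explicit deny. I would either rethrow from `init0()` with `throw new IllegalStateException("Error enabling RangerAtlasPlugin", e);` or guard the call with `if (rangerAtlasAuthorizerImpl == null) { LOG.error("Ranger Atlas authorizer not loaded; denying access"); return false; }`. The debug strings `"gautam init <==="` and `"gautam init ===> "` are leftover personal markers, and the error message has a typo (`RangerAtlasPluing`). `atlasPlugin`, `RANGER_PLUGIN_LIB_DIR` and the `RangerBasePlugin` import are unused in this file, and the static `rangerPluginClassLoader` is assigned on the constructor path without synchronization.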
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/src/main/assembly/atlas-agent.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/atlas-agent.xml b/src/main/assembly/atlas-agent.xml
new file mode 100644
index 0000000..a1c1cc5
--- /dev/null
+++ b/src/main/assembly/atlas-agent.xml
@@ -0,0 +1,170 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<assembly>
+ <id>atlas-plugin</id>
+ <formats>
+ <format>tar.gz</format>
+ <format>zip</format>
+ </formats>
+ <baseDirectory>${project.name}-${project.version}-atlas-plugin</baseDirectory>
+ <includeBaseDirectory>true</includeBaseDirectory>
+ <moduleSets>
+
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/lib</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-atlas-plugin-shim</include>
+ <include>org.apache.ranger:ranger-plugin-classloader</include>
+ </includes>
+ </moduleSet>
+
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/lib/ranger-atlas-plugin-impl</outputDirectory>
+ <includes>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+ <include>com.google.code.gson:gson</include>
+ <include>org.eclipse.persistence:eclipselink</include>
+ <include>org.eclipse.persistence:javax.persistence</include>
+ <include>com.sun.jersey:jersey-bundle</include>
+ <include>com.google.guava:guava:jar:${guava.version}</include>
+ <include>org.codehaus.jackson:jackson-core-asl</include>
+ <include>org.codehaus.jackson:jackson-jaxrs</include>
+ <include>org.codehaus.jackson:jackson-mapper-asl</include>
+ <include>org.codehaus.jackson:jackson-xc</include>
+ <include>commons-configuration:commons-configuration</include>
+ <include>com.google.code.gson:gson*</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
+ <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
+ <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+ <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
+ <include>org.codehaus.jackson:jackson-core-asl:jar:${codehaus.jackson.version}</include>
+ <include>org.codehaus.jackson:jackson-mapper-asl:jar:${codehaus.jackson.version}</include>
+ </includes>
+ <unpack>false</unpack>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <includes>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-collections:commons-collections</include>
+ <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include>
+ <include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>commons-lang:commons-lang:jar:${commons.lang.version}</include>
+ <include>commons-logging:commons-logging</include>
+ <include>com.google.guava:guava:jar:${guava.version}</include>
+ <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version}</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+ <outputDirectory>/lib/ranger-atlas-plugin-impl</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger_solrj</include>
+ <include>org.apache.ranger:ranger-plugins-audit</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ <include>org.apache.ranger:ranger-atlas-plugin</include>
+ </includes>
+ </moduleSet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-installer</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </moduleSet>
+ </moduleSets>
+ <fileSets>
+ <!-- conf.templates for enable -->
+ <fileSet>
+ <outputDirectory>/install/conf.templates/enable</outputDirectory>
+ <directory>plugin-atlas/conf</directory>
+ <excludes>
+ <exclude>*.sh</exclude>
+ </excludes>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/install/conf.templates/default</outputDirectory>
+ <directory>plugin-atlas/template</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <!-- version file -->
+ <fileSet>
+ <outputDirectory>/</outputDirectory>
+ <directory>${project.build.outputDirectory}</directory>
+ <includes>
+ <include>version</include>
+ </includes>
+ <fileMode>444</fileMode>
+ </fileSet>
+ </fileSets>
+ <!-- enable/disable script for plugin -->
+ <files>
+ <file>
+ <source>agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>enable-atlas-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>security-admin/scripts/ranger_credential_helper.py</source>
+ <outputDirectory>/</outputDirectory>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>disable-atlas-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>plugin-atlas/scripts/install.properties</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>install.properties</destName>
+ <fileMode>755</fileMode>
+ </file>
+ </files>
+</assembly>
+
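Review bot: The last `<file>` entry packages `plugin-atlas/scripts/install.properties` with `<fileMode>755</fileMode>`, which makes a properties file executable and readable by every local user. If operators put keystore or audit-store passwords into that file during installation (its contents are not visible in this part of the page, so this is an assumption to confirm), a tighter mode such as `<fileMode>600</fileMode>` would suit it better. By contrast, the conf templates above are already restricted to the owner with `700`. Separately, the first `<dependencySet>` lists `hadoop-common`, `jackson-core-asl`, `jackson-mapper-asl` and `gson` twice each; dropping the duplicates would make it easier to audit what ships in `/lib/ranger-atlas-plugin-impl`.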
[2/2] incubator-ranger git commit: RANGER-993: Row filtering and
column masking audit log fix
Posted by ga...@apache.org.
RANGER-993: Row filtering and column masking audit log fix
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d21e6bb4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d21e6bb4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d21e6bb4
Branch: refs/heads/master
Commit: d21e6bb47edd8d7c6bda014a2899099c501c7585
Parents: 72d61a8
Author: pradeep agrawal <pr...@freestoneinfotech.com>
Authored: Tue May 24 09:45:25 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Wed May 25 09:37:11 2016 +0530
----------------------------------------------------------------------
.../ranger/service/RangerPolicyService.java | 148 ++++++++++++++
.../views/reports/PlugableServiceDiffDetail.js | 62 +++++-
security-admin/src/main/webapp/styles/xa.css | 7 +
.../reports/PlugableServicePolicyDiff_tmpl.html | 86 +++++++-
.../PlugableServicePolicyUpdateDiff_tmpl.html | 199 +++++++++++++++++--
5 files changed, 484 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d21e6bb4/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
index 7987057..042c239 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
@@ -34,8 +34,10 @@ import org.apache.ranger.entity.XXPolicyBase;
import org.apache.ranger.entity.XXService;
import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
import org.codehaus.jackson.JsonParseException;
import org.codehaus.jackson.map.JsonMappingException;
import org.codehaus.jackson.map.ObjectMapper;
@@ -58,6 +60,8 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
public static final String DENYPOLICY_ITEM_CLASS_FIELD_NAME = "denyPolicyItems";
public static final String ALLOW_EXCEPTIONS_CLASS_FIELD_NAME="allowExceptions";
public static final String DENY_EXCEPTIONS_CLASS_FIELD_NAME="denyExceptions";
+ public static final String DATAMASK_POLICY_ITEM_CLASS_FIELD_NAME="dataMaskPolicyItems";
+ public static final String ROWFILTER_POLICY_ITEM_CLASS_FIELD_NAME="rowFilterPolicyItems";
static HashMap<String, VTrxLogAttr> trxLogAttrs = new HashMap<String, VTrxLogAttr>();
String actionCreate;
@@ -73,6 +77,8 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
trxLogAttrs.put("denyPolicyItems", new VTrxLogAttr("denyPolicyItems", "DenyPolicy Items", false));
trxLogAttrs.put("allowExceptions", new VTrxLogAttr("allowExceptions", "Allow Exceptions", false));
trxLogAttrs.put("denyExceptions", new VTrxLogAttr("denyExceptions", "Deny Exceptions", false));
+ trxLogAttrs.put("dataMaskPolicyItems", new VTrxLogAttr("dataMaskPolicyItems", "Masked Policy Items", false));
+ trxLogAttrs.put("rowFilterPolicyItems", new VTrxLogAttr("rowFilterPolicyItems", "Row level filter Policy Items", false));
}
public RangerPolicyService() {
@@ -193,6 +199,10 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
value = processPolicyItemsForTrxLog(field.get(vObj));
} else if (fieldName.equalsIgnoreCase(DENY_EXCEPTIONS_CLASS_FIELD_NAME)){
value = processPolicyItemsForTrxLog(field.get(vObj));
+ } else if (fieldName.equalsIgnoreCase(DATAMASK_POLICY_ITEM_CLASS_FIELD_NAME)){
+ value = processDataMaskPolicyItemsForTrxLog(field.get(vObj));
+ } else if (fieldName.equalsIgnoreCase(ROWFILTER_POLICY_ITEM_CLASS_FIELD_NAME)){
+ value = processRowFilterPolicyItemForTrxLog(field.get(vObj));
}
else {
value = "" + field.get(vObj);
@@ -252,6 +262,14 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
if (oldPolicy != null) {
oldValue = processPolicyItemsForTrxLog(oldPolicy.getDenyExceptions());
}
+ } else if (fieldName.equalsIgnoreCase(DATAMASK_POLICY_ITEM_CLASS_FIELD_NAME)) {
+ if (oldPolicy != null) {
+ oldValue = processDataMaskPolicyItemsForTrxLog(oldPolicy.getDataMaskPolicyItems());
+ }
+ } else if (fieldName.equalsIgnoreCase(ROWFILTER_POLICY_ITEM_CLASS_FIELD_NAME)) {
+ if (oldPolicy != null) {
+ oldValue = processRowFilterPolicyItemForTrxLog(oldPolicy.getRowFilterPolicyItems());
+ }
}
if (oldValue == null || value.equalsIgnoreCase(oldValue)) {
return null;
@@ -290,6 +308,16 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
if(org.apache.commons.lang.StringUtils.equals(value, oldValue)) {
return null;
}
+ } else if (fieldName.equalsIgnoreCase(DATAMASK_POLICY_ITEM_CLASS_FIELD_NAME)) {
+ //compare old and new dataMaskPolicyItems
+ if(compareTwoDataMaskingPolicyItemList(value, oldValue)) {
+ return null;
+ }
+ } else if (fieldName.equalsIgnoreCase(ROWFILTER_POLICY_ITEM_CLASS_FIELD_NAME)) {
+ //compare old and new rowFilterPolicyItems
+ if(compareTwoRowFilterPolicyItemList(value, oldValue)) {
+ return null;
+ }
}
xTrxLog.setPreviousValue(oldValue);
xTrxLog.setNewValue(value);
@@ -443,4 +471,124 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
String name = (String) value;
return name;
}
+
+ @SuppressWarnings("unchecked")
+ private String processDataMaskPolicyItemsForTrxLog(Object value) {
+ if(value == null) {
+ return "";
+ }
+ List<RangerDataMaskPolicyItem> rangerPolicyItems = (List<RangerDataMaskPolicyItem>) value;
+ if(rangerPolicyItems==null || rangerPolicyItems.size()==0){
+ return "";
+ }
+ String ret = jsonUtil.readListToString(rangerPolicyItems);
+ if(ret == null) {
+ return "";
+ }
+ return ret;
+ }
+
+ @SuppressWarnings("unchecked")
+ private String processRowFilterPolicyItemForTrxLog(Object value) {
+ if(value == null) {
+ return "";
+ }
+ List<RangerRowFilterPolicyItem> rangerPolicyItems = (List<RangerRowFilterPolicyItem>) value;
+ if(rangerPolicyItems==null || rangerPolicyItems.size()==0){
+ return "";
+ }
+ String ret = jsonUtil.readListToString(rangerPolicyItems);
+ if(ret == null) {
+ return "";
+ }
+ return ret;
+ }
+
+ private boolean compareTwoDataMaskingPolicyItemList(String value, String oldValue) {
+ if (value == null && oldValue == null) {
+ return true;
+ }
+ if (value == "" && oldValue == "") {
+ return true;
+ }
+ if (stringUtil.isEmpty(value) || stringUtil.isEmpty(oldValue)) {
+ return false;
+ }
+ ObjectMapper mapper = new ObjectMapper();
+ try {
+ List<RangerDataMaskPolicyItem> obj = mapper.readValue(value,
+ new TypeReference<List<RangerDataMaskPolicyItem>>() {
+ });
+ List<RangerDataMaskPolicyItem> oldObj = mapper.readValue(oldValue,
+ new TypeReference<List<RangerDataMaskPolicyItem>>() {
+ });
+ int oldListSize = oldObj.size();
+ int listSize = obj.size();
+ if(oldListSize != listSize) {
+ return false;
+ }
+ for(RangerDataMaskPolicyItem polItem : obj) {
+ if(!oldObj.contains(polItem)) {
+ return false;
+ }
+ }
+ return true;
+ } catch (JsonParseException e) {
+ throw restErrorUtil.createRESTException(
+ "Invalid input data: " + e.getMessage(),
+ MessageEnums.INVALID_INPUT_DATA);
+ } catch (JsonMappingException e) {
+ throw restErrorUtil.createRESTException(
+ "Invalid input data: " + e.getMessage(),
+ MessageEnums.INVALID_INPUT_DATA);
+ } catch (IOException e) {
+ throw restErrorUtil.createRESTException(
+ "Invalid input data: " + e.getMessage(),
+ MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ private boolean compareTwoRowFilterPolicyItemList(String value, String oldValue) {
+ if (value == null && oldValue == null) {
+ return true;
+ }
+ if (value == "" && oldValue == "") {
+ return true;
+ }
+ if (stringUtil.isEmpty(value) || stringUtil.isEmpty(oldValue)) {
+ return false;
+ }
+ ObjectMapper mapper = new ObjectMapper();
+ try {
+ List<RangerRowFilterPolicyItem> obj = mapper.readValue(value,
+ new TypeReference<List<RangerRowFilterPolicyItem>>() {
+ });
+ List<RangerRowFilterPolicyItem> oldObj = mapper.readValue(oldValue,
+ new TypeReference<List<RangerRowFilterPolicyItem>>() {
+ });
+ int oldListSize = oldObj.size();
+ int listSize = obj.size();
+ if(oldListSize != listSize) {
+ return false;
+ }
+ for(RangerRowFilterPolicyItem polItem : obj) {
+ if(!oldObj.contains(polItem)) {
+ return false;
+ }
+ }
+ return true;
+ } catch (JsonParseException e) {
+ throw restErrorUtil.createRESTException(
+ "Invalid input data: " + e.getMessage(),
+ MessageEnums.INVALID_INPUT_DATA);
+ } catch (JsonMappingException e) {
+ throw restErrorUtil.createRESTException(
+ "Invalid input data: " + e.getMessage(),
+ MessageEnums.INVALID_INPUT_DATA);
+ } catch (IOException e) {
+ throw restErrorUtil.createRESTException(
+ "Invalid input data: " + e.getMessage(),
+ MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
}
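Review bot: `compareTwoDataMaskingPolicyItemList` can report two different lists as equal, and the caller in the `@@ -290,6 +308,16 @@` hunk then returns null, so no transaction-log entry is written for that change. It only checks that the sizes match and that every new item is contained in the old list, so a repeated item (new `[A, A]` against old `[A, B]`) yields `true`. Consuming matches from a copy closes the gap: `List<RangerDataMaskPolicyItem> remaining = new ArrayList<RangerDataMaskPolicyItem>(oldObj);` before the loop and `if(!remaining.remove(polItem)) { return false; }` inside it (assuming `ArrayList` is imported in this file). `compareTwoRowFilterPolicyItemList` has the same logic and needs the same change. In both methods `value == "" && oldValue == ""` compares references rather than contents and should be `"".equals(value) && "".equals(oldValue)`.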
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d21e6bb4/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js b/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js
index 800eed7..7ff1b0e 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js
@@ -59,6 +59,11 @@ define(function(require){
oldDenyPolicyItems : this.oldDenyPolicyItems,
newDenyExceptionPolicyItems : this.newDenyExceptionPolicyItems,
oldDenyExceptionPolicyItems : this.oldDenyExceptionPolicyItems,
+ newMaskPolicyItems: this.newMaskPolicyItems,
+ newRowFilterPolicyItems: this.newRowFilterPolicyItems,
+ oldMaskPolicyItems: this.oldMaskPolicyItems,
+ oldRowFilterPolicyItems: this.oldRowFilterPolicyItems,
+
};
},
/** ui selector cache */
@@ -149,6 +154,7 @@ define(function(require){
this.highLightElement($(ol).find('.groupname'), $(newOl[i]).find('.groupname'));
this.highLightElement($(ol).find('.perm'), $(newOl[i]).find('.perm'));
this.highLightElement($(ol).find('.condition'), $(newOl[i]).find('.condition'));
+ this.highLightElement($(ol).find('.maskingAndRow'), $(newOl[i]).find('.maskingAndRow'));
},this);
},
@@ -192,6 +198,8 @@ define(function(require){
this.newAllowExceptionPolicyItems = null, this.oldAllowExceptionPolicyItems = null,
this.newDenyPolicyItems = null, this.oldDenyPolicyItems = null,
this.newDenyExceptionPolicyItems = null, this.oldDenyExceptionPolicyItems = null;
+ this.newMaskPolicyItems = null, this.newRowFilterPolicyItems = null,
+ this.oldMaskPolicyItems = null, this.oldRowFilterPolicyItems = null;
var policyStatus = this.collection.findWhere({'attributeName':'Policy Status'})
if(!_.isUndefined(policyStatus)){
if(!_.isEmpty(policyStatus.get('previousValue'))){
@@ -239,6 +247,22 @@ define(function(require){
this.oldDenyExceptionPolicyItems = perms.oldPerms;
}
}
+ var policyItems = this.collection.findWhere({'attributeName':'Masked Policy Items'});
+ if(!_.isUndefined(policyItems)){
+ var perms = this.getPolicyItems('Masked Policy Items');
+ if(!_.isEmpty(perms)){
+ this.newMaskPolicyItems = perms.newPerms;
+ this.oldMaskPolicyItems = perms.oldPerms;
+ }
+ }
+ var policyItems = this.collection.findWhere({'attributeName':'Row level filter Policy Items'});
+ if(!_.isUndefined(policyItems)){
+ var perms = this.getPolicyItems('Row level filter Policy Items');
+ if(!_.isEmpty(perms)){
+ this.newRowFilterPolicyItems = perms.newPerms;
+ this.oldRowFilterPolicyItems = perms.oldPerms;
+ }
+ }
},
getPolicyResources : function() {
var policyResources = this.collection.findWhere({'attributeName':'Policy Resources'});
@@ -294,7 +318,7 @@ define(function(require){
}
},
getPolicyItems : function(itemType) {
- var items = {};
+ var items = {},that = this;
var newPolicyItems=[], oldPolicyItems =[];
var policyItems = this.collection.findWhere({'attributeName': itemType });
this.collection.remove(policyItems);
@@ -318,9 +342,32 @@ define(function(require){
}
});
}
+ if(itemType === 'Masked Policy Items') {
+ for(var i = 0; i < newPolicyItems.length ; i++){
+ var maskingType = newPolicyItems[i].dataMaskInfo.dataMaskType;
+ var dataMaskDefs = that.rangerServiceDefModel.get('dataMaskDef');
+ _.each(dataMaskDefs.maskTypes,function(maskType){
+ if(maskType.name === maskingType) {
+ newPolicyItems[i].dataMaskInfo.dataMaskType = maskType.label;
+ }
+ });
+ };
+
+ for(var i = 0; i < oldPolicyItems.length ; i++){
+ var maskingType = oldPolicyItems[i].dataMaskInfo.dataMaskType;
+ var dataMaskDefs = that.rangerServiceDefModel.get('dataMaskDef');
+ _.each(dataMaskDefs.maskTypes,function(maskType){
+ if(maskType.name === maskingType) {
+ oldPolicyItems[i].dataMaskInfo.dataMaskType = maskType.label;
+ }
+ });
+ };
+ }
+
// this.oldPermList =[], this.newPermList =[]
if(this.action == "update"){
- return this.setOldeNewPermList(newPolicyItems, oldPolicyItems);
+ //return this.setOldeNewPermList(newPolicyItems, oldPolicyItems);
+ return this.setOldNewPermDiff(newPolicyItems, oldPolicyItems);
} else {
return {'oldPerms' : oldPolicyItems, 'newPerms' : newPolicyItems};
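Review bot: Both new loops read `newPolicyItems[i].dataMaskInfo.dataMaskType` (and the `oldPolicyItems` equivalent) without checking that `dataMaskInfo` exists, although the templates in this commit guard the same field with `{{#if this.dataMaskInfo}}`. An item without it would throw here, and presumably the audit detail view would then fail to render. The result of `that.rangerServiceDefModel.get('dataMaskDef')` is likewise dereferenced unchecked. Each loop body should skip the item when either value is missing, and the two identical loops could become one helper applied to each list. The commented-out `//return this.setOldeNewPermList(newPolicyItems, oldPolicyItems);` line should be deleted rather than kept; `getPolicyItems` starts and ends outside this hunk.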
@@ -328,6 +375,17 @@ define(function(require){
// this.newPermList = this.newPolicyItems;
}
},
+ setOldNewPermDiff: function(newPolicyItems, oldPolicyItems){
+ var oldPerms = [], newPerms = [];
+ var len = oldPolicyItems.length > newPolicyItems.length ? oldPolicyItems.length : newPolicyItems.length;
+ for(var i = 0; i < len ; i++) {
+ if (JSON.stringify(newPolicyItems[i]) != JSON.stringify(oldPolicyItems[i])) {
+ oldPerms.push(oldPolicyItems[i]);
+ newPerms.push(newPolicyItems[i]);
+ }
+ }
+ return {'newPerms': newPerms, 'oldPerms': oldPerms};
+ },
setOldeNewPermList : function(newPolicyItems, oldPolicyItems) {
var found = false, oldPerms = [], newPerms = [];
for(var i=0; i< newPolicyItems.length ;i++){
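Review bot: `setOldNewPermDiff` compares items by position, so adding or removing one item near the front of a list marks every later item as changed in the audit diff. When the lists differ in length it also pushes `undefined` into `oldPerms` or `newPerms`. If those `undefined` entries are deliberate placeholders that keep the old and new columns aligned, a comment should say so, for example `// undefined entries keep old/new columns aligned; the update template shows them as empty`. The comparison should use `!==` rather than `!=`, and `JSON.stringify` equality depends on property order, which is worth noting in the same comment. The `setOldeNewPermList` function that follows continues outside this hunk.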
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d21e6bb4/security-admin/src/main/webapp/styles/xa.css
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css
index f8e7273..b586e11 100644
--- a/security-admin/src/main/webapp/styles/xa.css
+++ b/security-admin/src/main/webapp/styles/xa.css
@@ -1468,6 +1468,13 @@ ul.tabs > li > a {
.diff-right .data li {
min-width: 16.5em;
}
+.diff-list > ol {
+ display: initial;
+ min-width: 250px;
+}
+.diff .diff-left{
+ min-width: 16.5em;
+}
.change {
background-color: #ffd;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d21e6bb4/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html
index 5ed8d00..3018c84 100644
--- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html
+++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html
@@ -46,7 +46,7 @@
{{#if newPolicyItems}}
<h5>Allow PolicyItems :</h5>
<div class="diff diff-perms" >
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each newPolicyItems}}
<ol class="unstyled data">
@@ -89,7 +89,7 @@
{{#if newAllowExceptionPolicyItems}}
<h5>Allow Exceptions :</h5>
<div class="diff diff-perms" >
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each newAllowExceptionPolicyItems}}
<ol class="unstyled data">
@@ -132,7 +132,7 @@
{{#if newDenyPolicyItems}}
<h5>Deny PolicyItems :</h5>
<div class="diff diff-perms" >
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each newDenyPolicyItems}}
<ol class="unstyled data">
@@ -173,7 +173,7 @@
{{#if oldDenyExceptionPolicyItems}}
<h5>Deny Exception PolicyItems:</h5>
<div class="diff diff-perms" >
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each oldDenyExceptionPolicyItems}}
<ol class="unstyled data">
@@ -211,4 +211,82 @@
</div>
{{/if}}
+<!-- Masking Policy Items -->
+{{#if newMaskPolicyItems}}
+ <h5>Masking Policy Items :</h5>
+ <div class="diff diff-perms" >
+ <div class="diff-right diff-list" data-id="diff">
+ <h3>New Value</h3>
+ {{#each newMaskPolicyItems}}
+ <ol class="unstyled data">
+ <li class="change-row">Groups:
+ {{#if_eq this.groups compare=0}}
+ <empty>
+ {{else}}
+ {{this.groups}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row">Users:
+ {{#if_eq this.users compare=0}}
+ <empty>
+ {{else}}
+ {{this.users}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row">Accesses:
+ {{#each this.accesses}}
+ {{this.type}} <span>,</span>
+ {{/each}}
+ </li>
+ {{#if this.dataMaskInfo}}
+ <li class="change-row">
+ Data Mask Types:
+ {{this.dataMaskInfo.dataMaskType}}
+ </li>
+ {{/if}}
+ </ol><br/>
+ {{/each}}
+ </div>
+ </div>
+{{/if}}
+
+<!-- Row Filter Policy Items-->
+{{#if newRowFilterPolicyItems}}
+ <h5>Row Level Filter Policy Items :</h5>
+ <div class="diff diff-perms" >
+ <div class="diff-right diff-list" data-id="diff">
+ <h3>New Value</h3>
+ {{#each newRowFilterPolicyItems}}
+ <ol class="unstyled data">
+ <li class="change-row">Groups:
+ {{#if_eq this.groups compare=0}}
+ <empty>
+ {{else}}
+ {{this.groups}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row">Users:
+ {{#if_eq this.users compare=0}}
+ <empty>
+ {{else}}
+ {{this.users}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row">Accesses:
+ {{#each this.accesses}}
+ {{this.type}} <span>,</span>
+ {{/each}}
+ </li>
+ {{#if this.rowFilterInfo}}
+ <li class="change-row">
+ Row Level Filter:
+ {{this.rowFilterInfo.filterExpr}}
+ </li>
+ {{/if}}
+ </ol><br/>
+ {{/each}}
+ </div>
+ </div>
+{{/if}}
+
</div>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d21e6bb4/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html
index d2a4f80..c2d6c2d 100644
--- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html
+++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html
@@ -70,8 +70,8 @@
{{#if oldPolicyItems}}
<h5>Allow PolicyItems :</h5>
<div class="diff diff-perms">
- <div class="diff-left" data-id="diff">
- <h3>old Value</h3>
+ <div class="diff-left diff-list" data-id="diff">
+ <h3>Old Value</h3>
{{#each oldPolicyItems}}
<ol class="unstyled data">
{{#if this.permissions}}
@@ -113,7 +113,7 @@
</ol><br/>
{{/each}}
</div>
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each newPolicyItems}}
<ol class="unstyled data">
@@ -162,8 +162,8 @@
{{#if oldAllowExceptionPolicyItems}}
<h5>Allow Exception PolicyItems :</h5>
<div class="diff diff-perms">
- <div class="diff-left" data-id="diff">
- <h3>old Value</h3>
+ <div class="diff-left diff-list" data-id="diff">
+ <h3>Old Value</h3>
{{#each oldAllowExceptionPolicyItems}}
<ol class="unstyled data">
{{#if this.permissions}}
@@ -205,7 +205,7 @@
</ol><br/>
{{/each}}
</div>
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each newAllowExceptionPolicyItems}}
<ol class="unstyled data">
@@ -255,8 +255,8 @@
{{#if oldDenyPolicyItems}}
<h5>Deny PolicyItems :</h5>
<div class="diff diff-perms">
- <div class="diff-left" data-id="diff">
- <h3>old Value</h3>
+ <div class="diff-left diff-list" data-id="diff">
+ <h3>Old Value</h3>
{{#each oldDenyPolicyItems}}
<ol class="unstyled data">
{{#if this.permissions}}
@@ -298,7 +298,7 @@
</ol><br/>
{{/each}}
</div>
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each newDenyPolicyItems}}
<ol class="unstyled data">
@@ -349,8 +349,8 @@
{{#if oldDenyExceptionPolicyItems}}
<h5>Deny Exception PolicyItems :</h5>
<div class="diff diff-perms">
- <div class="diff-left" data-id="diff">
- <h3>old Value</h3>
+ <div class="diff-left diff-list" data-id="diff">
+ <h3>Old Value</h3>
{{#each oldDenyExceptionPolicyItems}}
<ol class="unstyled data">
{{#if this.permissions}}
@@ -392,7 +392,7 @@
</ol><br/>
{{/each}}
</div>
- <div class="diff-right" data-id="diff">
+ <div class="diff-right diff-list" data-id="diff">
<h3>New Value</h3>
{{#each newDenyExceptionPolicyItems}}
<ol class="unstyled data">
@@ -438,5 +438,180 @@
</div>
{{/if}}
+<!-- Masking Policy Items -->
+{{#if oldMaskPolicyItems}}
+ <h5>Masking Policy Items :</h5>
+ <div class="diff diff-perms">
+ <div class="diff-left diff-list" data-id="diff">
+ <h3>Old Value</h3>
+ {{#each oldMaskPolicyItems}}
+ <ol class="unstyled data">
+ {{#if this.accesses}}
+ <li class="change-row"><i>Groups</i>:
+ {{#if_eq this.groups compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.groups}}
+ <span class="groupname">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Users</i>:
+ {{#if_eq this.users compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.users}}
+ <span class="username">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Accesses</i>:
+ {{#each this.accesses}}
+ <span class="perm">{{this.type}}</span> <span>,</span>
+ {{/each}}
+ </li>
+ {{#if this.dataMaskInfo}}
+ <li class="change-row">
+ <i>Data Mask Types</i>:
+ <span class="maskingAndRow">{{this.dataMaskInfo.dataMaskType}}</span> <span>,</span>
+ </li>
+ {{/if}}
+ {{else}}
+ <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li>
+ {{/if}}
+ </ol><br/>
+ {{/each}}
+ </div>
+ <div class="diff-right diff-list" data-id="diff">
+ <h3>New Value</h3>
+ {{#each newMaskPolicyItems}}
+ <ol class="unstyled data">
+ {{#if this.accesses}}
+ <li class="change-row"><i>Groups</i>:
+ {{#if_eq this.groups compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.groups}}
+ <span class="groupname">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Users</i>:
+ {{#if_eq this.users compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.users}}
+ <span class="username">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Accesses</i>:
+ {{#each this.accesses}}
+ <span class="perm">{{this.type}}</span> <span>,</span>
+ {{/each}}
+ </li>
+ {{#if this.dataMaskInfo}}
+ <li class="change-row">
+ <i>Data Mask Types</i>:
+ <span class="maskingAndRow">{{this.dataMaskInfo.dataMaskType}}</span> <span>,</span>
+ </li>
+ {{/if}}
+
+ {{else}}
+ <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li>
+ {{/if}}
+ </ol><br/>
+ {{/each}}
+ </div>
+ </div>
+ {{/if}}
+
+<!-- Row filter Policy Items-->
+{{#if oldRowFilterPolicyItems}}
+ <h5>Row Level Filter Policy Items :</h5>
+ <div class="diff diff-perms">
+ <div class="diff-left diff-list" data-id="diff">
+ <h3>Old Value</h3>
+ {{#each oldRowFilterPolicyItems}}
+ <ol class="unstyled data">
+ {{#if this.accesses}}
+ <li class="change-row"><i>Groups</i>:
+ {{#if_eq this.groups compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.groups}}
+ <span class="groupname">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Users</i>:
+ {{#if_eq this.users compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.users}}
+ <span class="username">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Accesses</i>:
+ {{#each this.accesses}}
+ <span class="perm">{{this.type}}</span> <span>,</span>
+ {{/each}}
+ </li>
+ {{#if this.rowFilterInfo}}
+ <li class="change-row">
+ <i>Row Level Filter</i>:
+ <span class="maskingAndRow">{{this.rowFilterInfo.filterExpr}}</span> <span>,</span>
+ </li>
+ {{/if}}
+ {{else}}
+ <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li>
+ {{/if}}
+ </ol><br/>
+ {{/each}}
+ </div>
+ <div class="diff-right diff-list" data-id="diff">
+ <h3>New Value</h3>
+ {{#each newRowFilterPolicyItems}}
+ <ol class="unstyled data">
+ {{#if this.accesses}}
+ <li class="change-row"><i>Groups</i>:
+ {{#if_eq this.groups compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.groups}}
+ <span class="groupname">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Users</i>:
+ {{#if_eq this.users compare=0}}
+ <empty>
+ {{else}}
+ {{#each this.users}}
+ <span class="username">{{this}}</span><span>,</span>
+ {{/each}}
+ {{/if_eq}}
+ </li>
+ <li class="change-row"><i>Accesses</i>:
+ {{#each this.accesses}}
+ <span class="perm">{{this.type}}</span> <span>,</span>
+ {{/each}}
+ </li>
+ {{#if this.rowFilterInfo}}
+ <li class="change-row">
+ <i>Row Level Filter</i>:
+ <span class="maskingAndRow">{{this.rowFilterInfo.filterExpr}}</span> <span>,</span>
+ </li>
+ {{/if}}
+
+ {{else}}
+ <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li>
+ {{/if}}
+ </ol><br/>
+ {{/each}}
+ </div>
+ </div>
+ {{/if}}
</div>