Posted to commits@ranger.apache.org by pr...@apache.org on 2019/02/18 08:35:41 UTC
[ranger] branch master updated: RANGER-2334 : Audits: filter out
service audit logs and additional users logs from user audit logs
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 24e8f31 RANGER-2334 : Audits: filter out service audit logs and additional users logs from user audit logs
24e8f31 is described below
commit 24e8f31af06433e159a6215b5bfb1588d7eb0700
Author: Nikhil P <ni...@gmail.com>
AuthorDate: Thu Feb 7 17:49:05 2019 +0530
RANGER-2334 : Audits: filter out service audit logs and additional users logs from user audit logs
Signed-off-by: Pradeep <pr...@apache.org>
---
.../plugin/store/EmbeddedServiceDefsUtil.java | 2 +-
.../java/org/apache/ranger/rest/AssetREST.java | 3 +-
.../ranger/solr/SolrAccessAuditsService.java | 64 +++++++++++++++++++---
.../webapp/scripts/views/reports/AuditLayout.js | 10 +++-
.../java/org/apache/ranger/rest/TestAssetREST.java | 4 +-
5 files changed, 69 insertions(+), 14 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index 110f763..cbfd649 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -48,7 +48,7 @@ public class EmbeddedServiceDefsUtil {
// following servicedef list should be reviewed/updated whenever a new embedded service-def is added
- private static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,nifi-registry,sqoop,kylin,elasticsearch";
+ public static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,nifi-registry,sqoop,kylin,elasticsearch";
private static final String PROPERTY_SUPPORTED_SERVICE_DEFS = "ranger.supportedcomponents";
private Set<String> supportedServiceDefs;
public static final String EMBEDDED_SERVICEDEF_TAG_NAME = "tag";
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index 8a0ca95..d708927 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -636,7 +636,8 @@ public class AssetREST {
"Client IP", StringUtil.VALIDATION_TEXT);
searchUtil.extractString(request, searchCriteria, "resourceType",
"Resource Type", StringUtil.VALIDATION_TEXT);
-
+ searchUtil.extractString(request,searchCriteria,"excludeServiceUser",
+ "Exclude Service User",StringUtil.VALIDATION_TEXT);
searchUtil.extractInt(request, searchCriteria, "auditType", "Audit Type");
searchUtil.extractInt(request, searchCriteria, "accessResult", "Result");
searchUtil.extractInt(request, searchCriteria, "assetId", "Audit Type");
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
index f64c0db..1b49c13 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
@@ -21,8 +21,11 @@ package org.apache.ranger.solr;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.PropertiesUtil;
@@ -36,6 +39,7 @@ import org.apache.ranger.common.SearchField.SEARCH_TYPE;
import org.apache.ranger.common.SortField.SORT_ORDER;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.view.VXAccessAudit;
import org.apache.ranger.view.VXAccessAuditList;
import org.apache.ranger.view.VXLong;
@@ -86,10 +90,10 @@ public class SolrAccessAuditsService {
SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
searchFields.add(new SearchField("requestUser", "reqUser",
SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
- searchFields.add(new SearchField("requestData", "reqData",
- SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
- searchFields.add(new SearchField("resourcePath", "resource",
- SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
+ searchFields.add(new SearchField("requestData", "reqData", SearchField.DATA_TYPE.STRING,
+ SearchField.SEARCH_TYPE.PARTIAL));
+ searchFields.add(new SearchField("resourcePath", "resource", SearchField.DATA_TYPE.STRING,
+ SearchField.SEARCH_TYPE.PARTIAL));
searchFields.add(new SearchField("clientIP", "cliIP",
SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
@@ -104,7 +108,9 @@ public class SolrAccessAuditsService {
searchFields.add(new SearchField("repoType", "repoType",
SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL));
searchFields.add(new SearchField("-repoType", "-repoType",
- SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL));
+ SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL));
+ searchFields.add(new SearchField("-requestUser", "-reqUser",
+ SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
searchFields.add(new SearchField("resourceType", "resType",
SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
searchFields.add(new SearchField("reason", "reason",
@@ -127,20 +133,29 @@ public class SolrAccessAuditsService {
SORT_ORDER.DESC));
}
+
public VXAccessAuditList searchXAccessAudits(SearchCriteria searchCriteria) {
// Make call to Solr
SolrClient solrClient = solrMgr.getSolrClient();
- final boolean hiveQueryVisibility = PropertiesUtil.getBooleanProperty("ranger.audit.hive.query.visibility", true);
+ final boolean hiveQueryVisibility = PropertiesUtil.getBooleanProperty("ranger.audit.hive.query.visibility", true);
if (solrClient == null) {
logger.warn("Solr client is null, so not running the query.");
throw restErrorUtil.createRESTException(
"Error connecting to search engine",
MessageEnums.ERROR_SYSTEM);
}
-
+ List<String> excludeUsersList = new ArrayList<String>();
List<VXAccessAudit> xAccessAuditList = new ArrayList<VXAccessAudit>();
+ String val = (String) searchCriteria.getParamList().get("excludeServiceUser");
+
+ if(val !=null && Boolean.valueOf(val.trim())) { //add param to negate requestUsers which will be added as filter query in solr
+ excludeUsersList = getExcludeUsersList();
+ if(CollectionUtils.isNotEmpty(excludeUsersList)) {
+ searchCriteria.getParamList().put("-requestUser", excludeUsersList);
+ }
+ }
QueryResponse response = solrUtil.searchResources(searchCriteria,
searchFields, sortFields, solrClient);
SolrDocumentList docs = response.getResults();
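Review bot: The `(String)` cast on `searchCriteria.getParamList().get("excludeServiceUser")` will throw a ClassCastException if any caller stores a non-String under that key, and the map clearly holds other types, since the same hunk puts a `List` under `-requestUser`. Reading it as `Object val = searchCriteria.getParamList().get("excludeServiceUser");` and testing `val != null && Boolean.parseBoolean(val.toString().trim())` avoids that. The `new ArrayList<String>()` assigned to `excludeUsersList` is overwritten before use, so the list can be declared inside the `if`. Because this branch hides records from an audit view, a debug log of the excluded names when the filter is applied would let a reviewer tell suppressed entries from absent ones. searchXAccessAudits continues past the end of the hunk.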
@@ -159,7 +174,7 @@ public class SolrAccessAuditsService {
}
}
}
- xAccessAuditList.add(vXAccessAudit);
+ xAccessAuditList.add(vXAccessAudit);
}
VXAccessAuditList returnList = new VXAccessAuditList();
@@ -171,6 +186,39 @@ public class SolrAccessAuditsService {
return returnList;
}
+ private List<String> getExcludeUsersList() {
+ List<String> excludeUsersList = new ArrayList<String>();
+ //for excluding serviceUsers using existing property in ranger-admin-site
+ List<String> serviceUsersList = getServiceUserList();
+ excludeUsersList.addAll(serviceUsersList);
+
+ //for excluding additional users using new property in ranger-admin-site
+ String additionalExcludeUsers = PropertiesUtil.getProperty("ranger.accesslogs.exclude.users.list");
+ List<String> additionalExcludeUsersList = null;
+ if (StringUtils.isNotBlank(additionalExcludeUsers)) {
+ additionalExcludeUsersList = new ArrayList<>(Arrays.asList(StringUtils.split(additionalExcludeUsers, ",")));
+ for (String serviceUser : additionalExcludeUsersList) {
+ if (StringUtils.isNotBlank(serviceUser) && !excludeUsersList.contains(serviceUser.trim())) {
+ excludeUsersList.add(serviceUser);
+ }
+ }
+ }
+ return excludeUsersList;
+ }
+
+ private List<String> getServiceUserList() {
+ String components = EmbeddedServiceDefsUtil.DEFAULT_BOOTSTRAP_SERVICEDEF_LIST;
+ List<String> serviceUsersList = new ArrayList<String>();
+ List<String> componentNames = Arrays.asList(StringUtils.split(components,","));
+ for(String componentName : componentNames) {
+ String serviceUser = PropertiesUtil.getProperty("ranger.plugins."+componentName+".serviceuser");
+ if(StringUtils.isNotBlank(serviceUser)) {
+ serviceUsersList.add(serviceUser);
+ }
+ }
+ return serviceUsersList;
+ }
+
/**
* @param doc
* @return
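Review bot: In `getExcludeUsersList` the duplicate check uses `serviceUser.trim()` but the value added is the untrimmed `serviceUser`, so a property value like `a, b` adds ` b` with its leading space, which presumably never matches the stored `reqUser`; `excludeUsersList.add(serviceUser.trim());` fixes it. `getServiceUserList` also adds the `ranger.plugins.<component>.serviceuser` value untrimmed. It iterates `DEFAULT_BOOTSTRAP_SERVICEDEF_LIST` rather than the set configured through `ranger.supportedcomponents` (visible in the EmbeddedServiceDefsUtil hunk), so service users of components outside the default list appear not to be excluded; worth confirming that is intended. Both helpers would benefit from a one-line Javadoc stating that the returned names become a negated `reqUser` filter, since anyone who can edit `ranger.accesslogs.exclude.users.list` can remove a user from filtered audit views.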
diff --git a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
index 4894480..0b47ba7 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
@@ -309,6 +309,7 @@ define(function(require) {
addSearchForBigDataTab :function(){
var that = this , query = '';
var serverListForRepoType = this.serviceDefList.map(function(serviceDef){ return {'label' : serviceDef.get('name').toUpperCase(), 'value' : serviceDef.get('id')}; })
+ var serviceUser = [{'label' : 'True' , 'value' : true},{'label' : 'False' , 'value' : false}]
var serverAttrName = [{text : 'Start Date',label :'startDate'},{text : 'End Date',label :'endDate'},
{text : 'User',label :'requestUser'},{text : 'Resource Name',label :'resourcePath'},
{text : 'Service Name',label :'repoName'},{text : 'Policy ID',label :'policyId'},
@@ -317,8 +318,10 @@ define(function(require) {
{text : 'Access Type',label :'accessType'},{text : 'Access Enforcer',label :'aclEnforcer'},
{text : 'Client IP',label :'clientIP'},{text : 'Tags',label :'tags'},
{text : 'Resource Type',label : 'resourceType'},{text : 'Cluster Name',label : 'cluster'},
- {text : 'Zone Name',label : 'zoneName'}];
- var searchOpt = ['Resource Type','Start Date','End Date','User','Service Name','Service Type','Resource Name','Access Type','Result','Access Enforcer','Client IP','Tags','Cluster Name', 'Zone Name'];//,'Policy ID'
+ {text : 'Zone Name',label : 'zoneName'},
+ {text : 'Exclude Service User', label : 'excludeServiceUser', 'multiple' : true, 'optionsArr' : serviceUser}];
+ var searchOpt = ['Resource Type','Start Date','End Date','User','Service Name','Service Type','Resource Name','Access Type','Result','Access Enforcer',
+ 'Client IP','Tags','Cluster Name', 'Zone Name', 'Exclude Service User'];//,'Policy ID'
this.clearVisualSearch(this.accessAuditList, serverAttrName);
this.searchInfoArr =[{text :'Access Enforcer', info :localization.tt('msg.accessEnforcer')},
{text :'Access Type' , info :localization.tt('msg.accessTypeMsg')},
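Review bot: The new 'Exclude Service User' facet is added to `serverAttrName` and `searchOpt`, but this commit adds no matching help entry to `searchInfoArr`, at least in the part visible here; the array continues outside the hunk. Selecting True hides service users' and configured users' records from the audit table, so a help entry saying that matching records are filtered out rather than absent would help people reviewing audits. The options variable `serviceUser` (declared in the previous hunk and used again in the `case 'Exclude Service User'` hunk) holds True/False choices, not a user. A name such as `excludeServiceUserOptions` would read better, and its declaration is missing the terminating `;`.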
@@ -414,6 +417,9 @@ define(function(require) {
}
XAUtils.displayDatepicker(that.ui.visualSearch, facet, startDate, callback);
break;
+ case 'Exclude Service User' :
+ callback(XAUtils.hackForVSLabelValuePairs(serviceUser));
+ break;
}
}
}
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java
index 40e680a..a1b0e45 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java
@@ -761,7 +761,7 @@ public class TestAssetREST {
Mockito.verify(msBizUtil).isKeyAdmin();
Mockito.verify(assetMgr).getAccessLogs(searchCriteria);
Mockito.verify(daoManager).getXXServiceDef();
- Mockito.verify(searchUtil, Mockito.times(13)).extractString((HttpServletRequest) Mockito.any(),
+ Mockito.verify(searchUtil, Mockito.times(14)).extractString((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString(), Mockito.nullable(String.class));
Mockito.verify(searchUtil, Mockito.times(4)).extractInt((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString());
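Review bot: The only test change is the `extractString` verification count moving to 14, here and in the next hunk; nothing in the diffstat exercises the new exclusion path in SolrAccessAuditsService. A test that sets `excludeServiceUser` to `true` and asserts the `-requestUser` list handed to `solrUtil.searchResources` would pin the behaviour. A second test with a whitespace-padded `ranger.accesslogs.exclude.users.list` would catch trimming regressions. The test methods begin and end outside the hunk.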
@@ -804,7 +804,7 @@ public class TestAssetREST {
Mockito.verify(msBizUtil).isKeyAdmin();
Mockito.verify(assetMgr).getAccessLogs(searchCriteria);
Mockito.verify(daoManager).getXXServiceDef();
- Mockito.verify(searchUtil, Mockito.times(13)).extractString((HttpServletRequest) Mockito.any(),
+ Mockito.verify(searchUtil, Mockito.times(14)).extractString((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString(), Mockito.nullable(String.class));
Mockito.verify(searchUtil, Mockito.times(4)).extractInt((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString());