Posted to commits@ranger.apache.org by pr...@apache.org on 2017/04/25 22:18:40 UTC

[2/3] ranger git commit: RANGER-1481 : Capture cluster name in ranger audit info

RANGER-1481 : Capture cluster name in ranger audit info

Signed-off-by: pradeep <pr...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/1bd34894
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/1bd34894
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/1bd34894

Branch: refs/heads/ranger-0.7
Commit: 1bd34894bdae33e159b2de89c503b060ff8351e9
Parents: 70dcd59
Author: Bhavik Patel <bh...@gmail.com>
Authored: Tue Apr 25 11:50:51 2017 +0530
Committer: pradeep <pr...@apache.org>
Committed: Wed Apr 26 03:43:57 2017 +0530

----------------------------------------------------------------------
 .../audit/destination/SolrAuditDestination.java |  1 +
 .../ranger/audit/model/AuthzAuditEvent.java     | 14 +++-
 .../audit/provider/solr/SolrAuditProvider.java  |  1 +
 .../admin/client/RangerAdminRESTClient.java     |  8 +-
 .../plugin/audit/RangerDefaultAuditHandler.java |  1 +
 .../policyengine/RangerAccessRequest.java       |  2 +
 .../policyengine/RangerAccessRequestImpl.java   | 11 +++
 .../RangerAccessRequestReadOnly.java            |  3 +
 .../ranger/plugin/service/RangerBasePlugin.java | 11 +++
 .../ranger/plugin/util/GrantRevokeRequest.java  | 21 +++++-
 .../ranger/plugin/util/RangerRESTUtils.java     |  3 +-
 .../hbase/AuthorizationSession.java             |  8 ++
 .../hbase/RangerAuthorizationCoprocessor.java   | 31 ++++++--
 .../hadoop/RangerHdfsAuthorizer.java            |  7 +-
 .../authorizer/RangerHiveAccessRequest.java     | 15 ++--
 .../hive/authorizer/RangerHiveAuthorizer.java   | 17 +++--
 .../client/RangerAdminJersey2RESTClient.java    |  4 +
 .../authorization/knox/KnoxRangerPlugin.java    |  9 ++-
 .../authorization/knox/RangerPDPKnoxFilter.java | 10 ++-
 .../atlas/authorizer/RangerAtlasAuthorizer.java |  8 +-
 .../kafka/authorizer/RangerKafkaAuthorizer.java |  2 +
 .../kms/authorizer/RangerKmsAuthorizer.java     |  9 ++-
 .../yarn/authorizer/RangerYarnAuthorizer.java   |  6 +-
 .../026-add-column-in-x_policy_export_audit.sql | 29 ++++++++
 .../026-add-column-in-x_policy_export_audit.sql | 23 ++++++
 .../026-add-column-in-x_policy_export_audit.sql | 32 ++++++++
 .../026-add-column-in-x_policy_export_audit.sql | 21 ++++++
 .../026-add-column-in-x_policy_export_audit.sql | 23 ++++++
 .../ranger/entity/XXPolicyExportAudit.java      | 34 ++++++++-
 .../java/org/apache/ranger/rest/AssetREST.java  |  5 +-
 .../org/apache/ranger/rest/ServiceREST.java     | 34 ++++++---
 .../ranger/service/XAccessAuditService.java     |  2 +
 .../service/XPolicyExportAuditService.java      |  2 +
 .../service/XPolicyExportAuditServiceBase.java  |  2 +
 .../ranger/solr/SolrAccessAuditsService.java    |  9 ++-
 .../java/org/apache/ranger/solr/SolrUtil.java   |  3 +-
 .../org/apache/ranger/view/VXAccessAudit.java   | 17 +++++
 .../apache/ranger/view/VXPolicyExportAudit.java | 12 +++
 .../scripts/modules/globalize/message/en.js     |  5 +-
 .../webapp/scripts/views/reports/AuditLayout.js | 77 ++++++++++++--------
 .../org/apache/ranger/rest/TestAssetREST.java   |  8 +-
 .../org/apache/ranger/rest/TestServiceREST.java |  2 +-
 .../authorization/storm/StormRangerPlugin.java  |  3 +-
 .../storm/authorizer/RangerStormAuthorizer.java |  3 +-
 44 files changed, 456 insertions(+), 92 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
index e689e5d..14ad791 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
@@ -281,6 +281,7 @@ public class SolrAuditDestination extends AuditDestination {
 		doc.setField("event_count", auditEvent.getEventCount());
 		doc.setField("event_dur_ms", auditEvent.getEventDurationMS());
 		doc.setField("tags", auditEvent.getTags());
+		doc.setField("cluster", auditEvent.getClusterName());
 
 		return doc;
 	}
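Review bot: The new `cluster` field is written into every audit document here, but the diffstat for this commit lists no Solr schema or collection-config change. If the audit collection runs with a fixed schema and has no matching dynamic-field rule, documents carrying an undeclared field may be rejected and the audit event lost, so it is worth confirming that the schema side ships together with this change. The same applies to the `doc.addField("cluster", auditEvent.getClusterName());` line added in SolrAuditProvider. The enclosing method starts outside the hunk.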

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
index b547c43..8d71851 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
@@ -114,6 +114,9 @@ public class AuthzAuditEvent extends AuditEventBase {
 
 	@SerializedName("additional_info")
 	protected String additionalInfo;
+	
+	@SerializedName("cluster_name")
+	protected String clusterName;
 
 	public AuthzAuditEvent() {
 		super();
@@ -126,7 +129,7 @@ public class AuthzAuditEvent extends AuditEventBase {
 			String resourcePath, String resourceType, String action,
 			short accessResult, String agentId, long policyId,
 			String resultReason, String aclEnforcer, String sessionId,
-			String clientType, String clientIP, String requestData) {
+			String clientType, String clientIP, String requestData, String clusterName) {
 		this.repositoryType = repositoryType;
 		this.repositoryName = repositoryName;
 		this.user = user;
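Review bot: The public `AuthzAuditEvent` constructor gains a trailing `String clusterName` parameter in place, so any caller outside this repository that was compiled against the previous signature stops compiling on this release branch. Keeping the old signature as an overload that delegates with `null` for the new argument would avoid that. `GrantRevokeRequest` changes its public constructor the same way later in this commit. The constructor body continues outside this hunk.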
@@ -144,6 +147,7 @@ public class AuthzAuditEvent extends AuditEventBase {
 		this.clientType = clientType;
 		this.clientIP = clientIP;
 		this.requestData = requestData;
+		this.clusterName = clusterName;
 	}
 
 	/**
@@ -453,6 +457,14 @@ public class AuthzAuditEvent extends AuditEventBase {
 		this.tags = tags;
 	}
 
+	public String getClusterName() {
+		return clusterName;
+	}
+
+	public void setClusterName(String clusterName) {
+		this.clusterName = clusterName;
+	}
+
 	public String getAdditionalInfo() { return this.additionalInfo; }
 
 	public void setAdditionalInfo(String additionalInfo) { this.additionalInfo = additionalInfo; }

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java
index 22aebb5..e0c192c 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java
@@ -287,6 +287,7 @@ public class SolrAuditProvider extends AuditDestination {
 		doc.addField("action", auditEvent.getAction());
 		doc.addField("evtTime", auditEvent.getEventTime());
 		doc.addField("tags", auditEvent.getTags());
+		doc.addField("cluster", auditEvent.getClusterName());
 		return doc;
 	}
 	

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index bcb07d7..a32db46 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -50,6 +50,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 	private String           serviceName = null;
 	private String           pluginId    = null;
 	private RangerRESTClient restClient  = null;
+	private String clusterName = null;
 	private RangerRESTUtils restUtils   = new RangerRESTUtils();
 
 	public RangerAdminRESTClient() {
@@ -81,6 +82,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 
 		String url               		= RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.url");
 		String sslConfigFileName 		= RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.ssl.config.file");
+		clusterName       				= RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
 		int	 restClientConnTimeOutMs	= RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
 		int	 restClientReadTimeOutMs	= RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
 
@@ -107,7 +109,8 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 					WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName)
 							.queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
 							.queryParam(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis))
-							.queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+							.queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId)
+							.queryParam(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
 					return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
 				}
 			};
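Review bot: `clusterName` is put on the policy-download URL exactly as read from configuration, with no length or character check visible in this commit, whereas `RangerRESTUtils` carries a `MAX_PLUGIN_ID_LEN` bound next to the neighbouring `pluginId` parameter. The value is self-reported by the plugin, so whatever the admin server records from this parameter (the diffstat suggests the policy-export audit table) should be treated as a label, not as verified origin. A bound like the plugin-id one, plus validation on the admin side, would keep an oversized or malformed value out of the audit store. The non-secure request in the next hunk adds the same `.queryParam(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName)` call, and the enclosing method starts and ends outside both hunks.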
@@ -119,7 +122,8 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 			WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName)
 					.queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
 					.queryParam(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis))
-					.queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+					.queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId)
+					.queryParam(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
 			response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
 		}
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
index 1cb2295..55c3d8a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
@@ -119,6 +119,7 @@ public class RangerDefaultAuditHandler implements RangerAccessResultProcessor {
 				ret.setTags(tags);
 			}
 			ret.setAdditionalInfo(getAdditionalInfo(request));
+			ret.setClusterName(request.getClusterName());
 			populateDefaults(ret);
 		}
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 0668d57..cb06d26 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -52,6 +52,8 @@ public interface RangerAccessRequest {
 	String getRequestData();
 
 	String getSessionId();
+	
+	String getClusterName();
 
 	Map<String, Object> getContext();
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 17d1a71..daef06e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -47,6 +47,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 	private String               requestData     = null;
 	private String               sessionId       = null;
 	private Map<String, Object>  context         = null;
+	private String				 clusterName = null;
 
 	private boolean isAccessTypeAny            = false;
 	private boolean isAccessTypeDelegatedAdmin = false;
@@ -71,6 +72,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		setRequestData(null);
 		setSessionId(null);
 		setContext(null);
+		setClusterName(null);
 	}
 
 	@Override
@@ -149,6 +151,10 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		return isAccessTypeDelegatedAdmin;
 	}
 
+	public String getClusterName() {
+		return clusterName;
+	}
+
 	public void setResource(RangerAccessResource resource) {
 		this.resource = resource;
 	}
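Review bot: `getClusterName()` implements the method this commit adds to the `RangerAccessRequest` interface, but it is declared without `@Override`, while the `RangerAccessRequestReadOnly` implementation in the same commit has the annotation. Adding `@Override` above `public String getClusterName() {` lets the compiler catch a later rename or signature drift in the interface.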
@@ -203,6 +209,10 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		this.sessionId = sessionId;
 	}
 
+	public void setClusterName(String clusterName) {
+		this.clusterName = clusterName;
+	}
+
 	public void setResourceMatchingScope(ResourceMatchingScope scope) { this.resourceMatchingScope = scope; }
 
 	public void setContext(Map<String, Object> context) {
@@ -280,6 +290,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		sb.append("requestData={").append(requestData).append("} ");
 		sb.append("sessionId={").append(sessionId).append("} ");
 		sb.append("resourceMatchingScope={").append(resourceMatchingScope).append("} ");
+		sb.append("clusterName={").append(clusterName).append("} ");
 
 		sb.append("context={");
 		if(context != null) {

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
index a18e8bc..48d42a7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@ -92,4 +92,7 @@ public class RangerAccessRequestReadOnly implements RangerAccessRequest {
 
 	@Override
 	public ResourceMatchingScope getResourceMatchingScope() { return source.getResourceMatchingScope(); }
+
+	@Override
+	public String getClusterName() { return source.getClusterName(); }
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index eda0014..1803dae 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -63,6 +63,7 @@ public class RangerBasePlugin {
 	private RangerAccessResultProcessor resultProcessor = null;
 	private boolean                   useForwardedIPAddress = false;
 	private String[]                  trustedProxyAddresses = null;
+	private String                    clusterName = null;
 	private Timer                     policyEngineRefreshTimer;
 
 	Map<String, LogHistory> logHistoryList = new Hashtable<String, RangerBasePlugin.LogHistory>();
@@ -77,6 +78,14 @@ public class RangerBasePlugin {
 	public String getServiceType() {
 		return serviceType;
 	}
+	
+	public String getClusterName() {
+		return clusterName;
+	}
+
+	public void setClusterName(String clusterName) {
+		this.clusterName = clusterName;
+	}
 
 	public RangerServiceDef getServiceDef() {
 		RangerPolicyEngine policyEngine = this.policyEngine;
@@ -108,6 +117,7 @@ public class RangerBasePlugin {
 		long   pollingIntervalMs = RangerConfiguration.getInstance().getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
 		String cacheDir          = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.cache.dir");
 		serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name");
+		clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
 
 		useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".use.x-forwarded-for.ipaddress", false);
 		String trustedProxyAddressString = RangerConfiguration.getInstance().get(propertyPrefix + ".trusted.proxy.ipaddresses");
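Review bot: The property suffix `".ambari.cluster.name"` and its `""` default are now spelled out twice, here and in the `RangerAdminRESTClient` initialisation code, so the two reads can drift apart. A shared constant would keep the plugin and its admin client on the same key, for example `public static final String PROP_CLUSTER_NAME_SUFFIX = ".ambari.cluster.name";` (the constant name is only a suggestion). The key is Ambari-specific although the value ends up as a generic cluster label in audit records, which deserves a short comment on this line. The enclosing method starts and ends outside the hunk.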
@@ -399,6 +409,7 @@ public class RangerBasePlugin {
 			accessRequest.setClientType(request.getClientType());
 			accessRequest.setRequestData(request.getRequestData());
 			accessRequest.setSessionId(request.getSessionId());
+			accessRequest.setClusterName(request.getClusterName());
 
 			// call isAccessAllowed() to determine if audit is enabled or not
 			RangerAccessResult accessResult = isAccessAllowed(accessRequest, null);
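Review bot: The audit-side request takes its cluster name from the incoming `GrantRevokeRequest`, so the audit record is only labelled when every caller remembers to call `setClusterName` first (the HBase coprocessor does so further down in this commit). The plugin already holds its own configured `clusterName`, so falling back to it would keep grant/revoke audits labelled when a caller omits the value: `accessRequest.setClusterName(request.getClusterName() != null ? request.getClusterName() : clusterName);`. The enclosing method starts and ends outside the hunk.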

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
index c9b3481..143698f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
@@ -56,13 +56,14 @@ public class GrantRevokeRequest implements Serializable {
 	private String              clientType                 = null;
 	private String              requestData                = null;
 	private String              sessionId                  = null;
+	private String              clusterName                = null;
 
 
 	public GrantRevokeRequest() {
-		this(null, null, null, null, null, null, null, null, null, null, null, null, null);
+		this(null, null, null, null, null, null, null, null, null, null, null, null, null, null);
 	}
 
-	public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String sessionId) {
+	public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive, String clientIPAddress, String clientType, String requestData, String sessionId, String clusterName) {
 		setGrantor(grantor);
 		setResource(resource);
 		setUsers(users);
@@ -76,6 +77,7 @@ public class GrantRevokeRequest implements Serializable {
 		setClientType(clientType);
 		setRequestData(requestData);
 		setSessionId(sessionId);
+		setClusterName(clusterName);
 	}
 
 	/**
@@ -260,6 +262,20 @@ public class GrantRevokeRequest implements Serializable {
 		this.sessionId = sessionId;
 	}
 
+	/**
+	 * @return the clusterName
+	 */
+	public String getClusterName() {
+		return clusterName;
+	}
+
+	/**
+	 * @param clusterName the clusterName to set
+	 */
+	public void setClusterName(String clusterName) {
+		this.clusterName = clusterName;
+	}
+
 
 	@Override
 	public String toString( ) {
@@ -315,6 +331,7 @@ public class GrantRevokeRequest implements Serializable {
 		sb.append("clientType={").append(clientType).append("} ");
 		sb.append("requestData={").append(requestData).append("} ");
 		sb.append("sessionId={").append(sessionId).append("} ");
+		sb.append("clusterName={").append(clusterName).append("} ");
 
 		sb.append("}");
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
index 609f717..961b8bc 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
@@ -60,7 +60,8 @@ public class RangerRESTUtils {
 	public static final String REST_PARAM_PLUGIN_ID                 = "pluginId";
 
 	private static final int MAX_PLUGIN_ID_LEN = 255;
-
+	
+	public static final String REST_PARAM_CLUSTER_NAME   = "clusterName";
 
 	public String getPolicyRestUrl(String propertyPrefix) {
 		String url = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.url");

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index dedbe1e..1349aef 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -55,6 +55,8 @@ public class AuthorizationSession {
 	String _column;
 	String _columnFamily;
 	String _remoteAddress;
+	String _clusterName;
+
 	User _user;
 	Set<String> _groups; // this exits to avoid having to get group for a user repeatedly.  It is kept in sync with _user;
 	// Passing a null handler to policy engine would suppress audit logging.
@@ -89,6 +91,11 @@ public class AuthorizationSession {
 		_access = anAccess;
 		return this;
 	}
+	
+	AuthorizationSession clusterName(String clusterName) {
+		_clusterName = clusterName;
+		return this;
+	}
 
 	AuthorizationSession user(User aUser) {
 		_user = aUser;
@@ -191,6 +198,7 @@ public class AuthorizationSession {
 		request.setRequestData(_otherInformation);
 		request.setClientIPAddress(_remoteAddress);
 		request.setResourceMatchingScope(_resourceMatchingScope);
+		request.setClusterName(_clusterName);
 		
 		_request = request;
 		if (LOG.isDebugEnabled()) {
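Review bot: `_clusterName` is only populated when a call site chains `.clusterName(...)`, and every call site in the coprocessor passes `hbasePlugin.getClusterName()`, taken from the same plugin that is handed to the `AuthorizationSession` constructor. If the session keeps that plugin reference (not visible in these hunks), `buildRequest()` could read the name from it directly. That would remove the chance of a future call site producing audit events with a null cluster. `buildRequest()` starts and ends outside the hunk.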

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 8ee3580..cf2ffcf 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -268,10 +268,11 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 		final AuthzAuditEvent _accessDeniedEvent;
 		final String _denialReason;
 		final RangerAuthorizationFilter _filter;
+		final String _clusterName;
 
 		ColumnFamilyAccessResult(boolean everythingIsAccessible, boolean somethingIsAccessible,
 								 List<AuthzAuditEvent> accessAllowedEvents, List<AuthzAuditEvent> familyLevelAccessEvents, AuthzAuditEvent accessDeniedEvent, String denialReason,
-								 RangerAuthorizationFilter filter) {
+								 RangerAuthorizationFilter filter, String clusterName) {
 			_everythingIsAccessible = everythingIsAccessible;
 			_somethingIsAccessible = somethingIsAccessible;
 			// WARNING: we are just holding on to reference of the collection.  Potentially risky optimization
@@ -281,6 +282,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			_denialReason = denialReason;
 			// cached values of access results
 			_filter = filter;
+			_clusterName = clusterName;
 		}
 		
 		@Override
@@ -293,6 +295,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 					.add("accessDeniedEvent", _accessDeniedEvent)
 					.add("denialReason", _denialReason)
 					.add("filter", _filter)
+					.add("clusterName", _clusterName)
 					.toString();
 			
 		}
@@ -317,12 +320,13 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			throw new AccessDeniedException("Insufficient permissions for operation '" + operation + "',action: " + action);
 		}
 		String table = Bytes.toString(tableBytes);
+		String clusterName = hbasePlugin.getClusterName();
 
 		final String messageTemplate = "evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]";
 		ColumnFamilyAccessResult result;
 		if (canSkipAccessCheck(operation, access, table) || canSkipAccessCheck(operation, access, env)) {
 			LOG.debug("evaluateAccess: exiting: isKnownAccessPattern returned true: access allowed, not audited");
-			result = new ColumnFamilyAccessResult(true, true, null, null, null, null, null);
+			result = new ColumnFamilyAccessResult(true, true, null, null, null, null, null, null);
 			if (LOG.isDebugEnabled()) {
 				Map<String, Set<String>> families = getColumnFamilies(familyMap);
 				String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
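Review bot: The skip-access-check branch builds its result with `null` for the new `clusterName` argument although `clusterName` was fetched a few lines above; the other two `ColumnFamilyAccessResult` constructions changed in this commit pass it. Passing it here as well, `result = new ColumnFamilyAccessResult(true, true, null, null, null, null, null, clusterName);`, keeps the debug output consistent. In the visible hunks `_clusterName` is only read by `toString()`, so this affects logging and not the verdict. The method starts and ends outside the hunk.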
@@ -339,7 +343,8 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 				.auditHandler(auditHandler)
 				.user(user)
 				.access(access)
-				.table(table);
+				.table(table)
+				.clusterName(clusterName);
 		Map<String, Set<String>> families = getColumnFamilies(familyMap);
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("evaluateAccess: families to process: " + families.toString());
@@ -358,11 +363,10 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 				reason = String.format("Insufficient permissions for user \u2018%s',action: %s, tableName:%s, no column families found.", user.getName(), operation, table);
 			}
 			AuthzAuditEvent event = auditHandler.getAndDiscardMostRecentEvent(); // this could be null, of course, depending on audit settings of table.
-
 			// if authorized then pass captured events as access allowed set else as access denied set.
 			result = new ColumnFamilyAccessResult(authorized, authorized,
 						authorized ? Collections.singletonList(event) : null,
-						null, authorized ? null : event, reason, null);
+						null, authorized ? null : event, reason, null, clusterName);
 			if (LOG.isDebugEnabled()) {
 				String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
 				LOG.debug(message);
@@ -488,7 +492,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 		}
 		// Cache of auth results are encapsulated the in the filter. Not every caller of the function uses it - only preGet and preOpt will.
 		RangerAuthorizationFilter filter = new RangerAuthorizationFilter(session, familesAccessAllowed, familesAccessDenied, familesAccessIndeterminate, columnsAccessAllowed);
-		result = new ColumnFamilyAccessResult(everythingIsAccessible, somethingIsAccessible, authorizedEvents, familyLevelAccessEvents, deniedEvent, denialReason, filter);
+		result = new ColumnFamilyAccessResult(everythingIsAccessible, somethingIsAccessible, authorizedEvents, familyLevelAccessEvents, deniedEvent, denialReason, filter, clusterName);
 		if (LOG.isDebugEnabled()) {
 			String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
 			LOG.debug(message);
@@ -580,6 +584,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			return;
 		}
 		User user = getActiveUser();
+		String clusterName = hbasePlugin.getClusterName();
 		
 		HbaseAuditHandler auditHandler = _factory.getAuditHandler();
 		AuthorizationSession session = new AuthorizationSession(hbasePlugin)
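Review bot: `hbasePlugin.getClusterName()` dereferences the plugin field directly, whereas the grant and revoke paths later in this file copy it to a local and check `plugin != null` before use. If the field can be unset when this runs (the guard elsewhere suggests it can), the new line throws a NullPointerException before the authorization session is built. The same direct read is added in the `evaluateAccess` path, in `canSkipAccessCheck` and in `postGetTableDescriptors`. Reading the name through a null-checked local, or inside `AuthorizationSession`, would avoid that. The enclosing method starts and ends outside the hunk.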
@@ -592,6 +597,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			.table(table)
 			.columnFamily(columnFamily)
 			.column(column)
+			.clusterName(clusterName)
 			.buildRequest()
 			.authorize();
 		
@@ -626,6 +632,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	
 	boolean canSkipAccessCheck(final String operation, String access, final RegionCoprocessorEnvironment regionServerEnv) throws AccessDeniedException {
 
+		String clusterName = hbasePlugin.getClusterName();
 		User user = getActiveUser();
 		// read access to metadata tables is always allowed and isn't audited.
 		if (isAccessForMetaTables(regionServerEnv) && _authUtils.isReadAccess(access)) {
@@ -640,6 +647,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 				.remoteAddress(getRemoteAddress())
 				.user(user)
 				.access(createAccess)
+				.clusterName(clusterName)
 				.buildRequest()
 				.authorize();
 			if (session.isAuthorized()) {
@@ -1087,6 +1095,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(),
 					descriptors == null ? 0 : descriptors.size(), regex));
 		}
+		String clusterName = hbasePlugin.getClusterName();
 
 		if (CollectionUtils.isNotEmpty(descriptors)) {
 			// Retains only those which passes authorization checks
@@ -1099,7 +1108,8 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 				.remoteAddress(getRemoteAddress())
 				.auditHandler(auditHandler)
 				.user(user)
-				.access(access);
+				.access(access)
+				.clusterName(clusterName);
 	
 			Iterator<HTableDescriptor> itr = descriptors.iterator();
 			while (itr.hasNext()) {
@@ -1166,6 +1176,10 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 				RangerHBasePlugin plugin = hbasePlugin;
 
 				if(plugin != null) {
+
+					String clusterName = plugin.getClusterName();
+					grData.setClusterName(clusterName);
+					
 					RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
 
 					plugin.grantAccess(grData, auditHandler);
@@ -1205,6 +1219,9 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 				RangerHBasePlugin plugin = hbasePlugin;
 
 				if(plugin != null) {
+					String clusterName = plugin.getClusterName();
+					grData.setClusterName(clusterName);
+					
 					RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
 
 					plugin.revokeAccess(grData, auditHandler);

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 460c692..d28685a 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -57,6 +57,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 
 import com.google.common.collect.Sets;
+
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 
 public class RangerHdfsAuthorizer extends INodeAttributeProvider {
@@ -424,6 +425,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 			AuthzStatus ret       = null;
 			String      path      = inode != null ? inode.getFullPathName() : null;
 			String      pathOwner = inodeAttribs != null ? inodeAttribs.getUserName() : null;
+			String 		clusterName = plugin.getClusterName();
 
 			if(pathOwner == null && inode != null) {
 				pathOwner = inode.getUserName();
@@ -446,7 +448,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 			}
 
 			for(String accessType : accessTypes) {
-				RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, user, groups);
+				RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, user, groups, clusterName);
 
 				RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);
 
@@ -511,7 +513,7 @@ class RangerHdfsResource extends RangerAccessResourceImpl {
 
 class RangerHdfsAccessRequest extends RangerAccessRequestImpl {
 
-	public RangerHdfsAccessRequest(INode inode, String path, String pathOwner, FsAction access, String accessType, String user, Set<String> groups) {
+	public RangerHdfsAccessRequest(INode inode, String path, String pathOwner, FsAction access, String accessType, String user, Set<String> groups, String clusterName) {
 		super.setResource(new RangerHdfsResource(path, pathOwner));
 		super.setAccessType(accessType);
 		super.setUser(user);
@@ -519,6 +521,7 @@ class RangerHdfsAccessRequest extends RangerAccessRequestImpl {
 		super.setAccessTime(new Date());
 		super.setClientIPAddress(getRemoteIp());
 		super.setAction(access.toString());
+		super.setClusterName(clusterName);
 
 		if (inode != null) {
 			buildRequestContext(inode);

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index b9f1cde..a8bf543 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -42,7 +42,8 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 								   String                  hiveOpTypeName,
 								   HiveAccessType          accessType,
 								   HiveAuthzContext        context,
-								   HiveAuthzSessionContext sessionContext) {
+								   HiveAuthzSessionContext sessionContext,
+								   String clusterName) {
 		this.setResource(resource);
 		this.setUser(user);
 		this.setUserGroups(userGroups);
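Review bot: Adding `clusterName` to this public constructor, and to the two overloads changed in the later hunk of this file, removes the previous signatures, so any code outside this commit that constructs `RangerHiveAccessRequest` stops compiling against the new jar. Keeping the old overloads as delegating constructors would avoid that, each with a body like `this(resource, user, userGroups, hiveOpTypeName, accessType, context, sessionContext, null);`. A short Javadoc on the new parameter, saying the value is taken from the plugin and may be null or empty, would also help callers. The constructor body continues outside the hunk.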
@@ -60,6 +61,8 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 			this.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
 			this.setSessionId(sessionContext.getSessionString());
 		}
+		
+		this.setClusterName(clusterName);
 	}
 
 	public RangerHiveAccessRequest(RangerHiveResource      resource,
@@ -68,12 +71,13 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 			   HiveOperationType       hiveOpType,
 			   HiveAccessType          accessType,
 			   HiveAuthzContext        context,
-			   HiveAuthzSessionContext sessionContext) {
-		this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext);
+			   HiveAuthzSessionContext sessionContext,
+			   String clusterName) {
+		this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext, clusterName);
 	}
 
-	public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
-		this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
+	public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, HiveAuthzContext context, HiveAuthzSessionContext sessionContext, String clusterName) {
+		this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext, clusterName);
 	}
 
 	public HiveAccessType getHiveAccessType() {
@@ -109,6 +113,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 		ret.setSessionId(getSessionId());
 		ret.setContext(RangerAccessRequestUtil.copyContext(getContext()));
 		ret.accessType = accessType;
+		ret.setClusterName(getClusterName());
 
 		return ret;
 	}

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2baa97b..870131b 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -142,6 +142,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		try {
 			RangerHiveResource resource = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject);
 			GrantRevokeRequest request  = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);
+			request.setClusterName(hivePlugin.getClusterName());
 
 			LOG.info("grantPrivileges(): " + request);
 			if(LOG.isDebugEnabled()) {
@@ -182,6 +183,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		try {
 			RangerHiveResource resource = getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject);
 			GrantRevokeRequest request  = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);
+			request.setClusterName(hivePlugin.getClusterName());
 
 			LOG.info("revokePrivileges(): " + request);
 			if(LOG.isDebugEnabled()) {
@@ -223,6 +225,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
 			String                  user           = ugi.getShortUserName();
 			Set<String>             groups         = Sets.newHashSet(ugi.getGroupNames());
+			String clusterName = hivePlugin.getClusterName();
 
 			if(LOG.isDebugEnabled()) {
 				LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext));
@@ -262,7 +265,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 					}
 
 					if(!existsByResourceAndAccessType(requests, resource, accessType)) {
-						RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
+						RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, clusterName);
 
 						requests.add(request);
 					}
@@ -271,7 +274,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 				// this should happen only for SHOWDATABASES
 				if (hiveOpType == HiveOperationType.SHOWDATABASES) {
 					RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
-					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
+					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext, clusterName);
 					requests.add(request);
 				} else {
 					if (LOG.isDebugEnabled()) {
@@ -306,7 +309,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 					}
 
 					if(!existsByResourceAndAccessType(requests, resource, accessType)) {
-						RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
+						RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, clusterName);
 
 						requests.add(request);
 					}
@@ -482,7 +485,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 				if (resource == null) {
 					LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null");
 				} else {
-					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext);
+					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext, hivePlugin.getClusterName());
 					RangerAccessResult result = hivePlugin.isAccessAllowed(request);
 					if (result == null) {
 						LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!");
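Review bot: This call reads `hivePlugin.getClusterName()` inline for each request it builds, while the other hunks in this file fetch it once into a local `clusterName` and pass that. If this line sits inside the per-object loop (the loop header is outside the hunk), hoisting the read above the loop keeps the file consistent: `String clusterName = hivePlugin.getClusterName();`.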
@@ -637,8 +640,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			String                  user           = ugi.getShortUserName();
 			Set<String>             groups         = Sets.newHashSet(ugi.getGroupNames());
 			HiveObjectType          objectType     = HiveObjectType.TABLE;
+			String 					clusterName    = hivePlugin.getClusterName();
 			RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName);
-			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
+			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
 
 			RangerRowFilterResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
 
@@ -659,6 +663,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 	private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName, String tableOrViewName, String columnName, List<String> columnTransformers) throws SemanticException {
 		UserGroupInformation ugi = getCurrentUserGroupInfo();
 
+		String clusterName = hivePlugin.getClusterName();
 		if(ugi == null) {
 			throw new SemanticException("user information not available");
 		}
@@ -678,7 +683,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			Set<String>             groups         = Sets.newHashSet(ugi.getGroupNames());
 			HiveObjectType          objectType     = HiveObjectType.COLUMN;
 			RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
-			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
+			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
 
 			RangerDataMaskResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index fb92616..d856f89 100644
--- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -62,6 +62,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 	String _baseUrl = null;
 	String _sslConfigFileName = null;
 	String _serviceName = null;
+	String _clusterName = null;
 	String _pluginId = null;
 	int	   _restClientConnTimeOutMs;
 	int	   _restClientReadTimeOutMs;
@@ -79,6 +80,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 		_isSSL = _utils.isSsl(_baseUrl);
 		_restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
 		_restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
+		_clusterName = RangerConfiguration.getInstance().get(configPropertyPrefix + ".ambari.cluster.name", "");
 
 		LOG.info("Init params: " + String.format("Base URL[%s], SSL Congig filename[%s], ServiceName=[%s]", _baseUrl, _sslConfigFileName, _serviceName));
 		
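Review bot: The `LOG.info("Init params: ...")` line just below the new assignment still omits the cluster name, so the value that will be reported to Ranger Admin cannot be checked from the plugin log; adding `ClusterName=[%s]` with `_clusterName` to that format string would cover it. The default here is `""` rather than null, and the two request-building hunks below always append `REST_PARAM_CLUSTER_NAME`, so an unconfigured plugin sends an empty value; consider omitting the parameter when it is empty so audit rows do not mix empty strings with the column's NULL default. The value is self-reported by the plugin from its local configuration, so audit consumers should treat it as descriptive rather than as an authenticated identity. The enclosing method starts and ends outside the hunk.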
@@ -116,6 +118,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 							.queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
 							.queryParam(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis))
 							.queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId)
+							.queryParam(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, _clusterName)
 							.request(MediaType.APPLICATION_JSON_TYPE)
 							.get();
 				}
@@ -130,6 +133,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 					.queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
 					.queryParam(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis))
 					.queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId)
+					.queryParam(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, _clusterName)
 					.request(MediaType.APPLICATION_JSON_TYPE)
 					.get();
 		}

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
index 61604b0..d248785 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
@@ -55,6 +55,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 		String _user;
 		Set<String> _groups;
 		String _clientIp;
+		String _clusterName;
+		
 		RequestBuilder service(String service) {
 			_service = service;
 			return this;
@@ -75,7 +77,10 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 			_clientIp = clientIp;
 			return this;
 		}
-		
+		RequestBuilder clusterName(String clusterName) {
+			_clusterName = clusterName;
+			return this;
+		}
 		void verifyBuildable() {
 			if (_topology == null) throw new IllegalStateException("_topology can't be null!");
 			if (_service == null) throw new IllegalStateException("_service can't be null!");
@@ -95,7 +100,7 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 			request.setUser(_user);
 			request.setUserGroups(_groups);
 			request.setResource(resource);
-			
+			request.setClusterName(_clusterName);
 			return request;
 		}
 	}

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
index 55ebf58..1d58b21 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
@@ -121,11 +121,14 @@ public class RangerPDPKnoxFilter implements Filter {
 		}
 
 		String clientIp = request.getRemoteAddr();
+		String clusterName = plugin.getClusterName();
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: "
-					+ impersonatedUser + ", effectiveUser: " + user +
-					", groups: " + groups + ", clientIp: " + clientIp);
+			LOG.debug("Checking access primaryUser: " + primaryUser
+					+ ", impersonatedUser: " + impersonatedUser
+					+ ", effectiveUser: " + user + ", groups: " + groups
+					+ ", clientIp: " + clientIp + ", clusterName: "
+					+ clusterName);
 		}
 		RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder()
 			.service(serviceName)
@@ -133,6 +136,7 @@ public class RangerPDPKnoxFilter implements Filter {
 			.user(user)
 			.groups(groups)
 			.clientIp(clientIp)
+			.clusterName(clusterName)
 			.build();
 
 		boolean accessAllowed = false;

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 2038645..9712f95 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -77,14 +77,15 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
         String action = request.getAction().name();
         Set<AtlasResourceTypes> resourceTypes = request.getResourceTypes();
         String clientIPAddress = request.getClientIPAddress();
+        String clusterName = atlasPlugin.getClusterName();
 
         for (AtlasResourceTypes resourceType : resourceTypes) {
             RangerAtlasAccessRequest rangerRequest =
-                new RangerAtlasAccessRequest(resourceType, resource, action, user, userGroups, clientIPAddress);
+                new RangerAtlasAccessRequest(resourceType, resource, action, user, userGroups, clientIPAddress, clusterName);
             if (isDebugEnabled) {
                 LOG.debug("Creating RangerAtlasAccessRequest with values [resource : " + resource + ", user : " + user
                     + ", Groups : " + userGroups + ", action : " + action + ", resourceType : " + resourceType
-                    + ", clientIP : " + clientIPAddress + "]");
+                    + ", clientIP : " + clientIPAddress + ", clusterName : " + clusterName + "]");
             }
             isAccessAllowed = checkAccess(rangerRequest);
             if (!isAccessAllowed) {
@@ -130,7 +131,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 class RangerAtlasAccessRequest extends RangerAccessRequestImpl {
 
     public RangerAtlasAccessRequest(AtlasResourceTypes resType, String resource, String action, String user,
-        Set<String> userGroups, String clientIp) {
+        Set<String> userGroups, String clientIp, String clusterName) {
         super.setResource(new RangerAtlasResource(resType, resource));
         super.setAccessType(action);
         super.setUser(user);
@@ -138,6 +139,7 @@ class RangerAtlasAccessRequest extends RangerAccessRequestImpl {
         super.setAccessTime(new Date(System.currentTimeMillis()));
         super.setClientIPAddress(clientIp);
         super.setAction(action);
+        super.setClusterName(clusterName);
     }
 
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 472b734..ec7f887 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -160,6 +160,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 			validationStr += "Unsupported access type. operation=" + operation;
 		}
 		String action = accessType;
+		String clusterName = rangerPlugin.getClusterName();
 
 		RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
 		rangerRequest.setUser(userName);
@@ -172,6 +173,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		rangerRequest.setAccessType(accessType);
 		rangerRequest.setAction(action);
 		rangerRequest.setRequestData(resource.name());
+		rangerRequest.setClusterName(clusterName);
 
 		if (resource.resourceType().equals(Topic$.MODULE$)) {
 			rangerResource.setValue(KEY_TOPIC, resource.name());

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index 9bebafa..4cda8fa 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -208,9 +208,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 		    if(!ret){
 		    	LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
 		    }
+		    String clusterName = kmsPlugin.getClusterName();
 		
 			if(plugin != null && ret) {				
-				RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp);
+				RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp, clusterName);
 				RangerAccessResult result = plugin.isAccessAllowed(request);
 				ret = result == null ? false : result.getIsAllowed();
 			}
@@ -234,9 +235,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 		    if(!ret){
 		    	LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
 		    }
+		    String clusterName = kmsPlugin.getClusterName();
 		
 			if(plugin != null && ret) {				
-				RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp);
+				RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp, clusterName);
 				RangerAccessResult result = plugin.isAccessAllowed(request);
 				ret = result == null ? false : result.getIsAllowed();
 			}
@@ -352,7 +354,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 	}
 
 	class RangerKMSAccessRequest extends RangerAccessRequestImpl {
-		public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi, String clientIp) {
+		public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi, String clientIp, String clusterName) {
 			super.setResource(new RangerKMSResource(keyName));
 			super.setAccessType(accessType);
 			super.setUser(ugi.getShortUserName());
@@ -360,5 +362,6 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 			super.setAccessTime(new Date());
 			super.setClientIPAddress(clientIp);			
 			super.setAction(accessType);
+			super.setClusterName(clusterName);
 		}
 	}

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index 2338ba1..c589060 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -99,9 +99,10 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
 		RangerYarnPlugin       plugin       = yarnPlugin;
 		RangerYarnAuditHandler auditHandler = null;
 		RangerAccessResult     result       = null;
+		String				   clusterName  = yarnPlugin.getClusterName();
 
 		if(plugin != null) {
-			RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi);
+			RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi, clusterName);
 
 			auditHandler = new RangerYarnAuditHandler();
 
@@ -268,7 +269,7 @@ class RangerYarnResource extends RangerAccessResourceImpl {
 }
 
 class RangerYarnAccessRequest extends RangerAccessRequestImpl {
-	public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi) {
+	public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, String action, UserGroupInformation ugi, String clusterName) {
 		super.setResource(new RangerYarnResource(entity));
 		super.setAccessType(accessType);
 		super.setUser(ugi.getShortUserName());
@@ -276,6 +277,7 @@ class RangerYarnAccessRequest extends RangerAccessRequestImpl {
 		super.setAccessTime(new Date());
 		super.setClientIPAddress(getRemoteIp());
 		super.setAction(action);
+		super.setClusterName(clusterName);
 	}
 	
 	private static String getRemoteIp() {

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/db/mysql/patches/026-add-column-in-x_policy_export_audit.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/mysql/patches/026-add-column-in-x_policy_export_audit.sql b/security-admin/db/mysql/patches/026-add-column-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..0d5ca26
--- /dev/null
+++ b/security-admin/db/mysql/patches/026-add-column-in-x_policy_export_audit.sql
@@ -0,0 +1,29 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+drop procedure if exists add_column_in_x_policy_export_audit;
+
+delimiter ;;
+create procedure add_column_in_x_policy_export_audit() begin
+
+if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_policy_export_audit' and column_name='cluster_name') then
+        ALTER TABLE x_policy_export_audit ADD cluster_name varchar(255) NULL DEFAULT NULL;
+end if;
+end;;
+
+delimiter ;
+call add_column_in_x_policy_export_audit();
+
+drop procedure if exists add_column_in_x_policy_export_audit;
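Review bot: The new `cluster_name` column is capped at 255 characters, but the value appears to arrive from plugins as a request parameter (see the `REST_PARAM_CLUSTER_NAME` hunks in RangerAdminJersey2RESTClient), and nothing visible in this part of the commit bounds its length. The server-side write is not shown here, so confirm that it truncates or rejects longer values; otherwise an oversized name could make the audit insert fail or be silently cut, depending on the SQL mode. The Oracle and PostgreSQL patches add the same 255-character column. A one-line comment above the ALTER, such as `-- cluster name reported by the plugin (RANGER-1481)`, would document what the column holds.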

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/db/oracle/patches/026-add-column-in-x_policy_export_audit.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/oracle/patches/026-add-column-in-x_policy_export_audit.sql b/security-admin/db/oracle/patches/026-add-column-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..675a5ef
--- /dev/null
+++ b/security-admin/db/oracle/patches/026-add-column-in-x_policy_export_audit.sql
@@ -0,0 +1,23 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+DECLARE
+        v_count number:=0;
+BEGIN   
+        select count(*) into v_count from user_tab_cols where table_name='X_POLICY_EXPORT_AUDIT' and column_name='CLUSTER_NAME';
+        if (v_count = 0) then 
+                execute immediate 'ALTER TABLE x_policy_export_audit ADD cluster_name varchar(255) DEFAULT NULL NULL';
+        end if; 
+        commit; 
+END;/

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/db/postgres/patches/026-add-column-in-x_policy_export_audit.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/postgres/patches/026-add-column-in-x_policy_export_audit.sql b/security-admin/db/postgres/patches/026-add-column-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..3fdd1ea
--- /dev/null
+++ b/security-admin/db/postgres/patches/026-add-column-in-x_policy_export_audit.sql
@@ -0,0 +1,32 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+-- function add_x_policy_export_audit
+select 'delimiter start';
+CREATE OR REPLACE FUNCTION add_x_policy_export_audit()
+RETURNS void AS $$
+DECLARE
+ v_column_exists integer := 0;
+BEGIN
+ select count(*) into v_column_exists from pg_attribute where attrelid in(select oid from pg_class where relname='x_policy_export_audit') and attname='cluster_name';
+ IF v_column_exists = 0 THEN
+  ALTER TABLE x_policy_export_audit ADD COLUMN cluster_name VARCHAR(255) DEFAULT NULL NULL;
+ END IF;
+END;
+$$ LANGUAGE plpgsql;
+select 'delimiter end';
+
+select add_x_policy_export_audit();
+select 'delimiter end';
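Review bot: The existence check in `add_x_policy_export_audit()` matches `pg_class.relname` without restricting the schema, so a table named `x_policy_export_audit` in any other schema that already has `cluster_name` makes `v_column_exists` non-zero and the ALTER is skipped without any message. Resolving the table through the search path keeps the check and the ALTER on the same relation, e.g. `where attrelid = 'x_policy_export_audit'::regclass and attname = 'cluster_name'`. The sqlanywhere and sqlserver patches in this commit have the same shape: they alter `dbo.x_policy_export_audit` but query `SYS.SYSCOLUMNS` and `INFORMATION_SCHEMA.columns` without a creator or `table_schema` filter.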

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/db/sqlanywhere/patches/026-add-column-in-x_policy_export_audit.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlanywhere/patches/026-add-column-in-x_policy_export_audit.sql b/security-admin/db/sqlanywhere/patches/026-add-column-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..b58dace
--- /dev/null
+++ b/security-admin/db/sqlanywhere/patches/026-add-column-in-x_policy_export_audit.sql
@@ -0,0 +1,21 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+IF NOT EXISTS(select * from SYS.SYSCOLUMNS where tname = 'x_policy_export_audit' and cname = 'cluster_name') THEN
+		ALTER TABLE dbo.x_policy_export_audit ADD cluster_name varchar(255) DEFAULT NULL NULL;
+END IF;
+GO
+
+exit

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/db/sqlserver/patches/026-add-column-in-x_policy_export_audit.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/patches/026-add-column-in-x_policy_export_audit.sql b/security-admin/db/sqlserver/patches/026-add-column-in-x_policy_export_audit.sql
new file mode 100644
index 0000000..f5b5531
--- /dev/null
+++ b/security-admin/db/sqlserver/patches/026-add-column-in-x_policy_export_audit.sql
@@ -0,0 +1,23 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+GO
+IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_policy_export_audit' and column_name = 'cluster_name')
+BEGIN
+	ALTER TABLE [dbo].[x_policy_export_audit] ADD [cluster_name] [varchar](255) DEFAULT NULL NULL;
+END
+GO
+
+exit

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java
index 4544614..1545e04 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java
@@ -129,6 +129,17 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
 	 */
 	@Column(name="HTTP_RET_CODE"  , nullable=false )
 	protected int httpRetCode;
+	
+	/**
+	 * Name of the Cluster
+	 * <ul>
+	 * <li>The maximum length for this attribute is <b>255</b>.
+	 * </ul>
+	 *
+	 */
+	@Column(name="CLUSTER_NAME" , nullable=false  , length=255)
+	protected String clusterName;
+
 
 	/**
 	 * Default constructor. This will set all the attributes to default value.
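Review bot: `nullable=false` on the new `CLUSTER_NAME` mapping contradicts the schema patches in this commit, which all add the column as `DEFAULT NULL NULL`, so rows written before the upgrade hold NULL. The mapping should describe the column as it exists: `@Column(name="CLUSTER_NAME", nullable=true, length=255)`. The setter Javadoc added in the next hunk says "You cannot set null to the attribute" although `setClusterName` assigns its argument unchecked; that sentence should be dropped or the check added. The class body continues outside this hunk.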
@@ -259,6 +270,23 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
 	public int getHttpRetCode( ) {
 		return this.httpRetCode;
 	}
+	
+	/**
+	 * This method sets the value to the member attribute <b>clusterName</b>.
+	 * You cannot set null to the attribute.
+	 * @param clusterName Value to set member attribute <b>clusterName</b>
+	 */
+	public void setClusterName(String clusterName) {
+		this.clusterName = clusterName;
+	}
+
+	/**
+	 * Returns the value for the member attribute <b>clusterName</b>
+	 * @return String - value of member attribute <b>clusterName</b>.
+	 */
+	public String getClusterName() {
+		return clusterName;
+	}
 
 	/**
 	 * This return the bean content in string format
@@ -275,6 +303,7 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
 		str += "repositoryName={" + repositoryName + "} ";
 		str += "exportedJson={" + exportedJson + "} ";
 		str += "httpRetCode={" + httpRetCode + "} ";
+		str += "clusterName={" + clusterName + "} ";
 		str += "}";
 		return str;
 	}
@@ -307,7 +336,10 @@ public class XXPolicyExportAudit extends XXDBBase implements java.io.Serializabl
         	if ((this.exportedJson == null && other.exportedJson != null) || (this.exportedJson != null && !this.exportedJson.equals(other.exportedJson))) {
             		return false;
         	}
-		if( this.httpRetCode != other.httpRetCode ) return false;
+        	if( this.httpRetCode != other.httpRetCode ) return false;
+			if ((this.clusterName == null && other.clusterName != null) || (this.clusterName != null && !this.clusterName.equals(other.clusterName))) {
+	    		return false;
+			}
 		return true;
 	}
 	public static String getEnumName(String fieldName ) {
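Review bot: The added `clusterName` comparison and the re-indented `httpRetCode` line sit at three different tab/space depths, which makes the end of `equals` hard to read next to the `exportedJson` check above. If the build targets Java 7 or later, the four added lines collapse to `if (!java.util.Objects.equals(this.clusterName, other.clusterName)) return false;` at the same indent as the other checks. `equals` starts outside this hunk; if the class also overrides `hashCode()` there, it should be checked that it stays consistent with the widened comparison.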

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index f0d2401..ed34525 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -535,7 +535,7 @@ public class AssetREST {
 		ServicePolicies servicePolicies = null;
 
 		try {
-			servicePolicies = serviceREST.getServicePoliciesIfUpdated(repository, lastKnowPolicyVersion, 0L, agentId, request);
+			servicePolicies = serviceREST.getServicePoliciesIfUpdated(repository, lastKnowPolicyVersion, 0L, agentId, "",request);
 		} catch(Exception excp) {
 			logger.error("failed to retrieve policies for repository " + repository, excp);
 		}
@@ -582,6 +582,8 @@ public class AssetREST {
 				"Start date for search", null);
 		searchUtil.extractDate(request, searchCriteria, "endDate",
 				"End date for search", null);
+		searchUtil.extractString(request, searchCriteria, "cluster",
+				"Cluster Name", StringUtil.VALIDATION_TEXT);
 		return assetMgr.searchXPolicyExportAudits(searchCriteria);
 	}
 
@@ -656,6 +658,7 @@ public class AssetREST {
 				"MM/dd/yyyy");
 
 		searchUtil.extractString(request, searchCriteria, "tags", "tags", null);
+		searchUtil.extractString(request, searchCriteria, "cluster", "Cluster Name", StringUtil.VALIDATION_TEXT);
 		
 		boolean isKeyAdmin = msBizUtil.isKeyAdmin();
 		XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME);

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 9ec81b3..c33d044 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -2299,9 +2299,17 @@ public class ServiceREST {
 	@GET
 	@Path("/policies/download/{serviceName}")
 	@Produces({ "application/json", "application/xml" })
-	public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownVersion") Long lastKnownVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @Context HttpServletRequest request) throws Exception {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ")");
+	public ServicePolicies getServicePoliciesIfUpdated(
+			@PathParam("serviceName") String serviceName,
+			@QueryParam("lastKnownVersion") Long lastKnownVersion,
+			@DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime,
+			@QueryParam("pluginId") String pluginId,
+			@DefaultValue("") @QueryParam("clusterName") String clusterName,
+			@Context HttpServletRequest request) throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated("
+					+ serviceName + ", " + lastKnownVersion + ", "
+					+ lastActivationTime + ")");
 		}
 
 		ServicePolicies ret      = null;
@@ -2347,7 +2355,7 @@ public class ServiceREST {
 				httpCode = HttpServletResponse.SC_BAD_REQUEST;
 				logMsg = excp.getMessage();
 			} finally {
-				createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, request);
+				createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, request);
 				RangerPerfTracer.log(perf);
 			}
 		}
@@ -2368,9 +2376,16 @@ public class ServiceREST {
 	@GET
 	@Path("/secure/policies/download/{serviceName}")
 	@Produces({ "application/json", "application/xml" })
-	public ServicePolicies getSecureServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName,@QueryParam("lastKnownVersion") Long lastKnownVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId,@Context HttpServletRequest request) throws Exception {
+	public ServicePolicies getSecureServicePoliciesIfUpdated(
+			@PathParam("serviceName") String serviceName,
+			@QueryParam("lastKnownVersion") Long lastKnownVersion,
+			@DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime,
+			@QueryParam("pluginId") String pluginId,
+			@DefaultValue("") @QueryParam("clusterName") String clusterName,
+			@Context HttpServletRequest request) throws Exception {
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> ServiceREST.getSecureServicePoliciesIfUpdated("+ serviceName + ", " + lastKnownVersion + ")");
+			LOG.debug("==> ServiceREST.getSecureServicePoliciesIfUpdated("
+					+ serviceName + ", " + lastKnownVersion + ")");
 		}
 		ServicePolicies ret = null;
 		int httpCode = HttpServletResponse.SC_OK;
@@ -2451,7 +2466,7 @@ public class ServiceREST {
 				httpCode = HttpServletResponse.SC_BAD_REQUEST;
 				logMsg = excp.getMessage();
 			} finally {
-				createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, request);
+				createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, request);
 				RangerPerfTracer.log(perf);
 			}
 		}
@@ -2467,7 +2482,7 @@ public class ServiceREST {
 		return ret;
 	}		
 
-	private void createPolicyDownloadAudit(String serviceName, Long lastKnownVersion, String pluginId, int httpRespCode, HttpServletRequest request) {
+	private void createPolicyDownloadAudit(String serviceName, Long lastKnownVersion, String pluginId, int httpRespCode, String clusterName, HttpServletRequest request) {
 		try {
 			String ipAddress = request.getHeader("X-FORWARDED-FOR");
 
@@ -2482,7 +2497,8 @@ public class ServiceREST {
 			policyExportAudit.setClientIP(ipAddress);
 			policyExportAudit.setRequestedEpoch(lastKnownVersion);
 			policyExportAudit.setHttpRetCode(httpRespCode);
-
+			policyExportAudit.setClusterName(clusterName);
+			
 			assetMgr.createPolicyAudit(policyExportAudit);
 		} catch(Exception excp) {
 			LOG.error("error while creating policy download audit", excp);
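Review bot: `clusterName` reaches `policyExportAudit.setClusterName(clusterName)` exactly as the caller sent it in the `clusterName` query parameter of `getServicePoliciesIfUpdated` and `getSecureServicePoliciesIfUpdated` (earlier hunks of this file), with no length or character check, while the column it lands in is 255 characters wide. A longer value will presumably make `assetMgr.createPolicyAudit` fail on databases that do not truncate, and the surrounding `catch(Exception excp)` only logs, so that policy download would leave no audit row. Bounding and cleaning the value before it is stored avoids this, e.g. `String safeCluster = clusterName == null ? "" : clusterName.replaceAll("\\p{Cntrl}", "");` followed by `policyExportAudit.setClusterName(safeCluster.length() > 255 ? safeCluster.substring(0, 255) : safeCluster);`. The value is also self-reported by the plugin, so a comment here should say that audit consumers must not treat it as a verified identity. The body of `createPolicyDownloadAudit` continues outside this hunk.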

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
index e8fff6a..8604bed 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
@@ -90,6 +90,8 @@ public class XAccessAuditService extends XAccessAuditServiceBase<XXAccessAudit,
 		searchFields.add(new SearchField("endDate", "obj.eventTime",
 				DATA_TYPE.DATE, SEARCH_TYPE.LESS_EQUAL_THAN));
 		searchFields.add(new SearchField("tags", "obj.tags", DATA_TYPE.STRING, SEARCH_TYPE.PARTIAL));
+		searchFields.add(new SearchField("cluster", "obj.cluster",
+				SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
 		sortFields.add(new SortField("eventTime", "obj.eventTime", true, SORT_ORDER.DESC));
 }
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditService.java b/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditService.java
index 870e45d..01c56e9 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditService.java
@@ -42,6 +42,8 @@ public class XPolicyExportAuditService extends XPolicyExportAuditServiceBase<XXP
 				SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
 		searchFields.add(new SearchField("repositoryName", "obj.repositoryName",
 				SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
+		searchFields.add(new SearchField("cluster", "obj.clusterName",
+				SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
 		searchFields.add(new SearchField("startDate", "obj.createTime",
 				DATA_TYPE.DATE, SEARCH_TYPE.GREATER_EQUAL_THAN));
 		searchFields.add(new SearchField("endDate", "obj.createTime",

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java
index e83d70a..a25cfc1 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java
@@ -49,6 +49,7 @@ public abstract class XPolicyExportAuditServiceBase<T extends XXPolicyExportAudi
 		mObj.setRepositoryName( vObj.getRepositoryName());
 		mObj.setExportedJson( vObj.getExportedJson());
 		mObj.setHttpRetCode( vObj.getHttpRetCode());
+		mObj.setClusterName( vObj.getClusterName());
 		return mObj;
 	}
 
@@ -62,6 +63,7 @@ public abstract class XPolicyExportAuditServiceBase<T extends XXPolicyExportAudi
 		vObj.setExportedJson( mObj.getExportedJson());
 		vObj.setHttpRetCode( mObj.getHttpRetCode());
 		vObj.setSyncStatus( MapUtil.getPolicyExportAuditSyncStatus(mObj.getHttpRetCode()));
+		vObj.setClusterName( mObj.getClusterName());
 		return vObj;
 	}
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
index 917c760..ac1eac4 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
@@ -115,6 +115,8 @@ public class SolrAccessAuditsService {
 				SEARCH_TYPE.LESS_EQUAL_THAN));
 
 		searchFields.add(new SearchField("tags", "tags", DATA_TYPE.STRING, SEARCH_TYPE.PARTIAL));
+		searchFields.add(new SearchField("cluster", "cluster",
+				SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
 
 		sortFields.add(new SortField("eventTime", "evtTime", true,
 				SORT_ORDER.DESC));
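Review bot: The new `cluster` search field spells the enums as `SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL` while the `tags` line directly above it uses the already-imported `DATA_TYPE.STRING, SEARCH_TYPE.PARTIAL`; the short form keeps the list uniform: `searchFields.add(new SearchField("cluster", "cluster", DATA_TYPE.STRING, SEARCH_TYPE.FULL));`. The same applies to the line added in `XAccessAuditService`, where the mapped attribute is `obj.cluster` although the policy-export service in this commit maps `obj.clusterName`; the `XXAccessAudit` entity is not visible here, so that attribute name should be confirmed against it. The enclosing method starts and ends outside this hunk.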
@@ -176,7 +178,12 @@ public class SolrAccessAuditsService {
 			// TODO: Converting ID to hashcode for now
 			accessAudit.setId((long) value.hashCode());
 		}
-
+		
+		value = doc.getFieldValue("cluster");
+		if (value != null) {
+			accessAudit.setClusterName(value.toString());
+		}
+		
 		value = doc.getFieldValue("access");
 		if (value != null) {
 			accessAudit.setAccessType(value.toString());

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
index a851c3e..fc58c7d 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
@@ -95,8 +95,7 @@ public class SolrUtil {
 			String dateFieldName = null;
 
 			for (SearchField searchField : searchFields) {
-				Object paramValue = searchCriteria.getParamValue(searchField
-						.getClientFieldName());
+				Object paramValue = searchCriteria.getParamValue(searchField.getClientFieldName());
 				if (paramValue == null || paramValue.toString().isEmpty()) {
 					continue;
 				}

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java b/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
index f99aa05..f6689c1 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
@@ -133,6 +133,8 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
 	
 	protected String tags;
 	
+	protected String clusterName;
+
 	/**
 	 * Default constructor. This will set all the attributes to default value.
 	 */
@@ -498,6 +500,20 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
 	public void setTags(String tags) {
 		this.tags = tags;
 	}
+	
+	/**
+	 * @return the clusterName
+	 */
+	public String getClusterName() {
+		return clusterName;
+	}
+	/**
+	 * @param clusterName
+	 *            the clusterName to set
+	 */
+	public void setClusterName(String clusterName) {
+		this.clusterName = clusterName;
+	}
 
 	@Override
 	public int getMyClassType( ) {
@@ -534,6 +550,7 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
 		str += "eventCount={" + eventCount + "}";
 		str += "eventDuration={" + eventDuration + "}";
 		str += "tags={" + tags + "}";
+		str += "clusterName={" + clusterName + "}";
 		str += "}";
 		return str;
 	}

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java b/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java
index 41322da..ce5a21e 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java
@@ -74,6 +74,8 @@ public class VXPolicyExportAudit extends VXDataObject implements java.io.Seriali
 	protected int httpRetCode;
 
 	protected String syncStatus;
+	
+	protected String clusterName;
 
 	/**
 	 * Default constructor. This will set all the attributes to default value.
@@ -209,6 +211,15 @@ public class VXPolicyExportAudit extends VXDataObject implements java.io.Seriali
 		this.syncStatus = syncStatus;
 	}
 
+	public String getClusterName() {
+		return clusterName;
+	}
+
+	public void setClusterName(String clusterName) {
+		this.clusterName = clusterName;
+	}
+
+
 	@Override
 	public int getMyClassType( ) {
 	    return AppConstants.CLASS_TYPE_XA_POLICY_EXPORT_AUDIT;
@@ -229,6 +240,7 @@ public class VXPolicyExportAudit extends VXDataObject implements java.io.Seriali
 		str += "exportedJson={" + exportedJson + "} ";
 		str += "httpRetCode={" + httpRetCode + "} ";
 		str += "syncStatus={" + syncStatus + "} ";
+		str += "clusterName={" + clusterName + "} ";
 		str += "}";
 		return str;
 	}

http://git-wip-us.apache.org/repos/asf/ranger/blob/1bd34894/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index 1551d86..3eda870 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -242,7 +242,7 @@ define(function(require) {
                 selectAndAddGroup               : 'Select and Add Group',
                 download                        : 'Download',
                 lastUpdate                      : 'Last Update',
-
+		clusterName                     : 'Cluster Name'
 			},
 			btn : {
 				add							: 'Add',
@@ -328,7 +328,8 @@ define(function(require) {
                 topic                       :'Kafka topic.',
                 type                        :'Policy for all type.',
                 udf                         :'Hive udf.',
-                pluginStatus                :'Plugin Status'
+                pluginStatus                :'Plugin Status',
+		clusterName                 :'Name of ambari cluster'
                         },
 			msg : {
 				deletePolicyValidationMsg : 'Policy does not have any settings for the specific resource. Policy will be deleted. Press [Ok] to continue. Press [Cancel] to edit the policy.',