Posted to commits@ranger.apache.org by pr...@apache.org on 2021/11/30 16:37:36 UTC

[ranger] branch master updated (fe97016 -> bb9b3cd)

This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git.


    from fe97016  RANGER-3526: policy evaluation ordering to use name as secondary sorting key - #2
     new a7b527b  RANGER-3518: Limit the query size stored in Audit logs
     new bb9b3cd  RANGER-3528 : Ranger Group creation audit is not shown during service creation

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../hive/authorizer/RangerHiveAuditHandler.java    | 20 ++++++++++++++-
 .../hive/authorizer/RangerHiveAuthorizer.java      | 30 +++++++++++-----------
 .../java/org/apache/ranger/biz/ServiceDBStore.java |  4 ++-
 3 files changed, 37 insertions(+), 17 deletions(-)

[ranger] 02/02: RANGER-3528 : Ranger Group creation audit is not shown during service creation

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit bb9b3cd14d5ebdb5381ca4a03db27b469c2277e1
Author: mateenmansoori <ma...@gmail.com>
AuthorDate: Tue Nov 30 18:16:33 2021 +0530

    RANGER-3528 : Ranger Group creation audit is not shown during service creation
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../src/main/java/org/apache/ranger/biz/ServiceDBStore.java           | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index cb57b99..59acd52 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -3430,7 +3430,9 @@ public class ServiceDBStore extends AbstractServiceStore {
 					vXGroup.setDescription(policyGroup);
 					vXGroup.setGroupSource(RangerCommonEnums.GROUP_INTERNAL);
 					vXGroup.setIsVisible(RangerCommonEnums.IS_VISIBLE);
-					xGroupService.createResource(vXGroup);
+					VXGroup createdVXGrp = xGroupService.createResource(vXGroup);
+					List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(createdVXGrp, "create");
+					bizUtil.createTrxLog(trxLogList);
 				}
 			}
 		}
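Review bot: The two new audit lines assume `xGroupService.createResource(vXGroup)` returns a non-null VXGroup; if it can return null for a failed insert (not visible in this hunk), `xGroupService.getTransactionLog(createdVXGrp, "create")` would most likely fail with a NullPointerException and abort service creation because of audit bookkeeping, which is a worse outcome than the missing audit this commit fixes. Wrap the two log lines in `if (createdVXGrp != null) { ... }` so the create is recorded in the normal case and service creation is not taken down by the audit path. The `"create"` literal is also a good candidate for an existing constant if the project has one for transaction-log actions. The enclosing method starts before this hunk and continues after it.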

[ranger] 01/02: RANGER-3518: Limit the query size stored in Audit logs

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit a7b527bbd0df8ba86eee7b3fdc65b470bbbc17fa
Author: Mahesh Bandal <ma...@gmail.com>
AuthorDate: Fri Nov 19 15:26:13 2021 +0530

    RANGER-3518: Limit the query size stored in Audit logs
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../hive/authorizer/RangerHiveAuditHandler.java    | 20 ++++++++++++++-
 .../hive/authorizer/RangerHiveAuthorizer.java      | 30 +++++++++++-----------
 2 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 5c04bdb..742aeca 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -26,6 +26,7 @@ import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
@@ -43,7 +44,9 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 	public static final String  ACCESS_TYPE_ROWFILTER = "ROW_FILTER";
 	public static final String  ACTION_TYPE_METADATA_OPERATION = "METADATA OPERATION";
 	public static final String  URL_RESOURCE_TYPE = "url";
-
+	public static final String CONF_AUDIT_QUERY_REQUEST_SIZE = "xasecure.audit.solr.limit.query.req.size";
+	public static final int DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE = Integer.MAX_VALUE;
+	private int requestQuerySize;
 	Collection<AuthzAuditEvent> auditEvents  = null;
 	boolean                     deniedExists = false;
 
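Review bot: The property name `xasecure.audit.solr.limit.query.req.size` reads as a Solr-only setting, but as far as this commit shows the limit is applied in createAuditEvent to the event's requestData before it reaches any destination, so operators with HDFS or log4j sinks would not expect it to affect them. If the key cannot be renamed for compatibility, document the constant: `/** Max chars of request (query) text kept in every audit event, regardless of audit destination; values < 1 mean unlimited. */`. The field is assigned only in the constructors, so `private final int requestQuerySize;` would make the limit immutable once the handler is built.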
@@ -54,6 +57,13 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 
 	public RangerHiveAuditHandler() {
 		super();
+		requestQuerySize = DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE;
+	}
+
+	public RangerHiveAuditHandler(Configuration config) {
+		super(config);
+		requestQuerySize = config.getInt(CONF_AUDIT_QUERY_REQUEST_SIZE, DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE);
+		requestQuerySize = (requestQuerySize < 1) ? DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE : requestQuerySize;
 	}
 
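Review bot: `config.getInt(CONF_AUDIT_QUERY_REQUEST_SIZE, ...)` dereferences config with no null check, and the no-arg constructor above it keeps unlimited request data as the default, so any caller that still uses `new RangerHiveAuditHandler()` silently bypasses the limit; consider deprecating the no-arg form or adding a comment that it is unlimited by design. As I recall Hadoop's Configuration.getInt throws NumberFormatException for a non-numeric value, which here would surface on every authorization call rather than at startup; a `try { ... } catch (NumberFormatException e) { LOG.warn(...); requestQuerySize = DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE; }` around the read keeps a typo in the property from breaking authorization. Whether super(config) tolerates a null config is not visible from this hunk.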
 	AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
@@ -67,6 +77,14 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 		if (URL_RESOURCE_TYPE.equals(resourceType)) {
 			resourcePathComputed = getURLPathString(resource, resourcePathComputed);
 		}
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("requestQuerySize = " + requestQuerySize);
+		}
+		if (StringUtils.isNotBlank(request.getRequestData()) && request.getRequestData().length()>requestQuerySize) {
+			auditEvent.setRequestData(request.getRequestData().substring(0, requestQuerySize));
+		} else {
+			auditEvent.setRequestData(request.getRequestData());
+		}
 		auditEvent.setAccessType(accessType);
 		auditEvent.setResourcePath(resourcePathComputed);
 		auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release
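Review bot: The cut at `auditEvent.setRequestData(request.getRequestData().substring(0, requestQuerySize));` counts UTF-16 code units, so it can split a surrogate pair (leaving a lone surrogate that downstream encoders replace or reject) and it does not bound the byte size of the stored field for non-ASCII query text. It also drops the tail silently, so an analyst reading the audit cannot tell a truncated statement from a short one; if AuthzAuditEvent has a free-form field for this (not visible here), recording that truncation happened would help. The debug line `LOG.debug("requestQuerySize = " + requestQuerySize)` fires on every audit event and could be folded into the truncation branch. createAuditEvent's signature is above this hunk and its body continues below it; a surrogate-safe version of the truncation is sketched below.
```java
		String requestData = request.getRequestData();
		if (StringUtils.isNotBlank(requestData) && requestData.length() > requestQuerySize) {
			int cut = requestQuerySize;
			// never split a UTF-16 surrogate pair at the cut point
			if (Character.isHighSurrogate(requestData.charAt(cut - 1))) {
				cut--;
			}
			if (LOG.isDebugEnabled()) {
				LOG.debug("request data truncated to " + cut + " chars (limit " + requestQuerySize + ")");
			}
			requestData = requestData.substring(0, cut);
		}
		auditEvent.setRequestData(requestData);
		// … unchanged: accessType / resourcePath / resourceType …
```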
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2be4424..dc6e2eb 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -194,7 +194,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug(" ==> RangerHiveAuthorizer.createRole()");
 		}
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 		String currentUserName = getGrantorUsername(adminGrantor);
 		List<String> roleNames     = Arrays.asList(roleName);
 		List<String> userNames     = Arrays.asList(currentUserName);
@@ -237,7 +237,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			LOG.debug("RangerHiveAuthorizer.dropRole()");
 		}
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		UserGroupInformation ugi       = getCurrentUserGroupInfo();
 		boolean	             result    = false;
@@ -284,7 +284,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		List<String> ret = new ArrayList<String>();
 		String user = ugi.getShortUserName();
 		List<String> userNames = Arrays.asList(user);
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 		try {
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("<== getCurrentRoleNames() for user " + user);
@@ -349,7 +349,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			LOG.debug("==> RangerHiveAuthorizer.getAllRoles()");
 		}
 		List<String>           ret          = new ArrayList<>();
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 		List<String> 		   userNames    = null;
 		boolean	               result       = false;
 
@@ -407,7 +407,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		List<HiveRoleGrant>    ret          = new ArrayList<>();
 		List<String>	       roleNames    = Arrays.asList(roleName);
 		List<String>           userNames    = null;
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 		boolean	               result       = false;
 
 		if (hivePlugin == null) {
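Review bot: The guard `if (hivePlugin == null) {` is now unreachable in practice, because the new line `RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());` dereferences hivePlugin three lines earlier, so a null plugin raises a NullPointerException instead of taking whatever path the guarded block implements. Move the handler construction below the null-check block so the check runs first. The enclosing method starts before this hunk and continues after it.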
@@ -471,7 +471,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		List<HiveRoleGrant>     ret           = new ArrayList<>();
 		List<String> 			principalInfo = null;
 		List<String>            userNames     = null;
-		RangerHiveAuditHandler  auditHandler  = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler  auditHandler  = new RangerHiveAuditHandler(hivePlugin.getConfig());
 		boolean	       		    result        = false;
 
 		if (hivePlugin == null) {
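Review bot: Same ordering problem as in the previous hunk: `new RangerHiveAuditHandler(hivePlugin.getConfig())` runs before `if (hivePlugin == null) {`, so the null check can no longer trigger and a missing plugin surfaces as a NullPointerException from the constructor call. Declare `auditHandler` after the null-check block (or initialise it inside the try that follows) so the explicit check keeps its meaning. The enclosing method starts before this hunk and continues after it.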
@@ -538,7 +538,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		LOG.debug("RangerHiveAuthorizerBase.grantRole()");
 
 		boolean	               result       = false;
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 		String 				   username     = getGrantorUsername(grantorPrinc);
 		List<String> 		   principals   = new ArrayList<>();
 		try {
@@ -615,7 +615,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 
 		boolean result = false;
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		String 		  grantorUserName = getGrantorUsername(grantorPrinc);
 		List<String>  principals      = new ArrayList<>();
@@ -714,7 +714,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
 		}
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		try {
 			List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
@@ -755,7 +755,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
 		}
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		try {
 			List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
@@ -796,7 +796,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			throw new HiveAccessControlException("Permission denied: user information not available");
 		}
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		RangerPerfTracer perf = null;
 
@@ -1125,7 +1125,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 
 		RangerPerfTracer perf = null;
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
 			perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.filterListCmdObjects()");
@@ -1341,7 +1341,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 
 		String ret = null;
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		try {
 			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
@@ -1382,7 +1382,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		boolean ret = false;
 		String columnTransformer = columnName;
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 
 		try {
 			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
@@ -3014,7 +3014,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		String user = ugi.getShortUserName();
 		Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
 
-		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 		try {
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("==> RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user + ", userGroups: " + groups);