Posted to commits@ranger.apache.org by rm...@apache.org on 2021/06/02 06:24:10 UTC
[ranger] branch ranger-2.2 updated: RANGER-3294:AccessResult
attribute with isAudited as false not filtered in Ranger Audit Filter
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new e05098f RANGER-3294:AccessResult attribute with isAudited as false not filtered in Ranger Audit Filter
e05098f is described below
commit e05098fc9bb2a54b8713e5e4d9fc9e9c6bcb3655
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Tue Jun 1 13:40:44 2021 -0700
RANGER-3294:AccessResult attribute with isAudited as false not filtered in Ranger Audit Filter
---
.../hadoop/config/RangerPluginConfig.java | 10 +++++++
.../policyengine/RangerPolicyEngineImpl.java | 8 +++++
.../ranger/plugin/service/RangerBasePlugin.java | 5 ++++
.../authorization/hadoop/RangerHdfsAuthorizer.java | 4 ++-
.../ranger/services/hdfs/HDFSRangerTest.java | 35 +++++++++++-----------
.../services/hdfs/RangerHdfsAuthorizerTest.java | 6 +++-
.../resources/hdfs_version_3.0/hdfs-policies.json | 2 +-
.../src/test/resources/ranger-hdfs-security.xml | 8 +++++
.../yarn/authorizer/RangerYarnAuthorizer.java | 8 +++--
9 files changed, 62 insertions(+), 24 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index 7b34f77..3e35709 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -47,6 +47,7 @@ public class RangerPluginConfig extends RangerConfiguration {
private final boolean useForwardedIPAddress;
private final String[] trustedProxyAddresses;
private final String propertyPrefix;
+ private boolean isFallbackSupported;
private Set<String> auditExcludedUsers = Collections.emptySet();
private Set<String> auditExcludedGroups = Collections.emptySet();
private Set<String> auditExcludedRoles = Collections.emptySet();
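Review bot: `isFallbackSupported` is the only non-final field among the final configuration fields above it, and it is written later through the public `setIsFallbackSupported` (third hunk of this file) from plugin init code while being read on the authorization path by RangerPolicyEngineImpl; whether that write is visible to request threads depends on ordering outside this diff, so either declare it `private volatile boolean isFallbackSupported;` or document that it must be set before the engine serves requests. The field also has no comment; add `// true when a Ranger deny may still be overridden by the service's native check (e.g. Hadoop ACLs), so the engine must not treat the deny as final`. The accessor `getIsFallbackSupported()` in the third hunk departs from the boolean-getter convention this class already uses (`isUseForwardedIPAddress()` at the copy-constructor line), and `isFallbackSupported()` would match it.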
@@ -128,6 +129,7 @@ public class RangerPluginConfig extends RangerConfiguration {
this.clusterType = sourcePluginConfig.getClusterType();
this.useForwardedIPAddress = sourcePluginConfig.isUseForwardedIPAddress();
this.trustedProxyAddresses = sourcePluginConfig.getTrustedProxyAddresses();
+ this.isFallbackSupported = sourcePluginConfig.getIsFallbackSupported();
this.policyEngineOptions = sourcePluginConfig.getPolicyEngineOptions();
@@ -165,6 +167,14 @@ public class RangerPluginConfig extends RangerConfiguration {
return propertyPrefix;
}
+ public boolean getIsFallbackSupported() {
+ return isFallbackSupported;
+ }
+
+ public void setIsFallbackSupported(boolean isFallbackSupported) {
+ this.isFallbackSupported = isFallbackSupported;
+ }
+
public RangerPolicyEngineOptions getPolicyEngineOptions() {
return policyEngineOptions;
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index ecfc9ad..5ffd38f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -713,6 +713,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
} else if (isAllowedByTags) {
ret.setIsAllowed(true);
}
+ if (!ret.getIsAllowed() &&
+ !getIsFallbackSupported()) {
+ ret.setIsAccessDetermined(true);
+ }
}
if (ret.getIsAllowed()) {
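Review bot: The new check marks every non-allowed result as access-determined whenever fallback is off, but it carries no comment saying why and the condition is split across two lines for no reason; write it as `if (!ret.getIsAllowed() && !getIsFallbackSupported()) {` preceded by `// No native-ACL fallback: a non-allow from Ranger is final, so flag it as determined for downstream consumers such as the audit filter`. It runs after the tag/resource allow merge and does not consult whether `isAccessDetermined` was already set by an explicit deny, so if collapsing "no matching policy" and "explicitly denied" into one determined deny is intended, state that in the comment. The helper `getIsFallbackSupported()` added in the second hunk of this file walks `policyEngine.getPluginContext().getConfig()` on every evaluation and would read better as `isFallbackSupported()`. The enclosing method starts and ends outside the hunk.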
@@ -1175,6 +1179,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
+ private boolean getIsFallbackSupported() {
+ return policyEngine.getPluginContext().getConfig().getIsFallbackSupported();
+ }
+
private static class ServiceConfig {
private final Set<String> auditExcludedUsers;
private final Set<String> auditExcludedGroups;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 4d7fb6c..115a576 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -89,6 +89,7 @@ public class RangerBasePlugin {
setSuperUsersAndGroups(superUsers, superGroups);
setAuditExcludedUsersGroupsRoles(auditExcludeUsers, auditExcludeGroups, auditExcludeRoles);
+ setIsFallbackSupported(pluginConfig.getBoolean(pluginConfig.getPropertyPrefix() + ".is.fallback.supported", false));
RangerScriptExecutionContext.init(pluginConfig);
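Review bot: The new property `<prefix>.is.fallback.supported` read here is overridden for the HDFS and YARN plugins, which call `setIsFallbackSupported` with their own `add-hadoop-authorization`-style settings in this same commit (RangerHdfsAuthorizer and RangerYarnAuthorizer hunks), assuming their init runs after this base initialisation; for those services the key is dead and for every other plugin it is undocumented. Either drop the property and keep the plugin-specific calls, or document it alongside the other plugin-config properties and have the plugins override it only when their own property is explicitly set. The public `setIsFallbackSupported` added in the next hunk of this file has no Javadoc; add `/** Marks whether a deny from this plugin may still be overridden by the service's native authorization (e.g. Hadoop ACLs); controls whether the engine reports a deny as access-determined. */`. The enclosing initialisation code begins outside the hunk.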
@@ -166,6 +167,10 @@ public class RangerBasePlugin {
pluginConfig.setSuperUsersGroups(users, groups);
}
+ public void setIsFallbackSupported(boolean isFallbackSupported) {
+ pluginConfig.setIsFallbackSupported(isFallbackSupported);
+ }
+
public RangerServiceDef getServiceDef() {
RangerPolicyEngine policyEngine = this.policyEngine;
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 98a6431..bef6b17 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -835,7 +835,9 @@ class RangerHdfsPlugin extends RangerBasePlugin {
RangerHdfsPlugin.fileNameExtensionSeparator = config.get(RangerHdfsAuthorizer.RANGER_FILENAME_EXTENSION_SEPARATOR_PROP, RangerHdfsAuthorizer.DEFAULT_FILENAME_EXTENSION_SEPARATOR);
- this.hadoopAuthEnabled = config.getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT);
+ this.hadoopAuthEnabled = config.getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT);
+ config.setIsFallbackSupported(this.hadoopAuthEnabled);
+
this.optimizeSubAccessAuthEnabled = config.getBoolean(RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP, RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_DEFAULT);
this.randomizedWildcardPathName = RangerPathResourceMatcher.WILDCARD_ASTERISK + random + RangerPathResourceMatcher.WILDCARD_ASTERISK;
this.hadoopModuleName = config.get(RangerHadoopConstants.AUDITLOG_HADOOP_MODULE_ACL_NAME_PROP , RangerHadoopConstants.DEFAULT_HADOOP_MODULE_ACL_NAME);
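Review bot: `config.setIsFallbackSupported(this.hadoopAuthEnabled)` ties the engine's access-determined marking to `xasecure.add-hadoop-authorization` without explaining the link; add `// The engine needs to know whether a deny here is final or may still be overridden by HDFS ACLs (see RangerPolicyEngineImpl)`. The `this.hadoopAuthEnabled = ...` line is re-emitted with what appears to be a whitespace-only change, which only adds noise to the diff. The enclosing method starts and ends outside the hunk.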
diff --git a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java
index c5fe8a3..2c41465 100644
--- a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java
+++ b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java
@@ -34,10 +34,9 @@ import org.apache.hadoop.fs.RemoteIterator;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.hadoop.ipc.RemoteException;
+import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer;
-import org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException;
import org.junit.Assert;
/**
@@ -142,9 +141,9 @@ public class HDFSRangerTest {
try {
fs.append(file);
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
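Review bot: The replacement assertion `Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));` inside a `catch (AccessControlException ex)` no longer proves that Ranger produced the denial: with `xasecure.add-hadoop-authorization` set to true in ranger-hdfs-security.xml by this commit, the same exception type can come from the native HDFS permission check, so a regression in which Ranger silently allows and Hadoop denies would still pass. If the Ranger-specific exception is no longer observable at the client, assert on something that identifies the denying component (the exception message or the audit output) and comment which component is expected to deny. The same change is repeated in the later `fs.listFiles` and `fs.open` hunks of this file.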
@@ -224,9 +223,9 @@ public class HDFSRangerTest {
RemoteIterator<LocatedFileStatus> iter = fs.listFiles(file.getParent(), false);
Assert.assertTrue(iter.hasNext());
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
@@ -310,9 +309,9 @@ public class HDFSRangerTest {
try {
fs.open(file);
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
@@ -334,9 +333,9 @@ public class HDFSRangerTest {
try {
fs.open(file);
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
@@ -438,9 +437,9 @@ public class HDFSRangerTest {
try {
fs.open(file);
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
@@ -477,9 +476,9 @@ public class HDFSRangerTest {
try {
fs.open(file);
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
@@ -501,9 +500,9 @@ public class HDFSRangerTest {
try {
fs.open(file);
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
@@ -525,9 +524,9 @@ public class HDFSRangerTest {
try {
fs.open(file);
Assert.fail("Failure expected on an incorrect permission");
- } catch (RemoteException ex) {
+ } catch (AccessControlException ex) {
// expected
- Assert.assertTrue(RangerAccessControlException.class.getName().equals(ex.getClassName()));
+ Assert.assertTrue(AccessControlException.class.getName().equals(ex.getClass().getName()));
}
fs.close();
diff --git a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
index e96ea5c..66ba071 100644
--- a/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
+++ b/hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
@@ -197,6 +197,10 @@ public class RangerHdfsAuthorizerTest {
" <name>hdfs.version</name>\n" +
" <value>hdfs_version_3.0</value>\n" +
" </property>\n" +
+ " <property>\n" +
+ " <name>xasecure.add-hadoop-authorization</name>\n" +
+ " <value>true</value>\n" +
+ " </property>\n" +
"</configuration>\n");
}
@@ -206,7 +210,7 @@ public class RangerHdfsAuthorizerTest {
Assert.fail("Cannot create hdfs-version-site file:[" + exception.getMessage() + "]");
}
- AccessControlEnforcer accessControlEnforcer = Mockito.mock(AccessControlEnforcer.class);
+ AccessControlEnforcer accessControlEnforcer = null;
rangerControlEnforcer = authorizer.getExternalAccessControlEnforcer(accessControlEnforcer);
}
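Review bot: Replacing the mocked `AccessControlEnforcer` with `null` while the first hunk of this file turns on `xasecure.add-hadoop-authorization` in the generated config means any test path that falls back to the default enforcer would now dereference null instead of exercising the fallback, unless `getExternalAccessControlEnforcer` or the Ranger enforcer guards a null default, which this diff does not show. Keep the mock (or a stub that records whether it was called) so the fallback branch is observable, or add a comment stating why null is safe here. The enclosing setup method begins outside the hunk.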
diff --git a/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json b/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json
index a3fd968..ba36c8c 100644
--- a/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json
+++ b/hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json
@@ -240,7 +240,7 @@
"/tmp/tmpdir4", "/tmp/tmpdir5"
],
"isExcludes": false,
- "isRecursive": false
+ "isRecursive": true
}
},
"policyItems": [],
diff --git a/hdfs-agent/src/test/resources/ranger-hdfs-security.xml b/hdfs-agent/src/test/resources/ranger-hdfs-security.xml
index 2c7f22f..f59e939 100644
--- a/hdfs-agent/src/test/resources/ranger-hdfs-security.xml
+++ b/hdfs-agent/src/test/resources/ranger-hdfs-security.xml
@@ -50,4 +50,12 @@
</description>
</property>
+ <property>
+ <name>xasecure.add-hadoop-authorization</name>
+ <value>true</value>
+ <description>
+ Enable fallback to Hadoop Acl
+ </description>
+ </property>
+
</configuration>
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index 1f96582..36fb7c0 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -36,6 +36,7 @@ import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.yarn.security.*;
import org.apache.hadoop.yarn.security.PrivilegedEntity.EntityType;
import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
@@ -86,9 +87,10 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
}
}
- this.yarnAuthEnabled = yarnPlugin.getConfig().getBoolean(RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT);
- this.yarnModuleName = yarnPlugin.getConfig().get(RangerHadoopConstants.AUDITLOG_YARN_MODULE_ACL_NAME_PROP , RangerHadoopConstants.DEFAULT_YARN_MODULE_ACL_NAME);
-
+ RangerPluginConfig pluginConfig = yarnPlugin.getConfig();
+ this.yarnAuthEnabled = pluginConfig.getBoolean(RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT);
+ this.yarnModuleName = pluginConfig.get(RangerHadoopConstants.AUDITLOG_YARN_MODULE_ACL_NAME_PROP, RangerHadoopConstants.DEFAULT_YARN_MODULE_ACL_NAME);
+ pluginConfig.setIsFallbackSupported(this.yarnAuthEnabled);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerYarnAuthorizer.init()");
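Review bot: `pluginConfig.setIsFallbackSupported(this.yarnAuthEnabled)` has no comment relating the YARN ACL fallback setting to the engine's behaviour; add `// The engine uses this to decide whether a Ranger deny is final or may still be overridden by YARN ACLs`. The call also silently overrides the `<prefix>.is.fallback.supported` property read in RangerBasePlugin, assuming this `init()` runs after the base plugin's initialisation. The enclosing `init()` starts before the hunk.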