Posted to commits@ranger.apache.org by ma...@apache.org on 2016/09/26 22:34:23 UTC
incubator-ranger git commit: RANGER-1169: global audit settings
specified by Ranger configuration parameters should always be honored by the
plug-ins
Repository: incubator-ranger
Updated Branches:
refs/heads/master 74959da16 -> f2c3040a0
RANGER-1169: global audit settings specified by Ranger configuration parameters should always be honored by the plug-ins
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/f2c3040a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/f2c3040a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/f2c3040a
Branch: refs/heads/master
Commit: f2c3040a0af472cef1a41e13f5b15a34b31b0f04
Parents: 74959da
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Tue Sep 6 15:54:46 2016 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Sep 26 15:21:10 2016 -0700
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 13 ++++++-
.../policyengine/RangerPolicyRepository.java | 37 +++++---------------
.../ranger/plugin/service/RangerBasePlugin.java | 10 ------
.../hbase/AuthorizationSession.java | 27 +-------------
4 files changed, 21 insertions(+), 66 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f2c3040a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index e5e7e82..346453e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -184,7 +184,18 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public RangerAccessResult createAccessResult(RangerAccessRequest request) {
- return new RangerAccessResult(this.getServiceName(), policyRepository.getServiceDef(), request);
+ RangerAccessResult ret = new RangerAccessResult(this.getServiceName(), policyRepository.getServiceDef(), request);
+ switch (policyRepository.getAuditModeEnum()) {
+ case AUDIT_ALL:
+ ret.setIsAudited(true);
+ break;
+ case AUDIT_NONE:
+ ret.setIsAudited(false);
+ break;
+ default:
+ break;
+ }
+ return ret;
}
@Override
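Review bot: Nothing in `createAccessResult` keeps the global audit mode from being overwritten after the result is returned. `setIsAudited(...)` is called once at construction, and the `@@ -629,40 +630,18 @@` hunk in RangerPolicyRepository.java drops the mode check from `setAuditEnabledFromCache()`, which now calls `result.setIsAudited(auditInfo.getIsAudited())` on any cache hit. Whether callers skip that lookup and the policy evaluators once the flag is already set is not visible in this diff, so an AUDIT_ALL deployment could presumably still drop audit records if they do not. I would add a comment above the switch such as `// global audit mode wins: later evaluation must not change isAudited once it is set here`, plus a unit test that evaluates a request under AUDIT_ALL and AUDIT_NONE with a populated audit cache. The `default` branch would also read better with `// AUDIT_DEFAULT: leave isAudited for policy evaluation to decide`.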
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f2c3040a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 51cad3a..ad9b23d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -50,7 +50,7 @@ class RangerPolicyRepository {
private static final Log PERF_CONTEXTENRICHER_INIT_LOG = RangerPerfTracer.getPerfLogger("contextenricher.init");
- private enum AuditModeEnum {
+ enum AuditModeEnum {
AUDIT_ALL, AUDIT_NONE, AUDIT_DEFAULT
}
@@ -239,6 +239,7 @@ class RangerPolicyRepository {
return rowFilterResourceTrie == null || StringUtils.isEmpty(resourceStr) ? getRowFilterPolicyEvaluators() : getPolicyEvaluators(rowFilterResourceTrie, resource);
}
+ AuditModeEnum getAuditModeEnum() { return auditModeEnum; }
private List<RangerPolicyEvaluator> getPolicyEvaluators(Map<String, RangerResourceTrie> resourceTrie, RangerAccessResource resource) {
List<RangerPolicyEvaluator> ret = null;
@@ -629,40 +630,18 @@ class RangerPolicyRepository {
LOG.debug("==> RangerPolicyRepository.setAuditEnabledFromCache()");
}
- final boolean auditResult;
- final boolean foundInCache;
-
- switch (auditModeEnum) {
- case AUDIT_ALL:
- auditResult = true;
- foundInCache = true;
- break;
- case AUDIT_NONE:
- auditResult = false;
- foundInCache = true;
- break;
- default:
- AuditInfo auditInfo = accessAuditCache != null ? accessAuditCache.get(request.getResource().getAsString()) : null;
- if (auditInfo != null) {
- auditResult = auditInfo.getIsAudited();
- result.setAuditPolicyId(auditInfo.getAuditPolicyId());
- foundInCache = true;
- } else {
- auditResult = false;
- foundInCache = false;
- }
- break;
- }
+ final AuditInfo auditInfo = accessAuditCache != null ? accessAuditCache.get(request.getResource().getAsString()) : null;
- if (foundInCache) {
- result.setIsAudited(auditResult);
+ if (auditInfo != null) {
+ result.setIsAudited(auditInfo.getIsAudited());
+ result.setAuditPolicyId(auditInfo.getAuditPolicyId());
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyRepository.setAuditEnabledFromCache()");
+ LOG.debug("<== RangerPolicyRepository.setAuditEnabledFromCache():" + (auditInfo != null));
}
- return foundInCache;
+ return auditInfo != null;
}
void storeAuditEnabledInCache(RangerAccessRequest request, RangerAccessResult result) {
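Review bot: The cache lookup now dereferences `request.getResource()` in every audit mode, whereas the removed switch only reached it in the `default` branch. If `accessAuditCache` can be non-null under AUDIT_ALL or AUDIT_NONE and a request arrives without a resource, this line would throw instead of returning a result; neither condition can be confirmed from the hunk. Reading the resource first with `final RangerAccessResource res = request.getResource();` and doing the lookup only when `accessAuditCache != null && res != null` keeps the old tolerance. The method starts above the hunk, so its signature and any earlier null checks are not visible here.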
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f2c3040a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 8e984df..172cb2f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -291,16 +291,6 @@ public class RangerBasePlugin {
return null;
}
- public RangerAccessResult createAccessResult(RangerAccessRequest request) {
- RangerPolicyEngine policyEngine = this.policyEngine;
-
- if(policyEngine != null) {
- return policyEngine.createAccessResult(request);
- }
-
- return null;
- }
-
public void grantAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminRESTClient.grantAccess(" + request + ")");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f2c3040a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index 3c31c09..48b1b11 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -347,22 +347,7 @@ public class AuthorizationSession {
}
/**
- * Hand creates a result object and set it on the request for cases where we need not go to policy manager.
- * @return
- */
- AuthorizationSession knownPatternAllowedNotAudited(String reason) {
- _result = buildResult(true, false, reason);
- return this;
- }
-
- AuthorizationSession knownPatternDisallowedNotAudited(String reason) {
- _result = buildResult(false, false, reason);
-
- return this;
- }
-
- /**
- * This method could potentially null out an earlier audit handler -- which effectively would suppress audits.
+ * This method could potentially null out an earlier audit handler -- which effectively would suppress audits.
* @param anAuditHandler
* @return
*/
@@ -371,16 +356,6 @@ public class AuthorizationSession {
return this;
}
- RangerAccessResult buildResult(boolean allowed, boolean audited, String reason) {
- RangerAccessResult result = _authorizer.createAccessResult(_request);
- if (result != null) {
- result.setIsAllowed(allowed);
- result.setReason(reason);
- result.setIsAudited(audited);
- }
- return result;
- }
-
AuthorizationSession resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope scope) {
_resourceMatchingScope = scope;
return this;