You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by pr...@apache.org on 2021/11/30 16:37:37 UTC
[ranger] 01/02: RANGER-3518: Limit the query size stored in Audit logs
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit a7b527bbd0df8ba86eee7b3fdc65b470bbbc17fa
Author: Mahesh Bandal <ma...@gmail.com>
AuthorDate: Fri Nov 19 15:26:13 2021 +0530
RANGER-3518: Limit the query size stored in Audit logs
Signed-off-by: pradeep <pr...@apache.org>
---
.../hive/authorizer/RangerHiveAuditHandler.java | 20 ++++++++++++++-
.../hive/authorizer/RangerHiveAuthorizer.java | 30 +++++++++++-----------
2 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 5c04bdb..742aeca 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -26,6 +26,7 @@ import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
@@ -43,7 +44,9 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
public static final String ACCESS_TYPE_ROWFILTER = "ROW_FILTER";
public static final String ACTION_TYPE_METADATA_OPERATION = "METADATA OPERATION";
public static final String URL_RESOURCE_TYPE = "url";
-
+ public static final String CONF_AUDIT_QUERY_REQUEST_SIZE = "xasecure.audit.solr.limit.query.req.size";
+ public static final int DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE = Integer.MAX_VALUE;
+ private int requestQuerySize;
Collection<AuthzAuditEvent> auditEvents = null;
boolean deniedExists = false;
@@ -54,6 +57,13 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
public RangerHiveAuditHandler() {
super();
+ requestQuerySize = DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE;
+ }
+
+ public RangerHiveAuditHandler(Configuration config) {
+ super(config);
+ requestQuerySize = config.getInt(CONF_AUDIT_QUERY_REQUEST_SIZE, DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE);
+ requestQuerySize = (requestQuerySize < 1) ? DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE : requestQuerySize;
}
AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
@@ -67,6 +77,14 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
if (URL_RESOURCE_TYPE.equals(resourceType)) {
resourcePathComputed = getURLPathString(resource, resourcePathComputed);
}
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("requestQuerySize = " + requestQuerySize);
+ }
+ if (StringUtils.isNotBlank(request.getRequestData()) && request.getRequestData().length()>requestQuerySize) {
+ auditEvent.setRequestData(request.getRequestData().substring(0, requestQuerySize));
+ } else {
+ auditEvent.setRequestData(request.getRequestData());
+ }
auditEvent.setAccessType(accessType);
auditEvent.setResourcePath(resourcePathComputed);
auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2be4424..dc6e2eb 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -194,7 +194,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if(LOG.isDebugEnabled()) {
LOG.debug(" ==> RangerHiveAuthorizer.createRole()");
}
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
String currentUserName = getGrantorUsername(adminGrantor);
List<String> roleNames = Arrays.asList(roleName);
List<String> userNames = Arrays.asList(currentUserName);
@@ -237,7 +237,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
LOG.debug("RangerHiveAuthorizer.dropRole()");
}
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
UserGroupInformation ugi = getCurrentUserGroupInfo();
boolean result = false;
@@ -284,7 +284,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
List<String> ret = new ArrayList<String>();
String user = ugi.getShortUserName();
List<String> userNames = Arrays.asList(user);
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
try {
if (LOG.isDebugEnabled()) {
LOG.debug("<== getCurrentRoleNames() for user " + user);
@@ -349,7 +349,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
LOG.debug("==> RangerHiveAuthorizer.getAllRoles()");
}
List<String> ret = new ArrayList<>();
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
List<String> userNames = null;
boolean result = false;
@@ -407,7 +407,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
List<HiveRoleGrant> ret = new ArrayList<>();
List<String> roleNames = Arrays.asList(roleName);
List<String> userNames = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
boolean result = false;
if (hivePlugin == null) {
@@ -471,7 +471,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
List<HiveRoleGrant> ret = new ArrayList<>();
List<String> principalInfo = null;
List<String> userNames = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
boolean result = false;
if (hivePlugin == null) {
@@ -538,7 +538,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
LOG.debug("RangerHiveAuthorizerBase.grantRole()");
boolean result = false;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
String username = getGrantorUsername(grantorPrinc);
List<String> principals = new ArrayList<>();
try {
@@ -615,7 +615,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
boolean result = false;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
String grantorUserName = getGrantorUsername(grantorPrinc);
List<String> principals = new ArrayList<>();
@@ -714,7 +714,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
}
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
try {
List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
@@ -755,7 +755,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
}
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
try {
List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
@@ -796,7 +796,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
throw new HiveAccessControlException("Permission denied: user information not available");
}
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
RangerPerfTracer perf = null;
@@ -1125,7 +1125,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
RangerPerfTracer perf = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.filterListCmdObjects()");
@@ -1341,7 +1341,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
String ret = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
try {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
@@ -1382,7 +1382,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
boolean ret = false;
String columnTransformer = columnName;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
try {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
@@ -3014,7 +3014,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
try {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user + ", userGroups: " + groups);