You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by sn...@apache.org on 2015/05/18 00:12:23 UTC
incubator-ranger git commit: Revert "RANGER-246 - Kafka authorization
plugin"
Repository: incubator-ranger
Updated Branches:
refs/heads/master aff40741d -> 33ec87ec6
Revert "RANGER-246 - Kafka authorization plugin"
This reverts commit a5f8531a17558cfc75e2ad216816f272705898cf.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/33ec87ec
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/33ec87ec
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/33ec87ec
Branch: refs/heads/master
Commit: 33ec87ec660e447b16bce4d6181b4ed877c572c2
Parents: aff4074
Author: sneethiraj <sn...@apache.org>
Authored: Sun May 17 18:12:00 2015 -0400
Committer: sneethiraj <sn...@apache.org>
Committed: Sun May 17 18:12:00 2015 -0400
----------------------------------------------------------------------
.gitignore | 1 -
.../service-defs/ranger-servicedef-kafka.json | 12 +-
plugin-kafka/pom.xml | 103 +++++-----
.../kafka/authorizer/RangerKafkaAuthorizer.java | 201 +------------------
.../kafka/client/ServiceKafkaClient.java | 2 +
pom.xml | 11 +-
6 files changed, 71 insertions(+), 259 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/33ec87ec/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index 7f41f0c..dd4e2c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,3 @@
.project
/target/
winpkg/target
-.DS_Store
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/33ec87ec/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
index d19b10c..9928c5d 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
@@ -59,9 +59,15 @@
},
{
"itemId": 7,
- "name":"kafka_admin",
- "label":"Kafka Admin"
+ "name":"replicate",
+ "label":"Replicate"
+ },
+ {
+ "itemId": 8,
+ "name":"connect",
+ "label":"Connect"
}
+
],
"configs":[
{
@@ -91,7 +97,7 @@
"name":"commonNameForCertificate",
"type":"string",
"mandatory":false,
- "label":"Ranger Plugin SSL CName"
+ "label":"Common Name for Certificate"
}
],
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/33ec87ec/plugin-kafka/pom.xml
----------------------------------------------------------------------
diff --git a/plugin-kafka/pom.xml b/plugin-kafka/pom.xml
index afee47d..e9ea265 100644
--- a/plugin-kafka/pom.xml
+++ b/plugin-kafka/pom.xml
@@ -1,51 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
- license agreements. See the NOTICE file distributed with this work for additional
- information regarding copyright ownership. The ASF licenses this file to
- You under the Apache License, Version 2.0 (the "License"); you may not use
- this file except in compliance with the License. You may obtain a copy of
- the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
- by applicable law or agreed to in writing, software distributed under the
- License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
- OF ANY KIND, either express or implied. See the License for the specific
- language governing permissions and limitations under the License. -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>security_plugins.ranger-kafka-plugin</groupId>
- <artifactId>ranger-kafka-plugin</artifactId>
- <name>KAFKA Security Plugin</name>
- <description>KAFKA Security Plugin</description>
- <packaging>jar</packaging>
- <properties>
- <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- </properties>
- <parent>
- <groupId>org.apache.ranger</groupId>
- <artifactId>ranger</artifactId>
- <version>0.5.0</version>
- <relativePath>..</relativePath>
- </parent>
- <dependencies>
- <dependency>
- <groupId>security_plugins.ranger-plugins-common</groupId>
- <artifactId>ranger-plugins-common</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>security_plugins.ranger-plugins-audit</groupId>
- <artifactId>ranger-plugins-audit</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>credentialbuilder</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.kafka</groupId>
- <artifactId>kafka_2.10</artifactId>
- <version>${kafka.version}</version>
- </dependency>
- </dependencies>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>security_plugins.ranger-kafka-plugin</groupId>
+ <artifactId>ranger-kafka-plugin</artifactId>
+ <name>KAFKA Security Plugin</name>
+ <description>KAFKA Security Plugin</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.5.0</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>security_plugins.ranger-plugins-common</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>security_plugins.ranger-plugins-audit</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>credentialbuilder</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.kafka</groupId>
+ <artifactId>kafka_2.10</artifactId>
+ <version>${kafka.version}</version>
+ </dependency>
+ </dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/33ec87ec/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 4689957..40c2204 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -1,3 +1,4 @@
+
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
@@ -19,208 +20,14 @@
package org.apache.ranger.authorization.kafka.authorizer;
-import java.util.Date;
-
-import kafka.security.auth.Acl;
-import kafka.security.auth.Authorizer;
-import kafka.security.auth.KafkaPrincipal;
-import kafka.security.auth.Operation;
-import kafka.security.auth.Resource;
-import kafka.security.auth.ResourceType;
-import kafka.server.KafkaConfig;
-import kafka.network.RequestChannel.Session;
-
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.authorization.utils.StringUtil;
-import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
-
-import scala.collection.immutable.HashSet;
-import scala.collection.immutable.Set;
-
-public class RangerKafkaAuthorizer implements Authorizer {
- private static final Log logger = LogFactory
- .getLog(RangerKafkaAuthorizer.class);
-
- public static final String KEY_TOPIC = "topic";
- public static final String KEY_CLUSTER = "cluster";
- public static final String KEY_CONSUMER_GROUP = "consumer_group";
-
- public static final String ACCESS_TYPE_READ = "read";
- public static final String ACCESS_TYPE_WRITE = "write";
- public static final String ACCESS_TYPE_CREATE = "create";
- public static final String ACCESS_TYPE_DELETE = "delete";
- public static final String ACCESS_TYPE_ALTER = "alter";
- public static final String ACCESS_TYPE_DESCRIBE = "describe";
- public static final String ACCESS_TYPE_KAFKA_ADMIN = "kafka_admin";
-
- private static volatile RangerBasePlugin rangerPlugin = null;
-
- public RangerKafkaAuthorizer() {
- if (rangerPlugin == null) {
- rangerPlugin = new RangerBasePlugin("kafka", "kafka");
- }
- }
-
- /*
- * (non-Javadoc)
- *
- * @see kafka.security.auth.Authorizer#initialize(kafka.server.KafkaConfig)
- */
- @Override
- public void initialize(KafkaConfig kafkaConfig) {
- rangerPlugin.init();
- RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
-
- rangerPlugin.setResultProcessor(auditHandler);
- }
-
- // TODO: Fix this after Session is fixed
- // @Override
- public boolean authorize(Session session, Operation operation,
- Resource resource) {
-
- String userName = null;
- java.util.Set<String> userGroups = getGroupsForUser(userName);
- String ip = null;
- Date eventTime = StringUtil.getUTCDate();
- String accessType = mapToRangerAccessType(operation);
- if (accessType == null) {
- logger.fatal("Unsupported access type. session=" + session
- + ", operation=" + operation + ", resource=" + resource);
- return false;
- }
- String action = accessType;
-
- RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
- rangerRequest.setUser(userName);
- rangerRequest.setUserGroups(userGroups);
- rangerRequest.setClientIPAddress(ip);
- rangerRequest.setAccessTime(eventTime);
-
- RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
-
- if (resource.resourceType().equals(ResourceType.TOPIC)) {
- rangerResource.setValue(KEY_TOPIC, resource.name());
- } else if (resource.resourceType().equals(ResourceType.CLUSTER)) {
- rangerResource.setValue(KEY_CLUSTER, resource.name());
- } else if (resource.resourceType().equals(ResourceType.GROUP)) {
- rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name());
- } else {
- logger.fatal("Unsupported resourceType=" + resource.resourceType());
- return false;
- }
-
- rangerRequest.setResource(rangerResource);
- rangerRequest.setAccessType(accessType);
- rangerRequest.setAction(action);
- rangerRequest.setRequestData(resource.name());
-
- RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest);
- return result.getIsAllowed();
- }
-
- /*
- * (non-Javadoc)
- *
- * @see
- * kafka.security.auth.Authorizer#addAcls(scala.collection.immutable.Set,
- * kafka.security.auth.Resource)
- */
- @Override
- public void addAcls(Set<Acl> acls, Resource resource) {
- logger.error("addAcls() is not supported by Ranger for Kafka");
- }
-
- /*
- * (non-Javadoc)
- *
- * @see
- * kafka.security.auth.Authorizer#removeAcls(scala.collection.immutable.Set,
- * kafka.security.auth.Resource)
- */
- @Override
- public boolean removeAcls(Set<Acl> acls, Resource resource) {
- logger.error("removeAcls() is not supported by Ranger for Kafka");
- return false;
- }
-
- /*
- * (non-Javadoc)
- *
- * @see
- * kafka.security.auth.Authorizer#removeAcls(kafka.security.auth.Resource)
- */
- @Override
- public boolean removeAcls(Resource resource) {
- logger.error("removeAcls() is not supported by Ranger for Kafka");
- return false;
- }
-
- /*
- * (non-Javadoc)
- *
- * @see kafka.security.auth.Authorizer#getAcls(kafka.security.auth.Resource)
- */
- @Override
- public Set<Acl> getAcls(Resource resource) {
- Set<Acl> aclList = new HashSet<Acl>();
- logger.error("getAcls() is not supported by Ranger for Kafka");
- return aclList;
- }
+public class RangerKafkaAuthorizer /*KafkaAuthorizationPlugin*/ {
- /*
- * (non-Javadoc)
- *
- * @see
- * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal
- * )
- */
- @Override
- public Set<Acl> getAcls(KafkaPrincipal principal) {
- Set<Acl> aclList = new HashSet<Acl>();
- logger.error("getAcls() is not supported by Ranger for Kafka");
- return aclList;
- }
+ private static final Log LOG = LogFactory.getLog(RangerKafkaAuthorizer.class);
- /**
- * @param userName
- * @return
- */
- private java.util.Set<String> getGroupsForUser(String userName) {
- if (userName == null) {
- return null;
- }
+ //private static volatile RangerKafkaPlugin kafkaPlugin = null;
- // TODO: Need to implement this method
- return null;
- }
- /**
- * @param operation
- * @return
- */
- private String mapToRangerAccessType(Operation operation) {
- if (operation.equals(Operation.READ)) {
- return ACCESS_TYPE_READ;
- } else if (operation.equals(Operation.WRITE)) {
- return ACCESS_TYPE_WRITE;
- } else if (operation.equals(Operation.CREATE)) {
- return ACCESS_TYPE_CREATE;
- } else if (operation.equals(Operation.DELETE)) {
- return ACCESS_TYPE_DELETE;
- } else if (operation.equals(Operation.ALTER)) {
- return ACCESS_TYPE_ALTER;
- } else if (operation.equals(Operation.DESCRIBE)) {
- return ACCESS_TYPE_DESCRIBE;
- } else if (operation.equals(Operation.CLUSTER_ACTION)) {
- return ACCESS_TYPE_KAFKA_ADMIN;
- }
- return null;
- }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/33ec87ec/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
index 5cca619..a62bd95 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
@@ -22,8 +22,10 @@ package org.apache.ranger.services.kafka.client;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
+import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/33ec87ec/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index d26fe5d..0b5608a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -87,8 +87,8 @@
<module>hive-agent</module>
<module>knox-agent</module>
<module>storm-agent</module>
+ <module>plugin-kafka</module>
<!-- <module>plugin-solr</module> -->
- <!-- <module>plugin-kafka</module> -->
<module>plugin-yarn</module>
<module>ranger_solrj</module>
<module>security-admin</module>
@@ -148,8 +148,7 @@
<jersey-bundle.version>1.17.1</jersey-bundle.version>
<jersey-client.version>2.6</jersey-client.version>
<junit.version>4.11</junit.version>
- <!-- <kafka.version>0.8.2.0</kafka.version> -->
- <kafka.version>0.8.2.2.3.0.0-1860</kafka.version>
+ <kafka.version>0.8.2.0</kafka.version>
<mockito.version>1.8.4</mockito.version>
<hamcrest-version>1.3</hamcrest-version>
<knox.gateway.version>0.5.0</knox.gateway.version>
@@ -225,12 +224,6 @@
<module>plugin-solr</module>
</modules>
</profile>
- <profile>
- <id>kafka-security</id>
- <modules>
- <module>plugin-kafka</module>
- </modules>
- </profile>
</profiles>
<distributionManagement>
<repository>