Posted to commits@ranger.apache.org by ve...@apache.org on 2015/04/24 19:45:51 UTC
incubator-ranger git commit: RANGER-426 : Fix Ranger KMS policy not
matching the right resource name
Repository: incubator-ranger
Updated Branches:
refs/heads/master 214f51eff -> 20baa3f88
RANGER-426 : Fix Ranger KMS policy not matching the right resource name
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/20baa3f8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/20baa3f8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/20baa3f8
Branch: refs/heads/master
Commit: 20baa3f8886defa60411d30152977428b4de8b5f
Parents: 214f51e
Author: Gautam Borad <gb...@gmail.com>
Authored: Fri Apr 24 17:20:06 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Fri Apr 24 13:45:23 2015 -0400
----------------------------------------------------------------------
.../service-defs/ranger-servicedef-kms.json | 4 +-
.../kms/authorizer/RangerKmsAuthorizer.java | 55 ++++--
.../ranger/services/kms/client/KMSClient.java | 175 +++++++++----------
security-admin/scripts/db_setup.py | 2 +-
.../main/webapp/scripts/views/kms/KmsKeyForm.js | 1 -
5 files changed, 127 insertions(+), 110 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json
index f4174d8..e0a723b 100755
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json
@@ -9,9 +9,9 @@
"name": "keyname",
"type": "string",
"level": 1,
- "mandatory": false,
+ "mandatory": true,
"lookupSupported": true,
- "recursiveSupported": true,
+ "recursiveSupported": false,
"label": "Key Name",
"description": "Key Name"
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index d945201..1ba462a 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -1,4 +1,3 @@
-
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
@@ -46,6 +45,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.mortbay.log.Log;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
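Review bot: The added `import org.mortbay.log.Log;` is not used by any line visible in this commit — the new `hasAccess` and `assertAccess` code logs through the slf4j `LOG` field — and it ties the KMS plugin to Jetty's `org.mortbay` logging package. Unless a use exists outside the shown hunks, drop the import line; an unused import that drags in a third-party class is what a later Jetty upgrade or an import check will trip over.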
@@ -153,7 +153,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
if(plugin != null && ret) {
- RangerKMSAccessRequest request = new RangerKMSAccessRequest(rangerAccessType, ugi);
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result == null ? false : result.getIsAllowed();
}
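Review bot: The two-argument `hasAccess` now evaluates the policy with an empty key name (`new RangerKMSAccessRequest("", rangerAccessType, ugi)`), and the same commit makes `keyname` a mandatory, non-recursive resource in ranger-servicedef-kms.json, so whether any policy can match an empty `keyname` value is left to the policy engine and deserves a comment here stating the intended outcome for key-less operations. Since the three-argument `hasAccess` added in the next hunk repeats this method's blacklist-and-plugin logic line for line, the cleaner fix is to make this overload delegate: `return hasAccess(type, ugi, "");`. The enclosing method starts and ends outside the hunk.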
@@ -164,18 +164,49 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
return ret;
}
+
+ public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")");
+ }
+
+ boolean ret = false;
+ RangerKMSPlugin plugin = kmsPlugin;
+ String rangerAccessType = getRangerAccessType(type);
+ AccessControlList blacklist = blacklistedAcls.get(type);
+ ret = (blacklist == null) || !blacklist.isUserInList(ugi);
+ if(!ret){
+ LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
+ }
+
+ if(plugin != null && ret) {
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi);
+ RangerAccessResult result = plugin.isAccessAllowed(request);
+ ret = result == null ? false : result.getIsAllowed();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+ "): " + ret);
+ }
+
+ return ret;
+ }
@Override
public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key)
throws AccessControlException {
- if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) {
- KMSWebApp.getUnauthorizedCallsMeter().mark();
- KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
- throw new AuthorizationException(String.format(
- (key != null) ? UNAUTHORIZED_MSG_WITH_KEY
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key + ", " + ugi +", " + aclType + ")");
+ }
+ key = (key == null)?"":key;
+ if (!hasAccess(aclType, ugi, key)) {
+ KMSWebApp.getUnauthorizedCallsMeter().mark();
+ KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
+ throw new AuthorizationException(String.format(
+ (key != null) ? UNAUTHORIZED_MSG_WITH_KEY
: UNAUTHORIZED_MSG_WITHOUT_KEY,
- ugi.getShortUserName(), operation, key));
- }
+ ugi.getShortUserName(), operation, key));
+ }
}
@Override
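Review bot: In `assertAccess`, the normalisation `key = (key == null)?"":key;` on the new side makes the following `(key != null) ? UNAUTHORIZED_MSG_WITH_KEY : UNAUTHORIZED_MSG_WITHOUT_KEY` ternary always select the with-key message, and it also changes what `KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key)` records for key-less operations from `null` to an empty string. Keep the parameter untouched for the audit and message paths and normalise only the value handed to the policy check: `String keyName = (key == null) ? "" : key;` followed by `if (!hasAccess(aclType, ugi, keyName)) {`. Separately, the exit trace in the new `hasAccess` spells the class `RangerkmsAuthorizer` while the entry trace uses `RangerKmsAuthorizer`, and the blacklist message on the line `LOG.debug("Operation "+rangerAccessType+" blocked ...")` is the only debug call in that method not guarded by `LOG.isDebugEnabled()`.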
@@ -300,13 +331,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
class RangerKMSAccessRequest extends RangerAccessRequestImpl {
- public RangerKMSAccessRequest(String accessType, UserGroupInformation ugi) {
- super.setResource(new RangerKMSResource("kms"));
+ public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi) {
+ super.setResource(new RangerKMSResource(keyName));
super.setAccessType(accessType);
super.setUser(ugi.getShortUserName());
super.setUserGroups(Sets.newHashSet(ugi.getGroupNames()));
super.setAccessTime(StringUtil.getUTCDate());
- super.setClientIPAddress(getRemoteIp());
+ super.setClientIPAddress(getRemoteIp());
super.setAction(accessType);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 6c69196..60e9bd3 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -23,8 +23,6 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.concurrent.Callable;
-import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.apache.log4j.Logger;
@@ -72,93 +70,87 @@ public class KMSClient {
LOG.debug("Getting Kms Key list for keyNameMatching : " + keyNameMatching);
}
final String errMsg = errMessage;
-
- Callable<List<String>> kmsKeyListGetter = new Callable<List<String>>() {
- @Override
- public List<String> call() {
-
- List<String> lret = new ArrayList<String>();
- String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(Pattern.quote("${userName}"), username);
- String uri = provider + (provider.endsWith("/") ? keyLists : ("/" + keyLists));
-
- Client client = null ;
- ClientResponse response = null ;
+ List<String> lret = new ArrayList<String>();
+ String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(Pattern.quote("${userName}"), username);
+ String uri = provider + (provider.endsWith("/") ? keyLists : ("/" + keyLists));
+ Client client = null ;
+ ClientResponse response = null ;
- try {
- client = Client.create() ;
-
- WebResource webResource = client.resource(uri);
-
- response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("getKeyList():calling " + uri);
- }
-
- if (response != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getKeyList():response.getStatus()= " + response.getStatus());
- }
- if (response.getStatus() == 200) {
- String jsonString = response.getEntity(String.class);
- Gson gson = new GsonBuilder().setPrettyPrinting().create();
- @SuppressWarnings("unchecked")
- List<String> keys = gson.fromJson(jsonString, List.class) ;
- if (keys != null) {
- for ( String key : keys) {
- if ( existingKeyList != null && existingKeyList.contains(key)) {
- continue;
- }
- if (keyNameMatching == null || keyNameMatching.isEmpty() || key.startsWith(keyNameMatching)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getKeyList():Adding kmsKey " + key);
- }
- lret.add(key) ;
- }
+ try {
+ client = Client.create() ;
+
+ WebResource webResource = client.resource(uri);
+
+ response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getKeyList():calling " + uri);
+ }
+
+ if (response != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getKeyList():response.getStatus()= " + response.getStatus());
+ }
+ if (response.getStatus() == 200) {
+ String jsonString = response.getEntity(String.class);
+ Gson gson = new GsonBuilder().setPrettyPrinting().create();
+ @SuppressWarnings("unchecked")
+ List<String> keys = gson.fromJson(jsonString, List.class) ;
+ if (keys != null) {
+ for ( String key : keys) {
+ if ( existingKeyList != null && existingKeyList.contains(key)) {
+ continue;
+ }
+ if (keyNameMatching == null || keyNameMatching.isEmpty() || key.startsWith(keyNameMatching)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getKeyList():Adding kmsKey " + key);
+ }
+ lret.add(key) ;
}
- }
- }else if (response.getStatus() == 401) {
- LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list");
- return lret;
- }else if (response.getStatus() == 403) {
- LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list");
- return lret;
- }else {
- LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list");
- String jsonString = response.getEntity(String.class);
- LOG.info(jsonString);
- lret = null;
- }
- }else {
- String msgDesc = "Unable to get a valid response for "
- + "expected mime type : [" + EXPECTED_MIME_TYPE
- + "] URL : " + uri + " - got null response.";
- LOG.error(msgDesc);
- HadoopException hdpException = new HadoopException(msgDesc);
- hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null);
- throw hdpException;
- }
- } catch (HadoopException he) {
- throw he;
- }catch (Throwable t) {
- String msgDesc = "Exception while getting Kms Key List. URL : " + uri;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- } finally {
- if (response != null) {
- response.close();
- }
-
- if (client != null) {
- client.destroy();
- }
+ }
+ }
+ }else if (response.getStatus() == 401) {
+ LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list");
+ return lret;
+ }else if (response.getStatus() == 403) {
+ LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list");
+ return lret;
+ }else {
+ LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list");
+ String jsonString = response.getEntity(String.class);
+ LOG.info(jsonString);
+ lret = null;
}
- return lret ;
+ }else {
+ String msgDesc = "Unable to get a valid response for "
+ + "expected mime type : [" + EXPECTED_MIME_TYPE
+ + "] URL : " + uri + " - got null response.";
+ LOG.error(msgDesc);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
+ }
+ } catch (HadoopException he) {
+ lret = null;
+ throw he;
+ }catch (Throwable t) {
+ String msgDesc = "Exception while getting Kms Key List. URL : " + uri;
+ HadoopException hdpException = new HadoopException(msgDesc, t);
+ LOG.error(msgDesc, t);
+ hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
+ } finally {
+ if (response != null) {
+ response.close();
}
- } ;
- return null;
+
+ if (client != null) {
+ client.destroy();
+ }
+ }
+ return lret ;
}
public static HashMap<String, Object> testConnection(String serviceName, Map<String, String> configs) {
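Review bot: In the inlined `getKeyList` body, the 401 and 403 branches log "so returning null list" but `return lret`, which at that point is the empty `ArrayList` created before the request, so an authentication or authorization failure from the KMS endpoint is indistinguishable from a key store with no keys; the following hunk shows `testConnection` setting `connectivityStatus = true` for any non-null list from `getKmsKey`, so a rejected request would be reported as "TestConnection Successful". If the intent is what the message says, set `lret = null;` before those two returns as the generic non-200 branch does; otherwise correct the message. The `lret = null;` assignments placed just before `throw hdpException;` and `throw he;` in the catch blocks are dead, since the method exits by exception, and the same pattern (`resultList = null;` before each throw) appears in the later hunk of this file around `getKmsKey`; both can be removed.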
@@ -170,11 +162,9 @@ public class KMSClient {
KMSClient kmsClient = getKmsClient(serviceName, configs);
strList = getKmsKey(kmsClient, "", null);
-
if (strList != null) {
connectivityStatus = true;
}
-
if (connectivityStatus) {
String successMsg = "TestConnection Successful";
BaseClient.generateResponseDataMap(connectivityStatus, successMsg,
@@ -230,7 +220,7 @@ public class KMSClient {
}
if (keyName != null) {
- String finalkmsKeyName = (keyName == null) ? "": keyName.trim();
+ String finalkmsKeyName = keyName.trim();
resultList = kmsClient.getKeyList(finalkmsKeyName,existingKeyName);
if (resultList != null) {
if (LOG.isDebugEnabled()) {
@@ -239,19 +229,16 @@ public class KMSClient {
}
}
} catch (HadoopException he) {
+ resultList = null;
throw he;
} catch (Exception e) {
String msgDesc = "Unable to get a valid response from the provider";
LOG.error(msgDesc, e);
HadoopException hdpException = new HadoopException(msgDesc);
hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null);
+ resultList = null;
throw hdpException;
}
return resultList;
- }
-
- public static <T> T timedTask(Callable<T> callableObj, long timeout,
- TimeUnit timeUnit) throws Exception {
- return callableObj.call();
- }
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index 3e40505..16a5ff3 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -953,7 +953,7 @@ class SqlServerConf(BaseDB):
query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host)
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
- query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', now(), '%s@%s', now(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
ret = subprocess.call(query)
if ret == 0:
log("[I] java patch "+ className +" applied", "info")
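Review bot: The corrected WINDOWS branch still builds the `insert into x_db_version_h` statement by `%`-interpolating `version`, `db_user` and `xa_db_host` straight into the quoted SQL text, exactly as the non-Windows line above it does, so a value containing a single quote breaks or alters the statement before it reaches the `subprocess.call`. Where these values come from is outside the hunk (presumably the install properties), but since they land inside SQL string literals, escaping them once before formatting (`db_user.replace("'", "''")`, and likewise for `xa_db_host`) would keep the statement well-formed in both branches. The enclosing method starts outside the hunk.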
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/20baa3f8/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js
old mode 100644
new mode 100755
index f6ed100..25b2691
--- a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js
+++ b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyForm.js
@@ -84,7 +84,6 @@ define(function(require){
if(this.model.has('versions')){
this.fields.cipher.$el.show();
this.fields.length.$el.show();
- this.fields.material.$el.show();
this.fields.description.editor.$el.attr('disabled',true);
}
},