Posted to commits@ranger.apache.org by ve...@apache.org on 2015/05/29 16:16:35 UTC
incubator-ranger git commit: RANGER-510 : Client IP not getting
populated for KMS in audit
Repository: incubator-ranger
Updated Branches:
refs/heads/master f0a8931a8 -> dda7a165c
RANGER-510 : Client IP not getting populated for KMS in audit
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/dda7a165
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/dda7a165
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/dda7a165
Branch: refs/heads/master
Commit: dda7a165c5a7c80d13023c91a095a373a6dd3e70
Parents: f0a8931
Author: Gautam Borad <gb...@gmail.com>
Authored: Fri May 29 12:11:11 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Fri May 29 10:16:55 2015 -0400
----------------------------------------------------------------------
.../hadoop/crypto/key/kms/server/KMS.java | 68 ++++++++++----------
.../hadoop/crypto/key/kms/server/KMSACLs.java | 6 +-
.../kms/server/KeyAuthorizationKeyProvider.java | 5 +-
.../crypto/key/kms/server/TestKMSACLs.java | 11 ++--
.../kms/authorizer/RangerKmsAuthorizer.java | 30 +++------
5 files changed, 57 insertions(+), 63 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index 5575eab..404b710 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
+import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
@@ -39,6 +40,7 @@ import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@@ -74,13 +76,13 @@ public class KMS {
}
private void assertAccess(Type aclType, UserGroupInformation ugi,
- KMSOp operation) throws AccessControlException {
- KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null);
+ KMSOp operation, String clientIp) throws AccessControlException {
+ KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null, clientIp);
}
private void assertAccess(Type aclType, UserGroupInformation ugi,
- KMSOp operation, String key) throws AccessControlException {
- KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key);
+ KMSOp operation, String key, String clientIp) throws AccessControlException {
+ KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key, clientIp);
}
private static KeyProvider.KeyVersion removeKeyMaterial(
@@ -99,12 +101,12 @@ public class KMS {
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@SuppressWarnings("unchecked")
- public Response createKey(Map jsonKey) throws Exception {
+ public Response createKey(Map jsonKey, @Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
- KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
- assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name);
+ KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
+ assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name, request.getRemoteAddr());
String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
final String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
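Review bot: `request.getRemoteAddr()` in the new `assertAccess` call reports the address of the immediate TCP peer, so when the KMS is deployed behind a reverse proxy or load balancer the audit will record the proxy's address rather than the caller's; the same applies to every `request.getRemoteAddr()` call this commit adds in KMS.java. If proxied deployments are expected, the address should be taken from a forwarding header only when the peer is a configured, trusted proxy and otherwise fall back to `getRemoteAddr()`, never by trusting the header unconditionally — likely a follow-up, but a comment at this first use would record the limitation. Within `createKey` the address is also fetched three times (here and in the two following hunks); hoisting it once after the user lookup, `final String clientIp = request.getRemoteAddr();`, and passing `clientIp` to the two `assertAccess` calls and the `hasAccess` call keeps them consistent. `createKey`'s body continues outside the hunk.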
@@ -115,7 +117,7 @@ public class KMS {
jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
if (material != null) {
assertAccess(Type.SET_KEY_MATERIAL, user,
- KMSOp.CREATE_KEY, name);
+ KMSOp.CREATE_KEY, name, request.getRemoteAddr());
}
final KeyProvider.Options options = new KeyProvider.Options(
KMSWebApp.getConfiguration());
@@ -144,7 +146,7 @@ public class KMS {
kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
(material != null) + " Description:" + description);
- if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) {
+ if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
keyVersion = removeKeyMaterial(keyVersion);
}
Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -158,11 +160,11 @@ public class KMS {
@DELETE
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
- public Response deleteKey(@PathParam("name") final String name)
+ public Response deleteKey(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
- assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name);
+ assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name, request.getRemoteAddr());
KMSClientProvider.checkNotEmpty(name, "name");
user.doAs(new PrivilegedExceptionAction<Void>() {
@@ -184,16 +186,16 @@ public class KMS {
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response rolloverKey(@PathParam("name") final String name,
- Map jsonMaterial) throws Exception {
+ Map jsonMaterial, @Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
- assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
+ assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
KMSClientProvider.checkNotEmpty(name, "name");
final String material = (String)
jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
if (material != null) {
assertAccess(Type.SET_KEY_MATERIAL, user,
- KMSOp.ROLL_NEW_VERSION, name);
+ KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
}
KeyProvider.KeyVersion keyVersion = user.doAs(
@@ -212,7 +214,7 @@ public class KMS {
kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
(material != null) + " NewVersion:" + keyVersion.getVersionName());
- if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) {
+ if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
keyVersion = removeKeyMaterial(keyVersion);
}
Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -223,12 +225,12 @@ public class KMS {
@Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
- List<String> keyNamesList) throws Exception {
+ List<String> keyNamesList, @Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
final String[] keyNames = keyNamesList.toArray(
new String[keyNamesList.size()]);
- assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
+ assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA, request.getRemoteAddr());
KeyProvider.Metadata[] keysMeta = user.doAs(
new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
@@ -247,10 +249,10 @@ public class KMS {
@GET
@Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getKeyNames() throws Exception {
+ public Response getKeyNames(@Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
- assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS);
+ assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS, request.getRemoteAddr());
List<String> json = user.doAs(
new PrivilegedExceptionAction<List<String>>() {
@@ -267,21 +269,21 @@ public class KMS {
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
- public Response getKey(@PathParam("name") String name)
+ public Response getKey(@PathParam("name") String name, @Context HttpServletRequest request)
throws Exception {
- return getMetadata(name);
+ return getMetadata(name, request);
}
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
KMSRESTConstants.METADATA_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getMetadata(@PathParam("name") final String name)
+ public Response getMetadata(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
KMSWebApp.getAdminCallsMeter().mark();
- assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
+ assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name, request.getRemoteAddr());
KeyProvider.Metadata metadata = user.doAs(
new PrivilegedExceptionAction<KeyProvider.Metadata>() {
@@ -301,12 +303,12 @@ public class KMS {
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getCurrentVersion(@PathParam("name") final String name)
+ public Response getCurrentVersion(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
KMSWebApp.getKeyCallsMeter().mark();
- assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
+ assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name, request.getRemoteAddr());
KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() {
@@ -329,11 +331,11 @@ public class KMS {
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersion(
- @PathParam("versionName") final String versionName) throws Exception {
+ @PathParam("versionName") final String versionName, @Context HttpServletRequest request) throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(versionName, "versionName");
KMSWebApp.getKeyCallsMeter().mark();
- assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION);
+ assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION, request.getRemoteAddr());
KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() {
@@ -360,7 +362,7 @@ public class KMS {
@PathParam("name") final String name,
@QueryParam(KMSRESTConstants.EEK_OP) String edekOp,
@DefaultValue("1")
- @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys)
+ @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
@@ -368,7 +370,7 @@ public class KMS {
Object retJSON;
if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
- assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
+ assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name, request.getRemoteAddr());
final List<EncryptedKeyVersion> retEdeks =
new LinkedList<EncryptedKeyVersion>();
@@ -412,7 +414,7 @@ public class KMS {
public Response decryptEncryptedKey(
@PathParam("versionName") final String versionName,
@QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
- Map jsonPayload)
+ Map jsonPayload, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(versionName, "versionName");
@@ -425,7 +427,7 @@ public class KMS {
(String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
Object retJSON;
if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
- assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
+ assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName, request.getRemoteAddr());
KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
final byte[] iv = Base64.decodeBase64(ivStr);
KMSClientProvider.checkNotNull(encMaterialStr,
@@ -461,12 +463,12 @@ public class KMS {
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
KMSRESTConstants.VERSIONS_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getKeyVersions(@PathParam("name") final String name)
+ public Response getKeyVersions(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
KMSWebApp.getKeyCallsMeter().mark();
- assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
+ assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name, request.getRemoteAddr());
List<KeyVersion> ret = user.doAs(
new PrivilegedExceptionAction<List<KeyVersion>>() {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
index dc09709..ff2f6d9 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -195,7 +195,7 @@ public class KMSACLs implements Runnable, KeyACLs {
* @return true is user has access
*/
@Override
- public boolean hasAccess(Type type, UserGroupInformation ugi) {
+ public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
boolean access = acls.get(type).isUserAllowed(ugi);
if (access) {
AccessControlList blacklist = blacklistedAcls.get(type);
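Review bot: The Javadoc above the new `hasAccess` signature still ends at `@return true is user has access` and does not mention the new `clientIp` parameter, which in the lines visible here is not consulted by the ACL evaluation at all. Add `@param clientIp address of the remote caller; not used by the static ACL check, carried so that KeyACLs implementations that audit it receive the same value` after the existing `@param` lines, confirming first that the remainder of the method does not read it. The method body continues outside the hunk.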
@@ -206,9 +206,9 @@ public class KMSACLs implements Runnable, KeyACLs {
@Override
public void assertAccess(Type aclType,
- UserGroupInformation ugi, KMSOp operation, String key)
+ UserGroupInformation ugi, KMSOp operation, String key, String clientIp)
throws AccessControlException {
- if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) {
+ if (!KMSWebApp.getACLs().hasAccess(aclType, ugi, clientIp)) {
KMSWebApp.getUnauthorizedCallsMeter().mark();
KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
throw new AuthorizationException(String.format(
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
index 1e43dac..201ecbb 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
@@ -27,6 +27,7 @@ import java.util.Map;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp;
+import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
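Review bot: The new `import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;` appears unused: the `KeyACLs` declarations changed in the next hunk still spell out `KMSACLsType.Type`. Unless `Type` is referenced elsewhere in the file outside these hunks, either drop the import or shorten the two signatures to `Type aclType` so the file does not carry an unused-import warning.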
@@ -86,10 +87,10 @@ public class KeyAuthorizationKeyProvider extends KeyProviderCryptoExtension {
public void stopReloader();
- public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi);
+ public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi, String clientIp);
public void assertAccess(KMSACLsType.Type aclType, UserGroupInformation ugi,
- KMSOp operation, String key) throws AccessControlException;
+ KMSOp operation, String key, String clientIp) throws AccessControlException;
}
private final KeyProviderCryptoExtension provider;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
----------------------------------------------------------------------
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
index 12945d7..2e1cacc 100644
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
+++ b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
@@ -25,17 +25,19 @@ import org.junit.Test;
public class TestKMSACLs {
+ String ipAddress = "192.168.90.1";
+
@Test
public void testDefaults() {
KMSACLs acls = new KMSACLs(new Configuration(false));
for (Type type : Type.values()) {
Assert.assertTrue(acls.hasAccess(type,
- UserGroupInformation.createRemoteUser("foo")));
+ UserGroupInformation.createRemoteUser("foo"), ipAddress));
}
}
@Test
- public void testCustom() {
+ public void testCustom() {
Configuration conf = new Configuration(false);
for (Type type : Type.values()) {
conf.set(type.getAclConfigKey(), type.toString() + " ");
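Review bot: `String ipAddress = "192.168.90.1";` is a package-private mutable instance field holding a fixture constant; `private static final String IP_ADDRESS = "192.168.90.1";` states the intent and matches the usual test-fixture style. Because the address is not evaluated by `KMSACLs.hasAccess` in the code visible in this commit, the updated assertions only exercise that the new parameter is accepted; a short comment such as `// KMSACLs does not evaluate the client address; any value exercises the new signature` would tell the next reader why no IP-based assertion exists (confirm against the full `KMSACLs` before stating it).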
@@ -43,10 +45,9 @@ public class TestKMSACLs {
KMSACLs acls = new KMSACLs(conf);
for (Type type : Type.values()) {
Assert.assertTrue(acls.hasAccess(type,
- UserGroupInformation.createRemoteUser(type.toString())));
+ UserGroupInformation.createRemoteUser(type.toString()), ipAddress));
Assert.assertFalse(acls.hasAccess(type,
- UserGroupInformation.createRemoteUser("foo")));
+ UserGroupInformation.createRemoteUser("foo"), ipAddress));
}
}
-
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index eb2081d..3407a1d 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -20,6 +20,7 @@
package org.apache.ranger.authorization.kms.authorizer;
import java.net.InetAddress;
+import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
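Review bot: `import java.net.UnknownHostException;` is added here but nothing in this commit's hunks throws or catches it, and with `getRemoteIp()` removed in the last hunk the existing `import java.net.InetAddress;` (and presumably the Hadoop `Server` import that helper used) no longer has a visible user either. Unless they are referenced elsewhere in the file, these imports should be removed rather than left behind by the refactor.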
@@ -138,11 +139,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
* @return true is user has access
*/
@Override
- public boolean hasAccess(Type type, UserGroupInformation ugi) {
+ public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ")");
}
-
boolean ret = false;
RangerKMSPlugin plugin = kmsPlugin;
String rangerAccessType = getRangerAccessType(type);
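Review bot: The entry debug log `LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ")");` was not extended with the new `clientIp` argument, so the address handed to the authorizer cannot be correlated with a request when debugging; the same omission is in the key-scoped `hasAccess` and in `assertAccess` in the two later hunks of this file. Change it to `LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ", " + clientIp + ")");` and mirror the addition in the other two entry logs. `hasAccess`'s body continues outside the hunk.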
@@ -153,7 +153,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
if(plugin != null && ret) {
- RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi);
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result == null ? false : result.getIsAllowed();
}
@@ -165,11 +165,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
return ret;
}
- public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName) {
+ public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")");
}
-
boolean ret = false;
RangerKMSPlugin plugin = kmsPlugin;
String rangerAccessType = getRangerAccessType(type);
@@ -180,7 +179,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
if(plugin != null && ret) {
- RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi);
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result == null ? false : result.getIsAllowed();
}
@@ -193,13 +192,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
@Override
- public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key)
+ public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key, String clientIp)
throws AccessControlException {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key + ", " + ugi +", " + aclType + ")");
}
key = (key == null)?"":key;
- if (!hasAccess(aclType, ugi, key)) {
+ if (!hasAccess(aclType, ugi, key, clientIp)) {
KMSWebApp.getUnauthorizedCallsMeter().mark();
KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
throw new AuthorizationException(String.format(
@@ -217,7 +216,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
}
-
+
return true;
}
@@ -331,22 +330,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
class RangerKMSAccessRequest extends RangerAccessRequestImpl {
- public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi) {
+ public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi, String clientIp) {
super.setResource(new RangerKMSResource(keyName));
super.setAccessType(accessType);
super.setUser(ugi.getShortUserName());
super.setUserGroups(Sets.newHashSet(ugi.getGroupNames()));
super.setAccessTime(StringUtil.getUTCDate());
- super.setClientIPAddress(getRemoteIp());
+ super.setClientIPAddress(clientIp);
super.setAction(accessType);
}
-
- private static String getRemoteIp() {
- String ret = null ;
- InetAddress ip = Server.getRemoteIp() ;
- if (ip != null) {
- ret = ip.getHostAddress();
- }
- return ret ;
- }
}
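Review bot: `super.setClientIPAddress(clientIp);` now stores whatever the caller supplies, replacing the removed `getRemoteIp()` lookup that went through the Hadoop IPC `Server` (presumably the reason the address was missing for HTTP calls), but the constructor has no Javadoc saying where the value is expected to come from or whether null is acceptable. Add a Javadoc to the constructor with `@param clientIp remote address of the HTTP caller as reported by the servlet container; may be null when not available, in which case the audit record carries no client IP`, confirming that a null value is tolerated downstream before stating it.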