Posted to commits@ranger.apache.org by ma...@apache.org on 2018/06/29 14:38:23 UTC
ranger git commit: RANGER-2143: updated Atlas authorizer with addtion
of scrubSearchResults() method
Repository: ranger
Updated Branches:
refs/heads/master da29d1929 -> 3c18a99c2
RANGER-2143: updated Atlas authorizer with addition of scrubSearchResults() method
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3c18a99c
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3c18a99c
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3c18a99c
Branch: refs/heads/master
Commit: 3c18a99c2ca5b0a5302d0b646438be2990ee6c34
Parents: da29d19
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Jun 28 00:31:15 2018 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Jun 29 00:21:28 2018 -0700
----------------------------------------------------------------------
.../atlas/authorizer/RangerAtlasAuthorizer.java | 199 ++++++++++++-------
.../services/atlas/RangerServiceAtlas.java | 11 +-
pom.xml | 2 +-
.../atlas/authorizer/RangerAtlasAuthorizer.java | 20 ++
4 files changed, 158 insertions(+), 74 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 8d56f14..aa815b2 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -23,10 +23,15 @@ package org.apache.ranger.authorization.atlas.authorizer;
import org.apache.atlas.authorize.AtlasAdminAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
import org.apache.atlas.authorize.AtlasTypeAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizer;
import org.apache.atlas.authorize.AtlasPrivilege;
+import org.apache.atlas.model.discovery.AtlasSearchResult;
+import org.apache.atlas.model.instance.AtlasEntityHeader;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.audit.model.AuthzAuditEvent;
@@ -37,8 +42,8 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerPerfTracer;
+import org.apache.ranger.services.atlas.RangerServiceAtlas;
-import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_READ_CLASSIFICATION;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_CATEGORY;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_NAME;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_TYPE;
@@ -130,7 +135,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
LOG.debug("==> isAccessAllowed(" + request + ")");
}
- boolean ret = false;
+ boolean ret = true;
RangerPerfTracer perf = null;
RangerAtlasAuditHandler auditHandler = null;
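Review bot: `boolean ret = true;` at the start of this hunk reads as allow-by-default and differs from the `boolean ret = false;` convention used by checkAccess further down in the file; the same initializer appears again in the new private isAccessAllowed overload in a later hunk. Every non-throwing path does assign ret from a checkAccess result before returning, so this is not a fail-open today, but initializing to `false` keeps a future early return or added branch from silently granting access. Suggested: `boolean ret = false;` in both places. The enclosing method's signature and return are outside this hunk.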
@@ -144,81 +149,15 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
auditHandler = new RangerAtlasAuditHandler(request, getServiceDef());
}
- final String action = request.getAction() != null ? request.getAction().getType() : null;
- final Set<String> entityTypes = request.getEntityTypeAndAllSuperTypes();
- final String entityId = request.getEntityId();
- final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null;
- final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
-
- rangerRequest.setAccessType(action);
- rangerRequest.setAction(action);
- rangerRequest.setUser(request.getUser());
- rangerRequest.setUserGroups(request.getUserGroups());
- rangerRequest.setClientIPAddress(request.getClientIPAddress());
- rangerRequest.setAccessTime(request.getAccessTime());
- rangerRequest.setClusterName(getClusterName());
-
- final Set<String> classificationsToAuthorize;
-
- if (classification != null) {
- if (request.getEntityClassifications() == null) {
- classificationsToAuthorize = Collections.singleton(classification);
- } else {
- classificationsToAuthorize = new HashSet<>(request.getEntityClassifications());
-
- classificationsToAuthorize.add(classification);
- }
- } else {
- classificationsToAuthorize = request.getEntityClassifications();
- }
-
- // authorize entity access, without considering authorization on entities classification
- RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
-
- rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
- rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, Collections.<String>emptySet());
- rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
-
- rangerRequest.setResource(rangerResource);
-
- ret = checkAccess(rangerRequest, auditHandler);
-
-
- if (ret && CollectionUtils.isNotEmpty(classificationsToAuthorize)) {
- final AtlasPrivilege classificationPrivilege = ENTITY_READ_CLASSIFICATION;
-
- rangerRequest.setAccessType(classificationPrivilege.getType());
- rangerRequest.setAction(rangerRequest.getAccessType());
-
- // check authorization for each classification
- for (String classificationToAuthorize : classificationsToAuthorize) {
- rangerResource = new RangerAccessResourceImpl();
-
- rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
- rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
- rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
-
- rangerRequest.setResource(rangerResource);
-
- ret = checkAccess(rangerRequest, auditHandler);
-
- if (!ret) {
- break;
- }
- }
- }
-
+ ret = isAccessAllowed(request, auditHandler);
} finally {
- if(auditHandler!=null) {
- auditHandler.flushAudit();
- }
-
RangerPerfTracer.log(perf);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
}
+
return ret;
}
@@ -264,6 +203,49 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
return ret;
}
+ @Override
+ public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> scrubSearchResults(" + request + ")");
+ }
+
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.scrubSearchResults(" + request + ")");
+ }
+
+ final AtlasSearchResult result = request.getSearchResult();
+
+ if (CollectionUtils.isNotEmpty(result.getEntities())) {
+ for (AtlasEntityHeader entity : result.getEntities()) {
+ checkAccessAndScrub(entity, request);
+ }
+ }
+
+ if (CollectionUtils.isNotEmpty(result.getFullTextResult())) {
+ for (AtlasSearchResult.AtlasFullTextResult fullTextResult : result.getFullTextResult()) {
+ if (fullTextResult != null) {
+ checkAccessAndScrub(fullTextResult.getEntity(), request);
+ }
+ }
+ }
+
+ if (MapUtils.isNotEmpty(result.getReferredEntities())) {
+ for (AtlasEntityHeader entity : result.getReferredEntities().values()) {
+ checkAccessAndScrub(entity, request);
+ }
+ }
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== scrubSearchResults(): " + request);
+ }
+ }
+
private String getClusterName() {
RangerBasePlugin plugin = atlasPlugin;
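Review bot: `request.getSearchResult()` is dereferenced without a null check, so a scrub request carrying no result (or a null request) fails with a NullPointerException inside the try block, even though checkAccessAndScrub later in the file guards both `entity` and `request`. Whether getSearchResult() can return null is not visible here, but the guard is cheap: `final AtlasSearchResult result = request != null ? request.getSearchResult() : null;` followed by `if (result != null) { … }` around the three loops. A short Javadoc would also help callers, stating that every entity header in entities, fullTextResult and referredEntities is checked for ENTITY_READ and passed to scrubEntityHeader when denied; scrubEntityHeader is outside this hunk, so whether the result is modified in place or copied should be confirmed and stated there.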
@@ -276,6 +258,71 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
return plugin != null ? plugin.getServiceDef() : null;
}
+ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAuditHandler auditHandler) throws AtlasAuthorizationException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> isAccessAllowed(" + request + ")");
+ }
+
+ boolean ret = true;
+
+ try {
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+ final Set<String> entityTypes = request.getEntityTypeAndAllSuperTypes();
+ final String entityId = request.getEntityId();
+ final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null;
+ final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
+ final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
+
+ rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
+ rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
+
+ rangerRequest.setAccessType(action);
+ rangerRequest.setAction(action);
+ rangerRequest.setUser(request.getUser());
+ rangerRequest.setUserGroups(request.getUserGroups());
+ rangerRequest.setClientIPAddress(request.getClientIPAddress());
+ rangerRequest.setAccessTime(request.getAccessTime());
+ rangerRequest.setClusterName(getClusterName());
+ rangerRequest.setResource(rangerResource);
+
+ if (StringUtils.isNotEmpty(classification)) {
+ rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classification));
+
+ ret = checkAccess(rangerRequest, auditHandler);
+ }
+
+ if (ret) {
+ if (CollectionUtils.isNotEmpty(request.getEntityClassifications())) {
+ // check authorization for each classification
+ for (String classificationToAuthorize : request.getEntityClassifications()) {
+ rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+
+ ret = checkAccess(rangerRequest, auditHandler);
+
+ if (!ret) {
+ break;
+ }
+ }
+ } else {
+ rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, RangerServiceAtlas.ENTITY_NOT_CLASSIFIED);
+
+ ret = checkAccess(rangerRequest, auditHandler);
+ }
+ }
+
+ } finally {
+ if(auditHandler != null) {
+ auditHandler.flushAudit();
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
+ }
+
+ return ret;
+ }
+
private boolean checkAccess(RangerAccessRequestImpl request) {
boolean ret = false;
RangerBasePlugin plugin = atlasPlugin;
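Review bot: A single `rangerResource` instance is now mutated between successive `checkAccess` calls (RESOURCE_ENTITY_CLASSIFICATION is overwritten for the requested classification, for each entity classification, and for ENTITY_NOT_CLASSIFIED) while `auditHandler` is flushed only in the finally block; the code this replaces built a fresh RangerAccessResourceImpl per classification. If the audit handler or policy engine retains a reference to the resource rather than copying its values when each result is processed, the events written by flushAudit() would all show the last classification evaluated; worth confirming against RangerAtlasAuditHandler, otherwise re-creating the resource inside the loop as before is the safe option. The method also has no Javadoc; a header along the lines of "Access is granted only if every classification evaluated — the one named in the request, if any, and each classification already on the entity — is allowed; an entity with no classifications is evaluated once against RangerServiceAtlas.ENTITY_NOT_CLASSIFIED" would document the deny-if-any-denied semantics the loop implements.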
@@ -306,6 +353,18 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
return ret;
}
+ private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
+ if (entity != null && request != null) {
+ final AtlasEntityAccessRequest entityAccessRequest = new AtlasEntityAccessRequest(request.getTypeRegistry(), AtlasPrivilege.ENTITY_READ, entity, request.getUser(), request.getUserGroups());
+
+ entityAccessRequest.setClientIPAddress(request.getClientIPAddress());
+
+ if (!isAccessAllowed(entityAccessRequest, null)) {
+ scrubEntityHeader(entity);
+ }
+ }
+ }
+
class RangerAtlasPlugin extends RangerBasePlugin {
RangerAtlasPlugin() {
super("atlas", "atlas");
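Review bot: `isAccessAllowed(entityAccessRequest, null)` deliberately passes no audit handler, so entities scrubbed from search results leave no audit record of the denial, unlike the direct access path. If that is intended (avoiding one audit event per search hit), a one-line comment should say so, e.g. `// no audit handler: search scrubbing is result filtering, denials are not audited`; if it is not intended, a handler built for the entity request and flushed after the check would make scrubbed reads visible in the audit log. The two-argument checkAccess that ultimately receives this null handler is outside this hunk, so its tolerance of a null handler should be confirmed.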
http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index aba4b8c..d4c196e 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -60,6 +60,7 @@ public class RangerServiceAtlas extends RangerBaseService {
public static final String CONFIG_REST_ADDRESS = "atlas.rest.address";
public static final String CONFIG_USERNAME = "username";
public static final String CONFIG_PASSWORD = "password";
+ public static final String ENTITY_NOT_CLASSIFIED = "_NOT_CLASSIFIED";
private static final String TYPE_ENTITY = "entity";
private static final String TYPE_CLASSIFICATION = "classification";
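Review bot: `ENTITY_NOT_CLASSIFIED = "_NOT_CLASSIFIED"` acts as a sentinel classification value in policies, but nothing visible here prevents a real Atlas classification from being named `_NOT_CLASSIFIED`; if Atlas type-name validation allows it, a policy granting that value would apply both to unclassified entities and to entities carrying the look-alike type. A Javadoc on the constant stating its role, `/** Sentinel classification value used in policies to match entities that carry no classification. */`, and, where feasible, rejecting that name in the type system or service definition, would remove the ambiguity. The enclosing class continues outside this hunk.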
@@ -501,12 +502,16 @@ public class RangerServiceAtlas extends RangerBaseService {
}
void addIfStartsWithAndNotExcluded(List<String> list, List<String> values, String prefix, List<String> excludeList) {
- if (values == null || list == null) {
+ if (list == null) {
return;
}
- for (String value : values) {
- addIfStartsWithAndNotExcluded(list, value, prefix, excludeList);
+ if (values == null) {
+ addIfStartsWithAndNotExcluded(list, ENTITY_NOT_CLASSIFIED, prefix, excludeList);
+ } else {
+ for (String value : values) {
+ addIfStartsWithAndNotExcluded(list, value, prefix, excludeList);
+ }
}
}
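Review bot: The new branch substitutes ENTITY_NOT_CLASSIFIED only when `values` is null, whereas the authorizer in RangerAtlasAuthorizer treats an empty classification list the same as none (CollectionUtils.isNotEmpty). If `values` here is an entity's classification list, an empty list yields nothing and policy authors are never offered `_NOT_CLASSIFIED` for such entities; `if (values == null || values.isEmpty())` would align the two. The enclosing class continues outside this hunk.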
http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 0795210..f18e6bc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -127,7 +127,7 @@
<apacheds.version>2.0.0-M22</apacheds.version>
<asm.all.version>3.2</asm.all.version>
<aspectj.version>1.8.2</aspectj.version>
- <atlas.version>1.0.0</atlas.version>
+ <atlas.version>2.0.0-SNAPSHOT</atlas.version>
<atlas.guava.version>14.0</atlas.guava.version>
<atlas.gson.version>2.5</atlas.gson.version>
<atlas.jackson.version>2.9.2</atlas.jackson.version>
http://git-wip-us.apache.org/repos/asf/ranger/blob/3c18a99c/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 9302bdd..609dddb 100644
--- a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -21,6 +21,7 @@ package org.apache.ranger.authorization.atlas.authorizer;
import org.apache.atlas.authorize.AtlasAdminAccessRequest;
import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
import org.apache.atlas.authorize.AtlasTypeAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasAuthorizer;
@@ -175,6 +176,25 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
return ret;
}
+ @Override
+ public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
+ if (isDebugEnabled) {
+ LOG.debug("==> scrubSearchResults(" + request + ")");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ rangerAtlasAuthorizerImpl.scrubSearchResults(request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== scrubSearchResults(): " + request);
+ }
+ }
+
private void activatePluginClassLoader() {
if(rangerPluginClassLoader != null) {
rangerPluginClassLoader.activate();