org.apache.ranger.plugin.policyengine.RangerAccessResult Java Examples

@Before
public void setup() {
    // have to initialize this system property before anything else
    File krb5conf = new File("src/test/resources/krb5.conf");
    assertTrue(krb5conf.exists());
    System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());

    // rest the authentication to simple in case any tests set it to kerberos
    final Configuration securityConf = new Configuration();
    securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(securityConf);

    configurationContext = createMockConfigContext();
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    assertFalse(UserGroupInformation.isSecurityEnabled());

    allowedResult = Mockito.mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = Mockito.mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
 

private boolean addCellValueTransformerAndCheckIfTransformed(QueryContext queryContext, String columnName) {

        logger.logDetail("==> addCellValueTransformerAndCheckIfTransformed(queryContext=" + queryContext + ", " + columnName + ")");
        String columnTransformer = columnName;
        List<String> columnTransformers = queryContext.getColumnTransformers();
        RangerAccessResult result = getRangerDataMaskResult(queryContext, columnName);
        boolean isDataMaskEnabled = isDataMaskEnabled(result);

        if (isDataMaskEnabled) {
            String transformer = getTransformer(result);
            String maskType = result.getMaskType();

            if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
                columnTransformer = NULL_MASK_TYPE;
            } else if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
                columnTransformer = getCustomMaskType(columnName, result);
            } else if (StringUtils.isNotEmpty(transformer)) {
                columnTransformer = transformer.replace("{col}", columnName);
            }
        }

        columnTransformers.add(columnTransformer);
        logger.logDetail("<== addCellValueTransformerAndCheckIfTransformed(queryContext=" + queryContext + ", " + columnName + "): " + isDataMaskEnabled);

        return isDataMaskEnabled;
    }
 

@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult rangerResult;
    synchronized (resultLookup) {
        rangerResult = resultLookup.remove(request);
    }

    if (rangerResult != null && rangerResult.getIsAudited()) {
        AuthzAuditEvent event = defaultAuditHandler.getAuthzEvents(rangerResult);

        // update the event with the originally requested resource
        event.setResourceType(RANGER_NIFI_REG_RESOURCE_NAME);
        event.setResourcePath(request.getRequestedResource().getIdentifier());

        defaultAuditHandler.logAuthzAudit(event);
    }
}
 

@Before
public void setup() {
    // have to initialize this system property before anything else
    File krb5conf = new File("src/test/resources/krb5.conf");
    assertTrue(krb5conf.exists());
    System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());

    // rest the authentication to simple in case any tests set it to kerberos
    final Configuration securityConf = new Configuration();
    securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(securityConf);

    configurationContext = createMockConfigContext();
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    assertFalse(UserGroupInformation.isSecurityEnabled());

    allowedResult = Mockito.mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = Mockito.mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
 

@Override
public void processResult(RangerAccessResult result) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerYarnAuditHandler.logAudit(" + result + ")");
	}

	if(! isAuditEnabled && result.getIsAudited()) {
		isAuditEnabled = true;
	}

	auditEvent = super.getAuthzEvents(result);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerYarnAuditHandler.logAudit(" + result + "): " + auditEvent);
	}
}
 

@Override
public void processResult(RangerAccessResult result) {
	if(! result.getIsAudited()) {
		return;
	}

	if  (skipFilterOperationAuditing(result)) {
		return;
	}

	AuthzAuditEvent auditEvent = createAuditEvent(result);

	if(auditEvent != null) {
		addAuthzAuditEvent(auditEvent);
	}
}
 

@Override
public void processResult(RangerAccessResult result) {
    if (denyExists) { // nothing more to do, if a deny already encountered
        return;
    }

    AuthzAuditEvent auditEvent = super.getAuthzEvents(result);

    if (auditEvent != null) {
        // audit event might have list of entity-types and classification-types; overwrite with the values in original request
        if (resourcePath != null) {
            auditEvent.setResourcePath(resourcePath);
        }

        if (!result.getIsAllowed()) {
            denyExists = true;

            auditEvents.clear();
        }

        auditEvents.put(auditEvent.getPolicyId() + auditEvent.getAccessType(), auditEvent);
    }
}
 

public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp) {
 if(LOG.isDebugEnabled()) {
	LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")");
}
boolean ret = false;
RangerKMSPlugin plugin = kmsPlugin;
String rangerAccessType = getRangerAccessType(type);
AccessControlList blacklist = blacklistedAcls.get(type);
   ret = (blacklist == null) || !blacklist.isUserInList(ugi);
   if(!ret){
   	LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
   }
		
if(plugin != null && ret) {				
	RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp);
	RangerAccessResult result = plugin.isAccessAllowed(request);
	ret = result != null && result.getIsAllowed();
}

if(LOG.isDebugEnabled()) {
	LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi +  " , "+keyName+ "): " + ret);
}

return ret;
}
 

@Override
public AuthzAuditEvent getAuthzEvents(RangerAccessResult result) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> HbaseAuditHandlerImpl.getAuthzEvents(" + result + ")");
	}

	resetResourceForAudit(result.getAccessRequest());
	AuthzAuditEvent event = super.getAuthzEvents(result);
	// first accumulate last set of events and then capture these as the most recent ones
	if (_mostRecentEvent != null) {
		LOG.debug("getAuthzEvents: got one event from default audit handler");
		_allEvents.add(_mostRecentEvent);
	} else {
		LOG.debug("getAuthzEvents: no event produced by default audit handler");
	}
	_mostRecentEvent = event;

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> getAuthzEvents: mostRecentEvent:" + _mostRecentEvent);
	}
	// We return null because we don't want default audit handler to audit anything!
	if(LOG.isDebugEnabled()) {
		LOG.debug("<== HbaseAuditHandlerImpl.getAuthzEvents(" + result + "): null");
	}
	return null;
}
 

@Override
public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
  RangerPrestoAccessRequest request = createAccessRequest(createResource(tableName), context, PrestoAccessType.SELECT);
  RangerAccessResult result = getRowFilterResult(request);

  ViewExpression viewExpression = null;
  if (isRowFilterEnabled(result)) {
    String filter = result.getFilterExpr();
    viewExpression = new ViewExpression(
      context.getIdentity().getUser(),
      Optional.of(tableName.getCatalogName()),
      Optional.of(tableName.getSchemaTableName().getSchemaName()),
      filter
    );
  }
  return Optional.ofNullable(viewExpression);
}
 

@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult rangerResult;
    synchronized (resultLookup) {
        rangerResult = resultLookup.remove(request);
    }

    if (rangerResult != null && rangerResult.getIsAudited()) {
        AuthzAuditEvent event = defaultAuditHandler.getAuthzEvents(rangerResult);

        // update the event with the originally requested resource
        event.setResourceType(RANGER_NIFI_RESOURCE_NAME);
        event.setResourcePath(request.getRequestedResource().getIdentifier());

        defaultAuditHandler.logAuthzAudit(event);
    }
}
 

/**
 * First Check if user is in ACL for the KMS operation, if yes, then
 * return true if user is not present in any configured blacklist for
 * the operation
 * @param type KMS Operation
 * @param ugi UserGroupInformation of user
 * @return true is user has access
 */
@Override
public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
 if(LOG.isDebugEnabled()) {
	LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ")");
}
 RangerPerfTracer perf = null;

 if(RangerPerfTracer.isPerfTraceEnabled(PERF_KMSAUTH_REQUEST_LOG)) {
  perf = RangerPerfTracer.getPerfTracer(PERF_KMSAUTH_REQUEST_LOG, "RangerKmsAuthorizer.hasAccess(type=" + type + ")");
 }
boolean ret = false;
RangerKMSPlugin plugin = kmsPlugin;
String rangerAccessType = getRangerAccessType(type);
AccessControlList blacklist = blacklistedAcls.get(type);
   ret = (blacklist == null) || !blacklist.isUserInList(ugi);
   if(!ret){
   	LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
   }
		
if(plugin != null && ret) {				
	RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp);
	RangerAccessResult result = plugin.isAccessAllowed(request);
	ret = result != null && result.getIsAllowed();
}
RangerPerfTracer.log(perf);
if(LOG.isDebugEnabled()) {
	LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi + "): " + ret);
}

return ret;
}
 

/** FILTERING AND DATA MASKING **/

  private RangerAccessResult getDataMaskResult(RangerPrestoAccessRequest request) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("==> getDataMaskResult(request=" + request + ")");
    }

    RangerAccessResult ret = rangerPlugin.evalDataMaskPolicies(request, null);

    if(LOG.isDebugEnabled()) {
      LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + ret);
    }

    return ret;
  }
 

private boolean hasPermission(RangerPrestoResource resource, SystemSecurityContext context, PrestoAccessType accessType) {
  boolean ret = false;

  RangerPrestoAccessRequest request = createAccessRequest(resource, context, accessType);

  RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
  if (result != null && result.getIsAllowed()) {
    ret = true;
  }

  return ret;
}
 

private String getCustomMaskType(String columnName, RangerAccessResult result) {
    String maskedValue = result.getMaskedValue();

    if (maskedValue == null) {
        return NULL_MASK_TYPE;
    } else {
        return maskedValue.replace("{col}", columnName);
    }
}
 

private String getTransformer(RangerAccessResult result) {
    RangerServiceDef.RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();

    if (maskTypeDef != null) {
        return maskTypeDef.getTransformer();
    }

    return null;
}
 

private RangerAccessResult getRowFilterResult(RangerPrestoAccessRequest request) {
  if(LOG.isDebugEnabled()) {
    LOG.debug("==> getRowFilterResult(request=" + request + ")");
  }

  RangerAccessResult ret = rangerPlugin.evalRowFilterPolicies(request, null);

  if(LOG.isDebugEnabled()) {
    LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + ret);
  }

  return ret;
}
 

@Override
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
	RangerPolicyItemRowFilterInfo rowFilterInfo = getRowFilterInfo();

	if (result.getFilterExpr() == null && rowFilterInfo != null) {
		result.setFilterExpr(rowFilterInfo.getFilterExpr());
		policyEvaluator.updateAccessResult(result, matchType, true, getComments());
	}
}
 

protected RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest request, RangerAccessResult result) {
	RangerPolicyItemEvaluator ret = null;

	Integer policyType = getPolicy().getPolicyType();
	if (policyType == null) {
		policyType = RangerPolicy.POLICY_TYPE_ACCESS;
	}

	switch (policyType) {
		case RangerPolicy.POLICY_TYPE_ACCESS: {
			ret = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);

			if(ret == null && !result.getIsAccessDetermined()) { // a deny policy could have set isAllowed=true, but in such case it wouldn't set isAccessDetermined=true
				ret = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators);
			}
			break;
		}
		case RangerPolicy.POLICY_TYPE_DATAMASK: {
			ret = getMatchingPolicyItem(request, dataMaskEvaluators);
			break;
		}
		case RangerPolicy.POLICY_TYPE_ROWFILTER: {
			ret = getMatchingPolicyItem(request, rowFilterEvaluators);
			break;
		}
		default:
			break;
	}

	return ret;
}
 

protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
	}
	if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getId() + "]");
		}
		Integer accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(),  request.getAccessType());
		if (accessResult != null) {
			updateAccessResult(result, matchType, accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
		}
	} else {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getId() + "]");
		}

		RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result);

		if (matchedPolicyItem != null) {
			matchedPolicyItem.updateAccessResult(this, result, matchType);
		} else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) && !request.isAccessTypeAny()) {
			updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
		}
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
	}
}
 

@Override
public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String reason) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
	}
	if (!isAllowed) {
		if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT || !result.getAccessRequest().isAccessTypeAny()) {
			result.setIsAllowed(false);
			result.setPolicyPriority(getPolicyPriority());
			result.setPolicyId(getId());
			result.setReason(reason);
			result.setPolicyVersion(getPolicy().getVersion());
		}
	} else {
		if (!result.getIsAllowed()) { // if access is not yet allowed by another policy
			if (matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
				result.setIsAllowed(true);
				result.setPolicyPriority(getPolicyPriority());
				result.setPolicyId(getId());
				result.setReason(reason);
				result.setPolicyVersion(getPolicy().getVersion());
			}
		}
	}
	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
	}
}
 

@Override
public boolean checkPermission(String user, List<String> groups, String entityType, String entityUuid,
		Permission permission) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKylinAuthorizer.checkPermission( user=" + user + ", groups=" + groups
				+ ", entityType=" + entityType + ", entityUuid=" + entityUuid + ", permission=" + permission + ")");
	}

	boolean ret = false;

	if (kylinPlugin != null) {
		String projectName = null;
		KylinConfig kylinConfig = KylinConfig.getInstanceFromEnv();
		if (AclEntityType.PROJECT_INSTANCE.equals(entityType)) {
			ProjectInstance projectInstance = ProjectManager.getInstance(kylinConfig).getPrjByUuid(entityUuid);
			if (projectInstance != null) {
				projectName = projectInstance.getName();
			} else {
				if (LOG.isWarnEnabled()) {
					LOG.warn("Could not find kylin project for given uuid=" + entityUuid);
				}
			}
		}

		String accessType = ExternalAclProvider.transformPermission(permission);
		RangerKylinAccessRequest request = new RangerKylinAccessRequest(projectName, user, groups, accessType,
				clientIPAddress);

		RangerAccessResult result = kylinPlugin.isAccessAllowed(request);
		if (result != null && result.getIsAllowed()) {
			ret = true;
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKylinAuthorizer.checkPermission(): result=" + ret);
	}

	return ret;
}
 

@Override
public boolean checkPermission(String user, List<String> groups, String index, String action,
		String clientIPAddress) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerElasticsearchAuthorizer.checkPermission( user=" + user + ", groups=" + groups
				+ ", index=" + index + ", action=" + action + ", clientIPAddress=" + clientIPAddress + ")");
	}

	boolean ret = false;

	if (elasticsearchPlugin != null) {
		if (null == groups) {
			groups = new ArrayList <>(MiscUtil.getGroupsForRequestUser(user));
		}
		String privilege = IndexPrivilegeUtils.getPrivilegeFromAction(action);
		RangerElasticsearchAccessRequest request = new RangerElasticsearchAccessRequest(user, groups, index,
				privilege, clientIPAddress);

		RangerAccessResult result = elasticsearchPlugin.isAccessAllowed(request);
		if (result != null && result.getIsAllowed()) {
			ret = true;
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerElasticsearchAuthorizer.checkPermission(): result=" + ret);
	}

	return ret;
}
 

private RangerAccessResult getRangerDataMaskResult(QueryContext queryContext, String columnName) {
    GaianResourceType objectType = GaianResourceType.COLUMN;
    RangerGaianResource resource = new RangerGaianResource(objectType, queryContext.getSchema(), queryContext.getTableName(), columnName);
    String user = queryContext.getUser();
    Set<String> groups = queryContext.getUserGroups();
    RangerGaianAccessRequest request = new RangerGaianAccessRequest(resource, queryContext.getActionType(), user, groups);

    return gaianPlugin.evalDataMaskPolicies(request, new RangerDefaultAuditHandler());
}
 

private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHandler auditHandler) {
    boolean          ret    = false;
    RangerBasePlugin plugin = atlasPlugin;

    if (plugin != null) {
        RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);

        ret = result != null && result.getIsAllowed();
    } else {
        LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
    }

    return ret;
}
 

private boolean checkAccess(RangerAccessRequestImpl request) {
    boolean          ret    = false;
    RangerBasePlugin plugin = atlasPlugin;

    if (plugin != null) {
        RangerAccessResult result = plugin.isAccessAllowed(request);

        ret = result != null && result.getIsAllowed();
    } else {
        LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
    }

    return ret;
}
 

private boolean isAuditingNeeded(final RangerAccessResult result) {
    boolean ret = true;
    boolean 			    isAllowed = result.getIsAllowed();
    RangerAccessRequest request = result.getAccessRequest();
    RangerAccessResourceImpl resource = (RangerAccessResourceImpl) request.getResource();
    String resourceName 			  = (String) resource.getValue(RangerKafkaAuthorizer.KEY_CLUSTER);
    if (resourceName != null) {
        if (request.getAccessType().equalsIgnoreCase(RangerKafkaAuthorizer.ACCESS_TYPE_CREATE) && !isAllowed) {
            ret = false;
        }
    }
    return ret;
}
 

@Override
public void processResult(RangerAccessResult result) {
    // If Cluster Resource Level Topic Creation is not Allowed we don't audit.
    // Subsequent call from Kafka for Topic Creation at Topic resource Level will be audited.
    if (!isAuditingNeeded(result)) {
        return;
    }
    auditEvent = super.getAuthzEvents(result);
}
 

private void setup(final NiFiRegistryProperties registryProperties,
                  final UserGroupProvider userGroupProvider,
                  final AuthorizerConfigurationContext configurationContext) {
    // have to initialize this system property before anything else
    File krb5conf = new File("src/test/resources/krb5.conf");
    assertTrue(krb5conf.exists());
    System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());

    // rest the authentication to simple in case any tests set it to kerberos
    final Configuration securityConf = new Configuration();
    securityConf.set(RangerAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(securityConf);

    rangerBasePlugin = mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerAuthorizer(rangerBasePlugin);

    final UserGroupProviderLookup userGroupProviderLookup = mock(UserGroupProviderLookup.class);
    when(userGroupProviderLookup.getUserGroupProvider(eq("user-group-provider"))).thenReturn(userGroupProvider);

    final AuthorizerInitializationContext initializationContext = mock(AuthorizerInitializationContext.class);
    when(initializationContext.getUserGroupProviderLookup()).thenReturn(userGroupProviderLookup);

    authorizer.setRegistryProperties(registryProperties);
    authorizer.initialize(initializationContext);
    authorizer.onConfigured(configurationContext);

    assertFalse(UserGroupInformation.isSecurityEnabled());

    allowedResult = mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
 

@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerSqoopAuthorizer.checkPrivileges( principal=" + principal + ", privileges="
				+ privileges + ")");
	}

	if (CollectionUtils.isEmpty(privileges)) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() return because privileges is empty.");
		}
		return;
	}

	RangerSqoopPlugin plugin = sqoopPlugin;

	if (plugin != null) {
		for (MPrivilege privilege : privileges) {
			RangerSqoopAccessRequest request = new RangerSqoopAccessRequest(principal, privilege, clientIPAddress);

			RangerAccessResult result = plugin.isAccessAllowed(request);
			if (result != null && !result.getIsAllowed()) {
				throw new SqoopException(SecurityError.AUTH_0014, "principal=" + principal
						+ " does not have privileges for : " + privilege);
			}
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() success without exception.");
	}
}