org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor Java Examples

Example #1
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Revokes access as described by {@code request} through the Ranger admin service and audits the outcome.
 *
 * <p>When a policy engine is initialized, the request's zone name is first set to the zone the engine
 * uniquely matches for the request. The "revoke" action is then audited via {@link #auditGrantRevoke}
 * regardless of whether the admin call succeeded or threw, so failed revokes are recorded as well.
 *
 * @param request         the grant/revoke request to apply; its zone name may be updated in place
 * @param resultProcessor receives the audit result; when {@code null} nothing is audited
 * @throws Exception propagated from the admin client call
 */
public void revokeAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.revokeAccess(" + request + ")");
	}

	boolean completed = false;

	try {
		final RangerPolicyEngine engine = this.policyEngine;

		if (engine != null) {
			request.setZoneName(engine.getUniquelyMatchedZoneName(request));
		}

		getAdminClient().revokeAccess(request);

		completed = true;
	} finally {
		// runs on success and on failure alike; completed stays false if the admin call threw
		auditGrantRevoke(request, "revoke", completed, resultProcessor);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.revokeAccess(" + request + ")");
	}
}
 
Example #2
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Grants access as described by {@code request} through the Ranger admin service and audits the outcome.
 *
 * <p>When a policy engine is initialized, the request's zone name is first set to the zone the engine
 * uniquely matches for the request. The "grant" action is then audited via {@link #auditGrantRevoke}
 * regardless of whether the admin call succeeded or threw, so failed grants are recorded as well.
 *
 * @param request         the grant/revoke request to apply; its zone name may be updated in place
 * @param resultProcessor receives the audit result; when {@code null} nothing is audited
 * @throws Exception propagated from the admin client call
 */
public void grantAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.grantAccess(" + request + ")");
	}

	boolean completed = false;

	try {
		final RangerPolicyEngine engine = this.policyEngine;

		if (engine != null) {
			request.setZoneName(engine.getUniquelyMatchedZoneName(request));
		}

		getAdminClient().grantAccess(request);

		completed = true;
	} finally {
		// runs on success and on failure alike; completed stays false if the admin call threw
		auditGrantRevoke(request, "grant", completed, resultProcessor);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.grantAccess(" + request + ")");
	}
}
 
Example #3
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Drops a role through the Ranger admin service.
 *
 * <p>Unlike {@link #grantAccess} and {@link #revokeAccess}, this method does not route anything through
 * the supplied result processor: the parameter is accepted for signature symmetry with the other role
 * APIs, and no audit event is emitted from here.
 *
 * @param execUser        the user on whose behalf the role is dropped
 * @param roleName        the role to drop
 * @param resultProcessor unused by this method
 * @throws Exception propagated from the admin client call
 */
public void dropRole(String execUser, String roleName, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.dropRole(" + roleName + ")");
	}

	getAdminClient().dropRole(execUser, roleName);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.dropRole(" + roleName + ")");
	}
}
 
Example #4
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Emits an audit record for a grant or revoke operation, if auditing is enabled for the resource.
 *
 * <p>The grant/revoke request is converted into a {@link RangerAccessRequestImpl} carrying the resource,
 * the grantor as user, the client IP/type, request data and session id. It is evaluated locally with the
 * {@code ADMIN_ACCESS} access type and a {@code null} result processor solely to learn whether the matched
 * policies have auditing turned on; the authorization decision itself was already made by the admin
 * service. When auditing is on, the access type is rewritten to {@code action}, the allowed flag mirrors
 * {@code isSuccess}, the policy id is set to -1 for failures, and the result is handed to
 * {@code resultProcessor}.
 *
 * @param request         the original grant/revoke request; nothing is audited when {@code null}
 * @param action          the audited action, e.g. "grant" or "revoke"
 * @param isSuccess       whether the admin call completed successfully
 * @param resultProcessor sink for the audit result; nothing is audited when {@code null}
 */
private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
	if (request == null || resultProcessor == null) {
		return;
	}

	final RangerAccessRequestImpl auditRequest = new RangerAccessRequestImpl();

	auditRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
	auditRequest.setUser(request.getGrantor());
	auditRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
	auditRequest.setAction(action);
	auditRequest.setClientIPAddress(request.getClientIPAddress());
	auditRequest.setClientType(request.getClientType());
	auditRequest.setRequestData(request.getRequestData());
	auditRequest.setSessionId(request.getSessionId());

	// evaluated with a null processor: this only tells us whether audit is enabled, it does not audit
	final RangerAccessResult evalResult = isAccessAllowed(auditRequest, null);

	if (evalResult == null || !evalResult.getIsAudited()) {
		return;
	}

	// the audit record reports the grant/revoke action, not the ADMIN_ACCESS type used for evaluation
	auditRequest.setAccessType(action);
	evalResult.setIsAllowed(isSuccess);

	if (!isSuccess) {
		evalResult.setPolicyId(-1);
	}

	resultProcessor.processResult(evalResult);
}
 
Example #5
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Revokes a role through the Ranger admin service.
 *
 * <p>The supplied result processor is not used by this method, so no audit event is emitted from here;
 * the parameter exists for signature symmetry with the other role APIs.
 *
 * @param request         the role grant/revoke request to apply
 * @param resultProcessor unused by this method
 * @throws Exception propagated from the admin client call
 */
public void revokeRole(GrantRevokeRoleRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.revokeRole(" + request + ")");
	}

	getAdminClient().revokeRole(request);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.revokeRole(" + request + ")");
	}
}
 
Example #6
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Grants a role through the Ranger admin service.
 *
 * <p>The supplied result processor is not used by this method, so no audit event is emitted from here;
 * the parameter exists for signature symmetry with the other role APIs.
 *
 * @param request         the role grant/revoke request to apply
 * @param resultProcessor unused by this method
 * @throws Exception propagated from the admin client call
 */
public void grantRole(GrantRevokeRoleRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.grantRole(" + request + ")");
	}

	getAdminClient().grantRole(request);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.grantRole(" + request + ")");
	}
}
 
Example #7
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
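/**
 * Fetches a role definition from the Ranger admin service.
 *
 * <p>The supplied result processor is not used by this method, so no audit event is emitted from here;
 * the parameter exists for signature symmetry with the other role APIs.
 *
 * @param execUser        the user on whose behalf the lookup is performed
 * @param roleName        the role to fetch
 * @param resultProcessor unused by this method
 * @return the role as returned by the admin client
 * @throws Exception propagated from the admin client call
 */
public RangerRole getRole(String execUser, String roleName, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		// the trace names this method; it previously referred to getPrincipalsForRole, which misled log readers
		LOG.debug("==> RangerBasePlugin.getRole(" + roleName + ")");
	}

	final RangerRole ret = getAdminClient().getRole(execUser, roleName);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.getRole(" + roleName + ")");
	}

	return ret;
}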
 
Example #8
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Lists the names of all roles known to the Ranger admin service.
 *
 * <p>The supplied result processor is not used by this method, so no audit event is emitted from here;
 * the parameter exists for signature symmetry with the other role APIs.
 *
 * @param execUser        the user on whose behalf the lookup is performed
 * @param resultProcessor unused by this method
 * @return the role names as returned by the admin client
 * @throws Exception propagated from the admin client call
 */
public List<String> getAllRoles(String execUser, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.getAllRoles()");
	}

	final List<String> roleNames = getAdminClient().getAllRoles(execUser);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.getAllRoles()");
	}

	return roleNames;
}
 
Example #9
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
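/**
 * Lists the names of the roles held by {@code execUser}, as reported by the Ranger admin service.
 *
 * <p>The supplied result processor is not used by this method, so no audit event is emitted from here;
 * the parameter exists for signature symmetry with the other role APIs.
 *
 * @param execUser        the user whose roles are looked up
 * @param resultProcessor unused by this method
 * @return the role names as returned by the admin client
 * @throws Exception propagated from the admin client call
 */
public List<String> getUserRoles(String execUser, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		// the trace names this method; it previously referred to getUserRoleNames, which misled log readers
		LOG.debug("==> RangerBasePlugin.getUserRoles(" + execUser + ")");
	}

	final List<String> ret = getAdminClient().getUserRoles(execUser);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.getUserRoles(" + execUser + ")");
	}

	return ret;
}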
 
Example #10
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Creates a role through the Ranger admin service.
 *
 * <p>The supplied result processor is not used by this method, so no audit event is emitted from here;
 * the parameter exists for signature symmetry with the other role APIs.
 *
 * @param request         the role to create
 * @param resultProcessor unused by this method
 * @return the created role as returned by the admin client
 * @throws Exception propagated from the admin client call
 */
public RangerRole createRole(RangerRole request, RangerAccessResultProcessor resultProcessor) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBasePlugin.createRole(" + request + ")");
	}

	final RangerRole created = getAdminClient().createRole(request);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBasePlugin.createRole(" + request + ")");
	}

	return created;
}
 
Example #11
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Evaluates the row-filter policies for {@code request}.
 *
 * @param request         the access request to evaluate
 * @param resultProcessor processor handed to the policy engine; may be {@code null}
 * @return the engine's result, or {@code null} when no policy engine is initialized — callers should
 *         treat {@code null} as "no decision", not as an allow
 */
public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
	// read the field once so a concurrent reassignment cannot be observed mid-method
	final RangerPolicyEngine engine = this.policyEngine;

	return engine == null
			? null
			: engine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor);
}
 
Example #12
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Evaluates the data-masking policies for {@code request}.
 *
 * @param request         the access request to evaluate
 * @param resultProcessor processor handed to the policy engine; may be {@code null}
 * @return the engine's result, or {@code null} when no policy engine is initialized — callers should
 *         treat {@code null} as "no decision", not as an allow
 */
public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
	// read the field once so a concurrent reassignment cannot be observed mid-method
	final RangerPolicyEngine engine = this.policyEngine;

	return engine == null
			? null
			: engine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor);
}
 
Example #13
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Evaluates the access policies for a batch of requests.
 *
 * @param requests        the access requests to evaluate
 * @param resultProcessor processor handed to the policy engine; may be {@code null}
 * @return the engine's results, or {@code null} when no policy engine is initialized — callers should
 *         treat {@code null} as "no decision", not as an allow
 */
public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) {
	// read the field once so a concurrent reassignment cannot be observed mid-method
	final RangerPolicyEngine engine = this.policyEngine;

	return engine == null
			? null
			: engine.evaluatePolicies(requests, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
}
 
Example #14
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Evaluates the access policies for a single request.
 *
 * @param request         the access request to evaluate
 * @param resultProcessor processor handed to the policy engine; may be {@code null}
 * @return the engine's result, or {@code null} when no policy engine is initialized — callers should
 *         treat {@code null} as "no decision", not as an allow
 */
public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
	// read the field once so a concurrent reassignment cannot be observed mid-method
	final RangerPolicyEngine engine = this.policyEngine;

	return engine == null
			? null
			: engine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
}
 
Example #15
Source File: RangerNiFiAuthorizer.java — from localization_nifi (Apache License 2.0)
/**
 * Authorizes a NiFi request by evaluating it against the Ranger NiFi plugin.
 *
 * <p>One case is decided locally: when a Ranger admin identity is configured and the requester is that
 * identity asking for the {@code RESOURCES_RESOURCE} resource, the request is approved without consulting
 * the plugin. Everything else is translated into a Ranger access request (resource, action, access type,
 * user, access time and, when present in the user context, the client IP) and evaluated by
 * {@code nifiPlugin}.
 *
 * <p>Auditing: only direct access attempts use {@code defaultAuditHandler}; other lookups pass a
 * {@code null} result processor so no audit event is generated for them.
 *
 * <p>A {@code null} or not-allowed result is mapped to {@code denied} when a policy exists for the
 * resource, and to {@code resourceNotFound} otherwise so NiFi can continue up its resource hierarchy.
 *
 * @param request the NiFi authorization request
 * @return approved, denied (with the request's explanation), or resource-not-found
 * @throws AuthorizationAccessException declared by the authorizer contract
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // narrow local bypass: the configured ranger admin identity may list the resources
    final boolean adminListingResources = StringUtils.isNotBlank(rangerAdminIdentity)
            && rangerAdminIdentity.equals(identity)
            && resourceIdentifier.equals(RESOURCES_RESOURCE);
    if (adminListingResources) {
        return AuthorizationResult.approved();
    }

    final String clientIp = request.getUserContext() == null
            ? null
            : request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());

    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final String actionName = request.getAction().name();
    final RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
    accessRequest.setResource(rangerResource);
    accessRequest.setAction(actionName);
    accessRequest.setAccessType(actionName);
    accessRequest.setUser(identity);
    accessRequest.setAccessTime(new Date());
    if (StringUtils.isNotBlank(clientIp)) {
        accessRequest.setClientIPAddress(clientIp);
    }

    // audit only real access attempts; a null processor suppresses audit output for other lookups
    final RangerAccessResultProcessor auditHandler = request.isAccessAttempt() ? defaultAuditHandler : null;

    final RangerAccessResult decision = nifiPlugin.isAccessAllowed(accessRequest, auditHandler);

    if (decision != null && decision.getIsAllowed()) {
        return AuthorizationResult.approved();
    }

    // not allowed: distinguish "no policy covers this resource" from "a policy exists but denies this
    // user or action", so NiFi can fall back to a parent resource in the former case
    if (!nifiPlugin.doesPolicyExist(resourceIdentifier)) {
        return AuthorizationResult.resourceNotFound();
    }

    final String reason = decision == null ? null : decision.getReason();
    if (reason != null) {
        logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
    }

    return AuthorizationResult.denied(request.getExplanationSupplier().get());
}
 
Example #16
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Returns the result processor currently configured on this plugin.
 *
 * @return the configured {@link RangerAccessResultProcessor}; may be {@code null} if none was set
 */
public RangerAccessResultProcessor getResultProcessor() {
	return resultProcessor;
}
 
Example #17
Source File: RangerBasePlugin.java — from ranger (Apache License 2.0)
/**
 * Installs the result processor this plugin should use.
 *
 * @param resultProcessor the processor to store; {@code null} is accepted and stored as-is
 */
public void setResultProcessor(RangerAccessResultProcessor resultProcessor) {
	// no validation here: a null processor is a legal "no processing" setting
	this.resultProcessor = resultProcessor;
}