Java Code Examples for org.apache.ranger.plugin.policyengine.RangerAccessRequest#getResource()

The following examples show how to use org.apache.ranger.plugin.policyengine.RangerAccessRequest#getResource().
Example 1
Source File: RangerSolrAuditHandler.java    From ranger with Apache License 2.0
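/**
 * Decides whether an access result on a Solr collection should produce an audit record.
 *
 * <p>Auditing is skipped in exactly one case: the accessed collection equals
 * {@code RANGER_AUDIT_COLLECTION} and the requesting user is contained in
 * {@code excludeUsers}. Everything else is audited, including a result whose request or
 * resource is missing or is not a {@link RangerAccessResourceImpl}; an unexpected request
 * shape therefore falls back to "audit" instead of failing with an exception.
 *
 * @param result the evaluated access result
 * @return {@code false} only for an excluded user accessing the audit collection,
 *         {@code true} in every other case
 */
private boolean isAuditingNeeded(final RangerAccessResult result) {
    RangerAccessRequest request = result.getAccessRequest();

    // Fail towards auditing: without a usable resource there is nothing to exempt.
    if (request == null || !(request.getResource() instanceof RangerAccessResourceImpl)) {
        return true;
    }

    RangerAccessResourceImpl resource   = (RangerAccessResourceImpl) request.getResource();
    Object                   collection = resource.getValue(RangerSolrAuthorizer.KEY_COLLECTION);

    // A non-String value can never name the audit collection, so it is audited as well.
    boolean isAuditCollection = collection instanceof String && collection.equals(RANGER_AUDIT_COLLECTION);

    // NOTE(review): the exemption presumably keeps the audit writer's own writes from
    // generating further audit events; confirm that excludeUsers is limited to such
    // service accounts, since members leave no trace on the audit collection.
    return !(isAuditCollection && excludeUsers.contains(request.getUser()));
}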
 
Example 2
Source File: RangerHdfsAuthorizer.java    From ranger with Apache License 2.0
/**
 * Folds one access result into the single audit event kept by this handler.
 *
 * <p>The event is created from the first result that yields one (via
 * {@code super.getAuthzEvents}); every later call overwrites the event's time, access
 * type, resource path, result reason, outcome, policy id/version and tags with the values
 * of the latest result.
 *
 * @param result the access result to record
 */
@Override
public void processResult(RangerAccessResult result) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
	}

	// One-way latch: once any result requests auditing the flag stays set.
	if (!isAuditEnabled) {
		if (result.getIsAudited()) {
			isAuditEnabled = true;
		}
	}

	if (auditEvent == null) {
		auditEvent = super.getAuthzEvents(result);
	}

	if (auditEvent != null) {
		final RangerAccessRequest  accessRequest  = result.getAccessRequest();
		final RangerAccessResource accessResource = accessRequest.getResource();
		final String               resourceText   = (accessResource == null) ? null : accessResource.getAsString();

		// Fall back to "now" when the request carries no access time.
		Date eventTime = accessRequest.getAccessTime();
		if (eventTime == null) {
			eventTime = new Date();
		}

		// Overwrite fields in the original audit event. The recorded resource path is the
		// handler's pathToBeValidated; the evaluated resource is kept as the result reason.
		auditEvent.setEventTime(eventTime);
		auditEvent.setAccessType(accessRequest.getAction());
		auditEvent.setResourcePath(this.pathToBeValidated);
		auditEvent.setResultReason(resourceText);

		final short outcome = (short) (result.getIsAllowed() ? 1 : 0);
		auditEvent.setAccessResult(outcome);
		auditEvent.setPolicyId(result.getPolicyId());
		auditEvent.setPolicyVersion(result.getPolicyVersion());

		// Tags already on the event are left alone when the request yields none.
		final Set<String> requestTags = getTags(accessRequest);
		if (requestTags != null) {
			auditEvent.setTags(requestTags);
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
	}
}
 
Example 3
Source File: RangerHiveAuditHandler.java    From ranger with Apache License 2.0
/**
 * Builds the audit event for an access result, choosing the access type to record from
 * the policy type that produced the result.
 *
 * <ul>
 *   <li>data-mask policy with masking enabled: the mask type is recorded;</li>
 *   <li>row-filter policy: {@code ACCESS_TYPE_ROWFILTER} is recorded;</li>
 *   <li>access policy: the Hive access type (or {@code ACTION_TYPE_METADATA_OPERATION}
 *       when that is the request's action), falling back to the request's access type.</li>
 * </ul>
 *
 * @param result the evaluated access result
 * @return the audit event, or {@code null} when the policy type matches none of the above
 */
AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
	final RangerAccessRequest  accessRequest  = result.getAccessRequest();
	final RangerAccessResource accessResource = accessRequest.getResource();
	final String               resourceText   = (accessResource == null) ? null : accessResource.getAsString();
	final int                  policyKind     = result.getPolicyType();

	if (policyKind == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) {
		return createAuditEvent(result, result.getMaskType(), resourceText);
	}

	if (policyKind == RangerPolicy.POLICY_TYPE_ROWFILTER) {
		return createAuditEvent(result, ACCESS_TYPE_ROWFILTER, resourceText);
	}

	if (policyKind != RangerPolicy.POLICY_TYPE_ACCESS) {
		// Includes a data-mask result with masking disabled: no event is produced.
		return null;
	}

	String recordedType = null;

	if (accessRequest instanceof RangerHiveAccessRequest) {
		final String hiveType = ((RangerHiveAccessRequest) accessRequest).getHiveAccessType().toString();

		// A metadata operation is recorded under its action name instead of the Hive access type.
		recordedType = ACTION_TYPE_METADATA_OPERATION.equals(accessRequest.getAction())
				? ACTION_TYPE_METADATA_OPERATION
				: hiveType;
	}

	if (StringUtils.isEmpty(recordedType)) {
		recordedType = accessRequest.getAccessType();
	}

	return createAuditEvent(result, recordedType, resourceText);
}
 
Example 4
Source File: RangerKafkaAuditHandler.java    From ranger with Apache License 2.0
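/**
 * Decides whether a Kafka access result should produce an audit record.
 *
 * <p>Auditing is skipped in exactly one case: the resource carries a value for
 * {@code RangerKafkaAuthorizer.KEY_CLUSTER}, the access type is
 * {@code RangerKafkaAuthorizer.ACCESS_TYPE_CREATE} (case-insensitive) and the request was
 * denied. A missing request, a resource that is not a {@link RangerAccessResourceImpl} or a
 * {@code null} access type all fall back to "audit" instead of raising an exception.
 *
 * @param result the evaluated access result
 * @return {@code false} only for a denied create on a cluster resource, {@code true} otherwise
 */
private boolean isAuditingNeeded(final RangerAccessResult result) {
    RangerAccessRequest request = result.getAccessRequest();

    // Fail towards auditing when the request does not have the expected shape.
    if (request == null || !(request.getResource() instanceof RangerAccessResourceImpl)) {
        return true;
    }

    RangerAccessResourceImpl resource    = (RangerAccessResourceImpl) request.getResource();
    Object                   clusterName = resource.getValue(RangerKafkaAuthorizer.KEY_CLUSTER);

    if (clusterName == null) {
        return true;
    }

    // Constant-first comparison keeps a request without an access type from throwing.
    boolean isCreate = RangerKafkaAuthorizer.ACCESS_TYPE_CREATE.equalsIgnoreCase(request.getAccessType());

    // NOTE(review): denied cluster-level create attempts leave no audit record here.
    // Denials are usually the events a detection pipeline wants to see, so confirm this
    // suppression is intentional and that such denials are visible in some other log.
    return !(isCreate && !result.getIsAllowed());
}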
 
Example 5
Source File: RangerOptimizedPolicyEvaluator.java    From ranger with Apache License 2.0
/**
 * Tells whether the requesting user is the owner of the accessed resource.
 *
 * <p>The check only runs when {@code hasResourceOwner} is set on this evaluator. A missing
 * resource, a missing owner or a missing user never matches, and the comparison is an
 * exact, case-sensitive {@link String#equals(Object)}.
 *
 * @param request the access request being evaluated
 * @return {@code true} when user and resource owner are both present and equal
 */
private boolean isOwnerMatch(RangerAccessRequest request) {
    if (!hasResourceOwner) {
        return false;
    }

    final RangerAccessResource target    = request.getResource();
    final String               owner     = (target == null) ? null : target.getOwnerUser();
    final String               requester = request.getUser();

    // Both sides must be known; an absent owner must never be treated as "anyone".
    return requester != null && owner != null && requester.equals(owner);
}
 
Example 6
Source File: RangerDefaultPolicyItemEvaluator.java    From ranger with Apache License 2.0
/**
 * Collects the identity attributes of a request (user, groups, roles, resource owner) and
 * delegates to the four-argument {@code matchUserGroupAndOwner} overload.
 *
 * <p>The user's roles are read from the request context only when the policy item lists at
 * least one role; otherwise {@code null} is passed for the roles.
 *
 * @param request the access request being evaluated
 * @return the result of the delegate match
 */
private boolean matchUserGroupAndOwner(RangerAccessRequest request) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + request + ")");
	}

	final String      requester = request.getUser();
	final Set<String> groups    = request.getUserGroups();

	final RangerAccessResource target = request.getResource();
	final String               owner  = (target == null) ? null : target.getOwnerUser();

	// Skip the context lookup entirely for policy items that do not reference roles.
	final Set<String> currentRoles = CollectionUtils.isNotEmpty(policyItem.getRoles())
			? RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())
			: null;

	final boolean matched = matchUserGroupAndOwner(requester, groups, currentRoles, owner);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + request + "): " + matched);
	}

	return matched;
}
 
Example 7
Source File: RangerDefaultRequestProcessor.java    From ranger with Apache License 2.0
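/**
 * Attaches the policy engine's service definition to the request's resource when the
 * resource has none yet.
 *
 * <p>Only resources implementing {@link RangerMutableResource} can be updated; any other
 * resource, and a request without a resource, is left untouched. The {@code instanceof}
 * test doubles as the null check, so a resource-less request no longer fails here.
 *
 * @param request the access request whose resource may need a service definition
 */
private void setResourceServiceDef(RangerAccessRequest request) {
    RangerAccessResource resource = request.getResource();

    if (resource instanceof RangerMutableResource && resource.getServiceDef() == null) {
        ((RangerMutableResource) resource).setServiceDef(policyEngine.getServiceDef());
    }
}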
 
Example 8
Source File: HbaseAuditHandlerImpl.java    From ranger with Apache License 2.0
/**
 * Resets the table value ({@code RangerHBaseResource.KEY_TABLE}) on the request's resource
 * when that resource is a {@link RangerHBaseResource}.
 *
 * <p>A {@code null} request and any other resource type are ignored. The resource object
 * held by the request is modified in place.
 *
 * @param request the access request whose resource is adjusted; may be {@code null}
 */
private void resetResourceForAudit(RangerAccessRequest request) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> HbaseAuditHandlerImpl.resetResourceForAudit(" + request + ")");
	}

	if (request != null) {
		if (request.getResource() instanceof RangerHBaseResource) {
			((RangerHBaseResource) request.getResource()).resetValue(RangerHBaseResource.KEY_TABLE);
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== HbaseAuditHandlerImpl.resetResourceForAudit(" + request + ")");
	}
}
 
Example 9
Source File: RangerHiveAuditHandler.java    From ranger with Apache License 2.0
/**
 * Creates the audit event for a Hive access result and fills in access type, resource
 * path and resource type, then applies Hive-specific overrides.
 *
 * <p>The overrides run in sequence and each one that applies replaces the access type set
 * before it, so the last matching block decides the recorded value: REPLADMIN, then
 * SERVICEADMIN, then role operations on the GLOBAL object.
 *
 * @param result       the evaluated access result
 * @param accessType   the access type to record unless an override below replaces it
 * @param resourcePath the resource path to record
 * @return the populated audit event
 */
AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
	RangerAccessRequest  request      = result.getAccessRequest();
	RangerAccessResource resource     = request.getResource();
	String               resourceType = resource != null ? resource.getLeafName() : null;

	// NOTE(review): the returned event is dereferenced without a null check; confirm that
	// getAuthzEvents cannot return null for the results that reach this method.
	AuthzAuditEvent auditEvent = super.getAuthzEvents(result);

	auditEvent.setAccessType(accessType);
	auditEvent.setResourcePath(resourcePath);
	// When the request has no resource, resourceType is null and the recorded value is "@null".
	auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release

	if (request instanceof RangerHiveAccessRequest && resource instanceof RangerHiveResource) {
		RangerHiveAccessRequest hiveAccessRequest = (RangerHiveAccessRequest) request;
		RangerHiveResource hiveResource = (RangerHiveResource) resource;
		HiveAccessType hiveAccessType = hiveAccessRequest.getHiveAccessType();

		if (hiveAccessType == HiveAccessType.USE && hiveResource.getObjectType() == HiveObjectType.DATABASE && StringUtils.isBlank(hiveResource.getDatabase())) {
			// this should happen only for SHOWDATABASES
			auditEvent.setTags(null);
		}

		if (hiveAccessType == HiveAccessType.REPLADMIN ) {
			// For REPL commands the audit record shows the concrete REPL command, derived from
			// the request data, instead of the generic REPLADMIN access type
			String context = request.getRequestData();
				String replAccessType = getReplCmd(context);
				auditEvent.setAccessType(replAccessType);
		}

		if (hiveAccessType == HiveAccessType.SERVICEADMIN) {
			String hiveOperationType = request.getAction();
			String commandStr = request.getRequestData();
			if (HiveOperationType.KILL_QUERY.name().equalsIgnoreCase(hiveOperationType)) {
				// KILL QUERY: record the query id as request data (when one is found) and the
				// parsed command as access type, falling back to the access type's name
				String queryId = getServiceAdminQueryId(commandStr);
				if (!StringUtils.isEmpty(queryId)) {
					auditEvent.setRequestData(queryId);
				}
				commandStr = getServiceAdminCmd(commandStr);
				if (StringUtils.isEmpty(commandStr)) {
					commandStr = hiveAccessType.name();
				}
			}
			// For any other SERVICEADMIN action commandStr is still the unmodified request
			// data, which may be null or empty
			auditEvent.setAccessType(commandStr);
		}

		// Role operations on the GLOBAL object are recorded under the action itself
		String action = request.getAction();
		if (hiveResource.getObjectType() == HiveObjectType.GLOBAL && isRoleOperation(action)) {
			auditEvent.setAccessType(action);
		}
	}

	return auditEvent;
}
 
Example 10
Source File: RangerDefaultRequestProcessor.java    From ranger with Apache License 2.0
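/**
 * Prepares an access request for policy evaluation.
 *
 * <p>In order: ensures the resource has a service definition; for
 * {@link RangerAccessRequestImpl} requests fills in a missing client IP address, cluster
 * name and cluster type; publishes the current user, the resource owner (when non-empty)
 * and the user's roles (when non-empty) in the request context; then runs {@code enrich}.
 *
 * <p>Roles carried on the request take precedence. Only when the request carries none are
 * they resolved from the plugin's auth context, and that lookup is skipped when the plugin
 * context or its auth context is unavailable, matching the null check already applied to
 * the plugin context for the cluster fields.
 *
 * @param request the access request to prepare
 */
@Override
public void preProcess(RangerAccessRequest request) {

    setResourceServiceDef(request);
    if (request instanceof RangerAccessRequestImpl) {
        RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl) request;

        if (reqImpl.getClientIPAddress() == null) {
            // NOTE(review): the address is derived using the engine's use-forwarded-address
            // flag and trusted-proxy list; presumably a forwarded address is honoured only
            // behind a trusted proxy. Confirm in extractAndSetClientIPAddress, since the
            // result can feed IP-based policy conditions and audit records.
            reqImpl.extractAndSetClientIPAddress(policyEngine.getUseForwardedIPAddress(), policyEngine.getTrustedProxyAddresses());
        }

        if(policyEngine.getPluginContext() != null) {
            if (reqImpl.getClusterName() == null) {
                reqImpl.setClusterName(policyEngine.getPluginContext().getClusterName());
            }

            if (reqImpl.getClusterType() == null) {
                reqImpl.setClusterType(policyEngine.getPluginContext().getClusterType());
            }
        }
    }

    RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());

    String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;

    if (StringUtils.isNotEmpty(owner)) {
        RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
    }

    // NOTE(review): roles supplied on the request are used as given; confirm they are set
    // by the plugin and never copied from client-controlled input.
    Set<String> roles = request.getUserRoles();
    if (CollectionUtils.isEmpty(roles)
            && policyEngine.getPluginContext() != null
            && policyEngine.getPluginContext().getAuthContext() != null) {
        roles = policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());
    }

    if (CollectionUtils.isNotEmpty(roles)) {
        RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), roles);
    }

    enrich(request);
}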
 
Example 11
Source File: RangerTagEnricher.java    From ranger with Apache License 2.0
/**
 * Finds the tags that apply to the resource of an access request.
 *
 * <p>A request with no resource keys and "any" access type receives the precomputed tag
 * set for that case. Otherwise every service-resource matcher returned by
 * {@code getEvaluators} is consulted: for "any" access or a
 * {@code SELF_OR_DESCENDANTS} matching scope any match type other than {@code NONE}
 * counts; in all other cases only {@code SELF} and {@code ANCESTOR} matches count.
 *
 * @param request   the access request being enriched
 * @param dataStore the tag data to evaluate against, or {@code null} to use this
 *                  enricher's current tag data
 * @return the matching tags, or {@code null} when no matcher matched
 */
private Set<RangerTagForEval> findMatchingTags(final RangerAccessRequest request, EnrichedServiceTags dataStore) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerTagEnricher.findMatchingTags(" + request + ")");
	}

	// Read the tag data once into a local, to minimize the chance of a race between the
	// tag-refresher thread and the access-evaluation thread.
	final EnrichedServiceTags  tagSnapshot = (dataStore == null) ? this.enrichedServiceTags : dataStore;
	final RangerAccessResource resource    = request.getResource();

	Set<RangerTagForEval> ret = null;

	final boolean hasNoResourceKeys = resource == null || resource.getKeys() == null || resource.getKeys().isEmpty();

	if (hasNoResourceKeys && request.isAccessTypeAny()) {
		ret = tagSnapshot.getTagsForEmptyResourceAndAnyAccess();
	} else {
		final List<RangerServiceResourceMatcher> matchers = getEvaluators(resource, tagSnapshot);

		if (CollectionUtils.isNotEmpty(matchers)) {
			for (RangerServiceResourceMatcher matcher : matchers) {
				final RangerPolicyResourceMatcher.MatchType matchType = matcher.getMatchType(resource, request.getContext());

				// "Any" access and descendant-scoped requests accept every kind of overlap.
				final boolean acceptsAnyOverlap = request.isAccessTypeAny()
						|| request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS;

				final boolean isMatched = acceptsAnyOverlap
						? matchType != RangerPolicyResourceMatcher.MatchType.NONE
						: (matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR);

				if (!isMatched) {
					continue;
				}

				// The result set is created lazily so that "nothing matched" stays null.
				if (ret == null) {
					ret = new HashSet<>();
				}
				ret.addAll(getTagsForServiceResource(tagSnapshot.getServiceTags(), matcher.getServiceResource(), matchType));
			}
		}
	}

	if (LOG.isDebugEnabled()) {
		if (CollectionUtils.isEmpty(ret)) {
			LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - No tags Found ");
		} else {
			LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - " + ret.size() + " tags Found ");
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerTagEnricher.findMatchingTags(" + request + ")");
	}

	return ret;
}