org.apache.ranger.plugin.policyengine.RangerAccessResult Java Examples

Example #1
Source File: TestRangerNiFiAuthorizer.java    From nifi with Apache License 2.0
@Before
public void setup() {
    // have to initialize this system property before anything else
    final File krb5Config = new File("src/test/resources/krb5.conf");
    assertTrue(krb5Config.exists());
    System.setProperty("java.security.krb5.conf", krb5Config.getAbsolutePath());

    // Reset authentication to "simple" in case an earlier test switched it to kerberos.
    final Configuration hadoopSecurityConf = new Configuration();
    hadoopSecurityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(hadoopSecurityConf);

    // The authorizer under test is wired to a mocked Ranger plugin, so no policy server is needed.
    configurationContext = createMockConfigContext();
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    // Guard against a leaked kerberos setting from another test.
    assertFalse(UserGroupInformation.isSecurityEnabled());

    // Canned plugin decisions shared by the test cases.
    allowedResult = Mockito.mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = Mockito.mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
 
Example #2
Source File: RangerGaianAuthorizer.java    From egeria with Apache License 2.0
/**
 * Appends the cell transformer for {@code columnName} to the query context and reports
 * whether a data-mask policy applied.
 * <p>
 * Without a mask the transformer is the bare column name. With a mask it is the NULL
 * mask, a custom expression, or the mask type's transformer template with
 * {@code {col}} replaced by the column name.
 *
 * @param queryContext query being rewritten; its transformer list is appended to
 * @param columnName   column whose cell values are transformed
 * @return {@code true} if a data-mask policy applied to the column
 */
private boolean addCellValueTransformerAndCheckIfTransformed(QueryContext queryContext, String columnName) {
    logger.logDetail("==> addCellValueTransformerAndCheckIfTransformed(queryContext=" + queryContext + ", " + columnName + ")");

    final List<String> transformers = queryContext.getColumnTransformers();
    final RangerAccessResult maskResult = getRangerDataMaskResult(queryContext, columnName);
    final boolean masked = isDataMaskEnabled(maskResult);

    // Default: no masking, the transformer is the column itself.
    String cellTransformer = columnName;

    if (masked) {
        final String policyTransformer = getTransformer(maskResult);
        final String maskType = maskResult.getMaskType();

        if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
            cellTransformer = NULL_MASK_TYPE;
        } else if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
            cellTransformer = getCustomMaskType(columnName, maskResult);
        } else if (StringUtils.isNotEmpty(policyTransformer)) {
            // Transformer templates refer to the column as "{col}".
            cellTransformer = policyTransformer.replace("{col}", columnName);
        }
        // Any other mask type with an empty transformer keeps the column name.
    }

    transformers.add(cellTransformer);
    logger.logDetail("<== addCellValueTransformerAndCheckIfTransformed(queryContext=" + queryContext + ", " + columnName + "): " + masked);

    return masked;
}
 
Example #3
Source File: RangerAuthorizer.java    From nifi-registry with Apache License 2.0
/**
 * Emits the Ranger audit record for a request whose evaluation result was stashed in
 * {@code resultLookup} (populated elsewhere in this class).
 * <p>
 * The stashed result is removed under the map's lock. Nothing is logged when the request
 * was never evaluated or its policy did not ask for auditing.
 *
 * @param request the authorization request that was evaluated
 * @param result  the final authorization outcome (not used for the audit record itself)
 */
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult pending;
    synchronized (resultLookup) {
        pending = resultLookup.remove(request);
    }

    if (pending == null || !pending.getIsAudited()) {
        return;
    }

    // NOTE(review): getAuthzEvents() is assumed to return non-null for an audited result — confirm.
    final AuthzAuditEvent auditEvent = defaultAuditHandler.getAuthzEvents(pending);

    // Report the resource the client actually asked for, not the one the default handler derived.
    auditEvent.setResourceType(RANGER_NIFI_REG_RESOURCE_NAME);
    auditEvent.setResourcePath(request.getRequestedResource().getIdentifier());

    defaultAuditHandler.logAuthzAudit(auditEvent);
}
 
Example #4
Source File: TestRangerNiFiAuthorizer.java    From localization_nifi with Apache License 2.0
@Before
public void setup() {
    // have to initialize this system property before anything else
    final File krb5Config = new File("src/test/resources/krb5.conf");
    assertTrue(krb5Config.exists());
    System.setProperty("java.security.krb5.conf", krb5Config.getAbsolutePath());

    // Reset authentication to "simple" in case an earlier test switched it to kerberos.
    final Configuration hadoopSecurityConf = new Configuration();
    hadoopSecurityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(hadoopSecurityConf);

    // The authorizer under test is wired to a mocked Ranger plugin, so no policy server is needed.
    configurationContext = createMockConfigContext();
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    // Guard against a leaked kerberos setting from another test.
    assertFalse(UserGroupInformation.isSecurityEnabled());

    // Canned plugin decisions shared by the test cases.
    allowedResult = Mockito.mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = Mockito.mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
 
Example #5
Source File: RangerYarnAuthorizer.java    From ranger with Apache License 2.0
/**
 * Builds the audit event for one access result and remembers whether any result seen so
 * far asked for auditing.
 * <p>
 * NOTE: the trace messages name this method {@code logAudit}.
 *
 * @param result the access result to turn into an audit event
 */
@Override
public void processResult(RangerAccessResult result) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerYarnAuditHandler.logAudit(" + result + ")");
	}

	// Sticky flag: once set it is never cleared here.
	isAuditEnabled = isAuditEnabled || result.getIsAudited();

	// Always keep the most recent event, whether or not auditing was requested.
	auditEvent = super.getAuthzEvents(result);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerYarnAuditHandler.logAudit(" + result + "): " + auditEvent);
	}
}
 
Example #6
Source File: RangerHiveAuditHandler.java    From ranger with Apache License 2.0
/**
 * Queues an audit event for {@code result} unless the policy did not ask for auditing or
 * the result belongs to a filter operation this handler skips.
 *
 * @param result the access result to audit
 */
@Override
public void processResult(RangerAccessResult result) {
	if (!result.getIsAudited() || skipFilterOperationAuditing(result)) {
		return;
	}

	final AuthzAuditEvent event = createAuditEvent(result);

	// createAuditEvent() may return null; only real events are queued.
	if (event != null) {
		addAuthzAuditEvent(event);
	}
}
 
Example #7
Source File: RangerAtlasAuthorizer.java    From ranger with Apache License 2.0
/**
 * Collects the audit event for one access result.
 * <p>
 * Events are keyed by policy id + access type. The first deny discards every event
 * collected so far and, from then on, further results are ignored.
 *
 * @param result the access result to audit
 */
@Override
public void processResult(RangerAccessResult result) {
    // A deny has already been recorded; nothing later can change the outcome.
    if (denyExists) {
        return;
    }

    final AuthzAuditEvent event = super.getAuthzEvents(result);
    if (event == null) {
        return;
    }

    // The event may describe entity/classification types; report the originally requested resource instead.
    if (resourcePath != null) {
        event.setResourcePath(resourcePath);
    }

    // First deny: everything collected so far was an allow, drop it and keep only the deny.
    if (!result.getIsAllowed()) {
        denyExists = true;
        auditEvents.clear();
    }

    // A later event with the same policy id + access type replaces the earlier one.
    auditEvents.put(event.getPolicyId() + event.getAccessType(), event);
}
 
Example #8
Source File: RangerKmsAuthorizer.java    From ranger with Apache License 2.0
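/**
 * Decides whether {@code ugi} may perform KMS operation {@code type} on {@code keyName}.
 * <p>
 * Two checks run in order: the locally configured blacklist for the operation, then the
 * Ranger KMS plugin (if one is set). A blacklisted user is denied without consulting Ranger.
 *
 * @param type     KMS operation being attempted
 * @param ugi      caller identity
 * @param keyName  key the operation targets
 * @param clientIp caller's address, forwarded to Ranger in the access request
 * @return {@code true} if the caller passes the blacklist and Ranger allows the request
 */
public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")");
	}

	// Read the plugin field once so the null-check and the call below see the same instance.
	final RangerKMSPlugin plugin = kmsPlugin;
	final String rangerAccessType = getRangerAccessType(type);

	// Check 1: per-operation blacklist; no list configured means nobody is blacklisted.
	final AccessControlList blacklist = blacklistedAcls.get(type);
	boolean ret = (blacklist == null) || !blacklist.isUserInList(ugi);
	// Guarded like the other debug traces so the message is only built when it is emitted.
	if (!ret && LOG.isDebugEnabled()) {
		LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
	}

	// Check 2: Ranger policy evaluation; a null result counts as deny.
	// NOTE(review): with kmsPlugin == null the blacklist verdict alone decides, so a
	// non-blacklisted user is allowed without any Ranger evaluation — confirm this is intended.
	if (plugin != null && ret) {
		final RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp);
		final RangerAccessResult result = plugin.isAccessAllowed(request);
		ret = result != null && result.getIsAllowed();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi +  " , "+keyName+ "): " + ret);
	}

	return ret;
}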
 
Example #9
Source File: HbaseAuditHandlerImpl.java    From ranger with Apache License 2.0
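/**
 * Builds the audit event for one access result but keeps it in this handler instead of
 * returning it to the default audit pipeline.
 * <p>
 * Events are accumulated: the previously built event is appended to {@code _allEvents}
 * and the new one becomes {@code _mostRecentEvent}.
 *
 * @param result the access result to turn into an audit event
 * @return always {@code null}, so the default audit handler audits nothing on its own
 */
@Override
public AuthzAuditEvent getAuthzEvents(RangerAccessResult result) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> HbaseAuditHandlerImpl.getAuthzEvents(" + result + ")");
	}

	// resetResourceForAudit() adjusts the request's resource before the base class builds the event.
	resetResourceForAudit(result.getAccessRequest());
	final AuthzAuditEvent event = super.getAuthzEvents(result);

	// first accumulate last set of events and then capture these as the most recent ones
	// (debug traces guarded like the rest of the method so messages are only built when emitted)
	if (_mostRecentEvent != null) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("getAuthzEvents: got one event from default audit handler");
		}
		_allEvents.add(_mostRecentEvent);
	} else if (LOG.isDebugEnabled()) {
		LOG.debug("getAuthzEvents: no event produced by default audit handler");
	}
	_mostRecentEvent = event;

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> getAuthzEvents: mostRecentEvent:" + _mostRecentEvent);
	}
	// We return null because we don't want default audit handler to audit anything!
	if(LOG.isDebugEnabled()) {
		LOG.debug("<== HbaseAuditHandlerImpl.getAuthzEvents(" + result + "): null");
	}
	return null;
}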
 
Example #10
Source File: RangerSystemAccessControl.java    From ranger with Apache License 2.0
/**
 * Returns the Ranger row filter for {@code tableName}, if a row-filter policy applies
 * to the caller.
 * <p>
 * The filter is evaluated as a SELECT on the table resource. When one applies it is
 * wrapped in a {@link ViewExpression} carrying the requesting user and the table's
 * catalog and schema alongside the filter text.
 *
 * @param context   caller's security context
 * @param tableName table being read
 * @return the filter expression, or empty when no row-filter policy applies
 */
@Override
public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
  final RangerPrestoAccessRequest request = createAccessRequest(createResource(tableName), context, PrestoAccessType.SELECT);
  final RangerAccessResult result = getRowFilterResult(request);

  if (!isRowFilterEnabled(result)) {
    return Optional.empty();
  }

  return Optional.of(new ViewExpression(
    context.getIdentity().getUser(),
    Optional.of(tableName.getCatalogName()),
    Optional.of(tableName.getSchemaTableName().getSchemaName()),
    result.getFilterExpr()
  ));
}
 
Example #11
Source File: RangerNiFiAuthorizer.java    From nifi with Apache License 2.0
/**
 * Emits the Ranger audit record for a request whose evaluation result was stashed in
 * {@code resultLookup} (populated elsewhere in this class).
 * <p>
 * The stashed result is removed under the map's lock. Nothing is logged when the request
 * was never evaluated or its policy did not ask for auditing.
 *
 * @param request the authorization request that was evaluated
 * @param result  the final authorization outcome (not used for the audit record itself)
 */
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult pending;
    synchronized (resultLookup) {
        pending = resultLookup.remove(request);
    }

    if (pending == null || !pending.getIsAudited()) {
        return;
    }

    // NOTE(review): getAuthzEvents() is assumed to return non-null for an audited result — confirm.
    final AuthzAuditEvent auditEvent = defaultAuditHandler.getAuthzEvents(pending);

    // Report the resource the client actually asked for, not the one the default handler derived.
    auditEvent.setResourceType(RANGER_NIFI_RESOURCE_NAME);
    auditEvent.setResourcePath(request.getRequestedResource().getIdentifier());

    defaultAuditHandler.logAuthzAudit(auditEvent);
}
 
Example #12
Source File: RangerKmsAuthorizer.java    From ranger with Apache License 2.0
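/**
 * Decides whether {@code ugi} may perform KMS operation {@code type} when no specific
 * key is involved (the Ranger request is issued with an empty key name).
 * <p>
 * The locally configured blacklist for the operation is consulted first; a blacklisted
 * user is denied without reaching Ranger. Otherwise the Ranger KMS plugin (when set)
 * evaluates the request. The call is wrapped in a perf tracer when tracing is enabled.
 *
 * @param type     KMS operation
 * @param ugi      UserGroupInformation of the caller
 * @param clientIp caller's address, forwarded to Ranger in the access request
 * @return {@code true} if the user has access
 */
@Override
public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ")");
	}

	RangerPerfTracer perf = null;
	if(RangerPerfTracer.isPerfTraceEnabled(PERF_KMSAUTH_REQUEST_LOG)) {
		perf = RangerPerfTracer.getPerfTracer(PERF_KMSAUTH_REQUEST_LOG, "RangerKmsAuthorizer.hasAccess(type=" + type + ")");
	}

	// Read the plugin field once so the null-check and the call below see the same instance.
	final RangerKMSPlugin plugin = kmsPlugin;
	final String rangerAccessType = getRangerAccessType(type);

	// Check 1: per-operation blacklist; no list configured means nobody is blacklisted.
	final AccessControlList blacklist = blacklistedAcls.get(type);
	boolean ret = (blacklist == null) || !blacklist.isUserInList(ugi);
	// Guarded like the other debug traces so the message is only built when it is emitted.
	if (!ret && LOG.isDebugEnabled()) {
		LOG.debug("Operation "+rangerAccessType+" blocked in the blacklist for user "+ugi.getUserName());
	}

	// Check 2: Ranger policy evaluation; a null result counts as deny.
	// NOTE(review): with kmsPlugin == null the blacklist verdict alone decides, so a
	// non-blacklisted user is allowed without any Ranger evaluation — confirm this is intended.
	if(plugin != null && ret) {
		final RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp);
		final RangerAccessResult result = plugin.isAccessAllowed(request);
		ret = result != null && result.getIsAllowed();
	}

	RangerPerfTracer.log(perf);
	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + ugi + "): " + ret);
	}

	return ret;
}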
 
Example #13
Source File: RangerSystemAccessControl.java    From ranger with Apache License 2.0
/** FILTERING AND DATA MASKING **/

  /**
   * Asks the Ranger plugin for the data-mask decision on {@code request}.
   * NOTE(review): the null second argument presumably means no audit handler is invoked
   * for this evaluation — confirm against the plugin's contract.
   *
   * @param request the access request describing the column being read
   * @return the plugin's data-mask result
   */
  private RangerAccessResult getDataMaskResult(RangerPrestoAccessRequest request) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("==> getDataMaskResult(request=" + request + ")");
    }

    final RangerAccessResult maskResult = rangerPlugin.evalDataMaskPolicies(request, null);

    if(LOG.isDebugEnabled()) {
      LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + maskResult);
    }

    return maskResult;
  }
 
Example #14
Source File: RangerSystemAccessControl.java    From ranger with Apache License 2.0
/**
 * Evaluates {@code accessType} on {@code resource} for the caller in {@code context}.
 * A missing (null) plugin result is treated as a deny.
 *
 * @param resource   resource being accessed
 * @param context    caller's security context
 * @param accessType operation requested
 * @return {@code true} only if the plugin returned an allowing result
 */
private boolean hasPermission(RangerPrestoResource resource, SystemSecurityContext context, PrestoAccessType accessType) {
  final RangerPrestoAccessRequest request = createAccessRequest(resource, context, accessType);
  final RangerAccessResult decision = rangerPlugin.isAccessAllowed(request);

  return decision != null && decision.getIsAllowed();
}
 
Example #15
Source File: RangerGaianAuthorizer.java    From egeria with Apache License 2.0
/**
 * Resolves the column expression for a custom mask: the policy's masked value with
 * {@code {col}} replaced by the column name, or the NULL mask when no value is configured.
 *
 * @param columnName column being masked
 * @param result     data-mask result carrying the custom masked value
 * @return the transformer expression to apply to the column
 */
private String getCustomMaskType(String columnName, RangerAccessResult result) {
    final String customExpression = result.getMaskedValue();

    return customExpression == null
        ? NULL_MASK_TYPE
        : customExpression.replace("{col}", columnName);
}
 
Example #16
Source File: RangerGaianAuthorizer.java    From egeria with Apache License 2.0
/**
 * Returns the transformer expression of the mask type selected by {@code result}, or
 * {@code null} when the result carries no mask-type definition.
 *
 * @param result data-mask result
 * @return the mask type's transformer, possibly {@code null}
 */
private String getTransformer(RangerAccessResult result) {
    final RangerServiceDef.RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();

    return maskTypeDef == null ? null : maskTypeDef.getTransformer();
}
 
Example #17
Source File: RangerSystemAccessControl.java    From ranger with Apache License 2.0
/**
 * Asks the Ranger plugin for the row-filter decision on {@code request}.
 * NOTE(review): the null second argument presumably means no audit handler is invoked
 * for this evaluation — confirm against the plugin's contract.
 *
 * @param request the access request describing the table being read
 * @return the plugin's row-filter result
 */
private RangerAccessResult getRowFilterResult(RangerPrestoAccessRequest request) {
  if(LOG.isDebugEnabled()) {
    LOG.debug("==> getRowFilterResult(request=" + request + ")");
  }

  final RangerAccessResult filterResult = rangerPlugin.evalRowFilterPolicies(request, null);

  if(LOG.isDebugEnabled()) {
    LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + filterResult);
  }

  return filterResult;
}
 
Example #18
Source File: RangerDefaultRowFilterPolicyItemEvaluator.java    From ranger with Apache License 2.0
/**
 * Applies this policy item's row filter to {@code result}, but only when no earlier
 * policy has already set a filter expression (the first filter wins).
 *
 * @param policyEvaluator evaluator of the enclosing policy, used to record the decision
 * @param result          accumulated decision, updated in place
 * @param matchType       how the policy's resource matched the request's resource
 */
@Override
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
	final RangerPolicyItemRowFilterInfo filterInfo = getRowFilterInfo();

	// Already filtered by another policy, or this item carries no filter: nothing to do.
	if (result.getFilterExpr() != null || filterInfo == null) {
		return;
	}

	result.setFilterExpr(filterInfo.getFilterExpr());
	// Record an allow by this policy, with the item's comments as the reason.
	policyEvaluator.updateAccessResult(result, matchType, true, getComments());
}
 
Example #19
Source File: RangerDefaultPolicyEvaluator.java    From ranger with Apache License 2.0
/**
 * Finds the policy item of this policy that matches {@code request}, dispatching on the
 * policy type (ACCESS, DATAMASK or ROWFILTER). A policy without an explicit type is
 * treated as an ACCESS policy.
 *
 * @param request access being evaluated
 * @param result  decision accumulated so far; consulted to decide whether allow items still matter
 * @return the matching item evaluator, or {@code null} if none matches or the type is unknown
 */
protected RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest request, RangerAccessResult result) {
	Integer policyType = getPolicy().getPolicyType();
	if (policyType == null) {
		policyType = RangerPolicy.POLICY_TYPE_ACCESS;
	}

	if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
		// Deny items are consulted first. Allow items are only tried while access is still
		// undetermined: a deny policy could have set isAllowed=true, but in such case it
		// wouldn't set isAccessDetermined=true.
		RangerPolicyItemEvaluator matched = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);

		if (matched == null && !result.getIsAccessDetermined()) {
			matched = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators);
		}

		return matched;
	}

	if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
		return getMatchingPolicyItem(request, dataMaskEvaluators);
	}

	if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
		return getMatchingPolicyItem(request, rowFilterEvaluators);
	}

	return null;
}
 
Example #20
Source File: RangerDefaultPolicyEvaluator.java    From ranger with Apache License 2.0
/**
 * Evaluates this policy's items against {@code request} and records the outcome in {@code result}.
 * <p>
 * For ACCESS-type policies (or policies with no explicit type) with {@code useAclSummaryForEvaluation}
 * set, the decision comes from the ACL summary ({@code lookupPolicyACLSummary}) instead of walking
 * the policy items. Otherwise the first matching policy item updates the result; if none matches
 * and the policy is marked deny-all-else (ACCESS type, request not for "any" access type), an
 * explicit deny is recorded.
 *
 * @param request   access being evaluated
 * @param matchType how the policy's resource matched the request's resource
 * @param result    accumulated decision, updated in place
 */
protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
	}
	// Fast path: the ACL summary only covers access policies, so other policy types fall through.
	if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getId() + "]");
		}
		// A null summary entry means the summary has no verdict; the result is left untouched.
		Integer accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(),  request.getAccessType());
		if (accessResult != null) {
			updateAccessResult(result, matchType, accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
		}
	} else {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getId() + "]");
		}

		RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result);

		if (matchedPolicyItem != null) {
			// The item decides allow/deny and writes it into the result through this evaluator.
			matchedPolicyItem.updateAccessResult(this, result, matchType);
		} else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) && !request.isAccessTypeAny()) {
			// No item matched: a deny-all-else access policy denies explicitly, using MatchType.NONE.
			updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
		}
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
	}
}
 
Example #21
Source File: RangerDefaultPolicyEvaluator.java    From ranger with Apache License 2.0
/**
 * Records this policy's decision in {@code result}.
 * <p>
 * A deny is recorded unless the policy matched only a DESCENDANT resource while the
 * request is for "any" access type. An allow is recorded only if no other policy has
 * already allowed the request and the match is not on an ANCESTOR resource. Whenever a
 * decision is recorded, the policy's priority, id, version and the reason go with it.
 *
 * @param result    accumulated decision, updated in place
 * @param matchType how the policy's resource matched the request's resource
 * @param isAllowed decision this policy reached
 * @param reason    free-text explanation stored on the result
 */
@Override
public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String reason) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
	}

	final boolean applies;
	if (isAllowed) {
		// if access is not yet allowed by another policy, and not merely an ancestor match
		applies = !result.getIsAllowed() && matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR;
	} else {
		// a descendant match only denies when the request names a specific access type
		applies = matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT || !result.getAccessRequest().isAccessTypeAny();
	}

	if (applies) {
		result.setIsAllowed(isAllowed);
		result.setPolicyPriority(getPolicyPriority());
		result.setPolicyId(getId());
		result.setReason(reason);
		result.setPolicyVersion(getPolicy().getVersion());
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
	}
}
 
Example #22
Source File: RangerKylinAuthorizer.java    From ranger with Apache License 2.0
/**
 * Authorizes {@code permission} for {@code user}/{@code groups} on a Kylin entity via the
 * Ranger Kylin plugin.
 * <p>
 * Only PROJECT_INSTANCE entities are resolved to a project name; other entity types are
 * evaluated with a null project. Access is denied when the plugin is not initialized or
 * returns no result.
 *
 * @param user       requesting user
 * @param groups     the user's groups
 * @param entityType Kylin ACL entity type
 * @param entityUuid uuid of the entity being accessed
 * @param permission permission requested
 * @return {@code true} only if the plugin returned an allowing result
 */
@Override
public boolean checkPermission(String user, List<String> groups, String entityType, String entityUuid,
		Permission permission) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKylinAuthorizer.checkPermission( user=" + user + ", groups=" + groups
				+ ", entityType=" + entityType + ", entityUuid=" + entityUuid + ", permission=" + permission + ")");
	}

	boolean allowed = false;

	if (kylinPlugin != null) {
		final KylinConfig kylinConfig = KylinConfig.getInstanceFromEnv();
		String projectName = null;

		// Only project entities carry a project name; the uuid is resolved through Kylin's project manager.
		if (AclEntityType.PROJECT_INSTANCE.equals(entityType)) {
			final ProjectInstance project = ProjectManager.getInstance(kylinConfig).getPrjByUuid(entityUuid);
			if (project == null) {
				if (LOG.isWarnEnabled()) {
					LOG.warn("Could not find kylin project for given uuid=" + entityUuid);
				}
			} else {
				projectName = project.getName();
			}
		}

		final String accessType = ExternalAclProvider.transformPermission(permission);
		final RangerKylinAccessRequest request = new RangerKylinAccessRequest(projectName, user, groups, accessType,
				clientIPAddress);

		// A missing result is a deny.
		final RangerAccessResult result = kylinPlugin.isAccessAllowed(request);
		allowed = result != null && result.getIsAllowed();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKylinAuthorizer.checkPermission(): result=" + allowed);
	}

	return allowed;
}
 
Example #23
Source File: RangerElasticsearchAuthorizer.java    From ranger with Apache License 2.0
/**
 * Authorizes {@code action} on {@code index} for {@code user} via the Ranger Elasticsearch plugin.
 * <p>
 * When no groups are supplied they are looked up for the user through MiscUtil. Access is
 * denied when the plugin is not initialized or returns no result.
 *
 * @param user            requesting user
 * @param groups          the user's groups, or {@code null} to have them looked up
 * @param index           index being accessed
 * @param action          Elasticsearch action, mapped to a Ranger privilege
 * @param clientIPAddress caller's address, forwarded to Ranger
 * @return {@code true} only if the plugin returned an allowing result
 */
@Override
public boolean checkPermission(String user, List<String> groups, String index, String action,
		String clientIPAddress) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerElasticsearchAuthorizer.checkPermission( user=" + user + ", groups=" + groups
				+ ", index=" + index + ", action=" + action + ", clientIPAddress=" + clientIPAddress + ")");
	}

	boolean allowed = false;

	if (elasticsearchPlugin != null) {
		// Callers may pass null groups; fall back to the groups MiscUtil knows for the user.
		final List<String> effectiveGroups = (groups == null)
				? new ArrayList<>(MiscUtil.getGroupsForRequestUser(user))
				: groups;
		final String privilege = IndexPrivilegeUtils.getPrivilegeFromAction(action);
		final RangerElasticsearchAccessRequest request = new RangerElasticsearchAccessRequest(user, effectiveGroups, index,
				privilege, clientIPAddress);

		// A missing result is a deny.
		final RangerAccessResult result = elasticsearchPlugin.isAccessAllowed(request);
		allowed = result != null && result.getIsAllowed();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerElasticsearchAuthorizer.checkPermission(): result=" + allowed);
	}

	return allowed;
}
 
Example #24
Source File: RangerGaianAuthorizer.java    From egeria with Apache License 2.0
/**
 * Evaluates Ranger data-mask policies for one column of the query.
 * <p>
 * The resource is the (schema, table, column) triple; the request carries the query's
 * user, groups and action type. A fresh {@code RangerDefaultAuditHandler} is passed, so
 * the evaluation is presumably audited — confirm against the plugin's contract.
 *
 * @param queryContext query being rewritten
 * @param columnName   column whose mask is evaluated
 * @return the plugin's data-mask result
 */
private RangerAccessResult getRangerDataMaskResult(QueryContext queryContext, String columnName) {
    final RangerGaianResource columnResource = new RangerGaianResource(
            GaianResourceType.COLUMN, queryContext.getSchema(), queryContext.getTableName(), columnName);
    final String user = queryContext.getUser();
    final Set<String> groups = queryContext.getUserGroups();
    final RangerGaianAccessRequest request = new RangerGaianAccessRequest(
            columnResource, queryContext.getActionType(), user, groups);

    return gaianPlugin.evalDataMaskPolicies(request, new RangerDefaultAuditHandler());
}
 
Example #25
Source File: RangerAtlasAuthorizer.java    From ranger with Apache License 2.0
/**
 * Runs {@code request} through the Ranger Atlas plugin with the given audit handler.
 * Fails closed: access is denied when the plugin is not initialized or yields no result.
 *
 * @param request      access request to evaluate
 * @param auditHandler handler that receives the evaluation result for auditing
 * @return {@code true} only if the plugin returned an allowing result
 */
private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHandler auditHandler) {
    final RangerBasePlugin plugin = atlasPlugin;

    if (plugin == null) {
        LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
        return false;
    }

    final RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);

    return result != null && result.getIsAllowed();
}
 
Example #26
Source File: RangerAtlasAuthorizer.java    From ranger with Apache License 2.0
/**
 * Runs {@code request} through the Ranger Atlas plugin using the plugin's default auditing.
 * Fails closed: access is denied when the plugin is not initialized or yields no result.
 *
 * @param request access request to evaluate
 * @return {@code true} only if the plugin returned an allowing result
 */
private boolean checkAccess(RangerAccessRequestImpl request) {
    final RangerBasePlugin plugin = atlasPlugin;

    if (plugin == null) {
        LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
        return false;
    }

    final RangerAccessResult result = plugin.isAccessAllowed(request);

    return result != null && result.getIsAllowed();
}
 
Example #27
Source File: RangerKafkaAuditHandler.java    From ranger with Apache License 2.0
/**
 * Decides whether {@code result} should produce an audit record.
 * <p>
 * A denied CREATE on a resource that carries a cluster value is not audited here; Kafka's
 * follow-up topic-level creation request is audited instead. Everything else is audited.
 *
 * @param result the access result being processed
 * @return {@code true} if an audit event should be built for the result
 */
private boolean isAuditingNeeded(final RangerAccessResult result) {
    final boolean isAllowed = result.getIsAllowed();
    final RangerAccessRequest request = result.getAccessRequest();
    final RangerAccessResourceImpl resource = (RangerAccessResourceImpl) request.getResource();
    // A value under KEY_CLUSTER presumably marks a cluster-level resource — confirm.
    final String clusterName = (String) resource.getValue(RangerKafkaAuthorizer.KEY_CLUSTER);

    if (clusterName == null) {
        return true;
    }

    final boolean deniedCreate = request.getAccessType().equalsIgnoreCase(RangerKafkaAuthorizer.ACCESS_TYPE_CREATE) && !isAllowed;

    return !deniedCreate;
}
 
Example #28
Source File: RangerKafkaAuditHandler.java    From ranger with Apache License 2.0
/**
 * Builds the audit event for {@code result}, unless {@link #isAuditingNeeded} says the
 * result should be skipped.
 *
 * @param result the access result to audit
 */
@Override
public void processResult(RangerAccessResult result) {
    // Denied topic creation at the cluster-resource level is not audited; Kafka's subsequent
    // request at the topic-resource level is the one that gets audited.
    if (isAuditingNeeded(result)) {
        auditEvent = super.getAuthzEvents(result);
    }
}
 
Example #29
Source File: TestRangerAuthorizer.java    From nifi-registry with Apache License 2.0
/**
 * Wires a {@code MockRangerAuthorizer} around a mocked Ranger plugin and the supplied
 * user-group provider, with Hadoop security forced to "simple".
 *
 * @param registryProperties   registry properties handed to the authorizer
 * @param userGroupProvider    provider returned for the "user-group-provider" identifier
 * @param configurationContext configuration applied via onConfigured()
 */
private void setup(final NiFiRegistryProperties registryProperties,
                  final UserGroupProvider userGroupProvider,
                  final AuthorizerConfigurationContext configurationContext) {
    // have to initialize this system property before anything else
    final File krb5Config = new File("src/test/resources/krb5.conf");
    assertTrue(krb5Config.exists());
    System.setProperty("java.security.krb5.conf", krb5Config.getAbsolutePath());

    // Reset authentication to "simple" in case an earlier test switched it to kerberos.
    final Configuration hadoopSecurityConf = new Configuration();
    hadoopSecurityConf.set(RangerAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(hadoopSecurityConf);

    rangerBasePlugin = mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerAuthorizer(rangerBasePlugin);

    // The authorizer resolves its user-group provider by identifier during initialize().
    final UserGroupProviderLookup providerLookup = mock(UserGroupProviderLookup.class);
    when(providerLookup.getUserGroupProvider(eq("user-group-provider"))).thenReturn(userGroupProvider);

    final AuthorizerInitializationContext initContext = mock(AuthorizerInitializationContext.class);
    when(initContext.getUserGroupProviderLookup()).thenReturn(providerLookup);

    authorizer.setRegistryProperties(registryProperties);
    authorizer.initialize(initContext);
    authorizer.onConfigured(configurationContext);

    // Guard against a leaked kerberos setting from another test.
    assertFalse(UserGroupInformation.isSecurityEnabled());

    // Canned plugin decisions shared by the test cases.
    allowedResult = mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
 
Example #30
Source File: RangerSqoopAuthorizer.java    From ranger with Apache License 2.0
/**
 * Verifies that {@code principal} holds every privilege in {@code privileges} according to Ranger.
 * <p>
 * Each privilege becomes one access request; the first one Ranger denies aborts the check
 * with a {@link SqoopException} (AUTH_0014). An empty privilege list passes trivially.
 * <p>
 * NOTE(review): two fail-open paths are visible here — when the plugin is not initialized
 * no privilege is checked at all, and a null result from the plugin is not treated as a
 * denial (other Ranger authorizers treat null as deny). Confirm both are intended.
 *
 * @param principal  principal whose privileges are checked
 * @param privileges privileges required for the operation
 * @throws SqoopException if Ranger denies any of the requested privileges
 */
@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerSqoopAuthorizer.checkPrivileges( principal=" + principal + ", privileges="
				+ privileges + ")");
	}

	if (CollectionUtils.isEmpty(privileges)) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() return because privileges is empty.");
		}
		return;
	}

	// Read the plugin field once so the null-check and the calls below see the same instance.
	final RangerSqoopPlugin activePlugin = sqoopPlugin;

	if (activePlugin != null) {
		for (MPrivilege privilege : privileges) {
			final RangerSqoopAccessRequest request = new RangerSqoopAccessRequest(principal, privilege, clientIPAddress);
			final RangerAccessResult result = activePlugin.isAccessAllowed(request);

			if (result != null && !result.getIsAllowed()) {
				throw new SqoopException(SecurityError.AUTH_0014, "principal=" + principal
						+ " does not have privileges for : " + privilege);
			}
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() success without exception.");
	}
}