/*
* (non-Javadoc)
*
* @see org.apache.solr.security.SolrAuthorizationPlugin#init(java.util.Map)
*/
@Override
public void init(Map<String, Object> initInfo) {
logger.info("init()");
try {
solrPlugin.init();
useProxyIP = RangerConfiguration.getInstance().getBoolean(PROP_USE_PROXY_IP, useProxyIP);
proxyIPHeader = RangerConfiguration.getInstance().get(PROP_PROXY_IP_HEADER, proxyIPHeader);
} catch (Throwable t) {
logger.fatal("Error init", t);
}
}
RangerPolicyRepository(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
super();
serviceName = servicePolicies.getServiceName();
serviceDef = servicePolicies.getServiceDef();
policies = Collections.unmodifiableList(servicePolicies.getPolicies());
policyVersion =
servicePolicies.getPolicyVersion() != null
? servicePolicies.getPolicyVersion().longValue()
: -1;
List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
if (!options.disableContextEnrichers
&& !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
for (RangerServiceDef.RangerContextEnricherDef enricherDef :
serviceDef.getContextEnrichers()) {
if (enricherDef == null) {
continue;
}
RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef);
if (contextEnricher != null) {
contextEnrichers.add(contextEnricher);
}
}
}
this.contextEnrichers = Collections.unmodifiableList(contextEnrichers);
List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
for (RangerPolicy policy : servicePolicies.getPolicies()) {
if (!policy.getIsEnabled()) {
continue;
}
RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options);
if (evaluator != null) {
policyEvaluators.add(evaluator);
}
}
Collections.sort(policyEvaluators);
this.policyEvaluators = Collections.unmodifiableList(policyEvaluators);
String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize";
if (options.cacheAuditResults) {
int auditResultCacheSize =
RangerConfiguration.getInstance()
.getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE);
accessAuditCache =
Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize));
} else {
accessAuditCache = null;
}
}
@Override
public void init(String serviceName, String appId, String configPropertyPrefix) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminJersey2RESTClient.init(" + configPropertyPrefix + ")");
}
_serviceName = serviceName;
_pluginId = _utils.getPluginId(serviceName, appId);
_baseUrl = _utils.getPolicyRestUrl(configPropertyPrefix);
_sslConfigFileName = _utils.getSsslConfigFileName(configPropertyPrefix);
_isSSL = _utils.isSsl(_baseUrl);
_restClientConnTimeOutMs =
RangerConfiguration.getInstance()
.getInt(configPropertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
_restClientReadTimeOutMs =
RangerConfiguration.getInstance()
.getInt(configPropertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
LOG.info(
"Init params: "
+ String.format(
"Base URL[%s], SSL Congig filename[%s], ServiceName=[%s]",
_baseUrl, _sslConfigFileName, _serviceName));
_client = getClient();
_client.property(ClientProperties.CONNECT_TIMEOUT, _restClientConnTimeOutMs);
_client.property(ClientProperties.READ_TIMEOUT, _restClientReadTimeOutMs);
if (LOG.isDebugEnabled()) {
LOG.debug(
"<== RangerAdminJersey2RESTClient.init("
+ configPropertyPrefix
+ "): "
+ _client.toString());
}
}
@BeforeClass
public static void setUpBeforeClass() throws Exception {
gsonBuilder =
new GsonBuilder()
.setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
.setPrettyPrinting()
.registerTypeAdapter(RangerAccessRequest.class, new RangerAccessRequestDeserializer())
.registerTypeAdapter(RangerAccessResource.class, new RangerResourceDeserializer())
.create();
// For setting up auditProvider
Properties auditProperties = new Properties();
String AUDIT_PROPERTIES_FILE = "xasecure-audit.properties";
File propFile = new File(AUDIT_PROPERTIES_FILE);
if (propFile.exists()) {
System.out.println("Loading Audit properties file" + AUDIT_PROPERTIES_FILE);
auditProperties.load(new FileInputStream(propFile));
} else {
System.out.println("Audit properties file missing: " + AUDIT_PROPERTIES_FILE);
auditProperties.setProperty(
"xasecure.audit.jpa.javax.persistence.jdbc.url",
"jdbc:mysql://node-1:3306/xasecure_audit");
auditProperties.setProperty("xasecure.audit.jpa.javax.persistence.jdbc.user", "xalogger");
auditProperties.setProperty("xasecure.audit.jpa.javax.persistence.jdbc.password", "xalogger");
auditProperties.setProperty(
"xasecure.audit.jpa.javax.persistence.jdbc.driver", "com.mysql.jdbc.Driver");
auditProperties.setProperty(
"xasecure.audit.is.enabled", "false"); // Set this to true to enable audit logging
auditProperties.setProperty("xasecure.audit.log4j.is.enabled", "false");
auditProperties.setProperty("xasecure.audit.log4j.is.async", "false");
auditProperties.setProperty("xasecure.audit.log4j.async.max.queue.size", "100000");
auditProperties.setProperty("xasecure.audit.log4j.async.max.flush.interval.ms", "30000");
auditProperties.setProperty("xasecure.audit.db.is.enabled", "false");
auditProperties.setProperty("xasecure.audit.db.is.async", "false");
auditProperties.setProperty("xasecure.audit.db.async.max.queue.size", "100000");
auditProperties.setProperty("xasecure.audit.db.async.max.flush.interval.ms", "30000");
auditProperties.setProperty("xasecure.audit.db.batch.size", "100");
}
AuditProviderFactory.getInstance()
.init(auditProperties, "hdfs"); // second parameter does not matter for v2
AuditHandler provider = AuditProviderFactory.getAuditProvider();
System.out.println("provider=" + provider.toString());
File file = File.createTempFile("ranger-admin-test-site", ".xml");
file.deleteOnExit();
FileOutputStream outStream = new FileOutputStream(file);
OutputStreamWriter writer = new OutputStreamWriter(outStream);
/*
// For setting up TestTagProvider
writer.write("<configuration>\n" +
" <property>\n" +
" <name>ranger.plugin.tag.policy.rest.url</name>\n" +
" <value>http://os-def:6080</value>\n" +
" </property>\n" +
" <property>\n" +
" <name>ranger.externalurl</name>\n" +
" <value>http://os-def:6080</value>\n" +
" </property>\n" +
"</configuration>\n");
*/
writer.write(
"<configuration>\n"
+
/*
// For setting up TestTagProvider
" <property>\n" +
" <name>ranger.plugin.tag.policy.rest.url</name>\n" +
" <value>http://os-def:6080</value>\n" +
" </property>\n" +
" <property>\n" +
" <name>ranger.externalurl</name>\n" +
" <value>http://os-def:6080</value>\n" +
" </property>\n" +
*/
// For setting up x-forwarded-for for Hive
" <property>\n"
+ " <name>ranger.plugin.hive.use.x-forwarded-for.ipaddress</name>\n"
+ " <value>true</value>\n"
+ " </property>\n"
+ " <property>\n"
+ " <name>ranger.plugin.hive.trusted.proxy.ipaddresses</name>\n"
+ " <value>255.255.255.255; 128.101.101.101;128.101.101.99</value>\n"
+ " </property>\n"
+ "</configuration>\n");
writer.close();
RangerConfiguration config = RangerConfiguration.getInstance();
config.addResource(new org.apache.hadoop.fs.Path(file.toURI()));
}
private void runTests(InputStreamReader reader, String testName) {
PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
assertTrue(
"invalid input: " + testName,
testCase != null
&& testCase.serviceDef != null
&& testCase.policies != null
&& testCase.tests != null);
ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setServiceName(testCase.serviceName);
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
if (null != testCase.tagPolicyInfo) {
ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
servicePolicies.setTagPolicies(tagPolicies);
}
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
policyEngineOptions.disableTagPolicyEvaluation = false;
boolean useForwardedIPAddress =
RangerConfiguration.getInstance()
.getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
String trustedProxyAddressString =
RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
if (trustedProxyAddresses != null) {
for (int i = 0; i < trustedProxyAddresses.length; i++) {
trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
}
}
policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
RangerAccessRequest request = null;
for (TestData test : testCase.tests) {
request = test.request;
if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS)
|| request
.getContext()
.containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
// Create a new AccessRequest
RangerAccessRequestImpl newRequest =
new RangerAccessRequestImpl(
request.getResource(),
request.getAccessType(),
request.getUser(),
request.getUserGroups());
newRequest.setClientType(request.getClientType());
newRequest.setAccessTime(request.getAccessTime());
newRequest.setAction(request.getAction());
newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
newRequest.setForwardedAddresses(request.getForwardedAddresses());
newRequest.setRequestData(request.getRequestData());
newRequest.setSessionId(request.getSessionId());
Map<String, Object> context = request.getContext();
String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
if (!StringUtils.isEmpty(tagsJsonString)) {
try {
Type listType = new TypeToken<List<RangerTag>>() {}.getType();
List<RangerTag> tagList = gsonBuilder.fromJson(tagsJsonString, listType);
context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tagList);
} catch (Exception e) {
System.err.println(
"TestPolicyEngine.runTests(): error parsing TAGS JSON string in file "
+ testName
+ ", tagsJsonString="
+ tagsJsonString
+ ", exception="
+ e);
}
} else if (request
.getContext()
.containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
String resourcesJsonString =
(String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
if (!StringUtils.isEmpty(resourcesJsonString)) {
try {
/*
Reader stringReader = new StringReader(resourcesJsonString);
RangerRequestedResources resources = gsonBuilder.fromJson(stringReader, RangerRequestedResources.class);
*/
Type myType = new TypeToken<RangerRequestedResources>() {}.getType();
RangerRequestedResources resources =
gsonBuilder.fromJson(resourcesJsonString, myType);
context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
} catch (Exception e) {
System.err.println(
"TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file "
+ testName
+ ", resourcesJsonString="
+ resourcesJsonString
+ ", exception="
+ e);
}
}
}
newRequest.setContext(context);
// accessResource.ServiceDef is set here, so that we can skip call to
// policyEngine.preProcess() which
// sets the serviceDef in the resource AND calls enrichers. We dont want enrichers to be
// called when
// context already contains tags -- This may change when we want enrichers to enrich request
// in the
// presence of tags!!!
// Safe cast
RangerAccessResourceImpl accessResource = (RangerAccessResourceImpl) request.getResource();
accessResource.setServiceDef(testCase.serviceDef);
request = newRequest;
} else if (!request
.getContext()
.containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
policyEngine.preProcess(request);
}
RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
if (test.result != null) {
RangerAccessResult expected = test.result;
RangerAccessResult result = policyEngine.isAccessAllowed(request, auditHandler);
assertNotNull("result was null! - " + test.name, result);
assertEquals(
"isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
assertEquals(
"isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
assertEquals(
"policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
}
if (test.dataMaskResult != null) {
RangerDataMaskResult expected = test.dataMaskResult;
RangerDataMaskResult result = policyEngine.evalDataMaskPolicies(request, auditHandler);
assertNotNull("result was null! - " + test.name, result);
assertEquals(
"maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
assertEquals(
"maskCondition mismatched! - " + test.name,
expected.getMaskCondition(),
result.getMaskCondition());
assertEquals(
"maskedValue mismatched! - " + test.name,
expected.getMaskedValue(),
result.getMaskedValue());
assertEquals(
"policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
}
if (test.rowFilterResult != null) {
RangerRowFilterResult expected = test.rowFilterResult;
RangerRowFilterResult result = policyEngine.evalRowFilterPolicies(request, auditHandler);
assertNotNull("result was null! - " + test.name, result);
assertEquals(
"filterExpr mismatched! - " + test.name,
expected.getFilterExpr(),
result.getFilterExpr());
assertEquals(
"policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
}
if (test.resourceAccessInfo != null) {
RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request);
assertNotNull("result was null! - " + test.name, result);
assertEquals(
"allowedUsers mismatched! - " + test.name,
expected.getAllowedUsers(),
result.getAllowedUsers());
assertEquals(
"allowedGroups mismatched! - " + test.name,
expected.getAllowedGroups(),
result.getAllowedGroups());
assertEquals(
"deniedUsers mismatched! - " + test.name,
expected.getDeniedUsers(),
result.getDeniedUsers());
assertEquals(
"deniedGroups mismatched! - " + test.name,
expected.getDeniedGroups(),
result.getDeniedGroups());
}
}
}
