View pivilege event creator
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/bd9abb8c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/bd9abb8c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/bd9abb8c
Branch: refs/heads/audit_logging
Commit: bd9abb8c5d31efd830ca8ac04ca74700125464ed
Parents: f514800
Author: Daniel Gergely <dgerg...@hortonworks.com>
Authored: Thu Feb 18 16:38:08 2016 +0100
Committer: Toader, Sebastian <stoa...@hortonworks.com>
Committed: Thu Mar 24 13:06:45 2016 +0100
----------------------------------------------------------------------
...ClusterPrivilegeChangeRequestAuditEvent.java | 4 +-
.../ViewPrivilegeChangeRequestAuditEvent.java | 138 +++++++++++++++++++
.../eventcreator/ViewPrivilegeEventCreator.java | 133 ++++++++++++++++++
.../server/controller/ControllerModule.java | 2 +
4 files changed, 276 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/bd9abb8c/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ClusterPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ClusterPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ClusterPrivilegeChangeRequestAuditEvent.java
index 883b1e3..34b44e3 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ClusterPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ClusterPrivilegeChangeRequestAuditEvent.java
@@ -55,7 +55,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
 roleSet.addAll(groups.keySet());
 builder.append(", Roles(");
- builder.append(System.lineSeparator());
+ if(!users.isEmpty() || !groups.isEmpty()) {
+ builder.append(System.lineSeparator());
+ }
 List<String> lines = new LinkedList<String>();
http://git-wip-us.apache.org/repos/asf/ambari/blob/bd9abb8c/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ViewPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ViewPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ViewPrivilegeChangeRequestAuditEvent.java
new file mode 100644
index 0000000..c71df18
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/ViewPrivilegeChangeRequestAuditEvent.java
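Review bot: The added guard `if(!users.isEmpty() || !groups.isEmpty())` tests the two maps separately, although `roleSet` — filled from `groups.keySet()` on the line above and, judging by the identical code in the new ViewPrivilegeChangeRequestAuditEvent, from `users.keySet()` just before the hunk — is exactly their union, so `if (!roleSet.isEmpty()) {` expresses the same condition once. The same guard in `buildAuditMessage` of the new ViewPrivilegeChangeRequestAuditEvent can be simplified the same way. The enclosing `buildAuditMessage` starts and ends outside the hunk.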
@@ -0,0 +1,138 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.audit.request;
+
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.lang.StringUtils;
+
+public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
+
+ public static class ViewPrivilegeChangeRequestAuditEventBuilder extends RequestAuditEventBuilder<ViewPrivilegeChangeRequestAuditEvent, ViewPrivilegeChangeRequestAuditEventBuilder> {
+
+ private Map<String, List<String>> users;
+ private Map<String, List<String>> groups;
+
+ private String name;
+
+ private String type;
+
+ private String version;
+
+
+ public ViewPrivilegeChangeRequestAuditEventBuilder() {
+ super.withOperation("View permission change");
+ }
+
+ @Override
+ protected ViewPrivilegeChangeRequestAuditEvent newAuditEvent() {
+ return new ViewPrivilegeChangeRequestAuditEvent(this);
+ }
+
+ /**
+ * Appends to the event the details of the incoming request.
+ * @param builder builder for the audit event details. 
+ */
+ @Override
+ protected void buildAuditMessage(StringBuilder builder) {
+ super.buildAuditMessage(builder);
+
+ builder.append(", Type(")
+ .append(type)
+ .append("), Version(")
+ .append(version)
+ .append("), Name(")
+ .append(name)
+ .append(")");
+
+ Set<String> roleSet = new HashSet<String>();
+ roleSet.addAll(users.keySet());
+ roleSet.addAll(groups.keySet());
+
+ builder.append(", Permissions(");
+ if(!users.isEmpty() || !groups.isEmpty()) {
+ builder.append(System.lineSeparator());
+ }
+
+ List<String> lines = new LinkedList<String>();
+
+ for(String role : roleSet) {
+ lines.add(role + ": ");
+ if(users.get(role) != null && !users.get(role).isEmpty()) {
+ lines.add(" Users: " + StringUtils.join(users.get(role), ", "));
+ }
+ if(groups.get(role) != null && !groups.get(role).isEmpty()) {
+ lines.add(" Groups: " + StringUtils.join(groups.get(role), ", "));
+ }
+ }
+
+ builder.append(StringUtils.join(lines,System.lineSeparator()));
+
+ builder.append(")");
+ }
+
+ public ViewPrivilegeChangeRequestAuditEventBuilder withName(String name) {
+ this.name = name;
+ return this;
+ }
+
+ public ViewPrivilegeChangeRequestAuditEventBuilder withType(String type) {
+ this.type = type;
+ return this;
+ }
+
+ public ViewPrivilegeChangeRequestAuditEventBuilder withVersion(String version) {
+ this.version = version;
+ return this;
+ }
+
+ public ViewPrivilegeChangeRequestAuditEventBuilder withUsers(Map<String, List<String>> users) {
+ this.users = users;
+ return this;
+ }
+
+ public ViewPrivilegeChangeRequestAuditEventBuilder withGroups(Map<String, List<String>> groups) {
+ this.groups = groups;
+ return this;
+ }
+ }
+
+ protected ViewPrivilegeChangeRequestAuditEvent() {
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ protected ViewPrivilegeChangeRequestAuditEvent(ViewPrivilegeChangeRequestAuditEventBuilder builder) {
+ super(builder);
+ }
+
+ /**
+ * Returns an builder for {@link ViewPrivilegeChangeRequestAuditEvent}
+ * @return a builder instance
+ */
+ public static 
ViewPrivilegeChangeRequestAuditEventBuilder builder() {
+ return new ViewPrivilegeChangeRequestAuditEventBuilder();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/bd9abb8c/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
new file mode 100644
index 0000000..7facd8d
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
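Review bot: `buildAuditMessage` dereferences `users` and `groups` (`users.keySet()`, `users.isEmpty()`, `users.get(role)`) with no null check, and `withUsers`/`withGroups` are optional public setters, so a builder that skips either of them throws a NullPointerException while the audit line is being formatted. Initialising both fields in the builder, e.g. `private Map<String, List<String>> users = Collections.emptyMap();` (with `java.util.Collections` imported), makes the message degrade to `Permissions()` instead. `withUsers` and `withGroups` also keep the caller's map by reference, so the rendered permissions track any later mutation of that map; copying into a fresh map is cheap here. The new class has no Javadoc; a summary such as `/** Audit event for a request that changes the users and groups holding a permission on a view instance. */` states the contract the operation name `"View permission change"` implies. The builder Javadoc `Returns an builder for` should read `Returns a builder for`.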
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.audit.request.eventcreator;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.ambari.server.api.services.Request;
+import org.apache.ambari.server.api.services.Result;
+import org.apache.ambari.server.api.services.ResultStatus;
+import org.apache.ambari.server.audit.AuditEvent;
+import org.apache.ambari.server.audit.request.AddViewInstanceRequestAuditEvent;
+import org.apache.ambari.server.audit.request.ChangeViewInstanceRequestAuditEvent;
+import org.apache.ambari.server.audit.request.DeleteViewInstanceRequestAuditEvent;
+import org.apache.ambari.server.audit.request.RequestAuditEventCreator;
+import org.apache.ambari.server.audit.request.ViewPrivilegeChangeRequestAuditEvent;
+import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.joda.time.DateTime;
+import org.springframework.security.core.context.SecurityContextHolder;
+import 
org.springframework.security.core.userdetails.User;
+
+/**
+ * This creator handles view privilege requests
+ * For resource type {@link Resource.Type#ViewInstance}
+ * and request types {@link Request.Type#PUT}
+ */
+public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
+
+ /**
+ * Set of {@link Request.Type}s that are handled by this plugin
+ */
+ private Set<Request.Type> requestTypes = new HashSet<Request.Type>();
+
+ {
+ requestTypes.add(Request.Type.PUT);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Set<Request.Type> getRequestTypes() {
+ return requestTypes;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Set<Resource.Type> getResourceTypes() {
+ return Collections.singleton(Resource.Type.ViewPrivilege);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Set<ResultStatus.STATUS> getResultStatuses() {
+ return null;
+ }
+
+ @Override
+ public AuditEvent createAuditEvent(Request request, Result result) {
+ String username = ((User) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername();
+
+
+ Map<String, List<String>> users = getEntities(request, "USER");
+ Map<String, List<String>> groups = getEntities(request, "GROUP");
+
+ return ViewPrivilegeChangeRequestAuditEvent.builder()
+ .withTimestamp(DateTime.now())
+ .withRequestType(request.getRequestType())
+ .withResultStatus(result.getStatus())
+ .withUrl(request.getURI())
+ .withRemoteIp(request.getRemoteAddress())
+ .withUserName(username)
+ .withType(getProperty(request, PropertyHelper.getPropertyId("PrivilegeInfo", "view_name")))
+ .withVersion(getProperty(request, PropertyHelper.getPropertyId("PrivilegeInfo", "version")))
+ .withName(getProperty(request, PropertyHelper.getPropertyId("PrivilegeInfo", "instance_name")))
+ .withUsers(users)
+ .withGroups(groups)
+ .build();
+
+ }
+
+ private String getProperty(Request request, String properyId) {
+ if (!request.getBody().getPropertySets().isEmpty()) {
+ return 
String.valueOf(request.getBody().getPropertySets().iterator().next().get(properyId));
+ }
+ return null;
+ }
+
+ private Map<String, List<String>> getEntities(final Request request, final String type) {
+ Map<String, List<String>> entities = new HashMap<String, List<String>>();
+
+ for (Map<String, Object> propertyMap : request.getBody().getPropertySets()) {
+ String ptype = String.valueOf(propertyMap.get(PropertyHelper.getPropertyId("PrivilegeInfo", "principal_type")));
+ if (type.equals(ptype)) {
+ String role = String.valueOf(propertyMap.get(PropertyHelper.getPropertyId("PrivilegeInfo", "permission_name")));
+ String name = String.valueOf(propertyMap.get(PropertyHelper.getPropertyId("PrivilegeInfo", "principal_name")));
+ if (!entities.containsKey(role)) {
+ entities.put(role, new LinkedList<String>());
+ }
+
+ entities.get(role).add(name);
+ }
+ }
+ return entities;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/bd9abb8c/ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java
index b5e1a48..0ab435a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java
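Review bot: The class Javadoc names `Resource.Type#ViewInstance` as the handled resource type, but `getResourceTypes()` returns `Collections.singleton(Resource.Type.ViewPrivilege)`; the comment should link `{@link Resource.Type#ViewPrivilege}` so the wiring is not misread. In `createAuditEvent` the principal is cast to `User` unconditionally, so an authentication whose principal is not a Spring `User` (or a missing authentication) fails inside the audit creator with a ClassCastException or NullPointerException and the privilege change goes unlogged; `Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();` followed by `String username = principal instanceof User ? ((User) principal).getUsername() : String.valueOf(principal);` keeps the event, and the null-authentication case presumably needs a similar check. The imports of `AddViewInstanceRequestAuditEvent`, `ChangeViewInstanceRequestAuditEvent` and `DeleteViewInstanceRequestAuditEvent` are not used in this file. `requestTypes` is a mutable `HashSet` returned directly from `getRequestTypes()`; `Collections.singleton(Request.Type.PUT)`, as `getResourceTypes()` already does, would make it immutable and drop the initializer block. `getResultStatuses()` returning `null` reads as "all statuses" but that is only a guess from here; a one-line comment such as `// null: this creator handles every result status` would make the contract explicit if that is what the interface defines.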
@@ -57,6 +57,7 @@ import org.apache.ambari.server.audit.request.eventcreator.ComponentEventCreator
 import org.apache.ambari.server.audit.request.eventcreator.ServiceEventCreator;
 import org.apache.ambari.server.audit.request.eventcreator.UserEventCreator;
 import org.apache.ambari.server.audit.request.eventcreator.ViewInstanceEventCreator;
+import org.apache.ambari.server.audit.request.eventcreator.ViewPrivilegeEventCreator;
 import org.apache.ambari.server.checks.AbstractCheckDescriptor;
 import org.apache.ambari.server.checks.UpgradeCheckRegistry;
 import org.apache.ambari.server.configuration.Configuration;
@@ -414,6 +415,7 @@ public class ControllerModule extends AbstractModule {
 auditLogEventCreatorBinder.addBinding().to(ServiceConfigDownloadEventCreator.class);
 auditLogEventCreatorBinder.addBinding().to(BlueprintEventCreator.class);
 auditLogEventCreatorBinder.addBinding().to(ViewInstanceEventCreator.class);
+ auditLogEventCreatorBinder.addBinding().to(ViewPrivilegeEventCreator.class);
 bind(RequestAuditLogger.class).to(RequestAuditLoggerImpl.class);
 }