Repository: ranger Updated Branches: refs/heads/master a8b4976de -> b7c425945
RANGER-1578: Ranger plugins should use default service-def when it fails to obtain from Ranger Admin or cache Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/b7c42594 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/b7c42594 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/b7c42594 Branch: refs/heads/master Commit: b7c425945bd5323e20ccb690bc7bccb1397727fa Parents: a8b4976 Author: Abhay Kulkarni <akulka...@hortonworks.com> Authored: Fri May 12 17:13:22 2017 -0700 Committer: Abhay Kulkarni <akulka...@hortonworks.com> Committed: Fri May 12 17:13:22 2017 -0700 ---------------------------------------------------------------------- .../policyengine/RangerPolicyEngineImpl.java | 3 ++ .../ranger/plugin/service/RangerBasePlugin.java | 37 +++++++++++++++++++- .../plugin/store/EmbeddedServiceDefsUtil.java | 3 +- .../ranger/plugin/util/PolicyRefresher.java | 7 ++++ .../hive/authorizer/RangerHiveAuthorizer.java | 4 +-- 5 files changed, 49 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/b7c42594/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 508ef93..433c5de 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -193,6 +193,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { ret.setIsAudited(false); break; default: + if (CollectionUtils.isEmpty(policyRepository.getPolicies()) && tagPolicyRepository == null) { + ret.setIsAudited(true); + } break; } return ret; http://git-wip-us.apache.org/repos/asf/ranger/blob/b7c42594/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 5b13a2f..13900c6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -19,6 +19,7 @@ package org.apache.ranger.plugin.service; +import java.util.ArrayList; import java.util.Collection; import java.util.Hashtable; import java.util.Map;
@@ -31,6 +32,7 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.admin.client.RangerAdminClient; import org.apache.ranger.admin.client.RangerAdminRESTClient; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; +import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
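Review bot: In RangerPolicyEngineImpl.java (hunk at -193), the new `default:` branch forces `ret.setIsAudited(true)` without a comment saying why, and the condition treats a null `tagPolicyRepository` differently from one that exists but holds no policies. A comment such as `// no policies loaded (e.g. default service-def fallback): audit every access so the gap is visible in the audit trail` would record the intent. If a tag repository with an empty policy list can occur, the check probably needs to cover that case as well. That cannot be confirmed from here, because the enclosing method starts and ends outside the hunk.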
@@ -43,6 +45,7 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.PolicyRefresher; import org.apache.ranger.plugin.util.ServicePolicies;
@@ -180,6 +183,9 @@ public class RangerBasePlugin { RangerPolicyEngine oldPolicyEngine = this.policyEngine; if (policies == null) { + policies = getDefaultSvcPolicies(); + } + if (policies == null) { this.policyEngine = null; } else { RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(appId, policies, policyEngineOptions);
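Review bot: In RangerBasePlugin.java (hunk at -180), the fallback `policies = getDefaultSvcPolicies();` happens silently, so nothing in the plugin log tells an operator that requests are now evaluated against an empty policy list instead of policies from Ranger Admin or the cache. A warning right after the assignment, for example `LOG.warn("No policies available for service " + serviceName + "; using default service-def with an empty policy list");`, would make that state detectable. The change also alters what `setPolicies(null)` means for existing callers: it used to clear the engine and now installs one whenever a service-def is available, which deserves a sentence in the method's Javadoc. The method body continues outside the hunk.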
@@ -421,7 +427,36 @@ public class RangerBasePlugin { } } } - + + public RangerServiceDef getDefaultServiceDef() { + RangerServiceDef ret = null; + + if (StringUtils.isNotBlank(serviceType)) { + try { + ret = EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(serviceType); + } catch (Exception exp) { + LOG.error("Could not get embedded service-def for " + serviceType); + } + } + return ret; + } + + private ServicePolicies getDefaultSvcPolicies() { + ServicePolicies ret = null; + + RangerServiceDef serviceDef = getServiceDef(); + if (serviceDef == null) { + serviceDef = getDefaultServiceDef(); + } + if (serviceDef != null) { + ret = new ServicePolicies(); + ret.setServiceDef(serviceDef); + ret.setServiceName(serviceName); + ret.setPolicies(new ArrayList<RangerPolicy>()); + } + return ret; + } + public boolean logErrorMessage(String message) { LogHistory log = logHistoryList.get(message); if (log == null) { http://git-wip-us.apache.org/repos/asf/ranger/blob/b7c42594/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index 295272d..0bc09f6 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -100,6 +100,7 @@ public class EmbeddedServiceDefsUtil { /** Private constructor to restrict instantiation of this singleton utility class. */ private EmbeddedServiceDefsUtil() { + gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create(); } public static EmbeddedServiceDefsUtil instance() {
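Review bot: In `getDefaultServiceDef()` (RangerBasePlugin.java, hunk at -421), the catch block logs `"Could not get embedded service-def for " + serviceType` but drops the exception, so the cause of a failed fallback is lost. Pass it through with `LOG.error("Could not get embedded service-def for " + serviceType, exp);`. Both new methods also lack Javadoc; `getDefaultServiceDef()` is public and returns null when `serviceType` is blank or the lookup throws, which callers need to know. `getDefaultSvcPolicies()` never sets a policy version on the `ServicePolicies` it returns, so a one-line comment saying whether that is intentional would help the next reader.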
@@ -112,8 +113,6 @@ public class EmbeddedServiceDefsUtil { try { createEmbeddedServiceDefs = RangerConfiguration.getInstance().getBoolean(PROPERTY_CREATE_EMBEDDED_SERVICE_DEFS, true); - gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create(); - supportedServiceDefs =getSupportedServiceDef(); /* * Maintaining the following service-def create-order is critical for the http://git-wip-us.apache.org/repos/asf/ranger/blob/b7c42594/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index c5a4244..b5b4f16 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -54,6 +54,7 @@ public class PolicyRefresher extends Thread { private long lastKnownVersion = -1L; private long lastActivationTimeInMillis; private boolean policiesSetInPlugin; + private boolean serviceDefSetInPlugin; public PolicyRefresher(RangerBasePlugin plugIn, String serviceType, String appId, String serviceName, RangerAdminClient rangerAdmin, long pollingIntervalMs, String cacheDir) { if(LOG.isDebugEnabled()) {
@@ -222,6 +223,11 @@ public class PolicyRefresher extends Thread { policiesSetInPlugin = true; setLastActivationTimeInMillis(System.currentTimeMillis()); lastKnownVersion = svcPolicies.getPolicyVersion(); + } else { + if (!policiesSetInPlugin && !serviceDefSetInPlugin) { + plugIn.setPolicies(null); + serviceDefSetInPlugin = true; + } } } catch (RangerServiceNotFoundException snfe) { if (disableCacheIfServiceNotFound) {
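Review bot: In PolicyRefresher.java (hunk at -222), `serviceDefSetInPlugin = true` is assigned unconditionally after `plugIn.setPolicies(null)`, although that call can still leave the plugin without an engine when no service-def is found (`getDefaultSvcPolicies()` returns null in that case). The flag then records something that did not happen, and the guard `!policiesSetInPlugin && !serviceDefSetInPlugin` prevents the fallback from being tried again on later refresh cycles. Either rename the flag to say what it tracks (that the fallback was attempted), or set it from the plugin's actual state, e.g. `serviceDefSetInPlugin = plugIn.getServiceDef() != null;`, assuming `getServiceDef()` is accessible from this class. The same assignment in the `RangerServiceNotFoundException` branch (hunk at -229) has the same issue. The enclosing method starts and ends outside both hunks.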
@@ -229,6 +235,7 @@ public class PolicyRefresher extends Thread { plugIn.setPolicies(null); setLastActivationTimeInMillis(System.currentTimeMillis()); lastKnownVersion = -1; + serviceDefSetInPlugin = true; } } catch (Exception excp) { LOG.error("Encountered unexpected exception, ignoring..", excp); http://git-wip-us.apache.org/repos/asf/ranger/blob/b7c42594/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 8f6311e..0117886 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -409,9 +409,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { } } - if(result != null && !result.getIsAllowed()) { + if(result == null || !result.getIsAllowed()) { String path = resource.getAsString(); - path = buildPathForException(path,hiveOpType); + path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType); throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path)); }
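Review bot: In RangerHiveAuthorizer.java (hunk at -409), the condition `result == null || !result.getIsAllowed()` now denies when no result came back, but the exception text is the same as for an ordinary policy denial, so the two cases cannot be told apart afterwards. A comment on the condition, `// fail closed: a null result means no policy decision was produced`, plus a warning logged through the class's logger when `result == null`, would let operators separate "no decision available" from "a policy denied this". The new null guard covers `path` only. Whether `resource` or `request` can be null on the `result == null` path is not visible, because the enclosing method starts and ends outside the hunk. The literal `"Unknown resource!!"` would also read better without the doubled exclamation marks.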