This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 8b963d304c77f7daf86131a514f1744a44b485b1 Author: Madhan Neethiraj <[email protected]> AuthorDate: Sun Apr 5 17:09:47 2020 -0700 RANGER-2780: updated RangerBasePlugin to support audit-excluded-users --- .../hadoop/config/RangerPluginConfig.java | 39 +++ .../ranger/plugin/policyengine/PolicyEngine.java | 63 ----- .../plugin/policyengine/RangerPolicyEngine.java | 4 - .../policyengine/RangerPolicyEngineImpl.java | 175 +++++++++---- .../ranger/plugin/service/RangerBasePlugin.java | 20 +- .../plugin/policyengine/TestPolicyEngine.java | 36 ++- ...icyengine_audit_exclude_users_groups_roles.json | 283 +++++++++++++++++++++ 7 files changed, 486 insertions(+), 134 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java index cea6842..89a31cc 100644 --- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java +++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java @@ -19,6 +19,7 @@ package org.apache.ranger.authorization.hadoop.config; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.log4j.Logger; @@ -27,6 +28,9 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import java.io.File; import java.net.URL; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; public class RangerPluginConfig extends RangerConfiguration { @@ -43,6 +47,11 @@ public class RangerPluginConfig extends RangerConfiguration { private final boolean useForwardedIPAddress; private final String[] trustedProxyAddresses; private final String propertyPrefix; + private Set<String> auditExcludedUsers = Collections.emptySet(); + private Set<String> auditExcludedGroups = Collections.emptySet(); + private Set<String> auditExcludedRoles = Collections.emptySet(); + private Set<String> superUsers = Collections.emptySet(); + private Set<String> superGroups = Collections.emptySet(); public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, RangerPolicyEngineOptions policyEngineOptions) { @@ -143,6 +152,36 @@ public class RangerPluginConfig extends RangerConfiguration { return policyEngineOptions; } + public void setAuditExcludedUsersGroupsRoles(Set<String> users, Set<String> groups, Set<String> roles) { + auditExcludedUsers = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users); + auditExcludedGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups); + auditExcludedRoles = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(roles); + } + + public void setSuperUsersGroups(Set<String> users, Set<String> groups) { + superUsers = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users); + superGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups); + } + + public boolean isAuditExcludedUser(String userName) { + return auditExcludedUsers.contains(userName); + } + + public boolean hasAuditExcludedGroup(Set<String> userGroups) { + return userGroups != null && userGroups.size() > 0 && auditExcludedGroups.size() > 0 && CollectionUtils.containsAny(userGroups, auditExcludedGroups); + } + + public boolean hasAuditExcludedRole(Set<String> userRoles) { + return userRoles != null && userRoles.size() > 0 && auditExcludedRoles.size() > 0 && CollectionUtils.containsAny(userRoles, auditExcludedRoles); + } + + public boolean isSuperUser(String userName) { + return superUsers.contains(userName); + } + + public boolean hasSuperGroup(Set<String> userGroups) { + return userGroups != null && userGroups.size() > 0 && superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups); + } private void addResourcesForServiceType(String serviceType) { String auditCfg = "ranger-" + serviceType + "-audit.xml"; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index bc80677..297d02f 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java @@ -33,7 +33,6 @@ import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicyDelta; @@ -64,9 +63,6 @@ public class PolicyEngine { private boolean useForwardedIPAddress; private String[] trustedProxyAddresses; private boolean isPreCleaned = false; - private final Set<String> auditExcludeUsers; - private final Set<String> auditExcludeGroups; - private final Set<String> auditExcludeRoles; public boolean getUseForwardedIPAddress() { @@ -115,18 +111,6 @@ public class PolicyEngine { public RangerPluginContext getPluginContext() { return pluginContext; } - public Set<String> getAuditExcludeUsers() { - return auditExcludeUsers; - } - - public Set<String> getAuditExcludeGroups() { - return auditExcludeGroups; - } - - public Set<String> getAuditExcludeRoles() { - return auditExcludeRoles; - } - @Override public String toString() { return toString(new StringBuilder()).toString(); @@ -177,45 +161,6 @@ public class PolicyEngine { return resourceZoneTrie; } - public RangerAccessResult createAccessResult(RangerAccessRequest request, int policyType) { - RangerAccessResult ret = new RangerAccessResult(policyType, getServiceName(), getPolicyRepository().getServiceDef(), request); - - switch (getPolicyRepository().getAuditModeEnum()) { - case AUDIT_ALL: - ret.setIsAudited(true); - break; - - case AUDIT_NONE: - ret.setIsAudited(false); - break; - - default: - if (CollectionUtils.isEmpty(getPolicyRepository().getPolicies()) && getTagPolicyRepository() == null) { - ret.setIsAudited(true); - } - - break; - } - if (isAuditExcludedRequest(request)) { - ret.setIsAudited(false); - } - return ret; - } - - private boolean isAuditExcludedRequest(RangerAccessRequest request) { - boolean ret = getAuditExcludeUsers().contains(request.getUser()); - - if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeGroups())) { - ret = CollectionUtils.containsAny(getAuditExcludeGroups(), request.getUserGroups()); - } - - if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeRoles())) { - Set<String> roles = this.pluginContext.getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups()); - ret = CollectionUtils.containsAny(getAuditExcludeRoles(), roles); - } - return ret; - } - public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) { if (LOG.isDebugEnabled()) { LOG.debug("==> PolicyEngine(" + ", " + servicePolicies + ", " + pluginContext + ")"); @@ -290,10 +235,6 @@ public class PolicyEngine { } } - this.auditExcludeUsers = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)) : new HashSet<String>(); - this.auditExcludeGroups = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)) : new HashSet<String>(); - this.auditExcludeRoles = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)) : new HashSet<String>(); - RangerPerfTracer.log(perf); if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) { @@ -622,10 +563,6 @@ public class PolicyEngine { this.trustedProxyAddresses = other.trustedProxyAddresses; this.pluginContext = other.pluginContext; - this.auditExcludeUsers = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)) : new HashSet<String>(); - this.auditExcludeGroups = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)) : new HashSet<String>(); - this.auditExcludeRoles = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)) : new HashSet<String>(); - long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L; List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>(); List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>(); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index c673169..fdec9ca 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -51,10 +51,6 @@ public interface RangerPolicyEngine { void setTrustedProxyAddresses(String[] trustedProxyAddresses); - void setSuperUsersAndGroups(Set<String> users, Set<String> groups); - - boolean isSuperUser(String userName, Set<String> userGroups); - RangerServiceDef getServiceDef(); long getPolicyVersion(); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index c68e22d..6140549 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -24,6 +24,7 @@ import org.apache.commons.collections.ListUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.contextenricher.RangerTagForEval; import org.apache.ranger.plugin.model.RangerPolicy; @@ -59,11 +60,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { private final PolicyEngine policyEngine; private final RangerAccessRequestProcessor requestProcessor; - private final Set<String> svcCfgSuperUsers; - private final Set<String> svcCfgSuperGroups; - private Set<String> superUsers; - private Set<String> superGroups; - private boolean isEmptySupers = true; + private final ServiceConfig serviceConfig; static public RangerPolicyEngine getPolicyEngine(final RangerPolicyEngineImpl other, final ServicePolicies servicePolicies) { @@ -81,29 +78,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) { - this(servicePolicies, pluginContext, roles, null, null); - } - - public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles, Set<String> superUsers, Set<String> superGroups) { - policyEngine = new PolicyEngine(servicePolicies, pluginContext, roles); - - policyEngine.getPluginContext().getAuthContext().setRoles(roles); - + policyEngine = new PolicyEngine(servicePolicies, pluginContext, roles); + serviceConfig = new ServiceConfig(servicePolicies.getServiceConfig()); requestProcessor = new RangerDefaultRequestProcessor(policyEngine); - - Map<String, String> svcConfig = servicePolicies.getServiceConfig(); - String cfgSuperUsers = null; - String cfgSuperGroups = null; - - if (svcConfig != null) { - cfgSuperUsers = svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_USERS); - cfgSuperGroups = svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS); - } - - svcCfgSuperUsers = StringUtils.isNotBlank(cfgSuperUsers) ? StringUtil.toSet(cfgSuperUsers) : Collections.emptySet(); - svcCfgSuperGroups = StringUtils.isNotBlank(cfgSuperGroups) ? StringUtil.toSet(cfgSuperGroups) : Collections.emptySet(); - - setSuperUsersAndGroups(superUsers, superGroups); } @Override @@ -497,21 +474,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public void setSuperUsersAndGroups(Set<String> users, Set<String> groups) { - this.superUsers = users == null ? Collections.emptySet() : users; - this.superGroups = groups == null ? Collections.emptySet() : groups; - this.isEmptySupers = CollectionUtils.isEmpty(superUsers) && CollectionUtils.isEmpty(svcCfgSuperUsers) && - CollectionUtils.isEmpty(superGroups) && CollectionUtils.isEmpty(svcCfgSuperGroups); - } - - @Override - public boolean isSuperUser(String userName, Set<String> userGroups) { - return !isEmptySupers && (superUsers.contains(userName) || svcCfgSuperUsers.contains(userName) || - CollectionUtils.containsAny(superGroups, userGroups) || - CollectionUtils.containsAny(svcCfgSuperGroups, userGroups)); - } - - @Override public RangerServiceDef getServiceDef() { return policyEngine.getServiceDef(); } @@ -574,12 +536,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } private RangerPolicyEngineImpl(final PolicyEngine policyEngine, RangerPolicyEngineImpl other) { - this.policyEngine = policyEngine; - this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine); - this.svcCfgSuperUsers = new HashSet<>(other.svcCfgSuperUsers); - this.svcCfgSuperGroups = new HashSet<>(other.svcCfgSuperGroups); - this.superUsers = new HashSet<>(other.superUsers); - this.superGroups = new HashSet<>(other.superGroups); + this.policyEngine = policyEngine; + this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine); + this.serviceConfig = new ServiceConfig(other.serviceConfig); } private RangerAccessResult zoneAwareAccessEvaluationWithNoAudit(RangerAccessRequest request, int policyType) { @@ -623,7 +582,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } final Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date(); - final RangerAccessResult ret = policyEngine.createAccessResult(request, policyType); + final RangerAccessResult ret = createAccessResult(request, policyType); final boolean isSuperUser = isSuperUser(request.getUser(), request.getUserGroups()); // for superusers, set access as allowed @@ -751,7 +710,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerTagForEval tag = policyEvaluator.getTag(); RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); - RangerAccessResult tagEvalResult = policyEngine.createAccessResult(tagEvalRequest, policyType); + RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest, policyType); if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for tag (" + tag.getType() + ")"); @@ -798,4 +757,120 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")"); } } + + private RangerAccessResult createAccessResult(RangerAccessRequest request, int policyType) { + RangerPolicyRepository repository = policyEngine.getPolicyRepository(); + RangerAccessResult ret = new RangerAccessResult(policyType, repository.getServiceName(), repository.getServiceDef(), request); + + switch (repository.getAuditModeEnum()) { + case AUDIT_ALL: + ret.setIsAudited(true); + break; + + case AUDIT_NONE: + ret.setIsAudited(false); + break; + + default: + if (CollectionUtils.isEmpty(repository.getPolicies()) && policyEngine.getTagPolicyRepository() == null) { + ret.setIsAudited(true); + } + + break; + } + + if (isAuditExcludedUser(request.getUser(), request.getUserGroups(), RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext()))) { + ret.setIsAudited(false); + } + + return ret; + } + + private boolean isAuditExcludedUser(String userName, Set<String> userGroups, Set<String> userRoles) { + boolean ret = serviceConfig.isAuditExcludedUser(userName); + + if (!ret) { + RangerPluginConfig pluginConfig = policyEngine.getPluginContext().getConfig(); + + ret = pluginConfig.isAuditExcludedUser(userName); + + if (!ret && userGroups != null && userGroups.size() > 0) { + ret = serviceConfig.hasAuditExcludedGroup(userGroups) || pluginConfig.hasAuditExcludedGroup(userGroups); + } + + if (!ret && userRoles != null && userRoles.size() > 0) { + ret = serviceConfig.hasAuditExcludedRole(userRoles) || pluginConfig.hasAuditExcludedRole(userRoles); + } + } + + return ret; + } + + private boolean isSuperUser(String userName, Set<String> userGroups) { + boolean ret = serviceConfig.isSuperUser(userName); + + if (!ret) { + RangerPluginConfig pluginConfig = policyEngine.getPluginContext().getConfig(); + + ret = pluginConfig.isSuperUser(userName); + + if (!ret && userGroups != null && userGroups.size() > 0) { + ret = serviceConfig.hasSuperGroup(userGroups) || pluginConfig.hasSuperGroup(userGroups); + } + } + + return ret; + } + + private static class ServiceConfig { + private final Set<String> auditExcludedUsers; + private final Set<String> auditExcludedGroups; + private final Set<String> auditExcludedRoles; + private final Set<String> superUsers; + private final Set<String> superGroups; + + public ServiceConfig(Map<String, String> svcConfig) { + if (svcConfig != null) { + auditExcludedUsers = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)); + auditExcludedGroups = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)); + auditExcludedRoles = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)); + superUsers = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_USERS)); + superGroups = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS)); + } else { + auditExcludedUsers = Collections.emptySet(); + auditExcludedGroups = Collections.emptySet(); + auditExcludedRoles = Collections.emptySet(); + superUsers = Collections.emptySet(); + superGroups = Collections.emptySet(); + } + } + + public ServiceConfig(ServiceConfig other) { + auditExcludedUsers = other == null || CollectionUtils.isEmpty(other.auditExcludedUsers) ? Collections.emptySet() : new HashSet<>(other.auditExcludedUsers); + auditExcludedGroups = other == null || CollectionUtils.isEmpty(other.auditExcludedGroups) ? Collections.emptySet() : new HashSet<>(other.auditExcludedGroups); + auditExcludedRoles = other == null || CollectionUtils.isEmpty(other.auditExcludedRoles) ? Collections.emptySet() : new HashSet<>(other.auditExcludedRoles); + superUsers = other == null || CollectionUtils.isEmpty(other.superUsers) ? Collections.emptySet() : new HashSet<>(other.superUsers); + superGroups = other == null || CollectionUtils.isEmpty(other.superGroups) ? Collections.emptySet() : new HashSet<>(other.superGroups); + } + + public boolean isAuditExcludedUser(String userName) { + return auditExcludedUsers.contains(userName); + } + + public boolean hasAuditExcludedGroup(Set<String> userGroups) { + return userGroups != null && userGroups.size() > 0 && auditExcludedGroups.size() > 0 && CollectionUtils.containsAny(userGroups, auditExcludedGroups); + } + + public boolean hasAuditExcludedRole(Set<String> userRoles) { + return userRoles != null && userRoles.size() > 0 && auditExcludedRoles.size() > 0 && CollectionUtils.containsAny(userRoles, auditExcludedRoles); + } + + public boolean isSuperUser(String userName) { + return superUsers.contains(userName); + } + + public boolean hasSuperGroup(Set<String> userGroups) { + return userGroups != null && userGroups.size() > 0 && superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups); + } + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index b5e18ba..41b2492 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -56,7 +56,6 @@ import org.apache.ranger.plugin.util.*; public class RangerBasePlugin { private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class); - private final RangerPluginConfig pluginConfig; private final RangerPluginContext pluginContext; private final Map<String, LogHistory> logHistoryList = new Hashtable<>(); @@ -67,8 +66,6 @@ public class RangerBasePlugin { private RangerAuthContext currentAuthContext; private RangerAccessResultProcessor resultProcessor; private RangerRoles roles; - private Set<String> superUsers = Collections.emptySet(); - private Set<String> superGroups = Collections.emptySet(); public RangerBasePlugin(String serviceType, String appId) { @@ -130,15 +127,12 @@ public class RangerBasePlugin { pluginContext.notifyAuthContextChanged(); } - public void setSuperUsersAndGroups(Set<String> users, Set<String> groups) { - this.superUsers = users == null ? Collections.emptySet() : users; - this.superGroups = groups == null ? Collections.emptySet() : groups; - - RangerPolicyEngine policyEngine = this.policyEngine; + public void setAuditExcludedUsersGroupsRoles(Set<String> users, Set<String> groups, Set<String> roles) { + pluginConfig.setAuditExcludedUsersGroupsRoles(users, groups, roles); + } - if (policyEngine != null) { - policyEngine.setSuperUsersAndGroups(this.superUsers, this.superGroups); - } + public void setSuperUsersAndGroups(Set<String> users, Set<String> groups) { + pluginConfig.setSuperUsersGroups(users, groups); } public RangerServiceDef getServiceDef() { @@ -230,7 +224,7 @@ public class RangerBasePlugin { LOG.debug("Creating engine from policies"); } - newPolicyEngine = new RangerPolicyEngineImpl(policies, pluginContext, roles, superUsers, superGroups); + newPolicyEngine = new RangerPolicyEngineImpl(policies, pluginContext, roles); } else { if (LOG.isDebugEnabled()) { LOG.debug("policy-deltas are not null"); @@ -259,7 +253,7 @@ public class RangerBasePlugin { LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]"); } - newPolicyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles, superUsers, superGroups); + newPolicyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles); } } else { if (LOG.isDebugEnabled()) { diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 8811f2a..26c7dfb 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -408,6 +408,13 @@ public class TestPolicyEngine { runTestsFromResourceFiles(resourceFiles); } + @Test + public void testPolicyEngine_auditExcludeUsersGroupsRoles() { + String[] resourceFiles = {"/policyengine/test_policyengine_audit_exclude_users_groups_roles.json"}; + + runTestsFromResourceFiles(resourceFiles); + } + private void runTestsFromResourceFiles(String[] resourceNames) { for(String resourceName : resourceNames) { InputStream inStream = this.getClass().getResourceAsStream(resourceName); @@ -462,6 +469,7 @@ public class TestPolicyEngine { Map<String, Set<String>> userRoleMapping = testCase.userRoles; Map<String, Set<String>> groupRoleMapping = testCase.groupRoles; + Map<String, Set<String>> roleRoleMapping = testCase.roleRoles; if (userRoleMapping != null) { for (Map.Entry<String, Set<String>> userRole : userRoleMapping.entrySet()) { String user = userRole.getKey(); @@ -482,26 +490,42 @@ public class TestPolicyEngine { RangerRole.RoleMember groupRoleMember = new RangerRole.RoleMember(group, true); List<RangerRole.RoleMember> groupRoleMembers = Arrays.asList(groupRoleMember); for (String grpRole : groupRoles) { - RangerRole rangerGroupRole = new RangerRole(grpRole, grpRole, null, groupRoleMembers, null); + RangerRole rangerGroupRole = new RangerRole(grpRole, grpRole, null, null, groupRoleMembers); rolesSet.add(rangerGroupRole); } } } + if (roleRoleMapping != null) { + for (Map.Entry<String, Set<String>> roleRole : roleRoleMapping.entrySet()) { + String role = roleRole.getKey(); + Set<String> roleRoles = roleRole.getValue(); + RangerRole.RoleMember roleRoleMember = new RangerRole.RoleMember(role, true); + List<RangerRole.RoleMember> roleRoleMembers = Arrays.asList(roleRoleMember); + for (String rleRole : roleRoles) { + RangerRole rangerRoleRole = new RangerRole(rleRole, rleRole, null, null, null, roleRoleMembers); + rolesSet.add(rangerRoleRole); + } + } + } + roles.setRangerRoles(rolesSet); RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions(); policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true; - RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles, testCase.superUsers, testCase.superGroups); + pluginContext.getConfig().setSuperUsersGroups(testCase.superUsers, testCase.superGroups); + pluginContext.getConfig().setAuditExcludedUsersGroupsRoles(testCase.auditExcludedUsers, testCase.auditExcludedGroups, testCase.auditExcludedRoles); + + RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles); policyEngine.setUseForwardedIPAddress(useForwardedIPAddress); policyEngine.setTrustedProxyAddresses(trustedProxyAddresses); policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false; - RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles, testCase.superUsers, testCase.superGroups); + RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles); policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress); policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses); @@ -672,6 +696,7 @@ public class TestPolicyEngine { public Map<String, ServicePolicies.SecurityZoneInfo> securityZones; public Map<String, Set<String>> userRoles; public Map<String, Set<String>> groupRoles; + public Map<String, Set<String>> roleRoles; public String auditMode; public List<TestData> tests; public Map<String, String> serviceConfig; @@ -679,7 +704,10 @@ public class TestPolicyEngine { public List<TestData> updatedTests; public Set<String> superUsers; public Set<String> superGroups; - + public Set<String> auditExcludedUsers; + public Set<String> auditExcludedGroups; + public Set<String> auditExcludedRoles; + class TestData { public String name; public RangerAccessRequest request; diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_audit_exclude_users_groups_roles.json b/agents-common/src/test/resources/policyengine/test_policyengine_audit_exclude_users_groups_roles.json new file mode 100644 index 0000000..191a7d0 --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_audit_exclude_users_groups_roles.json @@ -0,0 +1,283 @@ +{ + "serviceName":"hivedev", + + "original-serviceDef":{ + "name":"hive", + "id":3, + "resources":[ + {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"}, + {"name":"url","level":1,"mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"URL","description":"URL"}, + {"name":"hiveservice","level":1,"mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HiveService","description":"HiveService"}, + {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"}, + {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"}, + {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"} + ], + "accessTypes":[ + {"name":"select","label":"Select"}, + {"name":"update","label":"Update"}, + {"name":"create","label":"Create"}, + {"name":"drop","label":"Drop"}, + {"name":"alter","label":"Alter"}, + {"name":"index","label":"Index"}, + {"name":"lock","label":"Lock"}, + {"name":"read","label":"Read"}, + {"name":"write","label":"Write"}, + {"name":"repladmin","label":"ReplAdmin"}, + {"name":"serviceadmin","label":"ServiceAdmin"}, + {"name":"all","label":"All", + "impliedGrants": ["select", "update", "create", "drop", "alter", "index", "lock", "read", "write", "repladmin", "serviceadmin"] + } + ] + }, + + "serviceDef": { + "id":3, + "name": "hive", + "implClass": "org.apache.ranger.services.hive.RangerServiceHive", + "label": "Hive Server2", + "description": "Hive Server2", + "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c", + + "resources": [ + {"itemId": 1, "name": "database", "type": "string", "level": 10, "parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive Database", "description": "Hive Database", "isValidLeaf": true}, + {"itemId": 2, "name": "table", "type": "string", "level": 20, "parent": "database", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive Table", "description": "Hive Table", "isValidLeaf": true}, + {"itemId": 3, "name": "udf", "type": "string", "level": 20, "parent": "database", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive UDF", "description": "Hive UDF", "isValidLeaf": true}, + {"itemId": 4, "name": "column", "type": "string", "level": 30, "parent": "table", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive Column", "description": "Hive Column", "isValidLeaf": true}, + {"itemId": 5, "name": "url", "type": "string", "level": 10, "parent": "", "mandatory": true, "lookupSupported": false, "recursiveSupported": true, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":false }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "URL", "description": "URL", "isValidLeaf": true} + ], + + "accessTypes": [ + {"itemId": 1, "name": "select", "label": "select"}, + {"itemId": 2, "name": "update", "label": "update"}, + {"itemId": 3, "name": "create", "label": "Create"}, + {"itemId": 4, "name": "drop", "label": "Drop"}, + {"itemId": 5, "name": "alter", "label": "Alter"}, + {"itemId": 6, "name": "index", "label": "Index"}, + {"itemId": 7, "name": "lock", "label": "Lock"}, + {"itemId": 8, "name": "all", "label": "All", + "impliedGrants": ["select", "update", "create", "drop", "alter", "index", "lock", "read", "write"]}, + {"itemId": 9, "name": "read", "label": "Read"}, + {"itemId": 10, "name": "write", "label": "Write"} + ], + + "configs": [ + {"itemId": 1, "name": "username", "type": "string", "mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Username"}, + {"itemId": 2, "name": "password", "type": "password", "mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Password"}, + {"itemId": 3, "name": "jdbc.driverClassName", "type": "string", "mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"", "defaultValue": "org.apache.hive.jdbc.HiveDriver"}, + {"itemId": 4, "name": "jdbc.url", "type": "string", "mandatory": true, "defaultValue": "", "validationRegEx":"", "validationMessage": "", "uiHint":""}, + {"itemId": 5, "name": "commonNameForCertificate", "type": "string", "mandatory": false, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Common Name for Certificate"} + ], + + "enums": [ + ], + + "contextEnrichers": [ + ], + + "policyConditions": [ + ] + }, + + "userRoles": { + "user-in-aer1": [ "aer1" ], + "user-in-aer2": [ "aer2" ], + "user-in-svc-cfg-aer1": [ "svc-cfg-aer1" ], + "user-in-svc-cfg-aer2": [ "svc-cfg-aer2" ] + }, + + "groupRoles": { + "group-in-aer1": [ "aer1" ], + "group-in-aer2": [ "aer2" ], + "group-in-svc-cfg-aer1": [ "svc-cfg-aer1" ], + "group-in-svc-cfg-aer2": [ "svc-cfg-aer2" ] + }, + + "roleRoles": { + "role-in-aer1": [ "aer1" ], + "role-in-aer2": [ "aer2" ], + "role-in-svc-cfg-aer1": [ "svc-cfg-aer1" ], + "role-in-svc-cfg-aer2": [ "svc-cfg-aer2" ] + }, + + "serviceConfig": { + "ranger.plugin.audit.exclude.users": "svc-cfg-aeu1, svc-cfg-aeu2", + "ranger.plugin.audit.exclude.groups": "svc-cfg-aeg1, svc-cfg-aeg2", + "ranger.plugin.audit.exclude.roles": "svc-cfg-aer1, svc-cfg-aer2" + }, + + "policies":[ + {"id":1,"name":"database=db-*,table=*,column=* - allow create to everyone, audit accesses","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["db-*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[{"type":"create","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + ], + + "auditExcludedUsers": [ "aeu1", "aeu2" ], + "auditExcludedGroups": [ "aeg1", "aeg2" ], + "auditExcludedRoles": [ "aer1", "aer2" ], + + "tests":[ + {"name":"NO AUDIT 'create db-1.tbl-1;' for group-in-aer1", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-1"}}, + "accessType":"create","user":"user3","userGroups":["group-in-aer1"],"requestData":"create db-1.tbl-1;' for group-in-aer1" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1;' for aeu1", + "request":{ + "resource":{"elements":{"database":"db-1"}}, + "accessType":"create","user":"aeu1","requestData":"create db-1 for aeu1" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-2;' for aeu2", + "request":{ + "resource":{"elements":{"database":"db-2"}}, + "accessType":"create","user":"aeu2","requestData":"create db-2 for aeu2" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1;' for svc-cfg-aeu1", + "request":{ + "resource":{"elements":{"database":"db-1"}}, + "accessType":"create","user":"svc-cfg-aeu1","requestData":"create db-1 for svc-cfg-aeu1" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-2;' for svc-cfg-aeu2", + "request":{ + "resource":{"elements":{"database":"db-2"}}, + "accessType":"create","user":"svc-cfg-aeu2","requestData":"create db-2 for svc-cfg-aeu2" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-1;' for user1 (in aeg1)", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-1"}}, + "accessType":"create","user":"user1","userGroups":["aeg1"],"requestData":"create db-1.tbl-1;' for user1 (in aeg1)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-2;' for user2 (in aeg2)", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-2"}}, + "accessType":"create","user":"user2","userGroups":["aeg2"],"requestData":"create db-1.tbl-2;' for user2 (in aeg2)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-1;' for user1 (in svc-cfg-aeg1)", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-1"}}, + "accessType":"create","user":"user1","userGroups":["svc-cfg-aeg1"],"requestData":"create db-1.tbl-1;' for user1 (in svc-cfg-aeg1)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-2;' for user2 (in svc-cfg-aeg2)", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-2"}}, + "accessType":"create","user":"user2","userGroups":["svc-cfg-aeg2"],"requestData":"create db-1.tbl-2;' for user2 (in svc-cfg-aeg2)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-1;' for user-in-aer1", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-1"}}, + "accessType":"create","user":"user-in-aer1","requestData":"create db-1.tbl-1;' for user1 (in aer1)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-2;' for user-in-aer2", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-2"}}, + "accessType":"create","user":"user-in-aer2","requestData":"create db-1.tbl-2;' for user2 (in aer2)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-1;' for user-in-svc-cfg-aer1", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-1"}}, + "accessType":"create","user":"user-in-svc-cfg-aer1","requestData":"create db-1.tbl-1;' for user1 (in svc-cfg-aer1)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-2;' for user-in-svc-cfg-aer2", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-2"}}, + "accessType":"create","user":"user-in-svc-cfg-aer2","requestData":"create db-1.tbl-2;' for user2 (in svc-cfg-aer2)" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-1;' for group-in-aer1", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-1"}}, + "accessType":"create","user":"user3","userGroups":["group-in-aer1"],"requestData":"create db-1.tbl-1;' for group-in-aer1" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-2;' for group-in-aer2", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-2"}}, + "accessType":"create","user":"user3", "userGroups":["group-in-aer2"],"requestData":"create db-1.tbl-2;' for group-in-aer2" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-1;' for group-in-svc-cfg-aer1", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-1"}}, + "accessType":"create","user":"user3","userGroups":["group-in-svc-cfg-aer1"],"requestData":"create db-1.tbl-1;' for group-in-svc-cfg-aer1" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-2;' for group-in-svc-cfg-aer2", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-2"}}, + "accessType":"create","user":"user3", "userGroups":["group-in-svc-cfg-aer2"],"requestData":"create db-1.tbl-2;' for group-in-svc-cfg-aer2" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create db-1.tbl-2;' for group-in-svc-cfg-aer2", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-2"}}, + "accessType":"create","user":"user3", "userGroups":["group-in-svc-cfg-aer2"],"requestData":"create db-1.tbl-2;' for group-in-svc-cfg-aer2" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":1} + } + , + {"name":"AUDIT 'create db-1.tbl-3;' for user3", + "request":{ + "resource":{"elements":{"database":"db-1", "table":"tbl-3"}}, + "accessType":"create","user":"user3","userGroups":["users"],"requestData":"create db-1.tbl-3;' for user3" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":1} + } + , + {"name":"NO AUDIT 'create testdb;' for aeu1; no audit", + "request":{ + "resource":{"elements":{"database":"testdb"}}, + "accessType":"create","user":"aeu1","requestData":"create db-1 for aeu1" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + ] +} +
