mneethiraj commented on code in PR #448:
URL: https://github.com/apache/ranger/pull/448#discussion_r1881453989
##########
storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java:
##########
@@ -31,155 +27,129 @@
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerPerfTracer;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-
import org.apache.storm.Config;
import org.apache.storm.security.auth.IAuthorizer;
import org.apache.storm.security.auth.ReqContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import java.security.Principal;
+import java.util.Map;
+import java.util.Set;
public class RangerStormAuthorizer implements IAuthorizer {
+ private static final Logger LOG =
LoggerFactory.getLogger(RangerStormAuthorizer.class);
- private static final Logger LOG =
LoggerFactory.getLogger(RangerStormAuthorizer.class);
+ private static final Logger PERF_STORMAUTH_REQUEST_LOG =
RangerPerfTracer.getPerfLogger("stormauth.request");
+ private static final String STORM_CLIENT_JASS_CONFIG_SECTION =
"StormClient";
+ static final Set<String> noAuthzOperations =
Sets.newHashSet("getNimbusConf", "getClusterInfo");
- private static final Logger PERF_STORMAUTH_REQUEST_LOG =
RangerPerfTracer.getPerfLogger("stormauth.request");
+ private static volatile StormRangerPlugin plugin;
- private static final String STORM_CLIENT_JASS_CONFIG_SECTION =
"StormClient";
+ /**
+ * Invoked once immediately after construction
+ *
+ * @param aStormConfigMap Storm configuration
+ */
+
+ @Override
+ public void prepare(Map aStormConfigMap) {
+ StormRangerPlugin me = plugin;
+
+ if (me == null) {
+ synchronized (RangerStormAuthorizer.class) {
+ me = plugin;
- private static volatile StormRangerPlugin plugin = null;
+ if (me == null) {
+ try {
+
MiscUtil.setUGIFromJAASConfig(STORM_CLIENT_JASS_CONFIG_SECTION);
+ LOG.info("LoginUser={}", MiscUtil.getUGILoginUser());
+ } catch (Throwable t) {
+ LOG.error("Error while setting UGI for Storm
Plugin...", t);
+ }
- static final Set<String> noAuthzOperations = Sets.newHashSet(new
String[] { "getNimbusConf", "getClusterInfo" });
+ LOG.info("Creating StormRangerPlugin");
- /**
+ plugin = new StormRangerPlugin();
+ plugin.init();
+ }
+ }
+ }
+ }
+
+ /**
* permit() method is invoked for each incoming Thrift request.
+ *
* @param aRequestContext request context includes info about
* @param aOperationName operation name
* @param aTopologyConfigMap configuration of targeted topology
* @return true if the request is authorized, false if reject
*/
-
- @Override
- public boolean permit(ReqContext aRequestContext, String
aOperationName, Map aTopologyConfigMap) {
-
- boolean accessAllowed = false;
- boolean isAuditEnabled = false;
-
- String topologyName = null;
-
- RangerPerfTracer perf = null;
-
- try {
-
-
if(RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
- perf =
RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG,
"RangerStormAuthorizer.permit()");
- }
-
- topologyName = (aTopologyConfigMap == null ? "" :
(String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME));
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("[req "+ aRequestContext.requestID()+
"] Access "
- + " from: [" + aRequestContext.remoteAddress()
+ "]"
- + " user: [" + aRequestContext.principal() +
"],"
- + " op: [" + aOperationName + "],"
- + "topology: [" + topologyName + "]");
-
- if (aTopologyConfigMap != null) {
- for(Object keyObj :
aTopologyConfigMap.keySet()) {
- Object valObj =
aTopologyConfigMap.get(keyObj);
- LOG.debug("TOPOLOGY CONFIG MAP
[" + keyObj + "] => [" + valObj + "]");
- }
- }
- else {
- LOG.debug("TOPOLOGY CONFIG MAP is
passed as null.");
- }
- }
-
- if(noAuthzOperations.contains(aOperationName)) {
- accessAllowed = true;
- } else if(plugin == null) {
- LOG.info("Ranger plugin not initialized yet!
Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit
Enabled:" + isAuditEnabled);
- } else {
- String userName = null;
- String[] groups = null;
-
- Principal user = aRequestContext.principal();
-
- if (user != null) {
- userName = user.getName();
- if (userName != null) {
- UserGroupInformation ugi =
UserGroupInformation.createRemoteUser(userName);
- userName =
ugi.getShortUserName();
- groups = ugi.getGroupNames();
- if (LOG.isDebugEnabled()) {
- LOG.debug("User found
from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" +
StringUtil.toString(groups) + "]");
- }
- }
- }
-
-
- if (userName != null) {
- String clientIp =
(aRequestContext.remoteAddress() == null ? null :
aRequestContext.remoteAddress().getHostAddress() );
- RangerAccessRequest accessRequest =
plugin.buildAccessRequest(userName, groups, clientIp, topologyName,
aOperationName);
- RangerAccessResult result =
plugin.isAccessAllowed(accessRequest);
- accessAllowed = result != null &&
result.getIsAllowed();
- isAuditEnabled = result != null &&
result.getIsAudited();
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("User found from
principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]:
verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" +
accessAllowed + "], Audit Enabled:" + isAuditEnabled);
- }
- }
- else {
- LOG.info("NULL User found from
principal [" + user + "]: Skipping authorization; allowedFlag => [" +
accessAllowed + "], Audit Enabled:" + isAuditEnabled);
- }
- }
- }
- catch(Throwable t) {
- LOG.error("RangerStormAuthorizer found this exception",
t);
- }
- finally {
- RangerPerfTracer.log(perf);
- if (LOG.isDebugEnabled()) {
- LOG.debug("[req "+ aRequestContext.requestID()+
"] Access "
- + " from: [" + aRequestContext.remoteAddress()
+ "]"
- + " user: [" + aRequestContext.principal() +
"],"
- + " op: [" + aOperationName + "],"
- + "topology: [" + topologyName + "] => returns
[" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
- }
- }
-
- return accessAllowed;
- }
-
- /**
- * Invoked once immediately after construction
- * @param aStormConfigMap Storm configuration
- */
-
- @Override
- public void prepare(Map aStormConfigMap) {
- StormRangerPlugin me = plugin;
-
- if (me == null) {
- synchronized(RangerStormAuthorizer.class) {
- me = plugin;
-
- if (me == null) {
- try {
-
MiscUtil.setUGIFromJAASConfig(STORM_CLIENT_JASS_CONFIG_SECTION);
- LOG.info("LoginUser=" +
MiscUtil.getUGILoginUser());
- } catch (Throwable t) {
- LOG.error("Error while setting
UGI for Storm Plugin...", t);
- }
-
- LOG.info("Creating StormRangerPlugin");
-
- plugin = new StormRangerPlugin();
- plugin.init();
- }
- }
- }
- }
+ @Override
+ public boolean permit(ReqContext aRequestContext, String aOperationName,
Map aTopologyConfigMap) {
+ boolean accessAllowed = false;
+ boolean isAuditEnabled = false;
+ String topologyName = null;
+ RangerPerfTracer perf = null;
+
+ try {
+ if
(RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
+ perf =
RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG,
"RangerStormAuthorizer.permit()");
+ }
+
+ topologyName = (aTopologyConfigMap == null ? "" : (String)
aTopologyConfigMap.get(Config.TOPOLOGY_NAME));
+
+ LOG.debug("[req {}] Access from: [{}] user: [{}], op:
[{}],topology: [{}]", aRequestContext.requestID(),
aRequestContext.remoteAddress(), aRequestContext.principal(), aOperationName,
topologyName);
+
+ if (aTopologyConfigMap != null) {
+ for (Object keyObj : aTopologyConfigMap.keySet()) {
+ Object valObj = aTopologyConfigMap.get(keyObj);
+ LOG.debug("TOPOLOGY CONFIG MAP [{}] => [{}]", keyObj,
valObj);
+ }
+ } else {
+ LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
+ }
+
+ if (noAuthzOperations.contains(aOperationName)) {
+ accessAllowed = true;
+ } else if (plugin == null) {
+ LOG.info("Ranger plugin not initialized yet! Skipping
authorization; allowedFlag => [{}], Audit Enabled:{}", accessAllowed,
isAuditEnabled);
+ } else {
+ String userName = null;
+ String[] groups = null;
+
+ Principal user = aRequestContext.principal();
+
+ if (user != null) {
+ userName = user.getName();
+ if (userName != null) {
+ UserGroupInformation ugi =
UserGroupInformation.createRemoteUser(userName);
+ userName = ugi.getShortUserName();
+ groups = ugi.getGroupNames();
+ LOG.debug("User found from principal [{}] =>
user:[{}], groups:[{}]", user.getName(), userName, StringUtil.toString(groups));
Review Comment:
To avoid overhead of StringUtil.toString(groups) I suggest surrounding this
call to LOG.debug() with isDebugEnabled().
Review other such occurrences as well and update.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
