This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit a7b527bbd0df8ba86eee7b3fdc65b470bbbc17fa Author: Mahesh Bandal <maheshbanda...@gmail.com> AuthorDate: Fri Nov 19 15:26:13 2021 +0530 RANGER-3518: Limit the query size stored in Audit logs Signed-off-by: pradeep <prad...@apache.org>
--- .../hive/authorizer/RangerHiveAuditHandler.java | 20 ++++++++++++++- .../hive/authorizer/RangerHiveAuthorizer.java | 30 +++++++++++----------- 2 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 5c04bdb..742aeca 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -26,6 +26,7 @@ import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
@@ -43,7 +44,9 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 public static final String ACCESS_TYPE_ROWFILTER = "ROW_FILTER";
 public static final String ACTION_TYPE_METADATA_OPERATION = "METADATA OPERATION";
 public static final String URL_RESOURCE_TYPE = "url";
- public static final String CONF_AUDIT_QUERY_REQUEST_SIZE = "xasecure.audit.solr.limit.query.req.size";
+ public static final int DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE = Integer.MAX_VALUE;
+ private int requestQuerySize;
 Collection<AuthzAuditEvent> auditEvents = null;
 boolean deniedExists = false; 
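Review bot: The property name `xasecure.audit.solr.limit.query.req.size` presents the new cap as a Solr setting, yet nothing in this hunk ties it to Solr, and the later `createAuditEvent` hunk applies it to the `AuthzAuditEvent` itself, so it presumably bounds the query text for every configured audit destination; the constant and the new `requestQuerySize` field also carry no Javadoc. I would document the intent where the constant is declared, `/** Max characters of query text (requestData) kept in an audit event; despite the name this applies to all audit destinations. */`, and on the field, `/** Effective cap resolved from configuration; Integer.MAX_VALUE means unlimited. */`. The `-` line in this rendering appears to have lost its content, so I cannot tell what the removed line was.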
@@ -54,6 +57,13 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 public RangerHiveAuditHandler() {
 super();
+ requestQuerySize = DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE;
+ }
+
+ public RangerHiveAuditHandler(Configuration config) {
+ super(config);
+ requestQuerySize = config.getInt(CONF_AUDIT_QUERY_REQUEST_SIZE, DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE);
+ requestQuerySize = (requestQuerySize < 1) ? DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE : requestQuerySize;
 }
 AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
@@ -67,6 +77,14 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 if (URL_RESOURCE_TYPE.equals(resourceType)) {
 resourcePathComputed = getURLPathString(resource, resourcePathComputed);
 }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("requestQuerySize = " + requestQuerySize);
+ }
+ if (StringUtils.isNotBlank(request.getRequestData()) && request.getRequestData().length()>requestQuerySize) {
+ auditEvent.setRequestData(request.getRequestData().substring(0, requestQuerySize));
+ } else {
+ auditEvent.setRequestData(request.getRequestData());
+ }
 auditEvent.setAccessType(accessType);
 auditEvent.setResourcePath(resourcePathComputed);
 auditEvent.setResourceType("@" + resourceType); // to be consistent with earlier release
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2be4424..dc6e2eb 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 
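Review bot: A configured value below 1 is silently replaced by `DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE`, which is `Integer.MAX_VALUE`, so a typo in `xasecure.audit.solr.limit.query.req.size` turns the intended cap into no cap at all with nothing in the logs to show it. For a knob whose purpose is to bound what reaches the audit store, that fail-open should at least be logged: `if (requestQuerySize < 1) { LOG.warn(CONF_AUDIT_QUERY_REQUEST_SIZE + " must be >= 1, was " + requestQuerySize + "; query text will not be truncated"); requestQuerySize = DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE; }` in place of the ternary. The no-arg constructor keeps the unlimited default, so any remaining caller of it bypasses the cap; a one-line comment there, `// no Configuration available: query text is stored untruncated`, would make that visible.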
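Review bot: The truncation in the new `setRequestData` branch is silent, so a stored query that hit the cap is indistinguishable from one that was short to begin with, and since only the prefix survives, a statement padded at the front (a long leading comment, say) loses exactly the part an investigator would want to see. `substring(0, requestQuerySize)` can also split a UTF-16 surrogate pair, leaving a lone surrogate that may not survive serialisation of the event, and `request.getRequestData()` is evaluated three times where one local would do. I would hoist the value into a local, back the cut off one char when it lands inside a surrogate pair, and append a marker carrying the original length so the record is self-describing; the per-event `LOG.debug("requestQuerySize = ...")` could go too, as the value is fixed at construction. The enclosing `createAuditEvent` starts before this hunk and continues after it.
```java
// … unchanged: resource / url path computation …
String requestData = request.getRequestData();
if (StringUtils.isNotBlank(requestData) && requestData.length() > requestQuerySize) {
    int originalLength = requestData.length();
    int cut = requestQuerySize;
    // never cut between a high and low surrogate; a lone surrogate may fail to encode downstream
    if (Character.isHighSurrogate(requestData.charAt(cut - 1))) {
        cut--;
    }
    // keep the truncation visible to whoever reads the audit record later
    requestData = requestData.substring(0, cut) + " ...[truncated, original length " + originalLength + "]";
}
auditEvent.setRequestData(requestData);
// … unchanged: accessType / resourcePath / resourceType …
```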
@@ -194,7 +194,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 if(LOG.isDebugEnabled()) {
 LOG.debug(" ==> RangerHiveAuthorizer.createRole()");
 }
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 String currentUserName = getGrantorUsername(adminGrantor);
 List<String> roleNames = Arrays.asList(roleName);
 List<String> userNames = Arrays.asList(currentUserName);
@@ -237,7 +237,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 LOG.debug("RangerHiveAuthorizer.dropRole()");
 }
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 UserGroupInformation ugi = getCurrentUserGroupInfo();
 boolean result = false;
@@ -284,7 +284,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 List<String> ret = new ArrayList<String>();
 String user = ugi.getShortUserName();
 List<String> userNames = Arrays.asList(user);
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 try {
 if (LOG.isDebugEnabled()) {
 LOG.debug("<== getCurrentRoleNames() for user " + user);
@@ -349,7 +349,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 LOG.debug("==> RangerHiveAuthorizer.getAllRoles()");
 }
 List<String> ret = new ArrayList<>();
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 List<String> userNames = null;
 boolean result = false; 
@@ -407,7 +407,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 List<HiveRoleGrant> ret = new ArrayList<>();
 List<String> roleNames = Arrays.asList(roleName);
 List<String> userNames = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 boolean result = false;
 if (hivePlugin == null) {
@@ -471,7 +471,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 List<HiveRoleGrant> ret = new ArrayList<>();
 List<String> principalInfo = null;
 List<String> userNames = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 boolean result = false;
 if (hivePlugin == null) {
@@ -538,7 +538,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 LOG.debug("RangerHiveAuthorizerBase.grantRole()");
 boolean result = false;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 String username = getGrantorUsername(grantorPrinc);
 List<String> principals = new ArrayList<>();
 try {
@@ -615,7 +615,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 boolean result = false;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 String grantorUserName = getGrantorUsername(grantorPrinc);
 List<String> principals = new ArrayList<>(); 
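Review bot: `hivePlugin.getConfig()` is now dereferenced two lines above the existing `if (hivePlugin == null) {` guard in this hunk, and again in the `@@ -471` hunk below it, so if the plugin is not initialised the method throws a NullPointerException before the check written for that case can run, and the guard has become unreachable for the condition it tests. Either move the guard above the audit-handler construction or make the construction tolerate a missing plugin, e.g. `RangerHiveAuditHandler auditHandler = hivePlugin != null ? new RangerHiveAuditHandler(hivePlugin.getConfig()) : new RangerHiveAuditHandler();`. Both enclosing methods start before their hunks, so I cannot see whether an earlier statement already guarantees `hivePlugin` is non-null; if it does, the guard is dead and should be removed instead.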
@@ -714,7 +714,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
 }
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 try {
 List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
@@ -755,7 +755,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
 }
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 try {
 List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
@@ -796,7 +796,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 throw new HiveAccessControlException("Permission denied: user information not available");
 }
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 RangerPerfTracer perf = null;
@@ -1125,7 +1125,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 RangerPerfTracer perf = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
 perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.filterListCmdObjects()"); 
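Review bot: `new RangerHiveAuditHandler(hivePlugin.getConfig())` is now spelled out at every call site in this file (this hunk is one of about fifteen), each one independently assuming `hivePlugin` is non-null at that point; a single private factory would give one place to handle an uninitialised plugin and to absorb the next constructor change. I would add `private RangerHiveAuditHandler newAuditHandler() { return new RangerHiveAuditHandler(hivePlugin.getConfig()); }` to the class and write `RangerHiveAuditHandler auditHandler = newAuditHandler();` here and at the other sites. The enclosing method, apparently `filterListCmdObjects` going by the perf-tracer label, starts before this hunk and continues after it.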
@@ -1341,7 +1341,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 String ret = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 try {
 HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
@@ -1382,7 +1382,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 boolean ret = false;
 String columnTransformer = columnName;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 try {
 HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
@@ -3014,7 +3014,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 String user = ugi.getShortUserName();
 Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
 try {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user + ", userGroups: " + groups);