Google Git
Sign in
apache / ranger / 3cba16886cd78a35c61f02ebd1ed4bc8a3767d47 / . / agents-common / src / main / java / org / apache / ranger / plugin / service / RangerBasePlugin.java
blob: f5cdddf83efe41f0ff10919abe31413aa0ba527d [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ranger.plugin.service;
import java.util.*;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.audit.provider.AuditHandler;
import org.apache.ranger.audit.provider.AuditProviderFactory;
import org.apache.ranger.audit.provider.StandAloneAuditProviderFactory;
import org.apache.ranger.authorization.hadoop.config.RangerAuditConfig;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.conditionevaluator.RangerScriptExecutionContext;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.*;
public class RangerBasePlugin {
private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
private final RangerPluginConfig pluginConfig;
private final RangerPluginContext pluginContext;
private final Map<String, LogHistory> logHistoryList = new Hashtable<>();
private final int logInterval = 30000; // 30 seconds
private final DownloadTrigger accessTrigger = new DownloadTrigger();
private PolicyRefresher refresher;
private RangerPolicyEngine policyEngine;
private RangerAuthContext currentAuthContext;
private RangerAccessResultProcessor resultProcessor;
private RangerRoles roles;
public RangerBasePlugin(String serviceType, String appId) {
this(new RangerPluginConfig(serviceType, null, appId, null, null, null));
}
public RangerBasePlugin(RangerPluginConfig pluginConfig) {
this.pluginConfig = pluginConfig;
this.pluginContext = new RangerPluginContext(pluginConfig);
RangerScriptExecutionContext.init(pluginConfig);
}
public static AuditHandler getAuditProvider(String serviceName) {
AuditProviderFactory providerFactory = RangerBasePlugin.getAuditProviderFactory(serviceName);
AuditHandler ret = providerFactory.getAuditProvider();
return ret;
}
public String getServiceType() {
return pluginConfig.getServiceType();
}
public String getAppId() {
return pluginConfig.getAppId();
}
public RangerPluginConfig getConfig() {
return pluginConfig;
}
public String getClusterName() {
return pluginConfig.getClusterName();
}
public RangerAuthContext getCurrentRangerAuthContext() { return currentAuthContext; }
// For backward compatibility
public RangerAuthContext createRangerAuthContext() { return currentAuthContext; }
public RangerRoles getRoles() {
return this.roles;
}
public void setRoles(RangerRoles roles) {
this.roles = roles;
RangerPolicyEngine policyEngine = this.policyEngine;
if (policyEngine != null) {
policyEngine.setRoles(roles);
}
pluginContext.notifyAuthContextChanged();
}
public RangerServiceDef getServiceDef() {
RangerPolicyEngine policyEngine = this.policyEngine;
return policyEngine != null ? policyEngine.getServiceDef() : null;
}
public int getServiceDefId() {
RangerServiceDef serviceDef = getServiceDef();
return serviceDef != null && serviceDef.getId() != null ? serviceDef.getId().intValue() : -1;
}
public String getServiceName() {
return pluginConfig.getServiceName();
}
public AuditProviderFactory getAuditProviderFactory() { return RangerBasePlugin.getAuditProviderFactory(getServiceName()); }
public void init() {
cleanup();
AuditProviderFactory providerFactory = AuditProviderFactory.getInstance();
if (!providerFactory.isInitDone()) {
if (pluginConfig.getProperties() != null) {
providerFactory.init(pluginConfig.getProperties(), getAppId());
} else {
LOG.error("Audit subsystem is not initialized correctly. Please check audit configuration. ");
LOG.error("No authorization audits will be generated. ");
}
}
refresher = new PolicyRefresher(this);
refresher.setDaemon(true);
refresher.startRefresher();
}
public void setPolicies(ServicePolicies policies) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> setPolicies(" + policies + ")");
}
// guard against catastrophic failure during policy engine Initialization or
try {
RangerPolicyEngine oldPolicyEngine = this.policyEngine;
ServicePolicies servicePolicies = null;
boolean isValid = true;
boolean usePolicyDeltas = false;
if (policies == null) {
policies = getDefaultSvcPolicies();
if (policies == null) {
LOG.error("Could not get default Service Policies");
isValid = false;
}
} else {
if (policies.getPolicies() != null && policies.getPolicyDeltas() != null) {
LOG.error("Invalid servicePolicies: Both policies and policy-deltas cannot be null OR both of them cannot be non-null");
isValid = false;
} else if (policies.getPolicies() != null) {
usePolicyDeltas = false;
} else if (policies.getPolicyDeltas() != null) {
// Rebuild policies from deltas
RangerPolicyEngineImpl policyEngine = (RangerPolicyEngineImpl) oldPolicyEngine;
servicePolicies = ServicePolicies.applyDelta(policies, policyEngine);
if (servicePolicies != null) {
usePolicyDeltas = true;
} else {
isValid = false;
LOG.error("Could not apply deltas=" + Arrays.toString(policies.getPolicyDeltas().toArray()));
}
} else {
LOG.error("Should not get here!!");
isValid = false;
}
}
if (isValid) {
RangerPolicyEngine newPolicyEngine = null;
boolean isPolicyEngineShared = false;
if (!usePolicyDeltas) {
if (LOG.isDebugEnabled()) {
LOG.debug("policies are not null. Creating engine from policies");
}
newPolicyEngine = new RangerPolicyEngineImpl(policies, pluginContext, roles);
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("policy-deltas are not null");
}
if (CollectionUtils.isNotEmpty(policies.getPolicyDeltas()) || MapUtils.isNotEmpty(policies.getSecurityZones())) {
if (LOG.isDebugEnabled()) {
LOG.debug("Non empty policy-deltas found. Cloning engine using policy-deltas");
}
if (oldPolicyEngine != null) {
RangerPolicyEngineImpl oldPolicyEngineImpl = (RangerPolicyEngineImpl) oldPolicyEngine;
newPolicyEngine = RangerPolicyEngineImpl.getPolicyEngine(oldPolicyEngineImpl, policies);
}
if (newPolicyEngine != null) {
if (LOG.isDebugEnabled()) {
LOG.debug("Applied policyDeltas=" + Arrays.toString(policies.getPolicyDeltas().toArray()) + ")");
}
isPolicyEngineShared = true;
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Failed to apply policyDeltas=" + Arrays.toString(policies.getPolicyDeltas().toArray()) + "), Creating engine from policies");
LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]");
}
newPolicyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Empty policy-deltas. No need to change policy engine");
}
}
}
if (newPolicyEngine != null) {
if (!isPolicyEngineShared) {
newPolicyEngine.setUseForwardedIPAddress(pluginConfig.isUseForwardedIPAddress());
newPolicyEngine.setTrustedProxyAddresses(pluginConfig.getTrustedProxyAddresses());
}
this.policyEngine = newPolicyEngine;
this.currentAuthContext = pluginContext.getAuthContext();
pluginContext.notifyAuthContextChanged();
if (oldPolicyEngine != null) {
((RangerPolicyEngineImpl) oldPolicyEngine).releaseResources();
}
if (this.refresher != null) {
this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies);
}
}
} else {
LOG.error("Returning without saving policies to cache. Leaving current policy engine as-is");
}
} catch (Exception e) {
LOG.error("setPolicies: policy engine initialization failed! Leaving current policy engine as-is. Exception : ", e);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== setPolicies(" + policies + ")");
}
}
public void cleanup() {
PolicyRefresher refresher = this.refresher;
this.policyEngine = null;
this.refresher = null;
if (refresher != null) {
refresher.stopRefresher();
}
}
public void setResultProcessor(RangerAccessResultProcessor resultProcessor) {
this.resultProcessor = resultProcessor;
}
public RangerAccessResultProcessor getResultProcessor() {
return this.resultProcessor;
}
public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
return isAccessAllowed(request, resultProcessor);
}
public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests) {
return isAccessAllowed(requests, resultProcessor);
}
public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
}
return null;
}
public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
return policyEngine.evaluatePolicies(requests, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
}
return null;
}
public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor);
}
return null;
}
public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor);
}
return null;
}
public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
return policyEngine.getResourceAccessInfo(request);
}
return null;
}
public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
return policyEngine.getResourceACLs(request);
}
return null;
}
public Set<String> getRolesFromUserAndGroups(String user, Set<String> groups) {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
return policyEngine.getRolesFromUserAndGroups(user, groups);
}
return null;
}
public RangerRole createRole(RangerRole request, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.createRole(" + request + ")");
}
RangerRole ret = getAdminClient().createRole(request);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.createRole(" + request + ")");
}
return ret;
}
public void dropRole(String execUser, String roleName, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.dropRole(" + roleName + ")");
}
getAdminClient().dropRole(execUser, roleName);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.dropRole(" + roleName + ")");
}
}
public List<String> getUserRoles(String execUser, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.getUserRoleNames(" + execUser + ")");
}
final List<String> ret = getAdminClient().getUserRoles(execUser);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.getUserRoleNames(" + execUser + ")");
}
return ret;
}
public List<String> getAllRoles(String execUser, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.getAllRoles()");
}
final List<String> ret = getAdminClient().getAllRoles(execUser);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.getAllRoles()");
}
return ret;
}
public RangerRole getRole(String execUser, String roleName, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.getPrincipalsForRole(" + roleName + ")");
}
final RangerRole ret = getAdminClient().getRole(execUser, roleName);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.getPrincipalsForRole(" + roleName + ")");
}
return ret;
}
public void grantRole(GrantRevokeRoleRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.grantRole(" + request + ")");
}
getAdminClient().grantRole(request);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.grantRole(" + request + ")");
}
}
public void revokeRole(GrantRevokeRoleRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.revokeRole(" + request + ")");
}
getAdminClient().revokeRole(request);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.revokeRole(" + request + ")");
}
}
public void grantAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.grantAccess(" + request + ")");
}
boolean isSuccess = false;
try {
RangerPolicyEngine policyEngine = this.policyEngine;
if (policyEngine != null) {
request.setZoneName(policyEngine.getMatchedZoneName(request));
}
getAdminClient().grantAccess(request);
isSuccess = true;
} finally {
auditGrantRevoke(request, "grant", isSuccess, resultProcessor);
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.grantAccess(" + request + ")");
}
}
public void revokeAccess(GrantRevokeRequest request, RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.revokeAccess(" + request + ")");
}
boolean isSuccess = false;
try {
RangerPolicyEngine policyEngine = this.policyEngine;
if (policyEngine != null) {
request.setZoneName(policyEngine.getMatchedZoneName(request));
}
getAdminClient().revokeAccess(request);
isSuccess = true;
} finally {
auditGrantRevoke(request, "revoke", isSuccess, resultProcessor);
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.revokeAccess(" + request + ")");
}
}
public void registerAuthContextEventListener(RangerAuthContextListener authContextListener) {
this.pluginContext.setAuthContextListener(authContextListener);
}
public static RangerAdminClient createAdminClient(RangerPluginConfig pluginConfig) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.createAdminClient(" + pluginConfig.getServiceName() + ", " + pluginConfig.getAppId() + ", " + pluginConfig.getPropertyPrefix() + ")");
}
RangerAdminClient ret = null;
String propertyName = pluginConfig.getPropertyPrefix() + ".policy.source.impl";
String policySourceImpl = pluginConfig.get(propertyName);
if(StringUtils.isEmpty(policySourceImpl)) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("Value for property[%s] was null or empty. Unexpected! Will use policy source of type[%s]", propertyName, RangerAdminRESTClient.class.getName()));
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("Value for property[%s] was [%s].", propertyName, policySourceImpl));
}
try {
@SuppressWarnings("unchecked")
Class<RangerAdminClient> adminClass = (Class<RangerAdminClient>)Class.forName(policySourceImpl);
ret = adminClass.newInstance();
} catch (Exception excp) {
LOG.error("failed to instantiate policy source of type '" + policySourceImpl + "'. Will use policy source of type '" + RangerAdminRESTClient.class.getName() + "'", excp);
}
}
if(ret == null) {
ret = new RangerAdminRESTClient();
}
ret.init(pluginConfig.getServiceName(), pluginConfig.getAppId(), pluginConfig.getPropertyPrefix(), pluginConfig);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerBasePlugin.createAdminClient(" + pluginConfig.getServiceName() + ", " + pluginConfig.getAppId() + ", " + pluginConfig.getPropertyPrefix() + "): policySourceImpl=" + policySourceImpl + ", client=" + ret);
}
return ret;
}
public void refreshPoliciesAndTags() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> refreshPoliciesAndTags()");
}
try {
RangerPolicyEngine policyEngine = this.policyEngine;
// Synch-up policies
long oldPolicyVersion = policyEngine.getPolicyVersion();
refresher.syncPoliciesWithAdmin(accessTrigger);
policyEngine = this.policyEngine; // might be updated in syncPoliciesWithAdmin()
long newPolicyVersion = policyEngine.getPolicyVersion();
if (oldPolicyVersion == newPolicyVersion) {
// Synch-up tags
RangerTagEnricher tagEnricher = getTagEnricher();
if (tagEnricher != null) {
tagEnricher.syncTagsWithAdmin(accessTrigger);
}
}
} catch (InterruptedException exception) {
LOG.error("Failed to update policy-engine, continuing to use old policy-engine and/or tags", exception);
}
if (LOG.isDebugEnabled()) {
LOG.info("<== refreshPoliciesAndTags()");
}
}
private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
if(request != null && resultProcessor != null) {
RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
accessRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
accessRequest.setUser(request.getGrantor());
accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
accessRequest.setAction(action);
accessRequest.setClientIPAddress(request.getClientIPAddress());
accessRequest.setClientType(request.getClientType());
accessRequest.setRequestData(request.getRequestData());
accessRequest.setSessionId(request.getSessionId());
// call isAccessAllowed() to determine if audit is enabled or not
RangerAccessResult accessResult = isAccessAllowed(accessRequest, null);
if(accessResult != null && accessResult.getIsAudited()) {
accessRequest.setAccessType(action);
accessResult.setIsAllowed(isSuccess);
if(! isSuccess) {
accessResult.setPolicyId(-1);
}
resultProcessor.processResult(accessResult);
}
}
}
private RangerServiceDef getDefaultServiceDef() {
RangerServiceDef ret = null;
if (StringUtils.isNotBlank(getServiceType())) {
try {
ret = EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(getServiceType());
} catch (Exception exp) {
LOG.error("Could not get embedded service-def for " + getServiceType());
}
}
return ret;
}
private ServicePolicies getDefaultSvcPolicies() {
ServicePolicies ret = null;
RangerServiceDef serviceDef = getServiceDef();
if (serviceDef == null) {
serviceDef = getDefaultServiceDef();
}
if (serviceDef != null) {
ret = new ServicePolicies();
ret.setServiceDef(serviceDef);
ret.setServiceName(getServiceName());
ret.setPolicies(new ArrayList<RangerPolicy>());
}
return ret;
}
public boolean logErrorMessage(String message) {
LogHistory log = logHistoryList.get(message);
if (log == null) {
log = new LogHistory();
logHistoryList.put(message, log);
}
if ((System.currentTimeMillis() - log.lastLogTime) > logInterval) {
log.lastLogTime = System.currentTimeMillis();
int counter = log.counter;
log.counter = 0;
if( counter > 0) {
message += ". Messages suppressed before: " + counter;
}
LOG.error(message);
return true;
} else {
log.counter++;
}
return false;
}
static private final class LogHistory {
long lastLogTime;
int counter;
}
private RangerTagEnricher getTagEnricher() {
RangerTagEnricher ret = null;
RangerAuthContext authContext = getCurrentRangerAuthContext();
if (authContext != null) {
Map<RangerContextEnricher, Object> contextEnricherMap = authContext.getRequestContextEnrichers();
if (MapUtils.isNotEmpty(contextEnricherMap)) {
Set<RangerContextEnricher> contextEnrichers = contextEnricherMap.keySet();
for (RangerContextEnricher enricher : contextEnrichers) {
if (enricher instanceof RangerTagEnricher) {
ret = (RangerTagEnricher) enricher;
break;
}
}
}
}
return ret;
}
private RangerAdminClient getAdminClient() throws Exception {
PolicyRefresher refresher = this.refresher;
RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient();
if(admin == null) {
throw new Exception("ranger-admin client is null");
}
return admin;
}
private static AuditProviderFactory getAuditProviderFactory(String serviceName) {
AuditProviderFactory ret = AuditProviderFactory.getInstance();
if (!ret.isInitDone()) {
LOG.warn("RangerBasePlugin.getAuditProviderFactory(serviceName=" + serviceName + "): audit not initialized yet. Will use stand-alone audit factory");
ret = StandAloneAuditProviderFactory.getInstance();
if (!ret.isInitDone()) {
RangerAuditConfig conf = new RangerAuditConfig();
if (conf.isInitSuccess()) {
ret.init(conf.getProperties(), "StandAlone");
}
}
}
return ret;
}
}