Revert "Update - 20220929" #2

Merged
merged 1 commit into from
Jun 10, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -786,45 +786,6 @@ public static void authWithKerberos(String keytab, String principal,

}

public static void loginWithKeyTab(String keytab, String principal, String nameRules) {
if (logger.isDebugEnabled()) {
logger.debug("==> MiscUtil.loginWithKeyTab() keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules);
}

if (keytab == null || principal == null) {
logger.error("Failed to login as keytab or principal is null!");
return;
}

String[] spnegoPrincipals;
UserGroupInformation ugi;

try {
if (principal.equals("*")) {
spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"));
if (spnegoPrincipals.length == 0) {
logger.error("No principals found in keytab= " + keytab);
}
} else {
spnegoPrincipals = new String[] { principal };
}

if (nameRules != null) {
KerberosName.setRules(nameRules);
}

logger.info("Creating UGI from keytab directly. keytab= " + keytab + ", principal= " + spnegoPrincipals[0]);
ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
MiscUtil.setUGILoginUser(ugi, null);
} catch (Exception e) {
logger.error("Failed to login with given keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules, e);
}

if (logger.isDebugEnabled()) {
logger.debug("<== MiscUtil.loginWithKeyTab()");
}
}

static class LogHistory {
long lastLogTime = 0;
int counter = 0;
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.util.*;
import org.slf4j.Logger;
Expand All @@ -35,8 +34,6 @@ public abstract class AbstractRangerAdminClient implements RangerAdminClient {

protected Gson gson;

private boolean forceNonKerberos = false;

@Override
public void init(String serviceName, String appId, String configPropertyPrefix, Configuration config) {
Gson gson = null;
Expand All @@ -48,7 +45,6 @@ public void init(String serviceName, String appId, String configPropertyPrefix,
}

this.gson = gson;
this.forceNonKerberos = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
}

@Override
Expand Down Expand Up @@ -120,16 +116,4 @@ public List<String> getTagTypes(String tagTypePattern) throws Exception {
public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, long lastActivationTimeInMillis) throws Exception {
return null;
}

public boolean isKerberosEnabled(UserGroupInformation user) {
final boolean ret;

if (forceNonKerberos) {
ret = false;
} else {
ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
}

return ret;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ public RangerRole createRole(final RangerRole request) throws Exception {

ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
String relativeURL = RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE;

Map <String, String> queryParams = new HashMap<String, String> ();
Expand Down Expand Up @@ -239,7 +239,7 @@ public void dropRole(final String execUser, final String roleName) throws Except

ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();

Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam);
Expand Down Expand Up @@ -294,7 +294,7 @@ public List<String> getUserRoles(final String execUser) throws Exception {
String emptyString = "";
ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser;

if (isSecureMode) {
Expand Down Expand Up @@ -349,7 +349,7 @@ public List<String> getAllRoles(final String execUser) throws Exception {
String emptyString = "";
ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES;

Map<String, String> queryParams = new HashMap<String, String>();
Expand Down Expand Up @@ -407,7 +407,7 @@ public RangerRole getRole(final String execUser, final String roleName) throws E
RangerRole ret = null;
ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName;

Map<String, String> queryParams = new HashMap<String, String>();
Expand Down Expand Up @@ -465,7 +465,7 @@ public void grantRole(final GrantRevokeRoleRequest request) throws Exception {

ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam;

if (isSecureMode) {
Expand Down Expand Up @@ -513,7 +513,7 @@ public void revokeRole(final GrantRevokeRoleRequest request) throws Exception {

ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam;

if (isSecureMode) {
Expand Down Expand Up @@ -561,7 +561,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception {

ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();

Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
Expand Down Expand Up @@ -613,7 +613,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception {

ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();

Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
Expand Down Expand Up @@ -704,7 +704,7 @@ public List<String> getTagTypes(String pattern) throws Exception {
List<String> ret = null;
String emptyString = "";
UserGroupInformation user = MiscUtil.getUGILoginUser();
boolean isSecureMode = isKerberosEnabled(user);
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();

Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam);
Expand Down Expand Up @@ -755,7 +755,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon

final RangerUserStore ret;
final UserGroupInformation user = MiscUtil.getUGILoginUser();
final boolean isSecureMode = isKerberosEnabled(user);
final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
final ClientResponse response;

Map<String, String> queryParams = new HashMap<String, String>();
Expand Down Expand Up @@ -838,7 +838,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnown
final ServicePolicies ret;

final UserGroupInformation user = MiscUtil.getUGILoginUser();
final boolean isSecureMode = isKerberosEnabled(user);
final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
final ClientResponse response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);

if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
Expand Down Expand Up @@ -888,7 +888,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno
final ServicePolicies ret;

final UserGroupInformation user = MiscUtil.getUGILoginUser();
final boolean isSecureMode = isKerberosEnabled(user);
final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
final ClientResponse response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);

if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
Expand Down Expand Up @@ -1016,7 +1016,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion,
final ServiceTags ret;

final UserGroupInformation user = MiscUtil.getUGILoginUser();
final boolean isSecureMode = isKerberosEnabled(user);
final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
final ClientResponse response = getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);

if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) {
Expand Down Expand Up @@ -1070,7 +1070,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCookie(final long lastKnownVersio
final ServiceTags ret;

final UserGroupInformation user = MiscUtil.getUGILoginUser();
final boolean isSecureMode = isKerberosEnabled(user);
final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
final ClientResponse response = getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);

if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) {
Expand Down Expand Up @@ -1198,7 +1198,7 @@ private RangerRoles getRolesIfUpdatedWithCred(final long lastKnownRoleVersion, f
final RangerRoles ret;

final UserGroupInformation user = MiscUtil.getUGILoginUser();
final boolean isSecureMode = isKerberosEnabled(user);
final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
final ClientResponse response = getRangerRolesDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode);

if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
Expand Down Expand Up @@ -1253,7 +1253,7 @@ private RangerRoles getRolesIfUpdatedWithCookie(final long lastKnownRoleVersion,
final RangerRoles ret;

final UserGroupInformation user = MiscUtil.getUGILoginUser();
final boolean isSecureMode = isKerberosEnabled(user);
final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
final ClientResponse response = getRangerRolesDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode);

if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
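Review bot: The new `isSecureMode` line in createRole (and the identical line in the other sixteen hunks of this file, dropRole through getRolesIfUpdatedWithCookie) no longer consults `user.hasKerberosCredentials()`, so a login user that exists but holds no Kerberos credentials on a cluster where `UserGroupInformation.isSecurityEnabled()` is true is now treated as secure-mode and sent down the Kerberos/doAs request path instead of the credential-based one; the `forceNonKerberos` override that the removed helper honoured is likewise no longer read anywhere. If that is the intended effect of the revert, the first occurrence deserves a comment such as `// secure mode follows the cluster's security setting only; the UGI's own credentials are not checked here`. The same two-operand expression is also now repeated seventeen times; a single `private static boolean isSecureMode(UserGroupInformation user) { return user != null && UserGroupInformation.isSecurityEnabled(); }` would keep a check that decides how credentials are transmitted in one place. Each hunk shows only part of its method; the enclosing methods begin and end outside the hunks.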
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,6 @@
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
Expand Down Expand Up @@ -312,43 +311,39 @@ public RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer r
MatchType matchType = tagMatchTypeMap.get(evaluator.getPolicyId());

boolean isMatched = false;
boolean isConditionalMatch = false;

if (matchType == null) {
for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) {
RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher();
matchType = resourceEvaluator.getPolicyResourceMatcher().getMatchType(request.getResource(), request.getContext());

matchType = matcher.getMatchType(request.getResource(), request.getContext());
isMatched = isMatch(matchType, request.getResourceMatchingScope());
if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType != MatchType.NONE;
} else {
isMatched = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
}

if (isMatched) {
isConditionalMatch = false;

break;
} else if (matcher.getNeedsDynamicEval() && !isConditionalMatch) {
MatchType dynWildCardMatch = resourceEvaluator.getMacrosReplaceWithWildcardMatcher(policyEngine).getMatchType(request.getResource(), request.getContext());

isConditionalMatch = isMatch(dynWildCardMatch, request.getResourceMatchingScope());
}
}
} else {
isMatched = isMatch(matchType, request.getResourceMatchingScope());
if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType != MatchType.NONE;
} else {
isMatched = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
}
}

if (!isMatched && !isConditionalMatch) {
if (!isMatched) {
continue;
}

if (!isConditionalMatch) {
isConditionalMatch = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
}

if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
updateFromPolicyACLs(evaluator, isConditionalMatch, ret);
updateFromPolicyACLs(evaluator, policyIdForTemporalTags, ret);
} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
updateRowFiltersFromPolicy(evaluator, isConditionalMatch, ret);
updateRowFiltersFromPolicy(evaluator, policyIdForTemporalTags, ret);
} else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
updateDataMasksFromPolicy(evaluator, isConditionalMatch, ret);
updateDataMasksFromPolicy(evaluator, policyIdForTemporalTags, ret);
}
}

Expand Down Expand Up @@ -1177,13 +1172,15 @@ private boolean getIsFallbackSupported() {
return policyEngine.getPluginContext().getConfig().getIsFallbackSupported();
}

private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) {
private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();

if (aclSummary == null) {
return;
}

boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;

for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) {
final String userName = userAccessInfo.getKey();

Expand Down Expand Up @@ -1251,10 +1248,12 @@ private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, boolean isCon
}
}

private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) {
private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();

if (aclSummary != null) {
boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;

for (RowFilterResult rowFilterResult : aclSummary.getRowFilters()) {
rowFilterResult = copyRowFilter(rowFilterResult);

Expand All @@ -1267,10 +1266,12 @@ private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, boolean
}
}

private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) {
private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();

if (aclSummary != null) {
boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;

for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) {
dataMaskResult = copyDataMask(dataMaskResult);

Expand Down Expand Up @@ -1311,18 +1312,6 @@ private Set<String> copyStrings(Set<String> values) {
return values != null ? new HashSet<>(values) : null;
}

private boolean isMatch(MatchType matchType, RangerAccessRequest.ResourceMatchingScope matchingScope) {
final boolean ret;

if (matchingScope == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
ret = matchType != MatchType.NONE;
} else {
ret = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
}

return ret;
}

private static class ServiceConfig {
private final Set<String> auditExcludedUsers;
private final Set<String> auditExcludedGroups;
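Review bot: In getResourceACLs the new side consults only the static resource matcher, so a policy that needs dynamic (macro-based) evaluation and does not match statically hits `continue` and never reaches updateFromPolicyACLs, updateRowFiltersFromPolicy or updateDataMasksFromPolicy; the returned ACL summary therefore appears to omit grants that such a policy would still apply at access time. If that narrowing is intended, the `continue` deserves a comment, e.g. `// policies whose match depends on request-time macros are not reported in the ACL summary`. The match-type test is also now written out twice inside the loop (the SELF_OR_DESCENDANTS / SELF / SELF_AND_ALL_DESCENDANTS comparison) and the `isConditional` expression three times across the three update methods; a small private helper for each would stop the copies drifting apart. getResourceACLs starts before this hunk and ends after it.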