This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch RANGER-5061_master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 5c6f87bf293faeeff2619a9e1aad0de1efd88e4f Author: Dineshkumar Yadav <[email protected]> AuthorDate: Sat Jan 4 00:20:24 2025 +0530 RANGER-5061: checkstyle compliance updates - security-admin module for org.apache.ranger.amazon and org.apache.ranger.authentication (#490) --- .../cloudwatch/CloudWatchAccessAuditsService.java | 506 ++++++++++----------- .../ranger/amazon/cloudwatch/CloudWatchMgr.java | 83 ++-- .../ranger/amazon/cloudwatch/CloudWatchUtil.java | 468 ++++++++++--------- .../unix/jaas/RoleUserAuthorityGranter.java | 26 +- 4 files changed, 554 insertions(+), 529 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchAccessAuditsService.java index 06a21a3c2..f15076427 100644 --- a/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchAccessAuditsService.java +++ b/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchAccessAuditsService.java @@ -19,11 +19,8 @@ package org.apache.ranger.amazon.cloudwatch; -import java.io.UnsupportedEncodingException; -import java.util.ArrayList; -import java.util.List; -import java.util.Map; - +import com.amazonaws.services.logs.AWSLogs; +import com.amazonaws.services.logs.model.FilteredLogEvent; import org.apache.commons.collections.CollectionUtils; import org.apache.ranger.audit.model.AuthzAuditEvent; import org.apache.ranger.audit.provider.MiscUtil; 
@@ -43,257 +40,256 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Service; -import com.amazonaws.services.logs.AWSLogs; -import com.amazonaws.services.logs.model.FilteredLogEvent; +import java.io.UnsupportedEncodingException; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; @Service @Scope("singleton") public class CloudWatchAccessAuditsService extends org.apache.ranger.AccessAuditsService { - private static final Logger LOGGER = LoggerFactory.getLogger(CloudWatchAccessAuditsService.class); - - @Autowired - CloudWatchMgr cloudWatchMgr; - - @Autowired - CloudWatchUtil cloudWatchUtil; - - @Autowired - JSONUtil jsonUtil; - - public VXAccessAuditList searchXAccessAudits(SearchCriteria searchCriteria) { - - final boolean hiveQueryVisibility = PropertiesUtil.getBooleanProperty("ranger.audit.hive.query.visibility", true); - AWSLogs client = cloudWatchMgr.getClient(); - if (client == null) { - LOGGER.warn("CloudWatch client is null, so not running the query."); - throw restErrorUtil.createRESTException("Error connecting to cloudwatch", MessageEnums.ERROR_SYSTEM); - } - - List<VXAccessAudit> xAccessAuditList = new ArrayList<VXAccessAudit>(); - Map<String, Object> paramList = searchCriteria.getParamList(); - updateUserExclusion(paramList); - - List<FilteredLogEvent> result; - try { - result = cloudWatchUtil.searchResources(client, searchCriteria, searchFields, sortFields); - } catch (Exception e) { - LOGGER.warn(String.format("CloudWatch query failed: %s", e.getMessage())); - throw restErrorUtil.createRESTException("Error querying search engine", MessageEnums.ERROR_SYSTEM); - } - - VXAccessAuditList returnList = new VXAccessAuditList(); - if (result != null && CollectionUtils.isNotEmpty(result)) { - int recordCount = 0; - int endIndex = result.size() - 1; - endIndex = endIndex - searchCriteria.getStartIndex() < 0 ? 
endIndex : endIndex - searchCriteria.getStartIndex(); - for (int index = endIndex; recordCount < searchCriteria.getMaxRows() && index >=0 ; index--) { - FilteredLogEvent event = result.get(index); - AuthzAuditEvent auditEvent = null; - try { - auditEvent = MiscUtil.fromJson(event.getMessage(), AuthzAuditEvent.class); - } catch (Exception ex) { - LOGGER.error("Error while parsing json data" , ex); - } - VXAccessAudit vXAccessAudit = populateViewBean(auditEvent); - if (vXAccessAudit != null) { - String serviceType = vXAccessAudit.getServiceType(); - boolean isHive = "hive".equalsIgnoreCase(serviceType); - if (!hiveQueryVisibility && isHive) { - vXAccessAudit.setRequestData(null); - } else if (isHive) { - String accessType = vXAccessAudit.getAccessType(); - if ("grant".equalsIgnoreCase(accessType) || "revoke".equalsIgnoreCase(accessType)) { - String requestData = vXAccessAudit.getRequestData(); - if (requestData != null) { - try { - vXAccessAudit.setRequestData(java.net.URLDecoder.decode(requestData, "UTF-8")); - } catch (UnsupportedEncodingException e) { - LOGGER.warn("Error while encoding request data: " + requestData, e); - } - } else { - LOGGER.warn("Error in request data of audit from cloudwatch. 
AuditData: "+ vXAccessAudit.toString()); - } - } - } - } - xAccessAuditList.add(vXAccessAudit); - recordCount++; - } - returnList.setResultSize(result.size()); - returnList.setTotalCount(result.size()); - } - - returnList.setPageSize(searchCriteria.getMaxRows()); - returnList.setStartIndex(searchCriteria.getStartIndex()); - returnList.setVXAccessAudits(xAccessAuditList); - return returnList; - } - - public void setRestErrorUtil(RESTErrorUtil restErrorUtil) { - this.restErrorUtil = restErrorUtil; - } - - public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) { - long count = 100; - VXLong vXLong = new VXLong(); - vXLong.setValue(count); - return vXLong; - } - - private VXAccessAudit populateViewBean(AuthzAuditEvent auditEvent) { - VXAccessAudit accessAudit = new VXAccessAudit(); - - Object value = null; - if(LOGGER.isDebugEnabled()) { - LOGGER.debug("doc=" + auditEvent.toString()); - } - - value = auditEvent.getEventId(); - if (value != null) { - accessAudit.setId((long) value.hashCode()); - accessAudit.setEventId(value.toString()); - } - - value = auditEvent.getClusterName(); - if (value != null) { - accessAudit.setClusterName(value.toString()); - } - - value = auditEvent.getZoneName(); - if (value != null) { - accessAudit.setZoneName(value.toString()); - } - - value = auditEvent.getAgentHostname(); - if (value != null) { - accessAudit.setAgentHost(value.toString()); - } - - value = auditEvent.getPolicyVersion(); - if (value != null) { - accessAudit.setPolicyVersion(MiscUtil.toLong(value)); - } - - value = auditEvent.getAccessType(); - if (value != null) { - accessAudit.setAccessType(value.toString()); - } - - value = auditEvent.getAclEnforcer(); - if (value != null) { - accessAudit.setAclEnforcer(value.toString()); - } - - value = auditEvent.getAgentId(); - if (value != null) { - accessAudit.setAgentId(value.toString()); - } - - value = auditEvent.getRepositoryName(); - if (value != null) { - accessAudit.setRepoName(value.toString()); - XXService 
xxService = daoManager.getXXService().findByName(accessAudit.getRepoName()); - - if(xxService != null) { - accessAudit.setRepoDisplayName(xxService.getDisplayName()); - } - } - - value = auditEvent.getSessionId(); - if (value != null) { - accessAudit.setSessionId(value.toString()); - } - - value = auditEvent.getUser(); - if (value != null) { - accessAudit.setRequestUser(value.toString()); - } - - value = auditEvent.getRequestData(); - if (value != null) { - accessAudit.setRequestData(value.toString()); - } - value = auditEvent.getResourcePath(); - if (value != null) { - accessAudit.setResourcePath(value.toString()); - } - - value = auditEvent.getClientIP(); - if (value != null) { - accessAudit.setClientIP(value.toString()); - } - - value = auditEvent.getAccessResult(); - if (value != null) { - accessAudit.setAccessResult(MiscUtil.toInt(value)); - } - - value = auditEvent.getPolicyId(); - if (value != null) { - accessAudit.setPolicyId(MiscUtil.toLong(value)); - } - - value = auditEvent.getRepositoryType(); - if (value != null) { - accessAudit.setRepoType(MiscUtil.toInt(value)); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById((long) accessAudit.getRepoType()); - if (xServiceDef != null) { - accessAudit.setServiceType(xServiceDef.getName()); - accessAudit.setServiceTypeDisplayName(xServiceDef.getDisplayName()); - } - } - - value = auditEvent.getResourceType(); - if (value != null) { - accessAudit.setResourceType(value.toString()); - } - - value = auditEvent.getResultReason(); - if (value != null) { - accessAudit.setResultReason(value.toString()); - } - - value = auditEvent.getAction(); - if (value != null) { - accessAudit.setAction(value.toString()); - } - - value = auditEvent.getEventTime(); - if (value != null) { - accessAudit.setEventTime(MiscUtil.toLocalDate(value)); - } - - value = auditEvent.getSeqNum(); - if (value != null) { - accessAudit.setSequenceNumber(MiscUtil.toLong(value)); - } - - value = auditEvent.getEventCount(); - if (value != 
null) { - accessAudit.setEventCount(MiscUtil.toLong(value)); - } - - value = auditEvent.getEventDurationMS(); - if (value != null) { - accessAudit.setEventDuration(MiscUtil.toLong(value)); - } - - value = auditEvent.getTags(); - if (value != null) { - accessAudit.setTags(value.toString()); - } - - value = auditEvent.getDatasets(); - if (value != null) { - accessAudit.setDatasets(value.toString()); - } - - value = auditEvent.getProjects(); - if (value != null) { - accessAudit.setProjects(value.toString()); - } - - return accessAudit; - } - -} \ No newline at end of file + private static final Logger LOGGER = LoggerFactory.getLogger(CloudWatchAccessAuditsService.class); + + @Autowired + CloudWatchMgr cloudWatchMgr; + + @Autowired + CloudWatchUtil cloudWatchUtil; + + @Autowired + JSONUtil jsonUtil; + + public VXAccessAuditList searchXAccessAudits(SearchCriteria searchCriteria) { + final boolean hiveQueryVisibility = PropertiesUtil.getBooleanProperty("ranger.audit.hive.query.visibility", true); + AWSLogs client = cloudWatchMgr.getClient(); + + if (client == null) { + LOGGER.warn("CloudWatch client is null, so not running the query."); + + throw restErrorUtil.createRESTException("Error connecting to cloudwatch", MessageEnums.ERROR_SYSTEM); + } + + List<VXAccessAudit> xAccessAuditList = new ArrayList<VXAccessAudit>(); + Map<String, Object> paramList = searchCriteria.getParamList(); + + updateUserExclusion(paramList); + + List<FilteredLogEvent> result; + + try { + result = cloudWatchUtil.searchResources(client, searchCriteria, searchFields, sortFields); + } catch (Exception e) { + LOGGER.warn("CloudWatch query failed: {}", e.getMessage()); + + throw restErrorUtil.createRESTException("Error querying search engine", MessageEnums.ERROR_SYSTEM); + } + + VXAccessAuditList returnList = new VXAccessAuditList(); + + if (CollectionUtils.isNotEmpty(result)) { + int recordCount = 0; + int endIndex = result.size() - 1; + + endIndex = endIndex - searchCriteria.getStartIndex() < 0 ? 
endIndex : endIndex - searchCriteria.getStartIndex(); + + for (int index = endIndex; recordCount < searchCriteria.getMaxRows() && index >= 0; index--) { + FilteredLogEvent event = result.get(index); + AuthzAuditEvent auditEvent = null; + + try { + auditEvent = MiscUtil.fromJson(event.getMessage(), AuthzAuditEvent.class); + } catch (Exception ex) { + LOGGER.error("Error while parsing json data", ex); + } + + VXAccessAudit vXAccessAudit = populateViewBean(auditEvent); + + if (vXAccessAudit != null) { + String serviceType = vXAccessAudit.getServiceType(); + boolean isHive = "hive".equalsIgnoreCase(serviceType); + + if (!hiveQueryVisibility && isHive) { + vXAccessAudit.setRequestData(null); + } else if (isHive) { + String accessType = vXAccessAudit.getAccessType(); + + if ("grant".equalsIgnoreCase(accessType) || "revoke".equalsIgnoreCase(accessType)) { + String requestData = vXAccessAudit.getRequestData(); + + if (requestData != null) { + try { + vXAccessAudit.setRequestData(java.net.URLDecoder.decode(requestData, "UTF-8")); + } catch (UnsupportedEncodingException e) { + LOGGER.warn("Error while encoding request data:{}", requestData, e); + } + } else { + LOGGER.warn("Error in request data of audit from cloudwatch. 
AuditData:{} ", vXAccessAudit); + } + } + } + } + + xAccessAuditList.add(vXAccessAudit); + + recordCount++; + } + + returnList.setResultSize(result.size()); + returnList.setTotalCount(result.size()); + } + + returnList.setPageSize(searchCriteria.getMaxRows()); + returnList.setStartIndex(searchCriteria.getStartIndex()); + returnList.setVXAccessAudits(xAccessAuditList); + + return returnList; + } + + public void setRestErrorUtil(RESTErrorUtil restErrorUtil) { + this.restErrorUtil = restErrorUtil; + } + + public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) { + long count = 100; + VXLong vXLong = new VXLong(); + + vXLong.setValue(count); + + return vXLong; + } + + private VXAccessAudit populateViewBean(AuthzAuditEvent auditEvent) { + LOGGER.debug("doc= {}", auditEvent); + + VXAccessAudit accessAudit = new VXAccessAudit(); + Object value; + + value = auditEvent.getEventId(); + if (value != null) { + accessAudit.setId((long) value.hashCode()); + accessAudit.setEventId(value.toString()); + } + + value = auditEvent.getClusterName(); + if (value != null) { + accessAudit.setClusterName(value.toString()); + } + + value = auditEvent.getZoneName(); + if (value != null) { + accessAudit.setZoneName(value.toString()); + } + + value = auditEvent.getAgentHostname(); + if (value != null) { + accessAudit.setAgentHost(value.toString()); + } + + value = auditEvent.getPolicyVersion(); + if (value != null) { + accessAudit.setPolicyVersion(MiscUtil.toLong(value)); + } + + value = auditEvent.getAccessType(); + if (value != null) { + accessAudit.setAccessType(value.toString()); + } + + value = auditEvent.getAclEnforcer(); + if (value != null) { + accessAudit.setAclEnforcer(value.toString()); + } + + value = auditEvent.getAgentId(); + if (value != null) { + accessAudit.setAgentId(value.toString()); + } + + value = auditEvent.getRepositoryName(); + if (value != null) { + accessAudit.setRepoName(value.toString()); + + XXService xxService = 
daoManager.getXXService().findByName(accessAudit.getRepoName()); + + if (xxService != null) { + accessAudit.setRepoDisplayName(xxService.getDisplayName()); + } + } + + value = auditEvent.getSessionId(); + if (value != null) { + accessAudit.setSessionId(value.toString()); + } + + value = auditEvent.getUser(); + if (value != null) { + accessAudit.setRequestUser(value.toString()); + } + + value = auditEvent.getRequestData(); + if (value != null) { + accessAudit.setRequestData(value.toString()); + } + value = auditEvent.getResourcePath(); + if (value != null) { + accessAudit.setResourcePath(value.toString()); + } + + value = auditEvent.getClientIP(); + if (value != null) { + accessAudit.setClientIP(value.toString()); + } + + accessAudit.setAccessResult(auditEvent.getAccessResult()); + accessAudit.setPolicyId(auditEvent.getPolicyId()); + accessAudit.setRepoType(auditEvent.getRepositoryType()); + + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById((long) accessAudit.getRepoType()); + + if (xServiceDef != null) { + accessAudit.setServiceType(xServiceDef.getName()); + accessAudit.setServiceTypeDisplayName(xServiceDef.getDisplayName()); + } + + value = auditEvent.getResourceType(); + if (value != null) { + accessAudit.setResourceType(value.toString()); + } + + value = auditEvent.getResultReason(); + if (value != null) { + accessAudit.setResultReason(value.toString()); + } + + value = auditEvent.getAction(); + if (value != null) { + accessAudit.setAction(value.toString()); + } + + value = auditEvent.getEventTime(); + if (value != null) { + accessAudit.setEventTime(MiscUtil.toLocalDate(value)); + } + + accessAudit.setSequenceNumber(auditEvent.getSeqNum()); + accessAudit.setEventCount(auditEvent.getEventCount()); + accessAudit.setEventDuration(auditEvent.getEventDurationMS()); + + value = auditEvent.getTags(); + if (value != null) { + accessAudit.setTags(value.toString()); + } + + value = auditEvent.getDatasets(); + if (value != null) { + 
accessAudit.setDatasets(value.toString()); + } + + value = auditEvent.getProjects(); + if (value != null) { + accessAudit.setProjects(value.toString()); + } + + return accessAudit; + } +} diff --git a/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchMgr.java b/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchMgr.java index 4dcc6b2b8..ba08c6f40 100644 --- a/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchMgr.java 
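Review bot: A malformed CloudWatch message still aborts the whole search: when `MiscUtil.fromJson` throws, `auditEvent` stays null and `populateViewBean(auditEvent)` dereferences it at `auditEvent.getEventId()` (the new unconditional `LOGGER.debug("doc= {}", auditEvent)` is safe, the getter call is not), so one bad log event becomes a NullPointerException propagating out of searchXAccessAudits instead of a skipped record. The `if (vXAccessAudit != null)` guard below never helps, because populateViewBean always returns a freshly constructed bean. Add `if (auditEvent == null) { continue; }` directly after the catch block inside the for loop. Separately, `long count = 100;` in getXAccessAuditSearchCount is an unexplained fixed value returned to the caller as the total; it deserves a comment stating why a constant is returned here rather than a real count.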
@@ -19,60 +19,65 @@ package org.apache.ranger.amazon.cloudwatch; -import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.CONFIG_PREFIX; -import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.PROP_REGION; - +import com.amazonaws.services.logs.AWSLogs; +import com.amazonaws.services.logs.AWSLogsClientBuilder; import org.apache.commons.lang.StringUtils; import org.apache.ranger.common.PropertiesUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Component; -import com.amazonaws.services.logs.AWSLogs; -import com.amazonaws.services.logs.AWSLogsClientBuilder; +import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.CONFIG_PREFIX; +import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.PROP_REGION; /** * This class initializes the CloudWatch client - * */ @Component public class CloudWatchMgr { + private static final Logger LOGGER = LoggerFactory.getLogger(CloudWatchMgr.class); + + private AWSLogs client; + private String regionName; + + public AWSLogs getClient() { + AWSLogs me = client; + + if (me == null) { + me = connect(); + } + + return me; + } + + synchronized AWSLogs connect() { + AWSLogs me = client; + + if (me == null) { + synchronized (CloudWatchMgr.class) { + me = client; - private static final Logger LOGGER = LoggerFactory.getLogger(CloudWatchMgr.class); + if (me == null) { + try { + me = newClient(); + client = me; + } catch (Throwable t) { + LOGGER.error("Can't connect to CloudWatch region:{} ", regionName, t); + } + } + } + } - private AWSLogs client = null; - private String regionName; + return me; + } - synchronized void connect() { - if (client == null) { - synchronized (CloudWatchMgr.class) { - if (client == null) { - regionName = PropertiesUtil.getProperty(CONFIG_PREFIX + "." 
+ PROP_REGION); - try { - client = newClient(); - } catch (Throwable t) { - LOGGER.error("Can't connect to CloudWatch region: " + regionName, t); - } - } - } - } - } + private AWSLogs newClient() { + regionName = PropertiesUtil.getProperty(CONFIG_PREFIX + "." + PROP_REGION); - public AWSLogs getClient() { - if (client == null) { - synchronized (CloudWatchMgr.class) { - if (client == null) { - connect(); - } - } - } - return client; - } + if (StringUtils.isBlank(regionName)) { + return AWSLogsClientBuilder.standard().build(); + } - private AWSLogs newClient() { - if (StringUtils.isBlank(regionName)) { - return AWSLogsClientBuilder.standard().build(); - } - return AWSLogsClientBuilder.standard().withRegion(regionName).build(); - } + return AWSLogsClientBuilder.standard().withRegion(regionName).build(); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchUtil.java b/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchUtil.java index b7d3cad97..ffe43582f 100644 --- a/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchUtil.java 
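Review bot: `client` is read without synchronization in the new `getClient()` (`AWSLogs me = client;`) but only written under a lock in `connect()`, and the field is not `volatile`; this is double-checked locking on a plain field, which the Java memory model does not guarantee to publish a fully constructed object to the unsynchronized reader. Declare it `private volatile AWSLogs client;`. With that in place the inner `synchronized (CloudWatchMgr.class)` inside the already `synchronized` `connect()` is redundant — a class-level lock adds nothing for what is by default a singleton `@Component` — and can be dropped. Also `catch (Throwable t)` swallows Errors and leaves `connect()` returning null with only a log line; the visible caller in CloudWatchAccessAuditsService handles null, but a comment on `connect()` such as `// returns null when the client cannot be built; callers must check` would make that contract explicit.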
@@ -19,241 +19,267 @@ package org.apache.ranger.amazon.cloudwatch; -import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.CONFIG_PREFIX; -import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.PROP_LOG_GROUP_NAME; -import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.PROP_LOG_STREAM_PREFIX; - -import java.text.SimpleDateFormat; -import java.util.ArrayList; -import java.util.Calendar; -import java.util.Collection; -import java.util.Date; -import java.util.List; -import java.util.TimeZone; - +import com.amazonaws.services.logs.AWSLogs; +import com.amazonaws.services.logs.model.FilterLogEventsRequest; +import com.amazonaws.services.logs.model.FilterLogEventsResult; +import com.amazonaws.services.logs.model.FilteredLogEvent; import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.lang.time.DateUtils; import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang.time.DateUtils; import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchField; import org.apache.ranger.common.SearchField.SEARCH_TYPE; import org.apache.ranger.common.SortField; -import org.apache.ranger.common.StringUtil; import org.apache.solr.client.solrj.util.ClientUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; -import com.amazonaws.services.logs.AWSLogs; -import com.amazonaws.services.logs.model.FilterLogEventsRequest; -import com.amazonaws.services.logs.model.FilterLogEventsResult; -import com.amazonaws.services.logs.model.FilteredLogEvent; +import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.Calendar; +import java.util.Collection; +import java.util.Date; +import java.util.List; +import java.util.TimeZone; + +import static 
org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.CONFIG_PREFIX; +import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.PROP_LOG_GROUP_NAME; +import static org.apache.ranger.audit.destination.AmazonCloudWatchAuditDestination.PROP_LOG_STREAM_PREFIX; @Component public class CloudWatchUtil { - private static final Logger LOGGER = LoggerFactory.getLogger(CloudWatchUtil.class); - - @Autowired - StringUtil stringUtil; - - String dateFormateStr = "yyyy-MM-dd'T'HH:mm:ss'Z'"; - SimpleDateFormat dateFormat = new SimpleDateFormat(dateFormateStr); - private String logGroupName; - private String logStreamPrefix; - - public CloudWatchUtil() { - logGroupName = PropertiesUtil.getProperty(CONFIG_PREFIX + "." + PROP_LOG_GROUP_NAME, "ranger_audits"); - logStreamPrefix = PropertiesUtil.getProperty(CONFIG_PREFIX + "." + PROP_LOG_STREAM_PREFIX, ""); - String timeZone = PropertiesUtil.getProperty("ranger.cloudwatch.timezone"); - if (timeZone != null) { - LOGGER.info("Setting timezone to " + timeZone); - try { - dateFormat.setTimeZone(TimeZone.getTimeZone(timeZone)); - } catch (Throwable t) { - LOGGER.error("Error setting timezone. 
TimeZone = " + timeZone); - } - } - } - - public List<FilteredLogEvent> searchResources(AWSLogs client, SearchCriteria searchCriteria, - List<SearchField> searchFields, List<SortField> sortFieldList) { - List<FilteredLogEvent> result = new ArrayList<FilteredLogEvent>(); - try { - String nextToken = null; - FilterLogEventsRequest filterLogEventsRequest = getFilterLogEventsRequest(client, searchCriteria, searchFields); - boolean done = false; - //TODO: Improve response time - //This approach is slow as cloudwatch doesn't provide timestamp based sorting in descending order - do { - if (nextToken != null) { - filterLogEventsRequest = filterLogEventsRequest.withNextToken(nextToken); - } - - FilterLogEventsResult response = client.filterLogEvents(filterLogEventsRequest); - if (response != null) { - if (CollectionUtils.isNotEmpty(response.getEvents())) { - //To handle outofmemory issue, max 10k records are stored in the list - if (result.size() > 10000) { - result.clear(); - } - result.addAll(response.getEvents()); - } else { - done = true; - break; - } - // check if token is the same - if (response.getNextToken().equals(nextToken)) { - done = true; - break; - } - // save new token - nextToken = response.getNextToken(); - if (nextToken == null) { - done = true; - break; - } - } - } while (!done); - LOGGER.info("Successfully got CloudWatch log events!"); - } catch (Exception e) { - LOGGER.error("Error searching records from CloudWatch", e); - } - return result; - } - - public FilterLogEventsRequest getFilterLogEventsRequest(AWSLogs client, SearchCriteria searchCriteria, - List<SearchField> searchFields) { - FilterLogEventsRequest filterLogEventsRequest = null; - StringBuilder filterPattern = new StringBuilder(""); - Date fromDate = null; - Date toDate = null; - - if (searchCriteria.getParamList() != null) { - List<String> filterExpr = new ArrayList<String>(); - - for (SearchField searchField : searchFields) { - Object paramValue = 
searchCriteria.getParamValue(searchField.getClientFieldName()); - if (paramValue == null || paramValue.toString().isEmpty()) { - continue; - } - - String fieldName = searchField.getFieldName(); - if (searchField.getDataType() == SearchField.DATA_TYPE.DATE) { - if (!(paramValue instanceof Date)) { - LOGGER.error("Search field is not a Java Date Object, paramValue = " + paramValue); - } else { - if (searchField.getSearchType() == SEARCH_TYPE.GREATER_EQUAL_THAN || searchField.getSearchType() == SEARCH_TYPE.GREATER_THAN) { - fromDate = (Date) paramValue; - } else if (searchField.getSearchType() == SEARCH_TYPE.LESS_EQUAL_THAN || searchField.getSearchType() == SEARCH_TYPE.LESS_THAN) { - toDate = (Date) paramValue; - } - } - } else if (paramValue instanceof Collection) { - String fq = orList(fieldName, (Collection<?>) paramValue); - if (StringUtils.isNotBlank(fq)) { - filterExpr.add(fq); - } - } else { - String fq = null; - if (searchField.getSearchType() == SEARCH_TYPE.PARTIAL) { - fq = setFieldForPartialSearch(fieldName, paramValue); - } else { - fq = setField(fieldName, paramValue); - } - if (StringUtils.isNotBlank(fq)) { - filterExpr.add(fq); - } - } - } - - if (fromDate == null) { - fromDate = DateUtils.truncate(new Date(), Calendar.DAY_OF_MONTH); - } - if (toDate == null) { - Date today = DateUtils.truncate(new Date(), Calendar.DAY_OF_MONTH); - toDate = DateUtils.addDays(today, 1); - } - - // Syntax : { ($.user.id = 1) && ($.users[0].email = "[email protected]") } - if (CollectionUtils.isNotEmpty(filterExpr)) { - String strExpr = ""; - int count = -1; - for (String fq : filterExpr) { - count++; - if (count > 0) { - strExpr += " &&"; - } - strExpr = strExpr.concat("(" + fq + ")"); - } - if (strExpr.endsWith("&&")) { - strExpr = strExpr.substring(0, strExpr.length() - 3); - } - if (StringUtils.isNotBlank(strExpr)) { - filterPattern.append("{" + strExpr + "}"); - } - } - } - - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("filterExpression for cloudwatch request " + 
filterPattern.toString()); - } - - // Add FilterPattern which will only fetch logs required - filterLogEventsRequest = new FilterLogEventsRequest() - .withLogGroupName(logGroupName) - .withStartTime(fromDate.getTime()) - .withEndTime(toDate.getTime()) - .withFilterPattern(filterPattern.toString()); - - if (StringUtils.isNotBlank(logStreamPrefix)) { - filterLogEventsRequest.setLogStreamNamePrefix(logStreamPrefix); - } - - return filterLogEventsRequest; - } - - //Syntax { $.user.email = "[email protected]" || $.coordinates[0][1] = nonmatch && $.actions[2] = nomatch } - private String orList(String fieldName, Collection<?> valueList) { - if (valueList == null || valueList.isEmpty()) { - return null; - } - String expr = ""; - int count = -1; - for (Object value : valueList) { - count++; - if (count > 0) { - expr += " || "; - } - expr += setField(fieldName, value); - } - return expr; - } - - private String setField(String fieldName, Object value) { - if (value == null || StringUtils.isBlank(value.toString())) { - return null; - } - if (value instanceof Integer || value instanceof Long) { - if (fieldName.startsWith("-")) { - fieldName = fieldName.substring(1); - return "$." + fieldName + " != " + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()); - } - return "$." + fieldName + " = " + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()); - } - if (fieldName.startsWith("-")) { - fieldName = fieldName.substring(1); - return "$." + fieldName + " != \"" + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()) + "\""; - } - return "$." + fieldName + " = \"" + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()) + "\""; - } - - private String setFieldForPartialSearch(String fieldName, Object value) { - if (value == null || StringUtils.isBlank(value.toString())) { - return null; - } - return "$." 
+ fieldName + "= \"*" + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()) + "*\""; - } + private static final Logger LOGGER = LoggerFactory.getLogger(CloudWatchUtil.class); + + String dateFormateStr = "yyyy-MM-dd'T'HH:mm:ss'Z'"; + SimpleDateFormat dateFormat = new SimpleDateFormat(dateFormateStr); + + private final String logGroupName; + private final String logStreamPrefix; + + public CloudWatchUtil() { + logGroupName = PropertiesUtil.getProperty(CONFIG_PREFIX + "." + PROP_LOG_GROUP_NAME, "ranger_audits"); + logStreamPrefix = PropertiesUtil.getProperty(CONFIG_PREFIX + "." + PROP_LOG_STREAM_PREFIX, ""); + + String timeZone = PropertiesUtil.getProperty("ranger.cloudwatch.timezone"); + + if (timeZone != null) { + LOGGER.info("Setting timezone to {}", timeZone); + + try { + dateFormat.setTimeZone(TimeZone.getTimeZone(timeZone)); + } catch (Throwable t) { + LOGGER.error("Error setting timezone. TimeZone ={} ", timeZone); + } + } + } + + public List<FilteredLogEvent> searchResources(AWSLogs client, SearchCriteria searchCriteria, List<SearchField> searchFields, List<SortField> sortFieldList) { + List<FilteredLogEvent> result = new ArrayList<FilteredLogEvent>(); + + try { + String nextToken = null; + FilterLogEventsRequest filterLogEventsRequest = getFilterLogEventsRequest(client, searchCriteria, searchFields); + boolean done = false; + + //TODO: Improve response time + //This approach is slow as cloudwatch doesn't provide timestamp based sorting in descending order + do { + if (nextToken != null) { + filterLogEventsRequest = filterLogEventsRequest.withNextToken(nextToken); + } + + FilterLogEventsResult response = client.filterLogEvents(filterLogEventsRequest); + + if (response != null) { + if (CollectionUtils.isNotEmpty(response.getEvents())) { + //To handle outofmemory issue, max 10k records are stored in the list + if (result.size() > 10000) { + result.clear(); + } + + result.addAll(response.getEvents()); + } else { + done = true; + break; + } + + // 
check if token is the same + if (response.getNextToken().equals(nextToken)) { + done = true; + break; + } + + // save new token + nextToken = response.getNextToken(); + + if (nextToken == null) { + done = true; + break; + } + } + } + while (!done); + + LOGGER.info("Successfully got CloudWatch log events!"); + } catch (Exception e) { + LOGGER.error("Error searching records from CloudWatch", e); + } + + return result; + } + + public FilterLogEventsRequest getFilterLogEventsRequest(AWSLogs client, SearchCriteria searchCriteria, List<SearchField> searchFields) { + StringBuilder filterPattern = new StringBuilder(); + Date fromDate = null; + Date toDate = null; + + if (searchCriteria.getParamList() != null) { + List<String> filterExpr = new ArrayList<String>(); + + for (SearchField searchField : searchFields) { + Object paramValue = searchCriteria.getParamValue(searchField.getClientFieldName()); + + if (paramValue == null || paramValue.toString().isEmpty()) { + continue; + } + + String fieldName = searchField.getFieldName(); + + if (searchField.getDataType() == SearchField.DATA_TYPE.DATE) { + if (!(paramValue instanceof Date)) { + LOGGER.error("Search field is not a Java Date Object, paramValue = {}", paramValue); + } else { + if (searchField.getSearchType() == SEARCH_TYPE.GREATER_EQUAL_THAN || searchField.getSearchType() == SEARCH_TYPE.GREATER_THAN) { + fromDate = (Date) paramValue; + } else if (searchField.getSearchType() == SEARCH_TYPE.LESS_EQUAL_THAN || searchField.getSearchType() == SEARCH_TYPE.LESS_THAN) { + toDate = (Date) paramValue; + } + } + } else if (paramValue instanceof Collection) { + String fq = orList(fieldName, (Collection<?>) paramValue); + + if (StringUtils.isNotBlank(fq)) { + filterExpr.add(fq); + } + } else { + String fq; + + if (searchField.getSearchType() == SEARCH_TYPE.PARTIAL) { + fq = setFieldForPartialSearch(fieldName, paramValue); + } else { + fq = setField(fieldName, paramValue); + } + + if (StringUtils.isNotBlank(fq)) { + 
filterExpr.add(fq);
+ }
+ }
+ }
+
+ if (fromDate == null) {
+ fromDate = DateUtils.truncate(new Date(), Calendar.DAY_OF_MONTH);
+ }
+
+ if (toDate == null) {
+ Date today = DateUtils.truncate(new Date(), Calendar.DAY_OF_MONTH);
+
+ toDate = DateUtils.addDays(today, 1);
+ }
+
+ // Syntax : { ($.user.id = 1) && ($.users[0].email = "[email protected]") }
+ if (CollectionUtils.isNotEmpty(filterExpr)) {
+ String strExpr = "";
+ int count = -1;
+
+ for (String fq : filterExpr) {
+ count++;
+
+ if (count > 0) {
+ strExpr += " &&";
+ }
+
+ strExpr = strExpr.concat("(" + fq + ")");
+ }
+
+ if (strExpr.endsWith("&&")) {
+ strExpr = strExpr.substring(0, strExpr.length() - 3);
+ }
+
+ if (StringUtils.isNotBlank(strExpr)) {
+ filterPattern.append("{" + strExpr + "}");
+ }
+ }
+ }
+
+ LOGGER.debug("filterExpression for cloudwatch request {}", filterPattern);
+
+ // Add FilterPattern which will only fetch logs required
+ FilterLogEventsRequest filterLogEventsRequest = new FilterLogEventsRequest()
+ .withLogGroupName(logGroupName)
+ .withStartTime(fromDate.getTime())
+ .withEndTime(toDate.getTime())
+ .withFilterPattern(filterPattern.toString());
+
+ if (StringUtils.isNotBlank(logStreamPrefix)) {
+ filterLogEventsRequest.setLogStreamNamePrefix(logStreamPrefix);
+ }
+
+ return filterLogEventsRequest;
+ }
+
+ //Syntax { $.user.email = "[email protected]" || $.coordinates[0][1] = nonmatch && $.actions[2] = nomatch }
+ private String orList(String fieldName, Collection<?> valueList) {
+ if (valueList == null || valueList.isEmpty()) {
+ return null;
+ }
+
+ String expr = "";
+ int count = -1;
+
+ for (Object value : valueList) {
+ count++;
+
+ if (count > 0) {
+ expr += " || ";
+ }
+
+ expr += setField(fieldName, value);
+ }
+
+ return expr;
+ }
+
+ private String setField(String fieldName, Object value) {
+ if (value == null || StringUtils.isBlank(value.toString())) {
+ return null;
+ }
+
+ if (value instanceof Integer || value instanceof Long) {
+ if (fieldName.startsWith("-")) {
+ 
fieldName = fieldName.substring(1);
+
+ return "$." + fieldName + " != " + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase());
+ }
+
+ return "$." + fieldName + " = " + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase());
+ }
+
+ if (fieldName.startsWith("-")) {
+ fieldName = fieldName.substring(1);
+
+ return "$." + fieldName + " != \"" + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()) + "\"";
+ }
+
+ return "$." + fieldName + " = \"" + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()) + "\"";
+ }
+
+ private String setFieldForPartialSearch(String fieldName, Object value) {
+ if (value == null || StringUtils.isBlank(value.toString())) {
+ return null;
+ }
+ return "$." + fieldName + "= \"*" + ClientUtils.escapeQueryChars(value.toString().trim().toLowerCase()) + "*\"";
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/authentication/unix/jaas/RoleUserAuthorityGranter.java b/security-admin/src/main/java/org/apache/ranger/authentication/unix/jaas/RoleUserAuthorityGranter.java
index b10ac1bf1..6f6404fec 100644
--- a/security-admin/src/main/java/org/apache/ranger/authentication/unix/jaas/RoleUserAuthorityGranter.java
+++ b/security-admin/src/main/java/org/apache/ranger/authentication/unix/jaas/RoleUserAuthorityGranter.java
@@ -17,24 +17,22 @@
 * under the License.
 */
- package org.apache.ranger.authentication.unix.jaas;
+package org.apache.ranger.authentication.unix.jaas;
+
+import org.springframework.security.authentication.jaas.AuthorityGranter;
 import java.security.Principal;
 import java.util.Collections;
 import java.util.Set;
-import org.springframework.security.authentication.jaas.AuthorityGranter;
-
 public class RoleUserAuthorityGranter implements AuthorityGranter {
-
- @Override
- public Set<String> grant(Principal principal) {
- if (principal instanceof UnixGroupPrincipal) {
- Collections.singleton(principal.getName());
- }
- else {
- Collections.singleton("ROLE_USER");
- }
- return null;
- }
+ @Override
+ public Set<String> grant(Principal principal) {
+ if (principal instanceof UnixGroupPrincipal) {
+ Collections.singleton(principal.getName());
+ } else {
+ Collections.singleton("ROLE_USER");
+ }
+ return null;
+ }
 }
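Review bot: The reformatted grant() still discards both Collections.singleton(...) results and unconditionally returns null, so the granter never hands any authority to the JAAS authentication flow regardless of whether the principal is a UnixGroupPrincipal. The checkstyle pass only reflowed the braces; the value computed in each branch should be what the method returns, e.g. `return Collections.singleton(principal instanceof UnixGroupPrincipal ? principal.getName() : "ROLE_USER");`. Whether the caller treats a null set as "no authorities" or as an error is not visible here, but either way the role mapping the two branches were written to express is currently dead code, which is worth a comment on the method if returning null is in fact intended.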
