RANGER-5312: add authz-embedded module

authz-embedded/pom.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.apache.ranger</groupId>
+        <artifactId>ranger</artifactId>
+        <version>3.0.0-SNAPSHOT</version>
+        <relativePath>..</relativePath>
+    </parent>
+
+    <artifactId>authz-embedded</artifactId>
+    <description>Ranger Authorization - Embedded</description>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons.lang3.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-audit-dest-hdfs</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-audit-dest-solr</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-authz-api</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-plugins-common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>${junit.jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>${junit.jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

authz-embedded/src/conf/ranger-authz-embedded.properties

@@ -0,0 +1,55 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ranger.authz.init.services=dev_hdfs,dev_hive,dev_kafka
+
+# Default service name for each service type - used when authz requests don't specify service name
+ranger.authz.servicetype.hdfs.default.service=dev_hdfs
+ranger.authz.servicetype.ozone.default.service=dev_ozone
+ranger.authz.servicetype.hive.default.service=dev_hive
+ranger.authz.servicetype.hbase.default.service=dev_hbase
+ranger.authz.servicetype.trino.default.service=dev_trino
+ranger.authz.servicetype.kafka.default.service=dev_kafka
+
+# Default endpoint to retrieve policy information
+ranger.authz.default.policy.source.impl=org.apache.ranger.admin.client.RangerAdminRESTClient
+ranger.authz.default.policy.rest.url=http://localhost:6080
+ranger.authz.default.policy.rest.ssl.config.file=/etc/hive/conf/ranger-policymgr-ssl.xml
+ranger.authz.default.policy.rest.client.connection.timeoutMs=120000
+ranger.authz.default.policy.rest.client.read.timeoutMs=30000
+ranger.authz.default.policy.pollIntervalMs=30000
+ranger.authz.default.policy.cache.dir=/etc/ranger/policycache
+
+# Audit configurations
+#  Audit destination: HDFS
+ranger.authz.audit.destination.hdfs=enabled
+ranger.authz.audit.destination.hdfs.dir=hdfs://nameservice1/ranger/audit
+ranger.authz.audit.destination.hdfs.subdir=%app-type%/%time:yyyyMMdd%
+ranger.authz.audit.destination.hdfs.filename.format=ranger_audit_%hostname%.log
+ranger.authz.audit.destination.hdfs.file.rollover.sec=86400
+
+#  Audit destination: Solr
+ranger.authz.audit.destination.solr=enabled
+ranger.authz.audit.destination.solr.urls=http://localhost:8983/solr
+ranger.authz.audit.destination.solr.zookeepers=
+ranger.authz.audit.destination.solr.collection=ranger_audits
+
+#  Audit destination: Log4j
+ranger.authz.audit.destination.log4j=enabled
+ranger.authz.audit.destination.log4j.logger=ranger_audit
+

authz-embedded/src/main/java/org/apache/ranger/authz/embedded/RangerAuthzAuditHandler.java

@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authz.embedded;
+
+import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+public class RangerAuthzAuditHandler extends RangerDefaultAuditHandler implements AutoCloseable {
+    private final RangerBasePlugin            plugin;
+    private final Collection<AuthzAuditEvent> auditEvents = new ArrayList<>();
+    private       boolean                     deniedExists;
+
+    public RangerAuthzAuditHandler(RangerBasePlugin plugin) {
+        super();
+
+        this.plugin = plugin;
+    }
+
+    @Override
+    public void processResult(RangerAccessResult result) {
+        AuthzAuditEvent auditEvent = getAuthzEvents(result);
+
+        // in case denied access, log only the first denied access; ignore all others
+        if (auditEvent != null && !deniedExists) {
+            auditEvent.setAgentId(plugin.getAppId());
+
+            if (result.getIsAccessDetermined() && !result.getIsAllowed()) {
+                deniedExists = true;
+
+                auditEvents.clear();
+            }
+
+            auditEvents.add(auditEvent);
+        }
+    }
+
+    @Override
+    public void processResults(Collection<RangerAccessResult> results) {
+        results.forEach(this::processResult);
+    }
+
+    @Override
+    public void close() {
+        auditEvents.forEach(super::logAuthzAudit);
+    }
+}

authz-embedded/src/main/java/org/apache/ranger/authz/embedded/RangerAuthzConfig.java

@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authz.embedded;
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Properties;
+
+public class RangerAuthzConfig {
+    public static final String PROP_PREFIX_INIT_SERVICES = "ranger.authz.init.services";
+    public static final String PROP_PREFIX_DEFAULT       = "ranger.authz.default.";
+    public static final String PROP_PREFIX_AUDIT         = "ranger.authz.audit.";
+    public static final String PROP_PREFIX_SERVICE       = "ranger.authz.service.";
+    public static final String PROP_PREFIX_SERVICE_TYPE  = "ranger.authz.servicetype.";
+
+    private final Properties properties;
+
+    public RangerAuthzConfig(Properties properties) {
+        this.properties = properties;
+    }
+
+    public String[] getInitServices() {
+        String initServices = properties.getProperty(PROP_PREFIX_INIT_SERVICES);
+
+        if (StringUtils.isBlank(initServices)) {
+            return new String[0];
+        }
+
+        return initServices.split(",");
+    }
+
+    public Properties getAuditProperties() {
+        Properties ret = new Properties();
+
+        for (String propName : properties.stringPropertyNames()) {
+            if (propName.startsWith(PROP_PREFIX_AUDIT)) {
+                String propValue      = properties.getProperty(propName);
+                String propSuffix     = propName.substring(PROP_PREFIX_AUDIT.length());
+                String pluginPropName = "xasecure.audit." + propSuffix;
+
+                ret.setProperty(pluginPropName, propValue);
+            }
+        }
+
+        return ret;
+    }
+
+    public Properties getServiceProperties(String serviceName, String serviceType) {
+        Properties ret = new Properties();
+
+        if (StringUtils.isBlank(serviceType)) {
+            serviceType = getServiceTypeForService(serviceName);
+        }
+
+        String pluginPropPrefix = "ranger.plugin." + serviceType + ".";
+
+        // collect default properties
+        for (String propName : properties.stringPropertyNames()) {
+            if (propName.startsWith(PROP_PREFIX_DEFAULT)) {
+                String propValue      = properties.getProperty(propName);
+                String propSuffix     = propName.substring(PROP_PREFIX_DEFAULT.length());
+                String pluginPropName = pluginPropPrefix + propSuffix;
+
+                ret.setProperty(pluginPropName, propValue);
+            }
+        }
+
+        // collect service-type level properties
+        if (StringUtils.isNotBlank(serviceType)) {
+            String svcTypePropPrefix = PROP_PREFIX_SERVICE_TYPE + serviceType + ".";
+
+            for (String propName : properties.stringPropertyNames()) {
+                if (propName.startsWith(svcTypePropPrefix)) {
+                    String propValue      = properties.getProperty(propName);
+                    String propSuffix     = propName.substring(svcTypePropPrefix.length());
+                    String pluginPropName = pluginPropPrefix + propSuffix;
+
+                    ret.setProperty(pluginPropName, propValue);
+                }
+            }
+        }
+
+        // collect service-level properties
+        String svcPropPrefix = PROP_PREFIX_SERVICE + serviceName + ".";
+
+        for (String propName : properties.stringPropertyNames()) {
+            if (propName.startsWith(svcPropPrefix)) {
+                String propValue      = properties.getProperty(propName);
+                String propSuffix     = propName.substring(svcPropPrefix.length());
+                String pluginPropName = pluginPropPrefix + propSuffix;
+
+                ret.setProperty(pluginPropName, propValue);
+            }
+        }
+
+        return ret;
+    }
+
+    public String getServiceTypeForService(String serviceName) {
+        return properties.getProperty(PROP_PREFIX_SERVICE + serviceName + ".servicetype");
+    }
+
+    public String getDefaultServiceNameForServiceType(String serviceType) {
+        return properties.getProperty(PROP_PREFIX_SERVICE_TYPE + serviceType + ".default.service");
+    }
+
+    /*
+    private void collectPluginProperties(String prefix, Properties serviceProps) {
+        for (String propName : properties.stringPropertyNames()) {
+            if (propName.startsWith(prefix)) {
+                String propValue = properties.getProperty(propName);
+
+                String pluginPropName = propName.substring(prefix.length());
+
+                serviceProps.setProperty(pluginPropName, propValue);
+            }
+        }
+    }
+     */
+}