in plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java [126:300]
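/**
 * Authorizes a Solr request by mapping the handler's permission name onto one or more
 * Ranger access requests and asking the Ranger plugin to evaluate each of them.
 *
 * <p>Decision semantics that follow from the code below:
 * <ul>
 *   <li>Every generated Ranger request must be allowed; the first denied (or {@code null})
 *       result denies the whole Solr request.</li>
 *   <li>Any exception or error thrown while building or evaluating the requests results in
 *       a deny (fail closed) and is logged through {@code MiscUtil.logErrorMessageByInterval}.</li>
 *   <li>A handler that does not implement {@code PermissionNameProvider}, a permission name
 *       of {@code ALL}, or a permission name without a mapping produces no Ranger request and
 *       is therefore allowed (fail open). See SOLR-11623 for the handler case.</li>
 * </ul>
 *
 * @param context the Solr authorization context for the current request
 * @return an {@code AuthorizationResponse} with status 403 when denied, 200 otherwise
 */
public AuthorizationResponse authorize(AuthorizationContext context) {
    boolean isDenied = false;
    try {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerSolrAuthorizer.authorize()");
            logAuthorizationContext(context);
        }
        RangerSolrAuditHandler auditHandler = new RangerSolrAuditHandler(solrPlugin.getConfig());
        RangerPerfTracer perf = null;
        if (RangerPerfTracer.isPerfTraceEnabled(RangerSolrConstants.PERF_SOLRAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(RangerSolrConstants.PERF_SOLRAUTH_REQUEST_LOG, "RangerSolrAuthorizer.authorize()");
        }
        String userName = getUserName(context);
        Set<String> userGroups = getGroupsForUser(userName);
        String ip = resolveClientIp(context);
        Date eventTime = new Date();

        // Build the list of Ranger requests representing the requested privileges; each one is
        // evaluated afterwards and all of them must be allowed.
        // The following logic is taken from Sentry. See SentrySolrPluginImpl.java.
        List<RangerAccessRequestImpl> rangerRequests = new ArrayList<>();
        if (context.getHandler() instanceof PermissionNameProvider) {
            PermissionNameProvider.Name perm = ((PermissionNameProvider) context.getHandler()).getPermissionName(context);
            if (perm == null) {
                // No permission name to map: fail closed rather than letting a NullPointerException
                // from the switch decide the outcome.
                logger.warn("Request Handler: {} did not provide a permission name; denying the request.", context.getHandler().getClass().getName());
                isDenied = true;
            } else {
                addRangerRequestsForPermission(rangerRequests, perm, context, userName, userGroups, ip, eventTime);
            }
        } else {
            logger.warn("Request Handler: {} is not an instance of PermissionNameProvider and so we are not able to authenticate the request. Check SOLR-11623 for more information.", context.getHandler().getClass().getName());
        }
        /*
         * The permission mapping above handles all known permission types. Some of the request handlers
         * in SOLR do not implement PermissionNameProvider interface and hence are incapable of providing the
         * type of permission to be enforced for this request. This is a design limitation (or a bug) on the SOLR
         * side. Until that issue is resolved, Solr/Sentry plugin needs to return OK for such requests.
         * Ref: SOLR-11623
         */
        if (!isDenied) {
            logger.debug("rangerRequests.size()={}", rangerRequests.size());
            try {
                isDenied = anyRequestDenied(rangerRequests, auditHandler);
            } finally {
                // Audit events are flushed even when evaluation throws, so denied-by-error requests
                // still leave whatever audit records were produced before the failure.
                auditHandler.flushAudit();
                RangerPerfTracer.log(perf);
            }
        }
    } catch (Throwable t) {
        // Throwable (not just Exception) so that an Error during evaluation also fails closed.
        isDenied = true;
        MiscUtil.logErrorMessageByInterval(logger, t.getMessage(), t);
    }
    AuthorizationResponse response = new AuthorizationResponse(isDenied ? 403 : 200);
    logger.debug("<== RangerSolrAuthorizer.authorize() result: {} Response : {}", isDenied, response.getMessage());
    return response;
}

/**
 * Resolves the client IP recorded in the Ranger access request and audit record.
 *
 * <p>When {@code useProxyIP} is set the value of the configured {@code proxyIPHeader} is used first;
 * otherwise (or when that header is absent) the {@code REMOTE_ADDR} header, and finally
 * {@code context.getRemoteAddr()}. Request headers are supplied by whoever connects to Solr, so the
 * header-derived value is only as trustworthy as the reverse proxy that sets it; enable
 * {@code useProxyIP} only when such a proxy is in front of Solr.
 *
 * @param context the Solr authorization context
 * @return the resolved IP, or {@code null} if none of the sources provides one
 */
private String resolveClientIp(AuthorizationContext context) {
    String ip = null;
    if (useProxyIP) {
        ip = context.getHttpHeader(proxyIPHeader);
    }
    if (ip == null) {
        ip = context.getHttpHeader("REMOTE_ADDR");
    }
    if (ip == null) {
        ip = context.getRemoteAddr();
    }
    return ip;
}

/**
 * Appends the Ranger access requests that correspond to a Solr permission name.
 *
 * <p>Permission names with no case below (and {@code ALL}) add nothing, which the caller treats
 * as an allow; the default branch logs that situation so it is visible in debug output.
 *
 * @param rangerRequests the list to append to
 * @param perm           the non-null permission name reported by the request handler
 * @param context        the Solr authorization context
 * @param userName       the requesting user
 * @param userGroups     the groups of the requesting user
 * @param ip             the resolved client IP, may be {@code null}
 * @param eventTime      the time stamped on each generated request
 */
private void addRangerRequestsForPermission(List<RangerAccessRequestImpl> rangerRequests, PermissionNameProvider.Name perm, AuthorizationContext context, String userName, Set<String> userGroups, String ip, Date eventTime) {
    switch (perm) {
        case READ_PERM:
        case UPDATE_PERM: {
            RangerSolrConstants.AccessType accessType = (perm == PermissionNameProvider.Name.READ_PERM) ? RangerSolrConstants.AccessType.QUERY : RangerSolrConstants.AccessType.UPDATE;
            for (CollectionRequest req : context.getCollectionRequests()) {
                rangerRequests.add(createRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.ResourceType.COLLECTION, req.collectionName, accessType));
            }
            break;
        }
        case SECURITY_EDIT_PERM: {
            rangerRequests.add(createAdminRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.AdminType.SECURITY, RangerSolrConstants.AccessType.UPDATE));
            break;
        }
        case SECURITY_READ_PERM: {
            rangerRequests.add(createAdminRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.AdminType.SECURITY, RangerSolrConstants.AccessType.QUERY));
            break;
        }
        case CORE_READ_PERM:
        case CORE_EDIT_PERM:
        case COLL_READ_PERM:
        case COLL_EDIT_PERM: {
            RangerSolrConstants.AdminType adminType = (perm == PermissionNameProvider.Name.COLL_READ_PERM || perm == PermissionNameProvider.Name.COLL_EDIT_PERM)
                    ? RangerSolrConstants.AdminType.COLLECTIONS : RangerSolrConstants.AdminType.CORES;
            RangerSolrConstants.AccessType accessType = (perm == PermissionNameProvider.Name.COLL_READ_PERM || perm == PermissionNameProvider.Name.CORE_READ_PERM)
                    ? RangerSolrConstants.AccessType.QUERY : RangerSolrConstants.AccessType.UPDATE;
            // Admin-level permission for the operation itself ...
            rangerRequests.add(createAdminRequest(userName, userGroups, ip, eventTime, context, adminType, accessType));
            // ... plus collection-level permission for every collection the admin operation touches.
            Map<String, RangerSolrConstants.AccessType> collectionsForAdminOpMap = SolrAuthzUtil.getCollectionsForAdminOp(context);
            for (Map.Entry<String, RangerSolrConstants.AccessType> entry : collectionsForAdminOpMap.entrySet()) {
                rangerRequests.add(createRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.ResourceType.COLLECTION, entry.getKey(), entry.getValue()));
            }
            break;
        }
        case CONFIG_EDIT_PERM: {
            for (String s : SolrAuthzUtil.getConfigAuthorizables(context)) {
                rangerRequests.add(createRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.ResourceType.CONFIG, s, RangerSolrConstants.AccessType.UPDATE));
            }
            break;
        }
        case CONFIG_READ_PERM: {
            for (String s : SolrAuthzUtil.getConfigAuthorizables(context)) {
                rangerRequests.add(createRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.ResourceType.CONFIG, s, RangerSolrConstants.AccessType.QUERY));
            }
            break;
        }
        case SCHEMA_EDIT_PERM: {
            for (String s : SolrAuthzUtil.getSchemaAuthorizables(context)) {
                rangerRequests.add(createRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.ResourceType.SCHEMA, s, RangerSolrConstants.AccessType.UPDATE));
            }
            break;
        }
        case SCHEMA_READ_PERM: {
            for (String s : SolrAuthzUtil.getSchemaAuthorizables(context)) {
                rangerRequests.add(createRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.ResourceType.SCHEMA, s, RangerSolrConstants.AccessType.QUERY));
            }
            break;
        }
        case METRICS_HISTORY_READ_PERM:
        case METRICS_READ_PERM: {
            rangerRequests.add(createAdminRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.AdminType.METRICS, RangerSolrConstants.AccessType.QUERY));
            break;
        }
        case AUTOSCALING_READ_PERM:
        case AUTOSCALING_HISTORY_READ_PERM: {
            rangerRequests.add(createAdminRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.AdminType.AUTOSCALING, RangerSolrConstants.AccessType.QUERY));
            break;
        }
        case AUTOSCALING_WRITE_PERM: {
            rangerRequests.add(createAdminRequest(userName, userGroups, ip, eventTime, context, RangerSolrConstants.AdminType.AUTOSCALING, RangerSolrConstants.AccessType.UPDATE));
            break;
        }
        case ALL: {
            logger.debug("Not adding anything to the requested privileges, since permission is ALL");
            break;
        }
        default: {
            // NOTE(review): an unmapped permission name yields no Ranger request and is therefore
            // allowed by the caller; logged so the gap is visible when reviewing coverage.
            logger.debug("No Ranger access request is mapped for permission {}; request is not checked against Ranger policies", perm);
            break;
        }
    }
}

/**
 * Evaluates the generated requests against the Ranger plugin, stopping at the first denial.
 *
 * @param rangerRequests the requests to evaluate, in order
 * @param auditHandler   the audit handler passed to each evaluation (flushed by the caller)
 * @return {@code true} if any request was denied or produced a {@code null} result
 */
private boolean anyRequestDenied(List<RangerAccessRequestImpl> rangerRequests, RangerSolrAuditHandler auditHandler) {
    for (RangerAccessRequestImpl rangerRequest : rangerRequests) {
        RangerAccessResult result = solrPlugin.isAccessAllowed(rangerRequest, auditHandler);
        logger.debug("rangerRequest={} result={}", rangerRequest, result);
        // A missing result is treated as a deny, never as an allow.
        if (result == null || !result.getIsAllowed()) {
            return true;
        }
    }
    return false;
}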