ATLAS-1671: fix for missing client IP in Ranger audit log for Atlas authorizations

Signed-off-by: Madhan Neethiraj <madhan@apache.org>

ATLAS-1671: fix for missing client IP in Ranger audit log for Atlas authorizations
d6e40806 · nixonrodrigues · Madhan Neethiraj · b86e8591 · d6e40806 · d6e40806
Commit d6e40806 authored Mar 17, 2017 by nixonrodrigues Committed by Madhan Neethiraj Mar 20, 2017
5 changed files
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -40,11 +40,11 @@ public class AtlasAccessRequest {

    public AtlasAccessRequest(HttpServletRequest request, String user, Set<String> userGroups) {
        this(AtlasAuthorizationUtils.getAtlasResourceType(request.getServletPath()), "*", AtlasAuthorizationUtils
-            .getAtlasAction(request.getMethod()), user, userGroups);
+            .getAtlasAction(request.getMethod()), user, userGroups,AtlasAuthorizationUtils.getRequestIpAddress(request));
    }

    public AtlasAccessRequest(Set<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action,
-        String user, Set<String> userGroups) {
+        String user, Set<String> userGroups, String clientIPAddress) {
        if (isDebugEnabled) {
            LOG.debug("==> AtlasAccessRequestImpl-- Initializing AtlasAccessRequest");
        }
@@ -56,7 +56,7 @@ public class AtlasAccessRequest {

        // set remaining fields to default value
        setAccessTime(null);
-        setClientIPAddress(null);
+        setClientIPAddress(clientIPAddress);
    }

    public Set<AtlasResourceTypes> getResourceTypes() {

--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
@@ -18,6 +18,7 @@

 package org.apache.atlas.authorize.simple;

+import javax.servlet.http.HttpServletRequest;
 import org.apache.atlas.AtlasClient;
 import org.apache.atlas.authorize.AtlasActionTypes;
 import org.apache.atlas.authorize.AtlasResourceTypes;
@@ -27,7 +28,8 @@ import org.apache.atlas.authorize.AtlasAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizerFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
@@ -53,7 +55,7 @@ public class AtlasAuthorizationUtils {
        String[] split = contextPath.split("/", 3);

        String api = split[0];
-        if(Pattern.matches("v\\d", api)) {
+        if (Pattern.matches("v\\d", api)) {
            api = split[1];
        }

@@ -98,16 +100,16 @@ public class AtlasAuthorizationUtils {
     * @param contextPath
     * @return set of AtlasResourceTypes types api mapped with AtlasResourceTypes.TYPE eg :- /api/atlas/types/*
     *
-     *         gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/*
-     *         /api/atlas/discovery/search/gremlin /api/atlas/graph/*
+     * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/*
+     * /api/atlas/discovery/search/gremlin /api/atlas/graph/*
+     *
+     * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/*
+     * /api/atlas/entities/{guid}* /api/atlas/discovery/*
     *
-     *         entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/*
-     *         /api/atlas/entities/{guid}* /api/atlas/discovery/*
-     * 
-     *         taxonomy API are also mapped to AtlasResourceTypes.TAXONOMY & AtlasResourceTypes.ENTITY and its terms APIs have
-     *         added AtlasResourceTypes.TERM associations.
+     * taxonomy API are also mapped to AtlasResourceTypes.TAXONOMY & AtlasResourceTypes.ENTITY and its terms APIs have
+     * added AtlasResourceTypes.TERM associations.
     *
-     *         unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed.
+     * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed.
     */
    public static Set<AtlasResourceTypes> getAtlasResourceType(String contextPath) {
        Set<AtlasResourceTypes> resourceTypes = new HashSet<>();
@@ -123,7 +125,7 @@ public class AtlasAuthorizationUtils {
                || api.startsWith("graph")) {
            resourceTypes.add(AtlasResourceTypes.OPERATION);
        } else if (api.startsWith("entities") || api.startsWith("lineage") ||
-                api.startsWith("discovery") || api.startsWith("entity")  || api.startsWith("search")) {
+                api.startsWith("discovery") || api.startsWith("entity") || api.startsWith("search")) {
            resourceTypes.add(AtlasResourceTypes.ENTITY);
        } else if (api.startsWith("taxonomies")) {
            resourceTypes.add(AtlasResourceTypes.TAXONOMY);
@@ -134,7 +136,7 @@ public class AtlasAuthorizationUtils {
            }
        } else {
            LOG.error("Unable to find Atlas Resource corresponding to : {}\nSetting {}"
-                , api, AtlasResourceTypes.UNKNOWN.name());
+                    , api, AtlasResourceTypes.UNKNOWN.name());
            resourceTypes.add(AtlasResourceTypes.UNKNOWN);
        }

@@ -144,13 +146,13 @@ public class AtlasAuthorizationUtils {
        return resourceTypes;
    }

-    public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups) {
+    public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups, HttpServletRequest request) {
        AtlasAuthorizer authorizer = null;
        boolean isaccessAllowed = false;

        Set<AtlasResourceTypes> resourceTypes = new HashSet<>();
        resourceTypes.add(resourcetype);
-        AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups);
+        AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups, AtlasAuthorizationUtils.getRequestIpAddress(request));
        try {
            authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
            if (authorizer != null) {
@@ -162,4 +164,17 @@ public class AtlasAuthorizationUtils {

        return isaccessAllowed;
    }
+
+    public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
+        try {
+            InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr());
+
+            String ip = inetAddr.getHostAddress();
+
+            return ip;
+        } catch (UnknownHostException ex) {
+            LOG.error("Error occured when retrieving IP address", ex);
+            return "";
+        }
+    }
 }
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
@@ -60,7 +60,7 @@ public class SimpleAtlasAuthorizerTest {
        userGroups.add("grp3");
        try {
            AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
-                    resource, action, user, userGroups);
+                    resource, action, user, userGroups,"127.0.0.1");
            SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
                    .getAtlasAuthorizer();

@@ -103,7 +103,7 @@ public class SimpleAtlasAuthorizerTest {
        Set<String> userGroups = new HashSet<>();
        userGroups.add("grp1");
        AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
-                resource, action, user, userGroups);
+                resource, action, user, userGroups,"127.0.0.1");
        try {
            SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
                    .getAtlasAuthorizer();
@@ -146,7 +146,7 @@ public class SimpleAtlasAuthorizerTest {
        Set<String> userGroups = new HashSet<>();
        userGroups.add("grp1");
        AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
-                resource, action, user, userGroups);
+                resource, action, user, userGroups,"127.0.0.1");
        try {
            SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
                    .getAtlasAuthorizer();
@@ -188,7 +188,7 @@ public class SimpleAtlasAuthorizerTest {
        Set<String> userGroups = new HashSet<>();
        userGroups.add("grp3");
        AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
-                resource, action, user, userGroups);
+                resource, action, user, userGroups,"127.0.0.1");
        try {
            SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
                    .getAtlasAuthorizer();

--- a/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java
+++ b/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java
@@ -244,10 +244,11 @@ public class AdminResource {
                for (GrantedAuthority c : authorities) {
                    groups.add(c.getAuthority());
                }
+
                isEntityUpdateAccessAllowed = AtlasAuthorizationUtils.isAccessAllowed(AtlasResourceTypes.ENTITY,
-                        AtlasActionTypes.UPDATE, userName, groups);
+                        AtlasActionTypes.UPDATE, userName, groups, httpServletRequest);
                isEntityCreateAccessAllowed = AtlasAuthorizationUtils.isAccessAllowed(AtlasResourceTypes.ENTITY,
-                        AtlasActionTypes.CREATE, userName, groups);
+                        AtlasActionTypes.CREATE, userName, groups, httpServletRequest);
            }

            JSONObject responseData = new JSONObject();
@@ -313,7 +314,7 @@ public class AdminResource {

            AtlasExportResult result = exportService.run(exportSink, request, Servlets.getUserName(httpServletRequest),
                                                         Servlets.getHostName(httpServletRequest),
-                                                         Servlets.getRequestIpAddress(httpServletRequest));
+                                                         AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest));

            exportSink.close();

@@ -364,7 +365,7 @@ public class AdminResource {

            result = importService.run(zipSource, request, Servlets.getUserName(httpServletRequest),
                                       Servlets.getHostName(httpServletRequest),
-                                       Servlets.getRequestIpAddress(httpServletRequest));
+                                       AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest));
        } catch (Exception excp) {
            LOG.error("importData(binary) failed", excp);

@@ -398,7 +399,7 @@ public class AdminResource {

            result = importService.run(request, Servlets.getUserName(httpServletRequest),
                                       Servlets.getHostName(httpServletRequest),
-                                       Servlets.getRequestIpAddress(httpServletRequest));
+                                       AtlasAuthorizationUtils.getRequestIpAddress(httpServletRequest));
        } catch (Exception excp) {
            LOG.error("importFile() failed", excp);


--- a/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java
+++ b/webapp/src/main/java/org/apache/atlas/web/util/Servlets.java
@@ -26,7 +26,6 @@ import org.apache.commons.collections.MapUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.utils.URLEncodedUtils;
 import org.codehaus.jettison.json.JSONException;
@@ -38,10 +37,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.io.IOException;
-import java.io.PrintWriter;
 import java.io.StringWriter;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
 import java.nio.charset.Charset;
 import java.util.HashMap;
 import java.util.List;
@@ -184,19 +180,6 @@ public final class Servlets {
        return StringEscapeUtils.escapeJson(inputStr);
    }

-    public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
-        try {
-            InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr());
-
-            String ip = inetAddr.getHostAddress();
-
-            return ip;
-        } catch(UnknownHostException ex) {
-            LOG.error("Error occured when retrieving IP address", ex);
-            return "";
-        }
-    }
-
    public static String getHostName(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getLocalName();
    }