Merge pull request #129 from ing-bank/feature/bucketPolicies

enable checking ranger policies for create/delete buckets
ing-bank · Apr 14, 2020 · da21d01 · da21d01
2 parents 088efcf + 610ef9a
commit da21d01
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 17 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -19,10 +19,10 @@ services:
     command: demo
 
   postgres-server:
-    image: wbaa/rokku-dev-apache-ranger-postgres:0.0.17
+    image: wbaa/rokku-dev-apache-ranger-postgres:0.0.21
 
   ranger-admin:
-    image: wbaa/rokku-dev-apache-ranger:0.0.19
+    image: wbaa/rokku-dev-apache-ranger:0.0.21
     stdin_open: true
     tty: true
     depends_on:
@@ -48,7 +48,7 @@ services:
       - "mariadb"
 
   keycloak:
-    image: wbaa/rokku-dev-keycloak:0.0.7
+    image: wbaa/rokku-dev-keycloak:0.0.8
     environment:
       - KEYCLOAK_USER=admin
       - KEYCLOAK_PASSWORD=admin

diff --git a/src/it/scala/com/ing/wbaa/rokku/proxy/provider/AuthorizationProviderRangerItTest.scala b/src/it/scala/com/ing/wbaa/rokku/proxy/provider/AuthorizationProviderRangerItTest.scala
@@ -32,6 +32,14 @@ class AuthorizationProviderRangerItTest extends AsyncWordSpec with Diagrams {
     UserAssumeRole("")
   )
 
+  val adminUser = User(
+    UserName("rokkuadmin"),
+    Set.empty,
+    AwsAccessKey("accesskey"),
+    AwsSecretKey("secretkey"),
+    UserAssumeRole("")
+  )
+
   val clientIPAddress = RemoteAddress(InetAddress.getByName("1.7.8.9"), Some(1234))
   val unauthorizedIPAddress = RemoteAddress(InetAddress.getByName("1.2.3.4"), Some(1234))
   val headerIPs = HeaderIPs(
@@ -107,17 +115,27 @@ class AuthorizationProviderRangerItTest extends AsyncWordSpec with Diagrams {
           accessType = Read(), clientIPAddress = clientIPAddress, headerIPs = headerIPs), user))
       }
 
-      "does authorize allow-create-buckets set to true" in withAuthorizationProviderRanger(new RangerSettings(testSystem.settings.config) {
-        override val createBucketsEnabled: Boolean = true
+      "does authorize creating bucket for an admin" in withAuthorizationProviderRanger(new RangerSettings(testSystem.settings.config) {
       }) { apr =>
         assert(apr.isUserAuthorizedForRequest(s3Request.copy(s3Object = None, accessType = Write(),
-          clientIPAddress = clientIPAddress, headerIPs = headerIPs), user))
+          clientIPAddress = clientIPAddress, headerIPs = headerIPs), adminUser))
       }
 
-      "does authorize delete buckets set to true" in withAuthorizationProviderRanger(new RangerSettings(testSystem.settings.config) {
-        override val createBucketsEnabled: Boolean = true
+      "does authorize deleting bucket for an admin" in withAuthorizationProviderRanger(new RangerSettings(testSystem.settings.config) {
       }) { apr =>
         assert(apr.isUserAuthorizedForRequest(s3Request.copy(s3Object = None, accessType = Delete(),
+          clientIPAddress = clientIPAddress, headerIPs = headerIPs), adminUser))
+      }
+
+      "does not authorize creating bucket for a user" in withAuthorizationProviderRanger(new RangerSettings(testSystem.settings.config) {
+      }) { apr =>
+        assert(!apr.isUserAuthorizedForRequest(s3Request.copy(s3Object = None, accessType = Write(),
+          clientIPAddress = clientIPAddress, headerIPs = headerIPs), user))
+      }
+
+      "does not authorize deleting bucket for a user" in withAuthorizationProviderRanger(new RangerSettings(testSystem.settings.config) {
+      }) { apr =>
+        assert(!apr.isUserAuthorizedForRequest(s3Request.copy(s3Object = None, accessType = Delete(),
           clientIPAddress = clientIPAddress, headerIPs = headerIPs), user))
       }
 

diff --git a/src/main/resources/application.conf b/src/main/resources/application.conf
@@ -6,7 +6,6 @@ rokku {
     }
     ranger {
         allow-list-buckets = ${?ALLOW_LIST_BUCKETS}
-        allow-create-buckets = ${?ALLOW_CREATE_BUCKETS}
         user-domain-postfix = ${?ROKKU_RANGER_USER_DOMAIN_POSTFIX}
         enabled-audit = ${?ROKKU_RANGER_ENABLED_AUDIT}
         role-prefix = ${?ROKKU_RANGER_ROLE_PREFIX}

diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
@@ -13,7 +13,6 @@ rokku {
         service_type = "s3"
         app_id = "testservice"
         allow-list-buckets = true
-        allow-create-buckets = false
         user-domain-postfix = ""
         enabled-audit = false
         role-prefix = "role_"

diff --git a/src/main/scala/com/ing/wbaa/rokku/proxy/config/RangerSettings.scala b/src/main/scala/com/ing/wbaa/rokku/proxy/config/RangerSettings.scala
@@ -7,7 +7,6 @@ class RangerSettings(config: Config) extends Extension {
   val serviceType: String = config.getString("rokku.ranger.service_type")
   val appId: String = config.getString("rokku.ranger.app_id")
   val listBucketsEnabled: Boolean = config.getBoolean("rokku.ranger.allow-list-buckets")
-  val createBucketsEnabled: Boolean = config.getBoolean("rokku.ranger.allow-create-buckets")
   val userDomainPostfix: String = config.getString("rokku.ranger.user-domain-postfix")
   val auditEnabled: Boolean = config.getBoolean("rokku.ranger.enabled-audit")
   val rolePrefix: String = config.getString("rokku.ranger.role-prefix")

diff --git a/src/main/scala/com/ing/wbaa/rokku/proxy/handler/RequestHandlerS3Cache.scala b/src/main/scala/com/ing/wbaa/rokku/proxy/handler/RequestHandlerS3Cache.scala
@@ -86,8 +86,8 @@ trait RequestHandlerS3Cache extends HazelcastCache with RequestHandlerS3 with Ca
         }
       }.onComplete {
         case Failure(exception: ObjectTooBigException) => logger.debug("Object too big to be stored in cache {}", key, exception)
-        case Failure(exception)                       => logger.error("Cannot store object () in cache {}", key, exception)
-        case Success(value)                           => if (value.nonEmpty) putObject(key, value)
+        case Failure(exception)                        => logger.error("Cannot store object () in cache {}", key, exception)
+        case Success(value)                            => if (value.nonEmpty) putObject(key, value)
       }
     }
   }

diff --git a/src/main/scala/com/ing/wbaa/rokku/proxy/provider/AuthorizationProviderRanger.scala b/src/main/scala/com/ing/wbaa/rokku/proxy/provider/AuthorizationProviderRanger.scala
@@ -109,10 +109,8 @@ trait AuthorizationProviderRanger {
         true
 
       // create / delete bucket operation
-      case S3Request(_, Some(bucket), None, accessType, _, _, _) if (accessType.isInstanceOf[Write] || accessType.isInstanceOf[Delete]) && rangerSettings.createBucketsEnabled =>
-        logger.debug(s"Skipping ranger for creation/deletion of bucket with request: $request")
-        logger.info(s"bucket $bucket has been ${accessType.auditAction}")
-        true
+      case S3Request(_, Some(bucket), None, accessType, _, _, _) if (accessType.isInstanceOf[Write] || accessType.isInstanceOf[Delete]) =>
+        isAuthorisedByRanger("/")
 
       // list buckets
       case S3Request(_, None, None, accessType, _, _, _) if accessType.isInstanceOf[Read] && rangerSettings.listBucketsEnabled =>