Repository: ranger Updated Branches: refs/heads/master e0c1e355a -> 7985dd473
http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java index f414d2e..274028e 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java @@ -72,9 +72,9 @@ public class TestRangerServiceDefHelper { RangerResourceDef UDF = createResourceDef("UDF", "Database"); RangerResourceDef Table = createResourceDef("Table", "Database"); RangerResourceDef Column = createResourceDef("Column", "Table"); - RangerResourceDef Table_Atrribute = createResourceDef("Table-Attribute", "Table"); + RangerResourceDef Table_Attribute = createResourceDef("Table-Attribute", "Table"); // order of resources in list sould not matter - List<RangerResourceDef> resourceDefs = Lists.newArrayList(Column, Database, Table, Table_Atrribute, UDF); + List<RangerResourceDef> resourceDefs = Lists.newArrayList(Column, Database, Table, Table_Attribute, UDF); // stuff this into a service-def when(_serviceDef.getResources()).thenReturn(resourceDefs); // now assert the behavior @@ -86,7 +86,7 @@ public class TestRangerServiceDefHelper { assertTrue(hierarchies.contains(hierarchy)); hierarchy = Lists.newArrayList(Database, Table, Column); assertTrue(hierarchies.contains(hierarchy)); - hierarchy = Lists.newArrayList(Database, Table, Table_Atrribute); + hierarchy = Lists.newArrayList(Database, Table, Table_Attribute); assertTrue(hierarchies.contains(hierarchy)); } 
@@ -144,7 +144,7 @@ public class TestRangerServiceDefHelper { expectedHierarchies.add(Lists.newArrayList("database", "table", "column")); expectedHierarchies.add(Lists.newArrayList("namespace", "package")); expectedHierarchies.add(Lists.newArrayList("namespace", "function")); - + for (List<RangerResourceDef> aHierarchy : hierarchies) { List<String> resourceNames = _helper.getAllResourceNamesOrdered(aHierarchy); assertTrue(expectedHierarchies.contains(resourceNames)); @@ -185,7 +185,7 @@ public class TestRangerServiceDefHelper { expectedHierarchies.add(Lists.newArrayList("server")); expectedHierarchies.add(Lists.newArrayList("namespace", "package")); expectedHierarchies.add(Lists.newArrayList("namespace", "function")); - + for (List<RangerResourceDef> aHierarchy : hierarchies) { List<String> resourceNames = _helper.getAllResourceNamesOrdered(aHierarchy); assertTrue(expectedHierarchies.contains(resourceNames)); 
@@ -227,14 +227,108 @@ public class TestRangerServiceDefHelper { _helper = new RangerServiceDefHelper(_serviceDef); assertTrue("Didn't get a delegate different than what was put in the cache", newDelegate == _helper._delegate); } - + + @Test + public void test_getResourceHierarchies_with_leaf_specification() { + /* + * Leaf Spec for resources: + * Database: non-leaf + * UDF: Not-specified + * Table: Leaf + * Column: Leaf + * Table-Attribute: Leaf + * + * Create a service-def with following resource graph + * + * Database -> UDF + * | + * v + * Table -> Column + * | + * v + * Table-Attribute + * + * It contains following hierarchies + * - [ Database UDF] + * - [ Database Table Column ] + * - [ Database Table ] + * - [ Database Table Table-Attribute ] + */ + RangerResourceDef Database = createResourceDef("Database", "", false); + RangerResourceDef UDF = createResourceDef("UDF", "Database"); + RangerResourceDef Table = createResourceDef("Table", "Database", true); + RangerResourceDef Column = createResourceDef("Column", "Table", true); + RangerResourceDef Table_Attribute = createResourceDef("Table-Attribute", "Table", true); + // order of resources in list should not matter + List<RangerResourceDef> resourceDefs = Lists.newArrayList(Column, Database, Table, Table_Attribute, UDF); + // stuff this into a service-def + when(_serviceDef.getResources()).thenReturn(resourceDefs); + // now assert the behavior + _helper = new RangerServiceDefHelper(_serviceDef); + assertTrue(_helper.isResourceGraphValid()); + Set<List<RangerResourceDef>> hierarchies = _helper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS); + // there should be + List<RangerResourceDef> hierarchy = Lists.newArrayList(Database, UDF); + assertTrue(hierarchies.contains(hierarchy)); + hierarchy = Lists.newArrayList(Database, Table, Column); + assertTrue(hierarchies.contains(hierarchy)); + hierarchy = Lists.newArrayList(Database, Table, Table_Attribute); + assertTrue(hierarchies.contains(hierarchy)); + 
hierarchy = Lists.newArrayList(Database, Table); + assertTrue(hierarchies.contains(hierarchy)); + hierarchy = Lists.newArrayList(Database); + assertFalse(hierarchies.contains(hierarchy)); + } + + @Test + public void test_invalid_resourceHierarchies_with_leaf_specification() { + /* + * Leaf Spec for resources: + * Database: non-leaf + * UDF: Not-specified + * Table: Leaf + * Column: non-Leaf + * Table-Attribute: Leaf + * + * Create a service-def with following resource graph + * + * Database -> UDF + * | + * v + * Table -> Column + * | + * v + * Table-Attribute + * + * It should fail as the hierarchy is invalid ("Error in path: sink node:[Column] is not leaf node") + * + */ + RangerResourceDef Database = createResourceDef("Database", "", false); + RangerResourceDef UDF = createResourceDef("UDF", "Database"); + RangerResourceDef Table = createResourceDef("Table", "Database", true); + RangerResourceDef Column = createResourceDef("Column", "Table", false); + RangerResourceDef Table_Attribute = createResourceDef("Table-Attribute", "Table", true); + // order of resources in list should not matter + List<RangerResourceDef> resourceDefs = Lists.newArrayList(Column, Database, Table, Table_Attribute, UDF); + // stuff this into a service-def + when(_serviceDef.getResources()).thenReturn(resourceDefs); + // now assert the behavior + _helper = new RangerServiceDefHelper(_serviceDef); + assertFalse(_helper.isResourceGraphValid()); + } + RangerResourceDef createResourceDef(String name, String parent) { - RangerResourceDef resourceDef = mock(RangerResourceDef.class); - when(resourceDef.getName()).thenReturn(name); - when(resourceDef.getParent()).thenReturn(parent); - return resourceDef; + return createResourceDef(name, parent, null); } + RangerResourceDef createResourceDef(String name, String parent, Boolean isValidLeaf) { + RangerResourceDef resourceDef = mock(RangerResourceDef.class); + when(resourceDef.getName()).thenReturn(name); + 
when(resourceDef.getParent()).thenReturn(parent); + when(resourceDef.getIsValidLeaf()).thenReturn(isValidLeaf); + return resourceDef; + } + Date getLastMonth() { Calendar cal = GregorianCalendar.getInstance(); cal.add( Calendar.MONTH, 1); http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/ValidationTestUtils.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/ValidationTestUtils.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/ValidationTestUtils.java index 3b0711b..a6ca4fe 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/ValidationTestUtils.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/ValidationTestUtils.java @@ -275,6 +275,7 @@ public class ValidationTestUtils { when(aDef.getRecursiveSupported()).thenReturn(isRecursiveSupported); when(aDef.getParent()).thenReturn(parent); when(aDef.getLevel()).thenReturn(level); + when(aDef.getIsValidLeaf()).thenReturn(null); } defs.add(aDef); } http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index bdbb823..6f389e4 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 
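Review bot: test_getResourceHierarchies_with_leaf_specification asserts that four hierarchies are present and that [Database] is absent, but never pins the size of the set, so an extra or duplicate hierarchy returned by getResourceHierarchies would pass unnoticed; add `assertEquals(4, hierarchies.size());` (or `assertTrue(hierarchies.size() == 4)` if assertEquals is not statically imported) right after the getResourceHierarchies call. The dangling `// there should be` comment above the first contains-check should be completed, e.g. `// there should be exactly the four hierarchies enumerated in the header comment`. The three-argument createResourceDef takes a boxed Boolean so that null can mean "leaf-ness not specified", which is what the two-argument overload delegates with; a one-line Javadoc stating that tri-state contract (`null = unspecified, true = leaf, false = non-leaf`) would make the overload pair self-explanatory. getLastMonth's body continues outside the hunk.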
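Review bot: The new `when(aDef.getIsValidLeaf()).thenReturn(null)` stub looks redundant but is not, because Mockito's default answer returns false rather than null for a method returning the Boolean wrapper; without the stub every resource def built here would read as "explicitly not a leaf" instead of "unspecified". A comment would keep the next reader from deleting it as a no-op: `// explicit null: Mockito would otherwise answer false for Boolean, which means "not a leaf" rather than "unspecified"`. The enclosing loop and method start outside the hunk.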
@@ -151,7 +151,11 @@ public class TestPolicyEngine { " <name>ranger.plugin.tag.attr.additional.date.formats</name>\n" + " <value>abcd||xyz||yyyy/MM/dd'T'HH:mm:ss.SSS'Z'</value>\n" + " </property>\n" + - "</configuration>\n"); + " <property>\n" + + " <name>ranger.plugin.use-cache-for-service-def-helper</name>\n" + + " <value>false</value>\n" + + " </property>\n" + + "</configuration>\n"); writer.close(); RangerConfiguration config = RangerConfiguration.getInstance(); http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java index 3458c26..f6732eb 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java 
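Review bot: The property block appended for ranger.plugin.use-cache-for-service-def-helper is an unexplained setting dropped into the middle of a generated test configuration, and nothing in the hunk says why the test needs the helper cache off. A one-line comment above the new string fragments would do, e.g. `// keep service-def helpers uncached so each test case builds its own from its service-def` (presumably the motivation — confirm). The writer setup and the config read that follows continue outside the hunk.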
@@ -74,8 +74,9 @@ public class TestDefaultPolicyResourceMatcherForPolicy { @Test public void testDefaultPolicyResourceMatcherForPolicy() throws Exception { - String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json", - "/resourcematcher/test_defaultpolicyresourcematcher_for_hdfs_policy.json"}; + String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json", + "/resourcematcher/test_defaultpolicyresourcematcher_for_hdfs_policy.json", + "/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json"}; runTestsFromResourceFiles(tests); } http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json index 6c0d9b4..cba7a21 100644 --- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json +++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json @@ -815,12 +815,12 @@ , { "name": "MATCH for parent 'default'", - "type": "ancestorMatch", + "type": "anyMatch", "resource": { "elements": {"database": "default"} }, "evalContext": {}, - "result": true + "result": false } ] } http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json ---------------------------------------------------------------------- 
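Review bot: The test case's name still reads "MATCH for parent 'default'" while its type was changed to anyMatch and its expected result to false, so the name now contradicts what the case asserts and will be misleading in a failure report. Rename it to state the outcome, e.g. `"name": "No match for parent 'default'"`. Keeping name, type and result consistent matters in these fixtures because the name is the only thing a failing run prints.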
diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json new file mode 100644 index 0000000..6b774f8 --- /dev/null +++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json 
@@ -0,0 +1,335 @@ +{ + "serviceDef": { + "name": "hive", + "id": 3, + "resources": [ + { + "name": "database", + "level": 1, + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Database", + "description": "Hive Database" + }, + { + "name": "table", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Table", + "description": "Hive Table" + }, + { + "name": "udf", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive UDF", + "description": "Hive UDF" + }, + { + "name": "column", + "level": 3, + "parent": "table", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Column", + "description": "Hive Column" + } + ], + "accessTypes": [ + { + "name": "select", + "label": "Select" + }, + { + "name": "update", + "label": "Update" + }, + { + "name": "create", + "label": "Create" + }, + { + "name": "drop", + "label": "Drop" + }, + { + "name": "alter", + "label": "Alter" + }, + { + "name": "index", + "label": "Index" + }, + { + "name": "lock", + "label": "Lock" + }, + { + "name": "all", + "label": "All" + } + ] + }, + "testCases": [ + { + "name": "database=*:table=*:column:demo", + "policyResources": { + "database": {"values": ["*"]}, + "table": {"values": ["*"]}, + "column":{"values":["demo"]} + }, + "tests": [ + { + "name": "Exact match for 
'tmp:*:demo' policy", + "type": "exactMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["tmp"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["demo"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + } + ] + }, + { + "name": "database=finance:table=tax:column:refund", + "policyResources": { + "database": {"values": ["finance"]}, + "table": {"values": ["tax"]}, + "column":{"values":["refund"]} + }, + "tests": [ + { + "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*' policy", + "type": "descendantMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + }, + { + "name": "No match for '*:*:*' policy", + "type": "anyMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + 
"denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : false + } + ] + }, + { + "name": "database=hr:table=*:column:refund", + "policyResources": { + "database": {"values": ["hr"]}, + "table": {"values": ["*"]}, + "column":{"values":["refund"]} + }, + "tests": [ + { + "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", + "type": "exactMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + } + , + { + "name": "No match for 'finance,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", + "type": "anyMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : false + } + ] + }, + { + "name": "database=hr:table=*:column:*", + "policyResources": { + "database": {"values": 
["hr"]}, + "table": {"values": ["*"]}, + "column":{"values":["*"]} + }, + "tests": [ + { + "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", + "type": "ancestorMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + }, + { + "name": "Ancestor match for 'finance,hr,tmp*' policy", + "type": "anyMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : false + }, + { + "name": "No match for 'finance,hr,tmp*::*,salary,tmp*' policy", + "type": "ancestorMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + } + ] + } + ] +} 
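Review bot: Several test-case names in the new fixture disagree with their type or expected result: "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*' policy" has type descendantMatch, "Ancestor match for 'finance,hr,tmp*' policy" is an anyMatch expecting false, and "No match for 'finance,hr,tmp*::*,salary,tmp*' policy" is an ancestorMatch expecting true. Since the name is what a failing run prints, make each state the match type and outcome it asserts, e.g. `"name": "Descendant match for 'finance,hr,tmp*:tax,employee,tmp*' policy"`. The service-def also declares udf as a sibling of table under database, yet no test case uses a udf resource, so the resource-specific matching path for that branch of the hierarchy is not exercised by this file.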
http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java ---------------------------------------------------------------------- diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java index 47b0fcf..4c9f635 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java @@ -140,18 +140,18 @@ public class RangerServiceHdfs extends RangerBaseService { } } - try { - // we need to create one policy for keyadmin user for audit to HDFS - RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); - for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) { - RangerPolicy policy = getPolicyForKMSAudit(aHierarchy); - if (policy != null) { - ret.add(policy); - } - } - } catch (Exception e) { - LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e); - } + try { + // we need to create one policy for keyadmin user for audit to HDFS + RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); + for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) { + RangerPolicy policy = getPolicyForKMSAudit(aHierarchy); + if (policy != null) { + ret.add(policy); + } + } + } catch (Exception e) { + LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e); + } if (LOG.isDebugEnabled()) { LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + ret); 
@@ -159,62 +159,60 @@ public class RangerServiceHdfs extends RangerBaseService { return ret; } - private RangerPolicy getPolicyForKMSAudit(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception { - - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerServiceHdfs.getPolicyForKMSAudit()"); - } - - RangerPolicy policy = new RangerPolicy(); - - policy.setIsEnabled(true); - policy.setVersion(1L); - policy.setName(AUDITTOHDFS_POLICY_NAME); - policy.setService(service.getName()); - policy.setDescription("Policy for " + AUDITTOHDFS_POLICY_NAME); - policy.setIsAuditEnabled(true); - policy.setResources(createKMSAuditResource(resourceHierarchy)); - - List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>(); - //Create policy item for keyadmin - RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); - List<String> userKeyAdmin = new ArrayList<String>(); - userKeyAdmin.add("keyadmin"); - policyItem.setUsers(userKeyAdmin); - policyItem.setAccesses(getAndAllowAllAccesses()); - policyItem.setDelegateAdmin(false); - - policyItems.add(policyItem); - policy.setPolicyItems(policyItems); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerServiceHdfs.getPolicyForKMSAudit()" + policy); - } - - return policy; - } - - private Map<String, RangerPolicy.RangerPolicyResource> createKMSAuditResource(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerServiceHdfs.createKMSAuditResource()"); - } - Map<String, RangerPolicy.RangerPolicyResource> resourceMap = new HashMap<>(); - - for (RangerServiceDef.RangerResourceDef resourceDef : resourceHierarchy) { - RangerPolicy.RangerPolicyResource polRes = new RangerPolicy.RangerPolicyResource(); - - polRes.setIsExcludes(false); - polRes.setIsRecursive(resourceDef.getRecursiveSupported()); - polRes.setValue(AUDITTOHDFS_KMS_PATH); - - resourceMap.put(resourceDef.getName(), polRes); - } - - 
if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerServiceHdfs.createKMSAuditResource():" + resourceMap); - } - return resourceMap; - } + private RangerPolicy getPolicyForKMSAudit(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception { + + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerServiceHdfs.getPolicyForKMSAudit()"); + } + + RangerPolicy policy = new RangerPolicy(); + + policy.setIsEnabled(true); + policy.setVersion(1L); + policy.setName(AUDITTOHDFS_POLICY_NAME); + policy.setService(service.getName()); + policy.setDescription("Policy for " + AUDITTOHDFS_POLICY_NAME); + policy.setIsAuditEnabled(true); + policy.setResources(createKMSAuditResource(resourceHierarchy)); + + List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>(); + //Create policy item for keyadmin + RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); + List<String> userKeyAdmin = new ArrayList<String>(); + userKeyAdmin.add("keyadmin"); + policyItem.setUsers(userKeyAdmin); + policyItem.setAccesses(getAllowedAccesses(policy.getResources())); + policyItem.setDelegateAdmin(false); + + policyItems.add(policyItem); + policy.setPolicyItems(policyItems); + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerServiceHdfs.getPolicyForKMSAudit()" + policy); + } + + return policy; + } + + private Map<String, RangerPolicy.RangerPolicyResource> createKMSAuditResource(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerServiceHdfs.createKMSAuditResource()"); + } + Map<String, RangerPolicy.RangerPolicyResource> resourceMap = super.createDefaultPolicyResource(resourceHierarchy); + + RangerPolicy.RangerPolicyResource pathResource = resourceMap.get(RangerHdfsAuthorizer.KEY_RESOURCE_PATH); + + if (pathResource != null) { + pathResource.setValue(AUDITTOHDFS_KMS_PATH); + } else { + LOG.error("Internal error: Could not find RangerPolicyResource 
corresponding to " + RangerHdfsAuthorizer.KEY_RESOURCE_PATH + " in default policy-resource"); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerServiceHdfs.createKMSAuditResource():" + resourceMap); + } + return resourceMap; + } } http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 89743ae..467cfff 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
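Review bot: In createKMSAuditResource the else-branch only logs when KEY_RESOURCE_PATH is missing from the default policy-resource and then returns the map unchanged, so getPolicyForKMSAudit still builds and returns a keyadmin policy whose resources were never narrowed to AUDITTOHDFS_KMS_PATH. Because the method is declared `throws Exception` and its only caller (the previous hunk of this file) wraps the loop in a catch that logs and skips, failing loudly is safer than emitting a policy with an unintended resource: replace the LOG.error with `throw new IllegalStateException("Could not find RangerPolicyResource for " + RangerHdfsAuthorizer.KEY_RESOURCE_PATH + " in default policy-resource");`. What value the default resource carries when the path key is absent is not visible here, so how much broader the resulting policy would be cannot be confirmed from this hunk.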
@@ -1862,28 +1862,41 @@ public class ServiceDBStore extends AbstractServiceStore { return createdPolicy; } - private boolean validatePolicyItem(List<RangerPolicyItem> policyItems) { - boolean isPolicyItemValid=true; - for (RangerPolicyItem policyItem : policyItems) { - if (policyItem != null) { - if (CollectionUtils.isEmpty(policyItem.getUsers()) - || (policyItem.getUsers() != null) && policyItem.getUsers().contains(null) - || (policyItem.getUsers().contains(""))) { - if (CollectionUtils.isEmpty(policyItem.getGroups()) - || (policyItem.getGroups() != null) && policyItem.getGroups().contains(null) - || (policyItem.getGroups().contains(""))) { - - isPolicyItemValid = false; - } - } - if (CollectionUtils.isEmpty(policyItem.getAccesses()) - || (policyItem.getAccesses() != null) && policyItem.getAccesses().contains(null)) { - isPolicyItemValid = false; - } - } - } - return isPolicyItemValid; - } + private boolean validatePolicyItems(List<? extends RangerPolicyItem> policyItems) { + + boolean isPolicyItemValid = true; + + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicyItem policyItem : policyItems) { + if (policyItem == null) { + isPolicyItemValid = false; + break; + } + + if (CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) { + isPolicyItemValid = false; + break; + } + + if (policyItem.getUsers() != null && (policyItem.getUsers().contains(null) || policyItem.getUsers().contains(""))) { + isPolicyItemValid = false; + break; + } + + if (policyItem.getGroups() != null && (policyItem.getGroups().contains(null) || policyItem.getGroups().contains(""))) { + isPolicyItemValid = false; + break; + } + + if (CollectionUtils.isEmpty(policyItem.getAccesses()) || policyItem.getAccesses().contains(null) || policyItem.getAccesses().contains("")) { + isPolicyItemValid = false; + break; + } + } + } + + return isPolicyItemValid; + } @Override public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception { 
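Review bot: `policyItem.getAccesses().contains("")` in the last check of validatePolicyItems can never be true if getAccesses() returns a List of RangerPolicyItemAccess, as the setAccesses calls elsewhere in this commit suggest; List.contains accepts any Object, but an access object never equals a String, so the empty-name case this term is meant to reject passes validation. Either drop the term or validate the access objects themselves, e.g. a loop over getAccesses() that fails on `access == null || StringUtils.isBlank(access.getType())` — assuming RangerPolicyItemAccess exposes its name via getType(), confirm against the model class. The rest of the rewrite, with one condition per early break, reads much better than the original nested form.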
@@ -2547,8 +2560,6 @@ public class ServiceDBStore extends AbstractServiceStore { List<String> serviceCheckUsers = getServiceCheckUsers(createdService); - List<RangerPolicy.RangerPolicyItemAccess> allAccesses = svc.getAndAllowAllAccesses(); - List<RangerPolicy> defaultPolicies = svc.getDefaultRangerPolicies(); if (CollectionUtils.isNotEmpty(defaultPolicies)) { 
@@ -2556,25 +2567,34 @@ public class ServiceDBStore extends AbstractServiceStore { createDefaultPolicyUsersAndGroups(defaultPolicies); for (RangerPolicy defaultPolicy : defaultPolicies) { - List<RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems(); - if (CollectionUtils.isNotEmpty(serviceCheckUsers) - && StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName())) { + if (CollectionUtils.isNotEmpty(serviceCheckUsers) && StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName())) { + RangerPolicyItem defaultAllowPolicyItem = CollectionUtils.isNotEmpty(defaultPolicy.getPolicyItems()) ? defaultPolicy.getPolicyItems().get(0) : null; - RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); + if (defaultAllowPolicyItem == null) { + LOG.error("There is no allow-policy-item in the default-policy:[" + defaultPolicy + "]"); + } else { + RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); - policyItem.setUsers(serviceCheckUsers); - policyItem.setAccesses(allAccesses); - policyItem.setDelegateAdmin(true); + policyItem.setUsers(serviceCheckUsers); + policyItem.setAccesses(defaultAllowPolicyItem.getAccesses()); + policyItem.setDelegateAdmin(true); - defaultPolicy.getPolicyItems().add(policyItem); + defaultPolicy.getPolicyItems().add(policyItem); + } } - boolean isPolicyItemValid=validatePolicyItem(policyItems); - if (isPolicyItemValid) { - createPolicy(defaultPolicy); - } else { - LOG.warn("Default policy won't be created,since policyItems not valid-either users/groups not present or access not present in policy."); - } + boolean isPolicyItemValid = validatePolicyItems(defaultPolicy.getPolicyItems()) + && validatePolicyItems(defaultPolicy.getDenyPolicyItems()) + && validatePolicyItems(defaultPolicy.getAllowExceptions()) + && validatePolicyItems(defaultPolicy.getDenyExceptions()) + && validatePolicyItems(defaultPolicy.getDataMaskPolicyItems()) + && 
validatePolicyItems(defaultPolicy.getRowFilterPolicyItems()); + + if (isPolicyItemValid) { + createPolicy(defaultPolicy); + } else { + LOG.warn("Default policy won't be created,since policyItems not valid-either users/groups not present or access not present in policy."); + } } } } http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java index ce9aa7e..a989c84 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java @@ -258,6 +258,7 @@ public class ServiceMgr { } private static Map<String, Class<RangerBaseService>> serviceTypeClassMap = new HashMap<String, Class<RangerBaseService>>(); + private static String RANGER_DEFAULT_SERVICE_NAME = "org.apache.ranger.plugin.service.RangerDefaultService"; @SuppressWarnings("unchecked") private Class<RangerBaseService> getClassForServiceType(RangerServiceDef serviceDef) throws Exception { 
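Review bot: `policyItem.setAccesses(defaultAllowPolicyItem.getAccesses())` makes the service-check-user item share the same List instance as policy item 0, so a later in-place edit to either item's accesses silently changes the other; copy it instead, `policyItem.setAccesses(new ArrayList<>(defaultAllowPolicyItem.getAccesses()));` (java.util.ArrayList, if not already imported). The code also treats `getPolicyItems().get(0)` as the allow item whose accesses the delegate-admin grant mirrors, which holds only by convention of the service implementations; a comment stating that assumption, `// by convention the first item of a default policy is the allow item whose accesses the service-check users inherit`, would make the grant reviewable. The enclosing method starts outside the hunk.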
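Review bot: `RANGER_DEFAULT_SERVICE_NAME` is declared `private static String` but is used as a constant; make it `private static final String RANGER_DEFAULT_SERVICE_NAME = "org.apache.ranger.plugin.service.RangerDefaultService";` so it cannot be reassigned and reads as the constant its UPPER_SNAKE_CASE name promises.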
@@ -282,18 +283,30 @@ public class ServiceMgr {
 if(LOG.isDebugEnabled()) {
 LOG.debug("ServiceMgr.getClassForServiceType(" + serviceType + "): service-class " + clsName + " not found in cache");
 }
+try {
-URL[] pluginFiles = getPluginFilesForServiceType(serviceType);
-URLClassLoader clsLoader = new URLClassLoader(pluginFiles, Thread.currentThread().getContextClassLoader());
+Class<?> cls;
-try {
-Class<?> cls = Class.forName(clsName, true, clsLoader);
+if (StringUtils.isEmpty(clsName)) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("No service-class configured for service-type:[" + serviceType + "], using RangerDefaultService");
+}
+clsName = RANGER_DEFAULT_SERVICE_NAME;
+
+cls = Class.forName(clsName);
+} else {
+URL[] pluginFiles = getPluginFilesForServiceType(serviceType);
+
+URLClassLoader clsLoader = new URLClassLoader(pluginFiles, Thread.currentThread().getContextClassLoader());
+
+cls = Class.forName(clsName, true, clsLoader);
+}
-ret = (Class<RangerBaseService>)cls;
+ret = (Class<RangerBaseService>) cls;
 serviceTypeClassMap.put(serviceType, ret);
-if(LOG.isDebugEnabled()) {
+if (LOG.isDebugEnabled()) {
 LOG.debug("ServiceMgr.getClassForServiceType(" + serviceType + "): service-class " + clsName + " added to cache");
 }
 } catch (Exception excp) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/7985dd47/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
index c2e7b76..5cbe47a 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
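Review bot: The unchecked cast `ret = (Class<RangerBaseService>) cls;` caches whatever class the service-def's implClass names without verifying that it is a RangerBaseService, so a mis-configured implClass is stored in `serviceTypeClassMap` and only fails later at instantiation with a ClassCastException. Check before caching: `if (!RangerBaseService.class.isAssignableFrom(cls)) { throw new IllegalArgumentException("service-class " + clsName + " is not a RangerBaseService"); }`. The "not found in cache" debug line above the new `try` also prints `clsName` before the RangerDefaultService fallback is applied, so for a service-type with no implClass it logs a null class name; emitting that line after the fallback would make it accurate. The enclosing method starts and ends outside the hunk.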
@@ -20,9 +20,12 @@ package org.apache.ranger.service;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -55,6 +58,9 @@ public abstract class RangerServiceDefServiceBase<T extends XXServiceDefBase, V
 extends RangerBaseModelService<T, V> {
 private static final Log LOG = LogFactory.getLog(RangerServiceDefServiceBase.class);
+private static final String OPTION_RESOURCE_ACCESS_TYPE_RESTRICTIONS = "__accessTypeRestrictions";
+private static final String OPTION_RESOURCE_IS_VALID_LEAF = "__isValidLeaf";
+
 @Autowired
 RangerAuditFields rangerAuditFields;
@@ -207,10 +213,12 @@ public abstract class RangerServiceDefServiceBase<T extends XXServiceDefBase, V
 xObj.setImplclassname(vObj.getImplClass());
 xObj.setLabel(vObj.getLabel());
 xObj.setDescription(vObj.getDescription());
-xObj.setDefOptions(mapToJsonString(vObj.getOptions()));
 xObj.setRbkeylabel(vObj.getRbKeyLabel());
 xObj.setRbkeydescription(vObj.getRbKeyDescription());
 xObj.setIsEnabled(vObj.getIsEnabled());
+
+xObj.setDefOptions(mapToJsonString(vObj.getOptions()));
+
 return xObj;
 }
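Review bot: The two new option keys are stored inside the persisted matcherOptions JSON and removed again when a resource-def is read back, so a user-defined matcher option that happens to use the same key would be silently consumed; the constants should carry a comment saying so, e.g. `// reserved matcherOptions keys: written into the persisted matcherOptions JSON and stripped when the resource-def is read back; not user-configurable` above `OPTION_RESOURCE_ACCESS_TYPE_RESTRICTIONS`. Whether the `__` prefix is rejected anywhere on input is not visible in this diff.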
@@ -293,7 +301,25 @@ public abstract class RangerServiceDefServiceBase<T extends XXServiceDefBase, V
 xObj.setRecursivesupported(vObj.getRecursiveSupported());
 xObj.setExcludessupported(vObj.getExcludesSupported());
 xObj.setMatcher(vObj.getMatcher());
-xObj.setMatcheroptions(mapToJsonString(vObj.getMatcherOptions()));
+
+String accessTypeRestrictions = objectToJson((HashSet<String>)vObj.getAccessTypeRestrictions());
+String isValidLeaf = objectToJson(vObj.getIsValidLeaf());
+Map<String, String> matcherOptions = vObj.getMatcherOptions();
+
+if (StringUtils.isNotBlank(accessTypeRestrictions)) {
+matcherOptions.put(OPTION_RESOURCE_ACCESS_TYPE_RESTRICTIONS, accessTypeRestrictions);
+} else {
+matcherOptions.remove(OPTION_RESOURCE_ACCESS_TYPE_RESTRICTIONS);
+}
+
+if (StringUtils.isNotBlank(isValidLeaf)) {
+matcherOptions.put(OPTION_RESOURCE_IS_VALID_LEAF, isValidLeaf);
+} else {
+matcherOptions.remove(OPTION_RESOURCE_IS_VALID_LEAF);
+}
+
+xObj.setMatcheroptions(mapToJsonString(matcherOptions));
+
 xObj.setValidationRegEx(vObj.getValidationRegEx());
 xObj.setValidationMessage(vObj.getValidationMessage());
 xObj.setUiHint(vObj.getUiHint());
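Review bot: `Map<String, String> matcherOptions = vObj.getMatcherOptions();` is dereferenced with `put`/`remove` without a null check, so a resource-def whose matcherOptions is unset throws a NullPointerException here unless the model guarantees a non-null map, which this diff does not show; the code also writes the reserved keys into the caller's own map rather than a copy, a side effect on `vObj` that the replaced one-liner did not have. Work on a copy instead: `Map<String, String> matcherOptions = vObj.getMatcherOptions() != null ? new HashMap<>(vObj.getMatcherOptions()) : new HashMap<>();`. The cast `(HashSet<String>)vObj.getAccessTypeRestrictions()` fails with a ClassCastException for any other Set implementation and looks unnecessary if `objectToJson` takes an Object, so passing the Set directly avoids that. The enclosing method starts and ends outside the hunk.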
@@ -317,7 +343,30 @@ public abstract class RangerServiceDefServiceBase<T extends XXServiceDefBase, V
 vObj.setRecursiveSupported(xObj.getRecursivesupported());
 vObj.setExcludesSupported(xObj.getExcludessupported());
 vObj.setMatcher(xObj.getMatcher());
-vObj.setMatcherOptions(jsonStringToMap(xObj.getMatcheroptions()));
+
+Map<String, String> matcherOptions = jsonStringToMap(xObj.getMatcheroptions());
+
+if (MapUtils.isNotEmpty(matcherOptions)) {
+String optionAccessTypeRestrictions = matcherOptions.remove(OPTION_RESOURCE_ACCESS_TYPE_RESTRICTIONS);
+String optionIsValidLeaf = matcherOptions.remove(OPTION_RESOURCE_IS_VALID_LEAF);
+
+if (StringUtils.isNotBlank(optionAccessTypeRestrictions)) {
+Set<String> accessTypeRestrictions = new HashSet<>();
+
+accessTypeRestrictions = jsonToObject(optionAccessTypeRestrictions, accessTypeRestrictions.getClass());
+
+vObj.setAccessTypeRestrictions(accessTypeRestrictions);
+}
+
+if (StringUtils.isNotBlank(optionIsValidLeaf)) {
+Boolean isValidLeaf = jsonToObject(optionIsValidLeaf, Boolean.class);
+
+vObj.setIsValidLeaf(isValidLeaf);
+}
+}
+
+vObj.setMatcherOptions(matcherOptions);
+
 vObj.setValidationRegEx(xObj.getValidationRegEx());
 vObj.setValidationMessage(xObj.getValidationMessage());
 vObj.setUiHint(xObj.getUiHint());
@@ -326,7 +375,7 @@ public abstract class RangerServiceDefServiceBase<T extends XXServiceDefBase, V
 vObj.setRbKeyLabel(xObj.getRbkeylabel());
 vObj.setRbKeyDescription(xObj.getRbkeydescription());
 vObj.setRbKeyValidationMessage(xObj.getRbKeyValidationMessage());
-
+
 XXResourceDef parent = daoMgr.getXXResourceDef().getById(xObj.getParent());
 String parentName = (parent != null) ? parent.getName() : null;
 vObj.setParent(parentName);
@@ -641,4 +690,5 @@ public abstract class RangerServiceDefServiceBase<T extends XXServiceDefBase, V
 return ret;
 }
+
 }
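Review bot: `Set<String> accessTypeRestrictions = new HashSet<>();` is instantiated only so its `getClass()` can be handed to `jsonToObject`, which erases the element type and leaves an unchecked assignment on the next line; pass the class directly and drop the throwaway instance: `Set<String> accessTypeRestrictions = jsonToObject(optionAccessTypeRestrictions, HashSet.class);` (the signature of `jsonToObject` is outside this hunk, so confirm it accepts a raw class). Because these two values are parsed from the stored matcherOptions row, a malformed value would propagate as an exception out of this mapping method; a comment stating whether that is intended, or whether the option should be logged and skipped, would document the contract. The enclosing method starts and ends outside the hunk.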
