Repository: ranger Updated Branches: refs/heads/master 2cc88970b -> d9f54d72c
RANGER-1834: row filter policies are not being returned by policy search Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/d9f54d72 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/d9f54d72 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/d9f54d72 Branch: refs/heads/master Commit: d9f54d72ca7eec9eeeb4f12f5ebfa71b61b2acc0 Parents: 2cc8897 Author: Abhay Kulkarni <[email protected]> Authored: Wed Oct 11 17:06:22 2017 -0700 Committer: Abhay Kulkarni <[email protected]> Committed: Sat Oct 14 17:03:02 2017 -0700 ---------------------------------------------------------------------- .../RangerDefaultPolicyResourceMatcher.java | 52 ++++++++++--------- .../RangerPolicyResourceMatcher.java | 2 + .../org/apache/ranger/biz/ServiceDBStore.java | 54 ++++++++++---------- 3 files changed, 57 insertions(+), 51 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/d9f54d72/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 2566a4b..e8d85c5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -46,7 +46,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyResourceMatcher.class);
 protected RangerServiceDef serviceDef;
- protected RangerPolicy policy;
+ protected int policyType;
 protected Map<String, RangerPolicyResource> policyResources;
 private Map<String, RangerResourceMatcher> allMatchers;
@@ -58,7 +58,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 @Override
 public void setServiceDef(RangerServiceDef serviceDef) {
 if (isInitialized) {
- LOG.warn("RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + "): already initialized. init() must be done again after updating serviceDef");
+ LOG.warn("RangerDefaultPolicyResourceMatcher is already initialized. init() must be done again after updating serviceDef");
 }
 this.serviceDef = serviceDef;
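Review bot: The rewritten warning in `setServiceDef` no longer names the policy this matcher was built for, and the same `policyId=` prefix is dropped from every message in the later hunks (`setPolicy`, `setPolicyResources`, and the `init()` warnings and errors). An `init() failed` error from an engine that loads many policies can then no longer be traced to the policy that was skipped, which makes it harder to work out why an authorization rule is not in effect. Because the `policy` field is removed in the first hunk, one option is to keep a `protected Long policyId;` that `setPolicy` fills in (null for matchers built from bare resources) and log it as before. The bodies of `setServiceDef` and `init()` extend beyond the hunks shown.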
@@ -67,20 +67,30 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 @Override
 public void setPolicy(RangerPolicy policy) {
 if (isInitialized) {
- LOG.warn("RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + "): already initialized. init() must be done again after updating policy");
+ LOG.warn("RangerDefaultPolicyResourceMatcher is already initialized. init() must be done again after updating policy");
+ }
+
+ if (policy == null) {
+ setPolicyResources(null, RangerPolicy.POLICY_TYPE_ACCESS);
+ } else {
+ setPolicyResources(policy.getResources(), policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType());
 }
- this.policy = policy;
- this.policyResources = (policy == null ? null : policy.getResources());
 }
 @Override
 public void setPolicyResources(Map<String, RangerPolicyResource> policyResources) {
 if (isInitialized) {
- LOG.warn("RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + "): already initialized. init() must be done again after updating policy-resources");
+ LOG.warn("RangerDefaultPolicyResourceMatcher is already initialized. init() must be done again after updating policy-resources");
 }
+ setPolicyResources(policyResources, RangerPolicy.POLICY_TYPE_ACCESS);
+ }
+
+ @Override
+ public void setPolicyResources(Map<String, RangerPolicyResource> policyResources, int policyType) {
 this.policyResources = policyResources;
+ this.policyType = policyType;
 }
 @Override
@@ -89,7 +99,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 @Override
 public void init() {
 if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + ").init()");
+ LOG.debug("==> RangerDefaultPolicyResourceMatcher.init()");
 }
 allMatchers = null;
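Review bot: The new `setPolicyResources(policyResources, policyType)` overload assigns both fields without the `isInitialized` warning that the other setters give, so a caller that uses it on an initialized matcher gets no hint that `init()` must be run again. Moving the check into the two-argument overload and dropping it from `setPolicy` and the one-argument overload, which both delegate to it, would give exactly one warning on every path. The overload also accepts any `int`; a short Javadoc naming the expected `RangerPolicy.POLICY_TYPE_*` values would tell callers what is valid.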
@@ -105,7 +115,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) {
 serviceDefHelper = new RangerServiceDefHelper(serviceDef, useCache);
- Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(getPolicyType(), policyResources.keySet());
+ Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, policyResources.keySet());
 int validHierarchiesCount = 0;
 for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
@@ -124,7 +134,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 }
 if (foundGapsInResourceSpecs) {
- LOG.warn("RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + ").init(): gaps found in policyResources, skipping hierarchy:[" + resourceHierarchies + "]");
+ LOG.warn("RangerDefaultPolicyResourceMatcher.init(): gaps found in policyResources, skipping hierarchy:[" + resourceHierarchies + "]");
 } else {
 validHierarchiesCount++;
@@ -151,7 +161,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 if (policyResource == null) {
 if (LOG.isDebugEnabled()) {
- LOG.debug("RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + ").init(): no matcher created for " + resourceName + ". Continuing ...");
+ LOG.debug("RangerDefaultPolicyResourceMatcher.init(): no matcher created for " + resourceName + ". Continuing ...");
 }
 continue;
@@ -166,7 +176,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 allMatchers.put(resourceName, matcher);
 } else {
- LOG.error("RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + ").init(): failed to find matcher for resource " + resourceName);
+ LOG.error("RangerDefaultPolicyResourceMatcher.init(): failed to find matcher for resource " + resourceName);
 allMatchers = null;
 errorText = "no matcher found for resource " + resourceName;
@@ -200,13 +210,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 }
 }
- LOG.error("RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + ").init() failed: " + errorText + " (serviceDef=" + serviceDefName + ", policyResourceKeys=" + keysString.toString());
+ LOG.error("RangerDefaultPolicyResourceMatcher.init() failed: " + errorText + " (serviceDef=" + serviceDefName + ", policyResourceKeys=" + keysString.toString());
 } else {
 isInitialized = true;
 }
 if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyResourceMatcher(policyId=" + getPolicyId() + ").init(): ret=" + isInitialized);
+ LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized);
 }
 }
@@ -323,15 +333,11 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 @Override
 public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
- return isMatch(policy.getResources(), scope, false, evalContext);
- }
-
- private int getPolicyType() {
- return policy != null && policy.getPolicyType() != null ? policy.getPolicyType() : RangerPolicy.POLICY_TYPE_ACCESS;
- }
-
- private Long getPolicyId() {
- return policy != null ? policy.getId() : null;
+ if (policy.getPolicyType() == policyType) {
+ return isMatch(policy.getResources(), scope, false, evalContext);
+ } else {
+ return false;
+ }
 }
 boolean isMatch(Map<String, RangerPolicyResource> resources, MatchScope scope, boolean mustMatchAllPolicyValues, Map<String, Object> evalContext) {
@@ -511,7 +517,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 List<RangerResourceDef> ret = null;
 if (CollectionUtils.isNotEmpty(resourceKeys)) {
- Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper == null ? Collections.EMPTY_SET : serviceDefHelper.getResourceHierarchies(getPolicyType(), resourceKeys);
+ Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper == null ? Collections.EMPTY_SET : serviceDefHelper.getResourceHierarchies(policyType, resourceKeys);
 // pick the shortest hierarchy
 for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/d9f54d72/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index b4dc2c5..9cc4bd6 100644
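Review bot: `policy.getPolicyType() == policyType` in `isMatch` unboxes the policy's type, and the `setPolicy` hunk treats `getPolicyType()` as nullable, so a policy with no type set would throw a NullPointerException here instead of being handled as an access policy. Applying the same default as `setPolicy` keeps the two paths consistent: `int type = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();` followed by `return type == policyType && isMatch(policy.getResources(), scope, false, evalContext);`. A one-line comment saying that the matcher now rejects policies of a different type would also help, since `isMatch(RangerPolicy, ...)` previously compared resources only.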
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -37,6 +37,8 @@ public interface RangerPolicyResourceMatcher {
 void setPolicyResources(Map<String, RangerPolicyResource> policyResources);
+ void setPolicyResources(Map<String, RangerPolicyResource> policyResources, int policyType);
+
 void init();
 RangerServiceDef getServiceDef();
http://git-wip-us.apache.org/repos/asf/ranger/blob/d9f54d72/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 467cfff..e433f08 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -59,7 +59,6 @@ import org.apache.ranger.common.RangerCommonEnums;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
-import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.util.PasswordUtils;
 import org.apache.ranger.common.JSONUtil;
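Review bot: The `setPolicyResources(Map, int)` method added to the `RangerPolicyResourceMatcher` interface carries no Javadoc, although it changes what `isMatch(RangerPolicy, ...)` returns for policies of another type. A comment such as `/** Sets the resources and the policy type (one of RangerPolicy.POLICY_TYPE_*) this matcher applies to; init() must be called afterwards. */` would state the contract. Any implementation of this interface outside the files in this commit would also stop compiling until it adds the method, which may be worth a line in the commit message.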
@@ -2333,48 +2332,47 @@ public class ServiceDBStore extends AbstractServiceStore {
 String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE);
- int policyType = RangerPolicy.POLICY_TYPE_ACCESS;
+ List<Integer> policyTypes = new ArrayList<>();
 if (StringUtils.isNotBlank(policyTypeStr)) {
- policyType = Integer.parseInt(policyTypeStr);
- }
-
- Set<List<RangerResourceDef>> validResourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, filterResources.keySet());
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Found " + validResourceHierarchies.size() + " valid resource hierarchies for key-set " + filterResources.keySet());
+ policyTypes.add(Integer.parseInt(policyTypeStr));
+ } else {
+ policyTypes.add(RangerPolicy.POLICY_TYPE_ACCESS);
+ policyTypes.add(RangerPolicy.POLICY_TYPE_DATAMASK);
+ policyTypes.add(RangerPolicy.POLICY_TYPE_ROWFILTER);
 }
- List<List<RangerResourceDef>> resourceHierarchies = new ArrayList<List<RangerResourceDef>>(validResourceHierarchies);
-
- for (List<RangerResourceDef> validResourceHierarchy : resourceHierarchies) {
+ for (Integer policyType : policyTypes) {
+ Set<List<RangerResourceDef>> validResourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, filterResources.keySet());
 if (LOG.isDebugEnabled()) {
- LOG.debug("validResourceHierarchy:[" + validResourceHierarchy + "]");
+ LOG.debug("Found " + validResourceHierarchies.size() + " valid resource hierarchies for key-set " + filterResources.keySet());
 }
- Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
-
- for (RangerResourceDef resourceDef : validResourceHierarchy) {
+ List<List<RangerResourceDef>> resourceHierarchies = new ArrayList<List<RangerResourceDef>>(validResourceHierarchies);
- String resourceValue = filterResources.get(resourceDef.getName());
+ for (List<RangerResourceDef> validResourceHierarchy : resourceHierarchies) {
- if (StringUtils.isBlank(resourceValue)) {
- resourceValue = RangerAbstractResourceMatcher.WILDCARD_ASTERISK;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("validResourceHierarchy:[" + validResourceHierarchy + "]");
 }
- policyResources.put(resourceDef.getName(), new RangerPolicyResource(resourceValue, false, resourceDef.getRecursiveSupported()));
- }
+ Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
- RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
- matcher.setServiceDef(serviceDef);
- matcher.setPolicyResources(policyResources);
- matcher.init();
+ for (RangerResourceDef resourceDef : validResourceHierarchy) {
+ policyResources.put(resourceDef.getName(), new RangerPolicyResource(filterResources.get(resourceDef.getName()), false, resourceDef.getRecursiveSupported()));
+ }
- ret.add(matcher);
+ RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
+ matcher.setServiceDef(serviceDef);
+ matcher.setPolicyResources(policyResources, policyType);
+ matcher.init();
- if (LOG.isDebugEnabled()) {
- LOG.debug("Added matcher:[" + matcher + "]");
+ ret.add(matcher);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Added matcher:[" + matcher + "]");
+ }
 }
 }
 }
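Review bot: `filterResources.get(resourceDef.getName())` is now passed straight to `new RangerPolicyResource(...)`, so a hierarchy level that the search filter does not name gets a null value where the removed lines substituted `RangerAbstractResourceMatcher.WILDCARD_ASTERISK`. Whether `RangerPolicyResource` and the matcher's `init()` tolerate a null value is not visible in this hunk; if they do not, a search that names only some levels could fail or return fewer policies than before, so either the fallback should stay or a comment should state that `getResourceHierarchies` returns only levels present in the filter. Separately, `Integer.parseInt(policyTypeStr)` takes the `SearchFilter.POLICY_TYPE` parameter unchecked: a non-numeric value throws NumberFormatException and an unknown number builds matchers for a type that does not exist, so checking it against the three `POLICY_TYPE_*` constants first would be safer. The enclosing method starts and ends outside the hunk.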
