Repository: ranger Updated Branches: refs/heads/master b70479c4f -> 1e77fa2a4
RANGER-1781: Policy model update to support restricted access-types based on selected resource(Initialize isValidLeaf attribute in new/existing installation and new/updated service definition) Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/1e77fa2a Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/1e77fa2a Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/1e77fa2a Branch: refs/heads/master Commit: 1e77fa2a4be3425f97d5711ebb0de5db8258c618 Parents: b70479c Author: Abhay Kulkarni <[email protected]> Authored: Tue Nov 28 17:31:37 2017 -0800 Committer: Abhay Kulkarni <[email protected]> Committed: Tue Nov 28 17:31:37 2017 -0800
----------------------------------------------------------------------
 .../validation/RangerServiceDefHelper.java | 25 ++-
 .../org/apache/ranger/biz/ServiceDBStore.java | 6 +
 ...pdateForResourceSpecificAccesses_J10012.java | 173 +++++++++++++++++++
 3 files changed, 199 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/1e77fa2a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
index 486a39c..6cb55c2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
@@ -162,7 +162,11 @@ public class RangerServiceDefHelper {
 }
 _delegate = delegate;
 }
-
+
+ public void patchServiceDefWithDefaultValues() {
+ _delegate.patchServiceDefWithDefaultValues();
+ }
+
 /**
 * for a resource definition as follows:
 *
@@ -297,7 +301,21 @@ public class RangerServiceDefHelper {
 LOG.debug(message);
 }
 }
-
+
+ public void patchServiceDefWithDefaultValues() {
+ for(int policyType : RangerPolicy.POLICY_TYPES) {
+ Set<List<RangerResourceDef>> resourceHierarchies = getResourceHierarchies(policyType);
+ for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
+ for (int index = 0; index < resourceHierarchy.size(); index++) {
+ RangerResourceDef resourceDef = resourceHierarchy.get(index);
+ if (!Boolean.TRUE.equals(resourceDef.getIsValidLeaf())) {
+ resourceDef.setIsValidLeaf(index == resourceHierarchy.size()-1);
+ }
+ }
+ }
+ }
+ }
+
 public Set<List<RangerResourceDef>> getResourceHierarchies(Integer policyType) {
 if(policyType == null) {
 policyType = RangerPolicy.POLICY_TYPE_ACCESS;
@@ -403,9 +421,6 @@ public class RangerServiceDefHelper {
 LOG.error("Error in path: sink node:[" + sink + "] is not leaf node");
 ret = false;
 break;
- } else if (sinkResourceDef.getIsValidLeaf() == null) {
- LOG.info("Setting sink ResourceDef's isValidLeaf from null to 'true'");
- sinkResourceDef.setIsValidLeaf(true);
 }
 }
 } else {
http://git-wip-us.apache.org/repos/asf/ranger/blob/1e77fa2a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 956b605..9d8f5d2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
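Review bot: The guard `!Boolean.TRUE.equals(resourceDef.getIsValidLeaf())` in the second hunk's `patchServiceDefWithDefaultValues()` treats an explicit `false` like an unset `null`, so a service definition that deliberately marks its last resource as not a valid leaf is silently rewritten to `true`, which changes the levels at which a policy may end. If that is intended (it looks like it lets a resource defaulted to `false` as an inner node of one hierarchy still become `true` as the leaf of another, to be confirmed), the method needs a Javadoc stating the rule, for example `/** Sets isValidLeaf on every resource of every hierarchy: true for the last resource, false otherwise; a value that is already true is never lowered. */`, and a log line whenever a non-null value is overwritten. The third hunk removes the null-to-true fallback from the sink-node check, so every path that builds a helper now depends on this method having run; callers outside this diff are not visible here.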
@@ -369,6 +369,9 @@ public class ServiceDBStore extends AbstractServiceStore { List<RangerAccessTypeDef> rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList<RangerAccessTypeDef>() : rowFilterDef.getAccessTypes(); List<RangerResourceDef> rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? new ArrayList<RangerResourceDef>() : rowFilterDef.getResources(); + RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false); + defHelper.patchServiceDefWithDefaultValues(); + // While creating, value of version should be 1. serviceDef.setVersion(Long.valueOf(1)); @@ -625,6 +628,9 @@ public class ServiceDBStore extends AbstractServiceStore { RangerDataMaskDef dataMaskDef = serviceDef.getDataMaskDef(); RangerRowFilterDef rowFilterDef = serviceDef.getRowFilterDef(); + RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false); + defHelper.patchServiceDefWithDefaultValues(); + serviceDef.setCreateTime(existing.getCreateTime()); serviceDef.setGuid(existing.getGuid()); serviceDef.setVersion(existing.getVersion()); http://git-wip-us.apache.org/repos/asf/ranger/blob/1e77fa2a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java new file mode 100644 index 0000000..f13e107 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java 
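Review bot: Both hunks call `defHelper.patchServiceDefWithDefaultValues()` on the incoming `serviceDef` and rely on the helper mutating that object's resource definitions in place; nothing in the hunks shows that the lists returned by `getResourceHierarchies()` hold the same `RangerResourceDef` instances that are persisted afterwards. In the first hunk the call also comes after `rowFilterResources` and the other locals were read from `serviceDef`, so a one-line comment such as `// fills in isValidLeaf on serviceDef's resource defs in place; must run before they are persisted` would record the ordering dependency. The same two lines recur in the second hunk at `-625,6 +628,9` and in the new patch class, which suggests a small private helper. Both enclosing methods start and end outside the hunks, so whether validation of the supplied definition runs before or after this point cannot be checked here.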
@@ -0,0 +1,173 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ranger.patch; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; +import org.apache.ranger.biz.RangerBizUtil; +import org.apache.ranger.biz.ServiceDBStore; +import org.apache.ranger.common.JSONUtil; +import org.apache.ranger.common.RangerValidatorFactory; +import org.apache.ranger.common.StringUtil; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper; +import org.apache.ranger.service.RangerPolicyService; +import org.apache.ranger.service.XPermMapService; +import org.apache.ranger.service.XPolicyService; +import org.apache.ranger.util.CLIUtil; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; +import org.apache.ranger.entity.XXServiceDef; + +import java.util.List; +import java.util.Map; + +@Component +public class PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012 extends BaseLoader { + private static final Logger logger = 
Logger.getLogger(PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.class); + + @Autowired + RangerDaoManager daoMgr; + + @Autowired + ServiceDBStore svcDBStore; + + @Autowired + JSONUtil jsonUtil; + + @Autowired + RangerPolicyService policyService; + + @Autowired + StringUtil stringUtil; + + @Autowired + XPolicyService xPolService; + + @Autowired + XPermMapService xPermMapService; + + @Autowired + RangerBizUtil bizUtil; + + @Autowired + RangerValidatorFactory validatorFactory; + + @Autowired + ServiceDBStore svcStore; + + public static void main(String[] args) { + logger.info("main()"); + try { + PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012 loader = (PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012) CLIUtil.getBean(PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.class); + loader.init(); + while (loader.isMoreToProcess()) { + loader.load(); + } + logger.info("Load complete. Exiting!!!"); + System.exit(0); + } catch (Exception e) { + logger.error("Error loading", e); + System.exit(1); + } + } + + @Override + public void init() throws Exception { + // Do Nothing + } + + @Override + public void execLoad() { + logger.info("==> PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()"); + try { + updateAllServiceDef(); + } catch (Exception e) { + logger.error("Error in PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()", e); + } + logger.info("<== PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()"); + } + + @Override + public void printStats() { + logger.info("PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012 data "); + } + + private void updateAllServiceDef() { + + List<XXServiceDef> allXXServiceDefs; + allXXServiceDefs = daoMgr.getXXServiceDef().getAll(); + + if (CollectionUtils.isNotEmpty(allXXServiceDefs)) { + + for (XXServiceDef xxServiceDef : allXXServiceDefs) { + + String serviceDefName = xxServiceDef.getName(); + + try { + String 
jsonStrPreUpdate = xxServiceDef.getDefOptions(); + Map<String, String> serviceDefOptionsPreUpdate = jsonUtil.jsonToMap(jsonStrPreUpdate); + String valueBeforeUpdate = serviceDefOptionsPreUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES); + + RangerServiceDef serviceDef = svcDBStore.getServiceDefByName(serviceDefName); + + if (serviceDef != null) { + logger.info("Started patching service-def:[" + serviceDefName + "]"); + + RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false); + defHelper.patchServiceDefWithDefaultValues(); + + svcStore.updateServiceDef(serviceDef); + + XXServiceDef dbServiceDef = daoMgr.getXXServiceDef().findByName(serviceDefName); + + if (dbServiceDef != null) { + String jsonStrPostUpdate = dbServiceDef.getDefOptions(); + Map<String, String> serviceDefOptionsPostUpdate = jsonUtil.jsonToMap(jsonStrPostUpdate); + String valueAfterUpdate = serviceDefOptionsPostUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES); + + if (!StringUtils.equals(valueBeforeUpdate, valueAfterUpdate)) { + if (StringUtils.isEmpty(valueBeforeUpdate)) { + serviceDefOptionsPostUpdate.remove(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES); + } else { + serviceDefOptionsPostUpdate.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, valueBeforeUpdate); + } + dbServiceDef.setDefOptions(mapToJsonString(serviceDefOptionsPostUpdate)); + daoMgr.getXXServiceDef().update(dbServiceDef); + } + } + logger.info("Completed patching service-def:[" + serviceDefName + "]"); + } + } catch (Exception e) { + logger.error("Error while patching service-def:[" + serviceDefName + "]", e); + } + } + } + } + + private String mapToJsonString(Map<String, String> map) throws Exception { + String ret = null; + if(map != null) { + ret = jsonUtil.readMapToString(map); + } + return ret; + } +} +
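Review bot: A failed upgrade is reported as success: `updateAllServiceDef()` logs and swallows the exception for each service-def, and `execLoad()` swallows whatever is left, so `main()` reaches `System.exit(0)` even when no definition was patched. Because this commit also drops the null-to-true fallback for `isValidLeaf` in `RangerServiceDefHelper`, an installation where the patch silently failed is left with unset values and no signal to the operator beyond a log line. Collect the names that failed, throw after the loop, and let `execLoad()` propagate it so the existing `catch` in `main()` exits with 1; this assumes `BaseLoader.load()` does not swallow the exception itself, which is not visible here, and it needs `java.util.ArrayList` imported. Separately, `svcDBStore` and `svcStore` are two injections of the same `ServiceDBStore`, and `policyService`, `stringUtil`, `xPolService`, `xPermMapService`, `bizUtil` and `validatorFactory` are never used in this file.

```java
@Override
public void execLoad() {
    logger.info("==> PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()");
    // No catch here: a failure must reach main() so the process exits non-zero.
    updateAllServiceDef();
    logger.info("<== PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()");
}

private void updateAllServiceDef() {
    List<String> failedServiceDefs = new ArrayList<String>();
    // … unchanged: load allXXServiceDefs, loop, per-service-def try block …
            } catch (Exception e) {
                logger.error("Error while patching service-def:[" + serviceDefName + "]", e);
                failedServiceDefs.add(serviceDefName);
            }
    // … unchanged: end of loop and of the isNotEmpty block …
    if (!failedServiceDefs.isEmpty()) {
        throw new IllegalStateException("Failed to patch service-defs: " + failedServiceDefs);
    }
}
```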
