Repository: ranger
Updated Branches:
  refs/heads/ranger-1.0 889999a1f -> e9085bc37


RANGER-2066: HBase column family access is authorized by a tagged column in the column family


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/e9085bc3
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/e9085bc3
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/e9085bc3

Branch: refs/heads/ranger-1.0
Commit: e9085bc3721abb22d812ff11f2fd8345449a3b28
Parents: 889999a
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Fri Apr 13 12:12:32 2018 -0700
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Fri Apr 13 12:12:32 2018 -0700

----------------------------------------------------------------------
 .../contextenricher/RangerTagEnricher.java      |  4 +-
 ...angerDefaultDataMaskPolicyItemEvaluator.java |  7 +--
 .../RangerDefaultPolicyEvaluator.java           | 52 +++++++++++++-------
 .../RangerDefaultPolicyItemEvaluator.java       | 17 ++-----
 ...ngerDefaultRowFilterPolicyItemEvaluator.java |  7 +--
 .../policyevaluator/RangerPolicyEvaluator.java  |  3 ++
 .../RangerPolicyItemEvaluator.java              |  3 +-
 .../test_policyengine_tag_hive.json             | 14 +++++-
 8 files changed, 60 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 415d4a4..37c91a5 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -321,16 +321,18 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
                                        if (request.isAccessTypeAny()) {
                                                isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
                                        } else if 
(request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
+                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
                                        } else {
                                                isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                                        }
+
                                        if (isMatched) {
                                                if (ret == null) {
                                                        ret = new HashSet<>();
                                                }
                                                
ret.addAll(getTagsForServiceResource(enrichedServiceTags.getServiceTags(), 
resourceMatcher.getServiceResource(), matchType));
                                        }
+
                                }
                        }
                }
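Review bot: The `SELF_OR_DESCENDANTS` branch now computes exactly what the `isAccessTypeAny()` branch above it computes, so the two conditions can be folded into one: `isMatched = (request.isAccessTypeAny() || request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) ? matchType != RangerPolicyResourceMatcher.MatchType.NONE : matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;`. The widening also starts collecting tags of ANCESTOR resources for SELF_OR_DESCENDANTS requests, and DESCENDANT-tagged resources keep contributing their tags, but nothing here records that a DESCENDANT match is only meant to enable deny items; a comment such as `// DESCENDANT tags are collected so deny policy-items can apply; the policy evaluator must not grant access on a DESCENDANT-only match` would make the contract with the evaluator explicit. The same three-way test is duplicated in RangerDefaultPolicyEvaluator in this commit, so a shared helper would keep the enrichment and evaluation sides from drifting. The enclosing method starts before and ends after the hunk.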

http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index 349ab36..bbb450c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -44,17 +44,14 @@ public class RangerDefaultDataMaskPolicyItemEvaluator 
extends RangerDefaultPolic
        }
 
        @Override
-       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, Long policyId) {
+       public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
                RangerPolicyItemDataMaskInfo dataMaskInfo = getDataMaskInfo();
 
                if (dataMaskInfo != null) {
-                       result.setIsAllowed(true);
-                       result.setIsAccessDetermined(true);
-
                        result.setMaskType(dataMaskInfo.getDataMaskType());
                        
result.setMaskCondition(dataMaskInfo.getConditionExpr());
                        result.setMaskedValue(dataMaskInfo.getValueExpr());
-                       result.setPolicyId(policyId);
+                       policyEvaluator.updateAccessResult(result, matchType, 
true, getComments());
                }
        }
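Review bot: The mask attributes (`setMaskType`, `setMaskCondition`, `setMaskedValue`) are written before `policyEvaluator.updateAccessResult(...)` decides whether this policy applies, so when that call declines — per the new RangerDefaultPolicyEvaluator.updateAccessResult that is a DESCENDANT match on a non-ANY access type, or a result another policy has already allowed — the result carries mask settings with no matching `policyId`/`isAllowed` update. Either set the mask fields only after confirming the evaluator accepted the item (for example by comparing `result.getIsAllowed()` before and after the call), or document that callers never reach this path with a DESCENDANT match. The previous `result.setIsAccessDetermined(true)` was also dropped; if nothing else sets it on the masking path, later policies may now re-enter evaluation and overwrite these fields, which is worth confirming. The same pattern appears in RangerDefaultRowFilterPolicyItemEvaluator.updateAccessResult in this commit.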
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ab4a9d2..a4164a2 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -167,28 +167,21 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
                        if (!result.getIsAccessDetermined() || 
!result.getIsAuditedDetermined()) {
                                RangerPolicyResourceMatcher.MatchType matchType;
-                               final boolean isMatched;
 
                                if 
(RangerTagAccessRequest.class.isInstance(request)) {
                                        matchType = ((RangerTagAccessRequest) 
request).getMatchType();
-                                       if (matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT
-                                                       && 
!request.isAccessTypeAny()
-                                                       && 
request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               if (LOG.isDebugEnabled()) {
-                                                       LOG.debug("Setting 
matchType from DESCENDANT to SELF, so that any DENY policy-items will take 
effect.");
-                                               }
-                                               matchType = 
RangerPolicyResourceMatcher.MatchType.SELF;
-                                       }
-                                       isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
                                } else {
                                        matchType = resourceMatcher != null ? 
resourceMatcher.getMatchType(request.getResource(), request.getContext()) : 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       if (request.isAccessTypeAny()) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       } else if 
(request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       } else {
-                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
-                                       }
+                               }
+
+                               final boolean isMatched;
+
+                               if (request.isAccessTypeAny()) {
+                                       isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                               } else if (request.getResourceMatchingScope() 
== RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+                                       isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                               } else {
+                                       isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                                }
 
                                if (isMatched) {
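Review bot: The removed DESCENDANT-to-SELF rewrite for tag requests moves the "a descendant-only match may deny but not allow" rule into `updateAccessResult` further down, but nothing at the `isMatched` computation says so, and a reader seeing DESCENDANT pass through as matched will expect allow items to take effect. Suggest `// DESCENDANT matches are kept so deny items apply; updateAccessResult() withholds allow on them unless the access type is ANY` above `final boolean isMatched;`. This three-way test is now duplicated verbatim in RangerTagEnricher (same commit); a small static helper would keep the tag-enrichment and evaluation sides consistent. Tag requests in the default scope now evaluate `SELF || ANCESTOR` rather than `!= NONE`, which appears intentional but is not mentioned in the commit message. The enclosing method starts before and ends after the hunk.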
@@ -370,15 +363,36 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                }
        }
 
+       @Override
+       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String 
reason) {
+
+               if (!isAllowed) {
+                       if (matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || 
!result.getAccessRequest().isAccessTypeAny()) {
+                               result.setIsAllowed(false);
+                               result.setPolicyId(getId());
+                               result.setReason(reason);
+                       }
+               } else {
+                       if (matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || 
result.getAccessRequest().isAccessTypeAny()) {
+                               if (!result.getIsAllowed()) { // if access is 
not yet allowed by another policy
+                                       result.setIsAllowed(true);
+                                       result.setPolicyId(getId());
+                                       result.setReason(reason);
+                               }
+                       }
+               }
+       }
+
        protected void evaluatePolicyItems(RangerAccessRequest request, 
RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
                if(LOG.isDebugEnabled()) {
                        LOG.debug("==> 
RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + 
", " + matchType + ")");
                }
-
                RangerPolicyItemEvaluator matchedPolicyItem = 
getMatchingPolicyItem(request, result);
 
                if(matchedPolicyItem != null) {
-                       matchedPolicyItem.updateAccessResult(result, matchType, 
getPolicy().getId());
+                       if (matchedPolicyItem != null) {
+                               matchedPolicyItem.updateAccessResult(this, 
result, matchType);
+                       }
                }
 
                if(LOG.isDebugEnabled()) {
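Review bot: `evaluatePolicyItems` now tests `matchedPolicyItem != null` twice in a row (the added inner `if` repeats the outer one on the previous line); drop the inner check and call `matchedPolicyItem.updateAccessResult(this, result, matchType);` directly. The new `updateAccessResult` encodes the security-relevant invariant of this fix — a policy item that matched only a descendant of the requested resource may deny access but never grant it, unless the request's access type is ANY — and it has no Javadoc; a short doc comment stating that rule, and that `isAllowed=false` overrides an earlier allow while `isAllowed=true` never overrides one, would make the behaviour reviewable. `result.getAccessRequest()` is dereferenced without a null check in both branches; if results can be built without a request that needs guarding, though I cannot tell from here.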

http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index 9564565..a32322b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -350,21 +350,10 @@ public class RangerDefaultPolicyItemEvaluator extends 
RangerAbstractPolicyItemEv
        }
 
        @Override
-       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, Long policyId) {
-               if(getPolicyItemType() == 
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
-                       if(matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
-                               result.setIsAllowed(false);
-                               result.setPolicyId(policyId);
-                               result.setReason(getComments());
-                       }
-               } else {
-                       if(! result.getIsAllowed()) { // if access is not yet 
allowed by another policy
-                               result.setIsAllowed(true);
-                               result.setPolicyId(policyId);
-                               result.setReason(getComments());
-                       }
-               }
+       public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
+               policyEvaluator.updateAccessResult(result, matchType, 
getPolicyItemType() != RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, 
getComments());
        }
+
        RangerPolicyConditionDef getConditionDef(String conditionName) {
                if(LOG.isDebugEnabled()) {
                        LOG.debug("==> 
RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + ")");
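Review bot: The method now forwards the entire allow/deny decision to the evaluator, which is not visible from its signature; add `/** Delegates to {@code policyEvaluator}: a DENY item requests a denial, any other item type an allow; the evaluator decides whether the match type permits applying it. */`. Passing `getPolicyItemType() != RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY` treats every non-DENY item type as an allow, which matches the previous `if/else` and so is not a regression, but a named local such as `final boolean isAllowItem = getPolicyItemType() != RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY;` would make the intent clearer at the call.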

http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index cacae5a..1f1fdb8 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -43,15 +43,12 @@ public class RangerDefaultRowFilterPolicyItemEvaluator 
extends RangerDefaultPoli
        }
 
        @Override
-       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, Long policyId) {
+       public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
                RangerPolicyItemRowFilterInfo rowFilterInfo = 
getRowFilterInfo();
 
                if (rowFilterInfo != null) {
-                       result.setIsAllowed(true);
-                       result.setIsAccessDetermined(true);
-
                        result.setFilterExpr(rowFilterInfo.getFilterExpr());
-                       result.setPolicyId(policyId);
+                       policyEvaluator.updateAccessResult(result, matchType, 
true, getComments());
                }
        }
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 7a890b8..eb6ad92 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -34,6 +34,7 @@ import 
org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 
 
 public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
@@ -79,6 +80,8 @@ public interface RangerPolicyEvaluator extends 
RangerPolicyResourceEvaluator {
 
        boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, 
String user, Set<String> userGroups, String accessType);
 
+       void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String 
reason);
+
        void getResourceAccessInfo(RangerAccessRequest request, 
RangerResourceAccessInfo result);
 
        class PolicyEvalOrderComparator implements 
Comparator<RangerPolicyEvaluator>, Serializable {
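Review bot: The new interface method has no Javadoc, yet every implementer must now honour the DESCENDANT rule that the default evaluator applies; document the contract on the interface rather than only in RangerDefaultPolicyEvaluator, e.g. `/** Records this policy's decision in {@code result}: {@code isAllowed=false} denies and overrides an earlier allow; {@code isAllowed=true} allows only if no policy has allowed yet. Implementations must not grant access when {@code matchType} is DESCENDANT unless the request's access type is ANY. */`. Adding an abstract method to a public interface is also source-incompatible for any external RangerPolicyEvaluator implementation; if the target is Java 8 or later a `default` method would be less disruptive, though the target level is not visible here.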

http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
index e486403..a6e24c6 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
@@ -65,6 +65,5 @@ public interface RangerPolicyItemEvaluator {
                        return Integer.compare(me.getEvalOrder(), 
other.getEvalOrder());
                }
        }
-       void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, Long policyId);
-
+       void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType);
 }
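Review bot: The replaced signature is undocumented, and the removed `Long policyId` parameter is now expected to be supplied by `policyEvaluator` itself (the default implementation calls `getId()`); a Javadoc such as `/** Applies this item's allow/deny outcome to {@code result} through {@code policyEvaluator}, which supplies the policy id and enforces the match-type rules. */` would record that. Like the RangerPolicyEvaluator change, this is a source-incompatible change for any out-of-tree RangerPolicyItemEvaluator implementation and deserves a mention in the commit message.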

http://git-wip-us.apache.org/repos/asf/ranger/blob/e9085bc3/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 11f31e3..71ee724 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -39,7 +39,10 @@
      
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
      "policyItems":[
        {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", 
"user2"],"groups":["public"],"delegateAdmin":false}
-     ]
+     ],
+      "allowExceptions":[
+        
{"accesses":[{"type":"all","isAllowed":true}],"users":["testuser"],"groups":[],"delegateAdmin":false}
+      ]
     },
     {"id":102,"name":"db=*, udf=*: 
audit-all-access","isEnabled":true,"isAuditEnabled":true,
       "resources":{"database":{"values":["*"]},"udf":{"values":["*"]}},
@@ -219,6 +222,15 @@
   },
 
   "tests":[
+    {"name":"DENY 'select ssn from employee.personal;' for testuser using 
EXPIRES_ON tag with DESCENDANT match",
+      "request":{
+        "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"ssn"}},
+        
"accessType":"select","user":"testuser","userGroups":[],"requestData":"select 
ssn from employee.personal;' for testuser",
+
+        "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", 
\"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, 
\"matchType\":\"DESCENDANT\"}]"}
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    },
     {"name":"ALLOW 'select ssn from employee.personal;' for user1 using 
EXPIRES_ON tag",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"ssn"}},
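Review bot: The new case expects `"policyId":-1` with `"isAllowed":false`, i.e. access is presumably withheld because the DESCENDANT-matched tag allow is not applied and no resource policy allows testuser, not because a deny item fired; the name `DENY ... with DESCENDANT match` reads as the latter. Renaming it along the lines of `"name":"NOT ALLOWED 'select ssn from employee.personal;' for testuser: EXPIRES_ON tag allow with DESCENDANT match must not grant access"` would describe the behaviour under test. The other half of the new rule — a DESCENDANT-matched deny item still denying a non-ANY access — is not exercised by anything visible in this hunk; a companion case with a deny tag policy would cover that branch of RangerDefaultPolicyEvaluator.updateAccessResult.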
