Repository: ranger Updated Branches: refs/heads/ranger-1 0a10ea8b3 -> ee10b9fd1
RANGER-2184 - Update RangerAtlas authorization to authorize add/update/remove of relationships Signed-off-by: Mehul Parikh <me...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/ee10b9fd Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/ee10b9fd Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/ee10b9fd Branch: refs/heads/ranger-1 Commit: ee10b9fd1a78e5614c69c39ce43986dbef5ec798 Parents: 0a10ea8 Author: nixonrodrigues <ni...@apache.org> Authored: Tue Aug 7 19:27:14 2018 +0530 Committer: Mehul Parikh <me...@apache.org> Committed: Fri Aug 10 19:21:38 2018 +0530 ---------------------------------------------------------------------- .../atlas/authorizer/RangerAtlasAuthorizer.java | 83 ++++++++++++++++++-- .../services/atlas/RangerServiceAtlas.java | 48 +++++++++++ .../atlas/authorizer/RangerAtlasAuthorizer.java | 25 ++++++ 3 files changed, 149 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/ee10b9fd/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java index aa815b2..29d66b0 100644 --- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java +++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java 
@@ -24,6 +24,8 @@ import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
+
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizer;
 import org.apache.atlas.authorize.AtlasPrivilege;
@@ -44,15 +46,10 @@ import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.services.atlas.RangerServiceAtlas;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_CATEGORY;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_NAME;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_TYPE;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_CLASSIFICATION;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_ID;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_SERVICE;
-
 import java.util.*;
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.*;
+
 public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 private static final Log LOG = LogFactory.getLog(RangerAtlasAuthorizer.class);
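Review bot: The second hunk replaces six explicit static imports with `import static org.apache.ranger.services.atlas.RangerServiceAtlas.*;`, which pulls every public static member of the service class (including the CONFIG_* names visible in the RangerServiceAtlas hunk of this commit) into the authorizer's namespace and hides which constants it actually depends on. Listing the six previous names plus the seven new RESOURCE_RELATIONSHIP_TYPE / RESOURCE_END_* names individually, e.g. `import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_RELATIONSHIP_TYPE;`, keeps that dependency visible and avoids accidental shadowing if RangerServiceAtlas gains more statics later. The blank line added after the AtlasRelationshipAccessRequest import in the first hunk splits the org.apache.atlas.authorize group and can be dropped.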
@@ -203,6 +200,78 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 return ret;
 }
+ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> isAccessAllowed(" + request + ")");
+ }
+
+ boolean ret;
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
+ }
+
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+ final Set<String> end1EntityTypeAndSuperTypes = request.getEnd1EntityTypeAndAllSuperTypes();
+ final Set<String> end1Classifications = new HashSet<>(request.getEnd1EntityClassifications());
+ final String end1EntityId = request.getEnd1EntityId();
+
+ final Set<String> end2EntityTypeAndSuperTypes = request.getEnd2EntityTypeAndAllSuperTypes();
+ final Set<String> end2Classifications = new HashSet<>(request.getEnd2EntityClassifications());
+ final String end2EntityId = request.getEnd2EntityId();
+
+
+ String relationShipType = request.getRelationshipType();
+
+ RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
+
+ RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
+ rangerRequest.setClientIPAddress(request.getClientIPAddress());
+ rangerRequest.setAccessTime(request.getAccessTime());
+ rangerRequest.setClusterName(getClusterName());
+ rangerRequest.setAction(action);
+
+
+ rangerResource.setValue(RESOURCE_RELATIONSHIP_TYPE, relationShipType);
+
+
+ Set<String> classificationsWithSuperTypesEnd1 = new HashSet();
+
+ for (String classificationToAuthorize : end1Classifications) {
+ classificationsWithSuperTypesEnd1.addAll(request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+ }
+
+ rangerResource.setValue(RESOURCE_END_ONE_ENTITY_TYPE, end1EntityTypeAndSuperTypes);
+ rangerResource.setValue(RESOURCE_END_ONE_ENTITY_CLASSIFICATION, classificationsWithSuperTypesEnd1);
+ rangerResource.setValue(RESOURCE_END_ONE_ENTITY_ID, end1EntityId);
+
+
+ Set<String> classificationsWithSuperTypesEnd2 = new HashSet();
+
+ for (String classificationToAuthorize : end2Classifications) {
+ classificationsWithSuperTypesEnd2.addAll(request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+ }
+
+ rangerResource.setValue(RESOURCE_END_TWO_ENTITY_TYPE, end2EntityTypeAndSuperTypes);
+ rangerResource.setValue(RESOURCE_END_TWO_ENTITY_CLASSIFICATION, classificationsWithSuperTypesEnd2);
+ rangerResource.setValue(RESOURCE_END_TWO_ENTITY_ID, end2EntityId);
+
+ ret = checkAccess(rangerRequest);
+
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
+ }
+
+ return ret;
+ }
+
+
 @Override
 public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
 if (LOG.isDebugEnabled()) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/ee10b9fd/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index 0ee2627..c9f77c6 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
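Review bot: The new `isAccessAllowed(AtlasRelationshipAccessRequest)` in plugin-atlas is added without `@Override`, although the shim's copy of the same method in the last hunk of this commit carries it, so the interface evidently declares it; add `@Override` so a later signature drift fails at compile time instead of silently leaving the relationship check unreachable. The two accumulators use raw types, `Set<String> classificationsWithSuperTypesEnd1 = new HashSet();` and its End2 counterpart — write `new HashSet<>()` in both, which also removes the unchecked warning. `new HashSet<>(request.getEnd1EntityClassifications())` and the End2 copy throw NullPointerException when the getter returns null; whether Atlas guarantees non-null collections is not visible here, so confirm it or guard, since the exception would surface from the authorizer rather than as a deny decision. The local `relationShipType` should be spelled `relationshipType` to match the getter it is read from.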
@@ -60,6 +60,19 @@ public class RangerServiceAtlas extends RangerBaseService {
 public static final String RESOURCE_ENTITY_TYPE = "entity-type";
 public static final String RESOURCE_ENTITY_CLASSIFICATION = "entity-classification";
 public static final String RESOURCE_ENTITY_ID = "entity";
+
+ public static final String RESOURCE_RELATIONSHIP_TYPE = "relationship-type";
+
+ public static final String RESOURCE_END_ONE_ENTITY_TYPE = "end-one-entity-type";
+ public static final String RESOURCE_END_ONE_ENTITY_CLASSIFICATION = "end-one-entity-classification";
+ public static final String RESOURCE_END_ONE_ENTITY_ID = "end-one-entity";
+
+ public static final String RESOURCE_END_TWO_ENTITY_TYPE = "end-two-entity-type";
+ public static final String RESOURCE_END_TWO_ENTITY_CLASSIFICATION = "end-two-entity-classification";
+ public static final String RESOURCE_END_TWO_ENTITY_ID = "end-two-entity";
+
+
+
 public static final String CONFIG_REST_ADDRESS = "atlas.rest.address";
 public static final String CONFIG_USERNAME = "username";
 public static final String CONFIG_PASSWORD = "password";
@@ -230,6 +243,8 @@ public class RangerServiceAtlas extends RangerBaseService {
 }
 break;
+ case RESOURCE_END_ONE_ENTITY_TYPE:
+ case RESOURCE_END_TWO_ENTITY_TYPE:
 case RESOURCE_ENTITY_TYPE: {
 refreshTypesDefs();
@@ -237,6 +252,8 @@ public class RangerServiceAtlas extends RangerBaseService {
 }
 break;
+ case RESOURCE_END_ONE_ENTITY_CLASSIFICATION:
+ case RESOURCE_END_TWO_ENTITY_CLASSIFICATION:
 case RESOURCE_ENTITY_CLASSIFICATION: {
 refreshTypesDefs();
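Review bot: The new `relationship-type`, `end-one-*` and `end-two-*` resource names are the contract between the authorizer and the policies that can be written, but the diffstat lists only three Java files and no service-definition change; unless these resources already exist in the Atlas service definition (`ranger-servicedef-atlas.json`), no policy can be authored for them and the lookup `case` labels added in the later hunks are never reached. That dependency deserves a Javadoc line above the constants, e.g. `/** Policy resource names; each must match a resource declared in the Atlas service definition. */`. The three blank lines inserted before `CONFIG_REST_ADDRESS` can be reduced to one.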
@@ -255,6 +272,37 @@ public class RangerServiceAtlas extends RangerBaseService {
 }
 break;
+ case RESOURCE_RELATIONSHIP_TYPE: {
+ refreshTypesDefs();
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_RELATIONSHIP), userInput, currentValues);
+
+ }
+ break;
+
+ case RESOURCE_END_ONE_ENTITY_ID: {
+
+ List<String> searchTypes = lookupContext.getResources().get(RESOURCE_END_ONE_ENTITY_TYPE);
+
+ if (searchTypes != null && searchTypes.size() == 1) {
+ List<String> values = searchEntities(userInput, searchTypes.get(0));
+
+ addIfStartsWithAndNotExcluded(ret, values, userInput, currentValues);
+ }
+
+ }
+ break;
+
+ case RESOURCE_END_TWO_ENTITY_ID: {
+ List<String> searchTypes = lookupContext.getResources().get(RESOURCE_END_TWO_ENTITY_TYPE);
+
+ if (searchTypes != null && searchTypes.size() == 1) {
+ List<String> values = searchEntities(userInput, searchTypes.get(0));
+
+ addIfStartsWithAndNotExcluded(ret, values, userInput, currentValues);
+ }
+ }
+ break;
+
 default: {
 ret.add(lookupContext.getResourceName());
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/ee10b9fd/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 609dddb..b50fdcf 100644
--- a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
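Review bot: The `RESOURCE_END_ONE_ENTITY_ID` and `RESOURCE_END_TWO_ENTITY_ID` cases are the same seven lines with one constant swapped (null/size-1 check on the selected entity types, then `searchEntities` and `addIfStartsWithAndNotExcluded`); a private helper keeps the two in step, and probably the pre-existing `RESOURCE_ENTITY_ID` case too, which sits outside this hunk. The enclosing switch and lookup method both start and end outside the hunk, so the helper goes after that method; its parameter types below mirror how the locals are used here (`List<String>`, `String`) and should be checked against the method's actual declarations. The blank line left inside the `RESOURCE_RELATIONSHIP_TYPE` block before its closing brace can be dropped.
```java
case RESOURCE_END_ONE_ENTITY_ID: {
    addEntityIdsForSingleType(ret, lookupContext.getResources().get(RESOURCE_END_ONE_ENTITY_TYPE), userInput, currentValues);
}
break;

case RESOURCE_END_TWO_ENTITY_ID: {
    addEntityIdsForSingleType(ret, lookupContext.getResources().get(RESOURCE_END_TWO_ENTITY_TYPE), userInput, currentValues);
}
break;

// … unchanged: default branch and the remainder of the lookup method …

/** Adds entity ids matching userInput when exactly one entity type is selected for that relationship end. */
private void addEntityIdsForSingleType(List<String> ret, List<String> searchTypes, String userInput, List<String> currentValues) {
    if (searchTypes != null && searchTypes.size() == 1) {
        addIfStartsWithAndNotExcluded(ret, searchEntities(userInput, searchTypes.get(0)), userInput, currentValues);
    }
}
```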
@@ -22,6 +22,7 @@ package org.apache.ranger.authorization.atlas.authorizer;
 import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasAuthorizer;
@@ -176,6 +177,30 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 return ret;
 }
+
+ @Override
+ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException {
+ if (isDebugEnabled) {
+ LOG.debug("==> isAccessAllowed(AtlasTypeAccessRequest)");
+ }
+
+ final boolean ret;
+
+ try {
+ activatePluginClassLoader();
+
+ ret = rangerAtlasAuthorizerImpl.isAccessAllowed(request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== isAccessAllowed(AtlasTypeAccessRequest): " + ret);
+ }
+
+ return ret;
+ }
+
 @Override
 public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
 if (isDebugEnabled) {
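Review bot: The debug messages in the new shim overload name the wrong request type: `LOG.debug("==> isAccessAllowed(AtlasTypeAccessRequest)");` and the matching `<==` line are inside `isAccessAllowed(AtlasRelationshipAccessRequest)`, so a debug log cannot distinguish a relationship check from a type check when tracing an authorization decision. Change them to `LOG.debug("==> isAccessAllowed(AtlasRelationshipAccessRequest)");` and `LOG.debug("<== isAccessAllowed(AtlasRelationshipAccessRequest): " + ret);`. The import hunk above needs nothing.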