Repository: ranger
Updated Branches:
  refs/heads/ranger-1.1 646dd764b -> 92ffcf04f


RANGER-2184 - Update RangerAtlas authorization to authorize add/update/remove 
of relationships

Signed-off-by: Mehul Parikh <me...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/92ffcf04
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/92ffcf04
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/92ffcf04

Branch: refs/heads/ranger-1.1
Commit: 92ffcf04f2339da22505cd91c91abb3e224d67fe
Parents: 646dd76
Author: nixonrodrigues <ni...@apache.org>
Authored: Tue Aug 7 19:27:14 2018 +0530
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Aug 9 14:46:38 2018 +0530

----------------------------------------------------------------------
 .../atlas/authorizer/RangerAtlasAuthorizer.java | 83 ++++++++++++++++++--
 .../services/atlas/RangerServiceAtlas.java      | 48 +++++++++++
 .../atlas/authorizer/RangerAtlasAuthorizer.java | 25 ++++++
 3 files changed, 149 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/92ffcf04/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
 
b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index aa815b2..29d66b0 100644
--- 
a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ 
b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -24,6 +24,8 @@ import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
+
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizer;
 import org.apache.atlas.authorize.AtlasPrivilege;
@@ -44,15 +46,10 @@ import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.services.atlas.RangerServiceAtlas;
 
-import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_CATEGORY;
-import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_NAME;
-import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_TYPE;
-import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_CLASSIFICATION;
-import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_ID;
-import static 
org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_SERVICE;
-
 import java.util.*;
 
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.*;
+
 
 public class RangerAtlasAuthorizer implements AtlasAuthorizer {
     private static final Log LOG      = 
LogFactory.getLog(RangerAtlasAuthorizer.class);
@@ -203,6 +200,78 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
         return ret;
     }
 
+    public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) 
throws AtlasAuthorizationException {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> isAccessAllowed(" + request + ")");
+        }
+
+        boolean ret;
+        RangerPerfTracer perf = null;
+
+        try {
+            if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+                perf = RangerPerfTracer.getPerfTracer(PERF_LOG, 
"RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
+            }
+
+            final String      action                      = 
request.getAction() != null ? request.getAction().getType() : null;
+            final Set<String> end1EntityTypeAndSuperTypes = 
request.getEnd1EntityTypeAndAllSuperTypes();
+            final Set<String> end1Classifications         = new 
HashSet<>(request.getEnd1EntityClassifications());
+            final String      end1EntityId                = 
request.getEnd1EntityId();
+
+            final Set<String> end2EntityTypeAndSuperTypes = 
request.getEnd2EntityTypeAndAllSuperTypes();
+            final Set<String> end2Classifications         = new 
HashSet<>(request.getEnd2EntityClassifications());
+            final String      end2EntityId                = 
request.getEnd2EntityId();
+
+
+            String relationShipType = request.getRelationshipType();
+
+            RangerAccessResourceImpl rangerResource = new 
RangerAccessResourceImpl();
+
+            RangerAccessRequestImpl rangerRequest = new 
RangerAccessRequestImpl(rangerResource, action, request.getUser(), 
request.getUserGroups());
+            rangerRequest.setClientIPAddress(request.getClientIPAddress());
+            rangerRequest.setAccessTime(request.getAccessTime());
+            rangerRequest.setClusterName(getClusterName());
+            rangerRequest.setAction(action);
+
+
+            rangerResource.setValue(RESOURCE_RELATIONSHIP_TYPE, 
relationShipType);
+
+
+            Set<String> classificationsWithSuperTypesEnd1 = new HashSet();
+
+            for (String classificationToAuthorize : end1Classifications) {
+                
classificationsWithSuperTypesEnd1.addAll(request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+            }
+
+            rangerResource.setValue(RESOURCE_END_ONE_ENTITY_TYPE, 
end1EntityTypeAndSuperTypes);
+            rangerResource.setValue(RESOURCE_END_ONE_ENTITY_CLASSIFICATION, 
classificationsWithSuperTypesEnd1);
+            rangerResource.setValue(RESOURCE_END_ONE_ENTITY_ID, end1EntityId);
+
+
+            Set<String> classificationsWithSuperTypesEnd2 = new HashSet();
+
+            for (String classificationToAuthorize : end2Classifications) {
+                
classificationsWithSuperTypesEnd2.addAll(request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+            }
+
+            rangerResource.setValue(RESOURCE_END_TWO_ENTITY_TYPE, 
end2EntityTypeAndSuperTypes);
+            rangerResource.setValue(RESOURCE_END_TWO_ENTITY_CLASSIFICATION, 
classificationsWithSuperTypesEnd2);
+            rangerResource.setValue(RESOURCE_END_TWO_ENTITY_ID, end2EntityId);
+
+            ret = checkAccess(rangerRequest);
+
+        } finally {
+            RangerPerfTracer.log(perf);
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
+        }
+
+        return ret;
+    }
+
+
     @Override
     public void scrubSearchResults(AtlasSearchResultScrubRequest request) 
throws AtlasAuthorizationException {
         if (LOG.isDebugEnabled()) {

http://git-wip-us.apache.org/repos/asf/ranger/blob/92ffcf04/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git 
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
 
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index 0ee2627..c9f77c6 100644
--- 
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ 
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -60,6 +60,19 @@ public class RangerServiceAtlas extends RangerBaseService {
        public static final String RESOURCE_ENTITY_TYPE           = 
"entity-type";
        public static final String RESOURCE_ENTITY_CLASSIFICATION = 
"entity-classification";
        public static final String RESOURCE_ENTITY_ID             = "entity";
+
+       public static final String RESOURCE_RELATIONSHIP_TYPE =  
"relationship-type";
+
+       public static final String RESOURCE_END_ONE_ENTITY_TYPE = 
"end-one-entity-type";
+       public static final String RESOURCE_END_ONE_ENTITY_CLASSIFICATION = 
"end-one-entity-classification";
+       public static final String RESOURCE_END_ONE_ENTITY_ID = 
"end-one-entity";
+
+       public static final String RESOURCE_END_TWO_ENTITY_TYPE =  
"end-two-entity-type";
+       public static final String RESOURCE_END_TWO_ENTITY_CLASSIFICATION = 
"end-two-entity-classification";
+       public static final String RESOURCE_END_TWO_ENTITY_ID = 
"end-two-entity";
+
+
+
        public static final String CONFIG_REST_ADDRESS            = 
"atlas.rest.address";
        public static final String CONFIG_USERNAME                = "username";
        public static final String CONFIG_PASSWORD                = "password";
@@ -230,6 +243,8 @@ public class RangerServiceAtlas extends RangerBaseService {
                                }
                                break;
 
+                               case RESOURCE_END_ONE_ENTITY_TYPE:
+                               case RESOURCE_END_TWO_ENTITY_TYPE:
                                case RESOURCE_ENTITY_TYPE: {
                                        refreshTypesDefs();
 
@@ -237,6 +252,8 @@ public class RangerServiceAtlas extends RangerBaseService {
                                }
                                break;
 
+                               case RESOURCE_END_ONE_ENTITY_CLASSIFICATION:
+                               case RESOURCE_END_TWO_ENTITY_CLASSIFICATION:
                                case RESOURCE_ENTITY_CLASSIFICATION: {
                                        refreshTypesDefs();
 
@@ -255,6 +272,37 @@ public class RangerServiceAtlas extends RangerBaseService {
                                }
                                break;
 
+                               case RESOURCE_RELATIONSHIP_TYPE: {
+                                       refreshTypesDefs();
+                                       addIfStartsWithAndNotExcluded(ret, 
typesDef.get(TYPE_RELATIONSHIP), userInput, currentValues);
+
+                               }
+                               break;
+
+                               case RESOURCE_END_ONE_ENTITY_ID: {
+
+                                       List<String> searchTypes = 
lookupContext.getResources().get(RESOURCE_END_ONE_ENTITY_TYPE);
+
+                                       if (searchTypes != null && 
searchTypes.size() == 1) {
+                                               List<String> values = 
searchEntities(userInput, searchTypes.get(0));
+
+                                               
addIfStartsWithAndNotExcluded(ret, values, userInput, currentValues);
+                                       }
+
+                               }
+                               break;
+
+                               case RESOURCE_END_TWO_ENTITY_ID: {
+                                       List<String> searchTypes = 
lookupContext.getResources().get(RESOURCE_END_TWO_ENTITY_TYPE);
+
+                                       if (searchTypes != null && 
searchTypes.size() == 1) {
+                                               List<String> values = 
searchEntities(userInput, searchTypes.get(0));
+
+                                               
addIfStartsWithAndNotExcluded(ret, values, userInput, currentValues);
+                                       }
+                               }
+                               break;
+
                                default: {
                                        
ret.add(lookupContext.getResourceName());
                                }

http://git-wip-us.apache.org/repos/asf/ranger/blob/92ffcf04/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
 
b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 609dddb..b50fdcf 100644
--- 
a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ 
b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -22,6 +22,7 @@ package org.apache.ranger.authorization.atlas.authorizer;
 import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasAuthorizer;
@@ -176,6 +177,30 @@ public class RangerAtlasAuthorizer implements 
AtlasAuthorizer {
                return ret;
        }
 
+
+       @Override
+       public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) 
throws AtlasAuthorizationException {
+               if (isDebugEnabled) {
+                       LOG.debug("==> 
isAccessAllowed(AtlasTypeAccessRequest)");
+               }
+
+               final boolean ret;
+
+               try {
+                       activatePluginClassLoader();
+
+                       ret = 
rangerAtlasAuthorizerImpl.isAccessAllowed(request);
+               } finally {
+                       deactivatePluginClassLoader();
+               }
+
+               if (isDebugEnabled) {
+                       LOG.debug("<== isAccessAllowed(AtlasTypeAccessRequest): 
" + ret);
+               }
+
+               return ret;
+       }
+
        @Override
        public void scrubSearchResults(AtlasSearchResultScrubRequest request) 
throws AtlasAuthorizationException {
                if (isDebugEnabled) {

Reply via email to