This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 4096838 RANGER-2404: Delegate-admin permission granted by policy needs to be effective only within the zone to which the policy belongs 4096838 is described below commit 4096838b60be4190ee9223369f6b27d93eb1190d Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Sat Apr 27 09:58:21 2019 -0700 RANGER-2404: Delegate-admin permission granted by policy needs to be effective only within the zone to which the policy belongs --- .../policyengine/RangerPolicyEngineCache.java | 122 +++++++++++++++++++-- .../RangerPolicyEngineCacheForEngineOptions.java | 7 +- .../policyengine/RangerPolicyEngineImpl.java | 6 +- .../java/org/apache/ranger/rest/ServiceREST.java | 111 ++++--------------- 4 files changed, 142 insertions(+), 104 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java index c1a7977..99b2ab3 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java 
@@ -19,21 +19,29 @@ package org.apache.ranger.plugin.policyengine; +import java.util.ArrayList; import java.util.HashMap; +import java.util.List; import java.util.Map; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicyDelta; +import org.apache.ranger.plugin.model.RangerSecurityZone; +import org.apache.ranger.plugin.store.SecurityZoneStore; import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.ServicePolicies; -class RangerPolicyEngineCache { +public class RangerPolicyEngineCache { private static final Log LOG = LogFactory.getLog(RangerPolicyEngineCache.class); private final Map<String, RangerPolicyEngine> policyEngineCache = new HashMap<String, RangerPolicyEngine>(); - synchronized final RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore, RangerPolicyEngineOptions options) { + synchronized final RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) { RangerPolicyEngine ret = null; if(serviceName != null) { 
@@ -45,13 +53,17 @@ class RangerPolicyEngineCache { try { ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, false); - if(policies != null) { - if(ret == null) { - ret = addPolicyEngine(policies, options); - } else if(policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) { - ret = updatePolicyEngine(ret, policies, options); + if (policies != null && policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) { + ServicePolicies updatedServicePolicies = policies; + if (zoneStore != null) { + Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName); + if (MapUtils.isNotEmpty(securityZones)) { + updatedServicePolicies = getUpdatedServicePoliciesForZones(policies, securityZones); + } } + ret = ret == null ? addPolicyEngine(updatedServicePolicies, options) : updatePolicyEngine(ret, updatedServicePolicies, options); } + } catch(Exception excp) { LOG.error("getPolicyEngine(" + serviceName + "): failed to get latest policies from service-store", excp); } 
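Review bot: The rebuild is now gated solely on the policy-version comparison, so an engine first built through the three-argument overload in RangerPolicyEngineCacheForEngineOptions (which forwards `zoneStore == null`) keeps its un-partitioned policy set on later calls that do pass a zoneStore, until the service store reports a new version. If both overloads can reach the same options-keyed cache, the delegate-admin engine may evaluate zone policies as unzoned for that window; either make zone-awareness part of the cache key or force a rebuild when a zoneStore arrives for an engine that was built without one. Separately, the old code built an engine whenever `ret == null`, whereas the new condition also requires `policies.getPolicyVersion() != null`, so a null version now yields a null engine — confirm that callers fail closed on that. A failure inside `zoneStore.getSecurityZonesForService` is caught by the existing `catch(Exception excp)` and leaves the previously cached engine in place, which deserves a comment. The enclosing getPolicyEngine body starts and ends outside this hunk.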
@@ -90,4 +102,100 @@ class RangerPolicyEngineCache { return ret; } + + public static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones) { + + final ServicePolicies ret; + + if (MapUtils.isNotEmpty(securityZones)) { + ret = new ServicePolicies(); + ret.setServiceDef(servicePolicies.getServiceDef()); + ret.setServiceId(servicePolicies.getServiceId()); + ret.setServiceName(servicePolicies.getServiceName()); + ret.setAuditMode(servicePolicies.getAuditMode()); + ret.setPolicyVersion(servicePolicies.getPolicyVersion()); + ret.setPolicyUpdateTime(servicePolicies.getPolicyUpdateTime()); + + Map<String, ServicePolicies.SecurityZoneInfo> securityZonesInfo = new HashMap<>(); + + if (CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) { + + List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies()); + + for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) { + + List<RangerPolicy> zonePolicies = extractZonePolicies(allPolicies, entry.getKey()); + + if (CollectionUtils.isNotEmpty(zonePolicies)) { + allPolicies.removeAll(zonePolicies); + } + + ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo(); + securityZoneInfo.setZoneName(entry.getKey()); + securityZoneInfo.setPolicies(zonePolicies); + securityZoneInfo.setResources(entry.getValue().getResources()); + + securityZoneInfo.setContainsAssociatedTagService(false); + + securityZonesInfo.put(entry.getKey(), securityZoneInfo); + } + + ret.setPolicies(allPolicies); + ret.setTagPolicies(servicePolicies.getTagPolicies()); + } else { + List<RangerPolicyDelta> allPolicyDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas()); + + for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) { + + List<RangerPolicyDelta> zonePolicyDeltas = 
extractZonePolicyDeltas(allPolicyDeltas, entry.getKey()); + + if (CollectionUtils.isNotEmpty(zonePolicyDeltas)) { + allPolicyDeltas.removeAll(zonePolicyDeltas); + } + + ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo(); + securityZoneInfo.setZoneName(entry.getKey()); + securityZoneInfo.setPolicyDeltas(zonePolicyDeltas); + securityZoneInfo.setResources(entry.getValue().getResources()); + + securityZoneInfo.setContainsAssociatedTagService(false); + + securityZonesInfo.put(entry.getKey(), securityZoneInfo); + } + + ret.setPolicyDeltas(allPolicyDeltas); + } + ret.setSecurityZones(securityZonesInfo); + } else { + ret = servicePolicies; + } + + return ret; + } + + private static List<RangerPolicy> extractZonePolicies(final List<RangerPolicy> allPolicies, final String zoneName) { + + final List<RangerPolicy> ret = new ArrayList<>(); + + for (RangerPolicy policy : allPolicies) { + if (policy.getIsEnabled() && StringUtils.equals(policy.getZoneName(), zoneName)) { + ret.add(policy); + } + } + + return ret; + } + + private static List<RangerPolicyDelta> extractZonePolicyDeltas(final List<RangerPolicyDelta> allPolicyDeltas, final String zoneName) { + + final List<RangerPolicyDelta> ret = new ArrayList<>(); + + for (RangerPolicyDelta delta : allPolicyDeltas) { + if (StringUtils.equals(delta.getZoneName(), zoneName)) { + ret.add(delta); + } + } + + return ret; + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java index ca6a2a3..5cd82d8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java 
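Review bot: `extractZonePolicies` keeps only enabled policies, and `allPolicies.removeAll(zonePolicies)` then removes only those, so a disabled policy that carries a zone name stays in the list passed to `ret.setPolicies(allPolicies)`; likewise any policy whose zone name is absent from `securityZones` is left in that unzoned list and, as far as this hunk shows, would be treated as an unzoned policy by the engine. Dropping policies with a non-blank `getZoneName()` from the unzoned list (or at least logging such leftovers) would keep zone-scoped policies from widening beyond their zone. `new ArrayList<>(servicePolicies.getPolicies())` also throws if the policy list is null when there are no deltas; `servicePolicies.getPolicies() == null ? new ArrayList<>() : new ArrayList<>(servicePolicies.getPolicies())` would be safer. A Javadoc on `getUpdatedServicePoliciesForZones` stating that it returns a fresh ServicePolicies whose `containsAssociatedTagService` flags are always false (the admin side patches them in ServiceREST) would help plugin-side callers.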
@@ -19,6 +19,7 @@ package org.apache.ranger.plugin.policyengine; +import org.apache.ranger.plugin.store.SecurityZoneStore; import org.apache.ranger.plugin.store.ServiceStore; import java.util.Collections; @@ -46,6 +47,10 @@ public class RangerPolicyEngineCacheForEngineOptions { } public final RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore, RangerPolicyEngineOptions options) { + return getPolicyEngine(serviceName, svcStore, null, options); + } + + public final RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) { RangerPolicyEngineCache policyEngineCache; @@ -56,7 +61,7 @@ public class RangerPolicyEngineCacheForEngineOptions { policyEngineCacheForEngineOptions.put(options, policyEngineCache); } } - return policyEngineCache.getPolicyEngine(serviceName, svcStore, options); + return policyEngineCache.getPolicyEngine(serviceName, svcStore, zoneStore, options); } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 35fa534..365edcf 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -800,9 +800,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { matchedRepositories.add(policyRepository); } } else { - // Search all security zones + // Search unzoned security zone matchedRepositories.add(this.policyRepository); - matchedRepositories.addAll(this.policyRepositories.values()); } for (RangerPolicyRepository policyRepository : matchedRepositories) { 
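Review bot: The replacement comment `// Search unzoned security zone` in the RangerPolicyEngineImpl hunk at -800 is misleading — `this.policyRepository` holds the policies that belong to no zone, not a zone — and it does not say why the other repositories are no longer searched, which is the whole fix. Suggest `// Resource matched no zone: consult only unzoned policies; zone policies must not grant anything outside their zone` here and in the identical hunk at -862 in the next line. The two blocks appear to be the same zone-matching logic duplicated across two methods; factoring the repository selection into one private helper would keep the next fix from having to land twice. Both enclosing methods start and end outside their hunks.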
@@ -862,9 +861,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { matchedRepositories.add(policyRepository); } } else { - // Search all security zones + // Search unzoned security zone matchedRepositories.add(this.policyRepository); - matchedRepositories.addAll(this.policyRepositories.values()); } for (RangerPolicyRepository policyRepository : matchedRepositories) { diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index f17b65e..70088f9 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -92,7 +92,6 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; -import org.apache.ranger.plugin.model.RangerPolicyDelta; import org.apache.ranger.plugin.model.RangerSecurityZone; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; @@ -104,6 +103,7 @@ import org.apache.ranger.plugin.model.validation.RangerValidator.Action; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCacheForEngineOptions; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.service.ResourceLookupContext; 
@@ -2898,7 +2898,11 @@ public class ServiceREST { logMsg = "No change since last update"; } else { Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName); - ServicePolicies updatedServicePolicies = getUpdatedServicePoliciesForZones(servicePolicies, securityZones); + ServicePolicies updatedServicePolicies = servicePolicies; + if (MapUtils.isNotEmpty(securityZones)) { + updatedServicePolicies = RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones); + patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies); + } downloadedVersion = updatedServicePolicies.getPolicyVersion(); if (lastKnownVersion == -1L || !supportsPolicyDeltas) { ret = filterServicePolicies(updatedServicePolicies); @@ -3015,7 +3019,11 @@ public class ServiceREST { logMsg = "No change since last update"; } else { Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName); - ServicePolicies updatedServicePolicies = getUpdatedServicePoliciesForZones(servicePolicies, securityZones); + ServicePolicies updatedServicePolicies = servicePolicies; + if (MapUtils.isNotEmpty(securityZones)) { + updatedServicePolicies = RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones); + patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies); + } downloadedVersion = updatedServicePolicies.getPolicyVersion(); if (lastKnownVersion == -1L || !supportsPolicyDeltas) { ret = filterServicePolicies(updatedServicePolicies); 
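Review bot: The zone-partitioning step added at -2898 is repeated verbatim at -3015 (zone lookup, emptiness guard, static call, tag-service patch); a private helper such as `applySecurityZones(serviceName, servicePolicies)` returning the updated ServicePolicies would keep both download paths in lockstep. The `MapUtils.isNotEmpty(securityZones)` guard duplicates the one inside `RangerPolicyEngineCache.getUpdatedServicePoliciesForZones`, and `patchAssociatedTagServiceInSecurityZoneInfos` already checks `getSecurityZones()` itself, so both calls could be unconditional. The enclosing methods start and end outside these hunks.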
@@ -3530,7 +3538,7 @@ public class ServiceREST { } private RangerPolicyEngine getDelegatedAdminPolicyEngine(String serviceName) { - return RangerPolicyEngineCacheForEngineOptions.getInstance().getPolicyEngine(serviceName, svcStore, delegateAdminOptions); + return RangerPolicyEngineCacheForEngineOptions.getInstance().getPolicyEngine(serviceName, svcStore, zoneStore, delegateAdminOptions); } private RangerPolicyEngine getPolicySearchPolicyEngine(String serviceName) throws Exception { @@ -3811,19 +3819,9 @@ public class ServiceREST { } } } - private ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones) { - - final ServicePolicies ret; - - if (MapUtils.isNotEmpty(securityZones)) { - ret = new ServicePolicies(); - ret.setServiceDef(servicePolicies.getServiceDef()); - ret.setServiceId(servicePolicies.getServiceId()); - ret.setServiceName(servicePolicies.getServiceName()); - ret.setAuditMode(servicePolicies.getAuditMode()); - ret.setPolicyVersion(servicePolicies.getPolicyVersion()); - ret.setPolicyUpdateTime(servicePolicies.getPolicyUpdateTime()); + private void patchAssociatedTagServiceInSecurityZoneInfos(ServicePolicies servicePolicies) { + if (servicePolicies != null && MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) { // Get list of zones that associated tag-service (if any) is associated with List<String> zonesInAssociatedTagService = new ArrayList<>(); 
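Review bot: `getDelegatedAdminPolicyEngine` now forwards the `zoneStore` field, but RangerPolicyEngineCache.getPolicyEngine silently skips zone partitioning when it receives null, which for this engine appears to reinstate the behaviour the commit fixes (zone policies evaluated as unzoned). An `Objects.requireNonNull(zoneStore, "zoneStore")` before the call, or a failure in the cache when a delegate-admin engine is requested without a zone store, would surface that misconfiguration instead of degrading to the permissive result. The other hunk in this line (-3811) opens `patchAssociatedTagServiceInSecurityZoneInfos`, whose body continues in the following hunk.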
@@ -3838,86 +3836,15 @@ public class ServiceREST { LOG.warn("Could not get service associated with [" + tagServiceName + "]", exception); } } + if (CollectionUtils.isNotEmpty(zonesInAssociatedTagService)) { + for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) { + String zoneName = entry.getKey(); + ServicePolicies.SecurityZoneInfo securityZoneInfo = entry.getValue(); - Map<String, ServicePolicies.SecurityZoneInfo> securityZonesInfo = new HashMap<>(); - - if (CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) { - - List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies()); - - for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) { - - List<RangerPolicy> zonePolicies = extractZonePolicies(allPolicies, entry.getKey()); - - if (CollectionUtils.isNotEmpty(zonePolicies)) { - allPolicies.removeAll(zonePolicies); - } - - ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo(); - securityZoneInfo.setZoneName(entry.getKey()); - securityZoneInfo.setPolicies(zonePolicies); - securityZoneInfo.setResources(entry.getValue().getResources()); - - securityZoneInfo.setContainsAssociatedTagService(zonesInAssociatedTagService.contains(entry.getKey())); - - securityZonesInfo.put(entry.getKey(), securityZoneInfo); - } - - ret.setPolicies(allPolicies); - ret.setTagPolicies(servicePolicies.getTagPolicies()); - } else { - List<RangerPolicyDelta> allPolicyDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas()); - - for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) { - - List<RangerPolicyDelta> zonePolicyDeltas = extractZonePolicyDeltas(allPolicyDeltas, entry.getKey()); - - if (CollectionUtils.isNotEmpty(zonePolicyDeltas)) { - allPolicyDeltas.removeAll(zonePolicyDeltas); - } - - ServicePolicies.SecurityZoneInfo securityZoneInfo = new 
ServicePolicies.SecurityZoneInfo(); - securityZoneInfo.setZoneName(entry.getKey()); - securityZoneInfo.setPolicyDeltas(zonePolicyDeltas); - securityZoneInfo.setResources(entry.getValue().getResources()); - - securityZonesInfo.put(entry.getKey(), securityZoneInfo); + securityZoneInfo.setContainsAssociatedTagService(zonesInAssociatedTagService.contains(zoneName)); } - - ret.setPolicyDeltas(allPolicyDeltas); } - ret.setSecurityZones(securityZonesInfo); - } else { - ret = servicePolicies; } - - return ret; - } - - private static List<RangerPolicy> extractZonePolicies(final List<RangerPolicy> allPolicies, final String zoneName) { - - final List<RangerPolicy> ret = new ArrayList<>(); - - for (RangerPolicy policy : allPolicies) { - if (policy.getIsEnabled() && StringUtils.equals(policy.getZoneName(), zoneName)) { - ret.add(policy); - } - } - - return ret; - } - - private static List<RangerPolicyDelta> extractZonePolicyDeltas(final List<RangerPolicyDelta> allPolicyDeltas, final String zoneName) { - - final List<RangerPolicyDelta> ret = new ArrayList<>(); - - for (RangerPolicyDelta delta : allPolicyDeltas) { - if (StringUtils.equals(delta.getZoneName(), zoneName)) { - ret.add(delta); - } - } - - return ret; } }
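Review bot: `patchAssociatedTagServiceInSecurityZoneInfos` mutates the SecurityZoneInfo values in place and is undocumented; a Javadoc such as `Marks each zone of {@code servicePolicies} whose name appears in the associated tag-service's zone list with containsAssociatedTagService=true; flags are left untouched when no tag service or no zones are found.` would state the contract. The method starts in the previous hunk (-3811); the tag-service lookup there logs a warning and continues, so a lookup failure leaves every flag at the default assigned by RangerPolicyEngineCache, which is worth a comment if that degradation is intended.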