This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 552d93c Ranger-2467-similar to clusterName custom condition, add
clusterType custom condition
552d93c is described below
commit 552d93c7da27f245847a9557c3b5779e05f78a4d
Author: mateenmansoori <[email protected]>
AuthorDate: Fri Jun 28 15:07:24 2019 +0530
Ranger-2467-similar to clusterName custom condition, add clusterType custom
condition
Signed-off-by: Pradeep <[email protected]>
---
.../RangerAccessedFromClusterTypeCondition.java | 65 +++++++++++++++++++++
.../RangerAccessedNotFromClusterTypeCondition.java | 66 ++++++++++++++++++++++
.../plugin/policyengine/RangerAccessRequest.java | 2 +
.../policyengine/RangerAccessRequestImpl.java | 10 ++++
.../policyengine/RangerAccessRequestReadOnly.java | 3 +
.../plugin/policyengine/RangerPluginContext.java | 28 +++++++++
.../policyengine/RangerPolicyEngineImpl.java | 1 +
.../ranger/plugin/service/RangerAuthContext.java | 1 +
.../ranger/plugin/policyengine/TestPolicyACLs.java | 1 +
.../ranger/plugin/policyengine/TestPolicyDb.java | 1 +
.../plugin/policyengine/TestPolicyEngine.java | 1 +
.../authorization/hbase/TestPolicyEngine.java | 1 +
.../hive/authorizer/RangerHiveAccessRequest.java | 1 +
13 files changed, 181 insertions(+)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java
new file mode 100644
index 0000000..50a92bd
--- /dev/null
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+public class RangerAccessedFromClusterTypeCondition extends
RangerAbstractConditionEvaluator{
+ private static final Log LOG =
LogFactory.getLog(RangerAccessedFromClusterTypeCondition.class);
+
+ private boolean isAlwaysTrue = false;
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAccessedFromClusterTypeCondition.init(" + condition + ")");
+ }
+
+ super.init();
+
+ isAlwaysTrue = CollectionUtils.isEmpty(condition.getValues());
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAccessedFromClusterTypeCondition.init(" + condition + ")");
+ }
+ }
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAccessedFromClusterTypeCondition.isMatched(" + condition + ")");
+ }
+
+ final boolean ret;
+
+ if (isAlwaysTrue || request.getClusterType() == null) {
+ ret = isAlwaysTrue;
+ } else {
+ ret =
condition.getValues().contains(request.getClusterType());
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAccessedFromClusterTypeCondition.isMatched(" + condition + "): " + ret);
+ }
+
+ return ret;
+ }
+
+}
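Review bot: An empty value list turns this evaluator into an unconditional match (`isAlwaysTrue = CollectionUtils.isEmpty(condition.getValues());` in init()), and nothing in the new class documents that. On a condition attached to an allow item, a policy saved with the cluster-type values left blank therefore places no restriction at all. A class Javadoc should state the rule, for example `/** Matches when the request's cluster type is one of the configured values; an empty value list matches every request; a null cluster type matches only in that case. */`. The same comment should say that isMatched() uses an exact, case-sensitive `contains`, so a policy value that differs from the configured one only in case or surrounding whitespace will not match.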
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java
new file mode 100644
index 0000000..eb6c45c
--- /dev/null
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+public class RangerAccessedNotFromClusterTypeCondition extends
RangerAbstractConditionEvaluator{
+ private static final Log LOG =
LogFactory.getLog(RangerAccessedNotFromClusterTypeCondition.class);
+
+ private boolean isAlwaysTrue = false;
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAccessedNotFromClusterTypeCondition.init(" + condition + ")");
+ }
+
+ super.init();
+
+ isAlwaysTrue = CollectionUtils.isEmpty(condition.getValues());
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAccessedNotFromClusterTypeCondition.init(" + condition + ")");
+ }
+ }
+
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAccessedNotFromClusterTypeCondition.isMatched(" + condition + ")");
+ }
+
+ final boolean ret;
+
+ if (isAlwaysTrue || request.getClusterType() == null) {
+ ret = true;
+ } else {
+ ret =
!condition.getValues().contains(request.getClusterType());
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAccessedNotFromClusterTypeCondition.isMatched(" + condition + "): " +
ret);
+ }
+
+ return ret;
+ }
+}
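Review bot: A request whose cluster type is unknown satisfies this condition, because isMatched() returns a match for null via `if (isAlwaysTrue || request.getClusterType() == null) { ret = true; }`. The `else` branch also returns true for an empty string unless the policy itself lists an empty value. findClusterType() in RangerPluginContext.java (later in this commit) defaults to `""` when neither property is set, so a plugin with no cluster type configured appears to pass every "not from" check. Where this condition guards an allow item that is a fail-open default. If it is intended (it may mirror the existing clusterName condition, which is not visible here), say so in a class comment; otherwise handle null and empty together with an explicit decision, e.g. `final String type = request.getClusterType(); if (type == null || type.isEmpty()) { ret = isAlwaysTrue; }`.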
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index cb06d26..89d585a 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -55,6 +55,8 @@ public interface RangerAccessRequest {
String getClusterName();
+ String getClusterType();
+
Map<String, Object> getContext();
RangerAccessRequest getReadOnlyCopy();
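Review bot: `getClusterType()` is added without Javadoc, so the contract the two new evaluators rely on is not written down at the interface: can the result be null or empty when the plugin has no cluster type configured? A comment such as `/** Cluster type of the plugin handling the request; may be null or empty when none is configured. */` would cover it, with the wording confirmed against RangerPluginContext. Because the method is abstract, any RangerAccessRequest implementation outside the classes updated in this commit will no longer compile against the interface. `default String getClusterType() { return null; }` avoids that if the build's source level allows default methods. The interface body continues outside this hunk.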
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 1f2f8ea..0ccca21 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -48,6 +48,7 @@ public class RangerAccessRequestImpl implements
RangerAccessRequest {
private String sessionId;
private Map<String, Object> context;
private String clusterName;
+ private String clusterType;
private boolean isAccessTypeAny;
private boolean isAccessTypeDelegatedAdmin;
@@ -212,6 +213,14 @@ public class RangerAccessRequestImpl implements
RangerAccessRequest {
this.clusterName = clusterName;
}
+ public String getClusterType() {
+ return clusterType;
+ }
+
+ public void setClusterType(String clusterType) {
+ this.clusterType = clusterType;
+ }
+
public void setResourceMatchingScope(ResourceMatchingScope scope) {
this.resourceMatchingScope = scope; }
public void setContext(Map<String, Object> context) {
@@ -290,6 +299,7 @@ public class RangerAccessRequestImpl implements
RangerAccessRequest {
sb.append("sessionId={").append(sessionId).append("} ");
sb.append("resourceMatchingScope={").append(resourceMatchingScope).append("} ");
sb.append("clusterName={").append(clusterName).append("} ");
+ sb.append("clusterType={").append(clusterType).append("} ");
sb.append("context={");
if(context != null) {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
index d5563bd..ea42c82 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@ -96,4 +96,7 @@ public class RangerAccessRequestReadOnly implements
RangerAccessRequest {
@Override
public String getClusterName() { return source.getClusterName();
}
+ @Override
+ public String getClusterType() { return source.getClusterType();
}
+
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
index 36dcec1..e596b2a 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -29,9 +29,11 @@ public class RangerPluginContext {
private static final Log LOG =
LogFactory.getLog(RangerBasePlugin.class);
private String clusterName;
+ private String clusterType;
public RangerPluginContext(String serviceType){
this.clusterName = findClusterName(serviceType);
+ this.clusterType = findClusterType(serviceType);
}
public String getClusterName() {
@@ -42,6 +44,14 @@ public class RangerPluginContext {
this.clusterName = clusterName;
}
+ public String getClusterType() {
+ return clusterType;
+ }
+
+ public void setClusterType(String clusterType) {
+ this.clusterType = clusterType;
+ }
+
private String findClusterName(String serviceType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPluginContext.findClusterName ,
serviceType = " + serviceType);
@@ -60,4 +70,22 @@ public class RangerPluginContext {
return clusterName;
}
+ private String findClusterType(String serviceType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPluginContext.findClusterType ,
serviceType = " + serviceType);
+ }
+
+ String propertyPrefix = "ranger.plugin." + serviceType;
+ String clusterType =
RangerConfiguration.getInstance().get(propertyPrefix + ".access.cluster.type",
"");
+ if(StringUtil.isEmpty(clusterType)){
+ clusterType =
RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.type",
"");
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPluginContext.findClusterType ");
+ }
+
+ return clusterType;
+ }
+
}
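Review bot: The exit log in findClusterType(), `LOG.debug("<== RangerPluginContext.findClusterType ");`, omits the resolved value, which is what an operator needs when working out why a cluster-type condition did or did not match. Suggest `LOG.debug("<== RangerPluginContext.findClusterType , serviceType = " + serviceType + ", clusterType = " + clusterType);`. A short comment above the method should name the two keys and their precedence: `ranger.plugin.<serviceType>.access.cluster.type` first, then `ranger.plugin.<serviceType>.ambari.cluster.type`. It should also note that the result is an empty string rather than null when neither is set, since the new evaluators only special-case null.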
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 0edf149..daa62f4 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -427,6 +427,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if(rangerPluginContext != null) {
reqImpl.setClusterName(rangerPluginContext.getClusterName());
+
reqImpl.setClusterType(rangerPluginContext.getClusterType());
}
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index 67c068b..02f3431 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -175,6 +175,7 @@ public class RangerAuthContext implements
RangerPolicyEngine {
reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(),
getTrustedProxyAddresses());
if(rangerPluginContext != null) {
reqImpl.setClusterName(rangerPluginContext.getClusterName());
+
reqImpl.setClusterType(rangerPluginContext.getClusterType());
}
}
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index 33b26e0..6af6948 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -93,6 +93,7 @@ public class TestPolicyACLs {
RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
RangerPluginContext pluginContext = new
RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies,
policyEngineOptions, pluginContext);
for(PolicyACLsTests.TestCase.OneTest oneTest :
testCase.tests) {
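Review bot: The value set here, `pluginContext.setClusterType("on-prem");`, does not appear to be exercised by any test. The diffstat lists no test data files, so nothing in this commit evaluates RangerAccessedFromClusterTypeCondition or RangerAccessedNotFromClusterTypeCondition. The same one-line setup is added in TestPolicyDb, TestPolicyEngine and the hbase TestPolicyEngine. Cases worth adding are a matching type, a non-matching type, an empty value list, and a plugin context with no cluster type set, since the last two decide whether the conditions fail open. The enclosing test method starts and ends outside this hunk.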
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
index f373339..456d52c 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
@@ -117,6 +117,7 @@ public class TestPolicyDb {
policyEngineOptions.disableCustomConditions = true;
RangerPluginContext pluginContext = new
RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl("test-policydb", testCase.servicePolicies,
policyEngineOptions, pluginContext);
for(TestData test : testCase.tests) {
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index cce5129..d1e0c23 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -437,6 +437,7 @@ public class TestPolicyEngine {
}
RangerPluginContext pluginContext = new
RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions,
pluginContext);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
diff --git
a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
index 6dd81fa..919920d 100644
---
a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
+++
b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
@@ -105,6 +105,7 @@ public class TestPolicyEngine {
RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
RangerPluginContext pluginContext = new
RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions,
pluginContext);
RangerAccessResultProcessor auditHandler = new
RangerDefaultAuditHandler();
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index ce5cf64..188f2b1 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -109,6 +109,7 @@ public class RangerHiveAccessRequest extends
RangerAccessRequestImpl {
ret.setContext(RangerAccessRequestUtil.copyContext(getContext()));
ret.accessType = accessType;
ret.setClusterName(getClusterName());
+ ret.setClusterType(getClusterType());
return ret;
}