This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 4bb0d67 RANGER-2484: Improve import API to merge the policies if
resources are exactly same
4bb0d67 is described below
commit 4bb0d6758aadc242d596935453ded02b71b71893
Author: Pradeep <[email protected]>
AuthorDate: Wed Jun 26 12:01:06 2019 +0530
RANGER-2484: Improve import API to merge the policies if resources are
exactly same
---
.../java/org/apache/ranger/rest/ServiceREST.java | 42 +++++++++-
.../org/apache/ranger/rest/ServiceRESTUtil.java | 97 ++++++++++++++++++++++
2 files changed, 137 insertions(+), 2 deletions(-)
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index bb5e397..171d73b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -157,6 +157,7 @@ public class ServiceREST {
final static public String PARAM_SERVICE_TYPE = "serviceType";
final static public String PARAM_POLICY_NAME = "policyName";
final static public String PARAM_UPDATE_IF_EXISTS = "updateIfExists";
+ final static public String PARAM_IGNORE_POLICY_NAME =
"ignorePolicyName";
public static final String Allowed_User_List_For_Download =
"policy.download.auth.users";
public static final String Allowed_User_List_For_Grant_Revoke =
"policy.grantrevoke.auth.users";
@@ -2293,6 +2294,7 @@ public class ServiceREST {
private int createPolicesBasedOnPolicyMap(HttpServletRequest request,
Map<String, RangerPolicy> policiesMap,
List<String> serviceNameList, String updateIfExists,
int totalPolicyCreate) {
+ boolean ignorePolicyName=
"true".equalsIgnoreCase(StringUtils.trimToNull(request.getParameter(PARAM_IGNORE_POLICY_NAME)))
? true : false;
if (!CollectionUtils.sizeIsEmpty(policiesMap.entrySet())) {
for (Entry<String, RangerPolicy> entry :
policiesMap.entrySet()) {
RangerPolicy policy = entry.getValue();
@@ -2304,8 +2306,26 @@ public class ServiceREST {
if
(updateIfExists != null && !updateIfExists.isEmpty()){
request.setAttribute(PARAM_SERVICE_NAME, policy.getService());
request.setAttribute(PARAM_POLICY_NAME, policy.getName());
+
if(ignorePolicyName && !ServiceRESTUtil.containsRangerCondition(policy)) {
+
String user = request.getRemoteUser();
+
RangerPolicy existingPolicy;
+
try {
+
existingPolicy = getExactMatchPolicyForResource(policy,
StringUtils.isNotBlank(user) ? user :"admin");
+
} catch (Exception e) {
+
existingPolicy=null;
+
}
+
if (existingPolicy == null) {
+
createPolicy(policy, request);
+
} else {
+
ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy);
+
updatePolicy(existingPolicy);
+
}
+
} else {
+
createPolicy(policy, request);
+
}
+ } else {
+
createPolicy(policy, request);
}
-
createPolicy(policy, request);
totalPolicyCreate = totalPolicyCreate + 1;
if
(LOG.isDebugEnabled()) {
LOG.debug("Policy " + policy.getName() + " created successfully.");
@@ -2321,8 +2341,26 @@ public class ServiceREST {
if (updateIfExists != null &&
!updateIfExists.isEmpty()){
request.setAttribute(PARAM_SERVICE_NAME, policy.getService());
request.setAttribute(PARAM_POLICY_NAME, policy.getName());
+ if(ignorePolicyName &&
!ServiceRESTUtil.containsRangerCondition(policy)) {
+ String user =
request.getRemoteUser();
+ RangerPolicy
existingPolicy;
+ try {
+
existingPolicy = getExactMatchPolicyForResource(policy,
StringUtils.isNotBlank(user) ? user :"admin");
+ } catch
(Exception e) {
+
existingPolicy=null;
+ }
+ if
(existingPolicy == null) {
+
createPolicy(policy, request);
+ } else {
+
ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy);
+
updatePolicy(existingPolicy);
+ }
+ } else {
+
createPolicy(policy, request);
+ }
+ } else {
+ createPolicy(policy,
request);
}
- createPolicy(policy, request);
totalPolicyCreate =
totalPolicyCreate + 1;
if (LOG.isDebugEnabled()) {
LOG.debug("Policy " +
policy.getName() + " created successfully.");
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index c49c426..2fb2ce6 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -252,6 +252,66 @@ public class ServiceRESTUtil {
}
}
+ static public void mergeExactMatchPolicyForResource(RangerPolicy
existingPolicy, RangerPolicy appliedPolicy) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
ServiceRESTUtil.mergeExactMatchPolicyForResource()");
+ }
+ mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.ALLOW);
+ mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.DENY);
+ mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
+ mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.DENY_EXCEPTIONS);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
ServiceRESTUtil.mergeExactMatchPolicyForResource()");
+ }
+ }
+
+ static private void mergeExactMatchPolicyForItemType(RangerPolicy
existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
ServiceRESTUtil.mergeExactMatchPolicyForItemType()");
+ }
+ List<RangerPolicy.RangerPolicyItem> appliedPolicyItems = null;
+ switch (policyItemType) {
+ case ALLOW:
+ appliedPolicyItems =
appliedPolicy.getPolicyItems();
+ break;
+ case DENY:
+ appliedPolicyItems =
appliedPolicy.getDenyPolicyItems();
+ break;
+ case ALLOW_EXCEPTIONS:
+ appliedPolicyItems =
appliedPolicy.getAllowExceptions();
+ break;
+ case DENY_EXCEPTIONS:
+ appliedPolicyItems =
appliedPolicy.getDenyExceptions();
+ break;
+ default:
+ LOG.warn("mergeExactMatchPolicyForItemType():
invalid policyItemType=" + policyItemType);
+ }
+
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+
+ Set<String> users = new HashSet<String>();
+ Set<String> groups = new HashSet<String>();
+
+ Map<String, RangerPolicy.RangerPolicyItem[]>
userPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>();
+ Map<String, RangerPolicy.RangerPolicyItem[]>
groupPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>();
+
+ // Extract users and groups specified in appliedPolicy
items
+ extractUsersAndGroups(appliedPolicyItems, users,
groups);
+
+ // Split existing policyItems for users and groups
extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems
+ splitExistingPolicyItems(existingPolicy, users,
userPolicyItems, groups, groupPolicyItems);
+ // Apply policyItems of given type in appliedPolicy to
policyItems extracted from existingPolicy
+ mergePolicyItems(appliedPolicyItems, policyItemType,
userPolicyItems, groupPolicyItems);
+ // Add modified/new policyItems back to existing policy
+ mergeProcessedPolicyItems(existingPolicy,
userPolicyItems, groupPolicyItems);
+ compactPolicy(existingPolicy);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
ServiceRESTUtil.mergeExactMatchPolicyForItemType()");
+ }
+ }
+
static private void
extractUsersAndGroups(List<RangerPolicy.RangerPolicyItem> policyItems,
Set<String> users, Set<String> groups) {
if (LOG.isDebugEnabled()) {
LOG.debug("==>
ServiceRESTUtil.extractUsersAndGroups()");
@@ -482,6 +542,43 @@ public class ServiceRESTUtil {
}
}
+ static private void
mergePolicyItems(List<RangerPolicy.RangerPolicyItem> appliedPolicyItems,
+ POLICYITEM_TYPE policyItemType, Map<String,
RangerPolicy.RangerPolicyItem[]> existingUserPolicyItems,
+ Map<String, RangerPolicy.RangerPolicyItem[]>
existingGroupPolicyItems) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceRESTUtil.mergePolicyItems()");
+ }
+ for (RangerPolicy.RangerPolicyItem policyItem :
appliedPolicyItems) {
+ List<String> users = policyItem.getUsers();
+ for (String user : users) {
+ RangerPolicy.RangerPolicyItem[] items =
existingUserPolicyItems.get(user);
+ if (items == null) {
+ // Should not get here
+ LOG.warn("Should not have come here..");
+ items = new
RangerPolicy.RangerPolicyItem[4];
+ existingUserPolicyItems.put(user,
items);
+ }
+ addPolicyItemForUser(items,
policyItemType.ordinal(), user, policyItem);
+ }
+ }
+
+ for (RangerPolicy.RangerPolicyItem policyItem :
appliedPolicyItems) {
+ List<String> groups = policyItem.getGroups();
+ for (String group : groups) {
+ RangerPolicy.RangerPolicyItem[] items =
existingGroupPolicyItems.get(group);
+ if (items == null) {
+ // Should not get here
+ items = new
RangerPolicy.RangerPolicyItem[4];
+ existingGroupPolicyItems.put(group,
items);
+ }
+ addPolicyItemForGroup(items,
policyItemType.ordinal(), group, policyItem);
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceRESTUtil.mergePolicyItems()");
+ }
+ }
+
static private void mergeProcessedPolicyItems(RangerPolicy
existingPolicy, Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems,
Map<String, RangerPolicy.RangerPolicyItem[]>
groupPolicyItems) {
if (LOG.isDebugEnabled()) {
