This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 6cd9e7b RANGER-2654: removed static
RangerBasePlugin.servicePluginMap; moved bunch of members from RangerBasePlugin
to RangerPluginConfig
6cd9e7b is described below
commit 6cd9e7b9efe7a799ce4d5c3faa6d1d9491dcf1c1
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Tue Nov 26 23:02:12 2019 -0800
RANGER-2654: removed static RangerBasePlugin.servicePluginMap; moved a number
of members from RangerBasePlugin to RangerPluginConfig
---
.../hadoop/config/RangerAuditConfig.java | 10 +-
.../hadoop/config/RangerPluginConfig.java | 124 +++++++-
.../RangerAbstractContextEnricher.java | 38 ++-
.../contextenricher/RangerAdminTagRetriever.java | 7 +-
.../plugin/contextenricher/RangerTagEnricher.java | 8 +-
.../ranger/plugin/policyengine/PolicyEngine.java | 24 +-
.../plugin/policyengine/RangerPluginContext.java | 71 +----
.../plugin/policyengine/RangerPolicyEngine.java | 2 +-
.../policyengine/RangerPolicyEngineImpl.java | 10 +-
.../policyengine/RangerPolicyRepository.java | 107 +++----
.../ranger/plugin/service/RangerAuthContext.java | 36 +--
.../ranger/plugin/service/RangerBasePlugin.java | 348 ++++++++-------------
.../org/apache/ranger/plugin/store/RoleStore.java | 2 +-
.../apache/ranger/plugin/util/PolicyRefresher.java | 105 ++++---
.../ranger/plugin/util/RangerRESTClient.java | 23 +-
.../ranger/plugin/util/RangerRolesProvider.java | 72 ++---
.../apache/ranger/plugin/util/RangerRolesUtil.java | 26 +-
.../ranger/plugin/policyengine/TestPolicyACLs.java | 5 +-
.../plugin/policyengine/TestPolicyEngine.java | 35 ++-
.../policyengine/TestPolicyEngineComparison.java | 10 +-
.../plugin/policyengine/TestRangerAuthContext.java | 23 +-
.../authorization/hbase/TestPolicyEngine.java | 5 +-
.../apache/ranger/policyengine/PerfTestEngine.java | 5 +-
.../RangerPolicyEnginePerformanceTest.java | 5 +-
.../org/apache/ranger/biz/RangerPolicyAdmin.java | 2 +-
.../apache/ranger/biz/RangerPolicyAdminCache.java | 31 +-
.../apache/ranger/biz/RangerPolicyAdminImpl.java | 53 ++--
.../java/org/apache/ranger/biz/RoleDBStore.java | 6 +-
.../org/apache/ranger/common/RangerRoleCache.java | 61 ++--
.../main/java/org/apache/ranger/rest/RoleREST.java | 20 +-
.../org/apache/ranger/audit/TestAuditQueue.java | 2 +-
.../java/org/apache/ranger/biz/TestPolicyDb.java | 5 +-
32 files changed, 640 insertions(+), 641 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAuditConfig.java
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAuditConfig.java
index 70928be..d6ba00a 100644
---
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAuditConfig.java
+++
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAuditConfig.java
@@ -27,19 +27,23 @@ public class RangerAuditConfig extends RangerConfiguration {
private final boolean initSuccess;
public RangerAuditConfig() {
+ this("standalone");
+ }
+
+ public RangerAuditConfig(String serviceName) {
super();
- initSuccess = addAuditResources();
+ initSuccess = addAuditResources(serviceName);
}
public boolean isInitSuccess() { return initSuccess; }
- private boolean addAuditResources() {
+ private boolean addAuditResources(String serviceName) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> addAuditResources()");
}
- String defaultCfg = "ranger-standalone-audit.xml";
+ String defaultCfg = "ranger-" + serviceName + "-audit.xml";
boolean ret = true;
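Review bot: The new `RangerAuditConfig(String serviceName)` constructor feeds its argument straight into `String defaultCfg = "ranger-" + serviceName + "-audit.xml";` without checking it, so a null or empty argument silently produces a resource name such as `ranger-null-audit.xml` that will never be found, and the audit configuration is skipped with no indication of why. Since the no-arg constructor already documents the intended default, the delegating constructor could normalise once, e.g. `this(serviceName == null || serviceName.isEmpty() ? "standalone" : serviceName)`, or reject the value with an IllegalArgumentException. The debug line `LOG.debug("==> addAuditResources()")` also no longer tells the reader which service's file is being loaded; including serviceName in it helps when the wrong override is picked up. addAuditResources continues past the end of this hunk.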
diff --git
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index 78e8533..0e097e0 100644
---
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -19,19 +19,128 @@
package org.apache.ranger.authorization.hadoop.config;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.log4j.Logger;
+import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import java.io.File;
import java.net.URL;
+
public class RangerPluginConfig extends RangerConfiguration {
private static final Logger LOG =
Logger.getLogger(RangerPluginConfig.class);
- public RangerPluginConfig(String serviceType) {
+ private static final char RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR
= ',';
+
+ private final String serviceType;
+ private final String serviceName;
+ private final String appId;
+ private final String clusterName;
+ private final String clusterType;
+ private final RangerPolicyEngineOptions policyEngineOptions;
+ private final boolean useForwardedIPAddress;
+ private final String[] trustedProxyAddresses;
+ private final String propertyPrefix;
+
+
+ public RangerPluginConfig(String serviceType, String serviceName, String
appId, String clusterName, String clusterType, RangerPolicyEngineOptions
policyEngineOptions) {
super();
addResourcesForServiceType(serviceType);
+
+ this.serviceType = serviceType;
+ this.appId = StringUtils.isEmpty(appId) ? appId : serviceType;
+ this.propertyPrefix = "ranger.plugin." + serviceType;
+ this.serviceName = StringUtils.isEmpty(serviceName) ?
this.get(propertyPrefix + ".service.name") : serviceName;
+
+ addResourcesForServiceName(this.serviceType, this.serviceName);
+
+ String trustedProxyAddressString = this.get(propertyPrefix +
".trusted.proxy.ipaddresses");
+
+ if (StringUtil.isEmpty(clusterName)) {
+ clusterName = this.get(propertyPrefix + ".access.cluster.name",
"");
+
+ if (StringUtil.isEmpty(clusterName)) {
+ clusterName = this.get(propertyPrefix +
".ambari.cluster.name", "");
+ }
+ }
+
+ if (StringUtil.isEmpty(clusterType)) {
+ clusterType = this.get(propertyPrefix + ".access.cluster.type",
"");
+
+ if (StringUtil.isEmpty(clusterType)) {
+ clusterType = this.get(propertyPrefix +
".ambari.cluster.type", "");
+ }
+ }
+
+ this.clusterName = clusterName;
+ this.clusterType = clusterType;
+ this.useForwardedIPAddress = this.getBoolean(propertyPrefix +
".use.x-forwarded-for.ipaddress", false);
+ this.trustedProxyAddresses =
StringUtils.split(trustedProxyAddressString,
RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR);
+
+ if (trustedProxyAddresses != null) {
+ for (int i = 0; i < trustedProxyAddresses.length; i++) {
+ trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(propertyPrefix + ".use.x-forwarded-for.ipaddress:" +
useForwardedIPAddress);
+ LOG.debug(propertyPrefix + ".trusted.proxy.ipaddresses:[" +
StringUtils.join(trustedProxyAddresses, ", ") + "]");
+ }
+
+ if (useForwardedIPAddress &&
StringUtils.isBlank(trustedProxyAddressString)) {
+ LOG.warn("Property " + propertyPrefix +
".use.x-forwarded-for.ipaddress" + " is set to true, and Property " +
propertyPrefix + ".trusted.proxy.ipaddresses" + " is not set");
+ LOG.warn("Ranger plugin will trust RemoteIPAddress and treat first
X-Forwarded-Address in the access-request as the clientIPAddress");
+ }
+
+ if (policyEngineOptions == null) {
+ policyEngineOptions = new RangerPolicyEngineOptions();
+
+ policyEngineOptions.configureForPlugin(this, propertyPrefix);
+ }
+
+ this.policyEngineOptions = policyEngineOptions;
+
+ LOG.info(policyEngineOptions);
+ }
+
+ public String getServiceType() {
+ return serviceType;
+ }
+
+ public String getAppId() {
+ return appId;
+ }
+
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ public String getClusterName() {
+ return clusterName;
+ }
+
+ public String getClusterType() {
+ return clusterType;
+ }
+
+ public boolean isUseForwardedIPAddress() {
+ return useForwardedIPAddress;
+ }
+
+ public String[] getTrustedProxyAddresses() {
+ return trustedProxyAddresses;
+ }
+
+ public String getPropertyPrefix() {
+ return propertyPrefix;
+ }
+
+ public RangerPolicyEngineOptions getPolicyEngineOptions() {
+ return policyEngineOptions;
}
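Review bot: The ternary `this.appId = StringUtils.isEmpty(appId) ? appId : serviceType;` has its branches swapped: an empty appId is kept as-is and a non-empty one is replaced by serviceType, so the appId that RangerAdminTagRetriever passes later in this commit never reaches the config. It should read `this.appId = StringUtils.isEmpty(appId) ? serviceType : appId;`. Separately, `getTrustedProxyAddresses()` returns the internal array, and because that list decides which X-Forwarded-For hops the plugin trusts, any caller holding the reference can change it after construction; returning `trustedProxyAddresses == null ? null : trustedProxyAddresses.clone()` keeps the config effectively immutable. The constructor also alternates between `StringUtil.isEmpty` and `StringUtils.isEmpty` for the same kind of check, which is worth unifying.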
@@ -53,6 +162,19 @@ public class RangerPluginConfig extends RangerConfiguration
{
}
}
+ // load service specific config overrides, if config files are available
+ private void addResourcesForServiceName(String serviceType, String
serviceName) {
+ if (StringUtils.isNotBlank(serviceType) &&
StringUtils.isNotBlank(serviceName)) {
+ String serviceAuditCfg = "ranger-" + serviceType + "-" +
serviceName + "-audit.xml";
+ String serviceSecurityCfg = "ranger-" + serviceType + "-" +
serviceName + "-security.xml";
+ String serviceSslCfg = "ranger-" + serviceType + "-" +
serviceName + "-policymgr-ssl.xml";
+
+ addResourceIfReadable(serviceAuditCfg);
+ addResourceIfReadable(serviceSecurityCfg);
+ addResourceIfReadable(serviceSslCfg);
+ }
+ }
+
private void addSecurityResource(String serviceType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> addSecurityResource(Service Type: " + serviceType );
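Review bot: `addResourcesForServiceName` is documented only by the one-line comment above it, although it is the hook an operator needs to know about to supply per-service overrides. A Javadoc stating that it looks for `ranger-<serviceType>-<serviceName>-audit.xml`, `-security.xml` and `-policymgr-ssl.xml` in that order, that it is a no-op when either name is blank, and that a missing or unreadable file is presumably skipped rather than reported (addResourceIfReadable's body is not in this hunk, so that last point should be confirmed against it) would make the override mechanism discoverable without reading the constructor.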
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
index f6e8328..99d97cc 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
@@ -43,10 +43,10 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
private static final Log LOG =
LogFactory.getLog(RangerAbstractContextEnricher.class);
protected RangerContextEnricherDef enricherDef;
- protected String serviceName;
- protected String appId;
- protected RangerServiceDef serviceDef;
- private RangerPluginContext pluginContext;
+ protected String serviceName;
+ protected String appId;
+ protected RangerServiceDef serviceDef;
+ private RangerPluginContext pluginContext;
@Override
public void setEnricherDef(RangerContextEnricherDef enricherDef) {
@@ -166,6 +166,8 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
}
public RangerAuthContext getAuthContext() {
+ RangerPluginContext pluginContext = this.pluginContext;
+
return pluginContext != null ? pluginContext.getAuthContext() :
null;
}
@@ -173,9 +175,16 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
this.pluginContext = pluginContext;
}
- public String getConfig(String configName, String defaultValue) {
- String ret = defaultValue;
+ public void notifyAuthContextChanged() {
+ RangerPluginContext pluginContext = this.pluginContext;
+
+ if (pluginContext != null) {
+ pluginContext.notifyAuthContextChanged();
+ }
+ }
+ public String getConfig(String configName, String defaultValue) {
+ String ret = defaultValue;
Configuration config = pluginContext != null ?
pluginContext.getConfig() : null;
if (config != null) {
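Review bot: `notifyAuthContextChanged()` and `getAuthContext()` in the previous hunk copy `this.pluginContext` into a local before testing and using it, which only guards against a concurrent `setPluginContext` call if that field is published safely; as declared at the top of this file (`private RangerPluginContext pluginContext;`) it is not `volatile`, so another thread may still observe a stale or null reference. If concurrent reconfiguration is the intent, declare it `private volatile RangerPluginContext pluginContext;`; if it is not, the snapshot is unnecessary, and `getConfig` directly below, which reads the field inline, shows the simpler form. The same snapshot-of-a-non-volatile-field pattern appears in `RangerPluginContext.notifyAuthContextChanged()` later in this commit with `authContextListener`.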
@@ -186,8 +195,7 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
}
public int getIntConfig(String configName, int defaultValue) {
- int ret = defaultValue;
-
+ int ret = defaultValue;
Configuration config = pluginContext != null ?
pluginContext.getConfig() : null;
if (config != null) {
@@ -198,8 +206,7 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
}
public boolean getBooleanConfig(String configName, boolean
defaultValue) {
- boolean ret = defaultValue;
-
+ boolean ret = defaultValue;
Configuration config = pluginContext != null ?
pluginContext.getConfig() : null;
if (config != null) {
@@ -243,8 +250,8 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
}
public long getLongOption(String name, long defaultValue) {
- long ret = defaultValue;
- String val = getOption(name);
+ long ret = defaultValue;
+ String val = getOption(name);
if(val != null) {
ret = Long.parseLong(val);
@@ -255,15 +262,13 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
public Properties readProperties(String fileName) {
Properties ret = null;
-
InputStream inStr = null;
URL fileURL = null;
-
- File f = new File(fileName);
+ File f = new File(fileName);
if (f.exists() && f.isFile() && f.canRead()) {
try {
- inStr = new FileInputStream(f);
+ inStr = new FileInputStream(f);
fileURL = f.toURI().toURL();
} catch (FileNotFoundException exception) {
LOG.error("Error processing input file:" +
fileName + " or no privilege for reading file " + fileName, exception);
@@ -279,6 +284,7 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
if (fileURL == null) {
fileURL =
ClassLoader.getSystemClassLoader().getResource(fileName);
+
if (fileURL == null &&
!fileName.startsWith("/")) {
fileURL =
ClassLoader.getSystemClassLoader().getResource("/" + fileName);
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
index 632a573..e4b19c3 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
@@ -39,12 +39,9 @@ public class RangerAdminTagRetriever extends
RangerTagRetriever {
public void init(Map<String, String> options) {
if (StringUtils.isNotBlank(serviceName) && serviceDef != null
&& StringUtils.isNotBlank(appId)) {
- String propertyPrefix = "ranger.plugin." +
serviceDef.getName();
-
- RangerPluginConfig config = new
RangerPluginConfig(serviceDef.getName());
-
- adminClient =
RangerBasePlugin.createAdminClient(serviceName, appId, propertyPrefix, config);
+ RangerPluginConfig config = new
RangerPluginConfig(serviceDef.getName(), serviceName, appId, null, null, null);
+ adminClient =
RangerBasePlugin.createAdminClient(config);
} else {
LOG.error("FATAL: Cannot find service/serviceDef to use
for retrieving tags. Will NOT be able to retrieve tags.");
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 95a0bed..7e03690 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -40,7 +40,6 @@ import
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatche
import org.apache.ranger.plugin.util.DownloadTrigger;
import org.apache.ranger.plugin.util.DownloaderTask;
import org.apache.ranger.plugin.service.RangerAuthContext;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerServiceNotFoundException;
@@ -582,14 +581,11 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
}
RangerAuthContext authContext = getAuthContext();
+
if (authContext != null) {
authContext.addOrReplaceRequestContextEnricher(this,
enrichedServiceTags);
- Map<String, RangerBasePlugin> servicePluginMap =
RangerBasePlugin.getServicePluginMap();
- RangerBasePlugin plugin = servicePluginMap != null ?
servicePluginMap.get(getServiceName()) : null;
- if (plugin != null) {
- plugin.contextChanged();
- }
+ notifyAuthContextChanged();
}
if (LOG.isDebugEnabled()) {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index a41d2c8..a75a6c6 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -83,7 +83,7 @@ public class PolicyEngine {
public long getRoleVersion() { return
this.pluginContext.getAuthContext().getRoleVersion(); }
- public void setRangerRoles(RangerRoles rangerRoles) {
this.pluginContext.getAuthContext().setRangerRoles(rangerRoles); }
+ public void setRoles(RangerRoles roles) {
this.pluginContext.getAuthContext().setRoles(roles); }
public String getServiceName() {
return policyRepository.getServiceName();
@@ -183,15 +183,15 @@ public class PolicyEngine {
return ret;
}
- public PolicyEngine(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext pluginContext,
RangerRoles roles) {
+ public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext
pluginContext, RangerRoles roles) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> PolicyEngine(" + appId + ", " + servicePolicies +
", " + options + ", " + pluginContext + ")");
+ LOG.debug("==> PolicyEngine(" + ", " + servicePolicies + ", " +
pluginContext + ")");
}
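Review bot: The rewritten debug statement `LOG.debug("==> PolicyEngine(" + ", " + servicePolicies + ", " + pluginContext + ")");` kept the separator that used to follow appId, so it now logs `==> PolicyEngine(, ...` with a stray leading comma. It should be `LOG.debug("==> PolicyEngine(" + servicePolicies + ", " + pluginContext + ")");`. The constructor body continues in the next hunk.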
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG,
"RangerPolicyEngine.init(appId=" + appId + ",hashCode=" +
Integer.toHexString(System.identityHashCode(this)) + ")");
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG,
"RangerPolicyEngine.init(hashCode=" +
Integer.toHexString(System.identityHashCode(this)) + ")");
long freeMemory = Runtime.getRuntime().freeMemory();
long totalMemory = Runtime.getRuntime().totalMemory();
@@ -199,19 +199,17 @@ public class PolicyEngine {
PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory
- freeMemory) + ", Free memory:" + freeMemory);
}
- if (options == null) {
- options = new RangerPolicyEngineOptions();
- }
-
this.pluginContext = pluginContext;
this.pluginContext.setAuthContext(new RangerAuthContext(null, roles));
+ RangerPolicyEngineOptions options =
pluginContext.getConfig().getPolicyEngineOptions();
+
if(StringUtils.isBlank(options.evaluatorType) ||
StringUtils.equalsIgnoreCase(options.evaluatorType,
RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
options.evaluatorType =
RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
}
- policyRepository = new RangerPolicyRepository(appId, servicePolicies,
options, this.pluginContext);
+ policyRepository = new RangerPolicyRepository(servicePolicies,
this.pluginContext);
ServicePolicies.TagPolicies tagPolicies =
servicePolicies.getTagPolicies();
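Review bot: The assignment `options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;` now writes into the RangerPolicyEngineOptions instance owned by the plugin config, where the removed code mutated a freshly created or caller-supplied object, and the RangerPolicyRepository constructors later in this commit copy their options from that same config, so they see the resolved evaluator type only because of this side effect. That coupling deserves a comment such as `// resolves AUTO in the config-owned options; RangerPolicyRepository re-reads them from the config and relies on this`, or the resolution could move into RangerPluginConfig's constructor next to `configureForPlugin` so the options are not modified after construction. The `options == null` fallback was dropped, which is fine for configs built by RangerPluginConfig, but a RangerPluginContext created with a null config would now fail at `pluginContext.getConfig().getPolicyEngineOptions()` with a bare NullPointerException rather than a clear message.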
@@ -224,7 +222,7 @@ public class PolicyEngine {
LOG.debug("PolicyEngine : Building tag-policy-repository for
tag-service " + tagPolicies.getServiceName());
}
- tagPolicyRepository = new RangerPolicyRepository(appId,
tagPolicies, options, this.pluginContext, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
+ tagPolicyRepository = new RangerPolicyRepository(tagPolicies,
this.pluginContext, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyEngine : No tag-policy-repository for service
" + servicePolicies.getServiceName());
@@ -253,7 +251,7 @@ public class PolicyEngine {
buildZoneTrie(servicePolicies);
for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone :
servicePolicies.getSecurityZones().entrySet()) {
- RangerPolicyRepository policyRepository = new
RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext,
zone.getKey());
+ RangerPolicyRepository policyRepository = new
RangerPolicyRepository(servicePolicies, this.pluginContext, zone.getKey());
zonePolicyRepositories.put(zone.getKey(), policyRepository);
}
@@ -637,7 +635,7 @@ public class PolicyEngine {
servicePolicies.getSecurityZones().get(zoneName).setPolicies(policies);
- policyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies,
other.policyRepository.getOptions(), this.pluginContext, zoneName);
+ policyRepository = new
RangerPolicyRepository(servicePolicies, this.pluginContext, zoneName);
} else {
policyRepository = new
RangerPolicyRepository(otherRepository, zoneDeltas, policyVersion);
}
@@ -680,7 +678,7 @@ public class PolicyEngine {
servicePolicies.getTagPolicies().setPolicies(tagPolicies);
- this.tagPolicyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(),
servicePolicies.getTagPolicies(), other.policyRepository.getOptions(),
this.pluginContext, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
+ this.tagPolicyRepository = new
RangerPolicyRepository(servicePolicies.getTagPolicies(), this.pluginContext,
servicePolicies.getServiceDef(), servicePolicies.getServiceName());
} else {
this.tagPolicyRepository = new
RangerPolicyRepository(other.tagPolicyRepository,
defaultZoneDeltasForTagPolicies, policyVersion);
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
index 31a07c5..a8e7600 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -19,87 +19,42 @@
package org.apache.ranger.plugin.policyengine;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.service.RangerAuthContext;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.apache.ranger.plugin.service.RangerAuthContextListener;
public class RangerPluginContext {
- private static final Log LOG =
LogFactory.getLog(RangerBasePlugin.class);
+ private final RangerPluginConfig config;
+ private RangerAuthContext authContext;
+ private RangerAuthContextListener authContextListener;
- private final RangerPluginConfig config;
- private final String clusterName;
- private final String clusterType;
- private RangerAuthContext authContext;
- public RangerPluginContext(String serviceType) {
- this(serviceType, new RangerPluginConfig(serviceType));
- }
-
- public RangerPluginContext(String serviceType, String clusterName,
String clusterType) {
- this.config = new RangerPluginConfig(serviceType);
- this.clusterName = clusterName;
- this.clusterType = clusterType;
- }
-
- public RangerPluginContext(String serviceType, RangerPluginConfig
config) {
- this.config = config;
- this.clusterName = findClusterName(config, serviceType);
- this.clusterType = findClusterType(config, serviceType);
+ public RangerPluginContext(RangerPluginConfig config) {
+ this.config = config;
}
public RangerPluginConfig getConfig() { return config; }
public String getClusterName() {
- return clusterName;
+ return config.getClusterName();
}
public String getClusterType() {
- return clusterType;
+ return config.getClusterType();
}
public RangerAuthContext getAuthContext() { return authContext; }
public void setAuthContext(RangerAuthContext authContext) {
this.authContext = authContext; }
- private static String findClusterName(RangerPluginConfig config, String
serviceType) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerPluginContext.findClusterName(serviceType=" + serviceType + ")");
- }
+ public void setAuthContextListener(RangerAuthContextListener
authContextListener) { this.authContextListener = authContextListener; }
- String propertyPrefix = "ranger.plugin." + serviceType;
- String clusterName = config.get(propertyPrefix +
".access.cluster.name", "");
+ public void notifyAuthContextChanged() {
+ RangerAuthContextListener authContextListener =
this.authContextListener;
- if (StringUtil.isEmpty(clusterName)){
- clusterName = config.get(propertyPrefix +
".ambari.cluster.name", "");
+ if (authContextListener != null) {
+ authContextListener.contextChanged();
}
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerPluginContext.findClusterName(serviceType=" + serviceType + "): ret=" +
clusterName);
- }
-
- return clusterName;
- }
-
- private static String findClusterType(RangerPluginConfig config, String
serviceType) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerPluginContext.findClusterType(serviceType=" + serviceType + ")");
- }
-
- String propertyPrefix = "ranger.plugin." + serviceType;
- String clusterType = config.get(propertyPrefix +
".access.cluster.type", "");
-
- if (StringUtil.isEmpty(clusterType)){
- clusterType = config.get(propertyPrefix +
".ambari.cluster.type", "");
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerPluginContext.findClusterType(serviceType=" + serviceType + "): ret=" +
clusterType);
- }
-
- return clusterType;
}
}
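Review bot: `RangerPluginContext(RangerPluginConfig config)` stores its argument unchecked, while `getClusterName()` and `getClusterType()` here, and PolicyEngine and RangerPolicyRepository elsewhere in this commit, dereference `getConfig()` unconditionally, so a null config now surfaces as a NullPointerException far from where it was introduced. `this.config = Objects.requireNonNull(config, "config");` would fail at the point of misuse (java.util.Objects would need importing). The class also gained a mutable `authContextListener` that `notifyAuthContextChanged()` snapshots before use; a one-line class comment stating whether the listener and auth context may be replaced from other threads would settle whether those fields need to be `volatile`.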
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 2ea5ecf..50313bc 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -51,7 +51,7 @@ public interface RangerPolicyEngine {
long getRoleVersion();
- void setRangerRoles(RangerRoles rangerRoles);
+ void setRoles(RangerRoles roles);
RangerAccessResult evaluatePolicies(RangerAccessRequest request, int
policyType, RangerAccessResultProcessor resultProcessor);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index dff54ac..a55c62f 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -73,10 +73,10 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
return ret;
}
- public RangerPolicyEngineImpl(String appId, ServicePolicies
servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext
pluginContext, RangerRoles roles) {
- policyEngine = new PolicyEngine(appId, servicePolicies,
options, pluginContext, roles);
+ public RangerPolicyEngineImpl(ServicePolicies servicePolicies,
RangerPluginContext pluginContext, RangerRoles roles) {
+ policyEngine = new PolicyEngine(servicePolicies, pluginContext,
roles);
-
policyEngine.getPluginContext().getAuthContext().setRangerRoles(roles);
+
policyEngine.getPluginContext().getAuthContext().setRoles(roles);
requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
}
@@ -485,8 +485,8 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
public long getRoleVersion() { return policyEngine.getRoleVersion(); }
@Override
- public void setRangerRoles(RangerRoles rangerRoles) {
- policyEngine.setRangerRoles(rangerRoles);
+ public void setRoles(RangerRoles roles) {
+ policyEngine.setRoles(roles);
}
@Override
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index d2d1722..197c30f 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -62,44 +62,28 @@ public class RangerPolicyRepository {
AUDIT_ALL, AUDIT_NONE, AUDIT_DEFAULT
}
- static private final class AuditInfo {
- final boolean isAudited;
- final long auditPolicyId;
-
- AuditInfo(boolean isAudited, long auditPolicyId) {
- this.isAudited = isAudited;
- this.auditPolicyId = auditPolicyId;
- }
- long getAuditPolicyId() {
- return this.auditPolicyId;
- }
- boolean getIsAudited() {
- return isAudited;
- }
- }
-
- private final String serviceName;
- private final String zoneName;
- private final String appId;
- private final RangerPolicyEngineOptions options;
- private final RangerPluginContext pluginContext;
- private final RangerServiceDef serviceDef;
- private final List<RangerPolicy> policies;
- private final long policyVersion;
- private final List<RangerContextEnricher> contextEnrichers;
- private final AuditModeEnum auditModeEnum;
- private final Map<String, AuditInfo> accessAuditCache;
- private final String componentServiceName;
- private final RangerServiceDef componentServiceDef;
- private final Map<String, RangerResourceTrie> policyResourceTrie;
- private final Map<String, RangerResourceTrie> dataMaskResourceTrie;
- private final Map<String, RangerResourceTrie> rowFilterResourceTrie;
+ private final String serviceName;
+ private final String zoneName;
+ private final String appId;
+ private final RangerPolicyEngineOptions options;
+ private final RangerPluginContext pluginContext;
+ private final RangerServiceDef serviceDef;
+ private final List<RangerPolicy> policies;
+ private final long policyVersion;
+ private final List<RangerContextEnricher> contextEnrichers;
+ private final AuditModeEnum auditModeEnum;
+ private final Map<String, AuditInfo> accessAuditCache;
+ private final String componentServiceName;
+ private final RangerServiceDef componentServiceDef;
+ private final Map<String, RangerResourceTrie> policyResourceTrie;
+ private final Map<String, RangerResourceTrie> dataMaskResourceTrie;
+ private final Map<String, RangerResourceTrie> rowFilterResourceTrie;
private List<RangerPolicyEvaluator> policyEvaluators;
private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators;
private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators;
private Map<Long, RangerPolicyEvaluator> policyEvaluatorsMap;
private boolean isContextEnrichersShared =
false;
- private boolean isPreCleaned = false;
+ private boolean isPreCleaned =
false;
RangerPolicyRepository(final RangerPolicyRepository other, final
List<RangerPolicyDelta> deltas, long policyVersion) {
this.serviceName = other.serviceName;
@@ -265,21 +249,19 @@ public class RangerPolicyRepository {
this.policyVersion = policyVersion;
}
- RangerPolicyRepository(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext pluginContext) {
- this(appId, servicePolicies, options, pluginContext, null);
+ RangerPolicyRepository(ServicePolicies servicePolicies,
RangerPluginContext pluginContext) {
+ this(servicePolicies, pluginContext, null);
}
- RangerPolicyRepository(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext pluginContext, String
zoneName) {
+ RangerPolicyRepository(ServicePolicies servicePolicies,
RangerPluginContext pluginContext, String zoneName) {
super();
this.componentServiceName = this.serviceName =
servicePolicies.getServiceName();
- this.componentServiceDef = this.serviceDef =
ServiceDefUtil.normalize(servicePolicies.getServiceDef());
-
- this.zoneName = zoneName;
-
- this.appId = appId;
- this.options = new RangerPolicyEngineOptions(options);
- this.pluginContext = pluginContext;
+ this.componentServiceDef = this.serviceDef =
ServiceDefUtil.normalize(servicePolicies.getServiceDef());
+ this.zoneName = zoneName;
+ this.appId = pluginContext.getConfig().getAppId();
+ this.options = new
RangerPolicyEngineOptions(pluginContext.getConfig().getPolicyEngineOptions());
+ this.pluginContext = pluginContext;
if (StringUtils.isEmpty(zoneName)) {
this.policies =
Collections.unmodifiableList(servicePolicies.getPolicies());
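Review bot: Both this constructor and the tag-policies constructor in the next hunk call `pluginContext.getConfig()` twice in a row and only then store `pluginContext`; reading it once into a local, `RangerPluginConfig config = pluginContext.getConfig();`, and deriving appId and options from that local reads more clearly and gives a single place to fail if the config is absent. Note that the tag-policies constructor now copies the options (`new RangerPolicyEngineOptions(...)`) where it previously stored the shared reference, so later edits to the config-owned options no longer reach a tag repository; if that divergence from the zone constructor's long-standing behaviour is intended, a short comment would save the next reader from re-deriving it.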
@@ -336,24 +318,20 @@ public class RangerPolicyRepository {
}
}
- RangerPolicyRepository(String appId, ServicePolicies.TagPolicies
tagPolicies, RangerPolicyEngineOptions options, RangerPluginContext
pluginContext,
+ RangerPolicyRepository(ServicePolicies.TagPolicies tagPolicies,
RangerPluginContext pluginContext,
RangerServiceDef componentServiceDef, String
componentServiceName) {
super();
- this.serviceName = tagPolicies.getServiceName();
+ this.serviceName = tagPolicies.getServiceName();
this.componentServiceName = componentServiceName;
-
- this.zoneName = null;
-
- this.serviceDef =
ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagPolicies.getServiceDef()),
componentServiceDef.getName());
- this.componentServiceDef = componentServiceDef;
-
- this.appId = appId;
- this.options = options;
- this.pluginContext = pluginContext;
-
- this.policies =
Collections.unmodifiableList(normalizeAndPrunePolicies(tagPolicies.getPolicies(),
componentServiceDef.getName()));
- this.policyVersion = tagPolicies.getPolicyVersion() != null ?
tagPolicies.getPolicyVersion() : -1;
+ this.zoneName = null;
+ this.serviceDef =
ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagPolicies.getServiceDef()),
componentServiceDef.getName());
+ this.componentServiceDef = componentServiceDef;
+ this.appId = pluginContext.getConfig().getAppId();
+ this.options = new
RangerPolicyEngineOptions(pluginContext.getConfig().getPolicyEngineOptions());
+ this.pluginContext = pluginContext;
+ this.policies =
Collections.unmodifiableList(normalizeAndPrunePolicies(tagPolicies.getPolicies(),
componentServiceDef.getName()));
+ this.policyVersion = tagPolicies.getPolicyVersion() != null ?
tagPolicies.getPolicyVersion() : -1;
String auditMode = tagPolicies.getAuditMode();
@@ -1421,4 +1399,19 @@ public class RangerPolicyRepository {
return ret;
}
+ static private final class AuditInfo {
+ final boolean isAudited;
+ final long auditPolicyId;
+
+ AuditInfo(boolean isAudited, long auditPolicyId) {
+ this.isAudited = isAudited;
+ this.auditPolicyId = auditPolicyId;
+ }
+ long getAuditPolicyId() {
+ return this.auditPolicyId;
+ }
+ boolean getIsAudited() {
+ return isAudited;
+ }
+ }
}
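Review bot: `AuditInfo` is declared `static private final`, while the JLS-recommended (and Checkstyle-enforced) modifier order is `private static final`, and the accessor `getIsAudited()` reads oddly against the `isAudited` field it wraps. Suggest `private static final class AuditInfo` with a one-line comment such as `// Outcome of audit-policy evaluation for one request: whether to audit, and the id of the policy that decided it`, and either renaming the accessor to `isAudited()` or dropping both accessors, since the fields are already package-visible finals. Nothing in the hunks visible here uses the class yet, so the rename is free.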
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index eed6432..81b1971 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -23,13 +23,10 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.RangerRolesUtil;
-import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -37,16 +34,13 @@ import java.util.concurrent.ConcurrentHashMap;
public class RangerAuthContext {
private final Map<RangerContextEnricher, Object> requestContextEnrichers;
- private RangerRolesUtil rangerRolesUtil;
+ private RangerRolesUtil rolesUtil;
- public RangerAuthContext(Map<RangerContextEnricher, Object>
requestContextEnrichers) {
- this.requestContextEnrichers = requestContextEnrichers != null ?
requestContextEnrichers : new ConcurrentHashMap<>();
- }
public RangerAuthContext(Map<RangerContextEnricher, Object>
requestContextEnrichers, RangerRoles roles) {
this.requestContextEnrichers = requestContextEnrichers != null ?
requestContextEnrichers : new ConcurrentHashMap<>();
- setRangerRoles(roles);
+ setRoles(roles);
}
public Map<RangerContextEnricher, Object> getRequestContextEnrichers() {
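Review bot: The single-argument constructor `RangerAuthContext(Map<RangerContextEnricher, Object>)` was public and is removed here without a deprecation cycle, so any plugin or test outside this repository that builds an auth context breaks at link time. If that is not intended, keep it as a one-line delegating overload, `public RangerAuthContext(Map<RangerContextEnricher, Object> requestContextEnrichers) { this(requestContextEnrichers, null); }`; `setRoles` already handles a null `roles` argument, so the overload needs nothing else.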
@@ -63,14 +57,14 @@ public class RangerAuthContext {
requestContextEnrichers.remove(enricher);
}
- public void setRangerRoles(RangerRoles rangerRoles) {
- this.rangerRolesUtil = rangerRoles != null ? new
RangerRolesUtil(rangerRoles) : new RangerRolesUtil(null);
+ public void setRoles(RangerRoles roles) {
+ this.rolesUtil = roles != null ? new RangerRolesUtil(roles) : new
RangerRolesUtil(null);
}
public Set<String> getRolesForUserAndGroups(String user, Set<String>
groups) {
- RangerRolesUtil rangerRolesUtil = this.rangerRolesUtil;
- Map<String, Set<String>> userRoleMapping =
rangerRolesUtil.getUserRoleMapping();
- Map<String, Set<String>> groupRoleMapping =
rangerRolesUtil.getGroupRoleMapping();
+ RangerRolesUtil rolesUtil = this.rolesUtil;
+ Map<String, Set<String>> userRoleMapping =
rolesUtil.getUserRoleMapping();
+ Map<String, Set<String>> groupRoleMapping =
rolesUtil.getGroupRoleMapping();
Set<String> allRoles = new HashSet<>();
if (MapUtils.isNotEmpty(userRoleMapping) &&
StringUtils.isNotEmpty(user)) {
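Review bot: `rolesUtil` is written by `setRoles` and read through a local snapshot in `getRolesForUserAndGroups`, the idiom for a field that another thread replaces, yet it is declared plain `private RangerRolesUtil rolesUtil` with no `volatile` or synchronization visible in this file; without one, an access-check thread may keep resolving roles from a stale mapping after a role has been revoked. Declare it `private volatile RangerRolesUtil rolesUtil;` unless publication is guarded elsewhere. Separately, both arms of the conditional in `setRoles` construct a `RangerRolesUtil`, so it reduces to `this.rolesUtil = new RangerRolesUtil(roles);` — the else-arm already assumes the constructor tolerates null. The body of `getRolesForUserAndGroups` continues past the end of the hunk.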
@@ -102,19 +96,5 @@ public class RangerAuthContext {
return allRoles;
}
- public long getRoleVersion() { return
this.rangerRolesUtil.getRoleVersion(); }
-
- // For backward compatibility
- public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
- // Invoke getResourceACLs on the first service in this plugin
- Collection<RangerBasePlugin> plugins =
RangerBasePlugin.getServicePluginMap().values();
-
- if (plugins.size() > 0) {
- RangerBasePlugin[] array = plugins.toArray(new
RangerBasePlugin[0]);
-
- return array[0].getResourceACLs(request);
- } else {
- return null;
- }
- }
+ public long getRoleVersion() { return this.rolesUtil.getRoleVersion(); }
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 186cf19..70670c3 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -20,15 +20,11 @@
package org.apache.ranger.plugin.service;
import java.util.*;
-import java.util.concurrent.BlockingQueue;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.LinkedBlockingQueue;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.audit.provider.AuditHandler;
@@ -51,7 +47,6 @@ import
org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -61,98 +56,51 @@ import org.apache.ranger.plugin.util.*;
public class RangerBasePlugin {
private static final Log LOG =
LogFactory.getLog(RangerBasePlugin.class);
- public static final char
RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR = ',';
-
- private static Map<String, RangerBasePlugin> servicePluginMap = new
ConcurrentHashMap<>();
-
- private final String serviceType;
- private final String appId;
- private final RangerPluginConfig config;
- private final RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
- private final BlockingQueue<DownloadTrigger> policyDownloadQueue = new
LinkedBlockingQueue<>();
- private final DownloadTrigger accessTrigger = new
DownloadTrigger();
- private final Map<String, LogHistory> logHistoryList = new
Hashtable<String, RangerBasePlugin.LogHistory>();
- private final int logInterval =
30000; // 30 seconds
- private String serviceName;
- private String clusterName;
- private PolicyRefresher refresher;
- private RangerPolicyEngine policyEngine;
- private RangerPluginContext rangerPluginContext;
- private RangerAuthContext currentAuthContext;
- private RangerAccessResultProcessor resultProcessor;
- private boolean useForwardedIPAddress;
- private String[] trustedProxyAddresses;
- private Timer policyDownloadTimer;
- private Timer policyEngineRefreshTimer;
- private RangerAuthContextListener authContextListener;
- private AuditProviderFactory auditProviderFactory;
- private RangerRoles rangerRoles;
-
- public static Map<String, RangerBasePlugin> getServicePluginMap() {
- return servicePluginMap;
- }
-
- public static AuditHandler getAuditProvider(String serviceName) {
- AuditHandler ret = null;
-
- boolean useStandaloneAuditProvider = false;
- if (StringUtils.isNotEmpty(serviceName)) {
- RangerBasePlugin plugin =
RangerBasePlugin.getServicePluginMap().get(serviceName);
- if (plugin != null) {
- if (plugin.getAuditProviderFactory() != null) {
- ret =
plugin.getAuditProviderFactory().getAuditProvider();
- } else {
- LOG.error("NULL AuditProviderFactory
for serviceName:[" + serviceName + "]");
- }
- } else {
- useStandaloneAuditProvider = true;
- }
- } else {
- useStandaloneAuditProvider = true;
- }
+ private final RangerPluginConfig pluginConfig;
+ private final RangerPluginContext pluginContext;
+ private final Map<String, LogHistory> logHistoryList = new
Hashtable<>();
+ private final int logInterval = 30000; // 30
seconds
+ private final DownloadTrigger accessTrigger = new
DownloadTrigger();
+ private PolicyRefresher refresher;
+ private RangerPolicyEngine policyEngine;
+ private RangerAuthContext currentAuthContext;
+ private RangerAccessResultProcessor resultProcessor;
+ private RangerRoles roles;
- if (useStandaloneAuditProvider) {
- StandAloneAuditProviderFactory factory =
StandAloneAuditProviderFactory.getInstance();
- if (factory.isInitDone()) {
- ret = factory.getAuditProvider();
- } else {
- RangerAuditConfig conf = new
RangerAuditConfig();
+ public RangerBasePlugin(String serviceType, String appId) {
+ this(new RangerPluginConfig(serviceType, null, appId, null,
null, null));
+ }
- if (conf.isInitSuccess()) {
- factory.init(conf.getProperties(),
"StandAlone");
+ public RangerBasePlugin(RangerPluginConfig pluginConfig) {
+ this.pluginConfig = pluginConfig;
+ this.pluginContext = new RangerPluginContext(pluginConfig);
- ret = factory.getAuditProvider();
- }
- }
- }
-
- return ret;
+ RangerScriptExecutionContext.init(pluginConfig);
}
- public RangerBasePlugin(String serviceType, String appId) {
- this.serviceType = serviceType;
- this.appId = appId;
- this.config = new RangerPluginConfig(serviceType);
+ public static AuditHandler getAuditProvider(String serviceName) {
+ AuditProviderFactory providerFactory =
RangerBasePlugin.getAuditProviderFactory(serviceName);
+ AuditHandler ret =
providerFactory.getAuditProvider();
- RangerScriptExecutionContext.init(config);
+ return ret;
}
public String getServiceType() {
- return serviceType;
+ return pluginConfig.getServiceType();
}
public String getAppId() {
- return appId;
+ return pluginConfig.getAppId();
}
public RangerPluginConfig getConfig() {
- return config;
+ return pluginConfig;
}
public String getClusterName() {
- return clusterName;
+ return pluginConfig.getClusterName();
}
public RangerAuthContext getCurrentRangerAuthContext() { return
currentAuthContext; }
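Review bot: The rewritten `getAuditProvider` calls `providerFactory.getAuditProvider()` unconditionally, but `getAuditProviderFactory` (later in this diff) returns the stand-alone factory without calling `init` when `RangerAuditConfig` fails to load, so the handler can come back null — or the factory can throw — with no log, whereas the old code logged `NULL AuditProviderFactory` on that path. Add `if (ret == null) { LOG.error("No audit handler available for service " + serviceName + "; authorization audits will not be generated"); }` before the return, since losing the audit trail should be loud. The `RangerBasePlugin(RangerPluginConfig)` constructor also hands `pluginConfig` straight to `RangerPluginContext` and `RangerScriptExecutionContext.init` without a null check; `Objects.requireNonNull(pluginConfig, "pluginConfig")` (`java.util.*` is already imported) gives a clearer failure. The two-argument constructor's `new RangerPluginConfig(serviceType, null, appId, null, null, null)` deserves a comment naming what the four null slots are, since that parameter list is outside this diff.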
@@ -160,21 +108,18 @@ public class RangerBasePlugin {
// For backward compatibility
public RangerAuthContext createRangerAuthContext() { return
currentAuthContext; }
- public void setClusterName(String clusterName) {
- this.clusterName = clusterName;
+ public RangerRoles getRoles() {
+ return this.roles;
}
- public RangerRoles getRangerRoles() {
- return this.rangerRoles;
- }
-
- public void setRangerRoles(RangerRoles rangerRoles) {
- this.rangerRoles = rangerRoles;
+ public void setRoles(RangerRoles roles) {
+ this.roles = roles;
RangerPolicyEngine policyEngine = this.policyEngine;
- policyEngine.setRangerRoles(rangerRoles);
- contextChanged();
+ policyEngine.setRoles(roles);
+
+ pluginContext.notifyAuthContextChanged();
}
public RangerServiceDef getServiceDef() {
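Review bot: `setRoles` snapshots `this.policyEngine` into a local but then calls `policyEngine.setRoles(roles)` without a null check, so a role update that arrives before the first `setPolicies` has built an engine, or after `cleanup()` has nulled the field, throws a NullPointerException out of whichever thread delivers roles (presumably the refresher). `grantAccess` and `revokeAccess` in this same diff guard the identical snapshot with `if (policyEngine != null)`; do the same here, keeping `this.roles = roles` so the roles are picked up when the engine is next built, and still call `pluginContext.notifyAuthContextChanged()`.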
@@ -190,78 +135,24 @@ public class RangerBasePlugin {
}
public String getServiceName() {
- return serviceName;
+ return pluginConfig.getServiceName();
}
- public AuditProviderFactory getAuditProviderFactory() { return
auditProviderFactory; }
+ public AuditProviderFactory getAuditProviderFactory() { return
RangerBasePlugin.getAuditProviderFactory(getServiceName()); }
public void init() {
cleanup();
- String propertyPrefix = "ranger.plugin." + serviceType;
- long pollingIntervalMs = config.getLong(propertyPrefix +
".policy.pollIntervalMs", 30 * 1000);
- String cacheDir = config.get(propertyPrefix +
".policy.cache.dir");
- serviceName = config.get(propertyPrefix + ".service.name");
- clusterName = config.get(propertyPrefix +
".access.cluster.name", "");
- if(StringUtil.isEmpty(clusterName)){
- clusterName = config.get(propertyPrefix +
".ambari.cluster.name", "");
- }
- useForwardedIPAddress = config.getBoolean(propertyPrefix +
".use.x-forwarded-for.ipaddress", false);
- String trustedProxyAddressString = config.get(propertyPrefix +
".trusted.proxy.ipaddresses");
- trustedProxyAddresses =
StringUtils.split(trustedProxyAddressString,
RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR);
- if (trustedProxyAddresses != null) {
- for (int i = 0; i < trustedProxyAddresses.length; i++) {
- trustedProxyAddresses[i] =
trustedProxyAddresses[i].trim();
- }
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug(propertyPrefix +
".use.x-forwarded-for.ipaddress:" + useForwardedIPAddress);
- LOG.debug(propertyPrefix +
".trusted.proxy.ipaddresses:[" + StringUtils.join(trustedProxyAddresses, ", ")
+ "]");
- }
-
- if (useForwardedIPAddress &&
StringUtils.isBlank(trustedProxyAddressString)) {
- LOG.warn("Property " + propertyPrefix +
".use.x-forwarded-for.ipaddress" + " is set to true, and Property "
- + propertyPrefix +
".trusted.proxy.ipaddresses" + " is not set");
- LOG.warn("Ranger plugin will trust RemoteIPAddress and
treat first X-Forwarded-Address in the access-request as the clientIPAddress");
- }
-
- if (config.getProperties() != null) {
- auditProviderFactory = new AuditProviderFactory();
- auditProviderFactory.init(config.getProperties(),
appId);
+ if (pluginConfig.getProperties() != null) {
+
AuditProviderFactory.getInstance().init(pluginConfig.getProperties(),
getAppId());
} else {
LOG.error("Audit subsystem is not initialized
correctly. Please check audit configuration. ");
LOG.error("No authorization audits will be generated.
");
- auditProviderFactory = null;
}
- rangerPluginContext = new RangerPluginContext(serviceType,
config);
-
- policyEngineOptions.configureForPlugin(config, propertyPrefix);
-
- LOG.info(policyEngineOptions);
-
- servicePluginMap.put(serviceName, this);
-
- RangerAdminClient admin = createAdminClient(serviceName, appId,
propertyPrefix, config);
-
- RangerRolesProvider rangerRolesProvider = new
RangerRolesProvider(serviceType, appId, serviceName, admin, cacheDir, config);
-
- refresher = new PolicyRefresher(this, serviceType, appId,
serviceName, admin, policyDownloadQueue, cacheDir, rangerRolesProvider);
+ refresher = new PolicyRefresher(this);
refresher.setDaemon(true);
refresher.startRefresher();
-
- policyDownloadTimer = new Timer("policyDownloadTimer", true);
-
- try {
- policyDownloadTimer.schedule(new
DownloaderTask(policyDownloadQueue), pollingIntervalMs, pollingIntervalMs);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Scheduled policyDownloadRefresher to
download policies every " + pollingIntervalMs + " milliseconds");
- }
- } catch (IllegalStateException exception) {
- LOG.error("Error scheduling policyDownloadTimer:",
exception);
- LOG.error("*** Policies will NOT be downloaded every "
+ pollingIntervalMs + " milliseconds ***");
- policyDownloadTimer = null;
- }
}
public void setPolicies(ServicePolicies policies) {
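Review bot: `init()` now initialises the process-wide `AuditProviderFactory.getInstance()` with this plugin's properties where the old code built a per-plugin factory; if two plugins with different audit settings live in one JVM (the old `servicePluginMap` keyed by service name suggests that happens), the second `init` either overwrites the first or is ignored, and `getAuditProviderFactory(serviceName)` later in this diff returns the same singleton regardless of `serviceName`. Which plugin's audit destination wins is not determined by anything visible here; either document the one-audit-config-per-JVM assumption on `init()` or guard the second call with `isInitDone()` and log which appId won. Separately, the warning that `use.x-forwarded-for.ipaddress` is enabled without `trusted.proxy.ipaddresses` is dropped from this hunk; confirm it moved into `RangerPluginConfig`, because silently trusting the first X-Forwarded-For entry makes the client IP used for audit and IP-based conditions spoofable.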
@@ -278,28 +169,35 @@ public class RangerBasePlugin {
if (policies == null) {
policies = getDefaultSvcPolicies();
+
if (policies == null) {
LOG.error("Could not get default
Service Policies");
+
isValid = false;
}
} else {
if (policies.getPolicies() != null &&
policies.getPolicyDeltas() != null) {
LOG.error("Invalid servicePolicies:
Both policies and policy-deltas cannot be null OR both of them cannot be
non-null");
+
isValid = false;
} else if (policies.getPolicies() != null) {
usePolicyDeltas = false;
} else if (policies.getPolicyDeltas() != null) {
// Rebuild policies from deltas
RangerPolicyEngineImpl policyEngine =
(RangerPolicyEngineImpl) oldPolicyEngine;
+
servicePolicies =
ServicePolicies.applyDelta(policies, policyEngine);
+
if (servicePolicies != null) {
usePolicyDeltas = true;
} else {
isValid = false;
+
LOG.error("Could not apply
deltas=" + Arrays.toString(policies.getPolicyDeltas().toArray()));
}
} else {
LOG.error("Should not get here!!");
+
isValid = false;
}
}
@@ -312,30 +210,37 @@ public class RangerBasePlugin {
if (LOG.isDebugEnabled()) {
LOG.debug("policies are not
null. Creating engine from policies");
}
- newPolicyEngine = new
RangerPolicyEngineImpl(appId, policies, policyEngineOptions,
rangerPluginContext, rangerRoles);
+
+ newPolicyEngine = new
RangerPolicyEngineImpl(policies, pluginContext, roles);
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("policy-deltas are
not null");
}
+
if
(CollectionUtils.isNotEmpty(policies.getPolicyDeltas()) ||
MapUtils.isNotEmpty(policies.getSecurityZones())) {
if (LOG.isDebugEnabled()) {
LOG.debug("Non empty
policy-deltas found. Cloning engine using policy-deltas");
}
+
if (oldPolicyEngine != null) {
RangerPolicyEngineImpl
oldPolicyEngineImpl = (RangerPolicyEngineImpl) oldPolicyEngine;
+
newPolicyEngine =
RangerPolicyEngineImpl.getPolicyEngine(oldPolicyEngineImpl, policies);
}
+
if (newPolicyEngine != null) {
if
(LOG.isDebugEnabled()) {
LOG.debug("Applied policyDeltas=" +
Arrays.toString(policies.getPolicyDeltas().toArray()) + ")");
}
+
isPolicyEngineShared =
true;
} else {
if
(LOG.isDebugEnabled()) {
LOG.debug("Failed to apply policyDeltas=" +
Arrays.toString(policies.getPolicyDeltas().toArray()) + "), Creating engine
from policies");
LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]");
}
- newPolicyEngine = new
RangerPolicyEngineImpl(appId, servicePolicies, policyEngineOptions,
rangerPluginContext, rangerRoles);
+
+ newPolicyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
}
} else {
if (LOG.isDebugEnabled()) {
@@ -345,20 +250,20 @@ public class RangerBasePlugin {
}
if (newPolicyEngine != null) {
-
if (!isPolicyEngineShared) {
-
newPolicyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
-
newPolicyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
+
newPolicyEngine.setUseForwardedIPAddress(pluginConfig.isUseForwardedIPAddress());
+
newPolicyEngine.setTrustedProxyAddresses(pluginConfig.getTrustedProxyAddresses());
}
- this.policyEngine = newPolicyEngine;
- this.currentAuthContext =
rangerPluginContext.getAuthContext();
+ this.policyEngine =
newPolicyEngine;
+ this.currentAuthContext =
pluginContext.getAuthContext();
- contextChanged();
+
pluginContext.notifyAuthContextChanged();
if (oldPolicyEngine != null) {
((RangerPolicyEngineImpl)
oldPolicyEngine).releaseResources();
}
+
if (this.refresher != null) {
this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies);
}
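Review bot: `this.policyEngine` and `this.currentAuthContext` are assigned here as two separate plain writes, and both fields are declared without `volatile` earlier in this diff, while the readers (`grantAccess`, `refreshPoliciesAndTags`) copy them into locals precisely because another thread — `PolicyRefresher extends Thread` — replaces them. Without `volatile` (or a lock not visible here) the JMM gives no guarantee that an access-check thread sees the new engine promptly after a policy revoke, and even with it a reader can pair the new engine with the old auth context. Unless publication is guarded elsewhere, declare both fields `volatile` and consider publishing them together (one immutable holder object) so an access check never observes a half-updated pair. The enclosing `setPolicies` starts and ends outside this hunk.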
@@ -376,45 +281,15 @@ public class RangerBasePlugin {
}
}
- public void contextChanged() {
- RangerAuthContextListener authContextListener =
this.authContextListener;
-
- if (authContextListener != null) {
- authContextListener.contextChanged();
- }
- }
-
public void cleanup() {
-
PolicyRefresher refresher = this.refresher;
- Timer policyEngineRefreshTimer = this.policyEngineRefreshTimer;
-
- Timer policyDownloadTimer = this.policyDownloadTimer;
-
- String serviceName = this.serviceName;
-
- this.serviceName = null;
this.policyEngine = null;
this.refresher = null;
- this.policyEngineRefreshTimer = null;
- this.policyDownloadTimer = null;
if (refresher != null) {
refresher.stopRefresher();
}
-
- if (policyDownloadTimer != null) {
- policyDownloadTimer.cancel();
- }
-
- if (policyEngineRefreshTimer != null) {
- policyEngineRefreshTimer.cancel();
- }
-
- if (serviceName != null) {
- servicePluginMap.remove(serviceName);
- }
}
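Review bot: `cleanup()` no longer cancels `policyDownloadTimer`; the Timer moves into `PolicyRefresher` (declared there later in this diff), so `refresher.stopRefresher()` must now cancel it, otherwise the daemon timer keeps queueing `DownloaderTask`s into a queue nobody drains after the plugin is torn down. `stopRefresher` is not in the visible hunks, so verify it calls `policyDownloadTimer.cancel()`; if it does, a comment here such as `// stopRefresher() also cancels the policy-download timer, now owned by the refresher` records the ownership transfer for the next reader.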
public void setResultProcessor(RangerAccessResultProcessor
resultProcessor) {
@@ -520,6 +395,7 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.dropRole(" + roleName +
")");
}
+
getAdminClient().dropRole(execUser, roleName);
if(LOG.isDebugEnabled()) {
@@ -531,6 +407,7 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.getUserRoleNames(" +
execUser + ")");
}
+
final List<String> ret =
getAdminClient().getUserRoles(execUser);
if(LOG.isDebugEnabled()) {
@@ -543,6 +420,7 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.getAllRoles()");
}
+
final List<String> ret = getAdminClient().getAllRoles(execUser);
if(LOG.isDebugEnabled()) {
@@ -555,6 +433,7 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.getPrincipalsForRole("
+ roleName + ")");
}
+
final RangerRole ret = getAdminClient().getRole(execUser,
roleName);
if(LOG.isDebugEnabled()) {
@@ -567,6 +446,7 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.grantRole(" + request +
")");
}
+
getAdminClient().grantRole(request);
if(LOG.isDebugEnabled()) {
@@ -578,6 +458,7 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.revokeRole(" + request
+ ")");
}
+
getAdminClient().revokeRole(request);
if(LOG.isDebugEnabled()) {
@@ -589,9 +470,12 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.grantAccess(" + request
+ ")");
}
- boolean isSuccess = false;
+
+ boolean isSuccess = false;
try {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
if (policyEngine != null) {
request.setZoneName(policyEngine.getMatchedZoneName(request));
}
@@ -612,9 +496,12 @@ public class RangerBasePlugin {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.revokeAccess(" +
request + ")");
}
- boolean isSuccess = false;
+
+ boolean isSuccess = false;
try {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
if (policyEngine != null) {
request.setZoneName(policyEngine.getMatchedZoneName(request));
}
@@ -632,22 +519,17 @@ public class RangerBasePlugin {
}
public void registerAuthContextEventListener(RangerAuthContextListener
authContextListener) {
- this.authContextListener = authContextListener;
- }
-
- public void
unregisterAuthContextEventListener(RangerAuthContextListener
authContextListener) {
- this.authContextListener = null;
+ this.pluginContext.setAuthContextListener(authContextListener);
}
- public static RangerAdminClient createAdminClient(String
rangerServiceName, String applicationId, String propertyPrefix, Configuration
config) {
+ public static RangerAdminClient createAdminClient(RangerPluginConfig
pluginConfig) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerBasePlugin.createAdminClient(" +
rangerServiceName + ", " + applicationId + ", " + propertyPrefix + ")");
+ LOG.debug("==> RangerBasePlugin.createAdminClient(" +
pluginConfig.getServiceName() + ", " + pluginConfig.getAppId() + ", " +
pluginConfig.getPropertyPrefix() + ")");
}
- RangerAdminClient ret = null;
-
- String propertyName = propertyPrefix + ".policy.source.impl";
- String policySourceImpl = config.get(propertyName);
+ RangerAdminClient ret = null;
+ String propertyName =
pluginConfig.getPropertyPrefix() + ".policy.source.impl";
+ String policySourceImpl =
pluginConfig.get(propertyName);
if(StringUtils.isEmpty(policySourceImpl)) {
if (LOG.isDebugEnabled()) {
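Review bot: `unregisterAuthContextEventListener`, a public method, is removed outright while `registerAuthContextEventListener` is kept, so a plugin that registered a listener has no way to detach it and any existing caller fails to link. Keep it as `public void unregisterAuthContextEventListener(RangerAuthContextListener authContextListener) { this.pluginContext.setAuthContextListener(null); }`, matching the old semantics. The public static `createAdminClient(String, String, String, Configuration)` likewise changes signature rather than gaining an overload; since `policy.source.impl` is resolved via `Class.forName` with an unchecked cast (next hunk), its Javadoc should state that the class named in the plugin configuration is loaded and instantiated with the plugin's privileges, so that file must be writable only by the service owner. The body of `createAdminClient` continues past the end of the hunk.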
@@ -657,6 +539,7 @@ public class RangerBasePlugin {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("Value for property[%s]
was [%s].", propertyName, policySourceImpl));
}
+
try {
@SuppressWarnings("unchecked")
Class<RangerAdminClient> adminClass =
(Class<RangerAdminClient>)Class.forName(policySourceImpl);
@@ -671,10 +554,10 @@ public class RangerBasePlugin {
ret = new RangerAdminRESTClient();
}
- ret.init(rangerServiceName, applicationId, propertyPrefix,
config);
+ ret.init(pluginConfig.getServiceName(),
pluginConfig.getAppId(), pluginConfig.getPropertyPrefix(), pluginConfig);
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerBasePlugin.createAdminClient(" +
rangerServiceName + ", " + applicationId + ", " + propertyPrefix + "):
policySourceImpl=" + policySourceImpl + ", client=" + ret);
+ LOG.debug("<== RangerBasePlugin.createAdminClient(" +
pluginConfig.getServiceName() + ", " + pluginConfig.getAppId() + ", " +
pluginConfig.getPropertyPrefix() + "): policySourceImpl=" + policySourceImpl +
", client=" + ret);
}
return ret;
}
@@ -683,15 +566,23 @@ public class RangerBasePlugin {
if (LOG.isDebugEnabled()) {
LOG.debug("==> refreshPoliciesAndTags()");
}
+
try {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
// Synch-up policies
- long oldPolicyVersion =
this.policyEngine.getPolicyVersion();
- syncPoliciesWithAdmin(accessTrigger);
- long newPolicyVersion =
this.policyEngine.getPolicyVersion();
+ long oldPolicyVersion = policyEngine.getPolicyVersion();
+
+ refresher.syncPoliciesWithAdmin(accessTrigger);
+
+ policyEngine = this.policyEngine; // might be updated
in syncPoliciesWithAdmin()
+
+ long newPolicyVersion = policyEngine.getPolicyVersion();
if (oldPolicyVersion == newPolicyVersion) {
// Synch-up tags
RangerTagEnricher tagEnricher =
getTagEnricher();
+
if (tagEnricher != null) {
tagEnricher.syncTagsWithAdmin(accessTrigger);
}
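Review bot: `refreshPoliciesAndTags` snapshots `policyEngine` twice but calls `refresher.syncPoliciesWithAdmin(accessTrigger)` through the field directly, and `cleanup()` nulls both `this.refresher` and `this.policyEngine` concurrently, so a refresh racing with teardown throws a NullPointerException from `policyEngine.getPolicyVersion()` or from the `refresher` dereference. Snapshot both at the top and bail out: `PolicyRefresher refresher = this.refresher; RangerPolicyEngine policyEngine = this.policyEngine; if (refresher == null || policyEngine == null) { return; }`, and apply the same null check to the re-read after the sync. The method's `try` block continues past the end of the hunk.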
@@ -699,20 +590,13 @@ public class RangerBasePlugin {
} catch (InterruptedException exception) {
LOG.error("Failed to update policy-engine, continuing
to use old policy-engine and/or tags", exception);
}
+
if (LOG.isDebugEnabled()) {
LOG.info("<== refreshPoliciesAndTags()");
}
}
- /*
- This API is provided only for unit testing
- */
-
- public void setPluginContext(RangerPluginContext pluginContext) {
- this.rangerPluginContext = pluginContext;
- }
-
private void auditGrantRevoke(GrantRevokeRequest request, String
action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
if(request != null && resultProcessor != null) {
RangerAccessRequestImpl accessRequest = new
RangerAccessRequestImpl();
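Review bot: The `catch (InterruptedException exception)` at the top of this hunk logs and swallows the interrupt without `Thread.currentThread().interrupt()`, so a shutdown request to the thread running `refreshPoliciesAndTags` is silently cleared and the caller carries on. Add the re-interrupt as the first statement of the handler. The exit trace is also `LOG.info` inside an `isDebugEnabled()` guard; make it `LOG.debug("<== refreshPoliciesAndTags()")` to match the entry trace. The enclosing method starts outside this hunk.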
@@ -745,29 +629,32 @@ public class RangerBasePlugin {
private RangerServiceDef getDefaultServiceDef() {
RangerServiceDef ret = null;
- if (StringUtils.isNotBlank(serviceType)) {
+ if (StringUtils.isNotBlank(getServiceType())) {
try {
- ret =
EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(serviceType);
+ ret =
EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(getServiceType());
} catch (Exception exp) {
- LOG.error("Could not get embedded service-def
for " + serviceType);
+ LOG.error("Could not get embedded service-def
for " + getServiceType());
}
}
return ret;
}
private ServicePolicies getDefaultSvcPolicies() {
- ServicePolicies ret = null;
-
+ ServicePolicies ret = null;
RangerServiceDef serviceDef = getServiceDef();
+
if (serviceDef == null) {
serviceDef = getDefaultServiceDef();
}
+
if (serviceDef != null) {
ret = new ServicePolicies();
+
ret.setServiceDef(serviceDef);
- ret.setServiceName(serviceName);
+ ret.setServiceName(getServiceName());
ret.setPolicies(new ArrayList<RangerPolicy>());
}
+
return ret;
}
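Review bot: `getDefaultServiceDef` catches `Exception exp` and logs only a message, dropping the stack trace and cause, so a failure to load the embedded service-def — which makes `getDefaultSvcPolicies` return null and `setPolicies` mark the plugin invalid — is hard to diagnose. Pass the exception to the logger: `LOG.error("Could not get embedded service-def for " + getServiceType(), exp);`. A one-line Javadoc on `getDefaultSvcPolicies` stating that the fallback carries the service-def and an empty policy list would also make explicit what that means for access decisions, which is not visible here.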
@@ -797,22 +684,20 @@ public class RangerBasePlugin {
int counter;
}
- private void syncPoliciesWithAdmin(final DownloadTrigger token) throws
InterruptedException{
- policyDownloadQueue.put(token);
- token.waitForCompletion();
- }
-
private RangerTagEnricher getTagEnricher() {
- RangerTagEnricher ret = null;
+ RangerTagEnricher ret = null;
RangerAuthContext authContext = getCurrentRangerAuthContext();
+
if (authContext != null) {
Map<RangerContextEnricher, Object> contextEnricherMap =
authContext.getRequestContextEnrichers();
+
if (MapUtils.isNotEmpty(contextEnricherMap)) {
Set<RangerContextEnricher> contextEnrichers =
contextEnricherMap.keySet();
for (RangerContextEnricher enricher :
contextEnrichers) {
if (enricher instanceof
RangerTagEnricher) {
ret = (RangerTagEnricher)
enricher;
+
break;
}
}
@@ -831,4 +716,23 @@ public class RangerBasePlugin {
return admin;
}
+ private static AuditProviderFactory getAuditProviderFactory(String
serviceName) {
+ AuditProviderFactory ret = AuditProviderFactory.getInstance();
+
+ if (!ret.isInitDone()) {
+
LOG.warn("RangerBasePlugin.getAuditProviderFactory(serviceName=" + serviceName
+ "): audit not initialized yet. Will use stand-alone audit factory");
+
+ ret = StandAloneAuditProviderFactory.getInstance();
+
+ if (!ret.isInitDone()) {
+ RangerAuditConfig conf = new
RangerAuditConfig();
+
+ if (conf.isInitSuccess()) {
+ ret.init(conf.getProperties(),
"StandAlone");
+ }
+ }
+ }
+
+ return ret;
+ }
}
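Review bot: `getAuditProviderFactory` silently returns an un-initialized stand-alone factory when `conf.isInitSuccess()` is false — that branch has no log at all — while the `!ret.isInitDone()` branch above it warns, so the one outcome that actually loses audit events is the quietest. Add `else { LOG.error("RangerBasePlugin.getAuditProviderFactory(serviceName=" + serviceName + "): audit configuration failed to load; authorization audits will not be generated"); }`. Note also that `serviceName` is used only in the warning text: both factories are obtained via `getInstance()` and so look JVM-wide, not per-service, which a comment on the method should say so callers do not assume the old per-plugin behaviour. The `ret.init(...)` on the stand-alone factory is unguarded against concurrent callers unless `init` itself is synchronized, which is not visible here.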
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
b/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
index 0cb8f02..7da43d5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
@@ -45,7 +45,7 @@ public interface RoleStore {
List<String> getRoleNames(SearchFilter filter) throws Exception;
- RangerRoles getRangerRoles(String serviceName, Long lastKnownRoleVersion)
throws Exception;
+ RangerRoles getRoles(String serviceName, Long lastKnownRoleVersion) throws
Exception;
Long getRoleVersion(String serviceName);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 34de568..63a98f2 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -24,12 +24,15 @@ import java.io.FileReader;
import java.io.FileWriter;
import java.io.Reader;
import java.io.Writer;
+import java.util.Timer;
import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.LinkedBlockingQueue;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import com.google.gson.Gson;
@@ -41,45 +44,44 @@ public class PolicyRefresher extends Thread {
private static final Log PERF_POLICYENGINE_INIT_LOG =
RangerPerfTracer.getPerfLogger("policyengine.init");
- private final RangerBasePlugin plugIn;
- private final String serviceType;
- private final String serviceName;
- private final RangerAdminClient rangerAdmin;
- private final BlockingQueue<DownloadTrigger> policyDownloadQueue;
- private final RangerRolesProvider rangerRolesProvider;
-
- private final String cacheFileName;
- private final String cacheDir;
- private final Gson gson;
- private final boolean disableCacheIfServiceNotFound;
-
- private long lastKnownVersion = -1L;
- private long lastActivationTimeInMillis;
- private boolean policiesSetInPlugin;
- private boolean serviceDefSetInPlugin;
-
- public PolicyRefresher(RangerBasePlugin plugIn, String serviceType,
String appId, String serviceName, RangerAdminClient rangerAdmin,
BlockingQueue<DownloadTrigger> policyDownloadQueue, String cacheDir,
RangerRolesProvider rangerRolesProvider) {
+ private final RangerBasePlugin plugIn;
+ private final String serviceType;
+ private final String serviceName;
+ private final RangerAdminClient rangerAdmin;
+ private final RangerRolesProvider rolesProvider;
+ private final long pollingIntervalMs;
+ private final String cacheFileName;
+ private final String cacheDir;
+ private final Gson gson;
+ private final boolean
disableCacheIfServiceNotFound;
+ private final BlockingQueue<DownloadTrigger> policyDownloadQueue = new
LinkedBlockingQueue<>();
+ private Timer policyDownloadTimer;
+ private long lastKnownVersion = -1L;
+ private long lastActivationTimeInMillis;
+ private boolean policiesSetInPlugin;
+ private boolean serviceDefSetInPlugin;
+
+
+ public PolicyRefresher(RangerBasePlugin plugIn) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> PolicyRefresher(serviceName=" +
serviceName + ").PolicyRefresher()");
+ LOG.debug("==> PolicyRefresher(serviceName=" +
plugIn.getServiceName() + ").PolicyRefresher()");
}
- this.plugIn = plugIn;
- this.serviceType = serviceType;
- this.serviceName = serviceName;
- this.rangerAdmin = rangerAdmin;
- this.policyDownloadQueue = policyDownloadQueue;
- this.rangerRolesProvider = rangerRolesProvider;
+ RangerPluginConfig pluginConfig = plugIn.getConfig();
+ String propertyPrefix =
pluginConfig.getPropertyPrefix();
- if(StringUtils.isEmpty(appId)) {
- appId = serviceType;
- }
+ this.plugIn = plugIn;
+ this.serviceType = plugIn.getServiceType();
+ this.serviceName = plugIn.getServiceName();
+ this.cacheDir = pluginConfig.get(propertyPrefix +
".policy.cache.dir");
+ String appId = StringUtils.isEmpty(plugIn.getAppId()) ?
serviceType : plugIn.getAppId();
String cacheFilename = String.format("%s_%s.json", appId,
serviceName);
+
cacheFilename = cacheFilename.replace(File.separatorChar, '_');
cacheFilename = cacheFilename.replace(File.pathSeparatorChar,
'_');
this.cacheFileName = cacheFilename;
- this.cacheDir = cacheDir;
Gson gson = null;
try {
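Review bot: The new single-argument `PolicyRefresher(RangerBasePlugin plugIn)` constructor has no Javadoc, and since it now derives everything from the plugin instead of receiving it, the configuration it depends on is invisible at the call site. A Javadoc on the constructor should state that `serviceType`, `serviceName` and `appId` are taken from the plugin, that `<propertyPrefix>.policy.cache.dir`, `<propertyPrefix>.disable.cache.if.servicenotfound` and `<propertyPrefix>.policy.pollIntervalMs` are read from `plugIn.getConfig()`, and that the refresher creates its own admin client and `RangerRolesProvider` (those assignments sit in the following hunk). The constructor body continues past the end of this hunk.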
@@ -87,10 +89,12 @@ public class PolicyRefresher extends Thread {
} catch(Throwable excp) {
LOG.fatal("PolicyRefresher(): failed to create
GsonBuilder object", excp);
}
- this.gson = gson;
- String propertyPrefix = "ranger.plugin." + serviceType;
- disableCacheIfServiceNotFound =
plugIn.getConfig().getBoolean(propertyPrefix +
".disable.cache.if.servicenotfound", true);
+ this.gson = gson;
+ this.disableCacheIfServiceNotFound =
pluginConfig.getBoolean(propertyPrefix + ".disable.cache.if.servicenotfound",
true);
+ this.rangerAdmin =
RangerBasePlugin.createAdminClient(pluginConfig);
+ this.rolesProvider = new
RangerRolesProvider(getServiceType(), appId, getServiceName(), rangerAdmin,
cacheDir, pluginConfig);
+ this.pollingIntervalMs =
pluginConfig.getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
if(LOG.isDebugEnabled()) {
LOG.debug("<== PolicyRefresher(serviceName=" +
serviceName + ").PolicyRefresher()");
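Review bot: `pollingIntervalMs` is read from `<propertyPrefix>.policy.pollIntervalMs` with no lower bound, and `Timer.schedule(task, delay, period)` in `start()` (next hunk, `@@ -138,6 +142,22 @@`) throws `IllegalArgumentException` when `period <= 0`, which that hunk's `catch (IllegalStateException exception)` does not cover. Because `super.start()` has already run at that point, a zero or negative value leaves the refresher thread running while `start()` propagates an exception to the caller. Either reject the value here, `if (pollingIntervalMs <= 0) { throw new IllegalArgumentException(propertyPrefix + ".policy.pollIntervalMs must be positive: " + pollingIntervalMs); }`, or widen the catch in `start()` to `} catch (IllegalStateException | IllegalArgumentException exception) {` so the existing "Policies will NOT be downloaded" path handles both.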
@@ -138,6 +142,22 @@ public class PolicyRefresher extends Thread {
loadPolicy();
super.start();
+
+ policyDownloadTimer = new Timer("policyDownloadTimer", true);
+
+ try {
+ policyDownloadTimer.schedule(new
DownloaderTask(policyDownloadQueue), pollingIntervalMs, pollingIntervalMs);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Scheduled policyDownloadRefresher to
download policies every " + pollingIntervalMs + " milliseconds");
+ }
+ } catch (IllegalStateException exception) {
+ LOG.error("Error scheduling policyDownloadTimer:",
exception);
+ LOG.error("*** Policies will NOT be downloaded every "
+ pollingIntervalMs + " milliseconds ***");
+
+ policyDownloadTimer = null;
+ }
+
}
public void stopRefresher() {
@@ -145,9 +165,17 @@ public class PolicyRefresher extends Thread {
try {
super.join();
- } catch (InterruptedException excp) {
- LOG.warn("PolicyRefresher(serviceName=" + serviceName + "):
error while waiting for thread to exit", excp);
- }
+ } catch (InterruptedException excp) {
+ LOG.warn("PolicyRefresher(serviceName=" + serviceName +
"): error while waiting for thread to exit", excp);
+ }
+
+ Timer policyDownloadTimer = this.policyDownloadTimer;
+
+ this.policyDownloadTimer = null;
+
+ if (policyDownloadTimer != null) {
+ policyDownloadTimer.cancel();
+ }
}
public void run() {
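Review bot: `stopRefresher()` cancels `policyDownloadTimer` only after `super.join()` has returned, so the timer stays live while the consumer thread is shutting down; if `run()` (outside this hunk) exits on interrupt, a tick in that window can still enqueue a trigger into `policyDownloadQueue` that nothing drains. Cancelling the producer first is the safer order: move the three statements that copy, null and cancel `policyDownloadTimer` to the top of `stopRefresher()`, ahead of the join, so no new triggers are produced once shutdown begins. The first lines of `stopRefresher()` (presumably the interrupt of the thread) are outside this hunk, so the exact insertion point needs checking there.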
@@ -173,6 +201,11 @@ public class PolicyRefresher extends Thread {
}
}
+ public void syncPoliciesWithAdmin(DownloadTrigger token) throws
InterruptedException {
+ policyDownloadQueue.put(token);
+ token.waitForCompletion();
+ }
+
private void loadPolicy() {
if(LOG.isDebugEnabled()) {
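Review bot: `syncPoliciesWithAdmin()` is public and blocks on `token.waitForCompletion()` without a timeout, but `policyDownloadQueue` is only drained while this refresher thread is running; a call after `stopRefresher()` or before `start()` would put the token and then wait indefinitely (assuming `waitForCompletion()`, which is outside this diff, has no timeout of its own). A guard at the top such as `if (!isAlive()) { throw new IllegalStateException("PolicyRefresher(serviceName=" + serviceName + "): refresher thread is not running"); }` makes the failure immediate and visible. The method also needs a Javadoc saying that it blocks the caller until the refresher thread has processed the trigger and that it may only be used while the refresher is running.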
@@ -437,7 +470,7 @@ public class PolicyRefresher extends Thread {
}
//Load the Ranger UserGroup Roles
- rangerRolesProvider.loadUserGroupRoles(plugIn);
+ rolesProvider.loadUserGroupRoles(plugIn);
if(LOG.isDebugEnabled()) {
LOG.debug("<== PolicyRefresher(serviceName=" +
serviceName + ").loadRoles()");
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index 0e1808f..0f44a5d 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -102,25 +102,24 @@ public class RangerRESTClient {
private String mTrustStoreAlias;
private String mTrustStoreFile;
private String mTrustStoreType;
-
private Gson gsonBuilder;
- private volatile Client client;
+ private int mRestClientConnTimeOutMs;
+ private int mRestClientReadTimeOutMs;
+ private int lastKnownActiveUrlIndex;
- private int mRestClientConnTimeOutMs;
- private int mRestClientReadTimeOutMs;
-
- private int lastKnownActiveUrlIndex;
private final List<String> configuredURLs;
- private final Configuration config;
+
+ private volatile Client client;
public RangerRESTClient(String url, String sslConfigFileName,
Configuration config) {
mUrl = url;
mSslConfigFileName = sslConfigFileName;
- this.configuredURLs = getURLs(mUrl);
- this.config = config;
- this.setLastKnownActiveUrlIndex((new
Random()).nextInt(getConfiguredURLs().size()));
- init();
+ configuredURLs = getURLs(mUrl);
+
+ setLastKnownActiveUrlIndex((new
Random()).nextInt(getConfiguredURLs().size()));
+
+ init(config);
}
public String getUrl() {
@@ -234,7 +233,7 @@ public class RangerRESTClient {
client = null;
}
- private void init() {
+ private void init(Configuration config) {
try {
gsonBuilder = new
GsonBuilder().setDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ").create();
} catch(Throwable excp) {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesProvider.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesProvider.java
index 1e2d74d..46bfde2 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesProvider.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesProvider.java
@@ -120,12 +120,12 @@ public class RangerRolesProvider {
try {
//load userGroupRoles from ranger admin
- RangerRoles rangerRoles = loadUserGroupRolesFromAdmin();
+ RangerRoles roles = loadUserGroupRolesFromAdmin();
- if (rangerRoles == null) {
+ if (roles == null) {
//if userGroupRoles fetch from ranger Admin
Fails, load from cache
if (!rangerUserGroupRolesSetInPlugin) {
- rangerRoles =
loadUserGroupRolesFromCache();
+ roles = loadUserGroupRolesFromCache();
}
}
@@ -135,21 +135,21 @@ public class RangerRolesProvider {
PERF_POLICYENGINE_INIT_LOG.debug("In-Use
memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory);
}
- if (rangerRoles != null) {
- plugIn.setRangerRoles(rangerRoles);
+ if (roles != null) {
+ plugIn.setRoles(roles);
rangerUserGroupRolesSetInPlugin = true;
setLastActivationTimeInMillis(System.currentTimeMillis());
- lastKnownRoleVersion =
rangerRoles.getRoleVersion();
+ lastKnownRoleVersion = roles.getRoleVersion();
} else {
if (!rangerUserGroupRolesSetInPlugin &&
!serviceDefSetInPlugin) {
- plugIn.setRangerRoles(null);
+ plugIn.setRoles(null);
serviceDefSetInPlugin = true;
}
}
} catch (RangerServiceNotFoundException snfe) {
if (disableCacheIfServiceNotFound) {
disableCache();
- plugIn.setRangerRoles(null);
+ plugIn.setRoles(null);
setLastActivationTimeInMillis(System.currentTimeMillis());
lastKnownRoleVersion = -1L;
serviceDefSetInPlugin = true;
@@ -171,7 +171,7 @@ public class RangerRolesProvider {
LOG.debug("==> RangerRolesProvider(serviceName=" +
serviceName + ").loadUserGroupRolesFromAdmin()");
}
- RangerRoles rangerRoles = null;
+ RangerRoles roles;
RangerPerfTracer perf = null;
@@ -180,13 +180,13 @@ public class RangerRolesProvider {
}
try {
- rangerRoles =
rangerAdmin.getRolesIfUpdated(lastKnownRoleVersion, lastActivationTimeInMillis);
+ roles =
rangerAdmin.getRolesIfUpdated(lastKnownRoleVersion, lastActivationTimeInMillis);
- boolean isUpdated = rangerRoles != null;
+ boolean isUpdated = roles != null;
if(isUpdated) {
- long newVersion = rangerRoles.getRoleVersion()
== null ? -1 : rangerRoles.getRoleVersion().longValue();
- saveToCache(rangerRoles);
+ long newVersion = roles.getRoleVersion() ==
null ? -1 : roles.getRoleVersion().longValue();
+ saveToCache(roles);
LOG.info("RangerRolesProvider(serviceName=" +
serviceName + "): found updated version. lastKnownRoleVersion=" +
lastKnownRoleVersion + "; newVersion=" + newVersion );
} else {
if(LOG.isDebugEnabled()) {
@@ -194,11 +194,11 @@ public class RangerRolesProvider {
}
}
} catch (RangerServiceNotFoundException snfe) {
- LOG.error("RangerRolesProvider(serviceName=" +
serviceName + "): failed to find service. Will clean up local cache of
rangerRoles (" + lastKnownRoleVersion + ")", snfe);
+ LOG.error("RangerRolesProvider(serviceName=" +
serviceName + "): failed to find service. Will clean up local cache of roles ("
+ lastKnownRoleVersion + ")", snfe);
throw snfe;
} catch (Exception excp) {
- LOG.error("RangerRolesProvider(serviceName=" +
serviceName + "): failed to refresh rangerRoles. Will continue to use last
known version of rangerRoles (" + "lastKnowRoleVersion= " +
lastKnownRoleVersion, excp);
- rangerRoles = null;
+ LOG.error("RangerRolesProvider(serviceName=" +
serviceName + "): failed to refresh roles. Will continue to use last known
version of roles (" + "lastKnowRoleVersion= " + lastKnownRoleVersion, excp);
+ roles = null;
}
RangerPerfTracer.log(perf);
@@ -207,12 +207,12 @@ public class RangerRolesProvider {
LOG.debug("<== RangerRolesProvider(serviceName=" +
serviceName + " serviceType= " + serviceType + "
).loadUserGroupRolesFromAdmin()");
}
- return rangerRoles;
+ return roles;
}
private RangerRoles loadUserGroupRolesFromCache() {
- RangerRoles rangerRoles = null;
+ RangerRoles roles = null;
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerRolesProvider(serviceName=" +
serviceName + ").loadUserGroupRolesFromCache()");
@@ -232,16 +232,16 @@ public class RangerRolesProvider {
try {
reader = new FileReader(cacheFile);
- rangerRoles = gson.fromJson(reader,
RangerRoles.class);
+ roles = gson.fromJson(reader,
RangerRoles.class);
- if (rangerRoles != null) {
- if (!StringUtils.equals(serviceName,
rangerRoles.getServiceName())) {
- LOG.warn("ignoring unexpected
serviceName '" + rangerRoles.getServiceName() + "' in cache file '" +
cacheFile.getAbsolutePath() + "'");
+ if (roles != null) {
+ if (!StringUtils.equals(serviceName,
roles.getServiceName())) {
+ LOG.warn("ignoring unexpected
serviceName '" + roles.getServiceName() + "' in cache file '" +
cacheFile.getAbsolutePath() + "'");
-
rangerRoles.setServiceName(serviceName);
+
roles.setServiceName(serviceName);
}
- lastKnownRoleVersion =
rangerRoles.getRoleVersion() == null ? -1 :
rangerRoles.getRoleVersion().longValue();
+ lastKnownRoleVersion =
roles.getRoleVersion() == null ? -1 : roles.getRoleVersion().longValue();
}
} catch (Exception excp) {
LOG.error("failed to load userGroupRoles from
cache file " + cacheFile.getAbsolutePath(), excp);
@@ -257,27 +257,27 @@ public class RangerRolesProvider {
}
}
} else {
- rangerRoles = new RangerRoles();
- rangerRoles.setServiceName(serviceName);
- rangerRoles.setRoleVersion(-1L);
- rangerRoles.setRoleUpdateTime(new Date());
- rangerRoles.setRangerRoles(new HashSet<>());
- saveToCache(rangerRoles);
+ roles = new RangerRoles();
+ roles.setServiceName(serviceName);
+ roles.setRoleVersion(-1L);
+ roles.setRoleUpdateTime(new Date());
+ roles.setRangerRoles(new HashSet<>());
+ saveToCache(roles);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerRolesProvider(serviceName=" +
serviceName + ").RangerRolesProvider()");
}
- return rangerRoles;
+ return roles;
}
- public void saveToCache(RangerRoles rangerRoles) {
+ public void saveToCache(RangerRoles roles) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerRolesProvider(serviceName=" +
serviceName + ").saveToCache()");
}
- if(rangerRoles != null) {
+ if(roles != null) {
File cacheFile = null;
if (cacheDir != null) {
// Create the cacheDir if it doesn't already
exist
@@ -307,9 +307,9 @@ public class RangerRolesProvider {
try {
writer = new FileWriter(cacheFile);
- gson.toJson(rangerRoles, writer);
+ gson.toJson(roles, writer);
} catch (Exception excp) {
- LOG.error("failed to save rangerRoles
to cache file '" + cacheFile.getAbsolutePath() + "'", excp);
+ LOG.error("failed to save roles to
cache file '" + cacheFile.getAbsolutePath() + "'", excp);
} finally {
if(writer != null) {
try {
@@ -323,7 +323,7 @@ public class RangerRolesProvider {
RangerPerfTracer.log(perf);
}
} else {
- LOG.info("rangerRoles is null. Nothing to save in
cache");
+ LOG.info("roles is null. Nothing to save in cache");
}
if(LOG.isDebugEnabled()) {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
index aa2cda6..0268e2f 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
@@ -34,13 +34,13 @@ public class RangerRolesUtil {
private final Map<String, Set<String>> userRoleMapping = new HashMap<>();
private final Map<String, Set<String>> groupRoleMapping = new HashMap<>();
- public RangerRolesUtil(RangerRoles rangerRoles) {
- if (rangerRoles != null) {
- roleVersion = rangerRoles.getRoleVersion();
+ public RangerRolesUtil(RangerRoles roles) {
+ if (roles != null) {
+ roleVersion = roles.getRoleVersion();
- if (CollectionUtils.isNotEmpty(rangerRoles.getRangerRoles())) {
- for (RangerRole role : rangerRoles.getRangerRoles()) {
- Set<RangerRole> containedRoles =
getAllContainedRoles(rangerRoles.getRangerRoles(), role);
+ if (CollectionUtils.isNotEmpty(roles.getRangerRoles())) {
+ for (RangerRole role : roles.getRangerRoles()) {
+ Set<RangerRole> containedRoles =
getAllContainedRoles(roles.getRangerRoles(), role);
buildMap(userRoleMapping, role, containedRoles, true);
buildMap(groupRoleMapping, role, containedRoles, false);
@@ -61,24 +61,24 @@ public class RangerRolesUtil {
return this.groupRoleMapping;
}
- private Set<RangerRole> getAllContainedRoles(Set<RangerRole> rangerRoles,
RangerRole role) {
+ private Set<RangerRole> getAllContainedRoles(Set<RangerRole> roles,
RangerRole role) {
Set<RangerRole> allRoles = new HashSet<>();
allRoles.add(role);
- addContainedRoles(allRoles, rangerRoles, role);
+ addContainedRoles(allRoles, roles, role);
return allRoles;
}
- private void addContainedRoles(Set<RangerRole> allRoles, Set<RangerRole>
rangerRoles, RangerRole role) {
+ private void addContainedRoles(Set<RangerRole> allRoles, Set<RangerRole>
roles, RangerRole role) {
List<RangerRole.RoleMember> roleMembers = role.getRoles();
for (RangerRole.RoleMember roleMember : roleMembers) {
- RangerRole containedRole = getContainedRole(rangerRoles,
roleMember.getName());
+ RangerRole containedRole = getContainedRole(roles,
roleMember.getName());
if (containedRole!= null && !allRoles.contains(containedRole)) {
allRoles.add(containedRole);
- addContainedRoles(allRoles, rangerRoles, containedRole);
+ addContainedRoles(allRoles, roles, containedRole);
}
}
}
@@ -107,8 +107,8 @@ public class RangerRolesUtil {
}
}
- private RangerRole getContainedRole(Set<RangerRole> rangerRoles, String
role) {
- return (rangerRoles
+ private RangerRole getContainedRole(Set<RangerRole> roles, String role) {
+ return (roles
.stream()
.filter(containedRole -> role.equals(containedRole.getName()))
.findAny()
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index 1109bdd..e9954c3 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -34,6 +34,7 @@ import com.google.gson.JsonElement;
import com.google.gson.JsonParseException;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.junit.After;
import org.junit.AfterClass;
@@ -91,8 +92,8 @@ public class TestPolicyACLs {
for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
- RangerPluginContext pluginContext = new
RangerPluginContext("hive", "cl1", "on-prem");
- RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies,
policyEngineOptions, pluginContext, null);
+ RangerPluginContext pluginContext = new
RangerPluginContext(new RangerPluginConfig("hive", null, "test-policy-acls",
"cl1", "on-prem", policyEngineOptions));
+ RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl(testCase.servicePolicies, pluginContext, null);
for(PolicyACLsTests.TestCase.OneTest oneTest :
testCase.tests) {
if(oneTest == null) {
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 28f7314..362f28e 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -31,6 +31,7 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.audit.provider.AuditHandler;
import org.apache.ranger.audit.provider.AuditProviderFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.contextenricher.RangerServiceResourceMatcher;
import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
@@ -81,7 +82,7 @@ public class TestPolicyEngine {
@BeforeClass
public static void setUpBeforeClass() throws Exception {
- pluginContext = new RangerPluginContext("hive", "cl1",
"on-prem");
+ pluginContext = new RangerPluginContext(new
RangerPluginConfig("hive", null, "hive", "cl1", "on-prem", null));
gsonBuilder = new
GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSSZ")
.setPrettyPrinting()
@@ -120,7 +121,7 @@ public class TestPolicyEngine {
auditProperties.setProperty("xasecure.audit.db.batch.size", "100");
}
- AuditProviderFactory factory = new AuditProviderFactory();
+ AuditProviderFactory factory =
AuditProviderFactory.getInstance();
factory.init(auditProperties, "hdfs"); // second parameter does
not matter for v2
AuditHandler provider = factory.getAuditProvider();
@@ -437,12 +438,6 @@ public class TestPolicyEngine {
servicePolicies.setTagPolicies(tagPolicies);
}
- RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
-
- policyEngineOptions.disableTagPolicyEvaluation = false;
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary
= false;
- policyEngineOptions.optimizeTrieForRetrieval = false;
-
boolean useForwardedIPAddress =
pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress",
false);
String trustedProxyAddressString =
pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
String[] trustedProxyAddresses =
StringUtils.split(trustedProxyAddressString, ';');
@@ -452,10 +447,10 @@ public class TestPolicyEngine {
}
}
- RangerRoles rangerRoles = new RangerRoles();
- rangerRoles.setServiceName(testCase.serviceName);
- rangerRoles.setRoleVersion(-1L);
- Set<RangerRole> rangerRoleSet = new HashSet<>();
+ RangerRoles roles = new RangerRoles();
+ roles.setServiceName(testCase.serviceName);
+ roles.setRoleVersion(-1L);
+ Set<RangerRole> rolesSet = new HashSet<>();
Map<String, Set<String>> userRoleMapping = testCase.userRoles;
Map<String, Set<String>> groupRoleMapping = testCase.groupRoles;
@@ -467,7 +462,7 @@ public class TestPolicyEngine {
List<RangerRole.RoleMember> userRoleMembers =
Arrays.asList(userRoleMember);
for (String usrRole : userRoles) {
RangerRole rangerUserRole = new
RangerRole(usrRole, usrRole, null, userRoleMembers, null);
- rangerRoleSet.add(rangerUserRole);
+ rolesSet.add(rangerUserRole);
}
}
}
@@ -480,14 +475,20 @@ public class TestPolicyEngine {
List<RangerRole.RoleMember> groupRoleMembers =
Arrays.asList(groupRoleMember);
for (String grpRole : groupRoles) {
RangerRole rangerGroupRole = new
RangerRole(grpRole, grpRole, null, groupRoleMembers, null);
- rangerRoleSet.add(rangerGroupRole);
+ rolesSet.add(rangerGroupRole);
}
}
}
- rangerRoles.setRangerRoles(rangerRoleSet);
+ roles.setRangerRoles(rolesSet);
+
+ RangerPolicyEngineOptions policyEngineOptions =
pluginContext.getConfig().getPolicyEngineOptions();
+
+ policyEngineOptions.disableTagPolicyEvaluation = false;
+ policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary =
false;
+ policyEngineOptions.optimizeTrieForRetrieval = false;
- RangerPolicyEngineImpl policyEngine = new
RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions,
pluginContext, rangerRoles);
+ RangerPolicyEngineImpl policyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
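Review bot: `policyEngineOptions` is now the object returned by `pluginContext.getConfig().getPolicyEngineOptions()` on the static `pluginContext` built in `setUpBeforeClass`, and the test mutates it in place, so the flags set here persist across test cases and are shared by every engine built from that context; the second engine in the next hunk (`@@ -495,7 +496,7 @@`) is constructed after `disableAccessEvaluationWithPolicyACLSummary = true` on the same object. Whether `policyEngine` also sees that later flip depends on whether `RangerPolicyEngineImpl` copies the options or keeps the reference, which is outside this diff; the old code sidestepped the question with a fresh `new RangerPolicyEngineOptions()` per test case. If the engine keeps the reference, the two engines no longer exercise different ACL-summary settings as the test intends, so each engine should get its own `RangerPluginContext`/`RangerPluginConfig` carrying its own options, as `TestPolicyEngineComparison` does in this commit.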
@@ -495,7 +496,7 @@ public class TestPolicyEngine {
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary
= true;
policyEngineOptions.optimizeTrieForRetrieval = false;
- RangerPolicyEngineImpl policyEngineForResourceAccessInfo = new
RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions,
pluginContext, rangerRoles);
+ RangerPolicyEngineImpl policyEngineForResourceAccessInfo = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngineForResourceAccessInfo.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngineForResourceAccessInfo.setTrustedProxyAddresses(trustedProxyAddresses);
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineComparison.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineComparison.java
index 4ba0fa1..e204983 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineComparison.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineComparison.java
@@ -27,6 +27,7 @@ import com.google.gson.JsonDeserializationContext;
import com.google.gson.JsonDeserializer;
import com.google.gson.JsonElement;
import com.google.gson.JsonParseException;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.apache.ranger.plugin.util.ServiceTags;
@@ -122,9 +123,10 @@ public class TestPolicyEngineComparison {
boolean isTagsEqual = true;
if (myServicePolicies != null) {
- RangerPluginContext rangerPluginContext = new
RangerPluginContext(myServicePolicies.getServiceDef().getName());
- RangerPolicyEngineImpl myPolicyEngine = new
RangerPolicyEngineImpl("test-compare-my-engine", myServicePolicies, options,
rangerPluginContext, null);
- RangerPolicyEngineImpl otherPolicyEngine = new
RangerPolicyEngineImpl("test-compare-other-engine", otherServicePolicies,
options, rangerPluginContext, null);
+ RangerPluginContext myPluginContext = new
RangerPluginContext(new
RangerPluginConfig(myServicePolicies.getServiceDef().getName(), null,
"test-compare-my-tags", null, null, options));
+ RangerPluginContext otherPluginContext = new
RangerPluginContext(new
RangerPluginConfig(myServicePolicies.getServiceDef().getName(), null,
"test-compare-other-tags", null, null, options));
+ RangerPolicyEngineImpl myPolicyEngine = new
RangerPolicyEngineImpl(myServicePolicies, myPluginContext, null);
+ RangerPolicyEngineImpl otherPolicyEngine = new
RangerPolicyEngineImpl(otherServicePolicies, otherPluginContext, null);
isPolicyEnginesEqual =
TestPolicyEngine.compare(myPolicyEngine.getPolicyEngine(),
otherPolicyEngine.getPolicyEngine()) &&
TestPolicyEngine.compare(otherPolicyEngine.getPolicyEngine(),
myPolicyEngine.getPolicyEngine());
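Review bot: `otherPluginContext` is built from `myServicePolicies.getServiceDef().getName()` rather than from `otherServicePolicies`, so if the two policy sets ever carry different service definitions the "other" engine is configured under the wrong service type. If the comparison deliberately assumes both sides share a service def, a short comment above the two context constructions saying so would make the asymmetry intentional; otherwise the second config should start with `otherServicePolicies.getServiceDef().getName()` (with the same null handling the surrounding code applies to `otherServicePolicies`, which is outside this hunk).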
@@ -189,4 +191,4 @@ public class TestPolicyEngineComparison {
return gsonBuilder.fromJson(jsonObj,
RangerAccessResourceImpl.class);
}
}
-}
\ No newline at end of file
+}
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
index 5bd3d23..c07a7ea 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
@@ -28,6 +28,7 @@ import java.util.Map;
import org.apache.commons.collections.MapUtils;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
+import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
import org.apache.ranger.plugin.service.RangerAuthContext;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -51,7 +52,6 @@ public class TestRangerAuthContext {
.create();
plugin = new RangerBasePlugin("hive", "TestRangerAuthContext");
- RangerBasePlugin.getServicePluginMap().put("hivedev", plugin);
}
@AfterClass
@@ -87,26 +87,27 @@ public class TestRangerAuthContext {
for(RangerAuthContextTests.TestCase testCase :
testCases.testCases) {
String testName = testCase.name;
- RangerPluginContext pluginContext = new
RangerPluginContext(testCase.servicePolicies.getServiceDef().getName());
- plugin.setPluginContext(pluginContext);
+
plugin.setPolicies(testCase.servicePolicies);
- RangerAuthContext ctx =
plugin.getCurrentRangerAuthContext();
+ RangerAuthContext ctx =
plugin.getCurrentRangerAuthContext();
Map<RangerContextEnricher, Object> contextEnrichers =
ctx.getRequestContextEnrichers();
+
assertTrue(fileName + "-" + testName + " - Empty
contextEnrichers", MapUtils.isNotEmpty(contextEnrichers) &&
contextEnrichers.size() == 2);
for (Map.Entry<RangerContextEnricher, Object> entry :
contextEnrichers.entrySet()) {
- String contextEnricherName =
entry.getKey().getName();
-
- if
(contextEnricherName.equals("ProjectProvider")) {
- assertTrue(fileName + "-" + testName +
" - Invalid contextEnricher", entry.getValue() instanceof
RangerContextEnricher);
- } else if
(contextEnricherName.equals("TagEnricher")) {
- assertFalse("- Invalid
contextEnricher", entry.getValue() instanceof RangerContextEnricher);
+ RangerContextEnricher enricher =
entry.getKey();
+ String enricherName =
enricher.getName();
+ Object enricherData =
entry.getValue();
+
+ if (enricherName.equals("ProjectProvider")) {
+ assertTrue(fileName + "-" + testName +
" - Invalid contextEnricher", enricherData instanceof RangerContextEnricher);
+ } else if (enricherName.equals("TagEnricher")) {
+ assertTrue("- Invalid contextEnricher",
(enricherData instanceof RangerTagEnricher || enricherData instanceof
RangerTagEnricher.EnrichedServiceTags));
} else {
assertTrue(fileName + "-" + testName +
" - Unexpected type of contextEnricher", false);
}
}
-
}
}
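Review bot: The rewritten `TagEnricher` assertion drops the `fileName + "-" + testName` prefix that the sibling `ProjectProvider` assertion and the `Unexpected type` branch carry, so a failure there cannot be traced to the test case that produced it. Make it `assertTrue(fileName + "-" + testName + " - Invalid contextEnricher", enricherData instanceof RangerTagEnricher || enricherData instanceof RangerTagEnricher.EnrichedServiceTags);` for consistency with the other branches. The `assertTrue(..., false)` in the final `else` is pre-existing but would read better as `fail(...)`.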
diff --git
a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
index c80e4b7..7710385 100644
---
a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
+++
b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
@@ -27,6 +27,7 @@ import java.io.InputStreamReader;
import java.lang.reflect.Type;
import java.util.List;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import
org.apache.ranger.authorization.hbase.TestPolicyEngine.PolicyEngineTestCase.TestData;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.model.RangerPolicy;
@@ -103,8 +104,8 @@ public class TestPolicyEngine {
servicePolicies.setPolicies(testCase.policies);
RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
- RangerPluginContext pluginContext = new
RangerPluginContext("hbase", "cl1", "on-prem");
- RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions,
pluginContext, null);
+ RangerPluginContext pluginContext = new
RangerPluginContext(new RangerPluginConfig("hbase", null, testName, "cl1",
"on-prem", policyEngineOptions));
+ RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, null);
RangerAccessResultProcessor auditHandler = new
RangerDefaultAuditHandler(pluginContext.getConfig());
diff --git
a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
index 405880d..37ac9ea 100644
---
a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
+++
b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
@@ -23,6 +23,7 @@ import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.*;
@@ -72,9 +73,9 @@ public class PerfTestEngine {
servicePolicies = gsonBuilder.fromJson(reader,
ServicePolicies.class);
RangerServiceDef serviceDef =
servicePolicies.getServiceDef();
String serviceType = (serviceDef != null) ?
serviceDef.getName() : "";
- rangerPluginContext = new
RangerPluginContext(serviceType);
+ rangerPluginContext = new RangerPluginContext(new
RangerPluginConfig(serviceType, null, "perf-test", null, null,
policyEngineOptions));
rangerPluginContext.getConfig().addResource(configFileURL);
- policyEvaluationEngine = new
RangerPolicyEngineImpl("perf-test", servicePolicies, policyEngineOptions,
rangerPluginContext, null);
+ policyEvaluationEngine = new
RangerPolicyEngineImpl(servicePolicies, rangerPluginContext, null);
ret = true;
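Review bot: `rangerPluginContext.getConfig().addResource(configFileURL)` now runs after `RangerPluginConfig` has already been constructed with `policyEngineOptions`; if that constructor reads its properties to populate or adjust the options (its hunk is not in this part of the diff), the properties from `configFileURL` arrive too late to affect them. Before this change the options were independent of the config object, so the ordering did not matter. If the constructor does derive option values from properties, the perf-test configuration has to be in place before the config is built, or the affected option fields should be set explicitly after the `addResource` call; if it does not, a one-line comment above `addResource` stating that `configFileURL` supplies only non-option properties would prevent the same question on the next read.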
diff --git
a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
index 684182b..187d202 100644
---
a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
+++
b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
@@ -32,6 +32,7 @@ import java.util.Set;
import java.util.concurrent.CountDownLatch;
import org.apache.commons.lang.text.StrSubstitutor;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
@@ -145,8 +146,8 @@ public class RangerPolicyEnginePerformanceTest {
public void policyEngineTest() throws InterruptedException {
List<RangerAccessRequest> requests =
requestsCache.getUnchecked(concurrency);
ServicePolicies servicePolicies =
servicePoliciesCache.getUnchecked(numberOfPolicies);
- RangerPluginContext pluginContext = new
RangerPluginContext("hive", "cl1", "on-prem");
- final RangerPolicyEngineImpl rangerPolicyEngine = new
RangerPolicyEngineImpl("perf-test", servicePolicies,
RangerPolicyFactory.createPolicyEngineOption(), pluginContext, null);
+ RangerPluginContext pluginContext = new RangerPluginContext(new
RangerPluginConfig("hive", null, "perf-test", "cl1", "on-prem",
RangerPolicyFactory.createPolicyEngineOption()));
+ final RangerPolicyEngineImpl rangerPolicyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, null);
for (int iterations = 0; iterations < WARM_UP__ITERATIONS;
iterations++) {
// using return value of 'isAccessAllowed' with a cheap
operation: System#identityHashCode so JIT wont remove it as dead code
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
index 0581741..29c3604 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
@@ -44,7 +44,7 @@ public interface RangerPolicyAdmin {
long getRoleVersion();
- void setRangerRoles(RangerRoles rangerRoles);
+ void setRoles(RangerRoles roles);
String getServiceName();
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index 5cbb1b2..76dabb4 100644
---
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -30,6 +30,7 @@ import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerSecurityZone;
@@ -60,16 +61,16 @@ public class RangerPolicyAdminCache {
long policyVersion;
long roleVersion;
- RangerRoles rangerRoles;
+ RangerRoles roles;
boolean isRolesUpdated = true;
try {
if (ret == null) {
policyVersion = -1L;
roleVersion = -1L;
- rangerRoles =
roleStore.getRangerRoles(serviceName, roleVersion);
+ roles = roleStore.getRoles(serviceName,
roleVersion);
- if (rangerRoles == null) {
+ if (roles == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("There are no roles
in ranger-admin for service:" + serviceName + "]");
}
@@ -77,10 +78,10 @@ public class RangerPolicyAdminCache {
} else {
policyVersion = ret.getPolicyVersion();
roleVersion = ret.getRoleVersion();
- rangerRoles =
roleStore.getRangerRoles(serviceName, roleVersion);
+ roles = roleStore.getRoles(serviceName,
roleVersion);
- if (rangerRoles == null) { // No changes to
roles
- rangerRoles =
roleStore.getRangerRoles(serviceName, -1L);
+ if (roles == null) { // No changes to roles
+ roles =
roleStore.getRoles(serviceName, -1L);
isRolesUpdated = false;
}
}
@@ -91,7 +92,7 @@ public class RangerPolicyAdminCache {
if (policies.getPolicyVersion() != null &&
!policies.getPolicyVersion().equals(policyVersion)) {
ServicePolicies updatedServicePolicies
= getUpdatedServicePolicies(serviceName, policies, svcStore, zoneStore);
- ret = addOrUpdatePolicyAdmin(ret,
updatedServicePolicies, rangerRoles, options);
+ ret = addOrUpdatePolicyAdmin(ret,
updatedServicePolicies, roles, options);
} else {
LOG.error("policies object is null or
its version is null for getPolicyAdmin(" + serviceName + ") !!");
LOG.error("Returning old policy admin");
@@ -101,7 +102,7 @@ public class RangerPolicyAdminCache {
LOG.error("getPolicyAdmin(" +
serviceName + "): failed to get any policies from service-store");
} else {
if (isRolesUpdated) {
- ret.setRangerRoles(rangerRoles);
+ ret.setRoles(roles);
}
}
}
@@ -112,23 +113,23 @@ public class RangerPolicyAdminCache {
return ret;
}
- private RangerPolicyAdmin addOrUpdatePolicyAdmin(RangerPolicyAdmin
policyAdmin, ServicePolicies policies, RangerRoles rangerRoles,
RangerPolicyEngineOptions options) {
+ private RangerPolicyAdmin addOrUpdatePolicyAdmin(RangerPolicyAdmin
policyAdmin, ServicePolicies policies, RangerRoles roles,
RangerPolicyEngineOptions options) {
final RangerPolicyAdmin ret;
RangerPolicyAdminImpl oldPolicyAdmin =
(RangerPolicyAdminImpl) policyAdmin;
synchronized(this) {
if (oldPolicyAdmin == null ||
CollectionUtils.isEmpty(policies.getPolicyDeltas())) {
- ret = addPolicyAdmin(policies, rangerRoles,
options);
+ ret = addPolicyAdmin(policies, roles, options);
} else {
RangerPolicyAdmin updatedPolicyAdmin =
RangerPolicyAdminImpl.getPolicyAdmin(oldPolicyAdmin, policies);
if (updatedPolicyAdmin != null) {
-
updatedPolicyAdmin.setRangerRoles(rangerRoles);
+ updatedPolicyAdmin.setRoles(roles);
policyAdminCache.put(policies.getServiceName(), updatedPolicyAdmin);
ret = updatedPolicyAdmin;
} else {
- ret = addPolicyAdmin(policies,
rangerRoles, options);
+ ret = addPolicyAdmin(policies, roles,
options);
}
}
@@ -140,11 +141,11 @@ public class RangerPolicyAdminCache {
return ret;
}
- private RangerPolicyAdmin addPolicyAdmin(ServicePolicies policies,
RangerRoles rangerRoles, RangerPolicyEngineOptions options) {
+ private RangerPolicyAdmin addPolicyAdmin(ServicePolicies policies,
RangerRoles roles, RangerPolicyEngineOptions options) {
RangerServiceDef serviceDef =
policies.getServiceDef();
String serviceType = (serviceDef != null)
? serviceDef.getName() : "";
- RangerPluginContext rangerPluginContext = new
RangerPluginContext(serviceType);
- RangerPolicyAdmin ret = new
RangerPolicyAdminImpl("ranger-admin", policies, options, rangerPluginContext,
rangerRoles);
+ RangerPluginContext rangerPluginContext = new
RangerPluginContext(new RangerPluginConfig(serviceType, null, "ranger-admin",
null, null, options));
+ RangerPolicyAdmin ret = new
RangerPolicyAdminImpl(policies, rangerPluginContext, roles);
policyAdminCache.put(policies.getServiceName(), ret);
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 390187b..5e93291 100644
---
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -32,7 +32,6 @@ import
org.apache.ranger.plugin.policyengine.RangerAccessRequestProcessor;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerPolicyRepository;
import org.apache.ranger.plugin.policyengine.RangerTagResource;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
@@ -53,7 +52,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
private static final Log PERF_POLICYENGINE_REQUEST_LOG =
RangerPerfTracer.getPerfLogger("policyengine.request");
- private final PolicyEngine policyEngine;
+ private final PolicyEngine policyEngine;
private final RangerAccessRequestProcessor requestProcessor;
static public RangerPolicyAdmin getPolicyAdmin(final RangerPolicyAdminImpl
other, final ServicePolicies servicePolicies) {
@@ -61,20 +60,22 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
if (other != null && servicePolicies != null) {
PolicyEngine policyEngine =
other.policyEngine.cloneWithDelta(servicePolicies);
+
if (policyEngine != null) {
ret = new RangerPolicyAdminImpl(policyEngine);
}
}
+
return ret;
}
- RangerPolicyAdminImpl(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext,
RangerRoles rangerRoles) {
- policyEngine = new PolicyEngine(appId, servicePolicies, options,
rangerPluginContext, rangerRoles);
+ RangerPolicyAdminImpl(ServicePolicies servicePolicies, RangerPluginContext
pluginContext, RangerRoles roles) {
+ this.policyEngine = new PolicyEngine(servicePolicies,
pluginContext, roles);
this.requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
}
private RangerPolicyAdminImpl(final PolicyEngine policyEngine) {
- this.policyEngine = policyEngine;
+ this.policyEngine = policyEngine;
this.requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
}
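Review bot: The new constructor `RangerPolicyAdminImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles)` hands `pluginContext` straight to `new PolicyEngine(...)` without a null check, whereas the sibling factory `getPolicyAdmin` guards both of its arguments. Since the engine now presumably obtains the app id and options from the context instead of from the explicit parameters that were removed, a null context would likely surface as an NPE somewhere inside PolicyEngine rather than at the call site. A fail-fast `this.policyEngine = new PolicyEngine(servicePolicies, Objects.requireNonNull(pluginContext, "pluginContext"), roles);` (with `java.util.Objects` imported) would pin the failure to this constructor. RangerPolicyAdminCache.addPolicyAdmin always passes a freshly built context, so this is defensive rather than a fix for a known caller.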
@@ -83,8 +84,8 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyAdminImpl.isAccessAllowed(" + resource
+ ", " + user + ", " + userGroups + ", " + accessType + ")");
}
- boolean ret = false;
+ boolean ret = false;
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG))
{
@@ -94,7 +95,6 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
final RangerPolicyRepository matchedRepository =
policyEngine.getRepositoryForMatchedZone(resource);
if (matchedRepository != null) {
-
Set<String> roles = getRolesFromUserAndGroups(user, userGroups);
for (RangerPolicyEvaluator evaluator :
matchedRepository.getLikelyMatchPolicyEvaluators(resource,
RangerPolicy.POLICY_TYPE_ACCESS)) {
@@ -104,6 +104,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
if (LOG.isDebugEnabled()) {
LOG.debug("Access granted by policy:[" +
evaluator.getPolicy() + "]");
}
+
break;
}
}
@@ -125,8 +126,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
LOG.debug("==> RangerPolicyAdminImpl.isAccessAllowed(" +
policy.getId() + ", " + user + ", " + userGroups + ", " + roles + ", " +
accessType + ")");
}
- boolean ret = false;
-
+ boolean ret = false;
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG))
{
@@ -136,7 +136,6 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
final RangerPolicyRepository matchedRepository =
policyEngine.getRepositoryForMatchedZone(policy);
if (matchedRepository != null) {
-
for (RangerPolicyEvaluator evaluator :
matchedRepository.getPolicyEvaluators()) {
ret = evaluator.isAccessAllowed(policy, user, userGroups,
roles, accessType);
@@ -161,8 +160,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
LOG.debug("==> RangerPolicyAdminImpl.getExactMatchPolicies(" +
resource + ", " + evalContext + ")");
}
- List<RangerPolicy> ret = null;
-
+ List<RangerPolicy> ret = null;
RangerPolicyRepository policyRepository =
policyEngine.getRepositoryForMatchedZone(resource);
if (policyRepository != null) {
@@ -190,8 +188,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
LOG.debug("==> RangerPolicyAdminImpl.getExactMatchPolicies(" +
policy + ", " + evalContext + ")");
}
- List<RangerPolicy> ret = null;
-
+ List<RangerPolicy> ret = null;
RangerPolicyRepository policyRepository =
policyEngine.getRepositoryForMatchedZone(policy);
if (policyRepository != null) {
@@ -240,8 +237,8 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
public String getServiceName() { return policyEngine.getServiceName(); }
@Override
- public void setRangerRoles(RangerRoles rangerRoles) {
- policyEngine.setRangerRoles(rangerRoles);
+ public void setRoles(RangerRoles roles) {
+ policyEngine.setRoles(roles);
}
@Override
@@ -256,8 +253,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
LOG.debug("==>
RangerPolicyAdminImpl.isAccessAllowedByUnzonedPolicies(" + resources + ", " +
user + ", " + userGroups + ", " + accessType + ")");
}
- boolean ret = false;
-
+ boolean ret = false;
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG))
{
@@ -293,7 +289,6 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
List<RangerPolicy> ret = new ArrayList<>();
-
// TODO: run through evaluator in tagPolicyRepository as well
for (RangerPolicyEvaluator evaluator :
policyEngine.getPolicyRepository().getPolicyEvaluators()) {
RangerPolicy policy = evaluator.getPolicy();
@@ -323,36 +318,34 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
LOG.debug("==> RangerPolicyAdminImpl.getMatchingPolicies(" +
resource + ", " + accessType + ")");
}
- List<RangerPolicy> ret = new ArrayList<>();
-
+ List<RangerPolicy> ret = new ArrayList<>();
RangerAccessRequestImpl request = new
RangerAccessRequestImpl(resource, accessType, null, null);
- requestProcessor.preProcess(request);
- String zoneName = policyEngine.getMatchedZoneName(resource);
+ requestProcessor.preProcess(request);
+ String zoneName =
policyEngine.getMatchedZoneName(resource);
final RangerPolicyRepository matchedRepository =
policyEngine.getRepositoryForMatchedZone(resource);
if (matchedRepository != null) {
-
if
(policyEngine.hasTagPolicies(policyEngine.getTagPolicyRepository())) {
-
Set<RangerTagForEval> tags =
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
if (CollectionUtils.isNotEmpty(tags)) {
-
final boolean useTagPoliciesFromDefaultZone =
!policyEngine.isResourceZoneAssociatedWithTagService(zoneName);
for (RangerTagForEval tag : tags) {
- RangerAccessResource tagResource = new
RangerTagResource(tag.getType(),
policyEngine.getTagPolicyRepository().getServiceDef());
+ RangerAccessResource tagResource = new
RangerTagResource(tag.getType(),
policyEngine.getTagPolicyRepository().getServiceDef());
List<RangerPolicyEvaluator> likelyEvaluators =
policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tagResource);
for (RangerPolicyEvaluator evaluator :
likelyEvaluators) {
String policyZoneName =
evaluator.getPolicy().getZoneName();
+
if (useTagPoliciesFromDefaultZone) {
if (StringUtils.isNotEmpty(policyZoneName)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" +
policyZoneName + "] does not belong to default zone. Not evaluating this
policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
} else {
@@ -360,10 +353,13 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" +
policyZoneName + "] does not belong to the zone:[" + zoneName + "] of the
accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
}
+
RangerPolicyResourceMatcher matcher =
evaluator.getPolicyResourceMatcher();
+
if (matcher != null &&
(request.isAccessTypeAny() ?
matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)
: matcher.isMatch(tagResource, null))) {
ret.add(evaluator.getPolicy());
@@ -380,6 +376,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
for (RangerPolicyEvaluator evaluator : likelyEvaluators) {
RangerPolicyResourceMatcher matcher =
evaluator.getPolicyResourceMatcher();
+
if (matcher != null &&
(request.isAccessTypeAny() ?
matcher.isMatch(request.getResource(),
RangerPolicyResourceMatcher.MatchScope.ANY, null) :
matcher.isMatch(request.getResource(), null))) {
ret.add(evaluator.getPolicy());
@@ -392,8 +389,8 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyAdminImpl.getMatchingPolicies(" +
resource + ", " + accessType + ") : " + ret.size());
}
+
return ret;
}
-
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
index 99a0d3e..ec4615d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
@@ -266,12 +266,12 @@ public class RoleDBStore implements RoleStore {
}
@Override
- public RangerRoles getRangerRoles(String serviceName, Long
lastKnownRoleVersion) throws Exception {
+ public RangerRoles getRoles(String serviceName, Long lastKnownRoleVersion)
throws Exception {
RangerRoles ret = null;
Long rangerRoleVersionInDB = getRoleVersion(serviceName);
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RoleDBStore.getRangerRoles() lastKnownRoleVersion=
" + lastKnownRoleVersion + " rangerRoleVersionInDB= " + rangerRoleVersionInDB);
+ LOG.debug("==> RoleDBStore.getRoles() lastKnownRoleVersion= " +
lastKnownRoleVersion + " rangerRoleVersionInDB= " + rangerRoleVersionInDB);
}
if (rangerRoleVersionInDB != null) {
@@ -279,7 +279,7 @@ public class RoleDBStore implements RoleStore {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<= RoleDBStore.getRangerRoles() lastKnownRoleVersion= "
+ lastKnownRoleVersion + " rangerRoleVersionInDB= " + rangerRoleVersionInDB + "
RangerRoles= " + ret);
+ LOG.debug("<= RoleDBStore.getRoles() lastKnownRoleVersion= " +
lastKnownRoleVersion + " rangerRoleVersionInDB= " + rangerRoleVersionInDB + "
RangerRoles= " + ret);
}
return ret;
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/RangerRoleCache.java
b/security-admin/src/main/java/org/apache/ranger/common/RangerRoleCache.java
index 4b17ef0..0b94c19 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/RangerRoleCache.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/RangerRoleCache.java
@@ -39,11 +39,12 @@ public class RangerRoleCache {
private static final int MAX_WAIT_TIME_FOR_UPDATE = 10;
- public static volatile RangerRoleCache sInstance = null;
- private final int waitTimeInSeconds;
- final ReentrantLock lock = new ReentrantLock();
+ private static volatile RangerRoleCache sInstance = null;
- RangerRoleCacheWrapper rangerRoleCacheWrapper = null;
+ private final int waitTimeInSeconds;
+ private final ReentrantLock lock = new ReentrantLock();
+
+ RangerRoleCacheWrapper roleCacheWrapper = null;
public static RangerRoleCache getInstance() {
if (sInstance == null) {
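Review bot: `RangerRoleCacheWrapper roleCacheWrapper = null;` stays package-private and non-volatile while the neighbouring `sInstance`, `waitTimeInSeconds` and `lock` fields are tightened to `private` in this hunk. The field is reassigned in `getLatestRangerRoleOrCached` on the singleton that `getInstance()` hands to every caller, and that assignment precedes the call that appears to take the `ReentrantLock`, so concurrent callers may each install their own wrapper and observe stale references; I have not traced whether callers serialize access externally. At minimum `private volatile RangerRoleCacheWrapper roleCacheWrapper = null;` would make the field consistent with its siblings and make the reassignment visible across threads.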
@@ -63,42 +64,43 @@ public class RangerRoleCache {
}
public RangerRoles getLatestRangerRoleOrCached(String serviceName,
RoleDBStore roleDBStore, Long lastKnownRoleVersion, Long rangerRoleVersionInDB)
throws Exception {
- RangerRoles ret = null;
+ final RangerRoles ret;
if (lastKnownRoleVersion == null ||
!lastKnownRoleVersion.equals(rangerRoleVersionInDB)) {
- rangerRoleCacheWrapper = new RangerRoleCacheWrapper();
- ret =
rangerRoleCacheWrapper.getLatestRangerRoles(serviceName, roleDBStore,
lastKnownRoleVersion, rangerRoleVersionInDB);
+ roleCacheWrapper = new RangerRoleCacheWrapper();
+ ret =
roleCacheWrapper.getLatestRangerRoles(serviceName, roleDBStore,
lastKnownRoleVersion, rangerRoleVersionInDB);
} else if (lastKnownRoleVersion.equals(rangerRoleVersionInDB)) {
ret = null;
} else {
- ret = rangerRoleCacheWrapper.getRangerRoles();
+ ret = roleCacheWrapper.getRoles();
}
return ret;
}
private class RangerRoleCacheWrapper {
- RangerRoles rangerRoles;
- Long rangerRoleVersion;
+ RangerRoles roles;
+ Long rolesVersion;
RangerRoleCacheWrapper() {
- this.rangerRoles = null;
- this.rangerRoleVersion = -1L;
+ this.roles = null;
+ this.rolesVersion = -1L;
}
- public RangerRoles getRangerRoles() {
- return this.rangerRoles;
+ public RangerRoles getRoles() {
+ return this.roles;
}
- public Long getRangerRoleVersion() {
- return this.rangerRoleVersion;
+ public Long getRolesVersion() {
+ return this.rolesVersion;
}
- public RangerRoles getLatestRangerRoles(String serviceName,
RoleDBStore roleDBStore, Long lastKnownRoleVersion, Long rangerRoleVersionInDB)
throws Exception {
- RangerRoles ret = null;
- boolean lockResult = false;
+ public RangerRoles getLatestRangerRoles(String serviceName,
RoleDBStore roleDBStore, Long lastKnownRoleVersion, Long rolesVersionInDB)
throws Exception {
+ RangerRoles ret = null;
+ boolean lockResult = false;
+
if (LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerRoleCache.getLatestRangerRoles(ServiceName= " + serviceName + "
lastKnownRoleVersion= " + lastKnownRoleVersion + " rangerRoleVersionInDB= " +
rangerRoleVersionInDB + ")");
+ LOG.debug("==>
RangerRoleCache.getLatestRangerRoles(ServiceName= " + serviceName + "
lastKnownRoleVersion= " + lastKnownRoleVersion + " rolesVersionInDB= " +
rolesVersionInDB + ")");
}
try {
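Review bot: The `else` branch that now reads `ret = roleCacheWrapper.getRoles();` is unreachable: the first `if` tests `lastKnownRoleVersion == null || !lastKnownRoleVersion.equals(rangerRoleVersionInDB)`, so whenever control reaches the `else if`, `lastKnownRoleVersion.equals(rangerRoleVersionInDB)` is necessarily true and the final `else` can never execute. The rename is correct but preserves dead code, and the cached roles held by the wrapper are never served through this method. If the intended behaviour is "unchanged version → null, otherwise refresh", the chain can be reduced to the `if` plus `} else { ret = null; }`; if the cached roles were meant to be returned in some case, the conditions need reordering rather than renaming.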
@@ -106,17 +108,19 @@ public class RangerRoleCache {
if (lockResult) {
// We are getting all the Roles to be
downloaded for now. Should do downloades for each service based on what roles
are there in the policies.
- SearchFilter searchFilter = null;
- final Set<RangerRole> rangerRoleInDB =
new HashSet<>(roleDBStore.getRoles(searchFilter));
+ SearchFilter searchFilter =
null;
+ final Set<RangerRole> rolesInDB =
new HashSet<>(roleDBStore.getRoles(searchFilter));
Date updateTime = new Date();
- if (rangerRoleInDB != null) {
+ if (rolesInDB != null) {
ret = new RangerRoles();
-
ret.setRangerRoles(rangerRoleInDB);
+
+ ret.setRangerRoles(rolesInDB);
ret.setRoleUpdateTime(updateTime);
-
ret.setRoleVersion(rangerRoleVersionInDB);
- rangerRoleVersion =
rangerRoleVersionInDB;
+
ret.setRoleVersion(rolesVersionInDB);
+
+ rolesVersion = rolesVersionInDB;
} else {
LOG.error("Could not get Ranger
Roles from database ...");
}
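Review bot: `if (rolesInDB != null)` can never be false: `rolesInDB` is the result of `new HashSet<>(roleDBStore.getRoles(searchFilter))`, and `HashSet(Collection)` throws a NullPointerException on a null argument before the check is reached, so the `else` branch that logs "Could not get Ranger Roles from database ..." is dead and a null return from the store would instead propagate as an unchecked exception. If `getRoles(SearchFilter)` can return null, test the raw result first: `final Collection<RangerRole> fromDb = roleDBStore.getRoles(searchFilter); if (fromDb != null) { final Set<RangerRole> rolesInDB = new HashSet<>(fromDb); … }` (using whatever collection type `getRoles` actually declares); if it cannot, drop the check and the dead `else`. The enclosing `getLatestRangerRoles` method begins outside this hunk.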
@@ -124,7 +128,7 @@ public class RangerRoleCache {
if (LOG.isDebugEnabled()) {
LOG.debug("Could not get lock
in [" + waitTimeInSeconds + "] seconds, returning cached RangerRoles");
}
- ret = getRangerRoles();
+ ret = getRoles();
}
} catch (InterruptedException exception) {
LOG.error("RangerRoleCache.getLatestRangerRoles:lock got interrupted..",
exception);
@@ -135,8 +139,9 @@ public class RangerRoleCache {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerRoleCache.getLatestRangerRoles(ServiceName= " + serviceName + "
lastKnownRoleVersion= " + lastKnownRoleVersion + " rangerRoleVersionInDB= " +
rangerRoleVersionInDB + " RangerRoles= " + ret + ")");
+ LOG.debug("<==
RangerRoleCache.getLatestRangerRoles(ServiceName= " + serviceName + "
lastKnownRoleVersion= " + lastKnownRoleVersion + " rolesVersionInDB= " +
rolesVersionInDB + " RangerRoles= " + ret + ")");
}
+
return ret;
}
}
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index fdda883..9b225a3 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -730,15 +730,15 @@ public class RoleREST {
lastKnownRoleVersion = Long.valueOf(-1);
}
try {
- RangerRoles rangerRoles =
roleStore.getRangerRoles(serviceName, lastKnownRoleVersion);
- if (rangerRoles == null) {
+ RangerRoles roles = roleStore.getRoles(serviceName,
lastKnownRoleVersion);
+ if (roles == null) {
downloadedVersion = lastKnownRoleVersion;
httpCode = HttpServletResponse.SC_NOT_MODIFIED;
logMsg = "No change since last update";
} else {
- downloadedVersion = rangerRoles.getRoleVersion();
- rangerRoles.setServiceName(serviceName);
- ret = rangerRoles;
+ downloadedVersion = roles.getRoleVersion();
+ roles.setServiceName(serviceName);
+ ret = roles;
httpCode = HttpServletResponse.SC_OK;
logMsg = "Returning RangerRoles =>" + (ret.toString());
}
@@ -827,15 +827,15 @@ public class RoleREST {
}
if (isAllowed) {
- RangerRoles rangerRoles =
roleStore.getRangerRoles(serviceName, lastKnownRoleVersion);
- if (rangerRoles == null) {
+ RangerRoles roles = roleStore.getRoles(serviceName,
lastKnownRoleVersion);
+ if (roles == null) {
downloadedVersion = lastKnownRoleVersion;
httpCode = HttpServletResponse.SC_NOT_MODIFIED;
logMsg = "No change since last update";
} else {
- downloadedVersion = rangerRoles.getRoleVersion();
- rangerRoles.setServiceName(serviceName);
- ret = rangerRoles;
+ downloadedVersion = roles.getRoleVersion();
+ roles.setServiceName(serviceName);
+ ret = roles;
httpCode = HttpServletResponse.SC_OK;
logMsg = "Returning RangerRoles =>" + (ret.toString());
}
diff --git
a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
index cb0dcc4..4562e7a 100644
--- a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
+++ b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
@@ -192,7 +192,7 @@ public class TestAuditQueue {
props.put(propPrefix + "." + BaseAuditHandler.PROP_CLASS_NAME,
TestConsumer.class.getName());
- AuditProviderFactory factory = new AuditProviderFactory();
+ AuditProviderFactory factory =
AuditProviderFactory.getInstance();
factory.init(props, "test");
AuditQueue queue = (AuditQueue) factory.getAuditProvider();
BaseAuditHandler consumer = (BaseAuditHandler)
queue.getConsumer();
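Review bot: Replacing `new AuditProviderFactory()` with `AuditProviderFactory.getInstance()` makes this test configure a process-wide singleton through `factory.init(props, "test")`, so the queue and consumer obtained afterwards are shared state rather than an instance private to the test. If any other test in TestAuditQueue, or elsewhere in the same JVM fork, also calls `getInstance()` and `init`, test order now matters and a later `init` may replace the provider an earlier test is still asserting on; the rest of the class is not visible here to confirm. Capturing the provider immediately after `init` (as the hunk does) and resetting or shutting the factory down in the test's teardown would limit the leakage, or keep a per-test instance if the constructor remains accessible. The enclosing test method starts and ends outside this hunk.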
diff --git
a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
index 9ac7f24..7416fe4 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
@@ -29,6 +29,7 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -118,8 +119,8 @@ public class TestPolicyDb {
policyEngineOptions.disableContextEnrichers = true;
policyEngineOptions.disableCustomConditions = true;
- RangerPluginContext pluginContext = new
RangerPluginContext("hive", "cl1", "on-prem");
- RangerPolicyAdmin policyAdmin = new
RangerPolicyAdminImpl("test-policydb", testCase.servicePolicies,
policyEngineOptions, pluginContext, null);
+ RangerPluginContext pluginContext = new RangerPluginContext(new
RangerPluginConfig("hive", null, "test-policydb", "cl1", "on-prem",
policyEngineOptions));
+ RangerPolicyAdmin policyAdmin = new
RangerPolicyAdminImpl(testCase.servicePolicies, pluginContext, null);
for(TestData test : testCase.tests) {
boolean expected = test.result;