This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 75bd661410ad6e4463e7aad68622cf4ca7aac5a0
Author: Dhaval Shah <[email protected]>
AuthorDate: Wed Jan 29 17:57:46 2020 +0530
RANGER-2712 : Revisit privileges for rangerlookup user in default policies
Signed-off-by: Pradeep <[email protected]>
---
 .../ranger/plugin/service/RangerBaseService.java | 15 ++++-----
 .../ranger/services/hbase/RangerServiceHBase.java | 34 ++++++++++++++++++++
 .../ranger/services/hdfs/RangerServiceHdfs.java | 12 +++++++
 .../ranger/services/hive/RangerServiceHive.java | 10 ++++++
 .../ranger/services/knox/RangerServiceKnox.java | 29 +++++++++++++++++
 .../ranger/services/atlas/RangerServiceAtlas.java | 11 +++++++
 .../ranger/services/kafka/RangerServiceKafka.java | 14 ++++++++
 .../ranger/services/kms/RangerServiceKMS.java | 11 +++++++
 .../nifi/registry/RangerServiceNiFiRegistry.java | 35 ++++++++++++++++++++
 .../ranger/services/nifi/RangerServiceNiFi.java | 37 ++++++++++++++++++++++
 .../ranger/services/ozone/RangerServiceOzone.java | 28 ++++++++++++++++
 .../ranger/services/solr/RangerServiceSolr.java | 29 +++++++++++++++++
 .../ranger/services/yarn/RangerServiceYarn.java | 14 ++++++++
 13 files changed, 270 insertions(+), 9 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
index 23f5a22..336911a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
@@ -65,11 +65,16 @@ public abstract class RangerBaseService {
 protected Map<String, String> configs;
 protected String serviceName;
 protected String serviceType;
+ protected String lookUpUser;
- private final RangerAdminConfig config;
+ protected final RangerAdminConfig config;
 public RangerBaseService() {
 this.config = RangerAdminConfig.getInstance();
+ String authType = config.get(RANGER_AUTH_TYPE,"simple");
+ String lookupPrincipal = config.get(LOOKUP_PRINCIPAL);
+ String lookupKeytab = config.get(LOOKUP_KEYTAB);
+ lookUpUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
 }
 public void init(RangerServiceDef serviceDef, RangerService service) {
@@ -433,15 +438,7 @@ public abstract class RangerBaseService {
 }
 }
 }
- String authType = config.get(RANGER_AUTH_TYPE,"simple");
- String lookupPrincipal = config.get(LOOKUP_PRINCIPAL);
- String lookupKeytab = config.get(LOOKUP_KEYTAB);
- String lookUpUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
-
- if (StringUtils.isNotBlank(lookUpUser)) {
- uniqueUsers.add(lookUpUser);
- }
 ret.addAll(uniqueUsers);
 return ret;
 }
diff --git a/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java b/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java
index 01b97ea..74188d2 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java
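Review bot: `lookUpUser` is assigned exactly once, in the constructor, and is then only read by subclasses, so it should be declared `protected final String lookUpUser;` to make that contract explicit; by contrast nothing in the subclass hunks of this commit reads `config`, so its widening from `private` to `protected` is not needed by this change and `private` could stay. The constructor now calls `getLookupUser(authType, lookupPrincipal, lookupKeytab)` before any subclass constructor has run; if that method is an overridable instance method (its declaration is outside the hunk) an override would observe a partially constructed object. The second hunk removes the base-class grant of `lookUpUser` to the default policies, so any RangerBaseService subclass not updated in this commit now emits default policies with no lookup-user entry at all, which will break resource lookup for that service type until it adds its own `getDefaultRangerPolicies()` override. A Javadoc on the field such as `/** Identity Ranger uses for resource lookup; subclasses must grant it the minimum access needed in getDefaultRangerPolicies(), the base class no longer does. */` would record that responsibility where the next implementer will see it.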
@@ -19,22 +19,29 @@
 package org.apache.ranger.services.hbase;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.hbase.client.HBaseResourceMgr;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 public class RangerServiceHBase extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceHBase.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_CREATE = "create";
 public RangerServiceHBase() {
 super();
@@ -46,6 +53,33 @@ public class RangerServiceHBase extends RangerBaseService {
 }
 @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceHbase.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_CREATE));
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceHbase.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
+
+
+ @Override
 public Map<String,Object> validateConfig() throws Exception {
 Map<String, Object> ret = new HashMap<String, Object>();
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
index f89d14b..5354636 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
@@ -19,6 +19,7 @@
 package org.apache.ranger.services.hdfs;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
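Review bot: The two debug messages in the new `getDefaultRangerPolicies()` spell the class `RangerServiceHbase` while the class is `RangerServiceHBase`; `LOG.debug("==> RangerServiceHBase.getDefaultRangerPolicies()")` and its `<==` twin keep log output consistent with the other services touched here. The block that builds `policyItemForLookupUser` (singleton user list, access list, `setDelegateAdmin(false)`, append to the policy) is repeated nearly verbatim in the HDFS, Hive, Knox, Atlas, Kafka, KMS, NiFi Registry, NiFi, Ozone, Solr and YARN hunks, differing only in the access types; a protected helper on RangerBaseService that takes the policy and a list of access-type names would keep the grant logic and the `StringUtils.isNotBlank(lookUpUser)` guard in one reviewable place. `defaultPolicy.getName().contains("all")` is a substring match, so any default policy whose name merely contains "all" also receives the lookup-user item; if the base class names these policies with an `all - ` prefix, `startsWith` would be the tighter check.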
@@ -27,6 +28,8 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer;
 import org.apache.ranger.plugin.client.HadoopException;
 import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -43,6 +46,7 @@ public class RangerServiceHdfs extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceHdfs.class);
 private static final String AUDITTOHDFS_KMS_PATH = "/ranger/audit/kms";
 private static final String AUDITTOHDFS_POLICY_NAME = "kms-audit-path";
+ public static final String ACCESS_TYPE_READ = "read";
 public RangerServiceHdfs() {
 super();
@@ -116,6 +120,14 @@ public class RangerServiceHdfs extends RangerBaseService {
 for (RangerPolicy defaultPolicy : ret) {
 if(defaultPolicy.getName().contains("all")){
+ if (StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+
 RangerPolicy.RangerPolicyResource pathPolicyResource = defaultPolicy.getResources().get(pathResourceName);
 if (pathPolicyResource != null) {
 List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
diff --git a/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java b/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java
index dc6ba63..dbec221 100644
--- a/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java
+++ b/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java
@@ -36,6 +36,7 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.hive.client.HiveResourceMgr;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -49,6 +50,7 @@ public class RangerServiceHive extends RangerBaseService {
 public static final String RESOURCE_COLUMN = "column";
 public static final String ACCESS_TYPE_CREATE = "create";
 public static final String ACCESS_TYPE_SELECT = "select";
+ public static final String ACCESS_TYPE_READ = "read";
 public static final String ACCESS_TYPE_ALL = "all";
 public static final String WILDCARD_ASTERISK = "*";
@@ -124,6 +126,14 @@ public class RangerServiceHive extends RangerBaseService {
 for (RangerPolicy defaultPolicy : ret) {
 final Map<String, RangerPolicyResource> policyResources = defaultPolicy.getResources();
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+
 if (policyResources.size() == 1 && hasWildcardAsteriskResource(policyResources, RESOURCE_DATABASE)) {
 // policy for all databases
 RangerPolicyItem policyItemPublic = new RangerPolicyItem();
diff --git a/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java b/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java
index b72e776..5ca7fcd 100644
--- a/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java
+++ b/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java
@@ -19,21 +19,27 @@
 package org.apache.ranger.services.knox;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.knox.client.KnoxResourceMgr;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 public class RangerServiceKnox extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceKnox.class);
+ public static final String ACCESS_TYPE_ALLOW = "allow";
 public RangerServiceKnox() {
 super();
@@ -66,6 +72,29 @@ public class RangerServiceKnox extends RangerBaseService {
 }
 @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceKnox.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_ALLOW)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceKnox.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
+
+ @Override
 public List<String> lookupResource(ResourceLookupContext context) throws Exception {
 List<String> ret = new ArrayList<String>();
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index 77a626e..e6b8456 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -155,8 +155,10 @@ public class RangerServiceAtlas extends RangerBaseService {
 List<RangerPolicy> ret = super.getDefaultRangerPolicies();
 String adminUser = getStringConfig("atlas.admin.user", ADMIN_USERNAME_DEFAULT);
 String tagSyncUser = getStringConfig("atlas.rangertagsync.user", TAGSYNC_USERNAME_DEFAULT);
+ boolean relationshipTypeAllowPublic = getBooleanConfig("atlas.default-policy.relationship-type.allow.public", true);
+
 for (RangerPolicy defaultPolicy : ret) {
 final Map<String, RangerPolicyResource> policyResources = defaultPolicy.getResources();
@@ -185,6 +187,15 @@ public class RangerServiceAtlas extends RangerBaseService {
 }
 }
+ if (defaultPolicy.getName().contains("all")
+ && policyResources.containsKey(RangerServiceAtlas.RESOURCE_ENTITY_TYPE)
+ && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_READ)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
 }
 //4.add new policy for public group with entity-read, entity-create, entity-update, entity-delete for __AtlasUserProfile, __AtlasUserSavedSearch entity type
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
index cf5da97..4e7163a 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
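Review bot: `relationshipTypeAllowPublic` is read from `atlas.default-policy.relationship-type.allow.public` in the first hunk but never referenced afterwards: the diffstat records 11 added and 0 removed lines for this file and the two hunks account for all eleven, so nothing in this commit consumes it. As merged the property is an inert knob that an operator may set expecting a change in the generated relationship-type policy; either wire it into that policy's construction or drop the line until the logic that uses it lands. The lookup-user grant in the second hunk is well scoped (`entity-read` only, and only on "all" policies carrying an entity-type resource), which is the shape the other services would benefit from; the enclosing `for` loop opens in the first hunk and closes past the second.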
@@ -19,12 +19,15 @@
 package org.apache.ranger.services.kafka;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.service.RangerBaseService;
@@ -38,6 +41,7 @@ import static org.apache.ranger.plugin.policyengine.RangerPolicyEngine.GROUP_PUB
 public class RangerServiceKafka extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceKafka.class);
+ public static final String ACCESS_TYPE_CONSUME = "consume";
 public RangerServiceKafka() {
 super();
@@ -120,6 +124,16 @@ public class RangerServiceKafka extends RangerBaseService {
 }
 }
 }
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(
+ new RangerPolicyItemAccess(ACCESS_TYPE_CONSUME)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
 if (LOG.isDebugEnabled()) {
 LOG.debug("<== RangerServiceKafka.getDefaultRangerPolicies() ");
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index 96ab449..d33d608 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
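Review bot: The new `for (RangerPolicy defaultPolicy : ret)` in the third hunk is a second pass over the same list immediately after the loop that closes on the three `}` context lines above it, so the lookup-user item could be appended inside the existing iteration rather than in a fresh loop. If the separate pass is deliberate, a one-line comment such as `// grant the lookup user consume on the "all" policies; kept separate from the public-group items above` would make that intent visible, since a reader otherwise has to diff the two loop bodies. The `StringUtils.isNotBlank(lookUpUser)` guard is consistent with the other services, and `StringUtils` is already a context-line import here so no new import is needed; the enclosing `getDefaultRangerPolicies()` starts and ends outside the hunk.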
@@ -18,6 +18,7 @@
 package org.apache.ranger.services.kms;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -25,6 +26,8 @@ import java.util.Map;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.kms.client.KM SResourceMgr;
@@ -39,6 +42,7 @@ public class RangerServiceKMS extends RangerBaseService {
 public static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek";
 public static final String ACCESS_TYPE_GENERATE_EEK = "generateeek";
 public static final String ACCESS_TYPE_GET_METADATA = "getmetadata";
+ public static final String ACCESS_TYPE_GET = "get";
 public RangerServiceKMS() {
 super();
@@ -124,6 +128,13 @@ public class RangerServiceKMS extends RangerBaseService {
 }
 for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_GET)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
 List<RangerPolicy.RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems();
 for (RangerPolicy.RangerPolicyItem item : policyItems) {
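Review bot: The lookup user is granted `get` on the "all" policies; in the KMS access model `get` is the operation that returns key versions and the current key (key material), while enumerating key names is the separate `getkeys` operation, which is what a resource lookup for the policy UI needs. If the KMS service definition exposes `getkeys` as an access type (it mirrors the KMS `GET_KEYS` ACL), that is the least-privilege grant and `get` should not be given to the lookup identity; if `get` is genuinely what KMSResourceMgr's lookup path requires (not visible here), a comment beside `ACCESS_TYPE_GET` explaining which call needs it would stop a later reviewer from tightening it blindly. `StringUtils` is used in the fourth hunk but this file's hunks add no import for it, so it must already be imported above line 18 for the change to compile. The enclosing `for` and `getDefaultRangerPolicies()` continue outside the hunk.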
diff --git a/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java b/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java
index 21587c7..7bcfb7b 100644
--- a/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java
+++ b/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java
@@ -18,13 +18,19 @@
 */
 package org.apache.ranger.services.nifi.registry;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.nifi.registry.client.NiFiRegistryClient;
 import org.apache.ranger.services.nifi.registry.client.NiFiRegistryConnectionMgr;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -34,6 +40,35 @@ import java.util.List;
 public class RangerServiceNiFiRegistry extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceNiFiRegistry.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_WRITE = "write";
+ public static final String ACCESS_TYPE_DELETE = "delete";
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceNiFiRegistry.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_WRITE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_DELETE));
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceNiFiRegistry.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
 @Override
 public HashMap<String, Object> validateConfig() throws Exception {
diff --git a/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java b/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java
index 4f38f42..376530d 100644
--- a/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java
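Review bot: The lookup user is granted `read`, `write` and `delete` on every "all" policy here and again in the RangerServiceNiFi hunk, which is the widest grant in a commit whose purpose is to narrow the lookup identity's privileges. Resource lookup only enumerates resources, so unless NiFiRegistryClient's lookup call requires mutation rights (its implementation is not visible here), `read` alone is the minimal grant and the `write` and `delete` entries in `accessListForLookupUser` should go; if they are genuinely required, a comment at the access list naming the call that needs them would let a reviewer verify that instead of widening by default. The new method also lacks the blank line before `@Override` that the other services keep, and `defaultPolicy.getName().contains("all")` is a substring match that may land on more policies than the "all - …" defaults.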
+++ b/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java
@@ -18,13 +18,19 @@
 */
 package org.apache.ranger.services.nifi;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.nifi.client.NiFiClient;
 import org.apache.ranger.services.nifi.client.NiFiConnectionMgr;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -34,6 +40,37 @@ import java.util.List;
 public class RangerServiceNiFi extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceNiFi.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_WRITE = "write";
+ public static final String ACCESS_TYPE_DELETE = "delete";
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceNiFi.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_WRITE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_DELETE));
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceNiFi.getDefaultRangerPolicies()");
+ }
+
+ return ret;
+ }
 @Override
 public HashMap<String, Object> validateConfig() throws Exception {
diff --git a/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java b/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java
index 25bffc4..e16b5db 100644
--- a/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java
+++ b/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java
@@ -19,17 +19,21 @@
 package org.apache.ranger.services.ozone;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.client.HadoopException;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.ozone.client.OzoneResourceMgr;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -37,6 +41,13 @@ import java.util.Map;
 public class RangerServiceOzone extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceOzone.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_WRITE = "write";
+ public static final String ACCESS_TYPE_CREATE = "create";
+ public static final String ACCESS_TYPE_LIST = "list";
+ public static final String ACCESS_TYPE_DELETE = "delete";
+ public static final String ACCESS_TYPE_ALL = "all";
+
 public RangerServiceOzone() {
 super();
@@ -102,6 +113,23 @@ public class RangerServiceOzone extends RangerBaseService {
 List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_WRITE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_CREATE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_LIST));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_DELETE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_ALL));
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
 if (LOG.isDebugEnabled()) {
 LOG.debug("<== RangerServiceOzone.getDefaultRangerPolicies() : " + ret);
 }
diff --git a/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java b/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java
index 6477af7..eb567b1 100644
--- a/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java
+++ b/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java
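Review bot: `ACCESS_TYPE_ALL` already subsumes the other five entries in `accessListForLookupUser`, so the lookup user ends up with full privileges on every volume, bucket and key covered by the "all" policies, which is the over-grant this commit sets out to remove elsewhere. Populating the policy-editor lookup is read-only; unless OzoneResourceMgr needs more (its code is not visible here), `list` plus `read` would be the minimal grant and the `write`, `create`, `delete` and `all` entries should be dropped. If `all` is intentional, the five individual entries are redundant and should go, and a comment naming the lookup call that requires `all` would let the next reviewer confirm it. `getDefaultRangerPolicies()` starts before this hunk.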
@@ -19,22 +19,28 @@
 package org.apache.ranger.services.solr;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.solr.client.ServiceSolrClient;
 import org.apache.ranger.services.solr.client.ServiceSolrConnectionMgr;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 public class RangerServiceSolr extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceSolr.class);
+ public static final String ACCESS_TYPE_QUERY = "query";
 public RangerServiceSolr() {
 super();
@@ -46,6 +52,29 @@ public class RangerServiceSolr extends RangerBaseService {
 }
 @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceSolr.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_QUERY)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceSolr.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
+
+ @Override
 public Map<String, Object> validateConfig() throws Exception {
 Map<String, Object> ret = new HashMap<String, Object>();
 String serviceName = getServiceName();
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
index 3e9dfbc..c1b60c0 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
@@ -18,6 +18,7 @@
 package org.apache.ranger.services.yarn;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -26,16 +27,20 @@ import org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.yarn.client.YarnResourceMgr;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 public class RangerServiceYarn extends RangerBaseService {
 private static final Log LOG = LogFactory.getLog(RangerServiceYarn.class);
+ public static final String ACCESS_TYPE_SUBMIT_APP = "submit-app";
 public RangerServiceYarn() {
 super();
@@ -102,6 +107,15 @@ public class RangerServiceYarn extends RangerBaseService {
 for (RangerPolicy defaultPolicy : ret) {
 if(defaultPolicy.getName().contains("all")){
 RangerPolicy.RangerPolicyResource queuePolicyResource = defaultPolicy.getResources().get(queueResourceName);
+
+ if (StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_SUBMIT_APP)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+
 if (queuePolicyResource != null) {
 List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
 RangerServiceDef.RangerResourceDef queueResourceDef = null;
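Review bot: In the second hunk the lookup-user block is inserted between the assignment of `queuePolicyResource` and the `if (queuePolicyResource != null)` that consumes it, so two tightly related statements are now separated by an unrelated grant; moving the block above the `RangerPolicy.RangerPolicyResource queuePolicyResource = ...` line (or after the null-check block) keeps the resource handling contiguous and the diff easier to audit. Reusing the existing `contains("all")` branch instead of adding a second loop, as HDFS also does, is the tidier shape and worth keeping. The enclosing `if`, the `for` loop and `getDefaultRangerPolicies()` all continue outside the hunk.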
