This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b7a2902 RANGER-2772: Adding the functionality of merging the policy -
Part 3
b7a2902 is described below
commit b7a2902939f0d5ae64ead9fde539e76a766238a2
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Thu Apr 23 19:38:33 2020 -0700
RANGER-2772: Adding the functionality of merging the policy - Part 3
---
.../java/org/apache/ranger/rest/ServiceREST.java | 53 ++++++++++-------
.../org/apache/ranger/rest/ServiceRESTUtil.java | 68 +++++++++++++++++-----
2 files changed, 88 insertions(+), 33 deletions(-)
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 82e67e6..1bdee86 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -83,6 +83,7 @@ import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter;
import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXPolicy;
import org.apache.ranger.entity.XXPolicyExportAudit;
import org.apache.ranger.entity.XXSecurityZone;
import org.apache.ranger.entity.XXSecurityZoneRefService;
@@ -97,6 +98,7 @@ import
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -1661,7 +1663,13 @@ public class ServiceREST {
}
boolean
updateIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS))))
? true : false ;
boolean mergeIfExists =
"true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS)))
? true : false;
- if(updateIfExists || mergeIfExists) {
+
+ if (mergeIfExists && updateIfExists) {
+ LOG.warn("Cannot use both
updateIfExists and mergeIfExists for a createPolicy. mergeIfExists will
override updateIfExists for policy :[" + policy.getName() + "]");
+ }
+ if (mergeIfExists) {
+ ret = applyPolicy(policy, request);
+ } else if(updateIfExists) {
RangerPolicy existingPolicy = null;
String serviceName =
request.getParameter(PARAM_SERVICE_NAME);
if (serviceName == null) {
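Review bot: When both `mergeIfExists` and `updateIfExists` are set, the new code at L49-L53 only logs a warning and then takes the merge path, so a client that asked for an in-place update silently gets a combined policy instead; since the two behaviours differ materially (replace vs. append items), rejecting the request is the safer choice, e.g. `throw restErrorUtil.createRESTException("Cannot use both " + PARAM_UPDATE_IF_EXISTS + " and " + PARAM_MERGE_IF_EXISTS + " for createPolicy");`. If the override is intentional, say so in a comment above the `if (mergeIfExists)` branch rather than only in the log line. The two flag computations at L41-L46 can also drop the redundant `? true : false` since `equalsIgnoreCase` already yields a boolean. createPolicy starts before and continues after this hunk.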
@@ -1699,20 +1707,11 @@ public class ServiceREST {
}
try {
if (existingPolicy != null) {
- if (updateIfExists) {
-
policy.setId(existingPolicy.getId());
- ret =
updatePolicy(policy);
- } else
if(mergeIfExists){
-
ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy);
- ret =
updatePolicy(existingPolicy);
- }
+
policy.setId(existingPolicy.getId());
+ ret =
updatePolicy(policy);
}
} catch (Exception excp){
- if(updateIfExists) {
-
LOG.error("updatePolicy(" + policy + ") failed", excp);
- }else if(mergeIfExists) {
- LOG.error("updatePolicy
for merge (" + existingPolicy + ") failed", excp);
- }
+ LOG.error("updatePolicy(" +
policy + ") failed", excp);
throw
restErrorUtil.createRESTException(excp.getMessage());
}
}
@@ -1775,17 +1774,31 @@ public class ServiceREST {
RangerPolicy ret = null;
if (policy != null &&
StringUtils.isNotBlank(policy.getService())) {
+
try {
- // Check if applied policy contains any
conditions
- if
(ServiceRESTUtil.containsRangerCondition(policy)) {
- LOG.error("Applied policy contains
condition(s); not supported:" + policy);
- throw new Exception("Applied policy
contains condition(s); not supported:" + policy);
- }
- String user = request.getRemoteUser();
- RangerPolicy existingPolicy =
getExactMatchPolicyForResource(policy, StringUtils.isNotBlank(user) ? user
:"admin");
+ final RangerPolicy existingPolicy;
+ String signature
= (new RangerPolicyResourceSignature(policy)).getSignature();
+ List<RangerPolicy>
policiesWithMatchingSignature =
svcStore.getPoliciesByResourceSignature(policy.getService(), signature, true);
+
+ if
(CollectionUtils.isNotEmpty(policiesWithMatchingSignature)) {
+ if
(policiesWithMatchingSignature.size() == 1) {
+ existingPolicy =
policiesWithMatchingSignature.get(0);
+ } else {
+ throw new Exception("Multiple
policies with matching policy-signature are found. Cannot determine target for
applying policy");
+ }
+ } else {
+ existingPolicy = null;
+ }
if (existingPolicy == null) {
+ if
(StringUtils.isNotEmpty(policy.getName())) {
+ XXPolicy dbPolicy =
daoManager.getXXPolicy().findByPolicyName(policy.getName());
+ if (dbPolicy != null) {
+
policy.setName(policy.getName() + System.currentTimeMillis());
+ }
+ }
+
ret = createPolicy(policy, null);
} else {
ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
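Review bot: The rename at L143 (`policy.setName(policy.getName() + System.currentTimeMillis())`) silently changes a caller-supplied policy name and does not guarantee uniqueness — two requests in the same millisecond, or a name that already carries such a suffix, can still collide, and the caller is never told the policy was created under a different name. Suggest at least logging the rename, e.g. `LOG.info("Policy name [" + originalName + "] already exists; creating policy as [" + policy.getName() + "]")`, and relying on the create path's own uniqueness check rather than the timestamp alone; if `findByPolicyName` searches across services while names are only unique per service, the pre-check is also wider than needed — worth confirming. Separately, the old lookup passed `request.getRemoteUser()` to `getExactMatchPolicyForResource`, whereas the new `svcStore.getPoliciesByResourceSignature(policy.getService(), signature, true)` is not user-scoped; if that user argument limited what the caller could see or modify, confirm the `updatePolicy(existingPolicy)` path (outside this hunk) still enforces the caller's authorization. The bare `true` argument deserves a comment or named local stating what it selects, since the hunk gives no hint. applyPolicy's body continues outside the hunk.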
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index 640d3c3..76cf92c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -215,16 +215,54 @@ public class ServiceRESTUtil {
LOG.debug("==> ServiceRESTUtil.processApplyPolicy()");
}
- processApplyPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.ALLOW);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.DENY);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy,
POLICYITEM_TYPE.DENY_EXCEPTIONS);
+ // Check if applied policy or existing policy contains any
conditions
+ if (ServiceRESTUtil.containsRangerCondition(existingPolicy) ||
ServiceRESTUtil.containsRangerCondition(appliedPolicy)) {
+ LOG.info("Applied policy [" + appliedPolicy + "] or
existing policy [" + existingPolicy + "] contains condition(s). Combining two
policies.");
+ combinePolicy(existingPolicy, appliedPolicy);
+
+ } else {
+
+ processApplyPolicyForItemType(existingPolicy,
appliedPolicy, POLICYITEM_TYPE.ALLOW);
+ processApplyPolicyForItemType(existingPolicy,
appliedPolicy, POLICYITEM_TYPE.DENY);
+ processApplyPolicyForItemType(existingPolicy,
appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
+ processApplyPolicyForItemType(existingPolicy,
appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceRESTUtil.processApplyPolicy()");
}
}
+ static private void combinePolicy(RangerPolicy existingPolicy,
RangerPolicy appliedPolicy) {
+
+ List<RangerPolicy.RangerPolicyItem> appliedPolicyItems;
+
+ // Combine allow policy-items
+ appliedPolicyItems = appliedPolicy.getPolicyItems();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+
existingPolicy.getPolicyItems().addAll(appliedPolicyItems);
+ }
+
+ // Combine deny policy-items
+ appliedPolicyItems = appliedPolicy.getDenyPolicyItems();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+
existingPolicy.getDenyPolicyItems().addAll(appliedPolicyItems);
+ }
+
+ // Combine allow-exception policy-items
+ appliedPolicyItems = appliedPolicy.getAllowExceptions();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+
existingPolicy.getAllowExceptions().addAll(appliedPolicyItems);
+ }
+
+ // Combine deny-exception policy-items
+ appliedPolicyItems = appliedPolicy.getDenyExceptions();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+
existingPolicy.getDenyExceptions().addAll(appliedPolicyItems);
+ }
+
+ }
+
static private void processApplyPolicyForItemType(RangerPolicy
existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==>
ServiceRESTUtil.processApplyPolicyForItemType()");
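Review bot: combinePolicy (L191-L224) copies only the four policy-item lists from appliedPolicy into existingPolicy and never looks at `appliedPolicy.getConditions()`, yet the later hunk in this file (L236) makes a policy-level condition the very reason this path is taken; unless applyPolicy handles it elsewhere, an applied policy's policy-level condition is dropped and its items end up guarded only by whatever conditions existingPolicy has, i.e. less restricted than the caller specified. Either merge the policy-level conditions too, or reject the applied policy when `CollectionUtils.isNotEmpty(appliedPolicy.getConditions())` and log why. The `addAll` calls also assume the existing policy's list getters never return null; if RangerPolicy does not guarantee that, guard them the same way the applied side is guarded. combinePolicy should carry a Javadoc stating that it appends items without de-duplication, which is its behavioural difference from processApplyPolicyForItemType; `static private` also reads better as `private static`. processApplyPolicy's header is outside the hunk.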
@@ -1029,17 +1067,21 @@ public class ServiceRESTUtil {
}
if (policy != null) {
- List<RangerPolicy.RangerPolicyItem> allItems = new
ArrayList<RangerPolicy.RangerPolicyItem>();
+ if (CollectionUtils.isNotEmpty(policy.getConditions()))
{
+ ret = true;
+ } else {
+ List<RangerPolicy.RangerPolicyItem> allItems =
new ArrayList<RangerPolicy.RangerPolicyItem>();
- allItems.addAll(policy.getPolicyItems());
- allItems.addAll(policy.getDenyPolicyItems());
- allItems.addAll(policy.getAllowExceptions());
- allItems.addAll(policy.getDenyExceptions());
+ allItems.addAll(policy.getPolicyItems());
+ allItems.addAll(policy.getDenyPolicyItems());
+ allItems.addAll(policy.getAllowExceptions());
+ allItems.addAll(policy.getDenyExceptions());
- for (RangerPolicy.RangerPolicyItem policyItem :
allItems) {
- if (!policyItem.getConditions().isEmpty()) {
- ret = true;
- break;
+ for (RangerPolicy.RangerPolicyItem policyItem :
allItems) {
+ if
(!policyItem.getConditions().isEmpty()) {
+ ret = true;
+ break;
+ }
}
}
}
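Review bot: The item-level check at L257-L258 (`!policyItem.getConditions().isEmpty()`) is not null-safe while the new policy-level check at L236 uses `CollectionUtils.isNotEmpty`; if a policy item can arrive with a null condition list (this method is reached with request-supplied policies through applyPolicy), the loop throws a NullPointerException instead of answering. Use the same helper at both levels: `if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {`. The `allItems` copy plus flag-and-break loop could also collapse into a single `anyMatch` over the four lists, but that is optional. The method's signature and `return ret` are outside the hunk.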