This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 4a92117 RANGER-3147: enhance resource-trie to enable finding
evaluators for a given resource and its children - Part 3
4a92117 is described below
commit 4a92117d0e40a6b386996d0addd0d8b3b23bed7b
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Fri Apr 2 10:53:03 2021 -0700
RANGER-3147: enhance resource-trie to enable finding evaluators for a given
resource and its children - Part 3
---
.../plugin/policyengine/RangerResourceTrie.java | 2 +
.../resourcematcher/RangerPathResourceMatcher.java | 28 ++++++-
.../policyengine/test_policyengine_aws.json | 94 ++++++++++++++++++++++
3 files changed, 120 insertions(+), 4 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 2db1db0..7c37e05 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -1149,6 +1149,8 @@ public class RangerResourceTrie<T extends
RangerPolicyResourceEvaluator> {
}
void collectChildEvaluators(Character sep, int startIdx, Set<U>
childEvaluators) {
+ setupIfNeeded(getParent());
+
final int sepPos = startIdx < str.length() ? str.indexOf(sep,
startIdx) : -1;
if (sepPos == -1) { // ex: startIdx=5, path(str)=/tmp/test, path(a
child) could be: /tmp/test.txt, /tmp/test/, /tmp/test/a, /tmp/test/a/b
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index c60e7bc..43297d6 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -283,6 +283,9 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
}
@Override
boolean isMatch(String resourceValue, Map<String, Object>
evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
StringResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
evalContext=" + evalContext + ")");
+ }
String expandedValue = getExpandedValue(evalContext);
boolean ret = function.apply(resourceValue,
expandedValue);
if (!ret) {
@@ -298,6 +301,9 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
StringResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+ }
return ret;
}
@@ -314,6 +320,9 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
}
@Override
boolean isMatch(String resourceValue, Map<String, Object>
evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
WildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
evalContext=" + evalContext + ")");
+ }
String expandedValue = getExpandedValue(evalContext);
boolean ret = function.apply(resourceValue,
expandedValue, ioCase);
if (!ret) {
@@ -329,6 +338,9 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
WildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+ }
return ret;
}
}
@@ -344,6 +356,9 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
}
@Override
boolean isMatch(String resourceValue, Map<String, Object>
evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RecursiveWildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
evalContext=" + evalContext + ")");
+ }
String expandedValue = getExpandedValue(evalContext);
boolean ret = function.apply(resourceValue,
expandedValue, pathSeparatorChar, ioCase);
if (!ret) {
@@ -359,6 +374,9 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RecursiveWildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+ }
return ret;
}
}
@@ -386,6 +404,9 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
@Override
boolean isMatch(String resourceValue, Map<String, Object>
evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RecursivePathResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
evalContext=" + evalContext + ")");
+ }
final String noSeparator;
if (getNeedsDynamicEval()) {
String expandedPolicyValue =
getExpandedValue(evalContext);
@@ -414,14 +435,13 @@ public class RangerPathResourceMatcher extends
RangerDefaultResourceMatcher {
resourceValue =
resourceValue.substring(0, resourceValue.length() - 1);
}
ret =
primaryFunction.apply(resourceValue, shorterExpandedValue);
- if (!ret) {
- final String
shortedExpandedValueWithSeparator = getNeedsDynamicEval() ?
shorterExpandedValue + pathSeparatorChar : shorterExpandedValue;
- ret =
fallbackFunction.apply(resourceValue, shortedExpandedValueWithSeparator);
- }
}
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RecursivePathResourceMatcher.isMatch(resourceValue=" + resourceValue + ",
expandedValueWithoutTrailingSeparatorChar=" + noSeparator + ") : result:[" +
ret + "]");
+ }
return ret;
}
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
b/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
index 3e77506..118bef5 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
@@ -71,10 +71,104 @@
"policyItems":[
{"accesses":[{"type":"read","isAllowed":true},
{"type":"write","isAllowed":true},
{"type":"execute","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
]
+ },
+
+ {"id":100,"name":"allow-read-to-/tmp/{USER}}",
"isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/tmp/{USER}"],"isRecursive":true}},
+ "policyItems":[
+
{"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+
{"id":200,"name":"allow-all-to-/tmp/{USER}/subdir}","isEnabled":true,"isAuditEnabled":true,
+
"resources":{"path":{"values":["/tmp/{USER}/subdir"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true},
{"type":"write","isAllowed":true},
{"type":"execute","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+
{"id":300,"name":"allow-read-to-/user/dir}","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/user/dir"],"isRecursive":true}},
+ "policyItems":[
+
{"accesses":[{"type":"read","isAllowed":true}],"users":["scott"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+
{"id":400,"name":"allow-all-to-/user/dir/subdir}","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/user/dir/subdir"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true},
{"type":"write","isAllowed":true},
{"type":"execute","isAllowed":true}],"users":["scott"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":500,"name":"allow-read-to-/user/{USER}/a*}",
"isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/user/{USER}/*"],"isRecursive":true}},
+ "policyItems":[
+
{"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+ ]
}
],
"tests":[
+ {"name":"ALLOW 'write /tmp/scott' for u=scott for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}},
"resourceMatchingScope": "SELF_OR_CHILD",
+
"accessType":"write","user":"scott","userGroups":[],"requestData":"write
/tmp/scott"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 200}
+ },
+ {"name":"DENY 'ANY /tmp/scott' for u=joe for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}},
"resourceMatchingScope": "SELF_OR_CHILD",
+ "accessType":"","user":"joe","userGroups":[],"requestData":"ANY
/tmp/scott"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+ },
+ {"name":"ALLOW 'ANY /tmp/scott' for u=scott for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}},
+ "accessType":"","user":"scott","userGroups":[],"requestData":"ANY
/tmp/scott"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 100}
+ },
+ {"name":"DENY 'ANY /tmp/scott' for u=joe for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}},
+ "accessType":"","user":"joe","userGroups":[],"requestData":"ANY
/tmp/scott"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+ },
+ {"name":"ALLOW 'write /user/dir' for u=scott for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/user/dir"}}, "resourceMatchingScope":
"SELF_OR_CHILD",
+
"accessType":"write","user":"scott","userGroups":[],"requestData":"write
/user/dir"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 400}
+ },
+ {"name":"ALLOW 'ANY /user/dir' for u=scott for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/user/dir"}},
+ "accessType":"","user":"scott","userGroups":[],"requestData":"ANY
/user/dir"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 300}
+ },
+ {"name":"DENY 'ANY /user/dir' for u=joe for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/user/dir"}}, "resourceMatchingScope":
"SELF_OR_CHILD",
+ "accessType":"","user":"joe","userGroups":[],"requestData":"ANY
/user/dir"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId": -1}
+ },
+ {"name":"ALLOW 'read /user/scott' for u=scott for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/user/scott"}},
"resourceMatchingScope": "SELF_OR_CHILD",
+ "accessType":"read","user":"scott","userGroups":[],"requestData":"read
/tmp/scott"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 500}
+ },
+ {"name":"DENY 'read /user/scott' for u=scott for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/user/scott"}},
+ "accessType":"read","user":"scott","userGroups":[],"requestData":"read
/tmp/scott"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+ },
{"name":"ALLOW 'ANY /' for u=user1",
"request":{
"resource":{"elements":{"path":"/"}}, "resourceMatchingScope":
"SELF_OR_CHILD",