This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit f80b8c148098aa647f3fc2d7c0841150e247d086 Merge: d5dc40c8c 00fd78a9b Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Wed Sep 27 21:40:36 2023 -0700 Merge branch 'master' into RANGER-3923 agents-common/dev-support/spotbugsIncludeFile.xml | 64 ++++++++++++ .../apache/ranger/plugin/model/RangerPolicy.java | 4 + .../ranger/plugin/policyengine/PolicyEngine.java | 44 +++++++++ .../policyengine/RangerRequestScriptEvaluator.java | 25 +++-- .../plugin/policyengine/RangerResourceTrie.java | 12 ++- .../RangerAbstractPolicyItemEvaluator.java | 59 ++++++++++++ .../RangerAuditPolicyEvaluator.java | 2 +- .../RangerDefaultPolicyEvaluator.java | 25 ++++- .../RangerDefaultPolicyItemEvaluator.java | 107 ++++++++++++--------- .../RangerDefaultRowFilterPolicyItemEvaluator.java | 9 +- .../RangerOptimizedPolicyEvaluator.java | 106 ++++++++++++++------ .../policyevaluator/RangerPolicyEvaluator.java | 43 +++++++-- .../policyevaluator/RangerPolicyItemEvaluator.java | 1 + .../plugin/resourcematcher/ResourceMatcher.java | 4 + .../ranger/plugin/service/RangerBasePlugin.java | 91 +----------------- .../apache/ranger/plugin/util/JavaScriptEdits.java | 77 +++++++++++++++ .../apache/ranger/plugin/util/PolicyRefresher.java | 66 +++++++++++-- .../plugin/util/RangerSecurityZoneHelper.java | 14 +-- .../apache/ranger/plugin/util/ServicePolicies.java | 72 ++++++++++++++ .../ranger/plugin/util/JavaScriptEditsTest.java | 45 +++++++++ pom.xml | 2 +- .../java/org/apache/ranger/biz/ServiceDBStore.java | 7 +- .../ranger/common/RangerServicePoliciesCache.java | 44 +++++++++ .../org/apache/ranger/service/XGroupService.java | 2 +- .../org/apache/ranger/service/XUserService.java | 2 +- .../react-webapp/src/components/Editable.jsx | 16 +-- .../react-webapp/src/components/XATableLayout.jsx | 9 +- .../main/webapp/react-webapp/src/styles/style.css | 3 +- .../main/webapp/react-webapp/src/utils/XAEnums.js | 13 +++ .../main/webapp/react-webapp/src/utils/fetchAPI.js | 2 +- 
.../src/views/AuditEvent/AdminLogs/UserLogs.jsx | 6 +- .../src/views/AuditEvent/PluginStatusLogs.jsx | 9 +- .../src/views/Encryption/KeyManager.jsx | 72 +++++++------- .../src/views/PermissionsModule/EditPermission.jsx | 61 +++++++----- .../views/PolicyListing/AddUpdatePolicyForm.jsx | 2 +- .../src/views/SecurityZone/SecurityZoneForm.jsx | 74 ++++++++------ .../src/views/ServiceManager/ServiceDefinition.jsx | 21 +++- .../src/views/ServiceManager/ServiceForm.jsx | 79 +++++++-------- .../views/ServiceManager/ServiceViewDetails.jsx | 23 ++++- .../UserGroupRoleListing/SyncSourceDetails.jsx | 4 +- .../groups_details/GroupListing.jsx | 3 +- .../role_details/RoleListing.jsx | 8 +- .../users_details/UserFormComp.jsx | 26 ++--- .../users_details/UserListing.jsx | 3 +- 44 files changed, 956 insertions(+), 405 deletions(-) diff --cc agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java index 96610e2eb,9051a8ce4..1d3a16ea0 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java @@@ -100,10 -100,10 +100,10 @@@ public class RangerAuditPolicyEvaluato } @Override - protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) { - super.preprocessPolicy(policy, serviceDef); + protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { + super.preprocessPolicy(policy, serviceDef, options); - Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants(); + Map<String, Collection<String>> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef); if (impliedAccessGrants == null || impliedAccessGrants.isEmpty()) { return; diff --cc agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 
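Review bot: In the merged `preprocessPolicy` of RangerAuditPolicyEvaluator the new `options` argument is only forwarded to `super`, while the implied grants are read from `PolicyEngine.getImpliedAccessGrants(serviceDef)` rather than the `options.getServiceDefHelper().getImpliedAccessGrants()` call on the other side of the merge. Nothing visible in the hunk shows that the two lookups return the same map, and a difference would change which access types an audit policy matches. A comment above the assignment would record the choice, for example `// implied grants are derived from serviceDef, not options.getServiceDefHelper(); keep in sync with RangerDefaultPolicyEvaluator`. The method body continues past the end of the hunk.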
821f34631,bf7ebe86a..3ea36322e --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@@ -1153,8 -1165,9 +1165,9 @@@ public class RangerDefaultPolicyEvaluat if(policy == null || (!hasAllow() && !hasDeny()) || serviceDef == null) { return; } + /* - Map<String, Collection<String>> impliedAccessGrants = getImpliedAccessGrants(serviceDef); + Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants(); if(impliedAccessGrants == null || impliedAccessGrants.isEmpty()) { return; diff --cc agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java index deaf524b1,dd64a6767..225f8526b --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java @@@ -619,17 -468,69 +625,83 @@@ public class ServicePolicies implement return ret; } + static public GdsPolicies copyHeader(GdsPolicies source, String componentServiceName) { + GdsPolicies ret = new GdsPolicies(); + + ret.setServiceName(source.getServiceName()); + ret.setServiceId(source.getServiceId()); + ret.setPolicyVersion(source.getPolicyVersion()); + ret.setAuditMode(source.getAuditMode()); + ret.setServiceDef(ServiceDefUtil.normalizeAccessTypeDefs(source.getServiceDef(), componentServiceName)); + ret.setPolicyUpdateTime(source.getPolicyUpdateTime()); + ret.setPolicies(Collections.emptyList()); + + return ret; + } ++ + public static ServicePolicies applyDelta(final ServicePolicies servicePolicies, RangerPolicyEngineImpl policyEngine) { + ServicePolicies ret = copyHeader(servicePolicies); + + List<RangerPolicy> oldResourcePolicies = policyEngine.getResourcePolicies(); + List<RangerPolicy> oldTagPolicies = policyEngine.getTagPolicies(); + + List<RangerPolicy> newResourcePolicies = 
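Review bot: The `/*` added after the early-return guard in RangerDefaultPolicyEvaluator comments out the implied-access-grant expansion that follows, with no reason given and no pointer to where the expansion now happens. The closing `*/` is outside the hunk, so the extent of the disabled code cannot be seen from here. Commented-out code in the policy preprocessing path is easy to misread as active, so either delete the block or precede it with a comment such as `// implied grants are no longer expanded here; see <replacement location>`. If no other code performs the expansion, a policy granting an access type would presumably stop covering its implied types, which a regression test on an implied access type would catch.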
RangerPolicyDeltaUtil.applyDeltas(oldResourcePolicies, servicePolicies.getPolicyDeltas(), servicePolicies.getServiceDef().getName()); + + ret.setPolicies(newResourcePolicies); + + final List<RangerPolicy> newTagPolicies; + if (servicePolicies.getTagPolicies() != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("applyingDeltas for tag policies"); + } + newTagPolicies = RangerPolicyDeltaUtil.applyDeltas(oldTagPolicies, servicePolicies.getPolicyDeltas(), servicePolicies.getTagPolicies().getServiceDef().getName()); + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("No need to apply deltas for tag policies"); + } + newTagPolicies = oldTagPolicies; + } + + if (LOG.isDebugEnabled()) { + LOG.debug("New tag policies:[" + Arrays.toString(newTagPolicies.toArray()) + "]"); + } + + if (ret.getTagPolicies() != null) { + ret.getTagPolicies().setPolicies(newTagPolicies); + } + + if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) { + Map<String, SecurityZoneInfo> newSecurityZones = new HashMap<>(); + + for (Map.Entry<String, SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) { + String zoneName = entry.getKey(); + SecurityZoneInfo zoneInfo = entry.getValue(); + + List<RangerPolicy> zoneResourcePolicies = policyEngine.getResourcePolicies(zoneName); + // There are no separate tag-policy-repositories for each zone + + if (LOG.isDebugEnabled()) { + LOG.debug("Applying deltas for security-zone:[" + zoneName + "]"); + } + + final List<RangerPolicy> newZonePolicies = RangerPolicyDeltaUtil.applyDeltas(zoneResourcePolicies, zoneInfo.getPolicyDeltas(), servicePolicies.getServiceDef().getName()); + + if (LOG.isDebugEnabled()) { + LOG.debug("New resource policies for security-zone:[" + zoneName + "], zoneResourcePolicies:[" + Arrays.toString(newZonePolicies.toArray())+ "]"); + } + + SecurityZoneInfo newZoneInfo = new SecurityZoneInfo(); + + newZoneInfo.setZoneName(zoneName); + newZoneInfo.setResources(zoneInfo.getResources()); + 
newZoneInfo.setPolicies(newZonePolicies); + + newSecurityZones.put(zoneName, newZoneInfo); + } + + ret.setSecurityZones(newSecurityZones); + } + + return ret; + } }
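Review bot: `applyDelta` dereferences `servicePolicies.getServiceDef().getName()` and `servicePolicies.getTagPolicies().getServiceDef().getName()` without a null check, so a delta payload that arrives without a service-def fails with a bare NullPointerException partway through building the policy set. Resolving the name once at the top, e.g. `String serviceType = Objects.requireNonNull(servicePolicies.getServiceDef(), "serviceDef").getName();`, and doing the same for the tag service-def, gives the caller a clear failure before any deltas are applied. The debug line `Arrays.toString(newTagPolicies.toArray())` would also throw if `newTagPolicies` were null, which the hunk does not rule out, but only when debug logging is on; `LOG.debug("New tag policies:[" + newTagPolicies + "]")` is null-safe. The rebuilt `SecurityZoneInfo` copies only the zone name, resources and policies, so a short Javadoc on `applyDelta` should state that any other zone fields are intentionally not carried over.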