This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/RANGER-3923 by this push: new a4566be26 RANGER-4378: updated implied-grants handling to use RangerServiceDefHelper new 50242093a Merge branch 'master' into RANGER-3923 a4566be26 is described below commit a4566be266755cae13d70f7c8d3e9e61d1e6b46a Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Mon Oct 2 03:38:31 2023 -0700 RANGER-4378: updated implied-grants handling to use RangerServiceDefHelper
---
 .../model/validation/RangerServiceDefHelper.java | 32 ++++++++++++++++++++++
 .../ranger/plugin/policyengine/PolicyEngine.java | 27 ++++--------------
 2 files changed, 38 insertions(+), 21 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
index 4e287f9a4..c1388abc2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
@@ -36,6 +36,7 @@ import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -311,6 +312,10 @@ public class RangerServiceDefHelper {
 return _delegate.getWildcardEnabledResourceDef(resourceName, policyType);
 }
+ public Map<String, Collection<String>> getImpliedAccessGrants() {
+ return _delegate.getImpliedAccessGrants();
+ }
+
 /**
 * Not designed for public access. Package level only for testability.
 */
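Review bot: The new public `getImpliedAccessGrants()` on RangerServiceDefHelper has no Javadoc, although the comment block directly below it shows the file does document its members, so a caller cannot tell what the keys and values mean or whether the result can be null. Going by `computeImpliedGrants()` added later in this commit, which always returns a map, a fitting comment would be `/** Returns implied grants keyed by access-type name; never null, empty when the service-def declares none. */`. It is also worth stating there that the result is the delegate's own map and must be treated as read-only.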
@@ -323,6 +328,7 @@ public class RangerServiceDefHelper {
 final boolean _checkForCycles;
 final boolean _valid;
 final List<String> _orderedResourceNames;
+ final Map<String, Collection<String>> _impliedGrants;
 final static Set<List<RangerResourceDef>> EMPTY_RESOURCE_HIERARCHY = Collections.unmodifiableSet(new HashSet<List<RangerResourceDef>>());
@@ -352,6 +358,8 @@ public class RangerServiceDefHelper {
 }
 }
+ _impliedGrants = computeImpliedGrants();
+
 if (isValid) {
 _orderedResourceNames = buildSortedResourceNames();
 } else {
@@ -611,6 +619,30 @@ public class RangerServiceDefHelper {
 return this._orderedResourceNames;
 }
+ Map<String, Collection<String>> getImpliedAccessGrants() { return _impliedGrants; }
+
+ private Map<String, Collection<String>> computeImpliedGrants() {
+ Map<String, Collection<String>> ret = new HashMap<>();
+
+ if (_serviceDef != null && CollectionUtils.isNotEmpty(_serviceDef.getAccessTypes())) {
+ for (RangerAccessTypeDef accessTypeDef : _serviceDef.getAccessTypes()) {
+ if (CollectionUtils.isNotEmpty(accessTypeDef.getImpliedGrants())) {
+ Collection<String> impliedAccessGrants = ret.get(accessTypeDef.getName());
+
+ if(impliedAccessGrants == null) {
+ impliedAccessGrants = new HashSet<>();
+
+ ret.put(accessTypeDef.getName(), impliedAccessGrants);
+ }
+
+ impliedAccessGrants.addAll(accessTypeDef.getImpliedGrants());
+ }
+ }
+ }
+
+ return ret;
+ }
+
 private static class ResourceNameLevel implements Comparable<ResourceNameLevel> {
 private String resourceName;
 private int level;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 4a5406301..04f010a03 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
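Review bot: `computeImpliedGrants()` returns a plain `HashMap` of `HashSet`s, and the package-level getter added in the same hunk, together with the public `getImpliedAccessGrants()` added on RangerServiceDefHelper, hands that same instance to callers. Any caller can therefore add or remove implied grants for every other holder of the reference; PolicyEngine.buildImpliedAccessGrants in this commit stores it in a static map, and those grants presumably feed access evaluation. Unless some caller relies on mutating the result (none is visible on this page), freeze the value collections and the map before returning, as sketched below. Separately, `if(impliedAccessGrants == null)` lacks the space after `if` that the other conditions in the method use.

```java
private Map<String, Collection<String>> computeImpliedGrants() {
    Map<String, Collection<String>> ret = new HashMap<>();

    // … unchanged: loop over _serviceDef.getAccessTypes() filling ret …

    // Callers get a read-only view, so the grants cannot be altered after construction.
    for (Map.Entry<String, Collection<String>> entry : ret.entrySet()) {
        entry.setValue(Collections.unmodifiableCollection(entry.getValue()));
    }

    return Collections.unmodifiableMap(ret);
}
```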
@@ -36,6 +36,7 @@ import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicyDelta;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
 import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
@@ -488,33 +489,17 @@ public class PolicyEngine {
 }
 static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) {
- Map<String, Collection<String>> ret = null;
-
- if (serviceDef != null && !CollectionUtils.isEmpty(serviceDef.getAccessTypes())) {
- for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
- if (!CollectionUtils.isEmpty(accessTypeDef.getImpliedGrants())) {
- if (ret == null) {
- ret = new HashMap<>();
- }
-
- Collection<String> impliedGrants = ret.get(accessTypeDef.getName());
-
- if (impliedGrants == null) {
- impliedGrants = new HashSet<>();
-
- ret.put(accessTypeDef.getName(), impliedGrants);
- }
-
- impliedGrants.addAll(accessTypeDef.getImpliedGrants());
- }
- }
+ if (serviceDef != null) {
+ RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef, false);
 if (impliedAccessGrants == null) {
 impliedAccessGrants = Collections.synchronizedMap(new HashMap<>());
 }
- impliedAccessGrants.put(serviceDef.getName(), ret);
+
+ impliedAccessGrants.put(serviceDef.getName(), helper.getImpliedAccessGrants());
 }
 }
+
 private Set<String> getMatchedZonesForResourceAndChildren(Map<String, ?> resource, RangerAccessResource accessResource) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> PolicyEngine.getMatchedZonesForResourceAndChildren(" + resource + ", " + accessResource + ")");
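Review bot: In `buildImpliedAccessGrants`, the static `impliedAccessGrants` map is still created lazily behind an unsynchronized `if (impliedAccessGrants == null)`, so two threads entering together can each assign a fresh map and one `put` is lost; whether concurrent calls occur depends on callers outside this hunk. A lost entry silently drops the implied grants for that service, so initialise the field once at its declaration (outside this hunk), for example with `Collections.synchronizedMap(new HashMap<>())`, and remove the null check here. The bare `false` in `new RangerServiceDefHelper(serviceDef, false)` deserves a short comment naming the parameter it sets. Also note in the commit message or a comment that a service with no implied grants now stores an empty map where the old code stored `null`.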