This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 55d2e6bfcbc02825aa5d23f38adad11f7ea1eea9 Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Mon Oct 2 12:15:44 2023 -0700 RANGER-4445: new REST endpoints for dataset policies --- .../apache/ranger/plugin/model/RangerService.java | 66 +--- .../model/validation/RangerServiceValidator.java | 83 ++--- .../ranger/plugin/store/AbstractGdsStore.java | 25 -- .../ranger/plugin/store/AbstractPredicateUtil.java | 34 -- .../ranger/plugin/store/AbstractServiceStore.java | 3 +- .../org/apache/ranger/plugin/store/GdsStore.java | 34 +- .../ranger/plugin/store/ServicePredicateUtil.java | 77 ----- .../ranger/plugin/util/RangerPerfTracer.java | 28 +- .../ranger/services/gds/RangerServiceGds.java | 58 +--- .../service-defs/ranger-servicedef-gds.json | 16 +- .../apache_ranger/client/ranger_gds_client.py | 80 ++++- .../main/python/apache_ranger/model/ranger_base.py | 2 + .../src/main/python/sample_gds_client.py | 14 + .../optimized/current/ranger_core_db_mysql.sql | 32 +- .../optimized/current/ranger_core_db_postgres.sql | 36 ++- .../java/org/apache/ranger/biz/GdsDBStore.java | 353 ++++++++++++++++++++- .../java/org/apache/ranger/biz/RangerBizUtil.java | 8 + .../java/org/apache/ranger/biz/ServiceDBStore.java | 53 +--- .../java/org/apache/ranger/biz/ServiceMgr.java | 6 - .../org/apache/ranger/common/AppConstants.java | 7 +- .../org/apache/ranger/db/RangerDaoManagerBase.java | 2 + .../apache/ranger/db/XXGdsDatasetPolicyMapDao.java | 85 +++++ .../apache/ranger/db/XXGdsProjectPolicyMapDao.java | 85 +++++ .../java/org/apache/ranger/db/XXPolicyDao.java | 33 ++ .../java/org/apache/ranger/db/XXServiceDao.java | 23 +- .../ranger/entity/XXGdsDatasetPolicyMap.java | 106 +++++++ .../ranger/entity/XXGdsProjectPolicyMap.java | 106 +++++++ .../org/apache/ranger/entity/XXServiceBase.java | 24 +- .../apache/ranger/entity/XXServiceVersionInfo.java | 29 +- .../main/java/org/apache/ranger/rest/GdsREST.java | 316 +++++++++++++++++- .../java/org/apache/ranger/rest/ServiceREST.java | 61 +++- 
.../ranger/security/context/RangerAPIList.java | 2 + .../service/RangerServiceDefServiceBase.java | 4 +- .../ranger/service/RangerServiceService.java | 7 - .../ranger/service/RangerServiceServiceBase.java | 26 +- .../main/resources/META-INF/jpa_named_queries.xml | 31 +- 36 files changed, 1405 insertions(+), 550 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java index e79c5d8e3..0cb58bae0 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java @@ -49,16 +49,13 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri private Date policyUpdateTime; private Long tagVersion; private Date tagUpdateTime; - private String gdsService; - private Long gdsVersion; - private Date gdsUpdateTime; /** * @param */ public RangerService() { - this(null, null, null, null, null, null); + this(null, null, null, null, null); } /** @@ -69,24 +66,12 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri * @param tagService */ public RangerService(String type, String name, String description, String tagService, Map<String, String> configs) { - this(type, name, description, tagService, null, configs); - } - - /** - * @param type - * @param name - * @param description - * @param configs - * @param tagService - */ - public RangerService(String type, String name, String description, String tagService, String gdsService, Map<String, String> configs) { super(); setType(type); setName(name); setDescription(description); setTagService(tagService); - setGdsService(gdsService); setConfigs(configs); } 
@@ -106,9 +91,6 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri setPolicyUpdateTime(other.getPolicyUpdateTime()); setTagVersion(other.getTagVersion()); setTagUpdateTime(other.getTagUpdateTime()); - setGdsService(other.getGdsService()); - setGdsVersion(other.getGdsVersion()); - setGdsUpdateTime(other.getGdsUpdateTime()); } /** @@ -260,49 +242,6 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri this.tagUpdateTime = tagUpdateTime; } - /** - * @return the gdsService - */ - public String getGdsService() { - return gdsService; - } - - /** - * @param gdsService the gdsServiceName to set - */ - public void setGdsService(String gdsService) { - this.gdsService = gdsService; - } - - /** - * @return the gdsVersion - */ - public Long getGdsVersion() { - return gdsVersion; - } - - /** - * @param gdsVersion the gdsVersion to set - */ - public void setGdsVersion(Long gdsVersion) { - this.gdsVersion = gdsVersion; - } - - - /** - * @return the gdsUpdateTime - */ - public Date getGdsUpdateTime() { - return gdsUpdateTime; - } - - /** - * @param gdsUpdateTime the gdsUpdateTime to set - */ - public void setGdsUpdateTime(Date gdsUpdateTime) { - this.gdsUpdateTime = gdsUpdateTime; - } - @Override public String toString( ) { StringBuilder sb = new StringBuilder(); @@ -338,9 +277,6 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri sb.append("tagVersion={").append(tagVersion).append("} "); sb.append("tagUpdateTime={").append(tagUpdateTime).append("} "); - sb.append("gdsService={").append(gdsService).append("} "); - sb.append("gdsVersion={").append(gdsVersion).append("} "); - sb.append("gdsUpdateTime={").append(gdsUpdateTime).append("} "); sb.append("}"); 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java
index a9ad08a48..5521146b9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java
@@ -268,76 +268,41 @@ public class RangerServiceValidator extends RangerValidator { } } String tagServiceName = service.getTagService(); - String gdsServiceName = service.getGdsService(); - if (StringUtils.equals(type, EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) { - if (StringUtils.isNotBlank(tagServiceName)) { - failures.add(new ValidationFailureDetailsBuilder() - .field("tag_service") - .isSemanticallyIncorrect() - .becauseOf("tag service cannot be part of a tag service") - .build()); - valid = false; - } - - if (StringUtils.isNotBlank(gdsServiceName)) { - failures.add(new ValidationFailureDetailsBuilder() - .field("gds_service") - .isSemanticallyIncorrect() - .becauseOf("tag service cannot be part of a gds service") - .build()); - valid = false; - } + if (StringUtils.isNotBlank(tagServiceName) && StringUtils.equals(type, EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) { + failures.add(new ValidationFailureDetailsBuilder() + .field("tag_service") + .isSemanticallyIncorrect() + .becauseOf("tag service cannot be part of a tag service") + .build()); + valid = false; } - if (StringUtils.equals(type, EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME)) { - if (StringUtils.isNotBlank(tagServiceName)) { - failures.add(new ValidationFailureDetailsBuilder() - .field("tag_service") - .isSemanticallyIncorrect() - .becauseOf("gds service cannot be linked to a tag service") - .build()); - valid = false; - } - - if (StringUtils.isNotBlank(gdsServiceName)) { - failures.add(new ValidationFailureDetailsBuilder() - .field("gds_service") - .isSemanticallyIncorrect() - .becauseOf("gds service cannot be linked to a gds service") - .build()); - valid = false; - } + if (StringUtils.isNotBlank(tagServiceName) && StringUtils.equals(type, EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME)) { + failures.add(new ValidationFailureDetailsBuilder() + .field("tag_service") + .isSemanticallyIncorrect() + .becauseOf("gds service cannot be linked to a tag service") + 
.build()); + valid = false; } - boolean needToEnsureTagServiceType = false; - boolean needToEnsureGdsServiceType = false; + boolean needToEnsureServiceType = false; if (action == Action.UPDATE) { RangerService otherService = getService(name); String otherTagServiceName = otherService == null ? null : otherService.getTagService(); - String otherGdsServiceName = otherService == null ? null : otherService.getGdsService(); if (StringUtils.isNotBlank(tagServiceName)) { if (!StringUtils.equals(tagServiceName, otherTagServiceName)) { - needToEnsureTagServiceType = true; - } - } - - if (StringUtils.isNotBlank(gdsServiceName)) { - if (!StringUtils.equals(gdsServiceName, otherGdsServiceName)) { - needToEnsureGdsServiceType = true; + needToEnsureServiceType = true; } } } else { // action == Action.CREATE if (StringUtils.isNotBlank(tagServiceName)) { - needToEnsureTagServiceType = true; - } - - if (StringUtils.isNotBlank(gdsServiceName)) { - needToEnsureGdsServiceType = true; + needToEnsureServiceType = true; } } - if (needToEnsureTagServiceType) { + if (needToEnsureServiceType) { RangerService maybeTagService = getService(tagServiceName); if (maybeTagService == null || !StringUtils.equals(maybeTagService.getType(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) { failures.add(new ValidationFailureDetailsBuilder() @@ -348,18 +313,6 @@ public class RangerServiceValidator extends RangerValidator { valid = false; } } - - if (needToEnsureGdsServiceType) { - RangerService gdsService = getService(gdsServiceName); - if (gdsService == null || !StringUtils.equals(gdsService.getType(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME)) { - failures.add(new ValidationFailureDetailsBuilder() - .field("gds_service") - .isSemanticallyIncorrect() - .becauseOf("gds service name does not refer to existing gds service:" + gdsServiceName) - .build()); - valid = false; - } - } } if(LOG.isDebugEnabled()) { 
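Review bot: The flag renamed to `needToEnsureServiceType` in the UPDATE/CREATE branches now tracks only the tag-service reference, so the generic name hides what is actually verified; keeping `needToEnsureTagServiceType` (the name the removed line had) reads better next to the `maybeTagService` lookup that consumes it. The two new guards `isNotBlank(tagServiceName) && equals(type, …)` differ only in the failure message, and a one-line comment above them such as `// a tag-service link is rejected for both the tag and the gds service types` would save the reader from diffing the two conditions. The enclosing validate method starts and ends outside this hunk.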
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractGdsStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractGdsStore.java index 91f598bd4..7b3677e30 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractGdsStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractGdsStore.java @@ -26,34 +26,9 @@ import org.apache.ranger.plugin.model.RangerGds.RangerDataShareInDataset; import org.apache.ranger.plugin.model.RangerGds.RangerProject; import org.apache.ranger.plugin.model.RangerGds.RangerSharedResource; import org.apache.ranger.plugin.util.SearchFilter; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; public abstract class AbstractGdsStore implements GdsStore { - private static final Logger LOG = LoggerFactory.getLogger(AbstractGdsStore.class); - - protected ServiceStore svcStore; - - @Override - public void init() throws Exception { - LOG.info("==> AbstractGdsStore.init()"); - - LOG.info("<== AbstractGdsStore.init()"); - } - - @Override - public void setServiceStore(ServiceStore svcStore) { - LOG.info("==> AbstractGdsStore.setServiceStore()"); - - this.svcStore = svcStore; - - LOG.info("<== AbstractGdsStore.setServiceStore()"); - } - - @Override - public ServiceStore getServiceStore() { return svcStore; } - @Override public RangerDataset createDataset(RangerDataset dataset) throws Exception { return null; } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java index 0c47515ef..07c561506 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 
@@ -91,7 +91,6 @@ public class AbstractPredicateUtil { addPredicateForIsEnabled(filter.getParam(SearchFilter.IS_ENABLED), predicates); addPredicateForIsRecursive(filter.getParam(SearchFilter.IS_RECURSIVE), predicates); addPredicateForTagServiceName(filter.getParam(SearchFilter.TAG_SERVICE_NAME), predicates); - addPredicateForGdsServiceName(filter.getParam(SearchFilter.GDS_SERVICE_NAME), predicates); // addPredicateForTagServiceId(filter.getParam(SearchFilter.TAG_SERVICE_ID), predicates); // not supported addPredicateForUserName(filter.getParam(SearchFilter.USER), predicates); addPredicateForGroupName(filter.getParam(SearchFilter.GROUP), predicates); @@ -858,39 +857,6 @@ public class AbstractPredicateUtil { return ret; } - private Predicate addPredicateForGdsServiceName(final String gdsServiceName, List<Predicate> predicates) { - if(StringUtils.isEmpty(gdsServiceName)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerService) { - RangerService service = (RangerService)object; - - ret = StringUtils.equals(gdsServiceName, service.getGdsService()); - } else { - ret = true; - } - - return ret; - } - }; - - if(ret != null) { - predicates.add(ret); - } - - return ret; - } - private Predicate addPredicateForResourceSignature(String signature, List<Predicate> predicates) { Predicate ret = createPredicateForResourceSignature(signature); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java index 8632dd6bc..dc786a457 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java 
@@ -275,7 +275,8 @@ public abstract class AbstractServiceStore implements ServiceStore { } private void updateTagServiceDefForUpdatingAccessTypes(RangerServiceDef serviceDef) throws Exception { - if (StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) { + if (StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME) || + StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME)) { return; } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/GdsStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/GdsStore.java index 8c56ec1ff..2dadf2cd4 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/GdsStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/GdsStore.java @@ -25,20 +25,16 @@ import org.apache.ranger.plugin.model.RangerGds.RangerDataset; import org.apache.ranger.plugin.model.RangerGds.RangerDatasetInProject; import org.apache.ranger.plugin.model.RangerGds.RangerProject; import org.apache.ranger.plugin.model.RangerGds.RangerSharedResource; +import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.util.SearchFilter; +import java.util.List; + /** * Interface to backing store for Data share model objects */ public interface GdsStore { - void init() throws Exception; - - void setServiceStore(ServiceStore svcStore); - - ServiceStore getServiceStore(); - - RangerDataset createDataset(RangerDataset dataset) throws Exception; RangerDataset updateDataset(RangerDataset dataset) throws Exception; 
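Review bot: `updateTagServiceDefForUpdatingAccessTypes` now returns early for the gds service-def as well as the tag service-def, but neither the method name nor a comment says why gds is exempt, so a maintainer will assume the gds def was meant to receive the access types too. Suggest a comment above the condition, e.g. `// the tag and gds service-defs are not rewritten with other service-defs' access types`, with the actual reason filled in, since it is not visible in this hunk. The method body continues past the end of the hunk.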
@@ -53,6 +49,18 @@ public interface GdsStore { PList<RangerDataset> searchDatasets(SearchFilter filter) throws Exception; + RangerPolicy addDatasetPolicy(Long datasetId, RangerPolicy policy) throws Exception; + + RangerPolicy updateDatasetPolicy(Long datasetId, RangerPolicy policy) throws Exception; + + void deleteDatasetPolicy(Long datasetId, Long policyId) throws Exception; + + void deleteDatasetPolicies(Long datasetId) throws Exception; + + RangerPolicy getDatasetPolicy(Long datasetId, Long policyId) throws Exception; + + List<RangerPolicy> getDatasetPolicies(Long datasetId) throws Exception; + RangerProject createProject(RangerProject dataset) throws Exception; @@ -68,6 +76,18 @@ public interface GdsStore { PList<RangerProject> searchProjects(SearchFilter filter) throws Exception; + RangerPolicy addProjectPolicy(Long projectId, RangerPolicy policy) throws Exception; + + RangerPolicy updateProjectPolicy(Long projectId, RangerPolicy policy) throws Exception; + + void deleteProjectPolicy(Long projectId, Long policyId) throws Exception; + + void deleteProjectPolicies(Long projectId) throws Exception; + + RangerPolicy getProjectPolicy(Long projectId, Long policyId) throws Exception; + + List<RangerPolicy> getProjectPolicies(Long projectId) throws Exception; + RangerDataShare createDataShare(RangerDataShare dataShare) throws Exception; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java index 26c5dd7e3..757dc6719 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java 
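Review bot: The new `getDatasetPolicy`, `updateDatasetPolicy`, `deleteDatasetPolicy` methods and their project counterparts take both the owner id and a `policyId`, but the interface says nothing about what happens when the policy is not mapped to that dataset or project; if an implementation resolves `policyId` globally, a caller with rights on one dataset could read, change or delete the policies of another (GdsDBStore is in the diffstat but not in this chunk, so I cannot tell whether it checks). Add Javadoc on each of these methods stating that implementations must verify the policy is mapped to the given id and reject it otherwise, e.g. `@throws Exception if policyId is not a policy of datasetId`. Also document `deleteDatasetPolicies`/`deleteProjectPolicies` as bulk removals of every mapped policy, and whether `addDatasetPolicy`/`addProjectPolicy` override any `service`/`resources` the caller sets on the policy. The pre-existing `createProject(RangerProject dataset)` parameter name in the context lines is misleading, though it is not part of this change.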
@@ -44,8 +44,6 @@ public class ServicePredicateUtil extends AbstractPredicateUtil { addPredicateForServiceId(filter.getParam(SearchFilter.SERVICE_ID), predicates); addPredicateForTagSeviceName(filter.getParam(SearchFilter.TAG_SERVICE_NAME), predicates); addPredicateForTagSeviceId(filter.getParam(SearchFilter.TAG_SERVICE_ID), predicates); - addPredicateForGdsSeviceName(filter.getParam(SearchFilter.GDS_SERVICE_NAME), predicates); - addPredicateForGdsSeviceId(filter.getParam(SearchFilter.GDS_SERVICE_ID), predicates); } private String getServiceType(String serviceName) { 
@@ -232,79 +230,4 @@ public class ServicePredicateUtil extends AbstractPredicateUtil { return ret; } - - private Predicate addPredicateForGdsSeviceName(final String gdsServiceName, List<Predicate> predicates) { - if(StringUtils.isEmpty(gdsServiceName)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerService) { - RangerService service = (RangerService)object; - - ret = StringUtils.equals(gdsServiceName, service.getGdsService()); - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForGdsSeviceId(final String gdsServiceId, List<Predicate> predicates) { - if(StringUtils.isEmpty(gdsServiceId)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerService) { - RangerService service = (RangerService)object; - - if(! StringUtils.isEmpty(service.getGdsService())) { - RangerService gdsService = null; - - try { - gdsService = serviceStore.getServiceByName(service.getGdsService()); - } catch(Exception excp) { - } - - ret = gdsService != null && gdsService.getId() != null && StringUtils.equals(gdsServiceId, gdsService.getId().toString()); - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java index 3c985c62c..5078d3668 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java 
@@ -46,19 +46,25 @@ public class RangerPerfTracer { } public static RangerPerfTracer getPerfTracer(Logger logger, String tag) { - String data = ""; - String realTag = ""; - - if (tag != null) { - int indexOfTagEndMarker = StringUtils.indexOf(tag, tagEndMarker); - if (indexOfTagEndMarker != -1) { - realTag = StringUtils.substring(tag, 0, indexOfTagEndMarker); - data = StringUtils.substring(tag, indexOfTagEndMarker); - } else { - realTag = tag; + if (logger.isDebugEnabled()) { + String data = ""; + String realTag = ""; + + if (tag != null) { + int indexOfTagEndMarker = StringUtils.indexOf(tag, tagEndMarker); + + if (indexOfTagEndMarker != -1) { + realTag = StringUtils.substring(tag, 0, indexOfTagEndMarker); + data = StringUtils.substring(tag, indexOfTagEndMarker); + } else { + realTag = tag; + } } + + return RangerPerfTracerFactory.getPerfTracer(logger, realTag, data); + } else { + return null; } - return RangerPerfTracerFactory.getPerfTracer(logger, realTag, data); } public static RangerPerfTracer getPerfTracer(Logger logger, String tag, String data) { diff --git a/agents-common/src/main/java/org/apache/ranger/services/gds/RangerServiceGds.java b/agents-common/src/main/java/org/apache/ranger/services/gds/RangerServiceGds.java index 0f03c5a31..c67d3d3b7 100644 --- a/agents-common/src/main/java/org/apache/ranger/services/gds/RangerServiceGds.java +++ b/agents-common/src/main/java/org/apache/ranger/services/gds/RangerServiceGds.java 
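Review bot: `getPerfTracer(Logger, String)` now returns `null` whenever `logger.isDebugEnabled()` is false, a contract change that is not documented and that any caller dereferencing the tracer without a null check will hit as an NPE once debug logging is off; it also dereferences `logger` unconditionally, which the previous body did not. Add Javadoc stating `@return a tracer, or null when debug logging is disabled for logger` and confirm that the callers (including `RangerPerfTracer.log`, not shown here) tolerate a null tracer. The three-argument overload `getPerfTracer(Logger, String, String)` that begins at the end of the hunk is not shown to get the same guard; if the intent is to skip tag parsing when tracing is off, both overloads should behave the same way.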
@@ -19,31 +19,21 @@ package org.apache.ranger.services.gds; -import org.apache.commons.io.FilenameUtils; -import org.apache.commons.lang.StringUtils; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.service.RangerBaseService; import org.apache.ranger.plugin.service.ResourceLookupContext; -import org.apache.ranger.plugin.store.GdsStore; -import org.apache.ranger.plugin.store.PList; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; - public class RangerServiceGds extends RangerBaseService { private static final Logger LOG = LoggerFactory.getLogger(RangerServiceGds.class); - public static final String RESOURCE_NAME_DATASET = "dataset"; - public static final String RESOURCE_NAME_PROJECT = "project"; - - private GdsStore gdsStore; - public RangerServiceGds() { super(); } @@ -53,10 +43,6 @@ public class RangerServiceGds extends RangerBaseService { super.init(serviceDef, service); } - public void setGdsStore(GdsStore gdsStore) { - this.gdsStore = gdsStore; - } - @Override public Map<String,Object> validateConfig() throws Exception { if(LOG.isDebugEnabled()) { 
@@ -80,48 +66,10 @@ public class RangerServiceGds extends RangerBaseService { LOG.debug("==> RangerServiceGds.lookupResource(" + context + ")"); } - List<String> ret = new ArrayList<>(); - String resourceType = context != null ? context.getResourceName() : null; - List<String> valuesToExclude = null; - List<String> resourceNames = null; - - if (StringUtils.equals(resourceType, RESOURCE_NAME_DATASET)) { - PList<String> datasets = gdsStore != null ? gdsStore.getDatasetNames(null) : null; - - resourceNames = datasets != null ? datasets.getList() : null; - valuesToExclude = context.getResources() != null ? context.getResources().get(RESOURCE_NAME_DATASET) : null; - } else if (StringUtils.equals(resourceType, RESOURCE_NAME_PROJECT)) { - PList<String> projects = gdsStore != null ? gdsStore.getProjectNames(null) : null; - - resourceNames = projects != null ? projects.getList() : null; - valuesToExclude = context.getResources() != null ? context.getResources().get(RESOURCE_NAME_PROJECT) : null; - } - - if (resourceNames != null) { - if (valuesToExclude != null) { - resourceNames.removeAll(valuesToExclude); - } - - String valueToMatch = context.getUserInput(); - - if (StringUtils.isNotEmpty(valueToMatch)) { - if (!valueToMatch.endsWith("*")) { - valueToMatch += "*"; - } - - for (String resourceName : resourceNames) { - if (FilenameUtils.wildcardMatch(resourceName, valueToMatch)) { - ret.add(resourceName); - } - } - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerServiceGds.lookupResource(): {} count={}", resourceType, ret.size()); + LOG.debug("<== RangerServiceGds.lookupResource()"); } - return ret; + return Collections.emptyList(); } } diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-gds.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-gds.json index 06049183c..da6c0bcdf 100644 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-gds.json 
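Review bot: `lookupResource` now always returns `Collections.emptyList()`, and the only hint at why is the servicedef change elsewhere in this commit; a reader of this class alone cannot tell whether lookup is disabled temporarily or by design. Add a comment above the return such as `// resource lookup is not supported: gds policy resources are dataset/project ids, not names (servicedef sets lookupSupported=false)`. The retained `LOG.debug("==> RangerServiceGds.lookupResource(" + context + ")")` at the top of the method could use the `{}` placeholder form that the removed exit log already used. The method signature is outside the hunk.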
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-gds.json @@ -10,35 +10,35 @@ "resources": [ { "itemId": 1, - "name": "dataset", + "name": "dataset-id", "type": "string", "level": 1, "parent": "", "mandatory": true, - "lookupSupported": true, + "lookupSupported": false, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": false, "ignoreCase": false }, "uiHint": "{ \"singleValue\": true }", - "label": "Dataset", - "description": "Dataset" + "label": "Dataset ID", + "description": "Dataset ID" }, { "itemId": 2, - "name": "project", + "name": "project-id", "type": "string", "level": 1, "parent": "", "mandatory": true, - "lookupSupported": true, + "lookupSupported": false, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": false, "ignoreCase": false }, "uiHint": "{ \"singleValue\": true }", - "label": "Project", - "description": "Project" + "label": "Project ID", + "description": "Project ID" } ], diff --git a/intg/src/main/python/apache_ranger/client/ranger_gds_client.py b/intg/src/main/python/apache_ranger/client/ranger_gds_client.py index ea42b3e2a..3751252c2 100644 --- a/intg/src/main/python/apache_ranger/client/ranger_gds_client.py +++ b/intg/src/main/python/apache_ranger/client/ranger_gds_client.py 
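Review bot: Renaming the resources from `dataset`/`project` to `dataset-id`/`project-id` changes the keys every existing gds policy is stored under, so policies created against the old names will stop matching after upgrade unless they are rewritten; the SQL files in the diffstat may handle that, but it is not visible in this hunk. The `description` fields could say that the value is the numeric dataset/project id and that `wildCard` and `ignoreCase` are deliberately false so a single policy cannot match a range of ids, e.g. `"description": "Numeric ID of the dataset (exact match only)"`. The unchanged `matcherOptions` and `uiHint` values fit an exact-id resource.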
@@ -65,12 +65,36 @@ class RangerGdsClient: def find_datasets(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.FIND_DATASETS, filter) - return PList.type_coerce_plist(resp, RangerDataset) + return PList(resp).type_coerce_list(RangerDataset) def get_dataset_names(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.GET_DATASET_NAMES, filter) - return PList.type_coerce_plist(resp, str) + return PList(resp).type_coerce_list(str) + + def add_dataset_policy(self, datasetId, policy): + resp = self.client_http.call_api(RangerGdsClient.ADD_DATASET_POLICY.format_path({ 'id': datasetId }), request_data=policy) + + return type_coerce(resp, RangerPolicy) + + def update_dataset_policy(self, datasetId, policy): + resp = self.client_http.call_api(RangerGdsClient.UPDATE_DATASET_POLICY.format_path({ 'id': datasetId, 'policyId': policy.id }), request_data=policy) + + return type_coerce(resp, RangerPolicy) + + def delete_dataset_policy(self, datasetId, policyId): + self.client_http.call_api(RangerGdsClient.DELETE_DATASET_POLICY.format_path({ 'id': datasetId, 'policyId': policyId })) + + def get_dataset_policy(self, datasetId, policyId): + resp = self.client_http.call_api(RangerGdsClient.GET_DATASET_POLICY.format_path({ 'id': datasetId, 'policyId': policyId })) + + return type_coerce(resp, RangerPolicy) + + def get_dataset_policies(self, datasetId): + resp = self.client_http.call_api(RangerGdsClient.GET_DATASET_POLICIES.format_path({ 'id': datasetId })) + + return type_coerce_list(resp, RangerPolicy) + def create_project(self, project): resp = self.client_http.call_api(RangerGdsClient.CREATE_PROJECT, request_data=project) 
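Review bot: The new `add_dataset_policy` … `get_dataset_policies` methods use `RangerPolicy`, `type_coerce` and `type_coerce_list`, none of which are imported within this hunk; the file's import block is outside it, so confirm they are in scope, otherwise these methods raise `NameError` on first call. `update_dataset_policy` builds the path from `policy.id` and will send `…/policy/None` when given a freshly constructed policy, so a guard such as `if policy.id is None: raise ValueError('policy.id is required')` would fail earlier and more clearly. The ids are interpolated directly into the URL by `format_path`; if they can come from untrusted input the caller should coerce them with `int()` first, since a string containing `/` or `..` would change which endpoint is hit.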
@@ -93,12 +117,36 @@ class RangerGdsClient: def find_projects(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.FIND_PROJECTS, filter) - return PList.type_coerce_plist(resp, RangerDataset) + return PList(resp).type_coerce_list(RangerDataset) def get_project_names(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.GET_PROJECT_NAMES, filter) - return PList.type_coerce_plist(resp, str) + return PList(resp).type_coerce_list(str) + + def add_project_policy(self, projectId, policy): + resp = self.client_http.call_api(RangerGdsClient.ADD_PROJECT_POLICY.format_path({ 'id': projectId }), request_data=policy) + + return type_coerce(resp, RangerPolicy) + + def update_project_policy(self, projectId, policy): + resp = self.client_http.call_api(RangerGdsClient.UPDATE_PROJECT_POLICY.format_path({ 'id': projectId, 'policyId': policy.id }), request_data=policy) + + return type_coerce(resp, RangerPolicy) + + def delete_project_policy(self, projectId, policyId): + self.client_http.call_api(RangerGdsClient.DELETE_PROJECT_POLICY.format_path({ 'id': projectId, 'policyId': policyId })) + + def get_project_policy(self, projectId, policyId): + resp = self.client_http.call_api(RangerGdsClient.GET_PROJECT_POLICY.format_path({ 'id': projectId, 'policyId': policyId })) + + return type_coerce(resp, RangerPolicy) + + def get_project_policies(self, projectId): + resp = self.client_http.call_api(RangerGdsClient.GET_PROJECT_POLICIES.format_path({ 'id': projectId })) + + return type_coerce_list(resp, RangerPolicy) + def create_data_share(self, data_share): resp = self.client_http.call_api(RangerGdsClient.CREATE_DATA_SHARE, request_data=data_share) 
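Review bot: `find_projects` still coerces the page to `RangerDataset` (`return PList(resp).type_coerce_list(RangerDataset)`) while every other method in the project block deals in project objects; the removed line had the same mistake and this rewrite was the chance to fix it, so it should read `return PList(resp).type_coerce_list(RangerProject)`, assuming `RangerProject` is imported as the other project methods presumably need. The new project-policy methods mirror the dataset ones and share their dependency on `RangerPolicy`, `type_coerce` and `type_coerce_list` being imported elsewhere in the file, and `update_project_policy` likewise puts `policy.id` into the path without checking it is set.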
@@ -121,7 +169,7 @@ class RangerGdsClient: def find_data_shares(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.FIND_DATA_SHARES, filter) - return PList.type_coerce_plist(resp, RangerDataShare) + return PList(resp).type_coerce_list(RangerDataShare) def add_shared_resource(self, resource): resp = self.client_http.call_api(RangerGdsClient.ADD_SHARED_RESOURCE, request_data=resource) @@ -144,7 +192,8 @@ class RangerGdsClient: def find_shared_resources(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.FIND_SHARED_RESOURCES, filter) - return PList.type_coerce_plist(resp, RangerSharedResource) + return PList(resp).type_coerce_list(RangerSharedResource) + def add_data_share_in_dataset(self, dshid): resp = self.client_http.call_api(RangerGdsClient.ADD_DATA_SHARE_IN_DATASET, request_data=dshid) @@ -167,7 +216,8 @@ class RangerGdsClient: def find_data_share_in_datasets(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.FIND_DATA_SHARE_IN_DATASETS, filter) - return PList.type_coerce_plist(resp, RangerDataShareInDataset) + return PList(resp).type_coerce_list(RangerDataShareInDataset) + def add_dataset_in_project(self, dip): resp = self.client_http.call_api(RangerGdsClient.ADD_DATASET_IN_PROJECT, request_data=dip) @@ -190,7 +240,7 @@ class RangerGdsClient: def find_dataset_in_projects(self, filter=None): resp = self.client_http.call_api(RangerGdsClient.FIND_DATASET_IN_PROJECTS, filter) - return PList.type_coerce_plist(resp, RangerDatasetInProject) + return PList(resp).type_coerce_list(RangerDatasetInProject) # URIs 
@@ -198,9 +248,13 @@ class RangerGdsClient: URI_DATASET = URI_GDS + "/dataset" URI_DATASET_BY_ID = URI_DATASET + "/{id}" URI_DATASET_NAMES = URI_DATASET + "/names" + URI_DATASET_POLICY = URI_DATASET_BY_ID + "/policy" + URI_DATASET_POLICY_ID = URI_DATASET_POLICY + "/{policyId}" URI_PROJECT = URI_GDS + "/project" URI_PROJECT_BY_ID = URI_PROJECT + "/{id}" URI_PROJECT_NAMES = URI_PROJECT + "/names" + URI_PROJECT_POLICY = URI_PROJECT_BY_ID + "/policy" + URI_PROJECT_POLICY_ID = URI_PROJECT_POLICY + "/{policyId}" URI_DATA_SHARE = URI_GDS + "/datashare" URI_DATA_SHARE_BY_ID = URI_DATA_SHARE + "/{id}" URI_SHARED_RESOURCE = URI_GDS + "/resource" @@ -221,6 +275,11 @@ class RangerGdsClient: GET_DATASET_BY_ID = API(URI_DATASET_BY_ID, HttpMethod.GET, HTTPStatus.OK) FIND_DATASETS = API(URI_DATASET, HttpMethod.GET, HTTPStatus.OK) GET_DATASET_NAMES = API(URI_DATASET_NAMES, HttpMethod.GET, HTTPStatus.OK) + ADD_DATASET_POLICY = API(URI_DATASET_POLICY, HttpMethod.POST, HTTPStatus.OK) + UPDATE_DATASET_POLICY = API(URI_DATASET_POLICY_ID, HttpMethod.PUT, HTTPStatus.OK) + DELETE_DATASET_POLICY = API(URI_DATASET_POLICY_ID, HttpMethod.DELETE, HTTPStatus.NO_CONTENT) + GET_DATASET_POLICY = API(URI_DATASET_POLICY_ID, HttpMethod.GET, HTTPStatus.OK) + GET_DATASET_POLICIES = API(URI_DATASET_POLICY, HttpMethod.GET, HTTPStatus.OK) CREATE_PROJECT = API(URI_PROJECT, HttpMethod.POST, HTTPStatus.OK) UPDATE_PROJECT_BY_ID = API(URI_PROJECT_BY_ID, HttpMethod.PUT, HTTPStatus.OK) 
@@ -228,6 +287,11 @@ class RangerGdsClient: GET_PROJECT_BY_ID = API(URI_PROJECT_BY_ID, HttpMethod.GET, HTTPStatus.OK) FIND_PROJECTS = API(URI_PROJECT, HttpMethod.GET, HTTPStatus.OK) GET_PROJECT_NAMES = API(URI_PROJECT_NAMES, HttpMethod.GET, HTTPStatus.OK) + ADD_PROJECT_POLICY = API(URI_PROJECT_POLICY, HttpMethod.POST, HTTPStatus.OK) + UPDATE_PROJECT_POLICY = API(URI_PROJECT_POLICY_ID, HttpMethod.PUT, HTTPStatus.OK) + DELETE_PROJECT_POLICY = API(URI_PROJECT_POLICY_ID, HttpMethod.DELETE, HTTPStatus.NO_CONTENT) + GET_PROJECT_POLICY = API(URI_PROJECT_POLICY_ID, HttpMethod.GET, HTTPStatus.OK) + GET_PROJECT_POLICIES = API(URI_PROJECT_POLICY, HttpMethod.GET, HTTPStatus.OK) CREATE_DATA_SHARE = API(URI_DATA_SHARE, HttpMethod.POST, HTTPStatus.OK) UPDATE_DATA_SHARE_BY_ID = API(URI_DATA_SHARE_BY_ID, HttpMethod.PUT, HTTPStatus.OK) diff --git a/intg/src/main/python/apache_ranger/model/ranger_base.py b/intg/src/main/python/apache_ranger/model/ranger_base.py index 2cb06b8bd..3b792ff7d 100644 --- a/intg/src/main/python/apache_ranger/model/ranger_base.py +++ b/intg/src/main/python/apache_ranger/model/ranger_base.py @@ -93,3 +93,5 @@ class PList(RangerBase): def type_coerce_list(self, elemType): self.list = type_coerce_list(self.list, elemType) + + return self diff --git a/ranger-examples/sample-client/src/main/python/sample_gds_client.py b/ranger-examples/sample-client/src/main/python/sample_gds_client.py index 1b0d7a93f..890b2a2d8 100644 --- a/ranger-examples/sample-client/src/main/python/sample_gds_client.py +++ b/ranger-examples/sample-client/src/main/python/sample_gds_client.py 
@@ -131,6 +131,13 @@ dshid_2.validitySchedule = { 'startTime': '2023/02/01', 'endTime': '2023/03/01' dshid_2 = gds.update_data_share_in_dataset(dshid_2.id, dshid_2) print(f' updated data_share_in_dataset: {dshid_2}') +print(f'Adding policy for dataset {dataset_1.name}: ') +policy = gds.add_dataset_policy(dataset_1.id, RangerPolicy({ 'name': dataset_1.name })) +print(f' added policy for dataset {dataset_1.name}: {policy}') + +policies = gds.get_dataset_policies(dataset_1.id) +print(f' policies for dataset {dataset_1.name}: {policies}') + d1_in_p1 = RangerDatasetInProject({ 'datasetId': dataset_1.id, 'projectId': project_1.id, 'status': GdsShareStatus.GRANTED, 'validitySchedule': { 'startTime': '2023/01/01', 'endTime': '2023/04/01' }}) d1_in_p2 = RangerDatasetInProject({ 'datasetId': dataset_1.id, 'projectId': project_2.id, 'status': GdsShareStatus.GRANTED, 'validitySchedule': { 'startTime': '2023/01/01', 'endTime': '2023/04/01' }}) @@ -153,6 +160,13 @@ d2_in_p2.status = GdsShareStatus.GRANTED d2_in_p2 = gds.update_dataset_in_project(d2_in_p2.id, d2_in_p2) print(f' updated dataset_in_project: {d2_in_p2}') +print(f'Adding policy for project {project_1.name}: ') +policy = gds.add_project_policy(project_1.id, RangerPolicy({ 'name': project_1.name })) +print(f' added policy for project {project_1.name}: {policy}') + +policies = gds.get_project_policies(project_1.id) +print(f' policies for project {project_1.name}: {policies}') + print(f'Removing dataset_in_project: id={d1_in_p1.id}') gds.remove_dataset_in_project(d1_in_p1.id) diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql index e71facf8e..331c97027 100755 --- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql +++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
@@ -92,6 +92,8 @@ DROP TABLE IF EXISTS `xa_access_audit`; DROP TABLE IF EXISTS `x_portal_user_role`; DROP TABLE IF EXISTS `x_portal_user`; DROP TABLE IF EXISTS `x_db_version_h`; +DROP TABLE IF EXISTS `x_gds_dataset_policy_map`; +DROP TABLE IF EXISTS `x_gds_project_policy_map`; DROP TABLE IF EXISTS `x_gds_dataset_in_project`; DROP TABLE IF EXISTS `x_gds_data_share_in_dataset`; DROP TABLE IF EXISTS `x_gds_shared_resource`; @@ -564,7 +566,6 @@ CREATE TABLE `x_service` ( `tag_service` BIGINT DEFAULT NULL NULL, `tag_version` BIGINT DEFAULT 0 NOT NULL, `tag_update_time` DATETIME DEFAULT NULL NULL, -`gds_service` BIGINT DEFAULT NULL NULL, primary key (`id`), UNIQUE KEY `X_service_name` (`name`), KEY `x_service_added_by_id` (`added_by_id`), @@ -575,8 +576,7 @@ KEY `x_service_type` (`type`), CONSTRAINT `x_service_FK_added_by_id` FOREIGN KEY (`added_by_id`) REFERENCES `x_portal_user` (`id`), CONSTRAINT `x_service_FK_upd_by_id` FOREIGN KEY (`upd_by_id`) REFERENCES `x_portal_user` (`id`), CONSTRAINT `x_service_FK_type` FOREIGN KEY (`type`) REFERENCES `x_service_def` (`id`), -CONSTRAINT `x_service_FK_tag_service` FOREIGN KEY (`tag_service`) REFERENCES `x_service` (`id`), -CONSTRAINT `x_service_FK_gds_service` FOREIGN KEY (`gds_service`) REFERENCES `x_service` (`id`) +CONSTRAINT `x_service_FK_tag_service` FOREIGN KEY (`tag_service`) REFERENCES `x_service` (`id`) )ROW_FORMAT=DYNAMIC; CREATE TABLE IF NOT EXISTS `x_security_zone`( @@ -1249,8 +1249,6 @@ CREATE TABLE `x_service_version_info` ( `tag_update_time` datetime NULL DEFAULT NULL, `role_version` bigint(20) NOT NULL DEFAULT 0, `role_update_time` datetime NULL DEFAULT NULL, -`gds_version` bigint(20) DEFAULT 0 NOT NULL, -`gds_update_time` datetime DEFAULT NULL NULL, `version` bigint(20) NOT NULL DEFAULT '1', primary key (`id`), CONSTRAINT `x_service_version_info_FK_service_id` FOREIGN KEY (`service_id`) REFERENCES `x_service` (`id`) 
@@ -1872,6 +1870,30 @@ CREATE INDEX `x_gds_dip_guid` ON `x_gds_dataset_in_project`(`guid`); CREATE INDEX `x_gds_dip_dataset_id` ON `x_gds_dataset_in_project`(`dataset_id`); CREATE INDEX `x_gds_dip_project_id` ON `x_gds_dataset_in_project`(`project_id`); +CREATE TABLE `x_gds_dataset_policy_map`( + `id` BIGINT(20) NOT NULL AUTO_INCREMENT + , `dataset_id` BIGINT(20) NOT NULL + , `policy_id` BIGINT(20) NOT NULL + , PRIMARY KEY(`id`) + , UNIQUE KEY `x_gds_dpm_UK_dataset_id_policy_id`(`dataset_id`, `policy_id`) + , CONSTRAINT `x_gds_dpm_FK_dataset_id` FOREIGN KEY(`dataset_id`) REFERENCES `x_gds_dataset`(`id`) + , CONSTRAINT `x_gds_dpm_FK_policy_id` FOREIGN KEY(`policy_id`) REFERENCES `x_policy`(`id`) +); +CREATE INDEX `x_gds_dpm_dataset_id` ON `x_gds_dataset_policy_map`(`dataset_id`); +CREATE INDEX `x_gds_dpm_policy_id` ON `x_gds_dataset_policy_map`(`policy_id`); + +CREATE TABLE `x_gds_project_policy_map`( + `id` BIGINT(20) NOT NULL AUTO_INCREMENT + , `project_id` BIGINT(20) NOT NULL + , `policy_id` BIGINT(20) NOT NULL + , PRIMARY KEY(`id`) + , UNIQUE KEY `x_gds_ppm_UK_project_id_policy_id`(`project_id`, `policy_id`) + , CONSTRAINT `x_gds_ppm_FK_project_id` FOREIGN KEY(`project_id`) REFERENCES `x_gds_project`(`id`) + , CONSTRAINT `x_gds_ppm_FK_policy_id` FOREIGN KEY(`policy_id`) REFERENCES `x_policy`(`id`) +); +CREATE INDEX `x_gds_ppm_project_id` ON `x_gds_project_policy_map`(`project_id`); +CREATE INDEX `x_gds_ppm_policy_id` ON `x_gds_project_policy_map`(`policy_id`); + DELIMITER $$ DROP PROCEDURE if exists insertRangerPrerequisiteEntries $$ diff --git a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql index 8536f651e..a0e6c55cc 100755 --- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql +++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
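Review bot: Both new map tables declare `FOREIGN KEY(policy_id) REFERENCES x_policy(id)` with no ON DELETE action, so deleting a mapped policy through the generic policy path (ServiceDBStore.deletePolicy / ServiceREST, whose changes are not in this chunk) will fail with a constraint violation unless that path removes the map row first. Either add `ON DELETE CASCADE` to the two policy_id constraints or make sure the generic delete cleans x_gds_dataset_policy_map and x_gds_project_policy_map, and confirm which is intended. The standalone indexes `x_gds_dpm_dataset_id` and `x_gds_ppm_project_id` are redundant with the unique keys whose leading column is the same column, so they can be dropped. The postgres tables in the ranger_core_db_postgres.sql @@ -1869 hunk have the same two issues.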
@@ -90,6 +90,8 @@ DROP TABLE IF EXISTS xa_access_audit CASCADE; DROP TABLE IF EXISTS x_portal_user_role CASCADE; DROP TABLE IF EXISTS x_portal_user CASCADE; DROP TABLE IF EXISTS x_db_version_h CASCADE; +DROP TABLE IF EXISTS x_gds_dataset_policy_map; +DROP TABLE IF EXISTS x_gds_project_policy_map; DROP TABLE IF EXISTS x_gds_dataset CASCADE; DROP TABLE IF EXISTS x_gds_project CASCADE; DROP TABLE IF EXISTS x_gds_data_share CASCADE; @@ -575,14 +577,12 @@ is_enabled BOOLEAN DEFAULT '0' NOT NULL, tag_service BIGINT DEFAULT NULL NULL, tag_version BIGINT DEFAULT 0 NOT NULL, tag_update_time TIMESTAMP DEFAULT NULL NULL, -gds_service BIGINT DEFAULT NULL NULL, primary key(id), CONSTRAINT x_service_name UNIQUE(name), CONSTRAINT x_service_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES x_portal_user(id), CONSTRAINT x_service_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES x_portal_user(id), CONSTRAINT x_service_FK_type FOREIGN KEY(type) REFERENCES x_service_def(id), -CONSTRAINT x_service_FK_tag_service FOREIGN KEY (tag_service) REFERENCES x_service(id), -CONSTRAINT x_service_FK_gds_service FOREIGN KEY (gds_service) REFERENCES x_service(id) +CONSTRAINT x_service_FK_tag_service FOREIGN KEY (tag_service) REFERENCES x_service(id) ); CREATE SEQUENCE x_security_zone_seq; @@ -1196,8 +1196,6 @@ tag_version bigint NOT NULL DEFAULT '0', tag_update_time TIMESTAMP DEFAULT NULL, role_version bigint NOT NULL DEFAULT '0', role_update_time TIMESTAMP DEFAULT NULL, -gds_version bigint NOT NULL DEFAULT '0', -gds_update_time TIMESTAMP DEFAULT NULL, version bigint NOT NULL DEFAULT '1', primary key (id), CONSTRAINT x_service_version_info_service_id FOREIGN KEY (service_id) REFERENCES x_service (id) 
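Review bot: The two added DROP TABLE IF EXISTS lines omit `CASCADE`, while every other DROP in this block carries it. Nothing in the visible DDL references the map tables and they are dropped before the tables they point to, so this works today, but `DROP TABLE IF EXISTS x_gds_dataset_policy_map CASCADE;` (and the project one) keeps the block uniform and will not break if a dependent object is added later.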
@@ -1869,6 +1867,34 @@ CREATE INDEX x_gds_dip_dataset_id ON x_gds_dataset_in_project(dataset_id); CREATE INDEX x_gds_dip_project_id ON x_gds_dataset_in_project(project_id); commit; +CREATE SEQUENCE x_gds_dataset_policy_map_seq; +CREATE TABLE x_gds_dataset_policy_map( + id BIGINT NOT NULL DEFAULT nextval('x_gds_dataset_policy_map_seq'::regclass) + , dataset_id BIGINT NOT NULL + , policy_id BIGINT NOT NULL + , PRIMARY KEY(id) + , CONSTRAINT x_gds_dpm_FK_dataset_id FOREIGN KEY(dataset_id) REFERENCES x_gds_dataset(id) + , CONSTRAINT x_gds_dpm_FK_policy_id FOREIGN KEY(policy_id) REFERENCES x_policy(id) + , CONSTRAINT x_gds_dpm_UK_dataset_id_policy_id UNIQUE(dataset_id, policy_id) +); +CREATE INDEX x_gds_dpm_dataset_id ON x_gds_dataset_policy_map(dataset_id); +CREATE INDEX x_gds_dpm_policy_id ON x_gds_dataset_policy_map(policy_id); +commit; + +CREATE SEQUENCE x_gds_project_policy_map_seq; +CREATE TABLE x_gds_project_policy_map( + id BIGINT NOT NULL DEFAULT nextval('x_gds_project_policy_map_seq'::regclass) + , project_id BIGINT NOT NULL + , policy_id BIGINT NOT NULL + , PRIMARY KEY(id) + , CONSTRAINT x_gds_ppm_FK_project_id FOREIGN KEY(project_id) REFERENCES x_gds_project(id) + , CONSTRAINT x_gds_ppm_FK_policy_id FOREIGN KEY(policy_id) REFERENCES x_policy(id) + , CONSTRAINT x_gds_ppm_UK_project_id_policy_id UNIQUE(project_id, policy_id) +); +CREATE INDEX x_gds_ppm_project_id ON x_gds_project_policy_map(project_id); +CREATE INDEX x_gds_ppm_policy_id ON x_gds_project_policy_map(policy_id); +commit; + CREATE INDEX x_tag_change_log_IDX_service_id ON x_tag_change_log(service_id); CREATE INDEX x_tag_change_log_IDX_tag_version ON x_tag_change_log(service_tags_version); diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java index 05705cd92..a1f5ef6fe 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java @@ -34,8 +34,10 @@ import org.apache.ranger.db.XXGdsProjectDao; import org.apache.ranger.entity.XXGdsDataShareInDataset; import org.apache.ranger.entity.XXGdsDataset; import org.apache.ranger.entity.XXGdsDatasetInProject; +import org.apache.ranger.entity.XXGdsDatasetPolicyMap; import org.apache.ranger.entity.XXPolicy; import org.apache.ranger.entity.XXGdsProject; +import org.apache.ranger.entity.XXGdsProjectPolicyMap; import org.apache.ranger.plugin.model.RangerDatasetHeader.RangerDatasetHeaderInfo; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerGds.GdsPermission; @@ -51,6 +53,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerPrincipal.PrincipalType; import org.apache.ranger.plugin.store.AbstractGdsStore; import org.apache.ranger.plugin.store.PList; +import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.service.RangerGdsDataShareService; import org.apache.ranger.service.RangerGdsDataShareInDatasetService; 
@@ -86,6 +89,14 @@ import static org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil.EMBEDDED_SE public class GdsDBStore extends AbstractGdsStore { private static final Logger LOG = LoggerFactory.getLogger(GdsDBStore.class); + public static final String RESOURCE_NAME_DATASET_ID = "dataset-id"; + public static final String RESOURCE_NAME_PROJECT_ID = "project-id"; + + public static final String NOT_AUTHORIZED_FOR_DATASET_POLICIES = "User is not authorized to manage policies for this dataset"; + public static final String NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES = "User is not authorized to view policies for this dataset"; + public static final String NOT_AUTHORIZED_FOR_PROJECT_POLICIES = "User is not authorized to manage policies for this dataset"; + public static final String NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES = "User is not authorized to view policies for this dataset"; + @Autowired RangerGdsValidator validator; @@ -122,6 +133,9 @@ public class GdsDBStore extends AbstractGdsStore { @Autowired RangerBizUtil bizUtil; + @Autowired + ServiceStore svcStore; + @Autowired RESTErrorUtil restErrorUtil; @@ -210,6 +224,7 @@ public class GdsDBStore extends AbstractGdsStore { validator.validateDelete(datasetId, existing); + deleteDatasetPolicies(existing); datasetService.delete(existing); datasetService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); @@ -225,7 +240,6 @@ public class GdsDBStore extends AbstractGdsStore { RangerDataset ret = datasetService.read(datasetId); - if (ret != null && !validator.hasPermission(ret.getAcl(), GdsPermission.VIEW)) { throw new Exception("no permission on dataset id=" + datasetId); } 
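Review bot: NOT_AUTHORIZED_FOR_PROJECT_POLICIES and NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES carry the dataset wording ("... for this dataset"), so every 403 raised on the project endpoints will talk about a dataset. Change them to `"User is not authorized to manage policies for this project"` and `"User is not authorized to view policies for this project"`. The later hunks that use these constants also mix them up (deleteProjectPolicy, getProjectPolicy and getProjectPolicies throw the DATASET variants), so fixing the text alone is not sufficient.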
@@ -281,9 +295,9 @@ public class GdsDBStore extends AbstractGdsStore { public PList<RangerDataset> searchDatasets(SearchFilter filter) throws Exception { LOG.debug("==> searchDatasets({})", filter); - PList<RangerDataset> ret = getUnscrubbedDatasets(filter); - List<RangerDataset> datasets = ret.getList(); - GdsPermission gdsPermission = getGdsPermissionFromFilter(filter); + PList<RangerDataset> ret = getUnscrubbedDatasets(filter); + List<RangerDataset> datasets = ret.getList(); + GdsPermission gdsPermission = getGdsPermissionFromFilter(filter); for (RangerDataset dataset : datasets) { if (gdsPermission.equals(GdsPermission.LIST)) { 
@@ -296,6 +310,137 @@ public class GdsDBStore extends AbstractGdsStore { return ret; } + @Override + public RangerPolicy addDatasetPolicy(Long datasetId, RangerPolicy policy) throws Exception { + LOG.debug("==> addDatasetPolicy({}, {})", datasetId, policy); + + RangerDataset dataset = datasetService.read(datasetId); + + if (!validator.hasPermission(dataset.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_DATASET_POLICIES); + } + + prepareDatasetPolicy(dataset, policy); + + RangerPolicy ret = svcStore.createPolicy(policy); + + daoMgr.getXXGdsDatasetPolicyMap().create(new XXGdsDatasetPolicyMap(datasetId, ret.getId())); + + LOG.debug("<== addDatasetPolicy({}, {}): ret={}", datasetId, policy, ret); + + return ret; + } + + @Override + public RangerPolicy updateDatasetPolicy(Long datasetId, RangerPolicy policy) throws Exception { + LOG.debug("==> updateDatasetPolicy({}, {})", datasetId, policy); + + RangerDataset dataset = datasetService.read(datasetId); + + if (!validator.hasPermission(dataset.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_DATASET_POLICIES); + } + + XXGdsDatasetPolicyMap existing = daoMgr.getXXGdsDatasetPolicyMap().getDatasetPolicyMap(datasetId, policy.getId()); + + if (existing == null) { + throw new Exception("no policy exists: datasetId=" + datasetId + ", policyId=" + policy.getId()); + } + + prepareDatasetPolicy(dataset, policy); + + RangerPolicy ret = svcStore.updatePolicy(policy); + + LOG.debug("<== updateDatasetPolicy({}, {}): ret={}", datasetId, policy, ret); + + return ret; + } + + @Override + public void deleteDatasetPolicy(Long datasetId, Long policyId) throws Exception { + LOG.debug("==> deleteDatasetPolicy({}, {})", datasetId, policyId); + + RangerDataset dataset = datasetService.read(datasetId); + + if (!validator.hasPermission(dataset.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_DATASET_POLICIES); + } + + XXGdsDatasetPolicyMap existing = daoMgr.getXXGdsDatasetPolicyMap().getDatasetPolicyMap(datasetId, policyId); + + if (existing == null) { + throw new Exception("no policy exists: datasetId=" + datasetId + ", policyId=" + policyId); + } + + RangerPolicy policy = svcStore.getPolicy(policyId); + + daoMgr.getXXGdsDatasetPolicyMap().remove(existing); + svcStore.deletePolicy(policy); + + LOG.debug("<== deleteDatasetPolicy({}, {})", datasetId, policyId); + } + + @Override + public void deleteDatasetPolicies(Long datasetId) throws Exception { + LOG.debug("==> deleteDatasetPolicies({})", datasetId); + + RangerDataset dataset = datasetService.read(datasetId); + + deleteDatasetPolicies(dataset); + + LOG.debug("<== deleteDatasetPolicy({})", datasetId); + } + + @Override + public RangerPolicy getDatasetPolicy(Long datasetId, Long policyId) throws Exception { + LOG.debug("==> getDatasetPolicy({}, {})", datasetId, policyId); + + RangerDataset dataset = datasetService.read(datasetId); + + if (!validator.hasPermission(dataset.getAcl(), GdsPermission.AUDIT)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES); + } + + XXGdsDatasetPolicyMap existing = daoMgr.getXXGdsDatasetPolicyMap().getDatasetPolicyMap(datasetId, policyId); + + if (existing == null) { + throw new Exception("no policy exists: datasetId=" + datasetId + ", policyId=" + policyId); + } + + RangerPolicy ret = svcStore.getPolicy(policyId); + + LOG.debug("<== getDatasetPolicy({}, {}): ret={}", datasetId, policyId, ret); + + return ret; + } + + @Override + public List<RangerPolicy> getDatasetPolicies(Long datasetId) throws Exception { + LOG.debug("==> getDatasetPolicies({})", datasetId); + + List<RangerPolicy> ret = null; + + RangerDataset dataset = datasetService.read(datasetId); + + if (!validator.hasPermission(dataset.getAcl(), GdsPermission.AUDIT)) { + throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES); + } + + List<Long> policyIds = daoMgr.getXXGdsDatasetPolicyMap().getDatasetPolicyIds(datasetId); + + if (policyIds != null) { + ret = new ArrayList<>(policyIds.size()); + + for (Long policyId : policyIds) { + ret.add(svcStore.getPolicy(policyId)); + } + } + + LOG.debug("<== getDatasetPolicies({}): ret={}", datasetId, ret); + + return ret; + } + @Override public RangerProject createProject(RangerProject project) throws Exception { LOG.debug("==> createProject({})", project); @@ -356,6 +501,7 @@ public class GdsDBStore extends AbstractGdsStore { validator.validateDelete(projectId, existing); + deleteProjectPolicies(existing); projectService.delete(existing); projectService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); 
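Review bot: Every new method dereferences the result of `datasetService.read(datasetId)` as `dataset.getAcl()` without a null check, whereas the pre-existing code in the @@ -225 hunk guards the same call with `ret != null`; if read returns null for an unknown id these endpoints fail with a NullPointerException instead of a not-found response. Add `if (dataset == null) { throw restErrorUtil.createRESTException("dataset not found: id=" + datasetId, MessageEnums.DATA_NOT_FOUND); }` after each read, and consider raising the "no policy exists" cases the same way instead of a bare `Exception`, which will most likely surface as a 500. updateDatasetPolicy also calls prepareDatasetPolicy, which (see the helper hunk at the end of the file) assigns a fresh timestamped name, so each update silently renames the policy; for updates the stored name should be kept. Minor: the exit log of deleteDatasetPolicies reads `"<== deleteDatasetPolicy({})"`, and getDatasetPolicies returns null when the DAO returns null, where `Collections.emptyList()` is the safer default. The project counterparts in the next hunk share all of these points.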
@@ -445,6 +591,137 @@ public class GdsDBStore extends AbstractGdsStore { return ret; } + @Override + public RangerPolicy addProjectPolicy(Long projectId, RangerPolicy policy) throws Exception { + LOG.debug("==> addProjectPolicy({}, {})", projectId, policy); + + RangerProject project = projectService.read(projectId); + + if (!validator.hasPermission(project.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_PROJECT_POLICIES); + } + + prepareProjectPolicy(project, policy); + + RangerPolicy ret = svcStore.createPolicy(policy); + + daoMgr.getXXGdsProjectPolicyMap().create(new XXGdsProjectPolicyMap(projectId, ret.getId())); + + LOG.debug("<== addProjectPolicy({}, {}): ret={}", projectId, policy, ret); + + return ret; + } + + @Override + public RangerPolicy updateProjectPolicy(Long projectId, RangerPolicy policy) throws Exception { + LOG.debug("==> updateProjectPolicy({}, {})", projectId, policy); + + RangerProject project = projectService.read(projectId); + + if (!validator.hasPermission(project.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_PROJECT_POLICIES); + } + + XXGdsProjectPolicyMap existing = daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyMap(projectId, policy.getId()); + + if (existing == null) { + throw new Exception("no policy exists: projectId=" + projectId + ", policyId=" + policy.getId()); + } + + prepareProjectPolicy(project, policy); + + RangerPolicy ret = svcStore.updatePolicy(policy); + + LOG.debug("<== updateProjectPolicy({}, {}): ret={}", projectId, policy, ret); + + return ret; + } + + @Override + public void deleteProjectPolicy(Long projectId, Long policyId) throws Exception { + LOG.debug("==> deleteProjectPolicy({}, {})", projectId, policyId); + + RangerProject project = projectService.read(projectId); + + if (!validator.hasPermission(project.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_DATASET_POLICIES); + } + + XXGdsProjectPolicyMap existing = daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyMap(projectId, policyId); + + if (existing == null) { + throw new Exception("no policy exists: projectId=" + projectId + ", policyId=" + policyId); + } + + RangerPolicy policy = svcStore.getPolicy(policyId); + + daoMgr.getXXGdsProjectPolicyMap().remove(existing); + svcStore.deletePolicy(policy); + + LOG.debug("<== deleteProjectPolicy({}, {})", projectId, policyId); + } + + @Override + public void deleteProjectPolicies(Long projectId) throws Exception { + LOG.debug("==> deleteProjectPolicies({})", projectId); + + RangerProject project = projectService.read(projectId); + + deleteProjectPolicies(project); + + LOG.debug("<== deleteProjectPolicy({})", projectId); + } + + @Override + public RangerPolicy getProjectPolicy(Long projectId, Long policyId) throws Exception { + LOG.debug("==> getProjectPolicy({}, {})", projectId, policyId); + + RangerProject project = projectService.read(projectId); + + if (!validator.hasPermission(project.getAcl(), GdsPermission.AUDIT)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES); + } + + XXGdsProjectPolicyMap existing = daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyMap(projectId, policyId); + + if (existing == null) { + throw new Exception("no policy exists: projectId=" + projectId + ", policyId=" + policyId); + } + + RangerPolicy ret = svcStore.getPolicy(policyId); + + LOG.debug("<== getProjectPolicy({}, {}): ret={}", projectId, policyId, ret); + + return ret; + } + + @Override + public List<RangerPolicy> getProjectPolicies(Long projectId) throws Exception { + LOG.debug("==> getProjectPolicies({})", projectId); + + List<RangerPolicy> ret = null; + + RangerProject project = projectService.read(projectId); + + if (!validator.hasPermission(project.getAcl(), GdsPermission.AUDIT)) { + throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES); + } + + List<Long> policyIds = daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyIds(projectId); + + if (policyIds != null) { + ret = new ArrayList<>(policyIds.size()); + + for (Long policyId : policyIds) { + ret.add(svcStore.getPolicy(policyId)); + } + } + + LOG.debug("<== getProjectPolicies({}): ret={}", projectId, ret); + + return ret; + } + @Override public RangerDataShare createDataShare(RangerDataShare dataShare) throws Exception { 
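Review bot: deleteProjectPolicy throws `NOT_AUTHORIZED_FOR_DATASET_POLICIES`, and getProjectPolicy and getProjectPolicies throw `NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES`, so a caller denied on a project is told about a dataset; use the project constants declared for this purpose, `throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_PROJECT_POLICIES);` and `throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES);`. The exit log of deleteProjectPolicies also names the wrong method (`"<== deleteProjectPolicy({})"`). The null-project, bare-Exception and rename-on-update points raised on the dataset hunk apply here unchanged.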
@@ -1049,4 +1326,72 @@ public class GdsDBStore extends AbstractGdsStore { } } } + + private void prepareDatasetPolicy(RangerDataset dataset, RangerPolicy policy) { + policy.setName("DATASET: " + dataset.getName() + "@" + System.currentTimeMillis()); + policy.setDescription("Policy for dataset: " + dataset.getName()); + policy.setServiceType(EMBEDDED_SERVICEDEF_GDS_NAME); + policy.setService(ServiceDBStore.GDS_SERVICE_NAME); + policy.setZoneName(null); + policy.setResources(Collections.singletonMap(RESOURCE_NAME_DATASET_ID, new RangerPolicyResource(dataset.getId().toString()))); + policy.setPolicyType(RangerPolicy.POLICY_TYPE_ACCESS); + policy.setPolicyPriority(RangerPolicy.POLICY_PRIORITY_NORMAL); + policy.setAllowExceptions(Collections.emptyList()); + policy.setDenyPolicyItems(Collections.emptyList()); + policy.setDenyExceptions(Collections.emptyList()); + policy.setDataMaskPolicyItems(Collections.emptyList()); + policy.setRowFilterPolicyItems(Collections.emptyList()); + policy.setIsDenyAllElse(Boolean.FALSE); + } + + private void prepareProjectPolicy(RangerProject project, RangerPolicy policy) { + policy.setName("PROJECT: " + project.getName() + "@" + System.currentTimeMillis()); + policy.setDescription("Policy for project: " + project.getName()); + policy.setServiceType(EMBEDDED_SERVICEDEF_GDS_NAME); + policy.setService(ServiceDBStore.GDS_SERVICE_NAME); + policy.setZoneName(null); + policy.setResources(Collections.singletonMap(RESOURCE_NAME_PROJECT_ID, new RangerPolicyResource(project.getId().toString()))); + policy.setPolicyType(RangerPolicy.POLICY_TYPE_ACCESS); + policy.setPolicyPriority(RangerPolicy.POLICY_PRIORITY_NORMAL); + policy.setAllowExceptions(Collections.emptyList()); + policy.setDenyPolicyItems(Collections.emptyList()); + policy.setDenyExceptions(Collections.emptyList()); + policy.setDataMaskPolicyItems(Collections.emptyList()); + policy.setRowFilterPolicyItems(Collections.emptyList()); + policy.setIsDenyAllElse(Boolean.FALSE); + } + + private void 
deleteDatasetPolicies(RangerDataset dataset) throws Exception { + if (!validator.hasPermission(dataset.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_DATASET_POLICIES); + } + + List<XXGdsDatasetPolicyMap> existingMaps = daoMgr.getXXGdsDatasetPolicyMap().getDatasetPolicyMaps(dataset.getId()); + + if (existingMaps != null) { + for (XXGdsDatasetPolicyMap existing : existingMaps) { + RangerPolicy policy = svcStore.getPolicy(existing.getPolicyId()); + + daoMgr.getXXGdsDatasetPolicyMap().remove(existing); + svcStore.deletePolicy(policy); + } + } + } + + private void deleteProjectPolicies(RangerProject project) throws Exception { + if (!validator.hasPermission(project.getAcl(), GdsPermission.POLICY_ADMIN)) { + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_FOR_PROJECT_POLICIES); + } + + List<XXGdsProjectPolicyMap> existingMaps = daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyMaps(project.getId()); + + if (existingMaps != null) { + for (XXGdsProjectPolicyMap existing : existingMaps) { + RangerPolicy policy = svcStore.getPolicy(existing.getPolicyId()); + + daoMgr.getXXGdsProjectPolicyMap().remove(existing); + svcStore.deletePolicy(policy); + } + } + } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java index 136a1309b..5534c8056 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
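Review bot: prepareDatasetPolicy and prepareProjectPolicy build the policy name from `System.currentTimeMillis()`, so two policies added for the same dataset or project within the same millisecond get identical names, and because the update methods call the same helpers every update rewrites the name. Derive the name from something stable and unique — for example include `UUID.randomUUID()` on create and leave the name untouched on update — or at least check for a clash before calling svcStore.createPolicy. The private deleteDatasetPolicies/deleteProjectPolicies re-check POLICY_ADMIN, yet they are also invoked from deleteDataset/deleteProject after `validator.validateDelete` has already passed (earlier hunks); if delete permission does not imply POLICY_ADMIN, a dataset delete now fails part-way with a 403, so the intended relationship between the two permissions should be confirmed. Each policy is removed with a separate getPolicy/remove/deletePolicy sequence, and unless the surrounding class is transactional (not visible here) a failure mid-loop leaves the dataset with a partially deleted policy set. The two prepare helpers and the two delete helpers are line-for-line copies differing only in the resource name and the map DAO; a shared helper parameterized on those would keep them from drifting.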
@@ -1587,4 +1587,12 @@ public class RangerBizUtil { throw restErrorUtil.generateRESTException(vXResponse); } } + + public boolean isGdsServiceDef(XXDBBase xxdbBase) { + return (xxdbBase instanceof XXServiceDef) && EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME.equals(((XXServiceDef) xxdbBase).getName()); + } + + public boolean isGdsService(XXDBBase xxdbBase) { + return (xxdbBase instanceof XXService) && EmbeddedServiceDefsUtil.instance().getGdsServiceDefId() == ((XXService) xxdbBase).getType(); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index f2de83e20..d3fe7f6b9 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -27,6 +27,7 @@ import java.net.UnknownHostException; import java.text.DateFormat; import java.text.SimpleDateFormat; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.Comparator; @@ -245,6 +246,7 @@ public class ServiceDBStore extends AbstractServiceStore { private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user"; public static final String SERVICE_ADMIN_USERS = "service.admin.users"; public static final String SERVICE_ADMIN_GROUPS = "service.admin.groups"; + public static final String GDS_SERVICE_NAME = "_gds"; private static boolean isRolesDownloadedByService = false; 
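Review bot: isGdsService compares `EmbeddedServiceDefsUtil.instance().getGdsServiceDefId() == ((XXService) xxdbBase).getType()` with `==`; if getType() returns a boxed `Long` (as the XX entity getters generally do) and getGdsServiceDefId() is also boxed, this is a reference comparison that only holds for cached small values, and if the def id is a primitive `long` the comparison unboxes and throws a NullPointerException for a service row with a null type. `Objects.equals(EmbeddedServiceDefsUtil.instance().getGdsServiceDefId(), ((XXService) xxdbBase).getType())` is correct in either case. The same pattern appears in the ServiceDBStore @@ -3774 hunk, so both should be changed together.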
@@ -1720,43 +1722,6 @@ public class ServiceDBStore extends AbstractServiceStore { hasTagServiceValueChanged = true; } - boolean hasGdsServiceValueChanged = false; - Long existingGdsServiceId = existing.getGdsService(); - String newGdsServiceName = service.getGdsService(); // null/empty for old clients; blank string to remove existing association - Long newGdsServiceId = null; - - if (StringUtils.isEmpty(newGdsServiceName)) { // old client; don't update existing gdsService - if (existingGdsServiceId != null) { - newGdsServiceName = getServiceName(existingGdsServiceId); - - service.setGdsService(newGdsServiceName); - - LOG.info("ServiceDBStore.updateService(id=" + service.getId() + "; name=" + service.getName() + "): gdsService is null; using existing gdsService '" + newGdsServiceName + "'"); - } - } - - if (StringUtils.isNotBlank(newGdsServiceName)) { - RangerService tmp = getServiceByName(newGdsServiceName); - - if (tmp == null || !EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME.equals(tmp.getType())) { - if (LOG.isDebugEnabled()) { - LOG.debug("ServiceDBStore.updateService() - " + newGdsServiceName + " does not refer to a valid gds service.(" + service + ")"); - } - - throw restErrorUtil.createRESTException("Invalid gds service name " + newGdsServiceName, MessageEnums.ERROR_CREATING_OBJECT); - } else { - newGdsServiceId = tmp.getId(); - } - } - - if (existingGdsServiceId == null) { - if (newGdsServiceId != null) { - hasGdsServiceValueChanged = true; - } - } else if (!existingGdsServiceId.equals(newGdsServiceId)) { - hasGdsServiceValueChanged = true; - } - boolean hasIsEnabledChanged = !existing.getIsenabled().equals(service.getIsEnabled()); List<XXServiceConfigMap> dbConfigMaps = daoMgr.getXXServiceConfigMap().findByServiceId(service.getId()); 
@@ -1774,7 +1739,7 @@ public class ServiceDBStore extends AbstractServiceStore { service.setVersion(existing.getVersion()); service = svcService.update(service); - if (hasTagServiceValueChanged || hasGdsServiceValueChanged || hasIsEnabledChanged || hasServiceConfigForPluginChanged) { + if (hasTagServiceValueChanged || hasIsEnabledChanged || hasServiceConfigForPluginChanged) { updatePolicyVersion(service, RangerPolicyDelta.CHANGE_TYPE_SERVICE_CHANGE, null,false); } } @@ -2977,7 +2942,7 @@ public class ServiceDBStore extends AbstractServiceStore { copy.setGdsPolicies(null); } - List<RangerPolicy> copyPolicies = ret.getPolicies() != null ? new ArrayList<>(ret.getPolicies()) : null; + List<RangerPolicy> copyPolicies = ret.getPolicies() != null ? new ArrayList<>(ret.getPolicies()) : null; List<RangerPolicyDelta> copyPolicyDeltas = ret.getPolicyDeltas() != null ? new ArrayList<>(ret.getPolicyDeltas()) : null; copy.setPolicies(copyPolicies); @@ -3091,9 +3056,7 @@ public class ServiceDBStore extends AbstractServiceStore { tagServiceDbObj = daoMgr.getXXService().getById(serviceDbObj.getTagService()); } - if (serviceDbObj.getGdsService() != null) { - gdsServiceDbObj = daoMgr.getXXService().getById(serviceDbObj.getGdsService()); - } + gdsServiceDbObj = daoMgr.getXXService().findByName(GDS_SERVICE_NAME); if (tagServiceDbObj != null) { tagServiceDef = getServiceDef(tagServiceDbObj.getType()); @@ -3120,7 +3083,7 @@ public class ServiceDBStore extends AbstractServiceStore { ServiceDefUtil.normalizeAccessTypeDefs(gdsServiceDef, serviceType); - gdsServiceVersionInfoDbObj = daoMgr.getXXServiceVersionInfo().findByServiceId(serviceDbObj.getGdsService()); + gdsServiceVersionInfoDbObj = daoMgr.getXXServiceVersionInfo().findByServiceName(GDS_SERVICE_NAME); if (gdsServiceVersionInfoDbObj == null) { LOG.warn("serviceVersionInfo does not exist. name=" + gdsServiceDbObj.getName()); 
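Review bot: In the @@ -3091 hunk the GDS service is now resolved purely by name, `daoMgr.getXXService().findByName(GDS_SERVICE_NAME)`, and the type of the returned row is not verified here; if a service of another type happened to be named `_gds`, it would be treated as the GDS service and `getServiceDef` would be called on its type. Guard the lookup by comparing `gdsServiceDbObj.getType()` against `EmbeddedServiceDefsUtil.instance().getGdsServiceDefId()` (the check the new RangerBizUtil.isGdsService performs) and treat a mismatch as "no GDS service", or reject creation of non-GDS services with that reserved name on the creation path (outside this chunk). The lookup is also now executed on every call regardless of whether the caller needs GDS policies, whereas it was previously conditional on the service's gds_service link.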
@@ -3774,7 +3737,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 boolean isGdsService = serviceDbObj.getType() == EmbeddedServiceDefsUtil.instance().getGdsServiceDefId();
 if (isTagService || isGdsService) {
- List<Long> referringServiceIds = isTagService ? serviceDao.findIdsByTagServiceId(serviceId) : serviceDao.findIdsByGdsServiceId(serviceId);
+ List<Long> referringServiceIds = isTagService ? serviceDao.findIdsByTagServiceId(serviceId) : serviceDao.findIdsExcludingServiceTypes(Arrays.asList(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME, EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME));
 for (Long referringServiceId : referringServiceIds) {
 Runnable policyVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, VERSION_TYPE.POLICY_VERSION, policy != null ? policy.getZoneName() : null, policyDeltaType, policy);
@@ -3853,8 +3816,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 serviceVersionInfoDbObj.setTagUpdateTime(now);
 serviceVersionInfoDbObj.setRoleVersion(nextVersion);
 serviceVersionInfoDbObj.setRoleUpdateTime(now);
- serviceVersionInfoDbObj.setGdsVersion(nextVersion);
- serviceVersionInfoDbObj.setGdsUpdateTime(now);
 serviceVersionUpdater.version = nextVersion;
 serviceVersionInfoDao.create(serviceVersionInfoDbObj);
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
index 15fc1cb44..7e071ba0e 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
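Review bot: The new branch in the hunk at 3737 turns a change to any policy in the GDS service into a policy-version bump for every service that is not of tag or gds type, whereas the removed code bumped only the services that referenced that gds service; the fan-out means every plugin in the deployment refreshes its policies on each dataset/project policy edit, which is presumably intended now that the per-service link is gone but deserves a comment such as `// GDS policies apply across resource services, so every non-tag/non-gds service must see a new policy version`. The `Arrays.asList(...)` list is rebuilt on every call and could be a `private static final List<String>` constant; also confirm `java.util.Arrays` is imported in ServiceDBStore, since its import section is not in this diff. The branch depends on the context line `serviceDbObj.getType() == ...getGdsServiceDefId()`, which is a reference comparison if both sides are boxed `Long` (pre-existing, not changed here). The enclosing method starts and ends outside the hunk.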
@@ -52,7 +52,6 @@ import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.RangerRolesUtil;
 import org.apache.ranger.service.RangerServiceService;
-import org.apache.ranger.services.gds.RangerServiceGds;
 import org.apache.ranger.services.tag.RangerServiceTag;
 import org.apache.ranger.view.VXMessage;
 import org.apache.ranger.view.VXResponse;
@@ -87,9 +86,6 @@ public class ServiceMgr {
 @Autowired
 TagDBStore tagStore;
- @Autowired
- GdsDBStore gdsStore;
-
 @Autowired
 RoleDBStore rolesStore;
@@ -349,8 +345,6 @@ public class ServiceMgr {
 if(ret instanceof RangerServiceTag) {
 ((RangerServiceTag)ret).setTagStore(tagStore);
- } else if (ret instanceof RangerServiceGds) {
- ((RangerServiceGds)ret).setGdsStore(gdsStore);
 }
 } else {
 LOG.warn("ServiceMgr.getRangerServiceByService(" + service + "): could not find service class '"
diff --git a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
index db0a80aef..7886a7a27 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
@@ -644,13 +644,14 @@ public class AppConstants extends RangerCommonEnums {
 public static final int CLASS_TYPE_GDS_DATA_SHARE = 1064;
 public static final int CLASS_TYPE_GDS_SHARED_RESOURCE = 1065;
 public static final int CLASS_TYPE_GDS_DATA_SHARE_IN_DATASET = 1066;
- public static final int CLASS_TYPE_GDS_DATA_SHARE_IN_PROJECT = 1067;
- public static final int CLASS_TYPE_GDS_DATASET_IN_PROJECT = 1068;
+ public static final int CLASS_TYPE_GDS_DATASET_IN_PROJECT = 1067;
+ public static final int CLASS_TYPE_GDS_DATASET_POLICY_MAP = 1068;
+ public static final int CLASS_TYPE_GDS_PROJECT_POLICY_MAP = 1069;
 /**
 * Max value for enum ClassTypes_MAX
 */
- public static final int ClassTypes_MAX = 1062;
+ public static final int ClassTypes_MAX = 1069;
 /***************************************************************
diff --git a/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java b/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java
index 4ffde84bd..08bcfd57b 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java
@@ -330,5 +330,7 @@ public abstract class RangerDaoManagerBase {
 public XXGdsSharedResourceDao getXXGdsSharedResource() { return new XXGdsSharedResourceDao(this); }
 public XXGdsDataShareInDatasetDao getXXGdsDataShareInDataset() { return new XXGdsDataShareInDatasetDao(this); }
 public XXGdsDatasetInProjectDao getXXGdsDatasetInProject() { return new XXGdsDatasetInProjectDao(this); }
+ public XXGdsDatasetPolicyMapDao getXXGdsDatasetPolicyMap() { return new XXGdsDatasetPolicyMapDao(this); }
+ public XXGdsProjectPolicyMapDao getXXGdsProjectPolicyMap() { return new XXGdsProjectPolicyMapDao(this); }
 }
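Review bot: The AppConstants hunk renumbers `CLASS_TYPE_GDS_DATASET_IN_PROJECT` from 1068 to 1067 while dropping `CLASS_TYPE_GDS_DATA_SHARE_IN_PROJECT`; if class-type values are persisted anywhere (transaction-log or audit rows written by earlier builds of this branch), existing rows tagged 1067 or 1068 silently change meaning, so either keep 1068 for DATASET_IN_PROJECT and retire 1067, or document that no persisted values from this branch exist. The correction of `ClassTypes_MAX` from 1062 to 1069 is right but silent — a comment `// keep in sync with the highest CLASS_TYPE_* value above` next to it would stop it going stale again, as it had before this commit.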
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGdsDatasetPolicyMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGdsDatasetPolicyMapDao.java
new file mode 100644
index 000000000..f28d3a5ec
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGdsDatasetPolicyMapDao.java
@@ -0,0 +1,85 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.db; + +import org.apache.ranger.common.db.BaseDao; +import org.apache.ranger.entity.XXGdsDatasetPolicyMap; +import org.springframework.stereotype.Service; + +import javax.persistence.NoResultException; +import java.util.Collections; +import java.util.List; + + +@Service +public class XXGdsDatasetPolicyMapDao extends BaseDao<XXGdsDatasetPolicyMap> { + public XXGdsDatasetPolicyMapDao(RangerDaoManagerBase daoManager) { + super(daoManager); + } + + public XXGdsDatasetPolicyMap getDatasetPolicyMap(Long datasetId, Long policyId) { + XXGdsDatasetPolicyMap ret = null; + + if (datasetId != null && policyId != null) { + try { + ret = getEntityManager().createNamedQuery("XXGdsDatasetPolicyMap.getDatasetPolicyMap", tClass) + .setParameter("datasetId", datasetId) + .setParameter("policyId", policyId) + .getSingleResult(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } + + public List<XXGdsDatasetPolicyMap> getDatasetPolicyMaps(Long datasetId) { + List<XXGdsDatasetPolicyMap> ret = Collections.emptyList(); + + if (datasetId != null) { + try { + ret = 
getEntityManager().createNamedQuery("XXGdsDatasetPolicyMap.getDatasetPolicyMaps", tClass) + .setParameter("datasetId", datasetId) + .getResultList(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } + + public List<Long> getDatasetPolicyIds(Long datasetId) { + List<Long> ret = Collections.emptyList(); + + if (datasetId != null) { + try { + ret = getEntityManager().createNamedQuery("XXGdsDatasetPolicyMap.getDatasetPolicyIds", Long.class) + .setParameter("datasetId", datasetId) + .getResultList(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } +} diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGdsProjectPolicyMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGdsProjectPolicyMapDao.java new file mode 100644 index 000000000..4cfd03db2 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGdsProjectPolicyMapDao.java 
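Review bot: `getDatasetPolicyMap` catches only `NoResultException` around `getSingleResult()`, so if more than one row maps the same (datasetId, policyId) pair a `NonUniqueResultException` escapes as an unhandled runtime error; unless the new table carries a unique constraint on that pair (the SQL files are not in this view), use `getResultList()` and take the first element, or document the constraint in a comment on the method. The `catch (NoResultException e)` blocks around `getResultList()` in `getDatasetPolicyMaps` and `getDatasetPolicyIds` are dead under the JPA contract — `getResultList()` returns an empty list rather than throwing — and can be dropped; the same applies to `XXGdsProjectPolicyMapDao` and the `getProjectPolicy`/`getProjectPolicies` additions to `XXPolicyDao` in the next hunks, and to `findIdsExcludingServiceTypes` in `XXServiceDao`, which on top returns `new ArrayList<>()` where its siblings return `Collections.emptyList()`. Each accessor would also benefit from a one-line Javadoc stating that a null or empty result, never an exception, is returned when the id is null or no row matches.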
@@ -0,0 +1,85 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.db; + +import org.apache.ranger.common.db.BaseDao; +import org.apache.ranger.entity.XXGdsProjectPolicyMap; +import org.springframework.stereotype.Service; + +import javax.persistence.NoResultException; +import java.util.Collections; +import java.util.List; + + +@Service +public class XXGdsProjectPolicyMapDao extends BaseDao<XXGdsProjectPolicyMap> { + public XXGdsProjectPolicyMapDao(RangerDaoManagerBase daoManager) { + super(daoManager); + } + + public XXGdsProjectPolicyMap getProjectPolicyMap(Long projectId, Long policyId) { + XXGdsProjectPolicyMap ret = null; + + if (projectId != null && policyId != null) { + try { + ret = getEntityManager().createNamedQuery("XXGdsProjectPolicyMap.getProjectPolicyMap", tClass) + .setParameter("projectId", projectId) + .setParameter("policyId", policyId) + .getSingleResult(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } + + public List<XXGdsProjectPolicyMap> getProjectPolicyMaps(Long projectId) { + List<XXGdsProjectPolicyMap> ret = Collections.emptyList(); + + if (projectId != null) { + try { + ret = 
getEntityManager().createNamedQuery("XXGdsProjectPolicyMap.getProjectPolicyMaps", tClass) + .setParameter("projectId", projectId) + .getResultList(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } + + public List<Long> getProjectPolicyIds(Long projectId) { + List<Long> ret = Collections.emptyList(); + + if (projectId != null) { + try { + ret = getEntityManager().createNamedQuery("XXGdsProjectPolicyMap.getProjectPolicyIds", Long.class) + .setParameter("projectId", projectId) + .getResultList(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } +} diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java index 9ff7f0a68..c65b961fc 100755 --- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java @@ -434,4 +434,37 @@ public class XXPolicyDao extends BaseDao<XXPolicy> { return ret; } + + public XXPolicy getProjectPolicy(Long projectId, Long policyId) { + XXPolicy ret = null; + + if (projectId != null && policyId != null) { + try { + ret = getEntityManager().createNamedQuery("XXPolicy.getProjectPolicy", tClass) + .setParameter("projectId", projectId) + .setParameter("policyId", policyId) + .getSingleResult(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } + + public List<XXPolicy> getProjectPolicies(Long projectId) { + List<XXPolicy> ret = Collections.emptyList(); + + if (projectId != null) { + try { + ret = getEntityManager().createNamedQuery("XXPolicy.getProjectPolicies", tClass) + .setParameter("projectId", projectId) + .getResultList(); + } catch (NoResultException e) { + // ignore + } + } + + return ret; + } } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java index efe7d4bcc..c0f9d5c4e 100644 
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
@@ -126,19 +126,6 @@ public class XXServiceDao extends BaseDao<XXService> {
 return ret != null ? ret : Collections.emptyList();
 }
- public List<Long> findIdsByGdsServiceId(Long gdsServiceId) {
- List<Long> ret = null;
-
- try {
- ret = getEntityManager().createNamedQuery("XXService.findIdsByGdsServiceId", Long.class)
- .setParameter("gdsServiceId", gdsServiceId).getResultList();
- } catch (NoResultException e) {
- // ignre
- }
-
- return ret != null ? ret : Collections.emptyList();
- }
-
 public XXService findAssociatedTagService(String serviceName) {
 try {
 return getEntityManager().createNamedQuery("XXService.findAssociatedTagService", tClass)
@@ -167,6 +154,16 @@ public class XXServiceDao extends BaseDao<XXService> {
 updateSequence("X_SERVICE_SEQ", maxId + 1);
 }
+ public List<Long> findIdsExcludingServiceTypes(List<String> excludedServiceTypes) {
+ try {
+ return getEntityManager().createNamedQuery("XXService.findIdsExcludingServiceTypes", Long.class)
+ .setParameter("excludedServiceTypes", excludedServiceTypes)
+ .getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList<>();
+ }
+ }
+
 public List<Long> getAllServiceIds() {
 try {
 return getEntityManager().createNamedQuery("XXService.getAllServiceIds", Long.class)
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDatasetPolicyMap.java b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDatasetPolicyMap.java
new file mode 100644
index 000000000..2d79c94c3
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDatasetPolicyMap.java
@@ -0,0 +1,106 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.entity; + +import org.apache.ranger.common.AppConstants; + +import javax.persistence.*; +import javax.xml.bind.annotation.XmlRootElement; +import java.io.Serializable; +import java.util.Objects; + +@Entity +@Cacheable +@Table(name="x_gds_dataset_policy_map") +@XmlRootElement +public class XXGdsDatasetPolicyMap implements Serializable { + private static final long serialVersionUID = 1L; + + @Id + @SequenceGenerator(name = "X_GDS_DATASET_POLICY_MAP_SEQ", sequenceName = "X_GDS_DATASET_POLICY_MAP_SEQ", allocationSize = 1) + @GeneratedValue(strategy = GenerationType.AUTO, generator = "X_GDS_DATASET_POLICY_MAP_SEQ") + @Column(name = "id") + protected Long id; + + @Column(name = "dataset_id") + protected Long datasetId; + + @Column(name = "policy_id") + protected Long policyId; + + public XXGdsDatasetPolicyMap() { } + + public XXGdsDatasetPolicyMap(Long datasetId, Long policyId) { + setDatasetId(datasetId); + setPolicyId(policyId); + } + + public void setId(Long id) { this.id = id; } + + public Long getId() { return id; } + + public Long getDatasetId() { return datasetId; } + + public void setDatasetId(Long datasetId) { 
this.datasetId = datasetId; } + + public Long getPolicyId() { return policyId; } + + public void setPolicyId(Long policyId) { this.policyId = policyId; } + + public int getMyClassType() { return AppConstants.CLASS_TYPE_GDS_DATASET_POLICY_MAP; } + + @Override + public int hashCode() { + return Objects.hash(id, datasetId, policyId); + } + + @Override + public boolean equals(Object obj) { + if (this == obj) { + return true; + } else if (getClass() != obj.getClass()) { + return false; + } else if (!super.equals(obj)) { + return false; + } + + XXGdsDatasetPolicyMap other = (XXGdsDatasetPolicyMap) obj; + + return Objects.equals(id, other.id) && + Objects.equals(datasetId, other.datasetId) && + Objects.equals(policyId, other.policyId); + } + + @Override + public String toString() { + return toString(new StringBuilder()).toString(); + } + + public StringBuilder toString(StringBuilder sb) { + sb.append("XXGdsDatasetPolicyMap={ ") + .append(super.toString() + "} ") + .append("id={").append(id).append("} ") + .append("datasetId={").append(datasetId).append("} ") + .append("policyId={").append(policyId).append("} ") + .append(" }"); + + return sb; + } +} diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsProjectPolicyMap.java b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsProjectPolicyMap.java new file mode 100644 index 000000000..e7f1358ad --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsProjectPolicyMap.java 
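Review bot: `equals` in `XXGdsDatasetPolicyMap` can never return true for two distinct instances: the class extends only `Object`, so the `!super.equals(obj)` branch is an identity test and the field comparison below it is reachable only when `this == obj` already held; `getClass() != obj.getClass()` also throws `NullPointerException` for `equals(null)` instead of returning false. Replace the first three branches with `if (this == obj) { return true; }` followed by `if (obj == null || getClass() != obj.getClass()) { return false; }` and drop the `super.equals` call; `hashCode` already reflects the intended field-based equality, so only `equals` needs to change, which matters for an `@Cacheable` entity. `XXGdsProjectPolicyMap` in the next hunk has the identical defect. The `super.toString()` folded into `toString(StringBuilder)` is the `Object` default (class name plus identity hash) and adds nothing useful to the output.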
@@ -0,0 +1,106 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.entity; + +import org.apache.ranger.common.AppConstants; + +import javax.persistence.*; +import javax.xml.bind.annotation.XmlRootElement; +import java.io.Serializable; +import java.util.Objects; + +@Entity +@Cacheable +@Table(name="x_gds_project_policy_map") +@XmlRootElement +public class XXGdsProjectPolicyMap implements Serializable { + private static final long serialVersionUID = 1L; + + @Id + @SequenceGenerator(name = "X_GDS_PROJECT_POLICY_MAP_SEQ", sequenceName = "X_GDS_PROJECT_POLICY_MAP_SEQ", allocationSize = 1) + @GeneratedValue(strategy = GenerationType.AUTO, generator = "X_GDS_PROJECT_POLICY_MAP_SEQ") + @Column(name = "id") + protected Long id; + + @Column(name = "project_id") + protected Long projectId; + + @Column(name = "policy_id") + protected Long policyId; + + public XXGdsProjectPolicyMap() { } + + public XXGdsProjectPolicyMap(Long projectId, Long policyId) { + setProjectId(projectId); + setPolicyId(policyId); + } + + public void setId(Long id) { this.id = id; } + + public Long getId() { return id; } + + public Long getProjectId() { return projectId; } + + public void setProjectId(Long projectId) { 
this.projectId = projectId; } + + public Long getPolicyId() { return policyId; } + + public void setPolicyId(Long policyId) { this.policyId = policyId; } + + public int getMyClassType() { return AppConstants.CLASS_TYPE_GDS_PROJECT_POLICY_MAP; } + + @Override + public int hashCode() { + return Objects.hash(id, projectId, policyId); + } + + @Override + public boolean equals(Object obj) { + if (this == obj) { + return true; + } else if (getClass() != obj.getClass()) { + return false; + } else if (!super.equals(obj)) { + return false; + } + + XXGdsProjectPolicyMap other = (XXGdsProjectPolicyMap) obj; + + return Objects.equals(id, other.id) && + Objects.equals(projectId, other.projectId) && + Objects.equals(policyId, other.policyId); + } + + @Override + public String toString() { + return toString(new StringBuilder()).toString(); + } + + public StringBuilder toString(StringBuilder sb) { + sb.append("XXGdsProjectPolicyMap={ ") + .append(super.toString() + "} ") + .append("id={").append(id).append("} ") + .append("projectId={").append(projectId).append("} ") + .append("policyId={").append(policyId).append("} ") + .append(" }"); + + return sb; + } +} diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java index 682e66dd8..2abc391fe 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java @@ -85,9 +85,6 @@ public abstract class XXServiceBase extends XXDBBase { @Column(name = "tag_service") protected Long tagService; - @Column(name = "gds_service") - protected Long gdsService; - /** * policyVersion of the XXService * <ul> 
@@ -246,24 +243,6 @@ public abstract class XXServiceBase extends XXDBBase { return this.tagService; } - /** - * This method sets the value to the member attribute <b> gdsService</b> . - * - * @param gdsService - Value to set member attribute <b> gdsService</b> - */ - public void setGdsService(Long gdsService) { - this.gdsService = gdsService; - } - - /** - * Returns the value for the member attribute <b>gdsService</b> - * - * @return Long - value of member attribute <b>gdsService</b> . - */ - public Long getGdsService() { - return this.gdsService; - } - /** * This method sets the value to the member attribute <b> policyVersion</b> * . You cannot set null to the attribute. @@ -409,7 +388,6 @@ public abstract class XXServiceBase extends XXDBBase { Objects.equals(tagService, other.tagService) && Objects.equals(tagVersion, other.tagVersion) && Objects.equals(tagUpdateTime, other.tagUpdateTime) && - Objects.equals(gdsService, other.gdsService) && Objects.equals(type, other.type) && Objects.equals(version, other.version) && Objects.equals(guid, other.guid); @@ -426,7 +404,7 @@ public abstract class XXServiceBase extends XXDBBase { @Override public String toString() { return "XXServiceBase [" + super.toString() + " guid=" + guid + ", version=" + version + ", type=" + type - + ", name=" + name +", displayName=" + displayName + ", tagService=" + tagService + ", gdsService=" + gdsService + ", policyVersion=" + policyVersion + ", policyUpdateTime=" + policyUpdateTime + + ", name=" + name +", displayName=" + displayName + ", tagService=" + tagService + ", policyVersion=" + policyVersion + ", policyUpdateTime=" + policyUpdateTime + ", tagVersion=" + tagVersion + ", tagUpdateTime=" + tagUpdateTime + ", description=" + description + ", isEnabled=" + isEnabled + "]"; } diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java index 54fe0f5b7..04f030b35 100644 
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java @@ -76,13 +76,6 @@ public class XXServiceVersionInfo implements java.io.Serializable { @Column(name="role_update_time" ) protected Date roleUpdateTime = DateUtil.getUTCDate(); - @Column(name = "gds_version") - protected Long gdsVersion; - - @Temporal(TemporalType.TIMESTAMP) - @Column(name = "gds_update_time") - protected Date gdsUpdateTime; - @Version @Column(name = "version") protected Long version; @@ -173,22 +166,6 @@ public class XXServiceVersionInfo implements java.io.Serializable { return this.roleUpdateTime; } - public void setGdsVersion(Long gdsVersion) { - this.gdsVersion = gdsVersion; - } - - public Long getGdsVersion() { - return this.gdsVersion; - } - - public void setGdsUpdateTime(Date gdsUpdateTime) { - this.gdsUpdateTime = gdsUpdateTime; - } - - public Date getGdsUpdateTime() { - return this.gdsUpdateTime; - } - /** * This return the bean content in string format * @return formatedStr @@ -205,8 +182,6 @@ public class XXServiceVersionInfo implements java.io.Serializable { str += "tagUpdateTime={" + tagUpdateTime + "} "; str += "setRoleVersion={" + roleVersion + "}" ; str += "setRoleUpdateTime={" + roleUpdateTime + "}" ; - str += "gdsVersion={" + gdsVersion + "}" ; - str += "gdsUpdateTime={" + gdsUpdateTime + "}" ; str += "}"; return str; } @@ -235,9 +210,7 @@ public class XXServiceVersionInfo implements java.io.Serializable { Objects.equals(tagVersion, other.tagVersion) && Objects.equals(tagUpdateTime, other.tagUpdateTime) && Objects.equals(roleVersion, other.roleVersion) && - Objects.equals(roleUpdateTime, other.roleUpdateTime) && - Objects.equals(gdsVersion, other.gdsVersion) && - Objects.equals(gdsUpdateTime, other.gdsUpdateTime); + Objects.equals(roleUpdateTime, other.roleUpdateTime); } return ret; 
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
index f827c754d..b7ef9b86a 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
@@ -23,18 +23,24 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.biz.GdsDBStore;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.common.RangerSearchUtil;
+import org.apache.ranger.plugin.model.RangerDatasetHeader.RangerDatasetHeaderInfo;
 import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
 import org.apache.ranger.plugin.model.RangerGds.RangerDatasetInProject;
 import org.apache.ranger.plugin.model.RangerGds.RangerDataShareInDataset;
 import org.apache.ranger.plugin.model.RangerGds.RangerDataShare;
 import org.apache.ranger.plugin.model.RangerGds.RangerProject;
 import org.apache.ranger.plugin.model.RangerGds.RangerSharedResource;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.store.PList;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.service.RangerGdsDatasetInProjectService;
+import org.apache.ranger.service.RangerGdsDataShareInDatasetService;
+import org.apache.ranger.service.RangerGdsDataShareService;
 import org.apache.ranger.service.RangerGdsDatasetService;
-import org.apache.ranger.plugin.model.RangerDatasetHeader.RangerDatasetHeaderInfo;
+import org.apache.ranger.service.RangerGdsProjectService;
+import org.apache.ranger.service.RangerGdsSharedResourceService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -48,6 +54,7 @@ import org.springframework.transaction.annotation.Transactional;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.*;
 import javax.ws.rs.core.Context;
+import java.util.List;
 @Path("gds")
 @Component
@@ -63,6 +70,21 @@ public class GdsREST {
 @Autowired
 RangerGdsDatasetService datasetService;
+ @Autowired
+ RangerGdsProjectService projectService;
+
+ @Autowired
+ RangerGdsDataShareService dataShareService;
+
+ @Autowired
+ RangerGdsSharedResourceService sharedResourceService;
+
+ @Autowired
+ RangerGdsDataShareInDatasetService dshidService;
+
+ @Autowired
+ RangerGdsDatasetInProjectService dipService;
+
 @Autowired
 RangerSearchUtil searchUtil;
@@ -245,7 +267,7 @@ public class GdsREST {
 try {
 if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDatasets()");
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.listDatasetNames()");
 }
 filter = searchUtil.getSearchFilter(request, datasetService.sortFields);
@@ -279,10 +301,8 @@ public class GdsREST {
 SearchFilter filter = searchUtil.getSearchFilter(request, datasetService.sortFields);
 ret = gdsStore.getDatasetHeaders(filter);
- } catch (WebApplicationException we) {
- LOG.error("getDatasets() failed", we);
-
- throw restErrorUtil.createRESTException(we.getMessage());
+ } catch (WebApplicationException excp) {
+ throw excp;
 } catch (Throwable ex) {
 LOG.error("getDatasets() failed", ex);
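Review bot: Of the five services autowired in the hunk at 70, only `projectService` is referenced by any hunk of this commit (at 594 and 628); `dataShareService`, `sharedResourceService`, `dshidService` and `dipService` may be used elsewhere in GdsREST, but if they are not they are injection points with no caller and should be added only when an endpoint needs them. A short comment on the block, e.g. `// per-entity services supply sortFields for search endpoints`, would state what they are for, if that is indeed the intent. The enclosing class continues outside the hunk.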
@@ -294,6 +314,142 @@ public class GdsREST { return ret; } + @POST + @Path(("/dataset/{id}/policy")) + @Consumes({ "application/json" }) + @Produces({ "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") + public RangerPolicy addDatasetPolicy(@PathParam("id") Long datasetId, RangerPolicy policy) { + LOG.debug("==> GdsREST.addDatasetPolicy({}, {})", datasetId, policy); + + RangerPolicy ret; + RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDatasetPolicy()"); + + try { + ret = gdsStore.addDatasetPolicy(datasetId, policy); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("addDatasetPolicy({}) failed", datasetId, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== GdsREST.addDatasetPolicy({}, {}): ret={}", datasetId, policy, ret); + + return ret; + } + + @PUT + @Path(("/dataset/{id}/policy/{policyId}")) + @Consumes({ "application/json" }) + @Produces({ "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") + public RangerPolicy updateDatasetPolicy(@PathParam("id") Long datasetId, @PathParam("policyId") Long policyId, RangerPolicy policy) { + LOG.debug("==> GdsREST.updateDatasetPolicy({}, {})", datasetId, policy); + + RangerPolicy ret; + RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateDatasetPolicy()"); + + try { + policy.setId(policyId); + ret = gdsStore.updateDatasetPolicy(datasetId, policy); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("updateDatasetPolicy({}) failed", datasetId, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== GdsREST.updateDatasetPolicy({}, {}): ret={}", datasetId, 
policy, ret); + + return ret; + } + + @DELETE + @Path(("/dataset/{id}/policy/{policyId}")) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") + public void deleteDatasetPolicy(@PathParam("id") Long datasetId, @PathParam("policyId") Long policyId) { + LOG.debug("==> GdsREST.deleteDatasetPolicy({}, {})", datasetId, policyId); + + RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.deleteDatasetPolicy()"); + + try { + gdsStore.deleteDatasetPolicy(datasetId, policyId); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("deleteDatasetPolicy({}, {}) failed", datasetId, policyId, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== GdsREST.deleteDatasetPolicy({}, {})", datasetId, policyId); + } + + @GET + @Path(("/dataset/{id}/policy/{policyId}")) + @Consumes({ "application/json" }) + @Produces({ "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") + public RangerPolicy getDatasetPolicy(@PathParam("id") Long datasetId, @PathParam("policyId") Long policyId) { + LOG.debug("==> GdsREST.getDatasetPolicy({}, {})", datasetId, policyId); + + RangerPolicy ret; + RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDatasetPolicy()"); + + try { + ret = gdsStore.getDatasetPolicy(datasetId, policyId); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getDatasetPolicy({}, {}) failed", datasetId, policyId, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== GdsREST.getDatasetPolicy({}, {}): ret={}", datasetId, policyId, ret); + + return ret; + } + + @GET + @Path(("/dataset/{id}/policy")) + @Consumes({ "application/json" }) + @Produces({ 
"application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") + public List<RangerPolicy> getDatasetPolicies(@PathParam("id") Long datasetId, @Context HttpServletRequest request) { + LOG.debug("==> GdsREST.getDatasetPolicies({})", datasetId); + + List<RangerPolicy> ret; + RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDatasetPolicies()"); + + try { + ret = gdsStore.getDatasetPolicies(datasetId); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getDatasetPolicies({}) failed", datasetId, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== GdsREST.getDatasetPolicies({}): ret={}", datasetId, ret); + + return ret; + } + @POST @Path("/project") @Consumes({ "application/json" }) @@ -438,7 +594,7 @@ public class GdsREST { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchProjects()"); } - filter = searchUtil.getSearchFilter(request, datasetService.sortFields); + filter = searchUtil.getSearchFilter(request, projectService.sortFields); ret = gdsStore.searchProjects(filter); } catch(WebApplicationException excp) { @@ -472,7 +628,7 @@ public class GdsREST { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchProjects()"); } - filter = searchUtil.getSearchFilter(request, datasetService.sortFields); + filter = searchUtil.getSearchFilter(request, projectService.sortFields); ret = gdsStore.getProjectNames(filter); } catch(WebApplicationException excp) { 
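Review bot: The new dataset-policy endpoints gate access only with `isAPIAccessible(RangerAPIList.DATASET_POLICY)`, a role-level check; whether the caller may manage policies of the specific `datasetId` in the path is not checked here, so it must be enforced inside `gdsStore.addDatasetPolicy` and its siblings — a Javadoc line on each method, `Authorization against the dataset itself is performed in GdsDBStore`, would make that contract explicit, and `RangerAPIList.DATASET_POLICY` must exist since that file is not in this view. `updateDatasetPolicy` dereferences `policy` in `policy.setId(policyId)` before any null check, so an empty request body becomes a NullPointerException wrapped into a generic error by the `Throwable` branch; a guard `if (policy == null) { throw restErrorUtil.createRESTException("policy is null"); }` ahead of it gives the client a meaningful response. The `@Consumes({ "application/json" })` on the two `@GET` methods and the doubled parentheses in `@Path(("/dataset/{id}/policy"))` are stylistic leftovers. Finally, the hunk at 628 switches `filter` to `projectService.sortFields` but leaves the context-line perf label `GdsREST.searchProjects()` on what appears to be the project-names listing, unlike the matching dataset fix at 267 that renamed it to `listDatasetNames()`.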
@@ -490,6 +646,142 @@ public class GdsREST {
 return ret;
 }
+ @POST
+ @Path(("/project/{id}/policy"))
+ @Consumes({ "application/json" })
+ @Produces({ "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")")
+ public RangerPolicy addProjectPolicy(@PathParam("id") Long projectId, RangerPolicy policy) {
+ LOG.debug("==> GdsREST.addProjectPolicy({}, {})", projectId, policy);
+
+ RangerPolicy ret;
+ RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addProjectPolicy()");
+
+ try {
+ ret = gdsStore.addProjectPolicy(projectId, policy);
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("addProjectPolicy({}) failed", projectId, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== GdsREST.addProjectPolicy({}, {}): ret={}", projectId, policy, ret);
+
+ return ret;
+ }
+
+ @PUT
+ @Path(("/project/{id}/policy/{policyId}"))
+ @Consumes({ "application/json" })
+ @Produces({ "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")")
+ public RangerPolicy updateProjectPolicy(@PathParam("id") Long projectId, @PathParam("policyId") Long policyId, RangerPolicy policy) {
+ LOG.debug("==> GdsREST.updateProjectPolicy({}, {})", projectId, policy);
+
+ RangerPolicy ret;
+ RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateProjectPolicy()");
+
+ try {
+ policy.setId(policyId);
+ ret = gdsStore.updateProjectPolicy(projectId, policy);
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("updateProjectPolicy({}) failed", projectId, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== GdsREST.updateProjectPolicy({}, {}): ret={}", projectId, policy, ret);
+
+ return ret;
+ }
+
+ @DELETE
+ @Path(("/project/{id}/policy/{policyId}"))
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")")
+ public void deleteProjectPolicy(@PathParam("id") Long projectId, @PathParam("policyId") Long policyId) {
+ LOG.debug("==> GdsREST.deleteProjectPolicy({}, {})", projectId, policyId);
+
+ RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.deleteProjectPolicy()");
+
+ try {
+ gdsStore.deleteProjectPolicy(projectId, policyId);
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("deleteProjectPolicy({}, {}) failed", projectId, policyId, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== GdsREST.deleteProjectPolicy({}, {})", projectId, policyId);
+ }
+
+ @GET
+ @Path(("/project/{id}/policy/{policyId}"))
+ @Consumes({ "application/json" })
+ @Produces({ "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")")
+ public RangerPolicy getProjectPolicy(@PathParam("id") Long projectId, @PathParam("policyId") Long policyId) {
+ LOG.debug("==> GdsREST.getProjectPolicy({}, {})", projectId, policyId);
+
+ RangerPolicy ret;
+ RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getProjectPolicy()");
+
+ try {
+ ret = gdsStore.getProjectPolicy(projectId, policyId);
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("getProjectPolicy({}, {}) failed", projectId, policyId, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== GdsREST.getProjectPolicy({}, {}): ret={}", projectId, policyId, ret);
+
+ return ret;
+ }
+
+ @GET
+ @Path(("/project/{id}/policy"))
+ @Consumes({ "application/json" })
+ @Produces({ "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")")
+ public List<RangerPolicy> getProjectPolicies(@PathParam("id") Long projectId, @Context HttpServletRequest request) {
+ LOG.debug("==> GdsREST.getProjectPolicies({})", projectId);
+
+ List<RangerPolicy> ret;
+ RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getProjectPolicies()");
+
+ try {
+ ret = gdsStore.getProjectPolicies(projectId);
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("getProjectPolicies({}) failed", projectId, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== GdsREST.getProjectPolicies({}): ret={}", projectId, ret);
+
+ return ret;
+ }
+
 @POST
 @Path("/datashare")
 @Consumes({ "application/json" })
@@ -637,7 +929,7 @@ public class GdsREST {
 perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDataShares()");
 }
- filter = searchUtil.getSearchFilter(request, datasetService.sortFields);
+ filter = searchUtil.getSearchFilter(request, dataShareService.sortFields);
 ret = gdsStore.searchDataShares(filter);
 } catch(WebApplicationException excp) {
@@ -799,7 +1091,7 @@ public class GdsREST {
 perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchSharedResources()");
 }
- filter = searchUtil.getSearchFilter(request, datasetService.sortFields);
+ filter = searchUtil.getSearchFilter(request, sharedResourceService.sortFields);
 ret = gdsStore.searchSharedResources(filter);
 } catch(WebApplicationException excp) {
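Review bot: `updateProjectPolicy` dereferences the request body with `policy.setId(policyId)` before anything checks it, so a request without a body produces an NPE that the `Throwable` branch turns into a REST error whose message is `excp.getMessage()` (i.e. `null`), and `addProjectPolicy` hands a null `policy` straight to `gdsStore.addProjectPolicy`. Rejecting it up front, `if (policy == null) { throw restErrorUtil.createRESTException("policy is null"); }`, gives the caller a usable 4xx instead of a generic failure. `getProjectPolicies` declares `@Context HttpServletRequest request` but never reads it (the dataset counterpart in the preceding hunk has the same unused parameter); either drop it or use it to build a search filter as the other list endpoints do. The only endpoint-level authorization visible here is `isAPIAccessible(PROJECT_POLICY)`, one key shared by read, add, update and delete; whether per-project admin checks happen inside `gdsStore` cannot be seen from this hunk.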
@@ -958,7 +1250,7 @@ public class GdsREST {
 perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDataShareInDatasets()");
 }
- filter = searchUtil.getSearchFilter(request, datasetService.sortFields);
+ filter = searchUtil.getSearchFilter(request, dshidService.sortFields);
 ret = gdsStore.searchDataShareInDatasets(filter);
 } catch(WebApplicationException excp) {
@@ -1118,7 +1410,7 @@ public class GdsREST {
 perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDatasetInProjects()");
 }
- filter = searchUtil.getSearchFilter(request, datasetService.sortFields);
+ filter = searchUtil.getSearchFilter(request, dipService.sortFields);
 ret = gdsStore.searchDatasetInProjects(filter);
 } catch(WebApplicationException excp) {
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 28ab36bad..76e38241f 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -160,6 +160,8 @@ import com.google.gson.JsonSyntaxException;
 import com.sun.jersey.core.header.FormDataContentDisposition;
 import com.sun.jersey.multipart.FormDataParam;
+import static org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME;
+
 @Path("plugins")
 @Component
@@ -779,7 +781,7 @@ public class ServiceREST {
 String serviceType = xxServiceDef != null ? xxServiceDef.getName() : null;
 if (!StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME, serviceType) &&
- !StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME, serviceType) &&
+ !StringUtils.equals(EMBEDDED_SERVICEDEF_GDS_NAME, serviceType) &&
 !StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME , serviceType)) {
 createOrGetLinkedServices(service);
 }
@@ -1270,6 +1272,7 @@ public class ServiceREST {
 if(policyUpdated) {
 policy.setZoneName(zoneName);
+ ensureAdminAccess(policy);
 svcStore.updatePolicy(policy);
 } else {
 LOG.error("processGrantRequest processing failed");
@@ -1310,6 +1313,7 @@ public class ServiceREST {
 policy.getPolicyItems().add(policyItem);
 policy.setZoneName(zoneName);
+ ensureAdminAccess(policy);
 svcStore.createPolicy(policy);
 }
 } catch(WebApplicationException excp) {
@@ -1342,6 +1346,7 @@ public class ServiceREST {
 }
 RESTResponse ret = new RESTResponse();
 RangerPerfTracer perf = null;
+ bizUtil.blockAuditorRoleUser();
 if(grantRequest != null) {
@@ -1387,6 +1392,9 @@ public class ServiceREST {
 if(policyUpdated) {
 policy.setZoneName(zoneName);
+
+ ensureAdminAccess(policy);
+
 svcStore.updatePolicy(policy);
 } else {
 LOG.error("processSecureGrantRequest processing failed");
@@ -1427,6 +1435,8 @@ public class ServiceREST {
 policy.getPolicyItems().add(policyItem);
 policy.setZoneName(zoneName);
+ ensureAdminAccess(policy);
+
 svcStore.createPolicy(policy);
 }
 }else{
@@ -1463,6 +1473,7 @@ public class ServiceREST {
 RESTResponse ret = new RESTResponse();
 RangerPerfTracer perf = null;
+
 if(revokeRequest!=null){
 if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) {
@@ -1508,6 +1519,9 @@ public class ServiceREST {
 if(policyUpdated) {
 policy.setZoneName(zoneName);
+
+ ensureAdminAccess(policy);
+
 svcStore.updatePolicy(policy);
 } else {
 LOG.error("processRevokeRequest processing failed");
@@ -1544,6 +1558,7 @@ public class ServiceREST {
 }
 RESTResponse ret = new RESTResponse();
 RangerPerfTracer perf = null;
+ bizUtil.blockAuditorRoleUser();
 if (revokeRequest != null) {
@@ -1590,6 +1605,9 @@ public class ServiceREST {
 if(policyUpdated) {
 policy.setZoneName(zoneName);
+
+ ensureAdminAccess(policy);
+
 svcStore.updatePolicy(policy);
 } else {
 LOG.error("processSecureRevokeRequest processing failed");
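Review bot: `bizUtil.blockAuditorRoleUser()` is added ahead of the request handling in the secure grant and revoke methods (hunks at +1346 and +1558), but the hunk at +1473, at the same position in the non-secure revoke method, adds only a blank line, so an auditor-role user is rejected on the secure endpoints and, unless a guard exists outside the hunk, not on the plain one. Adding `bizUtil.blockAuditorRoleUser();` there too keeps the grant/revoke paths on the same role check; the non-secure grant method's start is not in any hunk, so whether it has one cannot be seen here. The new `ensureAdminAccess(policy)` calls sit directly before `svcStore.updatePolicy`/`createPolicy`, which is the right place, but +1272 and +1313 add them without the blank lines used at +1392, +1435, +1519 and +1605. All enclosing methods start and end outside their hunks.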
@@ -1634,6 +1652,7 @@ public class ServiceREST {
 if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
 perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createPolicy(policyName=" + policy.getName() + ")");
 }
+
 if(request != null) {
 boolean deleteIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_DELETE_IF_EXISTS)))) ? true : false ;
 if(deleteIfExists) {
@@ -1713,7 +1732,6 @@ public class ServiceREST {
 RangerPolicy ret = null;
 if (policy != null && StringUtils.isNotBlank(policy.getService())) {
-
 try {
 final RangerPolicy existingPolicy;
@@ -1821,7 +1839,8 @@ public class ServiceREST {
 validator.validate(policy, Action.UPDATE, bizUtil.isAdmin() || isServiceAdmin(policy.getService()) || isZoneAdmin(policy.getZoneName()));
 ensureAdminAccess(policy);
- bizUtil.blockAuditorRoleUser();
+ bizUtil.blockAuditorRoleUser();
+
 ret = svcStore.updatePolicy(policy);
 } catch(WebApplicationException excp) {
 throw excp;
@@ -3665,6 +3684,8 @@ public class ServiceREST {
 }
 void ensureAdminAccess(RangerPolicy policy) {
+ blockIfGdsService(policy.getService());
+
 boolean isAdmin = bizUtil.isAdmin();
 boolean isKeyAdmin = bizUtil.isKeyAdmin();
 String userName = bizUtil.getCurrentUserLoginId();
@@ -3709,6 +3730,14 @@ public class ServiceREST {
 }
 }
+ public void blockIfGdsService(String serviceName) {
+ String serviceType = daoManager.getXXServiceDef().findServiceDefTypeByServiceName(serviceName);
+
+ if (EMBEDDED_SERVICEDEF_GDS_NAME.equals(serviceType)) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, EMBEDDED_SERVICEDEF_GDS_NAME.toUpperCase() + " policies can't be managed via this API", true);
+ }
+ }
+
 private RangerPolicyEngineOptions getDelegatedAdminPolicyEngineOptions() {
 RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
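Review bot: `blockIfGdsService` calls `toUpperCase()` with no locale on the new line that builds the 403 message; a user-facing string derived from a constant should use `toUpperCase(Locale.ROOT)` so the output does not depend on the JVM default locale. The method is `public` although its only visible caller is the package-private `ensureAdminAccess` in the hunk above; narrowing it to package-private (or `private`) keeps the check from becoming part of the REST class's surface. It also has no Javadoc; something like `/** Rejects policy management through the generic policy APIs when the service is of the GDS service-def type, by throwing a 403 REST exception. */` would explain the 403 to the next reader. Whether `findServiceDefTypeByServiceName` tolerates a null or unknown `serviceName` (returning null, so that the `equals` check is simply false) cannot be confirmed from this hunk.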
@@ -4265,20 +4294,20 @@ public class ServiceREST {
 }
 };
- Runnable createAndLinkGdsServiceTask = new Runnable() {
+ Runnable createGdsServiceTask = new Runnable() {
 @Override
 public void run() {
- final LinkedServiceCreator creator = new LinkedServiceCreator(resourceService.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME);
+ final LinkedServiceCreator creator = new LinkedServiceCreator(resourceService.getName(), EMBEDDED_SERVICEDEF_GDS_NAME, ServiceDBStore.GDS_SERVICE_NAME, true, false);
 creator.doCreateAndLinkService();
 }
 };
 rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndLinkTagServiceTask);
- rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndLinkGdsServiceTask);
+ rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createGdsServiceTask);
 if (LOG.isDebugEnabled()) {
- LOG.debug("<== createOrGetTagService(resourceService=" + resourceService.getName() + ")");
+ LOG.debug("<== createOrGetLinkedServices(resourceService=" + resourceService.getName() + ")");
 }
 }
@@ -4299,6 +4328,14 @@ public class ServiceREST {
 this.isAutoLink = config.getBoolean("ranger." + linkedServiceType + "service.auto.link", true);
 }
+ LinkedServiceCreator(@Nonnull String resourceServiceName, @Nonnull String linkedServiceType, String linkedServiceName, boolean autoCreate, boolean autoLink) {
+ this.resourceServiceName = resourceServiceName;
+ this.linkedServiceType = linkedServiceType;
+ this.linkedServiceName = linkedServiceName;
+ this.isAutoCreate = autoCreate;
+ this.isAutoLink = autoLink;
+ }
+
 void doCreateAndLinkService() {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> doCreateAndLinkService()");
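Review bot: The new `LinkedServiceCreator` constructor annotates its first two parameters `@Nonnull` but leaves `linkedServiceName` unannotated and unchecked, and unlike the existing constructor above it does not consult the `ranger.<type>service.auto.link` configuration, so the GDS behaviour chosen at the call site in the hunk above (`true, false`) is now fixed in code. Consider `Objects.requireNonNull(linkedServiceName, "linkedServiceName")` or `@Nonnull` for consistency, plus a one-line Javadoc stating that this constructor takes explicit create/link flags instead of reading configuration. The positional booleans at the call site are hard to read; a trailing `// autoCreate=true, autoLink=false` comment would make the intent visible.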
@@ -4379,16 +4416,6 @@ public class ServiceREST {
 RangerService service = svcStore.updateService(resourceService, null);
- LOG.info("Updated resource-service:[" + service.getName() + "]");
- }
- } else if (EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME.equals(linkedServiceType)) {
- if (!StringUtils.equals(linkedService.getName(), resourceService.getGdsService())) {
- resourceService.setGdsService(linkedService.getName());
-
- LOG.info("Linking resource-service[" + resourceService.getName() + "] with gds-service [" + linkedService.getName() + "]");
-
- RangerService service = svcStore.updateService(resourceService, null);
-
 LOG.info("Updated resource-service:[" + service.getName() + "]");
 }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
index b22208773..dede14dfd 100755
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
@@ -223,6 +223,7 @@ public class RangerAPIList {
 public static final String GET_DATASET = "GdsREST.getDataset";
 public static final String SEARCH_DATASETS = "GdsREST.searchDatasets";
 public static final String LIST_DATASET_NAMES = "GdsREST.listDatasetNames";
+ public static final String DATASET_POLICY = "GdsREST.datasetPolicy";
 public static final String CREATE_PROJECT = "GdsREST.createProject";
 public static final String UPDATE_PROJECT = "GdsREST.updateProject";
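Review bot: `DATASET_POLICY` is a single API-access key that GdsREST applies to add, update, delete and get of dataset policies, whereas the neighbouring dataset constants are split per operation (`GET_DATASET`, `SEARCH_DATASETS`, `LIST_DATASET_NAMES`, …); `PROJECT_POLICY` in the next hunk has the same shape. If `isAPIAccessible` is what lets read-only roles reach GET endpoints without the mutating ones, one key cannot express that, and a consumer allowed to read dataset policies would also be allowed to create or delete them. Consider per-operation keys in the existing style, e.g. `GET_DATASET_POLICY` / `CREATE_DATASET_POLICY` / `UPDATE_DATASET_POLICY` / `DELETE_DATASET_POLICY`, or a comment on the constant explaining why one key is intended.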
@@ -230,6 +231,7 @@ public class RangerAPIList {
 public static final String GET_PROJECT = "GdsREST.getProject";
 public static final String SEARCH_PROJECTS = "GdsREST.searchProjects";
 public static final String LIST_PROJECT_NAMES = "GdsREST.listProjectNames";
+ public static final String PROJECT_POLICY = "GdsREST.projectPolicy";
 public static final String CREATE_DATA_SHARE = "GdsREST.createDataShare";
 public static final String UPDATE_DATA_SHARE = "GdsREST.updateDataShare";
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
index 2a28eeb63..0f0c97759 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
@@ -617,7 +617,9 @@ public abstract class RangerServiceDefServiceBase<T extends XXServiceDefBase, V
 List<T> permittedServiceDefs = new ArrayList<T>();
 for (T xSvcDef : xSvcDefList) {
 if ((bizUtil.hasAccess(xSvcDef, null) || (bizUtil.isAdmin() && isAuditPage)) || ("true".equals(denyCondition))) {
- permittedServiceDefs.add(xSvcDef);
+ if (!bizUtil.isGdsServiceDef(xSvcDef)) {
+ permittedServiceDefs.add(xSvcDef);
+ }
 }
 }
 if (!permittedServiceDefs.isEmpty()) {
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java
index 8ec558881..9bf7868d0 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java
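Review bot: The new `if (!bizUtil.isGdsServiceDef(xSvcDef))` is nested inside an already long access condition and adds a block level for a single statement; folding it into the outer condition, `if (!bizUtil.isGdsServiceDef(xSvcDef) && (bizUtil.hasAccess(xSvcDef, null) || ...))`, or a `continue` at the top of the loop body, reads more directly. The same nested shape is added for services in RangerServiceServiceBase (hunk `@@ -165,7 +145,9 @@`). This hides GDS service-defs from the list built here, but whether direct lookups of a GDS service-def by id or name are restricted as well is not visible in this hunk; if the intent is that GDS objects are managed only through GdsREST, the list filter needs a matching check on those paths.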
@@ -267,11 +267,6 @@ public class RangerServiceService extends RangerServiceServiceBase<XXService, Ra
 RangerService oldService = this.populateViewBean(mObj);
 oldValue=oldService.getTagService();
 }
- } else if ("gdsService".equalsIgnoreCase(fieldName)) {
- if(!StringUtils.isEmpty(oldValue) && !"null".equalsIgnoreCase(oldValue)){
- RangerService oldService = this.populateViewBean(mObj);
- oldValue = oldService.getGdsService();
- }
 }
 if (oldValue == null || value.equalsIgnoreCase(oldValue)) {
 return null;
@@ -348,8 +343,6 @@ public class RangerServiceService extends RangerServiceServiceBase<XXService, Ra
 serviceVersionInfo.setPolicyUpdateTime(now);
 serviceVersionInfo.setTagUpdateTime(now);
 serviceVersionInfo.setRoleUpdateTime(now);
- serviceVersionInfo.setGdsVersion(1L);
- serviceVersionInfo.setGdsUpdateTime(now);
 XXServiceVersionInfoDao serviceVersionInfoDao = daoMgr.getXXServiceVersionInfo();
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
index 5c9591f63..fa23b96d7 100755
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
@@ -72,6 +72,7 @@ public abstract class RangerServiceServiceBase<T extends XXServiceBase, V extend
 xObj.setGuid(guid);
 XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(vObj.getType());
+
 if(xServiceDef == null) {
 throw restErrorUtil.createRESTException(
 "No ServiceDefinition found with name :" + vObj.getType(),
@@ -92,27 +93,10 @@ public abstract class RangerServiceServiceBase<T extends XXServiceBase, V extend
 tagServiceId = xTagService.getId();
 }
- Long gdsServiceId = null;
- String gdsServiceName = vObj.getGdsService();
-
- if (StringUtils.isNotBlank(gdsServiceName)) {
- XXService xGdsService = daoMgr.getXXService().findByName(gdsServiceName);
-
- if (xGdsService == null) {
- throw restErrorUtil.createRESTException(
- "No Service found with name :" + gdsServiceName,
- MessageEnums.INVALID_INPUT_DATA);
- }
-
- gdsServiceId = xGdsService.getId();
- }
-
 xObj.setType(xServiceDef.getId());
 xObj.setName(vObj.getName());
 xObj.setDisplayName(vObj.getDisplayName());
 xObj.setTagService(tagServiceId);
- xObj.setGdsService(gdsServiceId);
-
 if (OPERATION_CONTEXT == OPERATION_CREATE_CONTEXT) {
 xObj.setTagVersion(vObj.getTagVersion());
 }
@@ -125,7 +109,6 @@ public abstract class RangerServiceServiceBase<T extends XXServiceBase, V extend
 protected V mapEntityToViewBean(V vObj, T xObj) {
 XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xObj.getType());
 XXService xTagService = xObj.getTagService() != null ? daoMgr.getXXService().getById(xObj.getTagService()) : null;
- XXService xGdsService = xObj.getGdsService() != null ? daoMgr.getXXService().getById(xObj.getGdsService()) : null;
 vObj.setType(xServiceDef.getName());
 vObj.setGuid(xObj.getGuid());
 vObj.setVersion(xObj.getVersion());
@@ -133,15 +116,12 @@ public abstract class RangerServiceServiceBase<T extends XXServiceBase, V extend
 vObj.setDisplayName(xObj.getDisplayName());
 vObj.setDescription(xObj.getDescription());
 vObj.setTagService(xTagService != null ? xTagService.getName() : null);
- vObj.setGdsService(xGdsService != null ? xGdsService.getName() : null);
 XXServiceVersionInfo versionInfoObj = daoMgr.getXXServiceVersionInfo().findByServiceId(xObj.getId());
 if (versionInfoObj != null) {
 vObj.setPolicyVersion(versionInfoObj.getPolicyVersion());
 vObj.setTagVersion(versionInfoObj.getTagVersion());
 vObj.setPolicyUpdateTime(versionInfoObj.getPolicyUpdateTime());
 vObj.setTagUpdateTime(versionInfoObj.getTagUpdateTime());
- vObj.setGdsVersion(versionInfoObj.getGdsVersion());
- vObj.setGdsUpdateTime(versionInfoObj.getGdsUpdateTime());
 } else {
 vObj.setPolicyVersion(xObj.getPolicyVersion());
 vObj.setTagVersion(xObj.getTagVersion());
@@ -165,7 +145,9 @@ public abstract class RangerServiceServiceBase<T extends XXServiceBase, V extend
 for (T xSvc : xSvcList) {
 if(bizUtil.hasAccess(xSvc, null)){
- permittedServices.add(xSvc);
+ if (!bizUtil.isGdsService(xSvc)) {
+ permittedServices.add(xSvc);
+ }
 }
 }
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 41a9bfef6..be4bfee71 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -694,8 +694,11 @@
 <query>select obj.id from XXService obj where obj.tagService = :tagServiceId</query>
 </named-query>
- <named-query name="XXService.findIdsByGdsServiceId">
- <query>select obj.id from XXService obj where obj.gdsService = :gdsServiceId</query>
+ <named-query name="XXService.findIdsExcludingServiceTypes">
+ <query>SELECT obj.id
+ FROM XXService obj
+ JOIN XXServiceDef sd ON sd.id = obj.type
+ WHERE sd.name NOT IN :excludedServiceTypes</query>
 </named-query>
 <named-query name="XXService.findAssociatedTagService">
@@ -2263,4 +2266,28 @@
 WHERE obj.datasetId = :datasetId GROUP BY obj.status</query>
 </named-query>
+
+ <named-query name="XXGdsDatasetPolicyMap.getDatasetPolicyMap">
+ <query>SELECT obj FROM XXGdsDatasetPolicyMap obj WHERE obj.datasetId = :datasetId AND obj.policyId = :policyId</query>
+ </named-query>
+
+ <named-query name="XXGdsDatasetPolicyMap.getDatasetPolicyMaps">
+ <query>SELECT obj FROM XXGdsDatasetPolicyMap obj WHERE obj.datasetId = :datasetId</query>
+ </named-query>
+
+ <named-query name="XXGdsDatasetPolicyMap.getDatasetPolicyIds">
+ <query>SELECT obj.policyId FROM XXGdsDatasetPolicyMap obj WHERE obj.datasetId = :datasetId</query>
+ </named-query>
+
+ <named-query name="XXGdsProjectPolicyMap.getProjectPolicyMap">
+ <query>SELECT obj FROM XXGdsProjectPolicyMap obj WHERE obj.projectId = :projectId AND obj.policyId = :policyId</query>
+ </named-query>
+
+ <named-query name="XXGdsProjectPolicyMap.getProjectPolicyMaps">
+ <query>SELECT obj FROM XXGdsProjectPolicyMap obj WHERE obj.projectId = :projectId</query>
+ </named-query>
+
+ <named-query name="XXGdsProjectPolicyMap.getProjectPolicyIds">
+ <query>SELECT obj.policyId FROM XXGdsProjectPolicyMap obj WHERE obj.projectId = :projectId</query>
+ </named-query>
 </entity-mappings>
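Review bot: `XXService.findIdsExcludingServiceTypes` binds a collection to `NOT IN :excludedServiceTypes`; if the caller ever passes an empty collection the generated `NOT IN ()` is rejected by several databases, and a null collection fails at bind time, so the DAO method that sets this parameter should handle the empty case itself (return all ids, or skip the predicate) rather than rely on the query. The `JOIN XXServiceDef sd ON sd.id = obj.type` form needs a JPA 2.1 provider, which is worth confirming since the replaced query used a plain `where` on a foreign-key attribute. A short comment on the named query noting that `:excludedServiceTypes` must be a non-empty collection of service-def names would make the contract explicit for callers.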