This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b0ae138ce RANGER-4378: updated implied-grants handling to use
RangerServiceDefHelper
b0ae138ce is described below
commit b0ae138ce7d55a0e1f75702a432af6124b832a08
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Mon Oct 2 03:38:31 2023 -0700
RANGER-4378: updated implied-grants handling to use RangerServiceDefHelper
---
.../model/validation/RangerServiceDefHelper.java | 32 ++++++++++++++++++++++
.../ranger/plugin/policyengine/PolicyEngine.java | 27 ++++--------------
2 files changed, 38 insertions(+), 21 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
index 4e287f9a4..c1388abc2 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
@@ -36,6 +36,7 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -311,6 +312,10 @@ public class RangerServiceDefHelper {
return _delegate.getWildcardEnabledResourceDef(resourceName,
policyType);
}
+ public Map<String, Collection<String>> getImpliedAccessGrants() {
+ return _delegate.getImpliedAccessGrants();
+ }
+
/**
* Not designed for public access. Package level only for testability.
*/
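Review bot: The new public `getImpliedAccessGrants()` has no Javadoc, although it exposes the access-type implication table to callers outside the package. A one-line comment would state what the keys and values are, for example `/** Returns, keyed by access-type name, the names of the access types each one implies; empty when the service-def declares none. */`. That wording follows `computeImpliedGrants()` in the later hunk of this file, which keys on `accessTypeDef.getName()` and always returns a non-null map.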
@@ -323,6 +328,7 @@ public class RangerServiceDefHelper {
final boolean _checkForCycles;
final boolean _valid;
final List<String> _orderedResourceNames;
+ final Map<String, Collection<String>> _impliedGrants;
final static Set<List<RangerResourceDef>>
EMPTY_RESOURCE_HIERARCHY = Collections.unmodifiableSet(new
HashSet<List<RangerResourceDef>>());
@@ -352,6 +358,8 @@ public class RangerServiceDefHelper {
}
}
+ _impliedGrants = computeImpliedGrants();
+
if (isValid) {
_orderedResourceNames =
buildSortedResourceNames();
} else {
@@ -611,6 +619,30 @@ public class RangerServiceDefHelper {
return this._orderedResourceNames;
}
+ Map<String, Collection<String>> getImpliedAccessGrants() {
return _impliedGrants; }
+
+ private Map<String, Collection<String>> computeImpliedGrants() {
+ Map<String, Collection<String>> ret = new HashMap<>();
+
+ if (_serviceDef != null &&
CollectionUtils.isNotEmpty(_serviceDef.getAccessTypes())) {
+ for (RangerAccessTypeDef accessTypeDef :
_serviceDef.getAccessTypes()) {
+ if
(CollectionUtils.isNotEmpty(accessTypeDef.getImpliedGrants())) {
+ Collection<String>
impliedAccessGrants = ret.get(accessTypeDef.getName());
+
+ if(impliedAccessGrants == null)
{
+ impliedAccessGrants =
new HashSet<>();
+
+
ret.put(accessTypeDef.getName(), impliedAccessGrants);
+ }
+
+
impliedAccessGrants.addAll(accessTypeDef.getImpliedGrants());
+ }
+ }
+ }
+
+ return ret;
+ }
+
private static class ResourceNameLevel implements
Comparable<ResourceNameLevel> {
private String resourceName;
private int level;
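Review bot: `computeImpliedGrants()` returns a plain `HashMap` whose values are plain `HashSet`s, and `getImpliedAccessGrants()` hands that same instance to every caller. That includes the public accessor added earlier in this file and the entry `PolicyEngine` stores in its static map in the last hunk. These entries decide which access types are granted implicitly, so a caller that adds to one of the sets would widen the result for every holder of the reference. The inner collections are also not safe for concurrent mutation and reads. Whether any caller mutates the map is not visible here, but freezing it before assignment removes the question: `ret.replaceAll((name, grants) -> Collections.unmodifiableCollection(grants));` followed by `return Collections.unmodifiableMap(ret);`.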
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 4a5406301..04f010a03 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -36,6 +36,7 @@ import
org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
@@ -488,33 +489,17 @@ public class PolicyEngine {
}
static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) {
- Map<String, Collection<String>> ret = null;
-
- if (serviceDef != null &&
!CollectionUtils.isEmpty(serviceDef.getAccessTypes())) {
- for (RangerServiceDef.RangerAccessTypeDef accessTypeDef :
serviceDef.getAccessTypes()) {
- if
(!CollectionUtils.isEmpty(accessTypeDef.getImpliedGrants())) {
- if (ret == null) {
- ret = new HashMap<>();
- }
-
- Collection<String> impliedGrants =
ret.get(accessTypeDef.getName());
-
- if (impliedGrants == null) {
- impliedGrants = new HashSet<>();
-
- ret.put(accessTypeDef.getName(), impliedGrants);
- }
-
- impliedGrants.addAll(accessTypeDef.getImpliedGrants());
- }
- }
+ if (serviceDef != null) {
+ RangerServiceDefHelper helper = new
RangerServiceDefHelper(serviceDef, false);
if (impliedAccessGrants == null) {
impliedAccessGrants = Collections.synchronizedMap(new
HashMap<>());
}
- impliedAccessGrants.put(serviceDef.getName(), ret);
+
+ impliedAccessGrants.put(serviceDef.getName(),
helper.getImpliedAccessGrants());
}
}
+
private Set<String> getMatchedZonesForResourceAndChildren(Map<String, ?>
resource, RangerAccessResource accessResource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==>
PolicyEngine.getMatchedZonesForResourceAndChildren(" + resource + ", " +
accessResource + ")");
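Review bot: `buildImpliedAccessGrants` now stores an empty map for a service-def with no implied grants, where the removed code stored `null` (`ret` was only allocated once an access type with implied grants was found). Readers of the static `impliedAccessGrants` map are outside this hunk, so it is worth confirming that none of them treat a `null` entry as "no expansion needed" in a way that differs from an empty map. The stored value is also the helper's own map instance, so it stays mutable through this static reference unless the helper returns an unmodifiable view. Separately, the bare `false` in `new RangerServiceDefHelper(serviceDef, false)` does not say what it switches off; a short comment naming the parameter would help. `getMatchedZonesForResourceAndChildren` continues past the end of the hunk.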