This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new c49ed48d1 RANGER-4484: security-zone names should be made available in 
context
c49ed48d1 is described below

commit c49ed48d131c2bc39a1da3c6d8173a12c299baa8
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Wed Oct 18 15:49:15 2023 -0700

    RANGER-4484: security-zone names should be made available in context
---
 .../ranger/plugin/policyengine/PolicyEngine.java   | 10 +++---
 .../policyengine/RangerPolicyEngineImpl.java       |  6 ++--
 .../policyengine/RangerRequestScriptEvaluator.java | 12 ++++++++
 .../service/RangerDefaultRequestProcessor.java     |  4 +++
 .../plugin/util/RangerAccessRequestUtil.java       | 36 ++++++++++++++++++++++
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   |  2 +-
 6 files changed, 61 insertions(+), 9 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 3373dbae9..063b685d0 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -408,13 +408,13 @@ public class PolicyEngine {
     }
 
     public String getUniquelyMatchedZoneName(Map<String, ?> resourceAsMap) {
-        String ret = null;
         Set<String> matchedZones = 
getMatchedZonesForResourceAndChildren(resourceAsMap, 
convertToAccessResource(resourceAsMap));
-        if (CollectionUtils.isNotEmpty(matchedZones) && matchedZones.size() == 
1) {
-            String[] matchedZonesArray = new String[1];
-            matchedZones.toArray(matchedZonesArray);
-            ret = matchedZonesArray[0];
+        String      ret          = (matchedZones != null && 
matchedZones.size() == 1) ? matchedZones.iterator().next() : null;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("getUniquelyMatchedZoneName(" + resourceAsMap + "): 
matchedZones=" + matchedZones + ", ret=" + ret);
         }
+
         return ret;
     }
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index fd78fd8e0..12f8a1705 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -273,7 +273,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
 
                        requestProcessor.preProcess(request);
 
-                       String zoneName = 
policyEngine.getUniquelyMatchedZoneName(request.getResource().getAsMap());
+                       String zoneName = 
RangerAccessRequestUtil.getResourceZoneNameFromContext(request.getContext());
 
                        if (LOG.isDebugEnabled()) {
                                LOG.debug("zoneName:[" + zoneName + "]");
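Review bot: The zone used for policy evaluation is now whatever `RESOURCE_ZONE_NAMES` holds in the request context, and `getResourceZoneNameFromContext` returns null both when the key was never set and when the resource is in no zone. The hunks at -556 and -633 in this file and the one in RangerPolicyAdminImpl.java rely on the same assumption, and RangerPolicyAdminImpl visibly treats an empty result as the unzoned case. Only RangerDefaultRequestProcessor is shown populating the key, so another RangerAccessRequestProcessor implementation, or a preProcess path that returns before the new lines (not visible here), would presumably leave zoned resources evaluated as unzoned. Consider falling back to the engine when the key is absent, e.g. `if (!request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_RESOURCE_ZONE_NAMES)) { zoneName = policyEngine.getUniquelyMatchedZoneName(request.getResource().getAsMap()); }`. The enclosing method starts and ends outside this hunk.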
@@ -556,7 +556,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                requestProcessor.preProcess(request);
 
                RangerResourceAccessInfo ret       = new 
RangerResourceAccessInfo(request);
-               Set<String>              zoneNames = 
policyEngine.getMatchedZonesForResourceAndChildren(request.getResource());
+               Set<String>              zoneNames = 
RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
 
                if (LOG.isDebugEnabled()) {
                        LOG.debug("zoneNames:[" + zoneNames + "]");
@@ -633,7 +633,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                RangerAccessResult     ret                 = null;
                RangerPolicyRepository policyRepository    = 
policyEngine.getPolicyRepository();
                RangerPolicyRepository tagPolicyRepository = 
policyEngine.getTagPolicyRepository();
-               Set<String>            zoneNames            = 
policyEngine.getMatchedZonesForResourceAndChildren(request.getResource()); // 
Evaluate zone-name from request
+               Set<String>            zoneNames            = 
RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
 
                if (LOG.isDebugEnabled()) {
                        LOG.debug("zoneNames:[" + zoneNames + "]");
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
index 0df8686e3..884f69137 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -360,6 +360,18 @@ public final class RangerRequestScriptEvaluator {
                return ret;
        }
 
+       public String getResourceZone() {
+               String ret = 
RangerAccessRequestUtil.getResourceZoneNameFromContext(getRequestContext());
+
+               return ret != null ? ret : StringUtils.EMPTY;
+       }
+
+       public Set<String> getResourceZones() {
+               Set<String> ret = 
RangerAccessRequestUtil.getResourceZoneNamesFromContext(getRequestContext());
+
+               return ret != null ? Collections.emptySet() : ret;
+       }
+
        public String getRequestContextAttribute(String attributeName) {
                String ret = null;
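Review bot: The ternary in `getResourceZones()` is inverted: `ret != null ? Collections.emptySet() : ret` returns an empty set whenever zone names are present and null when they are absent. It should read `return ret != null ? ret : Collections.emptySet();`, matching the null-to-empty handling in `getResourceZone()` just above it. As written, a condition script that tests zone membership would presumably always see no zones, or hit a null, which can change the outcome of the policy condition it guards.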
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
index 6fa75d602..3265f1011 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -130,6 +130,10 @@ public class RangerDefaultRequestProcessor implements 
RangerAccessRequestProcess
             
RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), 
roles);
         }
 
+        Set<String> zoneNames = 
policyEngine.getMatchedZonesForResourceAndChildren(request.getResource());
+
+        RangerAccessRequestUtil.setResourceZoneNamesInContext(request, 
zoneNames);
+
         enrich(request);
 
         RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), 
Boolean.TRUE);
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index b505f495b..b088ed7ef 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -48,6 +48,7 @@ public class RangerAccessRequestUtil {
        public static final String KEY_CONTEXT_IS_ANY_ACCESS = "ISANYACCESS";
        public static final String KEY_CONTEXT_REQUEST       = "_REQUEST";
        public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = 
"ISREQUESTPREPROCESSED";
+       public static final String KEY_CONTEXT_RESOURCE_ZONE_NAMES     = 
"RESOURCE_ZONE_NAMES";
 
        public static void setRequestTagsInContext(Map<String, Object> context, 
Set<RangerTagForEval> tags) {
                if(CollectionUtils.isEmpty(tags)) {
@@ -131,6 +132,7 @@ public class RangerAccessRequestUtil {
                        ret.remove(KEY_CONTEXT_TAGS);
                        ret.remove(KEY_CONTEXT_TAG_OBJECT);
                        ret.remove(KEY_CONTEXT_RESOURCE);
+                       ret.remove(KEY_CONTEXT_RESOURCE_ZONE_NAMES);
                        ret.remove(KEY_CONTEXT_REQUEST);
                        ret.remove(KEY_CONTEXT_ACCESSTYPES);
                        ret.remove(KEY_CONTEXT_IS_ANY_ACCESS);
@@ -257,4 +259,38 @@ public class RangerAccessRequestUtil {
                return ret;
        }
 
+       public static void setResourceZoneNamesInContext(RangerAccessRequest 
request, Set<String> zoneNames) {
+               Map<String, Object> context = request.getContext();
+
+               if (context != null) {
+                       context.put(KEY_CONTEXT_RESOURCE_ZONE_NAMES, zoneNames);
+               } else {
+                       LOG.error("setResourceZoneNamesInContext({}): context 
is null", request);
+               }
+       }
+
+       @SuppressWarnings("unchecked")
+       public static Set<String> getResourceZoneNamesFromContext(Map<String, 
Object> context) {
+               Set<String> ret = null;
+
+               if (context != null) {
+                       Object val = 
context.get(KEY_CONTEXT_RESOURCE_ZONE_NAMES);
+
+                       if (val instanceof Set) {
+                               ret = (Set<String>) val;
+                       } else {
+                               if (val != null) {
+                                       
LOG.error("getResourceZoneNamesFromContext(): expected Set<String>, but found 
{}", val.getClass().getCanonicalName());
+                               }
+                       }
+               }
+
+               return ret;
+       }
+
+       public static String getResourceZoneNameFromContext(Map<String, Object> 
context) {
+               Set<String> ret = getResourceZoneNamesFromContext(context);
+
+               return ret != null && ret.size() == 1 ? ret.iterator().next() : 
null;
+       }
 }
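Review bot: `setResourceZoneNamesInContext` stores the caller's set by reference and `getResourceZoneNamesFromContext` hands the same instance back, while this commit makes that set the input to zone selection in RangerPolicyEngineImpl and exposes it through RangerRequestScriptEvaluator. Any consumer that mutates the returned set would change the zones seen by later evaluation of the same request; storing an unmodifiable view, `context.put(KEY_CONTEXT_RESOURCE_ZONE_NAMES, zoneNames != null ? Collections.unmodifiableSet(zoneNames) : null);`, closes that off (an import of java.util.Collections may be needed, since the file's imports are outside the hunk). Separately, the null-context branch only logs, so the zone names are dropped and readers later get null; a short Javadoc on the three new methods stating that null means "not set" rather than "no zone" would help callers handle it deliberately.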
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 6799be200..84ee31ba2 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -646,7 +646,7 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 
         requestProcessor.preProcess(request);
 
-        Set<String> zoneNames = 
policyEngine.getMatchedZonesForResourceAndChildren(resource);
+        Set<String> zoneNames = 
RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
 
         if (CollectionUtils.isEmpty(zoneNames)) {
             getMatchingPoliciesForZone(request, null, ret);
