This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
     new c49ed48d1 RANGER-4484: security-zone names should be made available in context
c49ed48d1 is described below
commit c49ed48d131c2bc39a1da3c6d8173a12c299baa8
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Wed Oct 18 15:49:15 2023 -0700
    RANGER-4484: security-zone names should be made available in context
---
 .../ranger/plugin/policyengine/PolicyEngine.java | 10 +++---
 .../policyengine/RangerPolicyEngineImpl.java | 6 ++--
 .../policyengine/RangerRequestScriptEvaluator.java | 12 ++++++++
 .../service/RangerDefaultRequestProcessor.java | 4 +++
 .../plugin/util/RangerAccessRequestUtil.java | 36 ++++++++++++++++++++++
 .../apache/ranger/biz/RangerPolicyAdminImpl.java | 2 +-
 6 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 3373dbae9..063b685d0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -408,13 +408,13 @@ public class PolicyEngine {
     }
     public String getUniquelyMatchedZoneName(Map<String, ?> resourceAsMap) {
-        String ret = null;
         Set<String> matchedZones = getMatchedZonesForResourceAndChildren(resourceAsMap, convertToAccessResource(resourceAsMap));
-        if (CollectionUtils.isNotEmpty(matchedZones) && matchedZones.size() == 1) {
-            String[] matchedZonesArray = new String[1];
-            matchedZones.toArray(matchedZonesArray);
-            ret = matchedZonesArray[0];
+        String ret = (matchedZones != null && matchedZones.size() == 1) ? matchedZones.iterator().next() : null;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("getUniquelyMatchedZoneName(" + resourceAsMap + "): matchedZones=" + matchedZones + ", ret=" + ret);
         }
+
         return ret;
     }
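Review bot: The null return of getUniquelyMatchedZoneName conflates "no zone matched" with "more than one zone matched", and the rewritten selection `(matchedZones != null && matchedZones.size() == 1) ? matchedZones.iterator().next() : null` is now duplicated verbatim in RangerAccessRequestUtil.getResourceZoneNameFromContext, which this commit switches the RangerPolicyEngineImpl call sites to. If no other callers of this method remain (not visible from the hunk), it should be removed or delegate to the util; either way the contract should be spelled out in a Javadoc such as `/** Returns the single security zone whose resources match resourceAsMap or one of its children; null both when no zone matches and when more than one does. */`. The new debug line prints the whole resource map and the matched zone set, which is fine at DEBUG but is new output to be aware of in deployments that ship debug logs.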
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index fd78fd8e0..12f8a1705 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -273,7 +273,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
         requestProcessor.preProcess(request);
-        String zoneName = policyEngine.getUniquelyMatchedZoneName(request.getResource().getAsMap());
+        String zoneName = RangerAccessRequestUtil.getResourceZoneNameFromContext(request.getContext());
         if (LOG.isDebugEnabled()) {
             LOG.debug("zoneName:[" + zoneName + "]");
@@ -556,7 +556,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
         requestProcessor.preProcess(request);
         RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request);
-        Set<String> zoneNames = policyEngine.getMatchedZonesForResourceAndChildren(request.getResource());
+        Set<String> zoneNames = RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
         if (LOG.isDebugEnabled()) {
             LOG.debug("zoneNames:[" + zoneNames + "]");
@@ -633,7 +633,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
         RangerAccessResult ret = null;
         RangerPolicyRepository policyRepository = policyEngine.getPolicyRepository();
         RangerPolicyRepository tagPolicyRepository = policyEngine.getTagPolicyRepository();
-        Set<String> zoneNames = policyEngine.getMatchedZonesForResourceAndChildren(request.getResource()); // Evaluate zone-name from request
+        Set<String> zoneNames = RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
         if (LOG.isDebugEnabled()) {
             LOG.debug("zoneNames:[" + zoneNames + "]");
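Review bot: In the third hunk (the method around line 633) zoneNames is now read from the request context with no preProcess call visible, so a request that reaches this method without having been pre-processed gets null from getResourceZoneNamesFromContext and is evaluated as if no security zone matched, whereas the removed line computed the zones from the resource unconditionally; depending on how the zone and unzoned policies are set up, that can be the more permissive outcome. Whether every path into this method pre-processes first cannot be seen from the hunk — the first two hunks do call requestProcessor.preProcess(request) immediately before, so the dependency is presumably intended. If so, make the assumption explicit instead of silently degrading, e.g. `if (zoneNames == null && !RangerAccessRequestUtil.getIsRequestPreprocessed(request.getContext())) { throw new IllegalStateException("request must be pre-processed before policy evaluation"); }` (assuming a getter matching setIsRequestPreprocessed exists), or fall back to `policyEngine.getMatchedZonesForResourceAndChildren(request.getResource())` when the context entry is absent. The enclosing methods of all three hunks start and end outside the hunks.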
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
index 0df8686e3..884f69137 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -360,6 +360,18 @@ public final class RangerRequestScriptEvaluator {
         return ret;
     }
+    public String getResourceZone() {
+        String ret = RangerAccessRequestUtil.getResourceZoneNameFromContext(getRequestContext());
+
+        return ret != null ? ret : StringUtils.EMPTY;
+    }
+
+    public Set<String> getResourceZones() {
+        Set<String> ret = RangerAccessRequestUtil.getResourceZoneNamesFromContext(getRequestContext());
+
+        return ret != null ? Collections.emptySet() : ret;
+    }
+
     public String getRequestContextAttribute(String attributeName) {
         String ret = null;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
index 6fa75d602..3265f1011 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -130,6 +130,10 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess
             RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), roles);
         }
+        Set<String> zoneNames = policyEngine.getMatchedZonesForResourceAndChildren(request.getResource());
+
+        RangerAccessRequestUtil.setResourceZoneNamesInContext(request, zoneNames);
+
         enrich(request);
         RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE);
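Review bot: getResourceZones has its ternary inverted: `return ret != null ? Collections.emptySet() : ret;` yields an empty set exactly when zones were resolved and null when they were not, so callers never see the real zone set; it should read `return ret != null ? ret : Collections.emptySet();`. If, as the class name suggests, these getters are exposed to policy-condition scripts, consider returning `Collections.unmodifiableSet(ret)` so a script cannot mutate the set that lives in the request context and is read again by the policy engine for the same request. The enclosing class continues outside the hunk.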
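Review bot: The two added lines in RangerDefaultRequestProcessor are now the only place the security zones get resolved, and RangerPolicyEngineImpl and RangerRequestScriptEvaluator silently depend on this having run, yet nothing in the code says so; a comment above the first added line would make the contract visible: `// resolve the security zones for the resource once here; the policy engine and script evaluator read them from the context instead of recomputing`. Placing the call before enrich(request) also lets enrichers read the zones, which is worth stating if that ordering is deliberate. The enclosing method starts and ends outside the hunk.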
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index b505f495b..b088ed7ef 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -48,6 +48,7 @@ public class RangerAccessRequestUtil {
     public static final String KEY_CONTEXT_IS_ANY_ACCESS = "ISANYACCESS";
     public static final String KEY_CONTEXT_REQUEST = "_REQUEST";
     public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = "ISREQUESTPREPROCESSED";
+    public static final String KEY_CONTEXT_RESOURCE_ZONE_NAMES = "RESOURCE_ZONE_NAMES";
     public static void setRequestTagsInContext(Map<String, Object> context, Set<RangerTagForEval> tags) {
         if(CollectionUtils.isEmpty(tags)) {
@@ -131,6 +132,7 @@ public class RangerAccessRequestUtil {
         ret.remove(KEY_CONTEXT_TAGS);
         ret.remove(KEY_CONTEXT_TAG_OBJECT);
         ret.remove(KEY_CONTEXT_RESOURCE);
+        ret.remove(KEY_CONTEXT_RESOURCE_ZONE_NAMES);
         ret.remove(KEY_CONTEXT_REQUEST);
         ret.remove(KEY_CONTEXT_ACCESSTYPES);
         ret.remove(KEY_CONTEXT_IS_ANY_ACCESS);
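Review bot: KEY_CONTEXT_RESOURCE_ZONE_NAMES is added without any comment, so a reader has to find the accessor methods at the bottom of the file to learn what type the entry holds and who writes it; the other keys in this block are equally bare, but this one is a new authorization input and deserves a line such as `// Set<String> of security zones matched by the request resource; written during request pre-processing and stripped by the context-copy helper below`. The removal added in the second hunk is consistent with how the neighbouring request-scoped keys are treated.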
@@ -257,4 +259,38 @@ public class RangerAccessRequestUtil {
         return ret;
     }
+    public static void setResourceZoneNamesInContext(RangerAccessRequest request, Set<String> zoneNames) {
+        Map<String, Object> context = request.getContext();
+
+        if (context != null) {
+            context.put(KEY_CONTEXT_RESOURCE_ZONE_NAMES, zoneNames);
+        } else {
+            LOG.error("setResourceZoneNamesInContext({}): context is null", request);
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    public static Set<String> getResourceZoneNamesFromContext(Map<String, Object> context) {
+        Set<String> ret = null;
+
+        if (context != null) {
+            Object val = context.get(KEY_CONTEXT_RESOURCE_ZONE_NAMES);
+
+            if (val instanceof Set) {
+                ret = (Set<String>) val;
+            } else {
+                if (val != null) {
+                    LOG.error("getResourceZoneNamesFromContext(): expected Set<String>, but found {}", val.getClass().getCanonicalName());
+                }
+            }
+        }
+
+        return ret;
+    }
+
+    public static String getResourceZoneNameFromContext(Map<String, Object> context) {
+        Set<String> ret = getResourceZoneNamesFromContext(context);
+
+        return ret != null && ret.size() == 1 ? ret.iterator().next() : null;
+    }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 6799be200..84ee31ba2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -646,7 +646,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
         requestProcessor.preProcess(request);
-        Set<String> zoneNames = policyEngine.getMatchedZonesForResourceAndChildren(resource);
+        Set<String> zoneNames = RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
         if (CollectionUtils.isEmpty(zoneNames)) {
             getMatchingPoliciesForZone(request, null, ret);
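Review bot: getResourceZoneNamesFromContext logs an error when the context entry has the wrong type but then returns null, so a corrupted or mis-set entry is evaluated exactly like "no zone matched", which for an authorization input is a fail-open default (whether it is more permissive depends on how the zone and unzoned policies are configured). It is safer to fail closed here: replace the LOG.error branch with `throw new IllegalStateException("context entry " + KEY_CONTEXT_RESOURCE_ZONE_NAMES + " is not a Set<String>: " + val.getClass().getCanonicalName());`. The unchecked cast also does not verify element types, so a Set with non-String members only surfaces as a ClassCastException in the caller — acceptable, but the @SuppressWarnings deserves a one-line comment saying the set is only ever written by setResourceZoneNamesInContext. setResourceZoneNamesInContext logs the whole request object on a null context; confirm that RangerAccessRequest.toString() does not emit anything that should stay out of error logs.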