This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 12c80bfaf1fa0922e8f0c4c3cde4330e68fd3a3e
Merge: 21e56d955 105f6f5ce
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Tue Oct 24 13:38:53 2023 -0700

Merge branch 'master' into RANGER-3923

 .../plugin/policyengine/RangerResourceTrie.java | 3 -
 .../RangerCustomConditionEvaluator.java | 182 +++++++++------------
 .../RangerDefaultPolicyEvaluator.java | 18 +-
 .../RangerDefaultPolicyItemEvaluator.java | 52 +----
 .../apache/ranger/plugin/util/ServiceDefUtil.java | 48 ++++++
 .../site/resources/blogs/adventures_in_abac_2.html | 2 +-
 .../org/apache/ranger/biz/PolicyRefUpdater.java | 3 +-
 .../service/RangerServiceDefServiceBase.java | 28 +---
 .../service/TestRangerServiceDefService.java | 3 +-
 9 files changed, 140 insertions(+), 199 deletions(-)

diff --cc agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
index 489476b28,d78674d51..5d1fb0be5
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
@@@ -59,30 -59,13 +61,35 @@@ import java.util.Set
 public class ServiceDefUtil {
 private static final Logger LOG = LoggerFactory.getLogger(ServiceDefUtil.class);
+ public static final String IMPLICIT_CONDITION_EXPRESSION_EVALUATOR = RangerScriptConditionEvaluator.class.getCanonicalName();
+ public static final String IMPLICIT_CONDITION_EXPRESSION_NAME = "_expression";
+ public static final String IMPLICIT_CONDITION_EXPRESSION_LABEL = "Enter boolean expression";
+ public static final String IMPLICIT_CONDITION_EXPRESSION_DESC = "Boolean expression";
+ private static final String USER_STORE_ENRICHER = RangerUserStoreEnricher.class.getCanonicalName();
+
+ public static final String ACCESS_TYPE_MARKER_CREATE = "_CREATE";
+ public static final String ACCESS_TYPE_MARKER_READ = "_READ";
+ public static final String ACCESS_TYPE_MARKER_UPDATE = "_UPDATE";
+ public static final String ACCESS_TYPE_MARKER_DELETE = "_DELETE";
+ public static final String ACCESS_TYPE_MARKER_MANAGE = "_MANAGE";
+ public static final String ACCESS_TYPE_MARKER_ALL = "_ALL";
+ public static final Set<String> ACCESS_TYPE_MARKERS;
+
+ static {
+ Set<String> typeMarkers = new LinkedHashSet<>();
+
+ typeMarkers.add(ACCESS_TYPE_MARKER_CREATE);
+ typeMarkers.add(ACCESS_TYPE_MARKER_READ);
+ typeMarkers.add(ACCESS_TYPE_MARKER_UPDATE);
+ typeMarkers.add(ACCESS_TYPE_MARKER_DELETE);
+ typeMarkers.add(ACCESS_TYPE_MARKER_MANAGE);
+ typeMarkers.add(ACCESS_TYPE_MARKER_ALL);
+
+ ACCESS_TYPE_MARKERS = Collections.unmodifiableSet(typeMarkers);
+ }
+
 public static boolean getOption_enableDenyAndExceptionsInPolicies(RangerServiceDef serviceDef, RangerPluginContext pluginContext) {
 boolean ret = false;
@@@ -615,76 -612,31 +638,101 @@@ return ret;
 }
+ public static List<RangerAccessTypeDef> getMarkerAccessTypes(List<RangerAccessTypeDef> accessTypeDefs) {
+ List<RangerAccessTypeDef> ret = new ArrayList<>();
+ Map<String, Set<String>> markerTypeGrants = getMarkerAccessTypeGrants(accessTypeDefs);
+ long maxItemId = getMaxItemId(accessTypeDefs);
+
+ for (String accessTypeMarker : ACCESS_TYPE_MARKERS) {
+ RangerAccessTypeDef accessTypeDef = new RangerAccessTypeDef(++maxItemId, accessTypeMarker, accessTypeMarker, null, markerTypeGrants.get(accessTypeMarker));
+
+ ret.add(accessTypeDef);
+ }
+
+ return ret;
+ }
+
+ public static RangerPolicyConditionDef createImplicitExpressionConditionDef(Long itemId) {
+ RangerPolicyConditionDef ret = new RangerPolicyConditionDef(itemId, IMPLICIT_CONDITION_EXPRESSION_NAME, IMPLICIT_CONDITION_EXPRESSION_EVALUATOR, new HashMap<>());
+
+ ret.getEvaluatorOptions().put("ui.isMultiline", "true");
+ ret.setLabel(IMPLICIT_CONDITION_EXPRESSION_LABEL);
+ ret.setDescription(IMPLICIT_CONDITION_EXPRESSION_DESC);
+ ret.setUiHint("{ \"isMultiline\":true }");
+
+ return ret;
+ }
+
+ private static Map<String, Set<String>> getMarkerAccessTypeGrants(List<RangerAccessTypeDef> accessTypeDefs) {
+ Map<String, Set<String>> ret = new HashMap<>();
+
+ for (String accessTypeMarker : ACCESS_TYPE_MARKERS) {
+ ret.put(accessTypeMarker, new HashSet<>());
+ }
+
+ if (CollectionUtils.isNotEmpty(accessTypeDefs)) {
+ for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
+ if (accessTypeDef == null || StringUtils.isBlank(accessTypeDef.getName()) || ACCESS_TYPE_MARKERS.contains(accessTypeDef.getName())) {
+ continue;
+ }
+
+ addToMarkerGrants(accessTypeDef, ret.get(ACCESS_TYPE_MARKER_ALL));
+
+ if (accessTypeDef.getCategory() == null) {
+ continue;
+ } else if (accessTypeDef.getCategory() == RangerAccessTypeDef.AccessTypeCategory.CREATE) {
+ addToMarkerGrants(accessTypeDef, ret.get(ACCESS_TYPE_MARKER_CREATE));
+ } else if (accessTypeDef.getCategory() == RangerAccessTypeDef.AccessTypeCategory.READ) {
+ addToMarkerGrants(accessTypeDef, ret.get(ACCESS_TYPE_MARKER_READ));
+ } else if (accessTypeDef.getCategory() == RangerAccessTypeDef.AccessTypeCategory.UPDATE) {
+ addToMarkerGrants(accessTypeDef, ret.get(ACCESS_TYPE_MARKER_UPDATE));
+ } else if (accessTypeDef.getCategory() == RangerAccessTypeDef.AccessTypeCategory.DELETE) {
+ addToMarkerGrants(accessTypeDef, ret.get(ACCESS_TYPE_MARKER_DELETE));
+ } else if (accessTypeDef.getCategory() == RangerAccessTypeDef.AccessTypeCategory.MANAGE) {
+ addToMarkerGrants(accessTypeDef, ret.get(ACCESS_TYPE_MARKER_MANAGE));
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ private static void addToMarkerGrants(RangerAccessTypeDef accessTypeDef, Set<String> markerGrants) {
+ markerGrants.add(accessTypeDef.getName());
+
+ if (CollectionUtils.isNotEmpty(accessTypeDef.getImpliedGrants())) {
+ markerGrants.addAll(accessTypeDef.getImpliedGrants());
+ }
+ }
+
+ private static long getMaxItemId(List<RangerAccessTypeDef> accessTypeDefs) {
+ long ret = -1;
+
+ if (CollectionUtils.isNotEmpty(accessTypeDefs)) {
+ for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
+ if (accessTypeDef.getItemId() != null && ret < accessTypeDef.getItemId()) {
+ ret = accessTypeDef.getItemId();
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public static long getConditionsMaxItemId(List<RangerPolicyConditionDef> conditions) {
+ long ret = 0;
+
+ if (conditions != null) {
+ for (RangerPolicyConditionDef condition : conditions) {
+ if (condition != null && condition.getItemId() != null && ret < condition.getItemId()) {
+ ret = condition.getItemId();
+ }
+ }
+ }
+
+ return ret;
+ }
+
 private static boolean anyPolicyHasUserGroupAttributeExpression(List<RangerPolicy> policies) {
 boolean ret = false;
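Review bot: getMaxItemId dereferences each list element unguarded (`accessTypeDef.getItemId()`), while getMarkerAccessTypeGrants in the same hunk skips null entries and getConditionsMaxItemId checks `condition != null`, so a null element in the access-type list makes getMarkerAccessTypes throw NullPointerException instead of skipping it; the guard should read `if (accessTypeDef != null && accessTypeDef.getItemId() != null && ret < accessTypeDef.getItemId()) {`. The two max-id helpers also start from different sentinels (-1 and 0), and because getMarkerAccessTypes assigns `++maxItemId`, an empty or id-less list gives the first marker def itemId 0 — whether 0 is a legitimate itemId I cannot tell from here, so either align the sentinels or add a comment stating the intent. The new public methods getMarkerAccessTypes and createImplicitExpressionConditionDef carry no Javadoc; a one-line summary on the former saying that each returned marker def lists the names and implied grants of every real access type in its category, with `_ALL` covering all of them, would spare callers reading getMarkerAccessTypeGrants. The category dispatch in getMarkerAccessTypeGrants is an if/else-if chain over an enum that would read more clearly as a `switch` on `accessTypeDef.getCategory()`.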