This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 12c80bfaf1fa0922e8f0c4c3cde4330e68fd3a3e
Merge: 21e56d955 105f6f5ce
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Tue Oct 24 13:38:53 2023 -0700

    Merge branch 'master' into RANGER-3923

 .../plugin/policyengine/RangerResourceTrie.java    |   3 -
 .../RangerCustomConditionEvaluator.java            | 182 +++++++++------------
 .../RangerDefaultPolicyEvaluator.java              |  18 +-
 .../RangerDefaultPolicyItemEvaluator.java          |  52 +-----
 .../apache/ranger/plugin/util/ServiceDefUtil.java  |  48 ++++++
 .../site/resources/blogs/adventures_in_abac_2.html |   2 +-
 .../org/apache/ranger/biz/PolicyRefUpdater.java    |   3 +-
 .../service/RangerServiceDefServiceBase.java       |  28 +---
 .../service/TestRangerServiceDefService.java       |   3 +-
 9 files changed, 140 insertions(+), 199 deletions(-)

diff --cc 
agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
index 489476b28,d78674d51..5d1fb0be5
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
@@@ -59,30 -59,13 +61,35 @@@ import java.util.Set
  public class ServiceDefUtil {
      private static final Logger LOG = 
LoggerFactory.getLogger(ServiceDefUtil.class);
  
+     public static final String IMPLICIT_CONDITION_EXPRESSION_EVALUATOR = 
RangerScriptConditionEvaluator.class.getCanonicalName();
+     public static final String IMPLICIT_CONDITION_EXPRESSION_NAME      = 
"_expression";
+     public static final String IMPLICIT_CONDITION_EXPRESSION_LABEL     = 
"Enter boolean expression";
+     public static final String IMPLICIT_CONDITION_EXPRESSION_DESC      = 
"Boolean expression";
+ 
      private static final String USER_STORE_ENRICHER = 
RangerUserStoreEnricher.class.getCanonicalName();
  
 +
 +    public static final String ACCESS_TYPE_MARKER_CREATE = "_CREATE";
 +    public static final String ACCESS_TYPE_MARKER_READ   = "_READ";
 +    public static final String ACCESS_TYPE_MARKER_UPDATE = "_UPDATE";
 +    public static final String ACCESS_TYPE_MARKER_DELETE = "_DELETE";
 +    public static final String ACCESS_TYPE_MARKER_MANAGE = "_MANAGE";
 +    public static final String ACCESS_TYPE_MARKER_ALL    = "_ALL";
 +    public static final Set<String> ACCESS_TYPE_MARKERS;
 +
 +    static {
 +        Set<String> typeMarkers = new LinkedHashSet<>();
 +
 +        typeMarkers.add(ACCESS_TYPE_MARKER_CREATE);
 +        typeMarkers.add(ACCESS_TYPE_MARKER_READ);
 +        typeMarkers.add(ACCESS_TYPE_MARKER_UPDATE);
 +        typeMarkers.add(ACCESS_TYPE_MARKER_DELETE);
 +        typeMarkers.add(ACCESS_TYPE_MARKER_MANAGE);
 +        typeMarkers.add(ACCESS_TYPE_MARKER_ALL);
 +
 +        ACCESS_TYPE_MARKERS = Collections.unmodifiableSet(typeMarkers);
 +    }
 +
      public static boolean 
getOption_enableDenyAndExceptionsInPolicies(RangerServiceDef serviceDef, 
RangerPluginContext pluginContext) {
          boolean ret = false;
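Review bot: The new public constants at the top of `ServiceDefUtil` are undocumented, and two of them carry access-control meaning that a reader cannot see from the names. `IMPLICIT_CONDITION_EXPRESSION_EVALUATOR` binds the implicit `_expression` condition to `RangerScriptConditionEvaluator`, which, judging by the class name, evaluates expression text entered in a policy. I would say so in a Javadoc: `/** Evaluator class for the implicit "_expression" policy condition; the expression text comes from policy authors. */`. `ACCESS_TYPE_MARKERS` should also state that these names are reserved, since the later hunk skips any service-defined access type whose name is in the set: `/** Reserved marker access-type names; access types defined with one of these names are ignored when marker grants are computed. */`.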
  
@@@ -615,76 -612,31 +638,101 @@@
          return ret;
      }
  
 +    public static List<RangerAccessTypeDef> 
getMarkerAccessTypes(List<RangerAccessTypeDef> accessTypeDefs) {
 +        List<RangerAccessTypeDef> ret              = new ArrayList<>();
 +        Map<String, Set<String>>  markerTypeGrants = 
getMarkerAccessTypeGrants(accessTypeDefs);
 +        long                      maxItemId        = 
getMaxItemId(accessTypeDefs);
 +
 +        for (String accessTypeMarker : ACCESS_TYPE_MARKERS) {
 +            RangerAccessTypeDef accessTypeDef = new 
RangerAccessTypeDef(++maxItemId, accessTypeMarker, accessTypeMarker, null, 
markerTypeGrants.get(accessTypeMarker));
 +
 +            ret.add(accessTypeDef);
 +        }
 +
 +        return ret;
 +    }
 +
+     public static RangerPolicyConditionDef 
createImplicitExpressionConditionDef(Long itemId) {
+         RangerPolicyConditionDef ret = new RangerPolicyConditionDef(itemId, 
IMPLICIT_CONDITION_EXPRESSION_NAME, IMPLICIT_CONDITION_EXPRESSION_EVALUATOR, 
new HashMap<>());
+ 
+         ret.getEvaluatorOptions().put("ui.isMultiline", "true");
+         ret.setLabel(IMPLICIT_CONDITION_EXPRESSION_LABEL);
+         ret.setDescription(IMPLICIT_CONDITION_EXPRESSION_DESC);
+         ret.setUiHint("{ \"isMultiline\":true }");
+ 
+         return ret;
+     }
+ 
 +    private static Map<String, Set<String>> 
getMarkerAccessTypeGrants(List<RangerAccessTypeDef> accessTypeDefs) {
 +        Map<String, Set<String>> ret = new HashMap<>();
 +
 +        for (String accessTypeMarker : ACCESS_TYPE_MARKERS) {
 +            ret.put(accessTypeMarker, new HashSet<>());
 +        }
 +
 +        if (CollectionUtils.isNotEmpty(accessTypeDefs)) {
 +            for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
 +                if (accessTypeDef == null || 
StringUtils.isBlank(accessTypeDef.getName()) || 
ACCESS_TYPE_MARKERS.contains(accessTypeDef.getName())) {
 +                    continue;
 +                }
 +
 +                addToMarkerGrants(accessTypeDef, 
ret.get(ACCESS_TYPE_MARKER_ALL));
 +
 +                if (accessTypeDef.getCategory() == null) {
 +                    continue;
 +                } else if (accessTypeDef.getCategory() == 
RangerAccessTypeDef.AccessTypeCategory.CREATE) {
 +                    addToMarkerGrants(accessTypeDef, 
ret.get(ACCESS_TYPE_MARKER_CREATE));
 +                } else if (accessTypeDef.getCategory() == 
RangerAccessTypeDef.AccessTypeCategory.READ) {
 +                    addToMarkerGrants(accessTypeDef, 
ret.get(ACCESS_TYPE_MARKER_READ));
 +                } else if (accessTypeDef.getCategory() == 
RangerAccessTypeDef.AccessTypeCategory.UPDATE) {
 +                    addToMarkerGrants(accessTypeDef, 
ret.get(ACCESS_TYPE_MARKER_UPDATE));
 +                } else if (accessTypeDef.getCategory() == 
RangerAccessTypeDef.AccessTypeCategory.DELETE) {
 +                    addToMarkerGrants(accessTypeDef, 
ret.get(ACCESS_TYPE_MARKER_DELETE));
 +                } else if (accessTypeDef.getCategory() == 
RangerAccessTypeDef.AccessTypeCategory.MANAGE) {
 +                    addToMarkerGrants(accessTypeDef, 
ret.get(ACCESS_TYPE_MARKER_MANAGE));
 +                }
 +            }
 +        }
 +
 +        return ret;
 +    }
 +
 +    private static void addToMarkerGrants(RangerAccessTypeDef accessTypeDef, 
Set<String> markerGrants) {
 +        markerGrants.add(accessTypeDef.getName());
 +
 +        if (CollectionUtils.isNotEmpty(accessTypeDef.getImpliedGrants())) {
 +            markerGrants.addAll(accessTypeDef.getImpliedGrants());
 +        }
 +    }
 +
 +    private static long getMaxItemId(List<RangerAccessTypeDef> 
accessTypeDefs) {
 +        long ret = -1;
 +
 +        if (CollectionUtils.isNotEmpty(accessTypeDefs)) {
 +            for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
 +                if (accessTypeDef.getItemId() != null && ret < 
accessTypeDef.getItemId()) {
 +                    ret = accessTypeDef.getItemId();
 +                }
 +            }
 +        }
 +
 +        return ret;
 +    }
 +
+     public static long getConditionsMaxItemId(List<RangerPolicyConditionDef> 
conditions) {
+         long ret = 0;
+ 
+         if (conditions != null) {
+             for (RangerPolicyConditionDef condition : conditions) {
+                 if (condition != null && condition.getItemId() != null && ret 
< condition.getItemId()) {
+                     ret = condition.getItemId();
+                 }
+             }
+         }
+ 
+         return ret;
+     }
+ 
      private static boolean 
anyPolicyHasUserGroupAttributeExpression(List<RangerPolicy> policies) {
          boolean ret = false;
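Review bot: `getMaxItemId` dereferences `accessTypeDef.getItemId()` without checking the element for null, while `getMarkerAccessTypeGrants` and `getConditionsMaxItemId` in the same hunk both tolerate null elements. `getMarkerAccessTypes` passes the same list to both helpers, so a service def with a null entry gets through the grants computation and then throws a `NullPointerException` while the marker access types are being built. The guard should match its siblings: `if (accessTypeDef != null && accessTypeDef.getItemId() != null && ret < accessTypeDef.getItemId()) {`. The two max-id helpers also start from different seeds (`-1` here, `0` in `getConditionsMaxItemId`); if that is intentional, a one-line comment on each would prevent a later "fix" that shifts the generated item ids.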
  
