This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 69f74e32e RANGER-4516: moved getResourceACLs() implementation from RangerPolicyEngine to RangerPolicyEvaluator 69f74e32e is described below commit 69f74e32e19c15a2d68c69b347678845a695b9d8 Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Tue Nov 7 15:53:23 2023 -0800 RANGER-4516: moved getResourceACLs() implementation from RangerPolicyEngine to RangerPolicyEvaluator --- .../policyengine/RangerPolicyEngineImpl.java | 197 +------------------- .../RangerAbstractPolicyEvaluator.java | 198 +++++++++++++++++++++ .../policyevaluator/RangerPolicyEvaluator.java | 4 + 3 files changed, 205 insertions(+), 194 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 12f8a1705..ed6ded49e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
@@ -28,15 +28,8 @@ import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.contextenricher.RangerTagForEval; import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult; -import org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; -import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator; -import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary; -import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType; import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor; import org.apache.ranger.plugin.util.GrantRevokeRequest; @@ -60,7 +53,6 @@ import java.util.Map; import java.util.Set; import static org.apache.ranger.plugin.policyengine.PolicyEvaluatorForTag.MATCH_TYPE_COMPARATOR; -import static org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.ACCESS_CONDITIONAL; public class RangerPolicyEngineImpl implements RangerPolicyEngine { private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyEngineImpl.class); 
@@ -321,47 +313,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { policyPriority = evaluator.getPolicyPriority(); } - MatchType matchType = tagMatchTypeMap.get(evaluator.getPolicyId()); + boolean isTemporalTagPolicy = policyIdForTemporalTags.contains(evaluator.getPolicyId()); + MatchType tagMatchType = tagMatchTypeMap.get(evaluator.getPolicyId()); - boolean isMatched = false; - boolean isConditionalMatch = evaluator.getPolicyConditionsCount() > 0; - - if (matchType == null) { - for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) { - RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher(); - - matchType = matcher.getMatchType(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext()); - isMatched = isMatch(matchType, request.getResourceMatchingScope()); - - if (isMatched) { - isConditionalMatch = evaluator.getPolicyConditionsCount() > 0; - - break; - } else if (matcher.getNeedsDynamicEval() && !isConditionalMatch) { - MatchType dynWildCardMatch = resourceEvaluator.getMacrosReplaceWithWildcardMatcher(policyEngine).getMatchType(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext()); - - isConditionalMatch = isMatch(dynWildCardMatch, request.getResourceMatchingScope()); - } - } - } else { - isMatched = isMatch(matchType, request.getResourceMatchingScope()); - } - - if (!isMatched && !isConditionalMatch) { - continue; - } - - if (!isConditionalMatch) { - isConditionalMatch = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0; - } - - if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) { - updateFromPolicyACLs(evaluator, isConditionalMatch, ret); - } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) { - updateRowFiltersFromPolicy(evaluator, isConditionalMatch, ret); - } else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) { - 
updateDataMasksFromPolicy(evaluator, isConditionalMatch, ret); - } + evaluator.getResourceACLs(request, ret, isTemporalTagPolicy, tagMatchType, policyEngine); } ret.finalizeAcls(); 
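Review bot: `policyType` looks like it was computed in this loop only for the `RangerPolicy.POLICY_TYPE_*` dispatch that is removed here, so unless it is read elsewhere in the method it is now dead; the evaluator calls `getPolicyType()` itself. The enclosing method starts before and continues after the hunk, so I could not confirm that from here. `isTemporalTagPolicy` is derived from `policyIdForTemporalTags`, which by its name holds only tag-policy ids; a one-line comment such as `// only tag policies can appear in policyIdForTemporalTags; false for resource policies` would save the next reader the lookup, and the value is handed to the evaluator under the more generic name `isConditional`, which is worth mentioning there too.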
@@ -1173,152 +1128,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return policyEngine.getPluginContext().getConfig().getIsFallbackSupported(); } - private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) { - PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary(); - - if (aclSummary == null) { - return; - } - - for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) { - final String userName = userAccessInfo.getKey(); - - for (Map.Entry<String, PolicyACLSummary.AccessResult> accessInfo : userAccessInfo.getValue().entrySet()) { - Integer accessResult; - - if (isConditional) { - accessResult = ACCESS_CONDITIONAL; - } else { - accessResult = accessInfo.getValue().getResult(); - - if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { - accessResult = RangerPolicyEvaluator.ACCESS_DENIED; - } - } - - RangerPolicy policy = evaluator.getPolicy(); - - resourceACLs.setUserAccessInfo(userName, accessInfo.getKey(), accessResult, policy); - } - } - - for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> groupAccessInfo : aclSummary.getGroupsAccessInfo().entrySet()) { - final String groupName = groupAccessInfo.getKey(); - - for (Map.Entry<String, PolicyACLSummary.AccessResult> accessInfo : groupAccessInfo.getValue().entrySet()) { - Integer accessResult; - - if (isConditional) { - accessResult = ACCESS_CONDITIONAL; - } else { - accessResult = accessInfo.getValue().getResult(); - - if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { - accessResult = RangerPolicyEvaluator.ACCESS_DENIED; - } - } - - RangerPolicy policy = evaluator.getPolicy(); - - resourceACLs.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult, policy); - } - } - - for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> roleAccessInfo : aclSummary.getRolesAccessInfo().entrySet()) 
{ - final String roleName = roleAccessInfo.getKey(); - - for (Map.Entry<String, PolicyACLSummary.AccessResult> accessInfo : roleAccessInfo.getValue().entrySet()) { - Integer accessResult; - - if (isConditional) { - accessResult = ACCESS_CONDITIONAL; - } else { - accessResult = accessInfo.getValue().getResult(); - - if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { - accessResult = RangerPolicyEvaluator.ACCESS_DENIED; - } - } - - RangerPolicy policy = evaluator.getPolicy(); - - resourceACLs.setRoleAccessInfo(roleName, accessInfo.getKey(), accessResult, policy); - } - } - } - - private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) { - PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary(); - - if (aclSummary != null) { - for (RowFilterResult rowFilterResult : aclSummary.getRowFilters()) { - rowFilterResult = copyRowFilter(rowFilterResult); - - if (isConditional) { - rowFilterResult.setIsConditional(true); - } - - resourceACLs.getRowFilters().add(rowFilterResult); - } - } - } - - private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) { - PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary(); - - if (aclSummary != null) { - for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) { - dataMaskResult = copyDataMask(dataMaskResult); - - if (isConditional) { - dataMaskResult.setIsConditional(true); - } - - resourceACLs.getDataMasks().add(dataMaskResult); - } - } - } - - private DataMaskResult copyDataMask(DataMaskResult dataMask) { - DataMaskResult ret = new DataMaskResult(copyStrings(dataMask.getUsers()), - copyStrings(dataMask.getGroups()), - copyStrings(dataMask.getRoles()), - copyStrings(dataMask.getAccessTypes()), - new RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo())); - - ret.setIsConditional(dataMask.getIsConditional()); - - return ret; - } - - private RowFilterResult 
copyRowFilter(RowFilterResult rowFilter) { - RowFilterResult ret = new RowFilterResult(copyStrings(rowFilter.getUsers()), - copyStrings(rowFilter.getGroups()), - copyStrings(rowFilter.getRoles()), - copyStrings(rowFilter.getAccessTypes()), - new RangerPolicyItemRowFilterInfo(rowFilter.getFilterInfo())); - - ret.setIsConditional(rowFilter.getIsConditional()); - - return ret; - } - - private Set<String> copyStrings(Set<String> values) { - return values != null ? new HashSet<>(values) : null; - } - - private boolean isMatch(MatchType matchType, RangerAccessRequest.ResourceMatchingScope matchingScope) { - final boolean ret; - - if (matchingScope == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { - ret = matchType != MatchType.NONE; - } else { - ret = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS; - } - - return ret; - } - private static class ServiceConfig { private final Set<String> auditExcludedUsers; private final Set<String> auditExcludedGroups; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java index 5650b9ea8..b60fc9fb1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java 
@@ -21,16 +21,23 @@ package org.apache.ranger.plugin.policyevaluator; import org.apache.commons.collections.CollectionUtils; import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper; import org.apache.ranger.plugin.policyengine.PolicyEngine; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest.ResourceMatchingScope; import org.apache.ranger.plugin.policyengine.RangerPluginContext; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyengine.RangerResourceACLs; +import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult; +import org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult; import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType; import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher; import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; import org.apache.ranger.plugin.util.RangerRequestExprResolver; @@ -43,8 +50,10 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Set; import java.util.concurrent.atomic.AtomicLong; import java.util.stream.Collectors; 
@@ -144,6 +153,48 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu return serviceDef; } + @Override + public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, MatchType matchType, PolicyEngine policyEngine) { + boolean isMatched = false; + boolean isConditionalMatch = false; + + if (matchType == null) { + for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) { + RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher(); + + matchType = matcher.getMatchType(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext()); + + isMatched = isMatch(matchType, request.getResourceMatchingScope()); + + if (isMatched) { + break; + } else if (matcher.getNeedsDynamicEval() && !isConditionalMatch && policyEngine != null) { + MatchType dynWildCardMatch = resourceEvaluator.getMacrosReplaceWithWildcardMatcher(policyEngine).getMatchType(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext()); + + isConditionalMatch = isMatch(dynWildCardMatch, request.getResourceMatchingScope()); + } + } + } else { + isMatched = isMatch(matchType, request.getResourceMatchingScope()); + } + + if (isMatched || isConditionalMatch) { + if (!isConditionalMatch) { + isConditionalMatch = isConditional || getPolicyConditionsCount() > 0 || getValidityScheduleEvaluatorsCount() != 0; + } + + int policyType = getPolicyType(); + + if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) { + updateFromPolicyACLs(isConditionalMatch, acls); + } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) { + updateRowFiltersFromPolicy(isConditionalMatch, acls); + } else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) { + updateDataMasksFromPolicy(isConditionalMatch, acls); + } + } + } + public boolean hasAllow() { return policy != null && CollectionUtils.isNotEmpty(policy.getPolicyItems()); } 
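Review bot: `isConditionalMatch` now starts at `false`, whereas the code removed from RangerPolicyEngineImpl seeded it with `evaluator.getPolicyConditionsCount() > 0`; as a result a policy that has conditions but whose resource does not match is no longer reported as a conditional ACL, and the dynamic-wildcard path (`matcher.getNeedsDynamicEval()`) is now evaluated for policies with conditions. That reads as a deliberate tightening, but the commit message only says the implementation was moved, so the new behaviour should be stated in a Javadoc on this override and in the commit message. The `matchType` parameter is reassigned inside the loop; a local such as `MatchType effectiveMatchType = matchType;` would keep the parameter's contract (null = derive from the resource evaluators) visible. When `policyEngine` is null the dynamic-evaluation branch is silently skipped and the policy drops out of the ACL view, which deserves a comment like `// policyEngine == null: macros cannot be expanded, so a non-match stays a non-match` so it is not mistaken for an oversight.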
@@ -253,6 +304,153 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu return sb; } + private boolean isMatch(MatchType matchType, ResourceMatchingScope matchingScope) { + final boolean ret; + + if (matchingScope == ResourceMatchingScope.SELF_OR_DESCENDANTS) { + ret = matchType != MatchType.NONE; + } else { + ret = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS; + } + + return ret; + } + + + private void updateFromPolicyACLs(boolean isConditional, RangerResourceACLs resourceACLs) { + PolicyACLSummary aclSummary = getPolicyACLSummary(); + + if (aclSummary == null) { + return; + } + + for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) { + final String userName = userAccessInfo.getKey(); + + for (Map.Entry<String, PolicyACLSummary.AccessResult> accessInfo : userAccessInfo.getValue().entrySet()) { + Integer accessResult; + + if (isConditional) { + accessResult = ACCESS_CONDITIONAL; + } else { + accessResult = accessInfo.getValue().getResult(); + + if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { + accessResult = RangerPolicyEvaluator.ACCESS_DENIED; + } + } + + RangerPolicy policy = getPolicy(); + + resourceACLs.setUserAccessInfo(userName, accessInfo.getKey(), accessResult, policy); + } + } + + for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> groupAccessInfo : aclSummary.getGroupsAccessInfo().entrySet()) { + final String groupName = groupAccessInfo.getKey(); + + for (Map.Entry<String, PolicyACLSummary.AccessResult> accessInfo : groupAccessInfo.getValue().entrySet()) { + Integer accessResult; + + if (isConditional) { + accessResult = ACCESS_CONDITIONAL; + } else { + accessResult = accessInfo.getValue().getResult(); + + if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { + accessResult = RangerPolicyEvaluator.ACCESS_DENIED; + } + } + + RangerPolicy policy = getPolicy(); + + 
resourceACLs.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult, policy); + } + } + + for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> roleAccessInfo : aclSummary.getRolesAccessInfo().entrySet()) { + final String roleName = roleAccessInfo.getKey(); + + for (Map.Entry<String, PolicyACLSummary.AccessResult> accessInfo : roleAccessInfo.getValue().entrySet()) { + Integer accessResult; + + if (isConditional) { + accessResult = ACCESS_CONDITIONAL; + } else { + accessResult = accessInfo.getValue().getResult(); + + if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { + accessResult = RangerPolicyEvaluator.ACCESS_DENIED; + } + } + + RangerPolicy policy = getPolicy(); + + resourceACLs.setRoleAccessInfo(roleName, accessInfo.getKey(), accessResult, policy); + } + } + } + + private void updateRowFiltersFromPolicy(boolean isConditional, RangerResourceACLs resourceACLs) { + PolicyACLSummary aclSummary = getPolicyACLSummary(); + + if (aclSummary != null) { + for (RowFilterResult rowFilterResult : aclSummary.getRowFilters()) { + rowFilterResult = copyRowFilter(rowFilterResult); + + if (isConditional) { + rowFilterResult.setIsConditional(true); + } + + resourceACLs.getRowFilters().add(rowFilterResult); + } + } + } + + private void updateDataMasksFromPolicy(boolean isConditional, RangerResourceACLs resourceACLs) { + PolicyACLSummary aclSummary = getPolicyACLSummary(); + + if (aclSummary != null) { + for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) { + dataMaskResult = copyDataMask(dataMaskResult); + + if (isConditional) { + dataMaskResult.setIsConditional(true); + } + + resourceACLs.getDataMasks().add(dataMaskResult); + } + } + } + + private DataMaskResult copyDataMask(DataMaskResult dataMask) { + DataMaskResult ret = new DataMaskResult(copyStrings(dataMask.getUsers()), + copyStrings(dataMask.getGroups()), + copyStrings(dataMask.getRoles()), + copyStrings(dataMask.getAccessTypes()), + new 
RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo())); + + ret.setIsConditional(dataMask.getIsConditional()); + + return ret; + } + + private RowFilterResult copyRowFilter(RowFilterResult rowFilter) { + RowFilterResult ret = new RowFilterResult(copyStrings(rowFilter.getUsers()), + copyStrings(rowFilter.getGroups()), + copyStrings(rowFilter.getRoles()), + copyStrings(rowFilter.getAccessTypes()), + new RangerPolicyItemRowFilterInfo(rowFilter.getFilterInfo())); + + ret.setIsConditional(rowFilter.getIsConditional()); + + return ret; + } + + private Set<String> copyStrings(Set<String> values) { + return values != null ? new HashSet<>(values) : null; + } + private Map<String, RangerPolicyResource> getPolicyResourcesWithMacrosReplaced(Map<String, RangerPolicyResource> resources, PolicyEngine policyEngine) { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerAbstractPolicyEvaluator.getPolicyResourcesWithMacrosReplaced(" + resources + ")"); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index 0d4886c57..0a14b387a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 
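Review bot: The conditional/undetermined-to-denied mapping in `updateFromPolicyACLs` is written out three times (users, groups, roles) with only the setter differing; since the code has been moved anyway, a small helper would make the single rule readable and give the fail-closed mapping a place for a why-comment. The private `isMatch(MatchType, ResourceMatchingScope)` added here shares its name with the interface's `isMatch(RangerAccessResource, Map)`, which makes call sites harder to read; a name such as `isMatchInScope` would avoid the overload. There is also a doubled blank line between `isMatch` and `updateFromPolicyACLs`.

```java
// … unchanged: isMatch(MatchType, ResourceMatchingScope) …

/** Result value published in the ACL view for one (principal, accessType) entry of the policy summary. */
private static Integer toAclResult(boolean isConditional, PolicyACLSummary.AccessResult accessResult) {
    if (isConditional) {
        return ACCESS_CONDITIONAL;
    }

    Integer ret = accessResult.getResult();

    // an undetermined summary result is published as denied — presumably a fail-closed default; confirm
    return ret.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED) ? RangerPolicyEvaluator.ACCESS_DENIED : ret;
}

private void updateFromPolicyACLs(boolean isConditional, RangerResourceACLs resourceACLs) {
    PolicyACLSummary aclSummary = getPolicyACLSummary();

    if (aclSummary == null) {
        return;
    }

    RangerPolicy policy = getPolicy();

    for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) {
        for (Map.Entry<String, PolicyACLSummary.AccessResult> accessInfo : userAccessInfo.getValue().entrySet()) {
            resourceACLs.setUserAccessInfo(userAccessInfo.getKey(), accessInfo.getKey(), toAclResult(isConditional, accessInfo.getValue()), policy);
        }
    }

    // … same two-level loop for getGroupsAccessInfo() -> setGroupAccessInfo() and getRolesAccessInfo() -> setRoleAccessInfo() …
}

// … unchanged: updateRowFiltersFromPolicy, updateDataMasksFromPolicy, copyDataMask, copyRowFilter, copyStrings …
```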
@@ -47,10 +47,12 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyengine.RangerResourceACLs; import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult; import org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult; import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType; import static org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW; @@ -102,6 +104,8 @@ public interface RangerPolicyEvaluator { void evaluate(RangerAccessRequest request, RangerAccessResult result); + void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, MatchType matchType, PolicyEngine policyEngine); + boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext); boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext);
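Review bot: The new interface method `getResourceACLs` has no Javadoc, and its parameters are not self-explanatory: `isConditional` is what the engine passes as "this is a temporal tag policy", `matchType == null` means "derive the match from the policy's own resource evaluators", and `policyEngine` may be null, in which case macro expansion for dynamic matchers is skipped. A Javadoc stating those three contracts, plus that the method appends to `acls` rather than returning a value (so the `get` prefix is slightly misleading), would let implementors and callers get this right without reading RangerAbstractPolicyEvaluator. Adding an abstract method to a public interface also breaks any implementation outside this module; if such implementations are possible, a `default` method that throws `UnsupportedOperationException` would be the compatible form.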