This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 69f74e32e RANGER-4516: moved getResourceACLs() implementation from 
RangerPolicyEngine to RangerPolicyEvaluator
69f74e32e is described below

commit 69f74e32e19c15a2d68c69b347678845a695b9d8
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Tue Nov 7 15:53:23 2023 -0800

    RANGER-4516: moved getResourceACLs() implementation from RangerPolicyEngine 
to RangerPolicyEvaluator
---
 .../policyengine/RangerPolicyEngineImpl.java       | 197 +-------------------
 .../RangerAbstractPolicyEvaluator.java             | 198 +++++++++++++++++++++
 .../policyevaluator/RangerPolicyEvaluator.java     |   4 +
 3 files changed, 205 insertions(+), 194 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 12f8a1705..ed6ded49e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -28,15 +28,8 @@ import 
org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
 import org.apache.ranger.plugin.model.RangerPolicy;
-import 
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
-import 
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult;
-import 
org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
-import 
org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator;
-import 
org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary;
-import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
 import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -60,7 +53,6 @@ import java.util.Map;
 import java.util.Set;
 
 import static 
org.apache.ranger.plugin.policyengine.PolicyEvaluatorForTag.MATCH_TYPE_COMPARATOR;
-import static 
org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.ACCESS_CONDITIONAL;
 
 public class RangerPolicyEngineImpl implements RangerPolicyEngine {
        private static final Logger LOG = 
LoggerFactory.getLogger(RangerPolicyEngineImpl.class);
@@ -321,47 +313,10 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                                policyPriority = 
evaluator.getPolicyPriority();
                                        }
 
-                                       MatchType matchType = 
tagMatchTypeMap.get(evaluator.getPolicyId());
+                                       boolean   isTemporalTagPolicy = 
policyIdForTemporalTags.contains(evaluator.getPolicyId());
+                                       MatchType tagMatchType        = 
tagMatchTypeMap.get(evaluator.getPolicyId());
 
-                                       boolean isMatched = false;
-                                       boolean isConditionalMatch = 
evaluator.getPolicyConditionsCount() > 0;
-
-                                       if (matchType == null) {
-                                               for 
(RangerPolicyResourceEvaluator resourceEvaluator : 
evaluator.getResourceEvaluators()) {
-                                                       
RangerPolicyResourceMatcher matcher = 
resourceEvaluator.getPolicyResourceMatcher();
-
-                                                       matchType = 
matcher.getMatchType(request.getResource(), 
request.getResourceElementMatchingScopes(), request.getContext());
-                                                       isMatched = 
isMatch(matchType, request.getResourceMatchingScope());
-
-                                                       if (isMatched) {
-                                                               
isConditionalMatch = evaluator.getPolicyConditionsCount() > 0;
-
-                                                               break;
-                                                       } else if 
(matcher.getNeedsDynamicEval() && !isConditionalMatch) {
-                                                               MatchType 
dynWildCardMatch = 
resourceEvaluator.getMacrosReplaceWithWildcardMatcher(policyEngine).getMatchType(request.getResource(),
 request.getResourceElementMatchingScopes(), request.getContext());
-
-                                                               
isConditionalMatch = isMatch(dynWildCardMatch, 
request.getResourceMatchingScope());
-                                                       }
-                                               }
-                                       } else {
-                                               isMatched = isMatch(matchType, 
request.getResourceMatchingScope());
-                                       }
-
-                                       if (!isMatched && !isConditionalMatch) {
-                                               continue;
-                                       }
-
-                                       if (!isConditionalMatch) {
-                                               isConditionalMatch = 
policyIdForTemporalTags.contains(evaluator.getPolicyId()) || 
evaluator.getValidityScheduleEvaluatorsCount() != 0;
-                                       }
-
-                                       if (policyType == 
RangerPolicy.POLICY_TYPE_ACCESS) {
-                                               updateFromPolicyACLs(evaluator, 
isConditionalMatch, ret);
-                                       } else if (policyType == 
RangerPolicy.POLICY_TYPE_ROWFILTER) {
-                                               
updateRowFiltersFromPolicy(evaluator, isConditionalMatch, ret);
-                                       } else if (policyType == 
RangerPolicy.POLICY_TYPE_DATAMASK) {
-                                               
updateDataMasksFromPolicy(evaluator, isConditionalMatch, ret);
-                                       }
+                                       evaluator.getResourceACLs(request, ret, 
isTemporalTagPolicy, tagMatchType, policyEngine);
                                }
 
                                ret.finalizeAcls();
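Review bot: The call to `evaluator.getResourceACLs(...)` is not a like-for-like replacement of the block it removes. The removed code initialised `isConditionalMatch` from `evaluator.getPolicyConditionsCount() > 0` before any resource matching, so a policy with conditions was never skipped by the `continue`, even when no resource evaluator matched. The callee added in RangerAbstractPolicyEvaluator starts from `false` and consults the conditions count only after a match. This may be an intended tightening, but the commit message describes a pure move, and the ACLs reported for such policies change. A test pinning the result for a policy with conditions and a non-matching resource would make the change explicit; the enclosing method starts and ends outside this hunk.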
@@ -1173,152 +1128,6 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                return 
policyEngine.getPluginContext().getConfig().getIsFallbackSupported();
        }
 
-       private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, 
boolean isConditional, RangerResourceACLs resourceACLs) {
-               PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
-
-               if (aclSummary == null) {
-                       return;
-               }
-
-               for (Map.Entry<String, Map<String, 
PolicyACLSummary.AccessResult>> userAccessInfo : 
aclSummary.getUsersAccessInfo().entrySet()) {
-                       final String userName = userAccessInfo.getKey();
-
-                       for (Map.Entry<String, PolicyACLSummary.AccessResult> 
accessInfo : userAccessInfo.getValue().entrySet()) {
-                               Integer accessResult;
-
-                               if (isConditional) {
-                                       accessResult = ACCESS_CONDITIONAL;
-                               } else {
-                                       accessResult = 
accessInfo.getValue().getResult();
-
-                                       if 
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
-                                               accessResult = 
RangerPolicyEvaluator.ACCESS_DENIED;
-                                       }
-                               }
-
-                               RangerPolicy policy = evaluator.getPolicy();
-
-                               resourceACLs.setUserAccessInfo(userName, 
accessInfo.getKey(), accessResult, policy);
-                       }
-               }
-
-               for (Map.Entry<String, Map<String, 
PolicyACLSummary.AccessResult>> groupAccessInfo : 
aclSummary.getGroupsAccessInfo().entrySet()) {
-                       final String groupName = groupAccessInfo.getKey();
-
-                       for (Map.Entry<String, PolicyACLSummary.AccessResult> 
accessInfo : groupAccessInfo.getValue().entrySet()) {
-                               Integer accessResult;
-
-                               if (isConditional) {
-                                       accessResult = ACCESS_CONDITIONAL;
-                               } else {
-                                       accessResult = 
accessInfo.getValue().getResult();
-
-                                       if 
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
-                                               accessResult = 
RangerPolicyEvaluator.ACCESS_DENIED;
-                                       }
-                               }
-
-                               RangerPolicy policy = evaluator.getPolicy();
-
-                               resourceACLs.setGroupAccessInfo(groupName, 
accessInfo.getKey(), accessResult, policy);
-                       }
-               }
-
-               for (Map.Entry<String, Map<String, 
PolicyACLSummary.AccessResult>> roleAccessInfo : 
aclSummary.getRolesAccessInfo().entrySet()) {
-                       final String roleName = roleAccessInfo.getKey();
-
-                       for (Map.Entry<String, PolicyACLSummary.AccessResult> 
accessInfo : roleAccessInfo.getValue().entrySet()) {
-                               Integer accessResult;
-
-                               if (isConditional) {
-                                       accessResult = ACCESS_CONDITIONAL;
-                               } else {
-                                       accessResult = 
accessInfo.getValue().getResult();
-
-                                       if 
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
-                                               accessResult = 
RangerPolicyEvaluator.ACCESS_DENIED;
-                                       }
-                               }
-
-                               RangerPolicy policy = evaluator.getPolicy();
-
-                               resourceACLs.setRoleAccessInfo(roleName, 
accessInfo.getKey(), accessResult, policy);
-                       }
-               }
-       }
-
-       private void updateRowFiltersFromPolicy(RangerPolicyEvaluator 
evaluator, boolean isConditional, RangerResourceACLs resourceACLs) {
-               PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
-
-               if (aclSummary != null) {
-                       for (RowFilterResult rowFilterResult : 
aclSummary.getRowFilters()) {
-                               rowFilterResult = 
copyRowFilter(rowFilterResult);
-
-                               if (isConditional) {
-                                       rowFilterResult.setIsConditional(true);
-                               }
-
-                               
resourceACLs.getRowFilters().add(rowFilterResult);
-                       }
-               }
-       }
-
-       private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, 
boolean isConditional, RangerResourceACLs resourceACLs) {
-               PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
-
-               if (aclSummary != null) {
-                       for (DataMaskResult dataMaskResult : 
aclSummary.getDataMasks()) {
-                               dataMaskResult = copyDataMask(dataMaskResult);
-
-                               if (isConditional) {
-                                       dataMaskResult.setIsConditional(true);
-                               }
-
-                               resourceACLs.getDataMasks().add(dataMaskResult);
-                       }
-               }
-       }
-
-       private DataMaskResult copyDataMask(DataMaskResult dataMask) {
-               DataMaskResult ret = new 
DataMaskResult(copyStrings(dataMask.getUsers()),
-                                                                               
                copyStrings(dataMask.getGroups()),
-                                                                               
                copyStrings(dataMask.getRoles()),
-                                                                               
                copyStrings(dataMask.getAccessTypes()),
-                                                                               
                new RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo()));
-
-               ret.setIsConditional(dataMask.getIsConditional());
-
-               return ret;
-       }
-
-       private RowFilterResult copyRowFilter(RowFilterResult rowFilter) {
-               RowFilterResult ret = new 
RowFilterResult(copyStrings(rowFilter.getUsers()),
-                                                                               
                  copyStrings(rowFilter.getGroups()),
-                                                                               
                  copyStrings(rowFilter.getRoles()),
-                                                                               
                  copyStrings(rowFilter.getAccessTypes()),
-                                                                               
                  new RangerPolicyItemRowFilterInfo(rowFilter.getFilterInfo()));
-
-               ret.setIsConditional(rowFilter.getIsConditional());
-
-               return ret;
-       }
-
-       private Set<String> copyStrings(Set<String> values) {
-               return values != null ? new HashSet<>(values) : null;
-       }
-
-       private boolean isMatch(MatchType matchType, 
RangerAccessRequest.ResourceMatchingScope matchingScope) {
-               final boolean ret;
-
-               if (matchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                       ret = matchType != MatchType.NONE;
-               } else {
-                       ret = matchType == MatchType.SELF || matchType == 
MatchType.SELF_AND_ALL_DESCENDANTS;
-               }
-
-               return ret;
-       }
-
        private static class ServiceConfig {
                private final Set<String> auditExcludedUsers;
                private final Set<String> auditExcludedGroups;
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 5650b9ea8..b60fc9fb1 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -21,16 +21,23 @@ package org.apache.ranger.plugin.policyevaluator;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.ranger.plugin.model.RangerPolicy;
+import 
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import 
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
 import org.apache.ranger.plugin.policyengine.PolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import 
org.apache.ranger.plugin.policyengine.RangerAccessRequest.ResourceMatchingScope;
 import org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
+import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult;
+import 
org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
 import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
 import org.apache.ranger.plugin.util.RangerRequestExprResolver;
@@ -43,8 +50,10 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.stream.Collectors;
 
@@ -144,6 +153,48 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
                return serviceDef;
        }
 
+       @Override
+       public void getResourceACLs(RangerAccessRequest request, 
RangerResourceACLs acls, boolean isConditional, MatchType matchType, 
PolicyEngine policyEngine) {
+               boolean isMatched          = false;
+               boolean isConditionalMatch = false;
+
+               if (matchType == null) {
+                       for (RangerPolicyResourceEvaluator resourceEvaluator : 
getResourceEvaluators()) {
+                               RangerPolicyResourceMatcher matcher = 
resourceEvaluator.getPolicyResourceMatcher();
+
+                               matchType = 
matcher.getMatchType(request.getResource(), 
request.getResourceElementMatchingScopes(), request.getContext());
+
+                               isMatched = isMatch(matchType, 
request.getResourceMatchingScope());
+
+                               if (isMatched) {
+                                       break;
+                               } else if (matcher.getNeedsDynamicEval() && 
!isConditionalMatch && policyEngine != null) {
+                                       MatchType dynWildCardMatch = 
resourceEvaluator.getMacrosReplaceWithWildcardMatcher(policyEngine).getMatchType(request.getResource(),
 request.getResourceElementMatchingScopes(), request.getContext());
+
+                                       isConditionalMatch = 
isMatch(dynWildCardMatch, request.getResourceMatchingScope());
+                               }
+                       }
+               } else {
+                       isMatched = isMatch(matchType, 
request.getResourceMatchingScope());
+               }
+
+               if (isMatched || isConditionalMatch) {
+                       if (!isConditionalMatch) {
+                               isConditionalMatch = isConditional || 
getPolicyConditionsCount() > 0 || getValidityScheduleEvaluatorsCount() != 0;
+                       }
+
+                       int policyType = getPolicyType();
+
+                       if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
+                               updateFromPolicyACLs(isConditionalMatch, acls);
+                       } else if (policyType == 
RangerPolicy.POLICY_TYPE_ROWFILTER) {
+                               updateRowFiltersFromPolicy(isConditionalMatch, 
acls);
+                       } else if (policyType == 
RangerPolicy.POLICY_TYPE_DATAMASK) {
+                               updateDataMasksFromPolicy(isConditionalMatch, 
acls);
+                       }
+               }
+       }
+
        public boolean hasAllow() {
                return policy != null && 
CollectionUtils.isNotEmpty(policy.getPolicyItems());
        }
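Review bot: In the loop of `getResourceACLs`, a wildcard match on an earlier resource evaluator leaves `isConditionalMatch` set when a later evaluator matches outright, so a fully matching policy is reported as conditional; the code this was moved from reassigned the flag on a match. If that is not intended, clear it before leaving the loop: `if (isMatched) { isConditionalMatch = false; break; }`. The added `policyEngine != null` guard also means that, with a null engine, a resource needing dynamic evaluation is left out of the ACLs without any trace, so a debug log or a comment saying that null is a supported argument would help. Reassigning the `matchType` parameter inside the loop hides the null-means-compute contract; a local variable would read more clearly.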
@@ -253,6 +304,153 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
                return sb;
        }
 
+       private boolean isMatch(MatchType matchType, ResourceMatchingScope 
matchingScope) {
+               final boolean ret;
+
+               if (matchingScope == ResourceMatchingScope.SELF_OR_DESCENDANTS) 
{
+                       ret = matchType != MatchType.NONE;
+               } else {
+                       ret = matchType == MatchType.SELF || matchType == 
MatchType.SELF_AND_ALL_DESCENDANTS;
+               }
+
+               return ret;
+       }
+
+
+       private void updateFromPolicyACLs(boolean isConditional, 
RangerResourceACLs resourceACLs) {
+               PolicyACLSummary aclSummary = getPolicyACLSummary();
+
+               if (aclSummary == null) {
+                       return;
+               }
+
+               for (Map.Entry<String, Map<String, 
PolicyACLSummary.AccessResult>> userAccessInfo : 
aclSummary.getUsersAccessInfo().entrySet()) {
+                       final String userName = userAccessInfo.getKey();
+
+                       for (Map.Entry<String, PolicyACLSummary.AccessResult> 
accessInfo : userAccessInfo.getValue().entrySet()) {
+                               Integer accessResult;
+
+                               if (isConditional) {
+                                       accessResult = ACCESS_CONDITIONAL;
+                               } else {
+                                       accessResult = 
accessInfo.getValue().getResult();
+
+                                       if 
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
+                                               accessResult = 
RangerPolicyEvaluator.ACCESS_DENIED;
+                                       }
+                               }
+
+                               RangerPolicy policy = getPolicy();
+
+                               resourceACLs.setUserAccessInfo(userName, 
accessInfo.getKey(), accessResult, policy);
+                       }
+               }
+
+               for (Map.Entry<String, Map<String, 
PolicyACLSummary.AccessResult>> groupAccessInfo : 
aclSummary.getGroupsAccessInfo().entrySet()) {
+                       final String groupName = groupAccessInfo.getKey();
+
+                       for (Map.Entry<String, PolicyACLSummary.AccessResult> 
accessInfo : groupAccessInfo.getValue().entrySet()) {
+                               Integer accessResult;
+
+                               if (isConditional) {
+                                       accessResult = ACCESS_CONDITIONAL;
+                               } else {
+                                       accessResult = 
accessInfo.getValue().getResult();
+
+                                       if 
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
+                                               accessResult = 
RangerPolicyEvaluator.ACCESS_DENIED;
+                                       }
+                               }
+
+                               RangerPolicy policy = getPolicy();
+
+                               resourceACLs.setGroupAccessInfo(groupName, 
accessInfo.getKey(), accessResult, policy);
+                       }
+               }
+
+               for (Map.Entry<String, Map<String, 
PolicyACLSummary.AccessResult>> roleAccessInfo : 
aclSummary.getRolesAccessInfo().entrySet()) {
+                       final String roleName = roleAccessInfo.getKey();
+
+                       for (Map.Entry<String, PolicyACLSummary.AccessResult> 
accessInfo : roleAccessInfo.getValue().entrySet()) {
+                               Integer accessResult;
+
+                               if (isConditional) {
+                                       accessResult = ACCESS_CONDITIONAL;
+                               } else {
+                                       accessResult = 
accessInfo.getValue().getResult();
+
+                                       if 
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
+                                               accessResult = 
RangerPolicyEvaluator.ACCESS_DENIED;
+                                       }
+                               }
+
+                               RangerPolicy policy = getPolicy();
+
+                               resourceACLs.setRoleAccessInfo(roleName, 
accessInfo.getKey(), accessResult, policy);
+                       }
+               }
+       }
+
+       private void updateRowFiltersFromPolicy(boolean isConditional, 
RangerResourceACLs resourceACLs) {
+               PolicyACLSummary aclSummary = getPolicyACLSummary();
+
+               if (aclSummary != null) {
+                       for (RowFilterResult rowFilterResult : 
aclSummary.getRowFilters()) {
+                               rowFilterResult = 
copyRowFilter(rowFilterResult);
+
+                               if (isConditional) {
+                                       rowFilterResult.setIsConditional(true);
+                               }
+
+                               
resourceACLs.getRowFilters().add(rowFilterResult);
+                       }
+               }
+       }
+
+       private void updateDataMasksFromPolicy(boolean isConditional, 
RangerResourceACLs resourceACLs) {
+               PolicyACLSummary aclSummary = getPolicyACLSummary();
+
+               if (aclSummary != null) {
+                       for (DataMaskResult dataMaskResult : 
aclSummary.getDataMasks()) {
+                               dataMaskResult = copyDataMask(dataMaskResult);
+
+                               if (isConditional) {
+                                       dataMaskResult.setIsConditional(true);
+                               }
+
+                               resourceACLs.getDataMasks().add(dataMaskResult);
+                       }
+               }
+       }
+
+       private DataMaskResult copyDataMask(DataMaskResult dataMask) {
+               DataMaskResult ret = new 
DataMaskResult(copyStrings(dataMask.getUsers()),
+                                                       
copyStrings(dataMask.getGroups()),
+                                                       
copyStrings(dataMask.getRoles()),
+                                                       
copyStrings(dataMask.getAccessTypes()),
+                                                       new 
RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo()));
+
+               ret.setIsConditional(dataMask.getIsConditional());
+
+               return ret;
+       }
+
+       private RowFilterResult copyRowFilter(RowFilterResult rowFilter) {
+               RowFilterResult ret = new 
RowFilterResult(copyStrings(rowFilter.getUsers()),
+                                                         
copyStrings(rowFilter.getGroups()),
+                                                         
copyStrings(rowFilter.getRoles()),
+                                                         
copyStrings(rowFilter.getAccessTypes()),
+                                                         new 
RangerPolicyItemRowFilterInfo(rowFilter.getFilterInfo()));
+
+               ret.setIsConditional(rowFilter.getIsConditional());
+
+               return ret;
+       }
+
+       private Set<String> copyStrings(Set<String> values) {
+               return values != null ? new HashSet<>(values) : null;
+       }
+
        private Map<String, RangerPolicyResource> 
getPolicyResourcesWithMacrosReplaced(Map<String, RangerPolicyResource> 
resources, PolicyEngine policyEngine) {
                if (LOG.isDebugEnabled()) {
                        LOG.debug("==> 
RangerAbstractPolicyEvaluator.getPolicyResourcesWithMacrosReplaced(" + 
resources + ")");
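Review bot: `updateFromPolicyACLs` repeats the same result mapping three times, for users, groups and roles, including the fail-closed step that turns ACCESS_UNDETERMINED into ACCESS_DENIED. Since the code is being relocated anyway, pulling that mapping into one private helper keeps the deny-on-undetermined rule in a single place, where a later edit cannot change it for one principal type only. Each inner loop body then reduces to the setter call, e.g. `resourceACLs.setUserAccessInfo(userName, accessInfo.getKey(), toAclResult(isConditional, accessInfo.getValue()), getPolicy());`. The helper assumes `getResult()` is never null, as the existing `accessResult.equals(...)` call already does.

```java
private Integer toAclResult(boolean isConditional, PolicyACLSummary.AccessResult accessResult) {
    if (isConditional) {
        return ACCESS_CONDITIONAL;
    }

    Integer ret = accessResult.getResult();

    // undetermined is reported as denied, never as allowed
    return ret.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED) ? RangerPolicyEvaluator.ACCESS_DENIED : ret;
}
```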
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 0d4886c57..0a14b387a 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -47,10 +47,12 @@ import 
org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult;
 import 
org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult;
 import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
 
 
 import static 
org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW;
@@ -102,6 +104,8 @@ public interface RangerPolicyEvaluator {
 
        void evaluate(RangerAccessRequest request, RangerAccessResult result);
 
+       void getResourceACLs(RangerAccessRequest request, RangerResourceACLs 
acls, boolean isConditional, MatchType matchType, PolicyEngine policyEngine);
+
        boolean isMatch(RangerAccessResource resource, Map<String, Object> 
evalContext);
 
        boolean isCompleteMatch(RangerAccessResource resource, Map<String, 
Object> evalContext);
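Review bot: The new interface method `getResourceACLs` has no Javadoc, and its contract is not obvious from the signature. It returns void and adds to the `acls` argument; a null `matchType` makes the evaluator compute the match from its own resource evaluators; `isConditional` marks a matching policy's entries as conditional; and the implementation in this commit accepts a null `policyEngine` by skipping dynamic evaluation. A Javadoc block stating these four points, with one `@param` per argument, would let other implementers of RangerPolicyEvaluator follow the same rules. The interface body continues outside this hunk.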
