This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new dfd57ff52 RANGER-4922: Reduce time to find tags associated with
multi-level resource - Handle requests with resourceMatchingScope set to
SELF_OR_DESCENDANTS
dfd57ff52 is described below
commit dfd57ff5208d7811cf05e689a986f728152ff8b1
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Tue Oct 22 11:05:44 2024 -0700
RANGER-4922: Reduce time to find tags associated with multi-level resource
- Handle requests with resourceMatchingScope set to SELF_OR_DESCENDANTS
---
.../plugin/contextenricher/RangerTagEnricher.java | 2 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 +
.../src/test/resources/policyengine/hbaseTags.json | 74 +++++++++
.../policyengine/test_policyengine_tag_hbase.json | 179 +++++++++++++++++++++
4 files changed, 261 insertions(+), 1 deletion(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 92d2a7848..63ed47ded 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -852,7 +852,7 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
private boolean excludeDescendantMatches(RangerAccessRequest request) {
final boolean ret;
- if (request.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
+ if (request.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()) ||
request.getResourceMatchingScope().equals(ResourceMatchingScope.SELF_OR_DESCENDANTS))
{
ret = false;
} else {
RangerAccessResource resource = request.getResource();
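Review bot: The added clause `request.getResourceMatchingScope().equals(ResourceMatchingScope.SELF_OR_DESCENDANTS)` dereferences the getter's result, so a request with a null matching scope would throw inside tag enrichment instead of being evaluated. Nothing visible in this hunk guarantees a non-null scope. Comparing the enum by identity is null-safe and reads the same: `request.getResourceMatchingScope() == ResourceMatchingScope.SELF_OR_DESCENDANTS`. This branch now lets tags on descendant resources reach policy evaluation for a parent-level request, so a one-line comment on the condition explaining why descendant matches are kept for this scope would help the next reader of this authorization path. The body of excludeDescendantMatches continues past the end of the hunk.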
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 34f1f07f4..4a49374f3 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -284,6 +284,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(hbaseTestResourceFiles);
}
+ @Test
+ public void testPolicyEngine_hbaseForTag_filebased() {
+ String[] hbaseTestResourceFiles = {
"/policyengine/test_policyengine_tag_hbase.json" };
+
+ runTestsFromResourceFiles(hbaseTestResourceFiles);
+ }
+
@Test
public void testPolicyEngine_conditions() {
String[] conditionsTestResourceFiles = {
"/policyengine/test_policyengine_conditions.json" };
diff --git a/agents-common/src/test/resources/policyengine/hbaseTags.json
b/agents-common/src/test/resources/policyengine/hbaseTags.json
new file mode 100644
index 000000000..a6762f11d
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/hbaseTags.json
@@ -0,0 +1,74 @@
+{
+ "op":"add_or_update",
+ "tagModel":"resource_private",
+ "serviceName": "hbase_tag",
+ "tagDefinitions": {
+ "1": {
+ "name": "COLUMN_TAG",
+ "id": 1,
+ "guid": "tagdefinition-column-guid"
+ },
+ "2": {
+ "name": "COLUMN_FAMILY_TAG",
+ "id": 2,
+ "guid": "tagdefinition-column-family-guid"
+ },
+ "3": {
+ "name": "TABLE_TAG",
+ "id": 3,
+ "guid": "tagdefinition-table-guid"
+ }
+ },
+ "tags": {
+ "1": {
+ "type": "COLUMN_TAG",
+ "id": 1,
+ "guid": "tag-column-guid"
+ },
+ "2": {
+ "type": "COLUMN_FAMILY_TAG",
+ "id": 2,
+ "guid": "tag-column-family-guid"
+ },
+ "3": {
+ "type": "TABLE_TAG",
+ "id": 3,
+ "guid": "tag-table-guid"
+ }
+ },
+ "serviceResources": [
+ {
+ "serviceName": "hbasedev",
+ "resourceElements": {
+ "table": { "values": [ "finance" ] },
+ "column-family": { "values": [ "professional" ] },
+ "column": { "values": [ "ssn" ] }
+ },
+ "id": 1,
+ "guid": "finance.professional.ssn-guid"
+ },
+ {
+ "serviceName": "hbasedev",
+ "resourceElements": {
+ "table": { "values": [ "finance" ] },
+ "column-family": { "values": [ "personal" ] }
+ },
+ "id": 2,
+ "guid": "finance.personal-guid"
+ },
+ {
+ "serviceName": "hbasedev",
+ "resourceElements": {
+ "table": { "values": [ "finance" ] }
+ },
+ "id": 3,
+ "guid": "finance-guid"
+ }
+ ],
+ "resourceToTagIds": {
+ "1": [ 1 ],
+ "2": [ 2 ],
+ "3": [ 3 ]
+ }
+}
+
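Review bot: The top-level `"serviceName": "hbase_tag"` does not match the `"serviceName": "hbasedev"` used by every entry in `serviceResources` and by test_policyengine_tag_hbase.json, which loads this fixture. If the file-based tag retriever ignores the top-level name the test still passes, but the mismatch makes it unclear which service these tags belong to. Unless the difference is deliberate, the header should read `"serviceName": "hbasedev"`.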
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hbase.json
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hbase.json
new file mode 100644
index 000000000..c09ad1b3f
--- /dev/null
+++
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hbase.json
@@ -0,0 +1,179 @@
+{
+ "serviceName":"hbasedev",
+
+ "serviceDef":{
+ "name":"hbase",
+ "id":2,
+ "resources":[
+
{"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"HBase Table","description":"HBase Table"},
+
{"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"HBase Column-Family","description":"HBase
Column-Family"},
+
{"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"HBase Column","description":"HBase Column"}
+ ],
+ "accessTypes":[
+ {"name":"read","label":"Read"},
+ {"name":"write","label":"Write"},
+ {"name":"create","label":"Create"},
+
{"name":"admin","label":"Admin","impliedGrants":["read","write","create"]}
+ ]
+ },
+
+ "policies":[
+ {"id":1,"name":"table=finance; column-family=*, column=*:
audit-all-access","isEnabled":true,"isAuditEnabled":true,
+
"resources":{"table":{"values":["finance"]},"column-family":{"values":["*"]},"column":{"values":["*"]}}
+ }
+ ,
+ {"id":2,"name":"table=finance; column-family=personal;
column=*","isEnabled":true,"isAuditEnabled":true,
+
"resources":{"table":{"values":["finance"]},"column-family":{"values":["personal"]},"column":
{"values": ["*"]}},
+ "denyPolicyItems":[
+
{"accesses":[{"type":"read","isAllowed":true}],"users":["hrt_12"],"groups":[],"delegateAdmin":false}
+ ]
+ }
+ ],
+ "tagPolicyInfo": {
+
+ "serviceName":"tagdev",
+ "serviceDef": {
+ "name": "tag",
+ "id": 100,
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "tag",
+ "type": "string",
+ "level": 1,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": false
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "TAG",
+ "description": "TAG"
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "hbase:read",
+ "label": "hbase:read"
+ },
+ {
+ "itemId": 2,
+ "name": "hbase:write",
+ "label": "hbase:write"
+ },
+ {
+ "itemId": 3,
+ "name": "hbase:create",
+ "label": "hbase:create"
+ }
+ ,
+ {
+ "itemId": 4,
+ "name": "hbase:admin",
+ "label": "hbase:admin",
+ "impliedGrants":
+ [
+ "hbase:read",
+ "hbase:write",
+ "hbase:create"
+ ]
+ },
+ {
+ "itemId": 5,
+ "name": "hbase:all",
+ "label": "hbase:all",
+ "impliedGrants":
+ [
+ "hbase:read",
+ "hbase:write",
+ "hbase:create",
+ "hbase:admin"
+ ]
+ }
+ ],
+ "contextEnrichers": [
+ {
+ "itemId": 1,
+ "name" : "TagEnricher",
+ "enricher" :
"org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+ "enricherOptions" :
{"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever",
"tagRefresherPollingInterval":60000,
"serviceTagsFileName":"/policyengine/hbaseTags.json"}
+ }
+ ],
+ "policyConditions": [
+ {
+ "itemId":1,
+ "name":"expression",
+ "evaluator":
"org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript",
"ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
+ },
+ {
+ "itemId":2,
+ "name":"enforce-expiry",
+ "evaluator":
"org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+ "evaluatorOptions" : {
"scriptTemplate":"ctx.isAccessedAfter('expiry_date');" },
+ "label":"Deny access after expiry_date?",
+ "description": "Deny access after expiry_date? (yes/no)"
+ }
+ ]
+ },
+ "tagPolicies":[
+ {"id":100,"name":"COLUMN_POLICY","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"tag":{"values":["COLUMN_TAG"],"isRecursive":false}},
+ "policyItems":[
+ {
+
"accesses":[{"type":"hbase:read","isAllowed":true}],"users":["hrt_12"],"groups":[],"delegateAdmin":false
+ }
+ ]
+ }
+ ]
+ },
+
+ "tests":[
+ {"name":"DENY 'scan finance.professional;' for hrt_12",
+ "request":{
+ "resource":{"elements":{"table":"finance",
"column-family":"professional"}},
+
"accessType":"read","user":"hrt_12","userGroups":[],"requestData":"scan
finance.professional; for hrt_12"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ {"name":"ALLOW 'scan finance.professional; with
resourceMatchingScope=SELF_OR_DESCENDANTS' for hrt_12",
+ "request":{
+ "resource":{"elements":{"table":"finance",
"column-family":"professional"}}, "resourceMatchingScope":
"SELF_OR_DESCENDANTS",
+
"accessType":"read","user":"hrt_12","userGroups":[],"requestData":"scan
finance.professional; with resourceMatchingScope=SELF_OR_DESCENDANTS for hrt_12"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":100}
+ },
+ {"name":"ALLOW 'scan finance.professional.ssn;' for hrt_12",
+ "request":{
+ "resource":{"elements":{"table":"finance",
"column-family":"professional", "column":"ssn"}},
+
"accessType":"read","user":"hrt_12","userGroups":[],"requestData":"scan
finance.professional.ssn; for hrt_12"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":100}
+ },
+ {"name":"DENY 'scan finance.personal;' for hrt_12",
+ "request":{
+ "resource":{"elements":{"table":"finance", "column-family":"personal"}},
+ "accessType":"read","user":"hrt_12","userGroups":[],"requestData":"scan
finance.personal; for hrt_12"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":2}
+ },
+ {"name":"DENY 'scan finance.personal;' with
resourceMatchingScope=SELF_OR_DESCENDANTS for hrt_12",
+ "request":{
+ "resource":{"elements":{"table":"finance",
"column-family":"personal"}}, "resourceMatchingScope": "SELF_OR_DESCENDANTS",
+
"accessType":"read","user":"hrt_12","userGroups":[],"requestData":"scan
finance.personal; for hrt_12 with with
resourceMatchingScope=SELF_OR_DESCENDANTS"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":2}
+ }
+ ]
+}
+
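Review bot: The cases pin only the allow direction of the new scope handling: the read on `finance.professional` with `"resourceMatchingScope": "SELF_OR_DESCENDANTS"` is allowed by policy 100 because the `ssn` column below it carries COLUMN_TAG. There is no case where a descendant's tag policy denies, no case for a user other than `hrt_12`, and no table-level request on `finance` with the scope set. Since a tag on a single column now decides a request for the whole column family, a tag policy with a deny item and a request from a second user, each with an explicit expected `isAllowed`, would document the intended result and catch a regression that widens access.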