RANGER-203: updates to RangerPolicyResource per comments from Alok. PolicyEngine updated to return the result in RangerAccessResult, instead of Boolean.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2242c441 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2242c441 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2242c441 Branch: refs/heads/stack Commit: 2242c44183f2ecb1a631db9d7b483119d59e7c3c Parents: 941ae69 Author: Madhan Neethiraj <[email protected]> Authored: Fri Dec 19 17:24:01 2014 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Fri Dec 19 17:24:01 2014 -0800 ---------------------------------------------------------------------- .../ranger/plugin/model/RangerPolicy.java | 94 +++++++++++--------- .../plugin/policyengine/RangerAccessResult.java | 62 +++++++++++++ .../plugin/policyengine/RangerPolicyEngine.java | 8 +- .../policyengine/RangerPolicyEngineImpl.java | 13 ++- .../plugin/manager/TestServiceManager.java | 2 +- .../org/apache/ranger/common/ServiceUtil.java | 72 ++++++++++----- 6 files changed, 171 insertions(+), 80 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2242c441/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index 13a9c4d..57b52cc 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -21,6 +21,8 @@ package org.apache.ranger.plugin.model; import java.util.ArrayList; import java.util.List; +import java.util.HashMap; +import java.util.Map; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; 
@@ -40,13 +42,13 @@ import org.codehaus.jackson.map.annotate.JsonSerialize; public class RangerPolicy extends RangerBaseModelObject implements java.io.Serializable { private static final long serialVersionUID = 1L; - private String service = null; - private String name = null; - private String description = null; - private Boolean isEnabled = null; - private Boolean isAuditEnabled = null; - private List<RangerPolicyResource> resources = null; - private List<RangerPolicyItem> policyItems = null; + private String service = null; + private String name = null; + private String description = null; + private Boolean isEnabled = null; + private Boolean isAuditEnabled = null; + private Map<String, RangerPolicyResource> resources = null; + private List<RangerPolicyItem> policyItems = null; /** @@ -63,7 +65,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param isEnabled * @param configs */ - public RangerPolicy(String service, String name, String description, Boolean isEnabled, List<RangerPolicyResource> resources, List<RangerPolicyItem> policyItems) { + public RangerPolicy(String service, String name, String description, Boolean isEnabled, Map<String, RangerPolicyResource> resources, List<RangerPolicyItem> policyItems) { super(); setService(service); 
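Review bot: `serialVersionUID` stays at `1L` in RangerPolicy although the serialized field `resources` changes type from `List<RangerPolicyResource>` to `Map<String, RangerPolicyResource>`. If instances are ever persisted or exchanged between versions through Java serialization (not visible here), an old stream would be treated as the same class version and fail only when the field is assigned; bumping the constant to `2L` makes the incompatibility explicit. The same holds for RangerPolicyResource in the @@ -246,49 hunk, where `type` and `value` are replaced by `values` under an unchanged `serialVersionUID`. The constructor Javadoc in the second hunk still lists `@param configs`, which is not a parameter of the constructor.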
@@ -160,19 +162,19 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria /** * @return the resources */ - public List<RangerPolicyResource> getResources() { + public Map<String, RangerPolicyResource> getResources() { return resources; } /** * @param configs the resources to set */ - public void setResources(List<RangerPolicyResource> resources) { - this.resources = new ArrayList<RangerPolicyResource>(); + public void setResources(Map<String, RangerPolicyResource> resources) { + this.resources = new HashMap<String, RangerPolicyResource>(); if(resources != null) { - for(RangerPolicyResource resource : resources) { - this.resources.add(resource); + for(Map.Entry<String, RangerPolicyResource> e : resources.entrySet()) { + this.resources.put(e.getKey(), e.getValue()); } } } @@ -219,10 +221,10 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria sb.append("resources={"); if(resources != null) { - for(RangerPolicyResource resource : resources) { - if(resource != null) { - resource.toString(sb); - } + for(Map.Entry<String, RangerPolicyResource> e : resources.entrySet()) { + sb.append(e.getKey()).append("={"); + e.getValue().toString(sb); + sb.append("} "); } } sb.append("} "); 
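Review bot: The rewritten loop in `toString(StringBuilder)` calls `e.getValue().toString(sb)` without the `resource != null` guard that the old loop had. `setResources` in the hunk above copies entries without filtering null values, so a policy that carries a null resource entry now throws a NullPointerException when it is logged. Restore the guard, e.g. `if(e.getValue() != null) { e.getValue().toString(sb); }`. The `setResources` Javadoc still reads `@param configs the resources to set` and should name `resources`. The body of toString continues outside the hunk.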
@@ -246,49 +248,48 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria public static class RangerPolicyResource implements java.io.Serializable { private static final long serialVersionUID = 1L; - private String type = null; - private String value = null; - private Boolean isExcludes = null; - private Boolean isRecursive = null; + private List<String> values = null; + private Boolean isExcludes = null; + private Boolean isRecursive = null; public RangerPolicyResource() { - this(null, null, null, null); + this((List<String>)null, null, null); } - public RangerPolicyResource(String type, String value, Boolean isExcludes, Boolean isRecursive) { - setType(type); - setValue(value); + public RangerPolicyResource(String value, Boolean isExcludes, Boolean isRecursive) { + List<String> values = new ArrayList<String>(); + values.add(value); + + setValues(values); setIsExcludes(isExcludes); setIsRecursive(isRecursive); } - /** - * @return the type - */ - public String getType() { - return type; + public RangerPolicyResource(List<String> values, Boolean isExcludes, Boolean isRecursive) { + setValues(values); + setIsExcludes(isExcludes); + setIsRecursive(isRecursive); } /** - * @param type the type to set + * @return the values */ - public void setType(String type) { - this.type = type; + public List<String> getValues() { + return values; } /** - * @return the value + * @param values the values to set */ - public String getValue() { - return value; - } + public void setValues(List<String> values) { + this.values = new ArrayList<String>(); - /** - * @param value the value to set - */ - public void setValue(String value) { - this.value = value; + if(values != null) { + for(String value : values) { + this.values.add(value); + } + } } /** 
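Review bot: The single-value constructor `RangerPolicyResource(String value, Boolean isExcludes, Boolean isRecursive)` adds `value` to the list unconditionally, so passing null yields a resource whose `values` is `[null]` rather than empty. How the policy engine treats a null resource value is not visible here, so it is safer not to create one: `if(value != null) { values.add(value); }`. `getValues()` also returns the internal list, which ServiceUtil later in this commit relies on to append values; say so in its Javadoc so callers know that mutating the returned list changes the policy object.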
@@ -330,8 +331,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria public StringBuilder toString(StringBuilder sb) { sb.append("RangerPolicyResource={"); - sb.append("type={").append(type).append("} "); - sb.append("value={").append(value).append("} "); + sb.append("values={"); + if(values != null) { + for(String value : values) { + sb.append(value).append(" "); + } + } + sb.append("} "); sb.append("isExcludes={").append(isExcludes).append("} "); sb.append("isRecursive={").append(isRecursive).append("} "); sb.append("}"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2242c441/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java new file mode 100644 index 0000000..bf17e86 --- /dev/null +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 
@@ -0,0 +1,62 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + + +public class RangerAccessResult { + private RangerAccessRequest request; + private boolean isAllowed; + private boolean auditAccess; + private long policyId; + private String reason; + + + public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean auditAccess) { + this(request, isAllowed, auditAccess, -1, null); + } + + public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean auditAccess, long policyId, String reason) { + this.request = request; + this.isAllowed = isAllowed; + this.auditAccess = auditAccess; + this.policyId = policyId; + this.reason = reason; + } + + public RangerAccessRequest getRequest() { + return request; + } + + public boolean isAllowed() { + return isAllowed; + } + + public boolean auditAccess() { + return auditAccess; + } + + public long getPolicyId() { + return policyId; + } + + public String getReason() { + return reason; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2242c441/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 
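Review bot: `RangerAccessResult` carries the authorization decision from evaluation to audit, yet its five fields are non-final even though the class has no setters. Declaring them `private final` (for example `private final boolean isAllowed;`) makes the result immutable, so the decision that gets audited is guaranteed to be the one that was returned. The class and both constructors lack Javadoc: document that `policyId` is `-1` when the three-argument constructor is used (presumably meaning no policy was matched, to be confirmed) and what `reason` is expected to contain. The getter `auditAccess()` reads like an action and is easy to confuse with `RangerPolicyEngine.auditAccess(...)`; a one-line Javadoc saying it is a flag would help.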
---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index aee6716..cf2a5f3 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -22,11 +22,11 @@ package org.apache.ranger.plugin.policyengine; import java.util.List; public interface RangerPolicyEngine { - boolean isAccessAllowed(RangerAccessRequest request); + RangerAccessResult isAccessAllowed(RangerAccessRequest request); - boolean isAccessAllowed(List<RangerAccessRequest> requests, List<Boolean> results); + void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult> results); - void auditAccess(RangerAccessRequest request); + void auditAccess(RangerAccessResult result); - void auditAccess(List<RangerAccessRequest> requests, List<Boolean> results); + void auditAccess(List<RangerAccessResult> results); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2242c441/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 71274f3..49cf364 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
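Review bot: The new signatures leave the allow/deny contract undocumented: `isAccessAllowed(RangerAccessRequest)` now returns an object that can be null where it used to return a primitive `boolean`, and the list variant reports its outcome only through the `results` out-parameter. Add Javadoc stating that the single-request method never returns null and returns a denied result instead. For the list variant, state whether `results` must be non-null and empty on entry and that `results.get(i)` corresponds to `requests.get(i)`. If the API can still change, returning `List<RangerAccessResult>` from the list variant would remove the ambiguity.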
@@ -87,27 +87,24 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public boolean isAccessAllowed(RangerAccessRequest request) { + public RangerAccessResult isAccessAllowed(RangerAccessRequest request) { // TODO Auto-generated method stub - return false; + return null; } @Override - public boolean isAccessAllowed(List<RangerAccessRequest> requests, - List<Boolean> results) { + public void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult> results) { // TODO Auto-generated method stub - return false; } @Override - public void auditAccess(RangerAccessRequest request) { + public void auditAccess(RangerAccessResult result) { // TODO Auto-generated method stub } @Override - public void auditAccess(List<RangerAccessRequest> requests, - List<Boolean> results) { + public void auditAccess(List<RangerAccessResult> results) { // TODO Auto-generated method stub } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2242c441/plugin-common/src/test/java/org/apache/ranger/plugin/manager/TestServiceManager.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/manager/TestServiceManager.java b/plugin-common/src/test/java/org/apache/ranger/plugin/manager/TestServiceManager.java index b2e12a1..4263f59 100644 --- a/plugin-common/src/test/java/org/apache/ranger/plugin/manager/TestServiceManager.java +++ b/plugin-common/src/test/java/org/apache/ranger/plugin/manager/TestServiceManager.java 
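Review bot: The stubbed `isAccessAllowed(RangerAccessRequest)` now returns `null` where the old stub returned `false`, so the placeholder no longer fails closed. A caller that dereferences the result gets a NullPointerException, and a caller that only tests for null has no explicit denial to act on. Until the engine is implemented, return a denial instead: `return new RangerAccessResult(request, false, false);`. The list variant likewise leaves `results` untouched, so its callers see no decision at all; it could add one denied result per request. The class body continues outside the hunk.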
@@ -117,7 +117,7 @@ public class TestServiceManager { int initPolicyCount = policies == null ? 0 : policies.size(); RangerPolicy policy = new RangerPolicy(updatedSvc.getName(), policyName, "test policy description", Boolean.TRUE, null, null); - policy.getResources().add(new RangerPolicyResource("path", "/demo/test/finance", Boolean.FALSE, Boolean.TRUE)); + policy.getResources().put("path", new RangerPolicyResource("/demo/test/finance", Boolean.FALSE, Boolean.TRUE)); RangerPolicyItem item1 = new RangerPolicyItem(); item1.getAccesses().add(new RangerPolicyItemAccess("read", Boolean.TRUE)); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2242c441/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java index 8a990da..62a65c3 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 
@@ -232,26 +232,30 @@ public class ServiceUtil { } ret.setAuditList(auditList); - for(RangerPolicy.RangerPolicyResource res : policy.getResources()) { - if(res.getType().equalsIgnoreCase("path")) { - ret.setName(addResource(ret.getName(), res.getValue())); + for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) { + RangerPolicy.RangerPolicyResource res = e.getValue(); + String resType = e.getKey(); + String resString = getResourceString(res.getValues()); + + if(resType.equalsIgnoreCase("path")) { + ret.setName(resString); ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? RangerCommonEnums.BOOL_TRUE : RangerCommonEnums.BOOL_FALSE); - } else if(res.getType().equalsIgnoreCase("table")) { - ret.setTables(addResource(ret.getTables(), res.getValue())); + } else if(resType.equalsIgnoreCase("table")) { + ret.setTables(resString); ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION); - } else if(res.getType().equalsIgnoreCase("column-family")) { - ret.setColumnFamilies(addResource(ret.getColumnFamilies(), res.getValue())); - } else if(res.getType().equalsIgnoreCase("column")) { - ret.setColumns(addResource(ret.getColumns(), res.getValue())); + } else if(resType.equalsIgnoreCase("column-family")) { + ret.setColumnFamilies(resString); + } else if(resType.equalsIgnoreCase("column")) { + ret.setColumns(resString); ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? 
RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION); - } else if(res.getType().equalsIgnoreCase("database")) { - ret.setDatabases(addResource(ret.getDatabases(), res.getValue())); - } else if(res.getType().equalsIgnoreCase("udf")) { - ret.setUdfs(addResource(ret.getUdfs(), res.getValue())); - } else if(res.getType().equalsIgnoreCase("topology")) { - ret.setTopologies(addResource(ret.getTopologies(), res.getValue())); - } else if(res.getType().equalsIgnoreCase("service")) { - ret.setServices(addResource(ret.getServices(), res.getValue())); + } else if(resType.equalsIgnoreCase("database")) { + ret.setDatabases(resString); + } else if(resType.equalsIgnoreCase("udf")) { + ret.setUdfs(resString); + } else if(resType.equalsIgnoreCase("topology")) { + ret.setTopologies(resString); + } else if(resType.equalsIgnoreCase("service")) { + ret.setServices(resString); } } 
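Review bot: Each branch now overwrites its target field (`ret.setName(resString)`) where the old code appended through `addResource`, while the resource type is still matched with `equalsIgnoreCase` against the keys of a case-sensitive `HashMap`. If a policy holds two keys that differ only in case (say `path` and `Path`), both reach the same branch and whichever the HashMap iterates last silently replaces the other, so the converted policy names a different set of resources than the original. Either normalise the key when it is stored, for example in `RangerPolicy.setResources`, or match with `equals` here. `res` should also be null-checked before `res.getValues()`, since map values are copied unfiltered. The enclosing method starts and ends outside the hunk.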
@@ -308,12 +312,22 @@ public class ServiceUtil { return ret; } - private List<RangerPolicy.RangerPolicyResource> toRangerResourceList(String resourceString, String resourceType, Boolean isExcludes, Boolean isRecursive, List<RangerPolicy.RangerPolicyResource> resList) { - List<RangerPolicy.RangerPolicyResource> ret = resList == null ? new ArrayList<RangerPolicy.RangerPolicyResource>() : resList; + private Map<String, RangerPolicy.RangerPolicyResource> toRangerResourceList(String resourceString, String resourceType, Boolean isExcludes, Boolean isRecursive, Map<String, RangerPolicy.RangerPolicyResource> resources) { + Map<String, RangerPolicy.RangerPolicyResource> ret = resources == null ? new HashMap<String, RangerPolicy.RangerPolicyResource>() : resources; if(resourceString != null) { - for(String resource : resourceString.split(",")) { - ret.add(new RangerPolicy.RangerPolicyResource(resourceType, resource, isExcludes, isRecursive)); + RangerPolicy.RangerPolicyResource resource = ret.get(resourceType); + + if(resource == null) { + resource = new RangerPolicy.RangerPolicyResource(); + resource.setIsExcludes(isExcludes); + resource.setIsRecursive(isRecursive); + + ret.put(resourceType, resource); + } + + for(String res : resourceString.split(",")) { + resource.getValues().add(res); } } @@ -392,8 +406,20 @@ public class ServiceUtil { return ret; } - private String addResource(String currentVal, String valToAdd) { - return (currentVal == null || currentVal.isEmpty()) ? valToAdd : (currentVal + "," + valToAdd); + private String getResourceString(List<String> values) { + String ret = null; + + if(values != null) { + for(String value : values) { + if(ret == null) { + ret = value; + } else if(value != null) { + ret += ("," + value); + } + } + } + + return ret; } private String getUserName(VXPermMap permMap) {
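Review bot: When `ret` already holds an entry for `resourceType`, `toRangerResourceList` appends the new values to it and ignores the `isExcludes` and `isRecursive` arguments of the current call. Values passed with a different exclude or recursive flag therefore silently inherit the existing entry's flags, which for an access policy could change an exclusion into an inclusion. At minimum compare the flags and log or reject a mismatch, and record the merge rule in a comment such as `// values added to an existing entry keep that entry's isExcludes/isRecursive`. The method name still says `List` although it now builds and returns a map.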
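Review bot: `getResourceString` joins values with `,` and `toRangerResourceList` splits on `,`, so a single value that itself contains a comma comes back as two values after a round trip. Whether resource values may contain commas is not visible here, so state the assumption in a comment such as `// values must not contain ','; the legacy format has no escaping`. The method returns null for a null or empty list, and that null is passed straight to setters such as `ret.setName(...)`, which deserves a line of Javadoc. Building the result with a `StringBuilder` rather than `ret += ...` would be the more idiomatic form.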
