- RangerAccessResult updated to support Allowed/Denied/PartiallyDenied result
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3c52e0ed Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3c52e0ed Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3c52e0ed Branch: refs/heads/stack Commit: 3c52e0ed8a29fcdbb9d7c8e145a0a42580e20a29 Parents: 59417d3 Author: Madhan Neethiraj <[email protected]> Authored: Thu Jan 1 23:58:22 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Jan 7 11:18:37 2015 -0800 ---------------------------------------------------------------------- .../plugin/policyengine/RangerAccessResult.java | 60 +++++-- .../plugin/policyengine/RangerPolicyEngine.java | 7 +- .../policyengine/RangerPolicyEngineImpl.java | 176 ++++++++++++------- .../RangerDefaultPolicyEvaluator.java | 3 +- 4 files changed, 159 insertions(+), 87 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 0735bd2..3c04139 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -21,24 +21,27 @@ package org.apache.ranger.plugin.policyengine;
 public class RangerAccessResult {
- private RangerAccessRequest request;
- private boolean isAllowed;
- private boolean isAudited;
- private long policyId;
- private String reason;
+ public enum Result { ALLOWED, DENIED, PARTIALLY_DENIED };
+
+ private RangerAccessRequest request = null;
+ private Result result = null;
+ private RangerResource deniedResource = null;
+ private boolean isAudited = false;
+ private long policyId = -1;
+ private String reason = null;
 public RangerAccessResult(RangerAccessRequest request) {
- this(request, false, false, -1, null);
+ this(request, Result.DENIED, false, -1, null);
 }
- public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean isAudited) {
- this(request, isAllowed, isAudited, -1, null);
+ public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited) {
+ this(request, result, isAudited, -1, null);
 }
- public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean isAudited, long policyId, String reason) {
+ public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited, long policyId, String reason) {
 this.request = request;
- this.isAllowed = isAllowed;
+ this.result = result;
 this.isAudited = isAudited;
 this.policyId = policyId;
 this.reason = reason;
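Review bot: With `isAllowed()` removed, every caller now has to spell out `getResult() == Result.ALLOWED`, and a caller that writes `getResult() != Result.DENIED` instead will treat PARTIALLY_DENIED, and a null result installed through `setResult(null)`, as an allow. Keep a fail-closed convenience on the class, `public boolean isAllowed() { return result == Result.ALLOWED; }`, so the only value that grants access is an explicit ALLOWED. Minor: the `;` after the enum body is redundant, `public enum Result { ALLOWED, DENIED, PARTIALLY_DENIED }`.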
@@ -52,17 +55,31 @@ public class RangerAccessResult {
 }
 /**
- * @return the isAllowed
+ * @return the result
+ */
+ public Result getResult() {
+ return result;
+ }
+
+ /**
+ * @param result the result to set
 */
- public boolean isAllowed() {
- return isAllowed;
+ public void setResult(Result result) {
+ this.result = result;
 }
 /**
- * @param isAllowed the isAllowed to set
+ * @return the deniedResource
 */
- public void setAllowed(boolean isAllowed) {
- this.isAllowed = isAllowed;
+ public RangerResource getDeniedResource() {
+ return deniedResource;
+ }
+
+ /**
+ * @param deniedResource the deniedResource to set
+ */
+ public void setDeniedResource(RangerResource deniedResource) {
+ this.deniedResource = deniedResource;
 }
 /**
@@ -107,6 +124,14 @@ public class RangerAccessResult {
 this.reason = reason;
 }
+ public void addDeniedResource(String resourceType, String resourceValue) {
+ if(deniedResource == null) {
+ deniedResource = new RangerResourceImpl();
+ }
+
+ ((RangerResourceImpl)deniedResource).addElement(resourceType, resourceValue);
+ }
+
 @Override
 public String toString( ) {
 StringBuilder sb = new StringBuilder();
@@ -120,7 +145,8 @@ public class RangerAccessResult {
 sb.append("RangerAccessResult={");
 sb.append("request={").append(request).append("} ");
- sb.append("isAllowed={").append(isAllowed).append("} ");
+ sb.append("result={").append(result).append("} ");
+ sb.append("deniedResource={").append(deniedResource).append("} ");
 sb.append("isAudited={").append(isAudited).append("} ");
 sb.append("policyId={").append(policyId).append("} ");
 sb.append("reason={").append(reason).append("} ");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
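Review bot: The generated Javadoc on `getResult()` and `getDeniedResource()` (`@return the result`, `@return the deniedResource`) says nothing a caller can rely on, and PARTIALLY_DENIED is not defined anywhere in this commit — nothing in the four files produces it. State the contract on `getResult()`: ALLOWED is the only value that grants access, DENIED is the constructor default, and PARTIALLY_DENIED presumably means some but not all of the requested resource elements were denied (confirm and write down which). On `getDeniedResource()` say that it is null until a denial is recorded and otherwise names the denied elements; on `setResult()` say whether null is a legal argument, since the field initialiser allows it.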
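Review bot: `addDeniedResource()` casts `deniedResource` to `RangerResourceImpl` unconditionally, but `setDeniedResource(RangerResource)` in the same file lets a caller install any other `RangerResource` implementation, after which the cast throws `ClassCastException` in the middle of an authorization decision. Guard the cast and fail loudly rather than silently replacing the caller's object. Also, recording a denied element does not touch `result`, so a result can hold denied resources while `getResult()` still reports ALLOWED; either set `result` here or document on the method that the caller must keep the two in sync.
```java
	public void addDeniedResource(String resourceType, String resourceValue) {
		if(deniedResource == null) {
			deniedResource = new RangerResourceImpl();
		} else if(!(deniedResource instanceof RangerResourceImpl)) {
			// setDeniedResource() accepted a foreign implementation; elements cannot be appended to it
			throw new IllegalStateException("deniedResource is not a RangerResourceImpl: " + deniedResource.getClass().getName());
		}

		((RangerResourceImpl)deniedResource).addElement(resourceType, resourceValue);
	}
```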
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index cf2a5f3..271e190 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -21,10 +21,15 @@ package org.apache.ranger.plugin.policyengine;
 import java.util.List;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+
 public interface RangerPolicyEngine {
+ void setPolicies(RangerServiceDef serviceDef, List<RangerPolicy> policies);
+
 RangerAccessResult isAccessAllowed(RangerAccessRequest request);
- void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult> results);
+ List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests);
 void auditAccess(RangerAccessResult result);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index b2324c5..33b2ec7 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
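Review bot: The two new interface methods carry no Javadoc, and their contracts are exactly what an implementation and its callers can get wrong: whether `setPolicies()` may be called while requests are being evaluated (the implementation in this commit swaps a list reference, so it appears to be intended), and whether `isAccessAllowed(List)` returns one result per request, in request order, and never null (the implementation does). Document both on the interface, e.g. `/** Replaces the active policy set; may be called while requests are being evaluated. */` on `setPolicies` and `/** @return one result per request, in request order; never null */` on the list overload, so that other implementations are held to the same contract.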
@@ -20,130 +20,118 @@ package org.apache.ranger.plugin.policyengine;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.manager.ServiceDefManager;
 import org.apache.ranger.plugin.manager.ServiceManager;
 import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
+import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
- private String svcName = null;
 private List<RangerPolicyEvaluator> policyEvaluators = null;
 public RangerPolicyEngineImpl() {
 if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngine()");
+ LOG.debug("==> RangerPolicyEngineImpl()");
 }
 if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngine()");
+ LOG.debug("<== RangerPolicyEngineImpl()");
 }
 }
- public void init(String serviceName) throws Exception {
+ @Override
+ public void setPolicies(RangerServiceDef serviceDef, List<RangerPolicy> policies) {
 if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngine.init(" + serviceName + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.setPolicies(" + serviceDef + ", " + policies + ")");
 }
- svcName = serviceName;
- policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
-
- ServiceManager svcMgr = new ServiceManager();
- RangerService service = 
svcMgr.getByName(svcName);
-
- if(service == null) {
- LOG.error(svcName + ": service not found");
- } else {
- ServiceDefManager sdMgr = new ServiceDefManager();
-
- RangerServiceDef serviceDef = sdMgr.getByName(service.getType());
-
- if(serviceDef == null) {
- String msg = service.getType() + ": service-def not found";
-
- LOG.error(msg);
-
- throw new Exception(msg);
- }
+ if(serviceDef != null && policies != null) {
+ List<RangerPolicyEvaluator> evaluators = new ArrayList<RangerPolicyEvaluator>();
- List<RangerPolicy> policies = svcMgr.getPolicies(service.getId());
-
- if(policies != null) {
- for(RangerPolicy policy : policies) {
- RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
+ for(RangerPolicy policy : policies) {
+ RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
- if(evaluator != null) {
- policyEvaluators.add(evaluator);
- }
+ if(evaluator != null) {
+ evaluators.add(evaluator);
 }
 }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("found " + (policyEvaluators == null ? 
0 : policyEvaluators.size()) + " policies in service '" + svcName + "'");
- }
+
+ this.policyEvaluators = evaluators;
+ } else {
+ LOG.error("RangerPolicyEngineImpl.setPolicies(): invalid arguments - null serviceDef/policies");
 }
 if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngine.init(" + serviceName + ")");
+ LOG.debug("<== RangerPolicyEngineImpl.setPolicies(" + serviceDef + ", " + policies + ")");
 }
 }
- private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef) {
- RangerPolicyEvaluator ret = null;
-
- // TODO: instantiate policy-matcher
-
- return ret;
- }
-
 @Override
 public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
+ }
+
 RangerAccessResult ret = null;
- for(RangerPolicyEvaluator evaluator : policyEvaluators) {
- ret = evaluator.evaluate(request);
-
- if(ret != null) {
- break;
+ List<RangerPolicyEvaluator> evaluators = policyEvaluators;
+
+ if(request != null && evaluators != null) {
+ for(RangerPolicyEvaluator evaluator : evaluators) {
+ ret = evaluator.evaluate(request);
+
+ if(ret != null) {
+ break;
+ }
 }
 }
 if(ret == null) {
 ret = new RangerAccessResult(request);
- ret.setAllowed(Boolean.FALSE);
+ ret.setResult(Result.DENIED);
 ret.setAudited(Boolean.FALSE);
 }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
+ }
+
 return ret;
 }
 @Override
- public void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult> results) {
- if(requests != null && results != null) {
- results.clear();
-
- for(int i = 0; i < requests.size(); i++) {
- RangerAccessRequest request = requests.get(i);
- RangerAccessResult result = isAccessAllowed(request);
-
- results.add(result);
+ public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> 
RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")");
+ }
+
+ List<RangerAccessResult> ret = new ArrayList<RangerAccessResult>();
+
+ if(requests != null) {
+ for(RangerAccessRequest request : requests) {
+ RangerAccessResult result = isAccessAllowed(request);
+
+ ret.add(result);
 }
 }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
+ }
+
+ return ret;
 }
 @Override
@@ -158,6 +146,60 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 }
+ public void init(String svcName) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.init(" + svcName + ")");
+ }
+
+ ServiceManager svcMgr = new ServiceManager();
+ ServiceDefManager sdMgr = new ServiceDefManager();
+
+ RangerServiceDef serviceDef = null;
+ List<RangerPolicy> policies = null;
+
+ RangerService service = svcMgr.getByName(svcName);
+
+ if(service == null) {
+ String msg = svcName + ": service not found";
+
+ LOG.error(msg);
+
+ throw new Exception(msg);
+ } else {
+ serviceDef = sdMgr.getByName(service.getType());
+
+ if(serviceDef == null) {
+ String msg = service.getType() + ": service-def not found";
+
+ LOG.error(msg);
+
+ throw new Exception(msg);
+ }
+
+ policies = svcMgr.getPolicies(service.getId());
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.init(): found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies in service '" + svcName + "'");
+ }
+ }
+
+ setPolicies(serviceDef, policies);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.init(" + svcName + ")");
+ }
+ }
+
+ private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef) {
+ RangerPolicyEvaluator ret = null;
+
+ ret = new RangerDefaultPolicyEvaluator(); // TODO: configurable evaluator class?
+
+ ret.init(policy, serviceDef);
+
+ return ret;
+ }
+
 @Override
 public String toString( ) {
 StringBuilder sb = new StringBuilder();
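Review bot: `policyEvaluators` is now written by `setPolicies()` and read by `isAccessAllowed()`, which in a plugin are presumably different threads (a policy-refresh thread and request threads), but the field is not `volatile`, so the snapshot `List<RangerPolicyEvaluator> evaluators = policyEvaluators;` has no happens-before relationship with `this.policyEvaluators = evaluators;` and a request thread may keep deciding against a stale list indefinitely. Declare it `private volatile List<RangerPolicyEvaluator> policyEvaluators = null;` — the snapshot-then-iterate shape is already right and only needs the publication guarantee. When `setPolicies()` is handed null arguments it logs an error and keeps the previous policy set; that is a defensible availability choice, but it deserves a comment at the `else` branch saying the old policies remain in force, because the log line reads like a failure. Note also that `isAccessAllowed(request)` returns the first non-null result, so the order of `policies` decides which policy answers; whether a later deny is meant to override an earlier allow depends on `evaluate()`, which is outside this hunk.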
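Review bot: The debug line in `init()` reads `policyEvaluators.size()` before `setPolicies(serviceDef, policies)` has run, so it reports the previous policy set (or 0 on first load) rather than the policies just fetched; log `(policies == null ? 0 : policies.size())` there, or move the line after the `setPolicies()` call. The `evaluator != null` check in `setPolicies()` is now dead, since `getPolicyEvaluator()` always returns a new `RangerDefaultPolicyEvaluator`; either drop it or leave a comment that a configurable evaluator class (the TODO) may return null. `throw new Exception(msg)` remains a raw `Exception`, which forces callers of `init()` into a blanket catch; throwing `IllegalStateException` and narrowing the `throws` clause would let callers distinguish a missing service from other failures.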
@@ -170,8 +212,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 public StringBuilder toString(StringBuilder sb) {
 sb.append("RangerPolicyEngineImpl={");
- sb.append("svcName={").append(svcName).append("} ");
-
 sb.append("policyEvaluators={");
 if(policyEvaluators != null) {
 for(RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2e7d691..28cca2e 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -35,6 +35,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
 import org.apache.ranger.plugin.policyengine.RangerResource;
 import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher;
 import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
@@ -95,7 +96,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 ret = new RangerAccessResult(request);
 ret.setPolicyId(policy.getId());
- ret.setAllowed(access.getIsAllowed());
+ ret.setResult(access.getIsAllowed() ? Result.ALLOWED : Result.DENIED);
 ret.setAudited(access.getIsAudited());
 break;
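Review bot: `access.getIsAllowed() ? Result.ALLOWED : Result.DENIED` unboxes the getter's value; if `getIsAllowed()` returns a boxed `Boolean` rather than a primitive (not visible here, check the model class), a policy item with the flag unset throws `NullPointerException` in the middle of evaluation instead of being treated as a denial, and the previous `setAllowed(access.getIsAllowed())` had the same exposure. `ret.setResult(Boolean.TRUE.equals(access.getIsAllowed()) ? Result.ALLOWED : Result.DENIED);` keeps the decision fail-closed for a missing value. The enclosing method starts and ends outside this hunk, and nothing in this commit ever produces `Result.PARTIALLY_DENIED`, so a comment here on when the evaluator is expected to emit it would help the next change.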
