RANGER-203: Added RangerMutableResource interface with methods to update resource element values. Removed RangerAccessResult.deniedResources; this will not be needed after the result class is updated to capture policy-id/audit-flag for each leaf-level element.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3cfe45b7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3cfe45b7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3cfe45b7
Branch: refs/heads/stack
Commit: 3cfe45b75ffa99079c547c193e58ed2a689d9103
Parents: 3c52e0e
Author: Madhan Neethiraj <[email protected]>
Authored: Fri Jan 2 18:43:01 2015 -0800
Committer: Madhan Neethiraj <[email protected]>
Committed: Wed Jan 7 11:18:37 2015 -0800
----------------------------------------------------------------------
 .../plugin/policyengine/RangerAccessResult.java | 24 ----
 .../policyengine/RangerMutableResource.java | 30 +++++
 .../plugin/policyengine/RangerResource.java | 11 +-
 .../plugin/policyengine/RangerResourceImpl.java | 127 ++++++-------------
 .../RangerDefaultPolicyEvaluator.java | 15 ++-
 5 files changed, 87 insertions(+), 120 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 3c04139..1eadc05 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -25,7 +25,6 @@ public class RangerAccessResult {
  private RangerAccessRequest request = null;
  private Result result = null;
- private RangerResource deniedResource = null;
  private boolean isAudited = false;
  private long policyId = -1;
  private String reason = null;
@@ -69,20 +68,6 @@ public class RangerAccessResult {
  }
  /**
- * @return the deniedResource
- */
- public RangerResource getDeniedResource() {
- return deniedResource;
- }
-
- /**
- * @param deniedResource the deniedResource to set
- */
- public void setDeniedResource(RangerResource deniedResource) {
- this.deniedResource = deniedResource;
- }
-
- /**
  * @return the auditAccess
  */
  public boolean isAudited() {
@@ -124,14 +109,6 @@ public class RangerAccessResult {
  this.reason = reason;
  }
- public void addDeniedResource(String resourceType, String resourceValue) {
- if(deniedResource == null) {
- deniedResource = new RangerResourceImpl();
- }
-
- ((RangerResourceImpl)deniedResource).addElement(resourceType, resourceValue);
- }
-
  @Override
  public String toString( ) {
  StringBuilder sb = new StringBuilder();
@@ -146,7 +123,6 @@ public class RangerAccessResult {
  sb.append("request={").append(request).append("} ");
  sb.append("result={").append(result).append("} ");
- sb.append("deniedResource={").append(deniedResource).append("} ");
  sb.append("isAudited={").append(isAudited).append("} ");
  sb.append("policyId={").append(policyId).append("} ");
  sb.append("reason={").append(reason).append("} ");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
new file mode 100644
index 0000000..da254c9
--- /dev/null
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import java.util.Collection;
+
+public interface RangerMutableResource extends RangerResource {
+ void setOwnerUser(String ownerUser);
+
+ void setElement(String type, String value);
+
+ void setLeafElement(String type, Collection<String> value);
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
index 9e10e40..df5abcb 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
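Review bot: The new RangerMutableResource interface carries no Javadoc, and its setters leave open exactly the points a caller needs: whether `setLeafElement` retains the caller's collection or copies it, whether `null` is an accepted value, and whether one type may be both a plain element and the leaf element (the TODO comments in RangerResourceImpl in this same commit suggest it may not). Suggest a one-sentence type comment plus `@param` documentation stating those rules, for example `/** Sets the multi-valued leaf element; at most one element type is the leaf, and it must not also be registered via setElement(). */` above `setLeafElement`. Since that parameter is a collection, `values` would read better than `value`.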
@@ -19,17 +19,18 @@
 package org.apache.ranger.plugin.policyengine;
-import java.util.List;
+import java.util.Collection;
 public interface RangerResource {
  public abstract String getOwnerUser();
  public abstract boolean elementExists(String type);
- public abstract boolean elementIsSingleValued(String type);
-
  public abstract String getElementValue(String type);
- public abstract List<String> getElementValues(String type);
+ public abstract boolean isLeafElement(String type);
+
+ public abstract String getLeafElementType();
-}
\ No newline at end of file
+ public abstract Collection<String> getLeafElementValues();
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
index da5010b..97a49b8 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
@@ -19,18 +19,16 @@
 package org.apache.ranger.plugin.policyengine;
-import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-
-public class RangerResourceImpl implements RangerResource {
+public class RangerResourceImpl implements RangerMutableResource {
  private String ownerUser = null;
- private Map<String, Object> elements = null;
+ private Map<String, String> elements = null;
+ private String leafElementType = null;
+ private Collection<String> leafElementValues = null;
  public RangerResourceImpl() {
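Review bot: `getLeafElementType()` and `getLeafElementValues()` are added to RangerResource without saying what they return when the resource has no leaf element; the implementation in this commit returns the backing fields, which are `null` until `setLeafElement` is called, so a caller reading only the interface cannot know `null` is possible. Suggest `@return` Javadoc on both, e.g. `@return the leaf element's type, or null if this resource has no leaf element`, with the same wording for the values. The `public abstract` modifiers on every method are redundant on an interface and can be dropped; the sibling RangerMutableResource added in this commit already omits them.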
@@ -43,34 +41,24 @@ public class RangerResourceImpl implements RangerResource {
  @Override
  public boolean elementExists(String type) {
- return elements != null && elements.containsKey(type);
+ return ((elements != null && elements.containsKey(type)) ||
+ (leafElementType != null && leafElementType.equals(type) && leafElementValues != null && !leafElementType.isEmpty()));
  }
  @Override
- public boolean elementIsSingleValued(String type) {
- Object val = (elements != null && elements.containsKey(type)) ? elements.get(type) : null;
-
- return val == null || (val instanceof String) || (((List<?>)val).size() <= 1);
+ public boolean isLeafElement(String type) {
+ return leafElementType != null && leafElementType.equals(type);
  }
  @Override
  public String getElementValue(String type) {
  String ret = null;
- if(elements != null) {
- Object value = elements.get(type);
-
- if(value != null) {
- if(value instanceof String) {
- ret = (String)value;
- } else { // value must be a List<String>
- @SuppressWarnings("unchecked")
- List<String> list = (List<String>)value;
-
- if(list != null && list.size() > 0) {
- ret = list.get(0);
- }
- }
+ if(elements != null && elements.containsKey(type)) {
+ ret = elements.get(type);
+ } else if(leafElementType != null && leafElementType.equals(type)) {
+ if(leafElementValues != null && !leafElementValues.isEmpty()) {
+ ret = leafElementValues.iterator().next();
  }
  }
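Review bot: The last clause of the new `elementExists` condition tests `leafElementType.isEmpty()` rather than `leafElementValues.isEmpty()`, so it re-checks the type string that `equals(type)` already matched and never looks at the values; a leaf element with an empty collection is reported as existing, while `getElementValue` in the same hunk returns `null` for it. The intended line is presumably `(leafElementType != null && leafElementType.equals(type) && leafElementValues != null && !leafElementValues.isEmpty()));`. Note also that `isLeafElement` answers true for the type whether or not any values are set, so the two predicates disagree for a leaf element with null values; it is worth deciding which one the policy evaluator should rely on. The body of `getElementValue` continues past the end of this hunk.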
@@ -78,76 +66,35 @@ public class RangerResourceImpl implements RangerResource {
  }
  @Override
- public List<String> getElementValues(String type) {
- List<String> ret = null;
-
- if(elements != null) {
- Object value = elements.get(type);
-
- if(value != null) {
- if(value instanceof String) {
- ret = new ArrayList<String>();
- ret.add((String)value);
- } else { // value must be a List<String>
- @SuppressWarnings("unchecked")
- List<String> tmpList = (List<String>)value;
-
- ret = tmpList;
- }
- }
- }
+ public String getLeafElementType() {
+ return leafElementType;
+ }
- return ret;
+ @Override
+ public Collection<String> getLeafElementValues() {
+ return leafElementValues;
  }
+ @Override
  public void setOwnerUser(String ownerUser) {
  this.ownerUser = ownerUser;
  }
+ @Override
  public void setElement(String type, String value) {
+ // TODO: verify that leafElementType != type
  if(elements == null) {
- elements = new HashMap<String, Object>();
- }
-
- elements.put(type, value);
- }
-
- public void setElement(String type, List<String> value) {
- if(elements == null) {
- elements = new HashMap<String, Object>();
+ elements = new HashMap<String, String>();
  }
  elements.put(type, value);
  }
- public void addElement(String type, String value) {
- if(elements == null) {
- elements = new HashMap<String, Object>();
- }
-
- Object val = elements.get(type);
-
- if(val == null) {
- elements.put(type, value);
- } else {
- List<String> list = null;
-
- if(val instanceof String) { // convert to a list-value
- list = new ArrayList<String>();
-
- elements.put(type, list);
-
- list.add((String)val);
- } else { // value must be a List<String>
- @SuppressWarnings("unchecked")
- List<String> tmpList = (List<String>)val;
-
- list = tmpList;
- }
-
- list.add(value);
- }
-
+ @Override
+ public void setLeafElement(String type, Collection<String> value) {
+ // TODO: verify that elements doesn't have an entry for type
+ leafElementType = type;
+ leafElementValues = value;
  }
  @Override
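Review bot: `setLeafElement` stores the caller's collection by reference and `getLeafElementValues` hands that same object back, so the values a policy is matched against can be changed by any holder of the collection after the resource is built, and a consumer can likewise mutate what the evaluator iterates over. Copying on the way in, and optionally wrapping the copy unmodifiable, removes the aliasing; the two TODO comments in `setElement` and `setLeafElement` can be resolved at the same time by rejecting a type that is already registered in the other slot (if silently re-typing is intended, clear the other slot instead of throwing). `java.util.ArrayList` is removed from this file's imports in this commit and `java.util.Collections` is not imported, so both would need to be added.

```java
@Override
public void setElement(String type, String value) {
	if(leafElementType != null && leafElementType.equals(type)) {
		throw new IllegalArgumentException("element type '" + type + "' is already the leaf element");
	}
	// … unchanged: lazy HashMap creation and elements.put(type, value) …
}

@Override
public void setLeafElement(String type, Collection<String> value) {
	if(elements != null && elements.containsKey(type)) {
		throw new IllegalArgumentException("element type '" + type + "' is already a single-valued element");
	}
	leafElementType   = type;
	leafElementValues = (value == null) ? null : Collections.unmodifiableCollection(new ArrayList<String>(value));
}
```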
@@ -166,10 +113,18 @@ public class RangerResourceImpl implements RangerResource {
  sb.append("elements={");
  if(elements != null) {
- for(Map.Entry<String, Object> e : elements.entrySet()) {
- sb.append(e.getKey()).append("={");
- sb.append(e.getValue());
- sb.append("} ");
+ for(Map.Entry<String, String> e : elements.entrySet()) {
+ sb.append(e.getKey()).append("=").append(e.getValue()).append("; ");
+ }
+ }
+ sb.append("} ");
+
+ sb.append("leafElementType={").append(leafElementType).append("} ");
+
+ sb.append("leafElementValues={");
+ if(leafElementValues != null) {
+ for(String s : leafElementValues) {
+ sb.append(s).append("; ");
  }
  }
  sb.append("} ");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 28cca2e..4911f40 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -86,6 +86,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
  RangerAccessResult ret = null;
  RangerPolicy policy = getPolicy();
+ /*
+ * TODO: handle partial-deny cases, especially for plug-ins that can deal with
+ * allowing access to part of the requested resource - like HBase returning
+ * columns for which the user has access to
+ */
  if(request != null && policy != null && matchResource(request.getResource())) {
  for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
  RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType());
@@ -126,14 +131,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
  for(ResourceDefMatcher matcher : matchers) {
  String resourceType = matcher.getResourceType();
- if(resource.elementIsSingleValued(resourceType)) {
- String resourceValue = resource.getElementValue(resourceType);
+ if(resource.isLeafElement(resourceType)) {
+ Collection<String> resourceValues = resource.getLeafElementValues();
- ret = matcher.isMatch(resourceValue);
+ ret = matcher.isMatch(resourceValues);
  } else {
- List<String> resourceValues = resource.getElementValues(resourceType);
+ String resourceValue = resource.getElementValue(resourceType);
- ret = matcher.isMatch(resourceValues);
+ ret = matcher.isMatch(resourceValue);
  }
  if(! ret) {
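Review bot: `resource.isLeafElement(resourceType)` is true whenever the leaf type matches, but `getLeafElementValues()` returns the backing field, which is `null` until values are set, so `matcher.isMatch(resourceValues)` can receive `null`; whether ResourceDefMatcher treats that as a non-match is outside this hunk and worth confirming, since this branch decides access. A fail-closed form is `ret = resourceValues != null && matcher.isMatch(resourceValues);`. The switch from `List<String>` to `Collection<String>` also presumes an `isMatch(Collection<String>)` overload and a matching import change, neither of which is visible in the hunks shown. The enclosing method starts and ends outside this hunk.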
