Repository: incubator-ranger Updated Branches: refs/heads/stack 1f458f00f -> 7d00538b3
RANGER-203: policy evaluation updated to handle "any" access requirement, currently used in Hive. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e8b58a91 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e8b58a91 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e8b58a91 Branch: refs/heads/stack Commit: e8b58a91306be000894f6f4a7b0d98bdd5e3b6fb Parents: bd8c234 Author: Madhan Neethiraj <[email protected]> Authored: Thu Jan 8 00:53:58 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Jan 8 00:53:58 2015 -0800 ---------------------------------------------------------------------- .../ranger/plugin/model/RangerPolicy.java | 80 +++++++-- .../ranger/plugin/model/RangerService.java | 11 +- .../ranger/plugin/model/RangerServiceDef.java | 101 +++++++++-- .../plugin/policyengine/RangerAccessResult.java | 14 +- .../plugin/policyengine/RangerPolicyEngine.java | 1 + .../policyengine/RangerPolicyEngineImpl.java | 28 +-- .../RangerDefaultPolicyEvaluator.java | 176 ++++++++----------- .../RangerAbstractResourceMatcher.java | 60 ++++++- .../RangerDefaultResourceMatcher.java | 40 +---- .../RangerPathResourceMatcher.java | 41 +---- .../resourcematcher/RangerResourceMatcher.java | 5 +- .../service-defs/ranger-servicedef-hbase.json | 3 +- .../policyengine/test_policyengine_01.json | 46 ++--- 13 files changed, 370 insertions(+), 236 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index bab79a1..2457ae1 100644 
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -170,7 +170,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param configs the resources to set */ public void setResources(Map<String, RangerPolicyResource> resources) { - this.resources = new HashMap<String, RangerPolicyResource>(); + if(this.resources == null) { + this.resources = new HashMap<String, RangerPolicyResource>(); + } + + if(this.resources == resources) { + return; + } + + this.resources.clear(); if(resources != null) { for(Map.Entry<String, RangerPolicyResource> e : resources.entrySet()) { @@ -190,7 +198,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param policyItems the policyItems to set */ public void setPolicyItems(List<RangerPolicyItem> policyItems) { - this.policyItems = new ArrayList<RangerPolicyItem>(); + if(this.policyItems == null) { + this.policyItems = new ArrayList<RangerPolicyItem>(); + } + + if(this.policyItems == policyItems) { + return; + } + + this.policyItems.clear(); if(policyItems != null) { for(RangerPolicyItem policyItem : policyItems) { @@ -258,10 +274,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } public RangerPolicyResource(String value, Boolean isExcludes, Boolean isRecursive) { - List<String> values = new ArrayList<String>(); - values.add(value); - - setValues(values); + setValue(value); setIsExcludes(isExcludes); setIsRecursive(isRecursive); } 
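Review bot: setResources and setPolicyItems now clear and refill the existing collection instead of assigning a fresh one, so any object that kept the reference returned by the getter before the call will observe the new contents; the identity check only covers passing back the very same instance, not a view or copy of it, which would be emptied by `clear()` before it is read. If that sharing is intended, a comment at the `this.resources.clear();` line such as `// reuse the existing map so references handed out by getResources() stay valid` would make the contract explicit. The Javadoc above setResources still says `@param configs`; it should read `@param resources the resources to set`.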
@@ -283,7 +296,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param values the values to set */ public void setValues(List<String> values) { - this.values = new ArrayList<String>(); + if(this.values == null) { + this.values = new ArrayList<String>(); + } + + if(this.values == values) { + return; + } + + this.values.clear(); if(values != null) { for(String value : values) { @@ -293,6 +314,19 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } /** + * @param value the value to set + */ + public void setValue(String value) { + if(this.values == null) { + this.values = new ArrayList<String>(); + } + + this.values.clear(); + + this.values.add(value); + } + + /** * @return the isExcludes */ public Boolean getIsExcludes() { @@ -377,7 +411,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param accesses the accesses to set */ public void setAccesses(List<RangerPolicyItemAccess> accesses) { - this.accesses = new ArrayList<RangerPolicyItemAccess>(); + if(this.accesses == null) { + this.accesses = new ArrayList<RangerPolicyItemAccess>(); + } + + if(this.accesses == accesses) { + return; + } if(accesses != null) { for(RangerPolicyItemAccess access : accesses) { @@ -395,7 +435,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param users the users to set */ public void setUsers(List<String> users) { - this.users = new ArrayList<String>(); + if(this.users == null) { + this.users = new ArrayList<String>(); + } + + if(this.users == users) { + return; + } if(users != null) { for(String user : users) { 
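Review bot: setAccesses and setUsers no longer reset the list before copying: the old code assigned a new ArrayList, the new code allocates only when the field is null and otherwise falls through to the add loop without `this.accesses.clear();`, so a second call appends to the earlier entries instead of replacing them, and a stale user or access left in a policy item widens what the item grants. setValues in the same hunk, and setResources/setPolicyItems earlier, do call clear(); setGroups and setConditions in the next hunks have the same omission. Add `this.accesses.clear();` after the identity check in setAccesses and the equivalent line in setUsers, setGroups and setConditions. setValue(String) stores a null element when value is null; either guard the add with `if(value != null)` or state in its Javadoc that a null value is legitimate.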
@@ -413,7 +459,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param groups the groups to set */ public void setGroups(List<String> groups) { - this.groups = new ArrayList<String>(); + if(this.groups == null) { + this.groups = new ArrayList<String>(); + } + + if(this.groups == groups) { + return; + } if(groups != null) { for(String group : groups) { @@ -431,7 +483,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param conditions the conditions to set */ public void setConditions(List<RangerPolicyItemCondition> conditions) { - this.conditions = new ArrayList<RangerPolicyItemCondition>(); + if(this.conditions == null) { + this.conditions = new ArrayList<RangerPolicyItemCondition>(); + } + + if(this.conditions == conditions) { + return; + } if(conditions != null) { for(RangerPolicyItemCondition condition : conditions) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java index 65de02a..2f8d5e5 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java @@ -46,7 +46,6 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri private String name = null; private String description = null; private Boolean isEnabled = null; - @JsonDeserialize(using = CustomizedMapDeserializer.class) private Map<String, String> configs = null; 
@@ -151,7 +150,15 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri * @param configs the configs to set */ public void setConfigs(Map<String, String> configs) { - this.configs = new HashMap<String, String>(); + if(this.configs == null) { + this.configs = new HashMap<String, String>(); + } + + if(this.configs == configs) { + return; + } + + this.configs.clear(); if(configs != null) { for(Map.Entry<String, String> e : configs.entrySet()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java index 4bc50c7..0be4a8b 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java @@ -20,6 +20,7 @@ package org.apache.ranger.plugin.model; import java.util.ArrayList; +import java.util.Collection; import java.util.List; import javax.xml.bind.annotation.XmlAccessType; @@ -178,7 +179,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S * @param configs the configs to set */ public void setConfigs(List<RangerServiceConfigDef> configs) { - this.configs = new ArrayList<RangerServiceConfigDef>(); + if(this.configs == null) { + this.configs = new ArrayList<RangerServiceConfigDef>(); + } else + + if(this.configs == configs) { + return; + } + + this.configs.clear(); if(configs != null) { for(RangerServiceConfigDef config : configs) { 
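Review bot: the `} else` after the null-allocation branch in RangerServiceDef.setConfigs makes the following `if(this.configs == configs)` the else-branch of the allocation; it happens to behave the same here, because a freshly allocated list can never be identical to the argument, but it reads as a leftover and differs from every sibling setter in this commit. Drop the `else` so the method matches setResources and setAccessTypes below: `}` on its own line, a blank line, then the identity check.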
@@ -198,7 +207,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S * @param resources the resources to set */ public void setResources(List<RangerResourceDef> resources) { - this.resources = new ArrayList<RangerResourceDef>(); + if(this.resources == null) { + this.resources = new ArrayList<RangerResourceDef>(); + } + + if(this.resources == resources) { + return; + } + + this.resources.clear(); if(resources != null) { for(RangerResourceDef resource : resources) { @@ -218,7 +235,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S * @param accessTypes the accessTypes to set */ public void setAccessTypes(List<RangerAccessTypeDef> accessTypes) { - this.accessTypes = new ArrayList<RangerAccessTypeDef>(); + if(this.accessTypes == null) { + this.accessTypes = new ArrayList<RangerAccessTypeDef>(); + } + + if(this.accessTypes == accessTypes) { + return; + } + + this.accessTypes.clear(); if(accessTypes != null) { for(RangerAccessTypeDef accessType : accessTypes) { @@ -238,7 +263,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S * @param policyConditions the policyConditions to set */ public void setPolicyConditions(List<RangerPolicyConditionDef> policyConditions) { - this.policyConditions = new ArrayList<RangerPolicyConditionDef>(); + if(this.policyConditions == null) { + this.policyConditions = new ArrayList<RangerPolicyConditionDef>(); + } + + if(this.policyConditions == policyConditions) { + return; + } + + this.policyConditions.clear(); if(policyConditions != null) { for(RangerPolicyConditionDef policyCondition : policyConditions) { 
@@ -258,7 +291,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S * @param enums the enums to set */ public void setEnums(List<RangerEnumDef> enums) { - this.enums = new ArrayList<RangerEnumDef>(); + if(this.enums == null) { + this.enums = new ArrayList<RangerEnumDef>(); + } + + if(this.enums == enums) { + return; + } + + this.enums.clear(); if(enums != null) { for(RangerEnumDef enum1 : enums) { @@ -387,7 +428,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S * @param elements the elements to set */ public void setElements(List<RangerEnumElementDef> elements) { - this.elements = new ArrayList<RangerEnumElementDef>(); + if(this.elements == null) { + this.elements = new ArrayList<RangerEnumElementDef>(); + } + + if(this.elements == elements) { + return; + } + + this.elements.clear(); if(elements != null) { for(RangerEnumElementDef element : elements) { @@ -974,19 +1023,21 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S public static class RangerAccessTypeDef implements java.io.Serializable { private static final long serialVersionUID = 1L; - private String name = null; - private String label = null; - private String rbKeyLabel = null; + private String name = null; + private String label = null; + private String rbKeyLabel = null; + private Collection<String> impliedAccessTypes = null; public RangerAccessTypeDef() { - this(null, null, null); + this(null, null, null, null); } - public RangerAccessTypeDef(String name, String label, String rbKeyLabel) { + public RangerAccessTypeDef(String name, String label, String rbKeyLabel, Collection<String> impliedAccessTypes) { setName(name); setLabel(label); setRbKeyLabel(rbKeyLabel); + setImpliedAccessTypes(impliedAccessTypes); } /** 
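Review bot: the three-argument RangerAccessTypeDef constructor is replaced rather than overloaded, so any caller of `new RangerAccessTypeDef(name, label, rbKeyLabel)` outside this diff stops compiling; keeping `public RangerAccessTypeDef(String name, String label, String rbKeyLabel) { this(name, label, rbKeyLabel, null); }` preserves compatibility. The new impliedAccessTypes field carries no Javadoc saying what it grants, and nothing in this commit consumes it yet, so a comment at the declaration like `// access types presumably granted along with this one — confirm when the evaluator starts using it` would record the intent for whoever wires it in.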
@@ -1031,6 +1082,34 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S this.rbKeyLabel = rbKeyLabel; } + /** + * @return the impliedAccessTypes + */ + public Collection<String> getImpliedAccessTypes() { + return impliedAccessTypes; + } + + /** + * @param impliedAccessTypes the impliedAccessTypes to set + */ + public void setImpliedAccessTypes(Collection<String> impliedAccessTypes) { + if(this.impliedAccessTypes == null) { + this.impliedAccessTypes = new ArrayList<String>(); + } + + if(this.impliedAccessTypes == impliedAccessTypes) { + return; + } + + this.impliedAccessTypes.clear(); + + if(impliedAccessTypes != null) { + for(String impliedAccessType : impliedAccessTypes) { + this.impliedAccessTypes.add(impliedAccessType); + } + } + } + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index a5a1ef3..57094a4 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 
@@ -58,7 +58,19 @@ public class RangerAccessResult { * @return the accessTypeResult */ public ResultDetail getAccessTypeResult(String accessType) { - return accessTypeResults == null ? null : accessTypeResults.get(accessType); + if(accessTypeResults == null) { + accessTypeResults = new HashMap<String, ResultDetail>(); + } + + ResultDetail ret = accessTypeResults.get(accessType); + + if(ret == null) { + ret = new ResultDetail(); + + accessTypeResults.put(accessType, ret); + } + + return ret; } /** http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 565f2c4..0f70b09 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -28,6 +28,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef; public interface RangerPolicyEngine { public static final String GROUP_PUBLIC = "public"; + public static final String ACCESS_ANY = "any"; public static final long UNKNOWN_POLICY = -1; void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 0016c15..4b26c27 100644 
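Review bot: getAccessTypeResult is now a getter with a side effect: a lookup for an access type that was never requested allocates the map and stores a default ResultDetail under that key, so a stray read (for example from a toString or a log statement) changes the set of results that isAllAllowedAndAudited() presumably aggregates over. Either keep the read-only behaviour and give the evaluator a separate `getOrCreateAccessTypeResult(String)`, or say so in the Javadoc: `@return the result for accessType; a default ResultDetail is created and stored when none exists`. Callers that previously handled a null return no longer need to, which belongs in the commit message.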
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -24,10 +24,10 @@ import java.util.Collection; import java.util.List; import java.util.Map; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail; 
@@ -348,18 +348,24 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerAccessResult ret = new RangerAccessResult(); - List<RangerPolicyEvaluator> evaluators = policyEvaluators; - - if(request != null && request.getAccessTypes() != null && evaluators != null) { - for(String accessType : request.getAccessTypes()) { - ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail()); + if(request != null) { + if(CollectionUtils.isEmpty(request.getAccessTypes())) { + ret.setAccessTypeResult(RangerPolicyEngine.ACCESS_ANY, new RangerAccessResult.ResultDetail()); + } else { + for(String accessType : request.getAccessTypes()) { + ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail()); + } } - for(RangerPolicyEvaluator evaluator : evaluators) { - evaluator.evaluate(request, ret); - - if(ret.isAllAllowedAndAudited()) { - break; + List<RangerPolicyEvaluator> evaluators = policyEvaluators; + + if(evaluators != null) { + for(RangerPolicyEvaluator evaluator : evaluators) { + evaluator.evaluate(request, ret); + + if(ret.isAllAllowedAndAudited()) { + break; + } } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 99c45d3..ee2503f 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
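Review bot: a request whose accessTypes is null or empty is now evaluated under the reserved key `ACCESS_ANY` and, per the evaluator change later in this diff, is allowed as soon as one policy item grants any access, whereas before it produced no result at all; a caller that builds an incomplete request by mistake therefore receives an allow rather than an absence of results. That is the intended Hive semantics per the commit message, but it deserves a comment at the `if(CollectionUtils.isEmpty(request.getAccessTypes()))` line, e.g. `// no access type requested: answer whether the user holds any access on the resource`. The literal "any" also shares the result-map namespace with access types declared in a service definition, so the Javadoc of the new interface constant should state that a service definition must not declare an access type named "any". The enclosing method begins before this hunk.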
@@ -23,8 +23,8 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.List; -import java.util.Map; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -45,7 +45,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class); - private List<ResourceDefMatcher> matchers = null; + private List<RangerResourceMatcher> matchers = null; @Override public void init(RangerPolicy policy, RangerServiceDef serviceDef) { @@ -55,20 +55,19 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator super.init(policy, serviceDef); - this.matchers = new ArrayList<ResourceDefMatcher>(); + this.matchers = new ArrayList<RangerResourceMatcher>(); - if(policy != null && policy.getResources() != null) { - for(Map.Entry<String, RangerPolicyResource> e : policy.getResources().entrySet()) { - String resourceName = e.getKey(); - RangerPolicyResource policyResource = e.getValue(); - RangerResourceDef resourceDef = getResourceDef(resourceName); + if(policy != null && policy.getResources() != null && serviceDef != null) { + for(RangerResourceDef resourceDef : serviceDef.getResources()) { + String resourceName = resourceDef.getName(); + RangerPolicyResource policyResource = policy.getResources().get(resourceName); RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource); if(matcher != null) { - matchers.add(new ResourceDefMatcher(resourceDef, matcher)); + matchers.add(matcher); } else { - // TODO: ERROR: no matcher found for resourceName + LOG.error("failed to find matcher for resource " + resourceName); } } } 
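Review bot: RangerDefaultPolicyEvaluator.init now resolves the policy resource with `policy.getResources().get(resourceName)`, a case-sensitive map lookup keyed by the service-definition name, whereas the removed getResourceDef later in this diff matched with StringUtils.equalsIgnoreCase. A policy whose resource key differs only in case no longer finds its values: the matcher is built with a null policyResource, which RangerAbstractResourceMatcher.init turns into isMatchAny, so the policy silently widens to every value at that level. Either normalise the keys where the policy is stored or resolve them case-insensitively here, and log at warn when the policy map holds a key that is not in serviceDef.getResources(), since such entries are now dropped without a message. `serviceDef.getResources()` is also iterated without a null check although the surrounding condition guards serviceDef itself.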
@@ -89,34 +88,74 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if(policy != null && request != null && result != null) { if(matchResource(request.getResource())) { for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - for(String accessType : request.getAccessTypes()) { - RangerPolicyItemAccess access = getAccess(policyItem, accessType); + + // if no access is requested, grant if ***any*** access is available + if(CollectionUtils.isEmpty(request.getAccessTypes())) { + RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(RangerPolicyEngine.ACCESS_ANY); - if(access == null) { + if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { + accessResult.setIsAudited(true); + } + + if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { continue; } - RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType); - - if(accessResult.isAllowed() && accessResult.isAudited()) { + if(! matchCustomConditions(policyItem, request)) { continue; } - if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { - accessResult.setIsAudited(true); + if(CollectionUtils.isEmpty(policyItem.getAccesses())) { + continue; } - if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { - if(matchCustomConditions(policyItem, request)) { - if(!accessResult.isAllowed() && access.getIsAllowed()) { - accessResult.setIsAllowed(true); - accessResult.setPolicyId(policy.getId()); - } + for(RangerPolicyItemAccess access : policyItem.getAccesses()) { + if(!accessResult.isAllowed() && access.getIsAllowed()) { + accessResult.setIsAllowed(true); + accessResult.setPolicyId(policy.getId()); + + break; } } + } else { + if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { + continue; + } + + if(! 
matchCustomConditions(policyItem, request)) { + continue; + } + + for(String accessType : request.getAccessTypes()) { + RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType); - if(result.isAllAllowedAndAudited()) { - break; + if(CollectionUtils.isEmpty(policyItem.getAccesses())) { + if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { + accessResult.setIsAudited(true); + } + + continue; + } + + RangerPolicyItemAccess access = getAccess(policyItem, accessType); + + if(access == null) { + continue; + } + + + if(accessResult.isAllowed() && accessResult.isAudited()) { + continue; + } + + if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { + accessResult.setIsAudited(true); + } + + if(!accessResult.isAllowed() && access.getIsAllowed()) { + accessResult.setIsAllowed(true); + accessResult.setPolicyId(policy.getId()); + } } } @@ -142,13 +181,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if(matchers != null && !matchers.isEmpty()) { ret = true; - for(ResourceDefMatcher matcher : matchers) { - String resourceName = matcher.getResourceName(); + for(RangerResourceMatcher matcher : matchers) { + String resourceName = matcher.getResourceDef().getName(); String resourceValue = resource.getValue(resourceName); - if(resourceValue != null) { - ret = matcher.isMatch(resourceValue); - } + ret = matcher.isMatch(resourceValue); if(! ret) { break; 
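Review bot: in the ACCESS_ANY branch of evaluate the audit flag is set before matchUserGroup and matchCustomConditions, so every policy item that passes the resource match marks the result audited, while in the per-access-type branch it is set only once the item is found to carry the requested access; the two paths should agree on whether a non-matching item triggers auditing. `policy.getIsAuditEnabled()` and `access.getIsAllowed()` are boxed Booleans unboxed inside conditions on both paths, so a policy with either field omitted throws NullPointerException during evaluation; `Boolean.TRUE.equals(access.getIsAllowed())` avoids that. The early exit on `result.isAllAllowedAndAudited()` is removed within this hunk, so the item loop now runs to the end; harmless, but worth a one-line comment if intentional. The enclosing method begins before this hunk.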
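Review bot: matchResource now hands a null request value straight to `matcher.isMatch(resourceValue)` instead of leaving that level as matched, so the outcome for a request that omits a resource level is whatever each matcher does with null (RangerDefaultResourceMatcher returns its isMatchAny flag later in this diff). That is a semantic change for hierarchical resources and should be stated above the loop: `// a level missing from the request is decided by the matcher (null value), not skipped`. The enclosing method begins before this hunk.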
@@ -229,32 +266,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } - protected RangerResourceDef getResourceDef(String resourceName) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceDef(" + resourceName + ")"); - } - - RangerResourceDef ret = null; - - RangerServiceDef serviceDef = getServiceDef(); - - if(serviceDef != null && resourceName != null) { - for(RangerResourceDef resourceDef : serviceDef.getResources()) { - if(StringUtils.equalsIgnoreCase(resourceName, resourceDef.getName())) { - ret = resourceDef; - - break; - } - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceDef(" + resourceName + "): " + ret); - } - - return ret; - } - protected RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource resource) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.createResourceMatcher(" + resourceDef + ", " + resource + ")"); @@ -286,7 +297,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } if(ret != null) { - ret.init(resource, options); + ret.init(resourceDef, resource, options); } if(LOG.isDebugEnabled()) { @@ -303,10 +314,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator sb.append("matchers={"); if(matchers != null) { - for(ResourceDefMatcher matcher : matchers) { - sb.append("{"); - matcher.toString(sb); - sb.append("} "); + for(RangerResourceMatcher matcher : matchers) { + sb.append("{").append(matcher).append("} "); } } sb.append("} "); 
@@ -315,47 +324,4 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return sb; } - - class ResourceDefMatcher { - RangerResourceDef resourceDef = null; - RangerResourceMatcher resourceMatcher = null; - - ResourceDefMatcher(RangerResourceDef resourceDef, RangerResourceMatcher resourceMatcher) { - this.resourceDef = resourceDef; - this.resourceMatcher = resourceMatcher; - } - - String getResourceName() { - return resourceDef.getName(); - } - - boolean isMatch(String value) { - return resourceMatcher.isMatch(value); - } - - boolean isMatch(Collection<String> values) { - boolean ret = false; - - if(values == null || values.isEmpty()) { - ret = resourceMatcher.isMatch(null); - } else { - for(String value : values) { - ret = resourceMatcher.isMatch(value); - - if(! ret) { - break; - } - } - } - - return ret; - } - - public StringBuilder toString(StringBuilder sb) { - sb.append("resourceDef={").append(resourceDef).append("} "); - sb.append("resourceMatcher={").append(resourceMatcher).append("} "); - - return sb; - } - } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java index 68ff85a..e194e54 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java 
@@ -19,36 +19,47 @@ package org.apache.ranger.plugin.resourcematcher; +import java.util.ArrayList; import java.util.HashMap; +import java.util.List; import java.util.Map; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; public abstract class RangerAbstractResourceMatcher implements RangerResourceMatcher { private static final Log LOG = LogFactory.getLog(RangerAbstractResourceMatcher.class); + public final String WILDCARD_PATTERN = ".*"; + public final String OPTIONS_SEP = ";"; public final String OPTION_NV_SEP = "="; public final String OPTION_IGNORE_CASE = "ignoreCase"; public final String OPTION_WILD_CARD = "wildCard"; + private RangerResourceDef resourceDef = null; private RangerPolicyResource policyResource = null; private String optionsString = null; private Map<String, String> options = null; - protected boolean optIgnoreCase = false; - protected boolean optWildCard = false; + protected boolean optIgnoreCase = false; + protected boolean optWildCard = false; + + protected List<String> policyValues = null; + protected boolean policyIsExcludes = false; + protected boolean isMatchAny = false; @Override - public void init(RangerPolicyResource policyResource, String optionsString) { + public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerAbstractResourceMatcher.init(" + policyResource + ", " + optionsString + ")"); + LOG.debug("==> RangerAbstractResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")"); } + this.resourceDef = resourceDef; this.policyResource = policyResource; this.optionsString = optionsString; 
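Review bot: WILDCARD_PATTERN is declared as a public final instance field, so every matcher instance carries its own copy and the value cannot be referenced without an instance; `private static final String WILDCARD_PATTERN = ".*";` is the conventional form (the existing OPTION_* fields share that shape, so the class would benefit from fixing them together). The new protected fields policyValues, policyIsExcludes and isMatchAny are documented only by their names; a comment at the declaration such as `// isMatchAny: set when the policy lists no value, or a value that normalises to ".*"` would tell subclasses what they may rely on.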
@@ -76,12 +87,46 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat optIgnoreCase = getBooleanOption(OPTION_IGNORE_CASE, true); optWildCard = getBooleanOption(OPTION_WILD_CARD, true); + policyValues = new ArrayList<String>(); + policyIsExcludes = policyResource == null ? false : policyResource.getIsExcludes(); + + if(policyResource != null && policyResource.getValues() != null) { + for(String policyValue : policyResource.getValues()) { + if(policyValue == null) { + continue; + } + + if(optIgnoreCase) { + policyValue = policyValue.toLowerCase(); + } + + if(optWildCard) { + policyValue = getWildCardPattern(policyValue); + } + + if(policyValue.equals(WILDCARD_PATTERN)) { + isMatchAny = true; + } + + policyValues.add(policyValue); + } + } + + if(policyValues.isEmpty()) { + isMatchAny = true; + } + if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerAbstractResourceMatcher.init(" + policyResource + ", " + optionsString + ")"); + LOG.debug("<== RangerAbstractResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")"); } } @Override + public RangerResourceDef getResourceDef() { + return resourceDef; + } + + @Override public RangerPolicyResource getPolicyResource() { return policyResource; } @@ -149,6 +194,11 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat public StringBuilder toString(StringBuilder sb) { sb.append("RangerAbstractResourceMatcher={"); + sb.append("resourceDef={"); + if(resourceDef != null) { + resourceDef.toString(sb); + } + sb.append("} "); sb.append("policyResource={"); if(policyResource != null) { policyResource.toString(sb); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java ---------------------------------------------------------------------- 
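Review bot: `policyIsExcludes = policyResource == null ? false : policyResource.getIsExcludes();` unboxes a Boolean; RangerPolicyResource takes isExcludes as a Boolean, so a policy with the field omitted throws NullPointerException in init. `policyIsExcludes = policyResource != null && Boolean.TRUE.equals(policyResource.getIsExcludes());` is the safe form. isMatchAny is set to true in two places but never reset, so a matcher whose init runs a second time with concrete values keeps matching everything; initialise it alongside policyValues with `isMatchAny = false;`. The empty-values-means-match-everything rule is the most consequential line in this hunk and deserves an explicit comment, e.g. `// a policy resource with no values matches every value at this level`.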
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java index af413ff..13500dc 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java 
@@ -19,56 +19,28 @@ package org.apache.ranger.plugin.resourcematcher; -import java.util.ArrayList; -import java.util.List; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher { private static final Log LOG = LogFactory.getLog(RangerDefaultResourceMatcher.class); - private List<String> policyValues = null; - private boolean policyIsExcludes = false; @Override - public void init(RangerPolicyResource policyResource, String optionsString) { + public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultResourceMatcher.init(" + policyResource + ", " + optionsString + ")"); + LOG.debug("==> RangerDefaultResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")"); } - super.init(policyResource, optionsString); - - policyValues = new ArrayList<String>(); - policyIsExcludes = false; - - if(policyResource != null) { - policyIsExcludes = policyResource.getIsExcludes(); - - if(policyResource.getValues() != null) { - for(String policyValue : policyResource.getValues()) { - if(policyValue == null) { - continue; - } - - if(optIgnoreCase) { - policyValue = policyValue.toLowerCase(); - } - - if(optWildCard) { - policyValue = getWildCardPattern(policyValue); - } - - policyValues.add(policyValue); - } - } - } + super.init(resourceDef, policyResource, optionsString); if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultResourceMatcher.init(" + policyResource + ", " + optionsString + ")"); + LOG.debug("<== RangerDefaultResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")"); } } 
@@ -92,6 +64,8 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher
 break;
 }
 }
+ } else {
+ ret = isMatchAny;
 }
 if(policyIsExcludes) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index d5c2f6f..79f68c0 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
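Review bot: The added `else` branch resolves a request that carries no value for this resource to `isMatchAny`, and that result presumably still passes through the `policyIsExcludes` inversion on the line below, so an excludes policy with a `*` value would reject a request that omits the resource entirely; nothing in the hunk says whether that is intended, and the assignment of `isMatchAny` is not in this diff. A comment on the branch, `// request carries no value for this resource: match only if the policy value is a wildcard`, would record the reading, assuming that is what the base class encodes. The 'use default' cases in test_policyengine_01.json exercise the wildcard path (the request carries only `database` while the policies list `*` for table and column), but no visible case covers a missing resource against a non-wildcard policy value or against an excludes policy. RangerPathResourceMatcher gets the identical branch in the hunk at `@@ -96,6 +71,8 @@`. The enclosing match method starts and ends outside both hunks.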
@@ -19,56 +19,31 @@ package org.apache.ranger.plugin.resourcematcher;
-import java.util.ArrayList;
-import java.util.List;
-
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
 private static final Log LOG = LogFactory.getLog(RangerPathResourceMatcher.class);
- private List<String> policyValues = null;
- private boolean policyIsExcludes = false;
- private boolean policyIsRecursive = false;
+ private boolean policyIsRecursive = false;
 @Override
- public void init(RangerPolicyResource policyResource, String optionsString) {
+ public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString) {
 if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPathResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("==> RangerPathResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
 }
- super.init(policyResource, optionsString);
-
- policyValues = new ArrayList<String>();
- policyIsExcludes = false;
- policyIsRecursive = false;
-
- if(policyResource != null) {
- policyIsExcludes = policyResource.getIsExcludes();
- policyIsRecursive = policyResource.getIsRecursive();
-
- if(policyResource.getValues() != null) {
- for(String policyValue : policyResource.getValues()) {
- if(policyValue == null) {
- continue;
- }
-
- if(optIgnoreCase) {
- policyValue = policyValue.toLowerCase();
- }
+ super.init(resourceDef, policyResource, optionsString);
- policyValues.add(policyValue);
- }
- }
- }
+ policyIsRecursive = policyResource == null ? 
false : policyResource.getIsRecursive();
 if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPathResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("<== RangerPathResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
 }
 }
@@ -96,6 +71,8 @@ public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
 break;
 }
 }
+ } else {
+ ret = isMatchAny;
 }
 if(policyIsExcludes) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index 3c9b687..c750cd8 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -20,9 +20,12 @@ package org.apache.ranger.plugin.resourcematcher;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 public interface RangerResourceMatcher {
- void init(RangerPolicyResource policyResource, String optionsString);
+ void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString);
+
+ RangerResourceDef getResourceDef();
 RangerPolicyResource getPolicyResource();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
----------------------------------------------------------------------
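Review bot: `policyIsRecursive = policyResource == null ? false : policyResource.getIsRecursive();` unboxes the getter's result, and if `getIsRecursive()` returns a `Boolean` that is null for a policy resource that omits the flag (the model class is not in this hunk, so this is inferred), matcher initialization fails with a NullPointerException that the `policyResource == null` guard does not cover. `policyIsRecursive = policyResource != null && Boolean.TRUE.equals(policyResource.getIsRecursive());` is null-safe and defaults to a non-recursive match, which is the narrower grant. This hunk starts on the previous physical line; `init` itself is complete within it.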
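Review bot: The widened `init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString)` and the new `getResourceDef()` carry no Javadoc, although this interface is the contract every matcher implements. A doc on `init` should say what `resourceDef` and `policyResource` each supply and whether either may be null — both implementations in this commit guard `policyResource == null`, while nothing visible says whether `resourceDef` may be — and `getResourceDef()` should state that it returns the definition passed to `init`, if that is the intent. The `@@ -20,9 +20,12 @@` hunk is complete, but the rest of the interface is outside it.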
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
index 04127bb..696f5a9 100644
--- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
+++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
@@ -41,7 +41,8 @@
 [
 {"name":"read","label":"Read"},
 {"name":"write","label":"Write"},
- {"name":"create","label":"Create"}
+ {"name":"create","label":"Create"},
+ {"name":"admin","label":"Admin","impliedAccessTypes":["read","write","create"]}
 ],
 "policyConditions": [
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
index a63d24a..ef45c84 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
@@ -26,7 +26,7 @@
 {"id":1,"name":"audit-all-select","isEnabled":true,"isAuditEnabled":true,
 "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
 "policyItems":[
- {"accesses":[{"type":"select","isAllowed":false}],"users":[],"groups":["public"],"delegateAdmin":false}
+ {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
 ]
 }
 ,
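Review bot: The new `admin` access type implies `read`, `write` and `create`, so granting `admin` is a grant of all four, and no test in this commit exercises `impliedAccessTypes`: the fixture changes are all in the hive test (test_policyengine_01.json), whose definition has no implied types. A case where a policy grants only `admin` and the request asks for `read` or `write`, plus one where only `read` is granted and `admin` is requested, would pin down both the expansion and that it is not symmetric. Whether the engine expands implied types when the policy is loaded or at evaluation time is not visible in this diff.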
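Review bot: The audit-all policy item now has `"accesses":[]`, and the other hunks in this file (`@@ -41,60 +41,60 @@` and the four from `@@ -222,7 +222,7 @@` on) expect denied `create` and `drop` requests to come back with `"isAudited":true` and `"policyId":-1`, which is consistent with the engine treating an empty `accesses` list as covering every access type for audit purposes. That reading is not stated anywhere visible, and a policy author could as easily read an empty list as "no accesses"; a test named for it, e.g. `policy item with empty accesses audits every access type`, would make the semantics intended rather than incidental. The policy name `audit-all-select` also no longer describes the item.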
@@ -41,60 +41,60 @@
 ],
 "tests":[
- {"name":"'use default;' as user1 ==> ALLOWED",
+ {"name":"'use default;' as user1 ==> DENIED",
 "request":{
 "resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use default"
+ "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default"
 },
- "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
 }
 ,
- {"name":"'use default;' as user2 ==> ALLOWED",
+ {"name":"'use default;' as user2 ==> DENIED",
 "request":{
 "resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"use default"
+ "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default"
 },
- "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
 }
 ,
 {"name":"'use default;' as user3 ==> DENIED",
 "request":{
 "resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"use default"
+ "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default"
 },
- "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
 }
 ,
- {"name":"'use default;' as user3, group1 ==> ALLOWED",
+ {"name":"'use default;' as user3, group1 ==> DENIED",
 "request":{
 "resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user3","userGroups":["users", "group1"],"requestData":"use default"
+ "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default"
 },
- 
"result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'use default;' as user3, group2 ==> ALLOWED", + {"name":"'use default;' as user3, group2 ==> DENIED", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" + "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'use default;' as user3, group3 ==> DENIED", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users", "group3"],"requestData":"use default" + "accessTypes":[],"user":"user3","userGroups":["users", "group3"],"requestData":"use default" }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'use finance;' as user3, group3 ==> DENIED", "request":{ "resource":{"elements":{"database":"finance"}}, - "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use finance" + "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance" }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED", 
@@ -222,7 +222,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
 },
- "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
 }
 ,
 {"name":"'create table default.table1;' as user1, admin ==> DENIED",
@@ -230,7 +230,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
 },
- "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
 }
 ,
 {"name":"'drop table default.table1;' as user1 ==> DENIED",
@@ -238,7 +238,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
 }
 ,
 {"name":"'drop table default.table1;' as user1, admin ==> DENIED",
@@ -246,7 +246,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
 }
 ,
 {"name":"'select col1 from default.table1;' as user3 ==> DENIED",
