RANGER-203: Resource to policy match updated to use all all the keys in a resource (ex: database, table/udf, [column]).
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/57ded063
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/57ded063
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/57ded063
Branch: refs/heads/stack
Commit: 57ded063dee603767d06af2e9d6bcd442af564a2
Parents: ce1808a
Author: Madhan Neethiraj <[email protected]>
Authored: Mon Jan 26 16:07:31 2015 -0800
Committer: Madhan Neethiraj <[email protected]>
Committed: Mon Jan 26 16:07:31 2015 -0800
----------------------------------------------------------------------
 .../audit/provider/MultiDestAuditProvider.java | 2 +-
 .../plugin/policyengine/RangerResource.java | 4 +++
 .../plugin/policyengine/RangerResourceImpl.java | 12 ++++++++
 .../RangerDefaultPolicyEvaluator.java | 31 ++++++++++++--------
 4 files changed, 36 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/57ded063/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java
index 0f429ea..1eec345 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java
@@ -51,7 +51,7 @@ public class MultiDestAuditProvider extends BaseAuditProvider {
 try {
 provider.init(props);
 } catch(Throwable excp) {
- LOG.info("MultiDestAuditProvider.init(): failed" + provider.getClass().getCanonicalName() + ")");
+ LOG.info("MultiDestAuditProvider.init(): failed " + provider.getClass().getCanonicalName() + ")", excp);
 }
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/57ded063/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
index f79aba8..6941bc3 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
@@ -19,6 +19,8 @@
 package org.apache.ranger.plugin.policyengine;
+import java.util.Set;
+
 public interface RangerResource {
 public abstract String getOwnerUser();
@@ -26,4 +28,6 @@ public interface RangerResource {
 public abstract boolean exists(String name);
 public abstract String getValue(String name);
+
+ public Set<String> getKeys();
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/57ded063/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
index 529ac5f..86f7ea4 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
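Review bot: A destination that fails to initialise is still reported only at INFO in the catch block of MultiDestAuditProvider.init(), and the method carries on, so a lost audit sink is easy to miss in production logs. For an audit pipeline this deserves at least error level, and the message still has an unmatched `)`: `LOG.error("MultiDestAuditProvider.init(): failed (" + provider.getClass().getCanonicalName() + ")", excp);`. The surrounding loop starts outside the hunk, so whether the failed provider stays registered and later receives events cannot be seen here and is worth checking.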
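Review bot: In RangerResource.java the new `getKeys()` has no Javadoc, yet the policy evaluator in this same commit gives a null return a meaning of its own (it skips the key comparison). Implementers and callers need that contract written down, for example `/** Names of the resource elements that are set; may be null when the resource has none. Callers must not modify the returned set. */`. The declaration also drops the `public abstract` modifiers the other three methods use; `public abstract Set<String> getKeys();` would keep the interface uniform.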
@@ -21,6 +21,7 @@ package org.apache.ranger.plugin.policyengine;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 public class RangerResourceImpl implements RangerMutableResource {
@@ -53,6 +54,17 @@ public class RangerResourceImpl implements RangerMutableResource {
 }
 @Override
+ public Set<String> getKeys() {
+ Set<String> ret = null;
+
+ if(elements != null) {
+ ret = elements.keySet();
+ }
+
+ return ret;
+ }
+
+ @Override
 public void setOwnerUser(String ownerUser) {
 this.ownerUser = ownerUser;
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/57ded063/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 0160347..7fea4b6 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
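Review bot: `getKeys()` in RangerResourceImpl hands out `elements.keySet()` directly, which for a java.util map is a live view: a caller that removes from the set removes the entry from the resource being authorised. Returning a read-only view closes that, `ret = Collections.unmodifiableSet(elements.keySet());` (this needs `import java.util.Collections;`). The declaration of `elements` is outside the hunk; the imports suggest a HashMap, which should be confirmed before applying this.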
@@ -178,20 +178,27 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 RangerServiceDef serviceDef = getServiceDef();
 if(serviceDef != null && serviceDef.getResources() != null) {
- for(RangerResourceDef resourceDef : serviceDef.getResources()) {
- String resourceName = resourceDef.getName();
- String resourceValue = resource == null ? null : resource.getValue(resourceName);
- RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName);
+ Collection<String> resourceKeys = resource == null ? null : resource.getKeys();
+ Collection<String> policyKeys = matchers == null ? null : matchers.keySet();
+
+ boolean keysMatch = (resourceKeys == null) || (policyKeys != null && policyKeys.containsAll(resourceKeys));
- // when no value exists for a resourceName, consider it a match only if (policy doesn't have a matcher OR matcher allows no-value resource)
- if(StringUtils.isEmpty(resourceValue)) {
- ret = matcher == null || matcher.isMatch(resourceValue);
- } else {
- ret = matcher != null && matcher.isMatch(resourceValue);
- }
+ if(keysMatch) {
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ String resourceName = resourceDef.getName();
+ String resourceValue = resource == null ? null : resource.getValue(resourceName);
+ RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName);
- if(! ret) {
- break;
+ // when no value exists for a resourceName, consider it a match only if (policy doesn't have a matcher OR matcher allows no-value resource)
+ if(StringUtils.isEmpty(resourceValue)) {
+ ret = matcher == null || matcher.isMatch(resourceValue);
+ } else {
+ ret = matcher != null && matcher.isMatch(resourceValue);
+ }
+
+ if(! ret) {
+ break;
+ }
 }
 }
 }
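Review bot: When `keysMatch` is false the loop is skipped and `ret` keeps whatever it was set to before the hunk, so the no-match result of this authorization check depends on an initialiser that is not visible here. An explicit `} else { ret = false; }` after the `if(keysMatch)` block would make the deny outcome local and safe against later edits. The `resourceKeys == null` arm also lets a request with no resource, or a resource whose `getKeys()` returns null, skip the key comparison and match any policy whose matchers are absent or accept an empty value; if that is intended it deserves a comment such as `// null keys: nothing to compare, fall through to per-definition matching`. The enclosing method starts and ends outside the hunk.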
