Repository: incubator-ranger Updated Branches: refs/heads/stack 145fe6d6e -> 1f0dccadf
RANGER-203: policy-download implementation updated to: 1) generate audit 2) return 302 when no changes were found. policy-search updated to use wildcards specified in policy. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1f0dccad Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1f0dccad Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1f0dccad Branch: refs/heads/stack Commit: 1f0dccadf28fe86ae075abde8dbdf3426ce6e6d6 Parents: 145fe6d Author: Madhan Neethiraj <[email protected]> Authored: Thu Feb 5 15:18:18 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Feb 5 15:18:18 2015 -0800 ---------------------------------------------------------------------- .../RangerDefaultPolicyEvaluator.java | 22 ++++---- .../RangerAbstractResourceMatcher.java | 2 +- .../plugin/store/file/ServiceFileStore.java | 20 +++---- .../plugin/store/rest/ServiceRESTStore.java | 2 + .../ranger/plugin/util/PolicyRefresher.java | 8 +-- .../ranger/plugin/util/ServicePolicies.java | 26 ++++----- .../ranger/plugin/store/TestServiceStore.java | 3 +- .../org/apache/ranger/rest/ServiceREST.java | 55 +++++++++++++++++--- 8 files changed, 89 insertions(+), 49 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index cc1ee1e..17fcc5e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -312,36 +312,32 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return ret;
 }
- protected RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource resource) {
+ protected static RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource resource) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerDefaultPolicyEvaluator.createResourceMatcher(" + resourceDef + ", " + resource + ")");
 }
 RangerResourceMatcher ret = null;
+ String resName = resourceDef != null ? resourceDef.getName() : null;
 String clsName = resourceDef != null ? resourceDef.getMatcher() : null;
 String options = resourceDef != null ? resourceDef.getMatcherOptions() : null;
- if(StringUtils.isEmpty(clsName)) {
- ret = new RangerDefaultResourceMatcher();
- } else {
+ if(! StringUtils.isEmpty(clsName)) {
 try {
 @SuppressWarnings("unchecked") Class<RangerResourceMatcher> matcherClass = (Class<RangerResourceMatcher>)Class.forName(clsName);
 ret = matcherClass.newInstance();
- } catch(ClassNotFoundException excp) {
- // TODO: ERROR
- excp.printStackTrace();
- } catch (InstantiationException excp) {
- // TODO: ERROR
- excp.printStackTrace();
- } catch (IllegalAccessException excp) {
- // TODO: ERROR
- excp.printStackTrace();
+ } catch(Exception excp) {
+ LOG.error("failed to instantiate resource matcher '" + clsName + "' for '" + resName + "'. Default resource matcher will be used", excp);
 }
 }
+ if(ret == null) {
+ ret = new RangerDefaultResourceMatcher();
+ }
+
 if(ret != null) {
 ret.init(resourceDef, resource, options);
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
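Review bot: The unchecked cast to `Class<RangerResourceMatcher>` means `matcherClass.newInstance()` runs the constructor of whatever class the service-def's `matcher` field names before the type is verified; a non-matcher class is instantiated and only then fails the implicit cast, which the new `catch(Exception excp)` turns into a silent fallback to the default matcher. Replacing the two lines inside the try with `ret = Class.forName(clsName).asSubclass(RangerResourceMatcher.class).newInstance();` rejects a wrong type before construction and removes the need for `@SuppressWarnings("unchecked")`. Because `clsName` is read from stored service-def data, anyone who can write a service-def can make every plugin of that service load an arbitrary class from its classpath — if service-def writes are not already limited to trusted administrators, an allow-list of matcher classes is worth adding. The `if(ret != null)` guard after the new default fallback is now always true and can go. createResourceMatcher continues past the end of this hunk.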
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 9fb248a..3da7198 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -173,7 +173,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 return ret;
 }
- public String getWildCardPattern(String policyValue) {
+ public static String getWildCardPattern(String policyValue) {
 if (policyValue != null) {
 policyValue = policyValue.replaceAll("\\?", "\\.")
 .replaceAll("\\*", ".*") ;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
index b51c160..8ec38f5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
@@ -43,6 +43,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.plugin.util.ServicePolicies;
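Review bot: getWildCardPattern only rewrites `?` and `*`; every other regex metacharacter in the policy value (`.`, `+`, `(`, `[`, `{`, `\`, `$`) reaches `String.matches` unescaped, so a policy value such as `db.tbl` matches `dbxtbl` and an unbalanced `(` makes the caller throw PatternSyntaxException. Now that the method is public static and also drives the policy-search path in ServiceFileStore, quoting the literal segments fixes both callers at once: emit `Pattern.quote(...)` for each run of ordinary characters, `.*` for `*` and `.` for `?` (needs `java.util.regex.Pattern` imported). The method body continues past the end of this hunk, so I cannot see whether anything else is appended to the pattern afterwards.
```java
public static String getWildCardPattern(String policyValue) {
    if (policyValue != null) {
        StringBuilder pattern = new StringBuilder();
        StringBuilder literal = new StringBuilder();
        for (char c : policyValue.toCharArray()) {
            if (c == '*' || c == '?') {
                if (literal.length() > 0) {
                    pattern.append(Pattern.quote(literal.toString()));
                    literal.setLength(0);
                }
                pattern.append(c == '*' ? ".*" : ".");
            } else {
                literal.append(c);
            }
        }
        if (literal.length() > 0) {
            pattern.append(Pattern.quote(literal.toString()));
        }
        policyValue = pattern.toString();
        // … unchanged: remainder of the method …
```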
@@ -707,6 +708,8 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
 LOG.debug("==> ServiceFileStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
 }
+ ServicePolicies ret = null;
+
 RangerService service = getServiceByName(serviceName);
 if(service == null) {
@@ -719,20 +722,19 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
 throw new Exception(service.getType() + ": unknown service-def)");
 }
- ServicePolicies ret = new ServicePolicies();
- ret.setServiceId(service.getId());
- ret.setServiceName(service.getName());
- ret.setPolicyVersion(service.getPolicyVersion());
- ret.setPolicyUpdateTime(service.getPolicyUpdateTime());
- ret.setServiceDef(serviceDef);
- ret.setPolicies(new ArrayList<RangerPolicy>());
-
 if(lastKnownVersion == null || service.getPolicyVersion() == null || lastKnownVersion.longValue() != service.getPolicyVersion().longValue()) {
 SearchFilter filter = new SearchFilter(SearchFilter.SERVICE_NAME, serviceName);
 List<RangerPolicy> policies = getPolicies(filter);
+ ret = new ServicePolicies();
+
+ ret.setServiceId(service.getId());
+ ret.setServiceName(service.getName());
+ ret.setPolicyVersion(service.getPolicyVersion());
+ ret.setPolicyUpdateTime(service.getPolicyUpdateTime());
 ret.setPolicies(policies);
+ ret.setServiceDef(serviceDef);
 }
 if(LOG.isDebugEnabled()) {
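Review bot: The second hunk turns a null return into the "nothing changed since lastKnownVersion" signal while the `service == null` path above still throws, so every caller now has to treat null as no-change, yet nothing in this diff documents that on `ServiceStore.getServicePoliciesIfUpdated` (the interface is outside the diff, so I assume its Javadoc still describes the old always-populated result). Suggest a Javadoc on the interface method along the lines of `/** Returns the service's policies when its policyVersion differs from lastKnownVersion (or either is null); returns null when the versions match, i.e. no change. */`. An `else` branch with `LOG.debug("ServiceFileStore.getServicePoliciesIfUpdated(" + serviceName + "): no change at version " + lastKnownVersion);` would also make a plugin stuck on a stale version diagnosable from the store side. getServicePoliciesIfUpdated continues past the end of this hunk.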
@@ -1555,7 +1557,7 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
 isMatch = true;
 } else {
 for(String policyResourceValue : policyResource.getValues()) {
- if(policyResourceValue.contains(val)) { // TODO: consider match for wildcard in policyResourceValue?
+ if(val.matches(RangerAbstractResourceMatcher.getWildCardPattern(policyResourceValue))) {
 isMatch = true;
 break;
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
index de2852b..dcdce10 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
@@ -577,6 +577,8 @@ public class ServiceRESTStore implements ServiceStore {
 if(response != null && response.getStatus() == 200) {
 ret = response.getEntity(ServicePolicies.class);
+ } else if(response != null && response.getStatus() == 304) {
+ // no change
 } else {
 RESTResponse resp = RESTResponse.fromClientResponse(response);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 152309d..a814bfb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
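Review bot: The search path now matches `val` against a generic wildcard-to-regex translation of the policy value, while enforcement (the RangerDefaultPolicyEvaluator hunk) builds a per-resource matcher from `resourceDef.getMatcher()` and `getMatcherOptions()`, so a search can disagree with what the plugin actually enforces for any resource whose matcher is not the default or carries options. Since `createResourceMatcher` was made static in this same commit, the search could build the matcher through it and ask it about `val` instead of calling `getWildCardPattern` directly — assuming `RangerResourceMatcher` exposes a match method, which is not visible here. Also worth a comment on the new line that the regex is recompiled by `String.matches` for every policy value on every search; fine for a file store, but a `Pattern` cache would be needed before this scales. The enclosing method starts and ends outside this hunk.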
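Review bot: The new 304 branch leaves the response untouched: the 200 branch consumes it via `getEntity` and the else branch via `RESTResponse.fromClientResponse`, but here only a comment sits in the block. If `response` is a Jersey 1.x ClientResponse (the `getEntity(Class)` call suggests so), an unconsumed response can hold the underlying connection until it is garbage-collected, so a `response.close();` in the branch is cheap insurance, and a `LOG.debug("ServiceRESTStore.getServicePoliciesIfUpdated(): no change (HTTP 304)");` in place of the bare comment makes the path visible in plugin logs (assuming the class has a LOG like the other stores). The enclosing method starts and ends outside this hunk.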
@@ -138,11 +138,11 @@ public class PolicyRefresher extends Thread {
 try {
 ServicePolicies svcPolicies = serviceStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
- long newVersion = (svcPolicies == null || svcPolicies.getPolicyVersion() == null) ? -1 : svcPolicies.getPolicyVersion().longValue();
-
- boolean isUpdated = newVersion != -1 && lastKnownVersion != newVersion;
+ boolean isUpdated = svcPolicies != null;
 if(isUpdated) {
+ long newVersion = svcPolicies.getPolicyVersion() == null ? -1 : svcPolicies.getPolicyVersion().longValue();
+
 if(!StringUtils.equals(serviceName, svcPolicies.getServiceName())) {
 LOG.warn("PolicyRefresher(serviceName=" + serviceName + "): ignoring unexpected serviceName '" + svcPolicies.getServiceName() + "' in service-store");
 }
@@ -158,7 +158,7 @@ public class PolicyRefresher extends Thread {
 policyEngine.setPolicies(serviceName, svcPolicies.getServiceDef(), svcPolicies.getPolicies());
 } else {
 if(LOG.isDebugEnabled()) {
- LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found. lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion);
+ LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found. lastKnownVersion=" + lastKnownVersion);
 }
 }
 } catch(Exception excp) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
index f1c8adf..436a91a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
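Review bot: `boolean isUpdated = svcPolicies != null;` drops the old `newVersion != -1` guard, so a ServicePolicies whose policyVersion is null — which the ServiceFileStore hunk produces whenever the service has no policyVersion — is now applied on every poll: lastKnownVersion presumably becomes -1 (that assignment sits between the two hunks), the store keeps answering with the full set, and `policyEngine.setPolicies` re-runs each cycle. A `LOG.warn` when `newVersion == -1`, or skipping the apply with `if(newVersion == -1 && lastKnownVersion == -1) { isUpdated = false; }` before the version-dependent work, would stop an unversioned store from causing that churn loop. Separately, a serviceName mismatch is only warned about; whether the mismatched set is then still handed to `policyEngine.setPolicies` is decided by lines outside this hunk, and if it is, the log's "ignoring" should become an actual skip so a plugin is never loaded with another service's policies. The try block starts before this hunk and its catch continues after it.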
@@ -44,10 +44,10 @@ public class ServicePolicies implements java.io.Serializable {
 private String serviceName;
 private Long serviceId;
- private RangerServiceDef serviceDef;
 private Long policyVersion;
 private Date policyUpdateTime;
 private List<RangerPolicy> policies;
+ private RangerServiceDef serviceDef;
 /**
@@ -75,18 +75,6 @@ public class ServicePolicies implements java.io.Serializable {
 this.serviceId = serviceId;
 }
 /**
- * @return the serviceDef
- */
- public RangerServiceDef getServiceDef() {
- return serviceDef;
- }
- /**
- * @param serviceDef the serviceDef to set
- */
- public void setServiceDef(RangerServiceDef serviceDef) {
- this.serviceDef = serviceDef;
- }
- /**
 * @return the policyVersion
 */
 public Long getPolicyVersion() {
@@ -122,4 +110,16 @@ public class ServicePolicies implements java.io.Serializable {
 public void setPolicies(List<RangerPolicy> policies) {
 this.policies = policies;
 }
+ /**
+ * @return the serviceDef
+ */
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+ /**
+ * @param serviceDef the serviceDef to set
+ */
+ public void setServiceDef(RangerServiceDef serviceDef) {
+ this.serviceDef = serviceDef;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
index 4771085..8ce8f5c 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
@@ -218,8 +218,7 @@ public class TestServiceStore {
 assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getPolicies().get(0).getName(), updatedPolicy.getName());
 ServicePolicies updatedPolicies = svcStore.getServicePoliciesIfUpdated(updatedSvc.getName(), svcPolicies.getPolicyVersion());
- assertNotNull(updatedPolicies);
- assertEquals(0, updatedPolicies.getPolicies().size());
+ assertNull(updatedPolicies);
 filter = new SearchFilter();
 filter.setParam(SearchFilter.POLICY_NAME, policyName);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index e4ee9d0..33391bc 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -36,6 +36,7 @@ import javax.ws.rs.core.Context;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -52,8 +53,10 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Scope;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
+import org.apache.ranger.biz.AssetMgr;
 import org.apache.ranger.biz.ServiceMgr;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.entity.XXPolicyExportAudit;
 @Path("plugins")
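Review bot: The updated assertion pins only the no-change case; nothing in this test exercises the branch that must now return a populated ServicePolicies, so a regression that made the store return null unconditionally would still pass. Add a positive case next to it, e.g. `ServicePolicies changed = svcStore.getServicePoliciesIfUpdated(updatedSvc.getName(), svcPolicies.getPolicyVersion() + 1); assertNotNull(changed); assertEquals(svcPolicies.getPolicyVersion(), changed.getPolicyVersion());` — passing a null lastKnownVersion would cover the other arm of the condition. The test method starts before this hunk and continues after it.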
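Review bot: `org.apache.commons.lang3.ObjectUtils` is added to the imports, but none of the ServiceREST hunks in this diff reference it, so unless a change not shown here uses it the import is dead and will be flagged as unused; drop the line `import org.apache.commons.lang3.ObjectUtils;` or use it. The second import hunk places the new `org.apache.ranger.*` lines after the `org.springframework.*` group, which follows the file's existing order rather than alphabetical grouping — fine if that is the project convention.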
@@ -64,10 +67,13 @@ public class ServiceREST {
 @Autowired
 RESTErrorUtil restErrorUtil;
-
+
 @Autowired
 ServiceMgr serviceMgr;
+ @Autowired
+ AssetMgr assetMgr;
+
 private ServiceStore svcStore = null;
 public ServiceREST() {
@@ -647,21 +653,34 @@ public class ServiceREST {
 @GET
 @Path("/policies/download/{serviceName}/{lastKnownVersion}")
 @Produces({ "application/json", "application/xml" })
- public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @PathParam("lastKnownVersion") Long lastKnownVersion) throws Exception {
+ public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @PathParam("lastKnownVersion") Long lastKnownVersion, @Context HttpServletRequest request) throws Exception {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
 }
- ServicePolicies ret = null;
+ ServicePolicies ret = null;
+ int httpCode = HttpServletResponse.SC_OK;
+ String logMsg = null;
 try {
 ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
+
+ if(ret == null) {
+ httpCode = HttpServletResponse.SC_NOT_MODIFIED ;
+ logMsg = "No change since last update";
+ } else {
+ httpCode = HttpServletResponse.SC_OK;
+ logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : 0) + " policies. Policy version=" + ret.getPolicyVersion();
+ }
 } catch(Exception excp) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
+ httpCode = HttpServletResponse.SC_BAD_REQUEST;
+ logMsg = excp.getMessage();
+ } finally {
+ createPolicyDownloadAudit(serviceName, lastKnownVersion, ret, httpCode, request);
 }
- if(ret == null) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
+ if(httpCode != HttpServletResponse.SC_OK) {
+ throw restErrorUtil.createRESTException(httpCode, logMsg, true);
 }
 if(LOG.isDebugEnabled()) {
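Review bot: The catch block now swallows the exception: `logMsg = excp.getMessage()` is handed to the client as the 400 body and to the audit row, but the exception is never logged, so the stack trace behind a failed download is lost on the server — add `LOG.error("getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed", excp);` in the catch. What does reach the client is whatever the store threw (for example the `": unknown service-def"` text visible in the ServiceFileStore hunk), which is more than a policy-download client needs; a fixed message outward and the detail in the log is the safer split. Not-modified is signalled by throwing `restErrorUtil.createRESTException(304, "No change since last update", true)`; a 304 must not carry a body, so whether the wire stays protocol-clean depends on the exception mapper behind createRESTException, which is outside this diff — `throw new WebApplicationException(Response.notModified().build());` (javax.ws.rs) would sidestep the question, and note the commit message says 302 while this code and the ServiceRESTStore client both use 304. I also see no authorization annotation on this method although the file imports `PreAuthorize`; if plugin downloads are intentionally open or are gated by a filter upstream, a one-line comment on the method saying so would save the next reader the same question. The method continues past the end of this hunk.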
@@ -671,7 +690,6 @@ public class ServiceREST {
 return ret;
 }
-
 private SearchFilter getSearchFilter(HttpServletRequest request) {
 if(request == null || MapUtils.isEmpty(request.getParameterMap())) {
 return null;
@@ -702,4 +720,27 @@ public class ServiceREST {
 return ret;
 }
+
+ private void createPolicyDownloadAudit(String serviceName, Long lastKnownVersion, ServicePolicies policies, int httpRespCode, HttpServletRequest request) {
+ try {
+ String agentId = request.getParameter("agentId");
+ String ipAddress = request.getHeader("X-FORWARDED-FOR");
+
+ if (ipAddress == null) {
+ ipAddress = request.getRemoteAddr();
+ }
+
+ XXPolicyExportAudit policyExportAudit = new XXPolicyExportAudit();
+
+ policyExportAudit.setRepositoryName(serviceName);
+ policyExportAudit.setAgentId(agentId);
+ policyExportAudit.setClientIP(ipAddress);
+ policyExportAudit.setRequestedEpoch(lastKnownVersion);
+ policyExportAudit.setHttpRetCode(httpRespCode);
+
+ assetMgr.createPolicyAudit(policyExportAudit);
+ } catch(Exception excp) {
+ LOG.error("error while creating policy download audit", excp);
+ }
+ }
 }
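Review bot: `request.getHeader("X-FORWARDED-FOR")` is recorded verbatim as the audited client IP whenever the header is present, so any caller can set it and choose what `setClientIP` stores, and behind a real proxy the value is a comma-separated chain of which only the first element is the client. Unless the admin server is known to sit behind a trusted proxy, record `request.getRemoteAddr()` unconditionally and keep the forwarded value in a separate field, or at minimum take only the first entry: `ipAddress = ipAddress.split(",")[0].trim();`. `agentId` is likewise an unauthenticated query parameter copied straight into the audit row, so it identifies the plugin only as far as the plugin is honest; a length bound before `setAgentId` would at least protect the column and keep log-forging out of the audit view. The `policies` parameter is accepted but never used, and the catch means an audit-write failure still serves the policies — if audit is meant to be mandatory that should be a deliberate, commented decision here.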
