Repository: incubator-ranger Updated Branches: refs/heads/master 02083dc06 -> 788897211
RANGER-256: sample condition evaluators to demonstrate dynamic conditions
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c59617d6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c59617d6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c59617d6
Branch: refs/heads/master
Commit: c59617d6f74df41316a59d65ed90c574527987de
Parents: 02083dc
Author: Alok Lal <[email protected]>
Authored: Sat Feb 21 09:22:21 2015 -0800
Committer: Madhan Neethiraj <[email protected]>
Committed: Sat Feb 21 09:22:21 2015 -0800
----------------------------------------------------------------------
.../RangerConditionEvaluator.java | 3 +-
.../conditionevaluator/RangerIpMatcher.java | 4 +-
.../RangerDefaultPolicyEvaluator.java | 36 ++++----
.../service-defs/ranger-servicedef-hive.json | 8 +-
.../conditionevaluator/RangerIpMatcherTest.java | 4 +-
.../RangerDefaultPolicyEvaluatorTest.java | 95 +++++++++++++-------
.../.settings/org.eclipse.wst.common.component | 18 ----
7 files changed, 95 insertions(+), 73 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59617d6/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
index 029e6c0..10eb04b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
@@ -20,10 +20,11 @@ package org.apache.ranger.plugin.conditionevaluator;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 public interface RangerConditionEvaluator {
- void init(RangerPolicyItemCondition condition);
+ void init(RangerPolicyConditionDef conditionDef, RangerPolicyItemCondition condition);
 boolean isMatched(RangerAccessRequest request);
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59617d6/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
index f7b3a91..37501e9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
@@ -30,6 +30,7 @@ import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 /**
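Review bot: The widened `init(RangerPolicyConditionDef conditionDef, RangerPolicyItemCondition condition)` on RangerConditionEvaluator carries no Javadoc, so an implementor cannot tell whether either argument may be null or what an evaluator is expected to take from `conditionDef` (the RangerIpMatcher hunk ignores it and the test hunks pass `null` for it). Since this interface is the extension point through which a service definition's `evaluator` class names are loaded, the contract belongs on the method; something like `/** Initialises the evaluator from the service-definition condition and the policy item's condition values; callers in this change pass null for either, so implementations should tolerate both. */` would do. Whether null `conditionDef` is really expected from production callers is inferred from the tests only; please confirm and word the Javadoc accordingly.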
@@ -46,11 +47,12 @@ public class RangerIpMatcher implements RangerConditionEvaluator {
 public static final String ConditionName = "ip-range";
 @Override
- public void init(final RangerPolicyItemCondition condition) {
+ public void init(final RangerPolicyConditionDef conditionDef, final RangerPolicyItemCondition condition) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerIpMatcher.init(" + condition + ")");
 }
+ // NOTE: this evaluator does not use conditionDef!
 if (condition == null) {
 LOG.debug("init: null policy condition! Will match always!");
 _allowAny = true;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59617d6/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 60e3d7a..0ac5eed 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -121,16 +121,21 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 if (result.containsKey(conditionName)) {
 continue;
 }
- String evaluatorClassName = getEvaluatorName(serviceDef, conditionName);
- if (Strings.isNullOrEmpty(evaluatorClassName)) {
- LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't get condition evaluator class name for condition[" + conditionName + "]! Disabling all checks for this condition.");
+ RangerPolicyConditionDef conditionDef = getConditionDef(serviceDef, conditionName);
+ if (conditionDef == null) {
+ LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't get condition Definition for condition[" + conditionName + "]! Disabling all checks for this condition.");
 } else {
- RangerConditionEvaluator anEvaluator = newConditionEvauator(evaluatorClassName);
- if (anEvaluator == null) {
- LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't instantiate condition evaluator for class[" + evaluatorClassName + "]. All checks for condition[" + conditionName + "] disabled.");
+ String evaluatorClassName = conditionDef.getEvaluator();
+ if (Strings.isNullOrEmpty(evaluatorClassName)) {
+ LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't get condition evaluator class name for condition[" + conditionName + "]! Disabling all checks for this condition.");
 } else {
- anEvaluator.init(condition);
- result.put(conditionName, anEvaluator);
+ RangerConditionEvaluator anEvaluator = newConditionEvauator(evaluatorClassName);
+ if (anEvaluator == null) {
+ LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't instantiate condition evaluator for class[" + evaluatorClassName + "]. All checks for condition[" + conditionName + "] disabled.");
+ } else {
+ anEvaluator.init(conditionDef, condition);
+ result.put(conditionName, anEvaluator);
+ }
 }
 }
 }
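Review bot: The new lookup in initializeConditionEvaluators nests three `if/else` levels for three independent "give up on this condition" outcomes, while the loop already uses `continue` for the duplicate-name case at the top of the hunk; each failure can `LOG.error` and `continue` instead, so the success path (`init` then `put`) reads linearly and the next evaluator-resolution step does not add a fourth level. The error strings and the order of checks are unchanged below, so behaviour is identical. The enclosing loop header and the method start lie outside the hunk, so the `continue` relies on the loop the existing one already sits in. Independent of the shape, all three failures leave the condition absent from `result` with only a log line; what an unevaluable condition then means for the access decision is decided outside this hunk, and the log messages would be more useful to an operator if they said which way that falls.
```java
RangerPolicyConditionDef conditionDef = getConditionDef(serviceDef, conditionName);
if (conditionDef == null) {
    LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't get condition Definition for condition[" + conditionName + "]! Disabling all checks for this condition.");
    continue;
}
String evaluatorClassName = conditionDef.getEvaluator();
if (Strings.isNullOrEmpty(evaluatorClassName)) {
    LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't get condition evaluator class name for condition[" + conditionName + "]! Disabling all checks for this condition.");
    continue;
}
RangerConditionEvaluator anEvaluator = newConditionEvauator(evaluatorClassName);
if (anEvaluator == null) {
    LOG.error("initializeConditionEvaluators: Serious Configuration error: Couldn't instantiate condition evaluator for class[" + evaluatorClassName + "]. All checks for condition[" + conditionName + "] disabled.");
    continue;
}
anEvaluator.init(conditionDef, condition);
result.put(conditionName, anEvaluator);
// … unchanged: loop and method close …
```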
@@ -144,13 +149,12 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return result;
 }
- // TODO this should be cached in the policyengine to avoid repeated processing for every policy
- String getEvaluatorName(RangerServiceDef serviceDef, String conditionName) {
+ RangerPolicyConditionDef getConditionDef(RangerServiceDef serviceDef, String conditionName) {
 if(LOG.isDebugEnabled()) {
 LOG.debug(String.format("==> RangerDefaultPolicyEvaluator.initializeConditionEvaluators(%s, %s)", serviceDef, conditionName));
 }
- String evaluatorName = null;
+ RangerPolicyConditionDef result = null;
 if (Strings.isNullOrEmpty(conditionName)) {
 LOG.debug("initializeConditionEvaluators: Condition name was null or empty!");
 }
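Review bot: `getEvaluatorName` is renamed to `getConditionDef`, but the entry trace and the null-name message inside it still label themselves `initializeConditionEvaluators` (`"==> RangerDefaultPolicyEvaluator.initializeConditionEvaluators(%s, %s)"` and `"initializeConditionEvaluators: Condition name was null or empty!"`), and the `<==` trace in the next hunk has the same label; after the rename these attribute the debug output to the wrong method. I'd change them to `LOG.debug(String.format("==> RangerDefaultPolicyEvaluator.getConditionDef(%s, %s)", serviceDef, conditionName));` with the matching `<==` line and `"getConditionDef: ..."` prefixes. The deleted `// TODO this should be cached in the policyengine ...` comment was dropped without the caching being done: the body still walks `serviceDef.getPolicyConditions()` on every call, so the TODO should survive the rename unless the caching is tracked elsewhere. The method body continues past the end of this hunk.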
@@ -160,21 +164,21 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 LOG.debug("initializeConditionEvaluators: Policy conditions collection of the service def is empty! Ok, skipping.");
 } else {
 Iterator<RangerPolicyConditionDef> iterator = serviceDef.getPolicyConditions().iterator();
- while (iterator.hasNext() && evaluatorName == null) {
+ while (iterator.hasNext() && result == null) {
 RangerPolicyConditionDef conditionDef = iterator.next();
 String name = conditionDef.getName();
 if (conditionName.equals(name)) {
- evaluatorName = conditionDef.getEvaluator();
+ result = conditionDef;
 }
 }
 }
 if(LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerDefaultPolicyEvaluator.initializeConditionEvaluators(%s -> %s)", conditionName, evaluatorName));
+ LOG.debug(String.format("<== RangerDefaultPolicyEvaluator.initializeConditionEvaluators(%s -> %s)", conditionName, result));
 }
- return evaluatorName;
+ return result;
 }
-
+
 RangerConditionEvaluator newConditionEvauator(String className) {
 if(LOG.isDebugEnabled()) {
 LOG.debug(String.format("==> RangerDefaultPolicyEvaluator.newConditionEvauator(%s)", className));
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59617d6/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
index 5f134c6..f702241 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
@@ -55,16 +55,16 @@
 [
 {
 "name":"country",
- "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerCountryMatcher",
- "evaluatorOptions":"",
+ "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher",
+ "evaluatorOptions":"COUNTRY",
 "label":"Countries",
 "description":"Countries"
 }
 ,
 {
 "name":"project",
- "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerProjectMatcher",
- "evaluatorOptions":"",
+ "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher",
+ "evaluatorOptions":"PROJECT",
 "label":"Projects",
 "description":"Projects"
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59617d6/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
index e2d5c3c..99443a7 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
@@ -245,12 +245,12 @@ public class RangerIpMatcherTest {
 RangerIpMatcher matcher = new RangerIpMatcher();
 if (ipArray == null) {
- matcher.init(null);
+ matcher.init(null, null);
 } else {
 RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class);
 List<String> addresses = Arrays.asList(ipArray);
 when(condition.getValues()).thenReturn(addresses);
- matcher.init(condition);
+ matcher.init(null, condition);
 }
 return matcher;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59617d6/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
----------------------------------------------------------------------
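Review bot: Both conditions now name `org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher` as their `evaluator`, but no file of that name is in this commit's diffstat; unless the class already exists elsewhere in the tree, `newConditionEvauator` cannot instantiate it and, per the RangerDefaultPolicyEvaluator hunk above, the `country` and `project` conditions are dropped from the evaluator map with only a `LOG.error`, so a condition an administrator believes is attached to a Hive policy would not be evaluated at all. Please confirm the class is present or add it in the same change, and consider a test that loads this service definition and resolves every `evaluator` class name so a dangling reference fails the build rather than surfacing as a runtime log line. The new `evaluatorOptions` values `COUNTRY` and `PROJECT` also introduce a format whose meaning is stated nowhere in the change; a sentence in the condition's `description` or a comment where the option is parsed would tell the next editor what is legal here.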
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
index 036eff6..9256995 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
@@ -46,6 +46,8 @@ import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import com.google.common.collect.Lists;
+
 public class RangerDefaultPolicyEvaluatorTest {
 @Before
@@ -70,34 +72,42 @@ public class RangerDefaultPolicyEvaluatorTest {
 }
 @Test
- public void test_getEvaluatorName() {
+ public void test_getConditionEvaluator() {
- // null policy passing has reasonable response
+ // null service def and/or policy has reasonable response
 RangerDefaultPolicyEvaluator evaluator = new RangerDefaultPolicyEvaluator();
- String className = evaluator.getEvaluatorName(null, "aCondition");
- assertNull(className);
- // null policy condition def collection should behave sensibly
+ RangerPolicyConditionDef conditionDef = evaluator.getConditionDef(null, null);
+ assertNull(conditionDef);
+
+ conditionDef = evaluator.getConditionDef(null, "aCondition");
+ assertNull(conditionDef);
 RangerServiceDef serviceDef = mock(RangerServiceDef.class);
+ conditionDef = evaluator.getConditionDef(null, null);
+ assertNull(conditionDef);
+
+ // null policy condition def collection should behave sensibly
 when(serviceDef.getPolicyConditions()).thenReturn(null);
- className = evaluator.getEvaluatorName(serviceDef, "aCondition");
- assertNull(className);
+ conditionDef = evaluator.getConditionDef(serviceDef, "aCondition");
+ assertNull(conditionDef);
 // so should an service def with empty list of policy conditions.
when(serviceDef.getPolicyConditions()).thenReturn(new ArrayList<RangerServiceDef.RangerPolicyConditionDef>());
- className = evaluator.getEvaluatorName(serviceDef, "aCondition");
- assertNull(className);
+ conditionDef = evaluator.getConditionDef(serviceDef, "aCondition");
+ assertNull(conditionDef);
 // if service has a condition then sensible answer should come back
- Map<String, String> pairs = new HashMap<String, String>();
- pairs.put("type1", "com.company.SomeEvaluator");
- pairs.put("type2", "com.company.AnotherEvaluator");
- serviceDef = getMockServiceDef(pairs);
- className = evaluator.getEvaluatorName(serviceDef, "type1");
- assertEquals("com.company.SomeEvaluator", className);
- className = evaluator.getEvaluatorName(serviceDef, "type2");
- assertEquals("com.company.AnotherEvaluator", className);
- className = evaluator.getEvaluatorName(serviceDef, "type3");
- assertNull(className);
+ RangerPolicyConditionDef aConditionDef = getMockPolicyConditionDef("type1", "com.company.SomeEvaluator", null);
+ RangerPolicyConditionDef anotherConditionDef = getMockPolicyConditionDef("type2", "com.company.AnotherEvaluator", "key1");
+ List<RangerPolicyConditionDef> conditionDefs = Lists.newArrayList(aConditionDef, anotherConditionDef);
+
+ serviceDef = getMockServiceDef(conditionDefs);
+ conditionDef = evaluator.getConditionDef(serviceDef, "type1");
+ assertEquals(aConditionDef, conditionDef);
+ conditionDef = evaluator.getConditionDef(serviceDef, "type2");
+ assertEquals(anotherConditionDef, conditionDef);
+ conditionDef = evaluator.getConditionDef(serviceDef, "type3");
+ assertNull(conditionDef);
 }
 @Test
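Review bot: In test_getConditionEvaluator the call placed right after `serviceDef` is created, `conditionDef = evaluator.getConditionDef(null, null);`, repeats the very first assertion instead of using the mock, so the "non-null service def with a null condition name" path (the `Strings.isNullOrEmpty(conditionName)` branch of getConditionDef) is never exercised; it looks like `conditionDef = evaluator.getConditionDef(serviceDef, null);` was intended. The test is also named after a `getConditionEvaluator` that does not exist while it tests `getConditionDef`; `test_getConditionDef` would match the method under test. Separately, `anotherConditionDef` is built with evaluator options `"key1"` but nothing asserts that the options come back, so the new third argument of getMockPolicyConditionDef is untested here.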
@@ -163,11 +173,11 @@ public class RangerDefaultPolicyEvaluatorTest {
 * Resulting map should contain a union of conditions in it and each pointing to correct evaluator object.
 */
 // first create a service with right condition-name and evaluator names
- Map<String, String> conditionEvaluatorMap = new HashMap<String, String>();
- conditionEvaluatorMap.put("c1", "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator1");
- conditionEvaluatorMap.put("c2", "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator2");
- conditionEvaluatorMap.put("c3", "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator3");
- conditionEvaluatorMap.put("c4", "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator4");
+ Map<String, String[]> conditionEvaluatorMap = new HashMap<String, String[]>();
+ conditionEvaluatorMap.put("c1", new String[] { "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator1", null });
+ conditionEvaluatorMap.put("c2", new String[] { "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator2", null });
+ conditionEvaluatorMap.put("c3", new String[] { "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator3", null });
+ conditionEvaluatorMap.put("c4", new String[] { "org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluatorTest$Evaluator4", null });
 RangerServiceDef serviceDef = getMockServiceDef(conditionEvaluatorMap);
 // create policy items each with overlapping but dissimilar sets of conditions in them.
 RangerPolicyItem anItem = getMockPolicyItem(new String[] {"c1", "c2"});
@@ -199,7 +209,7 @@ public class RangerDefaultPolicyEvaluatorTest {
 static class AlwaysPass implements RangerConditionEvaluator {
 @Override
- public void init(RangerPolicyItemCondition condition) {
+ public void init(RangerPolicyConditionDef conditionDef, RangerPolicyItemCondition condition) {
 // empty body!
 }
 @Override
@@ -212,7 +222,7 @@ public class RangerDefaultPolicyEvaluatorTest {
 static class AlwaysFail implements RangerConditionEvaluator {
 @Override
- public void init(RangerPolicyItemCondition condition) {
+ public void init(RangerPolicyConditionDef conditionDef, RangerPolicyItemCondition condition) {
 // empty body
 }
@@ -308,22 +318,45 @@ public class RangerDefaultPolicyEvaluatorTest {
 return policyItem;
 }
- RangerServiceDef getMockServiceDef(Map<String, String> pairs) {
+ RangerServiceDef getMockServiceDef(List<RangerPolicyConditionDef> conditionDefs) {
+ // create a service def
+ RangerServiceDef serviceDef = mock(RangerServiceDef.class);
+ when(serviceDef.getPolicyConditions()).thenReturn(conditionDefs);
+ return serviceDef;
+ }
+
+ RangerServiceDef getMockServiceDef(Map<String, String[]> pairs) {
 // create a service def
 RangerServiceDef serviceDef = mock(RangerServiceDef.class);
 if (pairs == null) {
 return serviceDef;
 }
+ List<RangerPolicyConditionDef> conditions = getMockPolicyConditionDefs(pairs);
+ when(serviceDef.getPolicyConditions()).thenReturn(conditions);
+ return serviceDef;
+ }
+
+ // takes in a map of condition name to a an two element array where 1st element is evaluator-class-name and second is evaluator-options if any
+ List<RangerPolicyConditionDef> getMockPolicyConditionDefs(Map<String, String[]> pairs) {
 List<RangerPolicyConditionDef> conditions = new ArrayList<RangerServiceDef.RangerPolicyConditionDef>();
 // null policy condition def collection should behave sensibly
- for (Map.Entry<String, String> anEntry : pairs.entrySet()) {
+ for (Map.Entry<String, String[]> anEntry : pairs.entrySet()) {
 RangerPolicyConditionDef aCondition = mock(RangerPolicyConditionDef.class);
 when(aCondition.getName()).thenReturn(anEntry.getKey());
- when(aCondition.getEvaluator()).thenReturn(anEntry.getValue());
+ when(aCondition.getEvaluator()).thenReturn(anEntry.getValue()[0]);
+ when(aCondition.getEvaluatorOptions()).thenReturn(anEntry.getValue()[1]);
 conditions.add(aCondition);
 }
- when(serviceDef.getPolicyConditions()).thenReturn(conditions);
- return serviceDef;
+ return conditions;
+ }
+
+ RangerPolicyConditionDef getMockPolicyConditionDef(String name, String evaluatorClassName, String evaluatorOption) {
+ // null policy condition def collection should behave sensibly
+ RangerPolicyConditionDef aCondition = mock(RangerPolicyConditionDef.class);
+ when(aCondition.getName()).thenReturn(name);
+ when(aCondition.getEvaluator()).thenReturn(evaluatorClassName);
+ when(aCondition.getEvaluatorOptions()).thenReturn(evaluatorOption);
+ return aCondition;
 }
 RangerPolicyItem createPolicyItemForConditions(String[] conditions) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59617d6/security-admin/.settings/org.eclipse.wst.common.component
----------------------------------------------------------------------
diff --git a/security-admin/.settings/org.eclipse.wst.common.component b/security-admin/.settings/org.eclipse.wst.common.component
index 703c05f..c150b77 100644
--- a/security-admin/.settings/org.eclipse.wst.common.component
+++ b/security-admin/.settings/org.eclipse.wst.common.component
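Review bot: The comment `// null policy condition def collection should behave sensibly` is pasted into the new `getMockPolicyConditionDef` and survives inside `getMockPolicyConditionDefs`, where it describes nothing the helper does; both helpers only build Mockito stubs. I'd replace it in `getMockPolicyConditionDef` with `// build a stubbed condition def for the given name, evaluator class and options` and drop it from the loop helper. The header comment on `getMockPolicyConditionDefs` has a typo (`a an two element array`), and `anEntry.getValue()[1]` will surface as an ArrayIndexOutOfBoundsException rather than a readable assertion failure if a caller ever passes a one-element array, so the comment should state `// each value must be a two-element array: evaluator class name, evaluator options (may be null)` to pin that expectation for callers.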
@@ -4,24 +4,6 @@
 <wb-resource deploy-path="/" source-path="/src/main/webapp" tag="defaultRootSource"/>
 <wb-resource deploy-path="/WEB-INF/classes" source-path="/src/main/java"/>
 <wb-resource deploy-path="/WEB-INF/classes" source-path="/src/main/resources"/>
- <dependent-module archiveName="lookup-client-0.4.0.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/lookup-client/lookup-client">
- <dependency-type>uses</dependency-type>
- </dependent-module>
- <dependent-module archiveName="ranger-util-0.4.0.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/ranger-util/ranger-util">
- <dependency-type>uses</dependency-type>
- </dependent-module>
- <dependent-module archiveName="unixauthclient-0.4.0.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/unixauthclient/unixauthclient">
- <dependency-type>uses</dependency-type>
- </dependent-module>
- <dependent-module archiveName="ranger-plugins-common-0.4.0.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/ranger-plugins-common/ranger-plugins-common">
- <dependency-type>uses</dependency-type>
- </dependent-module>
- <dependent-module archiveName="ranger-plugins-audit-0.4.0.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/ranger-plugins-audit/ranger-plugins-audit">
- <dependency-type>uses</dependency-type>
- </dependent-module>
- <dependent-module archiveName="ranger-plugins-cred-0.4.0.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/ranger-plugins-cred/ranger-plugins-cred">
- <dependency-type>uses</dependency-type>
- </dependent-module>
 <property name="context-root" value="security-admin-web"/>
 <property name="java-output-path" value="/security-admin-web/target/classes"/>
 <property name="component.exclusion.patterns" value="WEB-INF/lib/spring-*.SEC03.jar,WEB-INF/lib/spring-*.RC3.jar,WEB-INF/lib/spring-2.*.jar"/>
